HTB: Editorial

Another medium box that starts with just a web form and ends with a root shell through a surprisingly elegant chain. Editorial is all about knowing what to look for — and what to ask the server to fetch for you.

Machine Info
Name: Editorial
Platform: HackTheBox
OS: Linux
Difficulty: Medium
IP: 10.129.1.101

TL;DR
SSRF on the book cover URL field → internal API on port 5000 → /api/latest/metadata/messages/authors leaks SSH creds for dev → git history in ~/apps reveals prod credentials → prod can run a GitPython clone script as root → ext:: protocol injection sets SUID on /bin/bash → root. ...

May 22, 2026 · 5 min · João Vítor Bonin

HTB: Broker - OSCP Prep Write-up

CVE-2023-46604 dropped while this machine was live - a critical Apache ActiveMQ RCE with a public PoC, CVSS 10.0. The privesc flips the script: instead of running code, nginx becomes a file server for the entire filesystem.

Machine info
Name: Broker
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Rustscan reveals port 61616 running Apache ActiveMQ 5.15.15 - vulnerable to CVE-2023-46604
- Clone and adapt the public PoC: serve a malicious ClassInfo XML and trigger the RCE to land a shell as activemq
- sudo -l shows activemq can run /usr/sbin/nginx as root without a password
- Craft an evil nginx config with WebDAV PUT and root /; to expose the entire filesystem on port 1337
- Read root.txt directly, or overwrite /etc/passwd to add a new root-level user

Recon
Port scan ...

May 15, 2026 · 3 min · João Vítor Bonin