Linux on z3r0s

HTB - DevHub

Sat, 30 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The Logo Link to heading

The machine logo shows a caged beast with red glowing eyes trapped behind bars. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Caged beast behind bars: A system designed to restrict access, block unsafe operations, or confine environments (sandboxing / containerization).
Red glowing eyes: A powerful or potentially dangerous interface that is supposed to be fully locked down, but might have vulnerabilities in its containment.
Caged element: An environment escape (sandbox escape) or a container escape scenario.

The Name Link to heading

"DevHub" combined with the logo points toward:

A centralized developer platform or gateway (like GitLab, JupyterHub, or a custom tool manager) that coordinates multiple services.
An environment where developers deploy models, notebooks, or scripts, pointing directly to development-centric protocols like Model Context Protocol (MCP) or Jupyter.

The Instant Hypothesis Link to heading

Combining name and logo before even running nmap:

"This is a developer platform (DevHub) managing internal development or model tools. The caged beast suggests containerization, sandboxing, or restricted environments that we must escape. The primary attack vector will likely involve exploiting development utilities or container/sandbox escape vulnerabilities."

This hypothesis is confirmed within minutes of enumeration, revealing an exposed Model Context Protocol (MCP) debugger and Jupyter notebook.

HTB - Reactor

Sun, 24 May 2026 00:00:00 +0000

Difficulty: Easy | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The machine logo shows a nuclear reactor facility - cooling towers with radiation symbols (☢), smoke/steam rising, set inside a green circle. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Nuclear reactor theme → the web app will be a reactor monitoring dashboard, ICS/SCADA-style interface with sensor readings, logs, and personnel panels
Green color scheme → "nominal / online" status indicators - a live running service dashboard
Radiation symbols → nuclear operations terminology ahead: coolant flow, pressure, neutron flux, core temperature - all realistic dashboard labels that give no obvious attack surface

The Name Link to heading

"Reactor" combined with the logo points toward two things at once:

React/Next.js - "Reactor" is almost certainly a pun on React, the JavaScript framework. HTB machine names frequently reference the intended technology this way. This immediately narrows the attack surface to a Node.js web application.
Nuclear monitoring theme - the app will look like a static read-only dashboard with no login, no forms, no visible input - pushing the attacker toward framework-level vulnerabilities rather than application logic.

The Instant Hypothesis Link to heading

Combining name + logo before even running nmap:

"This is a Next.js app themed as a nuclear reactor dashboard. The name 'Reactor' punning on React strongly suggests a Next.js vulnerability is the intended path. The dashboard will look static but the attack vector will be server-side - likely Server Actions, API routes, or RSC deserialization."

This hypothesis was confirmed within minutes:

Port 3000 → X-Powered-By: Next.js in response headers
No login page, no visible forms → the framework itself is the attack surface, not the application logic
Next.js Server Actions prototype pollution (CVE-2025-55182) → exact match

This is why reading the logo matters. A good HTB player can often narrow the entire attack path to 1-2 CVEs before the nmap scan finishes.

HTB - SmartHire

Mon, 18 May 2026 00:37:12 +0300

SmartHire HTB Write-up Link to heading

Executive Summary Link to heading

SmartHire was compromised in two stages:

Initial access / user shell The SmartHire web application relied on an external MLflow instance to load a model by name during resume prediction. Because the MLflow registry was exposed and protected only by weak credentials (admin:password), it was possible to register a malicious pyfunc model under the exact name expected by the application. When the application later loaded that model during a prediction request, it deserialized attacker-controlled pickle content and executed a reverse shell as svcweb.

HTB - Browsed

Sun, 10 May 2026 23:19:05 +0300

After get the target ip lets scan with nmap

We have port 80 lets check it

sudo nano /etc/hosts

ip browsed.htb

lets go to check Samples Page

http://browsed.htb/samples.html

lets Download any file, I'll download second file

**After download the file we got zip file lets unzip it

It Looks interesting

lets Check upload page

We can Upload Chrome Extension (.zip)

HTB - Helix

Sun, 10 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux | Date: 2026-05-10

Summary Link to heading

Helix presents a realistic industrial operations scenario built around Apache NiFi, OPC UA, and a custom maintenance console. The attack chain is:

Vhost fuzzing → flow.helix.htb (Apache NiFi 1.21.0, unauthenticated)
NiFi RCE via ExecuteScript processor → shell as nifi
SSH private key for operator found in NiFi support bundles
Privilege escalation via OPC UA node manipulation to open a timed maintenance window → root shell

HTB - WingData

Fri, 08 May 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux
CVEs	CVE-2025-47812 · CVE-2025-4517 · CVE-2025-4138

Summary Link to heading

WingData is an Easy Linux machine. A company website redirects to an FTP client portal running Wing FTP Server v7.4.3, which is vulnerable to an unauthenticated RCE (CVE-2025-47812). Post-exploitation enumeration reveals a salted SHA-256 hash for user wacky stored in Wing FTP config files. After cracking the hash with hashcat and gaining SSH access, a misconfigured sudo rule allows execution of a Python backup restoration script as root. The script is vulnerable to CVE-2025-4517, a tarfile PATH_MAX bypass that allows arbitrary file write - used to overwrite /etc/sudoers and gain root.

HTB - VariaType

Tue, 05 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-66034 · CVE-2024-25082 · CVE-2025-47273

Summary Link to heading

VariaType is a Linux medium box centered around a typography company's web infrastructure. The attack chain involves three distinct CVEs:

CVE-2025-66034 - fonttools DesignSpace output path traversal → PHP webshell (www-data)
CVE-2024-25082 - FontForge archive filename command injection → SSH as steve (user)
CVE-2025-47273 - setuptools PackageIndex path traversal → SSH as root

Attack Chain Overview Link to heading

#	Stage	Technique	CVE/Tool
1	Recon	Nmap + vhost fuzzing + `.git` dump	-
2	Foothold	DesignSpace filename path traversal	CVE-2025-66034
3	User (steve)	FontForge archive filename cmd injection	CVE-2024-25082
4	Root	setuptools PackageIndex path traversal	CVE-2025-47273

01 - Reconnaissance Link to heading

rustscan -a <TARGET_IP> --ulimit 5000 -b 1500 -- -sV -sC

Port 22 OpenSSH 9.2p1
Port 80 nginx/1.22.1

Virtual Host Discovery Link to heading

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
 -u http://<TARGET_IP> -H "Host: FUZZ.variatype.htb" -fs <default_size>
# → portal.variatype.htb

Git Repository Leak Link to heading

curl -s http://portal.variatype.htb/.git/HEAD
# ref: refs/heads/master

Dumping the repository reveals hardcoded credentials in commit history:

HTB - Pterodactyl

Sun, 03 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-49132 · CVE-2025-6018 · CVE-2025-6019

Summary Link to heading

Pterodactyl is a Linux machine that chains three critical vulnerabilities for full system compromise. The Pterodactyl Panel (a Laravel-based game server management platform) is hosted on a discovered subdomain. PHP PEAR is enabled with writable config paths, vulnerable to CVE-2025-49132 - unauthenticated RCE. Database credentials extracted from Laravel's .env file reveal a secondary user. Privilege escalation leverages CVE-2025-6018 (PAM environment variable injection) chained with CVE-2025-6019 (UDisks2 XFS filesystem privilege escalation) to achieve root.

HTB - Silentium

Tue, 14 Apr 2026 00:00:00 +0000

1. Port Scan Link to heading

nmap -sV -A -T4 10.129.30.114 -o port_scan

Starting Nmap 7.99 ( https://nmap.org ) at 2026-04-14 15:20 -0400
Nmap scan report for 10.129.30.114
Host is up (0.088s latency).
Not shown: 998 closed tcp ports (reset)

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://silentium.htb/

OS details: Linux 5.0 - 5.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only SSH (22) and HTTP (80) are exposed. Add silentium.htb to /etc/hosts.

HTB - Kobold

Sun, 05 Apr 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu)
CVE	CVE-2026-23744
Tags	`docker` `gshadow` `lfi` `mcp` `mcpjam` `pastebin` `path-traversal` `rce`

Summary Link to heading

Kobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. Initial access requires exploiting CVE-2026-23744 - an unauthenticated RCE in MCPJam Inspector - by sending a crafted JSON payload to /api/mcp/connect to execute arbitrary commands. Privilege escalation abuses a discrepancy between /etc/gshadow and the running session, allowing the sg command to switch into the docker group and mount the host filesystem inside a container.

HTB - Interpreter

Sun, 29 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Debian 12)
CVEs	CVE-2023-43208 · CVE-2023-37679

Summary Link to heading

Interpreter is a Medium-difficulty Linux machine centred around Mirth Connect 4.4.0, a widely-deployed open-source healthcare integration engine. The attack chain exploits CVE-2023-43208 - an unauthenticated pre-auth RCE via XStream deserialization - to gain an initial shell as the service user. Database credentials extracted from Mirth's config file lead to a PBKDF2-hashed password in the internal MySQL/PostgreSQL database. After cracking the hash offline with hashcat, SSH access is gained as user sedric. A locally-bound Python Flask service (notif.py) running as root exposes an eval() sink vulnerable to SSTI, which is abused to plant a SUID bash binary and achieve full root compromise.

HTB - Facts

Sun, 15 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux
Techniques	Mass Assignment · MinIO · ssh2john · facter GTFOBin

Summary Link to heading

Facts is an Easy Linux machine running a Ruby on Rails CMS. The intended foothold is a Mass Assignment vulnerability in the password change endpoint - by appending &password[role]=admin to the intercepted request, a low-privilege user escalates to admin without touching the LFI path. As admin, MinIO S3 credentials are exposed in the General Site filesystem settings. Using the mc client, an SSH private key is pulled from the internal MinIO bucket. The key passphrase is cracked offline with ssh2john + john (rockyou.txt → dragonballz). SSH access lands as trivia, who can run /usr/bin/facter as root via sudo. A malicious Ruby script planted in /tmp/piv and loaded via --custom-dir gives a root shell.

HTB - DevArea

Sun, 08 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Ubuntu 24.04)
Season	10

Summary Link to heading

DevArea is a Medium Linux machine. An anonymous FTP share exposes a Java SOAP service JAR. Decompiling it reveals Apache CXF with XOP/MTOM processing, vulnerable to CVE-2022-46364 - allowing Local File Inclusion via <xop:Include href="file:///..."/> elements. Using this LFI, plaintext HoverFly credentials are extracted from a systemd service file. HoverFly's middleware API then provides unauthenticated RCE. Privilege escalation abuses a world-writable /bin/bash combined with a passwordless sudo rule.

HTB - CCTV

Sun, 01 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu 24.04)
CVE	CVE-2024-51482

Summary Link to heading

CCTV is an Easy Linux machine running ZoneMinder, a CCTV management web application. The attack chain involves exploiting a boolean-based SQL injection vulnerability (CVE-2024-51482) to enumerate the database and dump credentials, then pivoting through an internal Motion/MotionEye camera stack via command injection in the picture_filename parameter to gain a root shell.