Medium on z3r0s

HTB - SmartHire

Mon, 18 May 2026 00:37:12 +0300

SmartHire HTB Write-up Link to heading

Executive Summary Link to heading

SmartHire was compromised in two stages:

Initial access / user shell The SmartHire web application relied on an external MLflow instance to load a model by name during resume prediction. Because the MLflow registry was exposed and protected only by weak credentials (admin:password), it was possible to register a malicious pyfunc model under the exact name expected by the application. When the application later loaded that model during a prediction request, it deserialized attacker-controlled pickle content and executed a reverse shell as svcweb.

HTB - Browsed

Sun, 10 May 2026 23:19:05 +0300

After get the target ip lets scan with nmap

We have port 80 lets check it

sudo nano /etc/hosts

ip browsed.htb

lets go to check Samples Page

http://browsed.htb/samples.html

lets Download any file, I'll download second file

**After download the file we got zip file lets unzip it

It Looks interesting

lets Check upload page

We can Upload Chrome Extension (.zip)

HTB - Helix

Sun, 10 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux | Date: 2026-05-10

Summary Link to heading

Helix presents a realistic industrial operations scenario built around Apache NiFi, OPC UA, and a custom maintenance console. The attack chain is:

Vhost fuzzing → flow.helix.htb (Apache NiFi 1.21.0, unauthenticated)
NiFi RCE via ExecuteScript processor → shell as nifi
SSH private key for operator found in NiFi support bundles
Privilege escalation via OPC UA node manipulation to open a timed maintenance window → root shell

HTB - VariaType

Tue, 05 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-66034 · CVE-2024-25082 · CVE-2025-47273

Summary Link to heading

VariaType is a Linux medium box centered around a typography company's web infrastructure. The attack chain involves three distinct CVEs:

CVE-2025-66034 - fonttools DesignSpace output path traversal → PHP webshell (www-data)
CVE-2024-25082 - FontForge archive filename command injection → SSH as steve (user)
CVE-2025-47273 - setuptools PackageIndex path traversal → SSH as root

Attack Chain Overview Link to heading

#	Stage	Technique	CVE/Tool
1	Recon	Nmap + vhost fuzzing + `.git` dump	-
2	Foothold	DesignSpace filename path traversal	CVE-2025-66034
3	User (steve)	FontForge archive filename cmd injection	CVE-2024-25082
4	Root	setuptools PackageIndex path traversal	CVE-2025-47273

01 - Reconnaissance Link to heading

rustscan -a <TARGET_IP> --ulimit 5000 -b 1500 -- -sV -sC

Port 22 OpenSSH 9.2p1
Port 80 nginx/1.22.1

Virtual Host Discovery Link to heading

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
 -u http://<TARGET_IP> -H "Host: FUZZ.variatype.htb" -fs <default_size>
# → portal.variatype.htb

Git Repository Leak Link to heading

curl -s http://portal.variatype.htb/.git/HEAD
# ref: refs/heads/master

Dumping the repository reveals hardcoded credentials in commit history:

HTB - Pterodactyl

Sun, 03 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-49132 · CVE-2025-6018 · CVE-2025-6019

Pterodactyl is a Linux machine that chains three critical vulnerabilities for full system compromise. The Pterodactyl Panel (a Laravel-based game server management platform) is hosted on a discovered subdomain. PHP PEAR is enabled with writable config paths, vulnerable to CVE-2025-49132 - unauthenticated RCE. Database credentials extracted from Laravel's .env file reveal a secondary user. Privilege escalation leverages CVE-2025-6018 (PAM environment variable injection) chained with CVE-2025-6019 (UDisks2 XFS filesystem privilege escalation) to achieve root.

HTB - Silentium

Tue, 14 Apr 2026 00:00:00 +0000

1. Port Scan Link to heading

nmap -sV -A -T4 10.129.30.114 -o port_scan

Starting Nmap 7.99 ( https://nmap.org ) at 2026-04-14 15:20 -0400
Nmap scan report for 10.129.30.114
Host is up (0.088s latency).
Not shown: 998 closed tcp ports (reset)

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://silentium.htb/

OS details: Linux 5.0 - 5.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only SSH (22) and HTTP (80) are exposed. Add silentium.htb to /etc/hosts.

HTB - Interpreter

Sun, 29 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Debian 12)
CVEs	CVE-2023-43208 · CVE-2023-37679

Summary Link to heading

Interpreter is a Medium-difficulty Linux machine centred around Mirth Connect 4.4.0, a widely-deployed open-source healthcare integration engine. The attack chain exploits CVE-2023-43208 - an unauthenticated pre-auth RCE via XStream deserialization - to gain an initial shell as the service user. Database credentials extracted from Mirth's config file lead to a PBKDF2-hashed password in the internal MySQL/PostgreSQL database. After cracking the hash offline with hashcat, SSH access is gained as user sedric. A locally-bound Python Flask service (notif.py) running as root exposes an eval() sink vulnerable to SSTI, which is abused to plant a SUID bash binary and achieve full root compromise.

HTB - DevArea

Sun, 08 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Ubuntu 24.04)
Season	10

Summary Link to heading

DevArea is a Medium Linux machine. An anonymous FTP share exposes a Java SOAP service JAR. Decompiling it reveals Apache CXF with XOP/MTOM processing, vulnerable to CVE-2022-46364 - allowing Local File Inclusion via <xop:Include href="file:///..."/> elements. Using this LFI, plaintext HoverFly credentials are extracted from a systemd service file. HoverFly's middleware API then provides unauthenticated RCE. Privilege escalation abuses a world-writable /bin/bash combined with a passwordless sudo rule.