RCE on z3r0s

HTB - DevHub

Sat, 30 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The Logo Link to heading

The machine logo shows a caged beast with red glowing eyes trapped behind bars. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Caged beast behind bars: A system designed to restrict access, block unsafe operations, or confine environments (sandboxing / containerization).
Red glowing eyes: A powerful or potentially dangerous interface that is supposed to be fully locked down, but might have vulnerabilities in its containment.
Caged element: An environment escape (sandbox escape) or a container escape scenario.

The Name Link to heading

"DevHub" combined with the logo points toward:

A centralized developer platform or gateway (like GitLab, JupyterHub, or a custom tool manager) that coordinates multiple services.
An environment where developers deploy models, notebooks, or scripts, pointing directly to development-centric protocols like Model Context Protocol (MCP) or Jupyter.

The Instant Hypothesis Link to heading

Combining name and logo before even running nmap:

"This is a developer platform (DevHub) managing internal development or model tools. The caged beast suggests containerization, sandboxing, or restricted environments that we must escape. The primary attack vector will likely involve exploiting development utilities or container/sandbox escape vulnerabilities."

This hypothesis is confirmed within minutes of enumeration, revealing an exposed Model Context Protocol (MCP) debugger and Jupyter notebook.

HTB - Reactor

Sun, 24 May 2026 00:00:00 +0000

Difficulty: Easy | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The machine logo shows a nuclear reactor facility - cooling towers with radiation symbols (☢), smoke/steam rising, set inside a green circle. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Nuclear reactor theme → the web app will be a reactor monitoring dashboard, ICS/SCADA-style interface with sensor readings, logs, and personnel panels
Green color scheme → "nominal / online" status indicators - a live running service dashboard
Radiation symbols → nuclear operations terminology ahead: coolant flow, pressure, neutron flux, core temperature - all realistic dashboard labels that give no obvious attack surface

The Name Link to heading

"Reactor" combined with the logo points toward two things at once:

React/Next.js - "Reactor" is almost certainly a pun on React, the JavaScript framework. HTB machine names frequently reference the intended technology this way. This immediately narrows the attack surface to a Node.js web application.
Nuclear monitoring theme - the app will look like a static read-only dashboard with no login, no forms, no visible input - pushing the attacker toward framework-level vulnerabilities rather than application logic.

The Instant Hypothesis Link to heading

Combining name + logo before even running nmap:

"This is a Next.js app themed as a nuclear reactor dashboard. The name 'Reactor' punning on React strongly suggests a Next.js vulnerability is the intended path. The dashboard will look static but the attack vector will be server-side - likely Server Actions, API routes, or RSC deserialization."

This hypothesis was confirmed within minutes:

Port 3000 → X-Powered-By: Next.js in response headers
No login page, no visible forms → the framework itself is the attack surface, not the application logic
Next.js Server Actions prototype pollution (CVE-2025-55182) → exact match

This is why reading the logo matters. A good HTB player can often narrow the entire attack path to 1-2 CVEs before the nmap scan finishes.

HTB - Helix

Sun, 10 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux | Date: 2026-05-10

Summary Link to heading

Helix presents a realistic industrial operations scenario built around Apache NiFi, OPC UA, and a custom maintenance console. The attack chain is:

Vhost fuzzing → flow.helix.htb (Apache NiFi 1.21.0, unauthenticated)
NiFi RCE via ExecuteScript processor → shell as nifi
SSH private key for operator found in NiFi support bundles
Privilege escalation via OPC UA node manipulation to open a timed maintenance window → root shell

HTB - WingData

Fri, 08 May 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux
CVEs	CVE-2025-47812 · CVE-2025-4517 · CVE-2025-4138

Summary Link to heading

WingData is an Easy Linux machine. A company website redirects to an FTP client portal running Wing FTP Server v7.4.3, which is vulnerable to an unauthenticated RCE (CVE-2025-47812). Post-exploitation enumeration reveals a salted SHA-256 hash for user wacky stored in Wing FTP config files. After cracking the hash with hashcat and gaining SSH access, a misconfigured sudo rule allows execution of a Python backup restoration script as root. The script is vulnerable to CVE-2025-4517, a tarfile PATH_MAX bypass that allows arbitrary file write - used to overwrite /etc/sudoers and gain root.

HTB - VariaType

Tue, 05 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-66034 · CVE-2024-25082 · CVE-2025-47273

Summary Link to heading

VariaType is a Linux medium box centered around a typography company's web infrastructure. The attack chain involves three distinct CVEs:

CVE-2025-66034 - fonttools DesignSpace output path traversal → PHP webshell (www-data)
CVE-2024-25082 - FontForge archive filename command injection → SSH as steve (user)
CVE-2025-47273 - setuptools PackageIndex path traversal → SSH as root

Attack Chain Overview Link to heading

#	Stage	Technique	CVE/Tool
1	Recon	Nmap + vhost fuzzing + `.git` dump	-
2	Foothold	DesignSpace filename path traversal	CVE-2025-66034
3	User (steve)	FontForge archive filename cmd injection	CVE-2024-25082
4	Root	setuptools PackageIndex path traversal	CVE-2025-47273

01 - Reconnaissance Link to heading

rustscan -a <TARGET_IP> --ulimit 5000 -b 1500 -- -sV -sC

Port 22 OpenSSH 9.2p1
Port 80 nginx/1.22.1

Virtual Host Discovery Link to heading

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
 -u http://<TARGET_IP> -H "Host: FUZZ.variatype.htb" -fs <default_size>
# → portal.variatype.htb

Git Repository Leak Link to heading

curl -s http://portal.variatype.htb/.git/HEAD
# ref: refs/heads/master

Dumping the repository reveals hardcoded credentials in commit history:

HTB - Pterodactyl

Sun, 03 May 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux
CVEs	CVE-2025-49132 · CVE-2025-6018 · CVE-2025-6019

Summary Link to heading

Pterodactyl is a Linux machine that chains three critical vulnerabilities for full system compromise. The Pterodactyl Panel (a Laravel-based game server management platform) is hosted on a discovered subdomain. PHP PEAR is enabled with writable config paths, vulnerable to CVE-2025-49132 - unauthenticated RCE. Database credentials extracted from Laravel's .env file reveal a secondary user. Privilege escalation leverages CVE-2025-6018 (PAM environment variable injection) chained with CVE-2025-6019 (UDisks2 XFS filesystem privilege escalation) to achieve root.

HTB - Kobold

Sun, 05 Apr 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu)
CVE	CVE-2026-23744
Tags	`docker` `gshadow` `lfi` `mcp` `mcpjam` `pastebin` `path-traversal` `rce`

Summary Link to heading

Kobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. Initial access requires exploiting CVE-2026-23744 - an unauthenticated RCE in MCPJam Inspector - by sending a crafted JSON payload to /api/mcp/connect to execute arbitrary commands. Privilege escalation abuses a discrepancy between /etc/gshadow and the running session, allowing the sg command to switch into the docker group and mount the host filesystem inside a container.

HTB - Interpreter

Sun, 29 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Medium
OS	Linux (Debian 12)
CVEs	CVE-2023-43208 · CVE-2023-37679

Summary Link to heading

Interpreter is a Medium-difficulty Linux machine centred around Mirth Connect 4.4.0, a widely-deployed open-source healthcare integration engine. The attack chain exploits CVE-2023-43208 - an unauthenticated pre-auth RCE via XStream deserialization - to gain an initial shell as the service user. Database credentials extracted from Mirth's config file lead to a PBKDF2-hashed password in the internal MySQL/PostgreSQL database. After cracking the hash offline with hashcat, SSH access is gained as user sedric. A locally-bound Python Flask service (notif.py) running as root exposes an eval() sink vulnerable to SSTI, which is abused to plant a SUID bash binary and achieve full root compromise.

HTB - CCTV

Sun, 01 Mar 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu 24.04)
CVE	CVE-2024-51482

Summary Link to heading

CCTV is an Easy Linux machine running ZoneMinder, a CCTV management web application. The attack chain involves exploiting a boolean-based SQL injection vulnerability (CVE-2024-51482) to enumerate the database and dump credentials, then pivoting through an internal Motion/MotionEye camera stack via command injection in the picture_filename parameter to gain a root shell.