Table of contents
Open Table of contents
Recon 🔎
Nmap scan:
# Full port scan
sudo nmap -p- --min-rate 1000 -T4 <MACHINE_IP>
# After got the port lists, use this detailed scan
sudo nmap -sC -sV -O -oA nmap/silentium -p <PORT1, PORT2, PORTN...> <MACHINE_IP>
Nuclei scan:
nuclei -u <MACHINE_IP/URL>
From Nuclei scan i got nothing. From nmap, I got 2 port open, which are 22 (ssh) and 80 (web/http). And for the web app, it seems redirecting us to http://silentium.htb/. Add those hostname to you hosts file.
Here are the web pages,

After deep through to all pages and it source page. Nothing seems interesting to exploit, all of them is just a static page. Let’s try another enumeration.
Subdomain enumeration:
gobuster vhost -u silentium.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
The result:

from that result, we got a potential subdomain staging.silentium.htb. Add that to hosts file.
Here is the web interface for staging.silentium.htb:

Shell as ben
From this interface:

We can see the technology they used are Flowise.
{%preview https://flowiseai.com/ %}
Since it is an open-source tech. Let’s deep dive into the github repo for further enumeration. {%preview https://github.com/FlowiseAI/Flowise %}
At packages/ui/src/routes/AuthRoutes.jsx we can see the configuration of the routes/endpoints for this web app. For me, there are 2 interesing endpoint that we can play with. First one is /register:

And /organization-setup endpoint:

Turns out both of them doesn’t work. /register is just a static page. While /organization-setup returning this warning when registering:
Burpsuite looks:

Now let’s find its version so we can enumerate more regarding known vulnerabilities for those version.
If you check the file at packages/server/srcroutes/index.ts we can see all endpoint on server-sisde. Since my goal is to find the version, here is the one:

After hitting thoose endpoint, I can see that the version they use are 3.0.5.

I found a CVE-2025-58434, it is interesting, not only because the version are sufficient, but the scenario itself suits us. We don’t have a user to logged in. So other CVE might be useless since most of them (after i did some research) require me to be authenticated first.
But the thing is, I need a valid user email to hijack. Where do i need to look it up?
If you remember at silentium.htb/#features. There are some interesting name list there:
It is either:
- ben
- marcus
- thorne
- elena
- rossi
After I did try all of those with appending @silentium.htb as the email. Turns out, ben is the only valid one. It’s time to exploit this!
You can go in-depth here to see how to exploit it manually: {%preview https://github.com/advisories/GHSA-wgpv-6j63-x5ph %}
After you understood behind those vulnerability, you can use my PoC script or manually using cURL, it’s up to you: {%preview https://github.com/mananispiwpiw/CVE-2025-58434-PoC/tree/main %}
Running the script, you will be prompted like this:

Input the new password you want to use and logged in as ben. After that, the response should look like this:

Next step are log in as ben, and here are the interface inside flowise:

Next CVE that looks good are CVE-2025-59528: {%preview https://github.com/advisories/GHSA-3gcm-f6qx-ff7p %}
Basically this vulnerability happen at nodeJS. It remind me of n8n vulnerability last year.
Here is the PoC I made, for the sake of simplicity. When you run it, you will be prompted like this:

Just fill all the value based on your env and machine. And we will get shell.
Let’s try enumerate the machine/container.
env
FLOWISE_PASSWORD=F1l3_d0ck3r
ALLOW_UNAUTHORIZED_CERTS=true
NODE_VERSION=20.19.4
HOSTNAME=c78c3cceb7ba
YARN_VERSION=1.22.22
SMTP_PORT=1025
SHLVL=3
PORT=3000
HOME=/root
OLDPWD=/root
SENDER_EMAIL=ben@silentium.htb
PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
JWT_ISSUER=ISSUER
JWT_AUTH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
LLM_PROVIDER=nvidia-nim
SMTP_USERNAME=test
SMTP_SECURE=false
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
FLOWISE_USERNAME=ben
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DATABASE_PATH=/root/.flowise
JWT_TOKEN_EXPIRY_IN_MINUTES=360
JWT_AUDIENCE=AUDIENCE
SECRETKEY_PATH=/root/.flowise
PWD=/root
SMTP_PASSWORD=r04D!!_R4ge
NVIDIA_NIM_LLM_MODE=managed
SMTP_HOST=mailhog
JWT_REFRESH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
SMTP_USER=test
Since i see SMTP there. Let’s check does the SMTP running on the same machine or not:
# Exposes kernel TCP socket information
cat /proc/net/tcp | awk '{print $2}'
# Running processes
ps aux
#
getent hosts mailhog
After several thing. It turns out, mailhog(smtp) is just a service within the container. So i can’t exploit further.
And it turns out that the value of SMTP_PASSWORD can also be used for an ssh session as ben.

Shell as root
After runnint sudo -l command. Turns out this ben user doesn’t have any root privileges:

Next let’s check all listening network sockets and the processes using them:
ss -tulnp

Let’s check those services with simple curl command like this:
for port in 46363 1025 3001 3000; do curl -i "http://127.0.0.1:$port"; done
At port 3001 scan. I found a new subdomain that might worth to check, staging-v2-code.dev.silentium.htb. Add it yo your hosts file.

Here is the web UI:

Let’s try register to it. And let’s see what we can do.
After did some research. It was vulnerable to CVE-2025-8110. {%preview https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit %}
You can use this PoC for the exploit: https://github.com/mananispiwpiw/CVE-2025-8110-PoC
And you will gain a shell as root.