Skip to content
MananisPiwPiw
Go back

Hack The Box: Silentium (Writeup)

Table of contents

Open Table of contents

Recon 🔎

Nmap scan:

# Full port scan
sudo nmap -p- --min-rate 1000 -T4 <MACHINE_IP>

# After got the port lists, use this detailed scan
sudo nmap -sC -sV -O -oA nmap/silentium -p <PORT1, PORT2, PORTN...> <MACHINE_IP>

Nuclei scan:

nuclei -u <MACHINE_IP/URL>

From Nuclei scan i got nothing. From nmap, I got 2 port open, which are 22 (ssh) and 80 (web/http). And for the web app, it seems redirecting us to http://silentium.htb/. Add those hostname to you hosts file.

Here are the web pages, image

After deep through to all pages and it source page. Nothing seems interesting to exploit, all of them is just a static page. Let’s try another enumeration.

Subdomain enumeration:

gobuster vhost -u silentium.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

The result: image

from that result, we got a potential subdomain staging.silentium.htb. Add that to hosts file.

Here is the web interface for staging.silentium.htb: image

Shell as ben

From this interface: image

We can see the technology they used are Flowise. {%preview https://flowiseai.com/ %}

Since it is an open-source tech. Let’s deep dive into the github repo for further enumeration. {%preview https://github.com/FlowiseAI/Flowise %}

At packages/ui/src/routes/AuthRoutes.jsx we can see the configuration of the routes/endpoints for this web app. For me, there are 2 interesing endpoint that we can play with. First one is /register: image

And /organization-setup endpoint: image

Turns out both of them doesn’t work. /register is just a static page. While /organization-setup returning this warning when registering: image Burpsuite looks: image

Now let’s find its version so we can enumerate more regarding known vulnerabilities for those version.

If you check the file at packages/server/srcroutes/index.ts we can see all endpoint on server-sisde. Since my goal is to find the version, here is the one: image

After hitting thoose endpoint, I can see that the version they use are 3.0.5. image

I found a CVE-2025-58434, it is interesting, not only because the version are sufficient, but the scenario itself suits us. We don’t have a user to logged in. So other CVE might be useless since most of them (after i did some research) require me to be authenticated first.

But the thing is, I need a valid user email to hijack. Where do i need to look it up?

If you remember at silentium.htb/#features. There are some interesting name list there: image It is either:

After I did try all of those with appending @silentium.htb as the email. Turns out, ben is the only valid one. It’s time to exploit this!

You can go in-depth here to see how to exploit it manually: {%preview https://github.com/advisories/GHSA-wgpv-6j63-x5ph %}

After you understood behind those vulnerability, you can use my PoC script or manually using cURL, it’s up to you: {%preview https://github.com/mananispiwpiw/CVE-2025-58434-PoC/tree/main %}

Running the script, you will be prompted like this: image

Input the new password you want to use and logged in as ben. After that, the response should look like this: image

Next step are log in as ben, and here are the interface inside flowise: image

Next CVE that looks good are CVE-2025-59528: {%preview https://github.com/advisories/GHSA-3gcm-f6qx-ff7p %}

Basically this vulnerability happen at nodeJS. It remind me of n8n vulnerability last year.

Here is the PoC I made, for the sake of simplicity. When you run it, you will be prompted like this: image

Just fill all the value based on your env and machine. And we will get shell.

Let’s try enumerate the machine/container.

FLOWISE_PASSWORD=F1l3_d0ck3r
ALLOW_UNAUTHORIZED_CERTS=true
NODE_VERSION=20.19.4
HOSTNAME=c78c3cceb7ba
YARN_VERSION=1.22.22
SMTP_PORT=1025
SHLVL=3
PORT=3000
HOME=/root
OLDPWD=/root
SENDER_EMAIL=ben@silentium.htb
PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
JWT_ISSUER=ISSUER
JWT_AUTH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
LLM_PROVIDER=nvidia-nim
SMTP_USERNAME=test
SMTP_SECURE=false
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
FLOWISE_USERNAME=ben
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DATABASE_PATH=/root/.flowise
JWT_TOKEN_EXPIRY_IN_MINUTES=360
JWT_AUDIENCE=AUDIENCE
SECRETKEY_PATH=/root/.flowise
PWD=/root
SMTP_PASSWORD=r04D!!_R4ge
NVIDIA_NIM_LLM_MODE=managed
SMTP_HOST=mailhog
JWT_REFRESH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
SMTP_USER=test

Since i see SMTP there. Let’s check does the SMTP running on the same machine or not:

# Exposes kernel TCP socket information
cat /proc/net/tcp | awk '{print $2}'
# Running processes
ps aux
# 
getent hosts mailhog

After several thing. It turns out, mailhog(smtp) is just a service within the container. So i can’t exploit further.

And it turns out that the value of SMTP_PASSWORD can also be used for an ssh session as ben.

image

Shell as root

After runnint sudo -l command. Turns out this ben user doesn’t have any root privileges: image

Next let’s check all listening network sockets and the processes using them:

ss -tulnp

image

Let’s check those services with simple curl command like this:

for port in 46363 1025 3001 3000; do curl -i "http://127.0.0.1:$port"; done

At port 3001 scan. I found a new subdomain that might worth to check, staging-v2-code.dev.silentium.htb. Add it yo your hosts file. image

Here is the web UI: image

Let’s try register to it. And let’s see what we can do.

After did some research. It was vulnerable to CVE-2025-8110. {%preview https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit %}

You can use this PoC for the exploit: https://github.com/mananispiwpiw/CVE-2025-8110-PoC

And you will gain a shell as root.


Share this post:

Next Post
Hack The Box: Facts (Writeup)