HTB: cybermonday Writeup

Machine Information

Attribute      Details
Name           cybermonday
OS             Linux
Difficulty     Hard
Points         N/A
Release Date   N/A
IP Address     10.129.114.83
Author         D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

cybermonday is a Hard-difficulty Linux machine running a Laravel-based e-commerce application. The exploitation path involves enumerating a vulnerable web application with information disclosure vulnerabilities, leveraging SQL error messages and mass assignment flaws to gain administrative access, exploiting SSRF/webhook functionality to interact with internal services, and finally leveraging Docker socket access for privilege escalation to root.

TL;DR: Enumerate Laravel app → Information Disclosure (SQL errors) → Mass Assignment/Admin Panel → SSRF/Webhook Exploitation → Docker Socket Privilege Escalation → Root.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- 10.129.114.83

Results:

22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open http nginx 1.25.1

Service Enumeration

Hostname: cybermonday.htb

Terminal window
echo "10.129.114.83 cybermonday.htb" >> /etc/hosts

Web Service Details:

  • Server: nginx 1.25.1
  • Backend: PHP 8.1.20 (Laravel framework)
  • Application Title: “Welcome - Cyber Monday” (e-commerce platform)
  • Detected Cookies: XSRF-TOKEN, cybermonday_session
  • Database: MySQL backend

Web Application Endpoints Discovered:

  • / - Homepage
  • /products - Product listing
  • /login - User login
  • /signup - User registration
  • /assets/ - Static assets

Initial Web Application Reconnaissance

Accessing http://cybermonday.htb reveals a Laravel-based e-commerce application. The application presents a typical user authentication flow with login and signup functionality. Initial fingerprinting through HTTP response headers and cookies confirms Laravel’s presence.

Key Finding — Information Disclosure via SQL Error:

Accessing the signup functionality and attempting to register with a duplicate username (or other invalid input) triggers detailed error responses. The application leaks sensitive information through stack traces:

  • Laravel/Illuminate stack trace exposure revealing the application framework structure
  • MySQL database backend confirmation with table and column names
  • Database Table Discovery: users table containing fields: username, email, password

This information disclosure is critical for understanding the application’s structure and identifying potential attack vectors.


Initial Foothold

Phase 1: Authentication & Mass Assignment Exploitation

Exploitation Steps:

  1. Register a new user account via the signup endpoint using the discovered users table structure.

  2. Trigger the SQL error with a duplicate registration to confirm the application’s vulnerability to information disclosure and refine the attack methodology.

  3. Login with created credentials to establish an authenticated session.

  4. Exploit Mass Assignment Vulnerability: Laravel applications that pass request input straight into create() or update() on models with permissive $fillable/$guarded settings can be exploited through mass assignment. The hint “Give yourself some rights” suggests escalating privileges to an administrator/admin role through request parameter manipulation:

    • Submit registration/profile update requests with additional parameters: is_admin=1, role=admin, or similar privilege-escalating fields
    • These extra fields are written to the model whenever its $fillable or $guarded properties do not restrict them

  5. Gain Administrative Access: Upon successful mass assignment, the created account obtains admin privileges, allowing access to restricted panels and functionality.

Note: Complete command sequences and payload details for this phase are documented in the original engagement notes.
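Added here as an example that is not part of the writeup: a small Python model of the Eloquent fill() rules the step above depends on, showing which request keys survive under a $fillable allowlist, under $guarded = [] and under a $guarded denylist. The column name is_admin is assumed and the request body is constructed.

```python
# Added example (not from the writeup): a Python model of how Eloquent's
# fill()/create() decides which request keys reach the database, following the
# rules of Model::isFillable()/isGuarded(). Column names such as is_admin are
# assumed; REQUEST is a constructed signup body.
from typing import Dict, List, Tuple


def eloquent_fill(attrs: Dict[str, object], fillable: List[str],
                  guarded: List[str]) -> Tuple[Dict[str, object], List[str]]:
    """Return (accepted, rejected) as Eloquent's fill() would treat them.

    - fillable non-empty: allowlist, every other key is silently dropped
    - fillable empty and guarded == ['*'] (the Laravel default): totally
      guarded, Eloquent throws MassAssignmentException
    - fillable empty and guarded == []: every key is writable (the weak case)
    - otherwise guarded is a denylist
    """
    if not fillable and guarded == ["*"]:
        raise ValueError("MassAssignmentException: model is totally guarded")
    accepted: Dict[str, object] = {}
    rejected: List[str] = []
    for key, value in attrs.items():
        if fillable:
            ok = key in fillable
        else:
            ok = key not in guarded and "." not in key and not key.startswith("_")
        if ok:
            accepted[key] = value
        else:
            rejected.append(key)
    return accepted, rejected


# Constructed request: the signup fields plus an extra privilege field appended
# to the body (is_admin is an assumed column name).
REQUEST = {"username": "alice", "email": "alice@example.com",
           "password": "s3cret", "is_admin": 1}

if __name__ == "__main__":
    # Hardened model: $fillable = ['username', 'email', 'password']; is_admin is dropped.
    print(eloquent_fill(REQUEST, ["username", "email", "password"], ["*"]))
    # Weak model: $guarded = []; is_admin is written along with the rest.
    print(eloquent_fill(REQUEST, [], []))
    # Denylist model: $guarded = ['is_admin']; only the privileged key is dropped.
    print(eloquent_fill(REQUEST, [], ["is_admin"]))
```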

Phase 2: Hidden Admin Panel & Extended Privileges

The hints “Hidden web part” and “give yourself some more rights” indicate the presence of additional administrative functionality:

  • Discover hidden endpoints (potentially at /admin, /dashboard, /admin-panel, or similar)
  • Further privilege escalation or capability grants may be available within the admin panel
  • Administrator-only API endpoints may provide additional functionality for the next exploitation phase

Status: Partial documentation — complete exploitation details to be referenced from original engagement notes.


User Compromise

Phase 3: Session Cookie Analysis

The hint “Take a look at your cookie, can you read it? Decode it? What data does it hold?” indicates that critical information can be extracted from session cookies:

Cookie Exploitation:

  • Examine the cybermonday_session cookie (Laravel session)
  • Attempt decoding of cookie values (base64, JWT, or custom encoding)
  • Session cookies may contain serialized user data that can be manipulated
  • Inspect XSRF-TOKEN for additional structural information about the application state

This phase may reveal additional user information, session tokens, or paths toward further lateral movement.
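As an added example that is not part of the writeup: the envelope Laravel wraps around cookies such as cybermonday_session and XSRF-TOKEN, decoded and integrity-checked with the standard library. The APP_KEY and ciphertext are constructed; the AES-256-CBC decryption of the value is not shown, since without APP_KEY the value is opaque and that is the point the check makes.

```python
# Added example (not from the writeup): decode the envelope Laravel wraps around
# cookies such as cybermonday_session and XSRF-TOKEN and check its integrity.
# The envelope is base64(JSON{iv, value, mac, tag}); mac = HMAC-SHA256 over
# iv_b64 + value_b64 keyed with APP_KEY. Without the key the value stays opaque
# and any edit fails the mac check. DEMO_KEY and the ciphertext are constructed.
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import quote, unquote


def app_key_bytes(app_key: str) -> bytes:
    """.env stores APP_KEY as 'base64:<key>'; older apps used a raw string."""
    return base64.b64decode(app_key[7:]) if app_key.startswith("base64:") else app_key.encode()

def parse_envelope(cookie: str) -> dict:
    """Undo the URL encoding and outer base64; return the JSON envelope."""
    env = json.loads(base64.b64decode(unquote(cookie)))
    missing = [f for f in ("iv", "value", "mac") if f not in env]
    if missing:
        raise ValueError(f"not a Laravel encrypted cookie, missing {missing}")
    return env

def mac_valid(env: dict, app_key: str) -> bool:
    expected = hmac.new(app_key_bytes(app_key), (env["iv"] + env["value"]).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, env["mac"])

def build_cookie(iv: bytes, ciphertext: bytes, app_key: str) -> str:
    """Wrap a ciphertext the way Encrypter::encrypt() does for CBC ciphers (tag empty).
    The AES step itself is out of scope here, so the ciphertext is passed in."""
    iv_b64 = base64.b64encode(iv).decode()
    ct_b64 = base64.b64encode(ciphertext).decode()
    mac = hmac.new(app_key_bytes(app_key), (iv_b64 + ct_b64).encode(), hashlib.sha256).hexdigest()
    payload = json.dumps({"iv": iv_b64, "value": ct_b64, "mac": mac, "tag": ""}, separators=(",", ":"))
    return quote(base64.b64encode(payload.encode()).decode(), safe="")

def edited_copy(cookie: str) -> str:
    """Return the cookie with one ciphertext byte changed and the mac left as-is."""
    env = parse_envelope(cookie)
    env["value"] = base64.b64encode(b"X" + base64.b64decode(env["value"])[1:]).decode()
    return quote(base64.b64encode(json.dumps(env).encode()).decode(), safe="")


DEMO_KEY = "base64:" + base64.b64encode(b"\x11" * 32).decode()   # constructed APP_KEY
DEMO_COOKIE = build_cookie(os.urandom(16), b"opaque-ciphertext-bytes!", DEMO_KEY)
```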

Phase 4: SSRF/Webhook Exploitation

The hint “Can the machine talk to you? Make it talk to something else” indicates Server-Side Request Forgery (SSRF) or webhook functionality:

Exploitation Approach:

  • Identify webhook or callback functionality within the admin panel
  • Configure webhooks or request handlers to interact with external/internal services
  • Use SSRF to access internal services or enumerate Docker internal hosts
  • Common targets: localhost, 127.0.0.1, 172.17.0.1 (Docker gateway), internal service discovery
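As an added example that is not part of the writeup: the server-side check a webhook feature should apply to a user-supplied URL before fetching it, which rejects the internal targets listed above by requiring every resolved address to be globally routable. The hostnames and the FAKE_DNS table are constructed; the resolver is injectable so the demo runs offline.

```python
# Added example (not from the writeup): the check a webhook feature should run
# on a user-supplied URL before fetching it. Every resolved address must be
# globally routable, which rejects loopback, RFC 1918 (so also the Docker bridge
# 172.17.0.1), link-local/metadata and reserved ranges. FAKE_DNS is constructed.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA answer so a split answer cannot hide one bad IP."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_webhook_url(url: str, resolve: Callable[[str], List[str]] = system_resolver
                         ) -> Tuple[bool, str, List[str]]:
    """Return (ok, reason, resolved_ips). Connect to one of the returned IPs
    instead of resolving again, which closes the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username or parts.password or not parts.hostname:
        return False, "credentials in URL or missing host", []
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed port", []
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        ips = [ipaddress.ip_address(ip) for ip in resolve(parts.hostname)]
    except (socket.gaierror, ValueError):
        return False, "hostname does not resolve", []
    for addr in ips:
        if not addr.is_global:  # loopback, private, link-local, reserved...
            return False, f"{parts.hostname} resolves to non-global {addr}", [str(a) for a in ips]
    return True, "ok", [str(a) for a in ips]


# Constructed DNS table standing in for the system resolver in the demo.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # split answer
}

def demo_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [host])  # unknown names are treated as IP literals
```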

Phase 5: Internal Service Enumeration

The hint “Internal hosts, enumerate common ports, source of another web service” suggests:

  • Enumerate internal Docker services and running applications
  • Common ports to check: 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 8080-8090 (alternate web services)
  • Identify additional vulnerable services or credential stores accessible from the compromised host
  • This reconnaissance leads to identifying a second internal web service or API

Status: Partial documentation — specific SSRF payload and internal service details to be referenced from original engagement notes.

User Flag

Terminal window
cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

Terminal window
sudo -l                                        # sudo rules granted to the current user
find / -perm -4000 -type f 2>/dev/null         # SUID binaries
ps aux | grep -E "python|java|node|php|ruby"   # interpreters running under other accounts
docker ps                                      # lists containers only if the socket is reachable
ls -la /var/run/                               # look for docker.sock and its owner/group/mode
docker exec --help                             # confirm the docker CLI is installed

Docker Socket Exploitation

The hint “What can you map other than volumes?” is the critical clue for privilege escalation. This refers to Docker socket access:

Exploitation Path:

  1. Identify Docker Socket Access: Check for access to /var/run/docker.sock

    Terminal window
    ls -la /var/run/docker.sock
    groups # Check if user is in docker group
  2. Docker Socket Exploitation: If accessible, the docker socket can be used to execute commands as root:

    • Create a privileged container and mount the root filesystem
    • Execute commands within the container with full system access
    • Alternative: Use Docker API directly to create containers and execute payloads
  3. Privilege Escalation Commands (if docker.sock is accessible):

    Terminal window
    # Mount root filesystem in privileged container and read root flag
    docker run -v /:/mnt -it alpine cat /mnt/root/root.txt
    # Or obtain interactive root shell
    docker run -v /:/mnt --rm -it alpine chroot /mnt /bin/bash
  4. API-based Exploitation: If docker CLI is unavailable, use direct socket interaction:

    • Connect to /var/run/docker.sock via curl or netcat
    • Execute API calls to create containers and run arbitrary commands
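As an added example that is not part of the writeup: a defender-side audit over `docker inspect` output that flags the container configurations the steps above rely on (a bind mount of / or of docker.sock, --privileged, or the host PID namespace). The SAMPLE data is constructed to mirror the `docker run -v /:/mnt` case.

```python
# Added example (not from the writeup): a defender-side audit that flags running
# containers with the host-root reach used above: a bind mount of "/" or of
# docker.sock, --privileged, or the host PID namespace. It reads `docker inspect`
# JSON; SAMPLE is constructed to mirror `docker run -v /:/mnt -it alpine`.
import json
import sys
from typing import Dict, List

SENSITIVE_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock", "/etc", "/root"}


def risky_settings(container: Dict) -> List[str]:
    """Return the findings for one entry of `docker inspect` output."""
    findings = []
    host = container.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, no device cgroup limits")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") in SENSITIVE_SOURCES:
            mode = "rw" if m.get("RW", True) else "ro"
            findings.append(f"bind mount {m['Source']} -> {m.get('Destination')} ({mode})")
    return findings

def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings, for containers that have any."""
    report = {}
    for c in json.loads(inspect_json):
        hits = risky_settings(c)
        if hits:
            report[c.get("Name", c.get("Id", "?")).lstrip("/")] = hits
    return report


# Constructed `docker inspect` output, trimmed to the fields the audit reads.
SAMPLE = json.dumps([
    {"Id": "aaa111", "Name": "/escape", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Id": "bbb222", "Name": "/web", "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/var/www"}]},
    {"Id": "ccc333", "Name": "/agent", "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": []},
])

if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 audit.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, hits in audit(data).items():
        print(f"{name}: " + "; ".join(hits))
```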

Root Flag Extraction:

Terminal window
cat /root/root.txt

Root Flag

🚩 Root Flag: <REDACTED>

Status: This phase documents the exploitation methodology. Complete payload execution details and post-exploitation commands to be referenced from original engagement notes.


Attack Chain Summary

graph TD
A["Nmap Enumeration<br/>Port 80: nginx + Laravel"] --> B["Web App Reconnaissance<br/>Signup/Error Information Disclosure"]
B --> C["SQL Error Messages<br/>Database Structure Leakage"]
C --> D["Mass Assignment Exploitation<br/>Privilege Escalation to Admin"]
D --> E["Hidden Admin Panel<br/>Extended Privileges"]
E --> F["Cookie Analysis<br/>Session Manipulation"]
F --> G["SSRF/Webhook Exploitation<br/>Internal Service Access"]
G --> H["Internal Host Enumeration<br/>Docker Service Discovery"]
H --> I["Docker Socket Access<br/>Identified"]
I --> J["Docker Socket Exploitation<br/>Privileged Container Execution"]
J --> K["Root Flag Obtained"]

Tools Used

Tool            Purpose
nmap            Port scanning and service fingerprinting
curl            HTTP requests and web application interaction
burp            HTTP request interception and modification, mass assignment testing
browser         Web application reconnaissance and UI navigation
base64          Cookie decoding and session analysis
docker          Docker socket exploitation and container execution
netcat/nc       Socket interaction and API testing
nikto           Web vulnerability scanning
xxd/hexdump     Binary data analysis

Key Learnings

  • Information Disclosure via Error Messages: Laravel and PHP applications can leak critical system information (database structure, framework internals) through unhandled exceptions. Always examine error messages during reconnaissance.

  • Mass Assignment Vulnerabilities: Laravel’s $fillable and $guarded properties are crucial for security. Inadequate configuration allows attackers to elevate privileges by injecting additional request parameters.

  • Session & Cookie Analysis: Serialized session data in cookies may contain exploitable information or manipulation opportunities. Always decode and analyze session tokens.

  • SSRF as a Pivot Point: SSRF vulnerabilities enable attackers to interact with internal services, internal APIs, and metadata services. Webhooks and callback functionality should be scrutinized for SSRF exploitation.

  • Docker Security Misconfiguration: Exposed Docker sockets (/var/run/docker.sock) are a critical privilege escalation vector. Membership in the docker group, or misconfigured capabilities, can lead to immediate root compromise.

  • Defense-in-Depth: This machine demonstrates the importance of implementing security controls at multiple layers: input validation, output encoding, privilege separation, and container isolation.


Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Hard