HTB: download Writeup


Machine Information

Name: download
OS: Linux
Difficulty: Hard
Points: N/A
Release Date: N/A
IP Address: 10.129.126.200
Author: D3vnomi
Status: Partial/Incomplete

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

Status: This is a partial writeup based on reconnaissance data. The exploitation chain, lateral movement, and privilege escalation phases are marked as incomplete and require further testing and documentation.

download is a Hard-difficulty Linux machine running a Node.js Express-based file sharing application. Initial enumeration reveals a web service on port 80 with user registration, authentication, and file upload/download functionality. The machine has SSH access on port 22. This writeup documents the reconnaissance phase in detail; further exploitation steps require continued investigation.

TL;DR: Reconnaissance → Web Service Enumeration → [Exploitation Path - INCOMPLETE] → [User Flag - INCOMPLETE] → [Privilege Escalation - INCOMPLETE]


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.126.200

Results:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

Service Enumeration

Hostname: download.htb

Add the hostname to your hosts file:

echo "10.129.126.200 download.htb" >> /etc/hosts

Web Application Discovery

URL: http://download.htb

Server Information:

  • Web Server: nginx 1.18.0
  • Backend Framework: Express (Node.js) - revealed via X-Powered-By: Express header
  • Application Type: File sharing platform with user authentication

Core Functionality:

  1. Authentication System

    • /auth/register - User registration endpoint
    • /auth/login - User login endpoint
    • Logout functionality available to authenticated users
  2. File Management Features

    • /files/upload - Upload files to the platform
    • /files/view/{uuid} - View/access uploaded files via unique identifier
    • Download functionality for uploaded files
    • Delete functionality for file removal (available to file owners)
    • Copy link function (frontend implementation - requires further investigation)
  3. File Access Control

    • Files can be marked as “private” upon upload (when authenticated)
    • Non-authenticated file uploads may also be supported
    • Upload creates shareable links with UUID-based identifiers

Subdomain Enumeration

wfuzz -c -Z -w /path/to/wordlist -u http://download.htb -H "Host: FUZZ.download.htb"

Status: Subdomain scan was performed but no additional subdomains were discovered.


Initial Foothold

Exploitation Path

STATUS: INCOMPLETE - Investigation Required

The reconnaissance phase has identified a file upload application with user authentication, but the specific vulnerability or exploitation path has not yet been documented. Based on the application features, potential attack vectors to investigate include:

Potential Attack Vectors:

  1. File Upload Vulnerabilities

    • Unrestricted file upload (executable files, web shells, etc.)
    • File type validation bypass
    • Path traversal in upload/download functionality
    • Race conditions in file handling
    • Filename/extension manipulation
  2. Authentication Bypass

    • Registration/login logic flaws
    • Session management vulnerabilities
    • JWT/token manipulation if applicable
    • Credential enumeration
  3. Access Control Issues

    • Private file access bypass
    • Accessing files by enumerating or guessing UUIDs
    • Direct object reference vulnerabilities (IDOR)
    • Privilege escalation between authenticated users
  4. Code Injection

    • Expression Language injection in file metadata
    • Template injection in the file sharing links
    • Node.js-specific vulnerabilities (require gadgets, prototype pollution, etc.)

Next Steps for Investigation

  • Perform detailed HTTP request analysis on file upload/download operations
  • Test file upload with various payloads (web shells, arbitrary extensions, etc.)
  • Analyze UUID generation patterns for predictability
  • Examine copy link functionality and frontend JavaScript implementation
  • Test authentication boundaries and session handling
  • Enumerate application files and source code disclosure possibilities
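An added example for the UUID analysis step above (not part of the original writeup): it classifies identifiers by RFC 4122 version, and for version-1 identifiers decodes the embedded timestamp and node field that make such IDs guessable. The sample identifiers are constructed; the version-1 one is the example namespace UUID from RFC 4122, not anything observed on download.htb.

```javascript
// Added example, not the writeup's or the application's code. Sample IDs are
// constructed; the third is the RFC 4122 example namespace UUID (version 1).
const SAMPLE_IDS = [
  "3f2a7c1e-9b4d-4e8a-a1c2-5d6e7f8a9b0c", // version 4: random
  "7c0d9e2b-1a3f-4b5c-8d6e-9f0a1b2c3d4e", // version 4: random
  "6ba7b810-9dad-11d1-80b4-00c04fd430c8", // version 1: time-based
  "not-a-uuid",
];

const UUID_RE = /^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$/i;

// Parse a UUID into its version and variant; null if the string is malformed.
function parseUuid(s) {
  const m = UUID_RE.exec(s);
  if (!m) return null;
  const hex = m.slice(1).join("").toLowerCase();
  return {
    hex,
    version: parseInt(hex[12], 16),                         // high nibble of time_hi_and_version
    variantRfc4122: (parseInt(hex[16], 16) & 0xc) === 0x8,  // top bits of clock_seq_hi are 10
  };
}

// For a version-1 UUID, recover the 60-bit timestamp (100 ns ticks since
// 1582-10-15) and the 48-bit node field; both are what make v1 IDs guessable.
function v1Details(hex) {
  const timeLow = hex.slice(0, 8), timeMid = hex.slice(8, 12), timeHigh = hex.slice(13, 16);
  const ticks = BigInt("0x" + timeHigh + timeMid + timeLow);
  const GREGORIAN_TO_UNIX_MS = 12219292800000n; // 1582-10-15 to 1970-01-01
  const unixMs = ticks / 10000n - GREGORIAN_TO_UNIX_MS;
  return { timestamp: new Date(Number(unixMs)).toISOString(), node: hex.slice(20) };
}

// Classify each identifier: "random" (v4), "predictable" (v1), "other", or "invalid".
function classify(ids) {
  return ids.map((id) => {
    const p = parseUuid(id);
    if (!p) return { id, kind: "invalid" };
    if (p.version === 4) return { id, kind: "random", variantRfc4122: p.variantRfc4122 };
    if (p.version === 1) return { id, kind: "predictable", ...v1Details(p.hex) };
    return { id, kind: "other", version: p.version };
  });
}

console.log(JSON.stringify(classify(SAMPLE_IDS), null, 2));
```

If every identifier an application hands out comes back as "random" with the RFC 4122 variant set, the UUID itself is not the weak point and testing effort belongs on the access-control logic instead.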

User Compromise

STATUS: INCOMPLETE

Initial Access Method

Once the initial foothold vulnerability is identified and exploited, the following reconnaissance commands should be executed to discover user credentials:

# Check system users
cat /etc/passwd
# Look for application configuration files (grouped so -type f applies to every name pattern)
find / -type f \( -name "*.config" -o -name "*.env" -o -name "*.json" \) 2>/dev/null
# Check web application directories
ls -la /var/www/
ls -la /srv/
# Review application source code if accessible; prune node_modules so the tree is not flooded
find / -path "*/node_modules" -prune -o -type f \( -name "*.js" -o -name "*.ts" -o -name "*.json" \) -print 2>/dev/null
# Check for database files or credentials
find / -type f \( -name "*.db" -o -name "*cred*" -o -name "*secret*" \) 2>/dev/null

Credential Discovery

Credentials may be discovered through:

  • Application database files
  • Environment variable files (.env, config.js)
  • Source code review
  • Database server enumeration
  • Process memory inspection

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

STATUS: INCOMPLETE

Enumeration Commands

Once user-level access is obtained, perform the following enumeration to identify privilege escalation vectors:

# Check sudo permissions
sudo -l
# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check for capability-enabled binaries (getcap walks the tree itself; SUID bits are unrelated)
getcap -r / 2>/dev/null
# Monitor running processes
ps aux | grep -E "python|java|node|php|ruby|npm"
# Check cron jobs
crontab -l
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
# Review system configuration
cat /etc/fstab
mount | grep -E "noexec|nosuid"
# Check kernel version and potential exploits
uname -a
# Look for world-writable directories
find / -type d -writable 2>/dev/null | grep -v proc | grep -v sys

Likely Privilege Escalation Vectors

Given the Node.js/Express backend:

  1. Application Process Running as Root/sudo

    • If the web application runs with elevated privileges, command injection in file upload/download could lead to direct root access
    • Check application startup scripts in systemd/init.d
  2. Credential Extraction

    • Database credentials in application config may grant access to privileged services
    • SSH key discovery in user home directories
  3. Node.js-Specific Vectors

    • Prototype pollution leading to RCE with elevated privileges
    • Gadget chains in dependencies
    • Local package installation vulnerabilities
  4. System Misconfiguration

    • Misconfigured sudo rules
    • World-writable script files in privileged locations
    • Missing input validation in privileged operations

Exploitation (Root/Administrator)

Privilege escalation technique and payload to be documented upon successful exploitation.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance:<br/>Port Scan & Enumeration"] --> B["Web Application Discovery:<br/>Express.js File Share App"]
B --> C["Identify Vulnerability:<br/>[File Upload / Auth Bypass / IDOR]"]
C --> D["Gain Initial Foothold:<br/>Execute Payload / Access System"]
D --> E["User Privilege Discovery:<br/>Extract Credentials / Access Database"]
E --> F["Privilege Escalation:<br/>Exploit Misconfiguration / RCE"]
F --> G["Root Access:<br/>Complete System Compromise"]
style A fill:#e1f5ff
style C fill:#fff3e0
style G fill:#ffebee

Status: The attack chain framework is outlined above. Detailed exploitation methods for phases C through G require further investigation and testing.


Tools Used

nmap: Port scanning and service fingerprinting
wfuzz: Subdomain enumeration and web directory discovery
curl / Burp Suite: HTTP request analysis and application testing
ssh: Secure shell access (SSH enumeration)
Browser DevTools: Frontend JavaScript and HTTP traffic analysis

Key Learnings

  • File upload functionality is a critical attack surface; always test for extension bypass, path traversal, and executable upload scenarios.
  • Express.js applications may expose sensitive information via headers and should be analyzed for known vulnerabilities and misconfigurations.
  • User authentication systems in web applications should be thoroughly tested for bypass techniques and session management flaws.
  • Frontend functionality (like the “copy link” feature) may reveal sensitive patterns or implementation details affecting backend security.
  • Comprehensive enumeration of application endpoints and features is essential before attempting exploitation.
  • Node.js-based applications often contain dependency vulnerabilities; identify and research the specific versions in use.

References & Resources

  • HackTheBox Machine: download
  • OWASP Top 10: File Upload Vulnerabilities, Broken Authentication, Broken Access Control
  • Express.js Security: Best practices and common vulnerabilities
  • Node.js Exploitation: Prototype pollution, gadget chains, and code injection vectors

Notes & Additional Observations

  • The application uses UUID-based file identifiers, which should be analyzed for randomness and predictability
  • The “private” file feature suggests access control logic that may contain bypass vulnerabilities
  • Frontend “copy link” functionality requires JavaScript analysis to understand implementation details
  • The OpenSSH version (8.2p1) does not appear to have known public exploits; focus is on web application vulnerabilities
  • Consider both authenticated and unauthenticated attack paths during further testing

Author

D3vnomi (Original) | Writeup Enhanced: Partial/Incomplete Status Documentation


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

This is a partial writeup documenting reconnaissance findings. The exploitation, user access, and privilege escalation phases require further investigation and testing to complete the full documentation.


Status: Partial/Incomplete Writeup - Reconnaissance Complete
Last Updated: 08 Mar 2026
Next Steps: Complete exploitation chain investigation and document findings

Tags: #HackTheBox #Linux #Hard #FileUpload #Express #NodeJS #Partial