HTB: visual Writeup


Machine Information

Name: visual
OS: Windows
Difficulty: Medium
Points: N/A
Release Date: N/A
IP Address: 10.129.119.198
Author: D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐☆☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

visual is a Medium-difficulty Windows machine hosting a Visual Studio build service accessible via a web application. The machine demonstrates the risk of accepting untrusted input (Git repository URLs) and automatically building .NET projects without validation. Exploitation involves crafting a malicious .NET project with pre-build events containing reverse shell commands, hosting it via a git HTTP server, and submitting the repository URL to the build service for automatic RCE.

TL;DR: Recon → Visual Studio Build Service → Malicious .NET project with pre-build shell → Git server → Submit to /submit.php → RCE → [Privilege escalation not documented].


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.119.198

Results:

Only port 80 is open:

80/tcp open http Apache httpd 2.4.56 ((Win64) OpenSSL/1.1.1t PHP/8.1.17)

OS Identified: Windows, Apache 2.4.56 with PHP 8.1.17

Service Enumeration

Hostname: visual.htb

echo "10.129.119.198 visual.htb" >> /etc/hosts

Web Application Reconnaissance:

The application title is “Visual - Revolutionizing Visual Studio Builds” and presents a form that accepts Git repository URLs for building .NET projects. The form action is /submit.php.

Additional Virtual Hosts Discovered:

  • devel.htb

HTTP Methods Enabled:

The TRACE HTTP method is enabled on the web server, which can be used for further fingerprinting or debugging.


Initial Foothold

Attack Concept

The Visual Studio build service automatically clones and builds .NET projects from provided Git repository URLs. The vulnerability lies in insufficient validation of project contents before compilation. By creating a malicious .NET project with pre-build events (configured in the .csproj file), arbitrary commands are executed during the build process.

Exploitation Steps

1. Create Malicious .NET Project

The attack uses a basic C# console application structure (project/Program.cs) with a malicious pre-build event in the project file that executes a reverse shell command:

<Target Name="PreBuild" BeforeTargets="PreBuildEvent">
  <Exec Command="[malicious command here]" />
</Target>

When the server builds the project via Visual Studio or MSBuild, this command executes with the privileges of the web server process.

2. Host via Git HTTP Backend

The attacker hosts the malicious project using git_server.py, a Python HTTP server that implements the git-http-backend protocol. This serves git repositories that can be cloned by the build service:

python3 git_server.py

The git server listens on a local port and provides the malicious repository.

3. Submit Repository URL

The attacker submits the git repository URL to the build service via the /submit.php form. The application then:

  • Clones the repository
  • Executes the build process
  • Triggers the pre-build event, executing the reverse shell

4. Achieve RCE

The reverse shell establishes a connection back to the attacker, providing command execution on the target machine.
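The defensive counterpart of the steps above, as an added example that is not part of the original writeup or the box: a static check a build service could run over every cloned project file before invoking MSBuild, flagging the `<Exec>` tasks inside `<Target>` elements and the `PreBuildEvent`/`PostBuildEvent` properties that the attack relies on. The sample project, the `whoami` placeholder command and all function names are constructed for this example.

```python
"""Scan MSBuild project files for build-time command execution hooks.

Added example for this writeup (not the author's or the box's code): a check a
build service could run on a cloned repository before invoking MSBuild. It flags
the constructs the writeup abuses: <Exec> tasks inside <Target> elements and
PreBuildEvent/PostBuildEvent properties, in SDK-style and old-style projects.
"""
import xml.etree.ElementTree as ET

HOOK_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}  # properties that run a shell command
HOOK_TASKS = {"Exec"}                                  # tasks that run a shell command


def _local(tag):
    """Strip the XML namespace that old-style .csproj files put on every tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_hooks(project_xml):
    """Return (kind, location, command) for every build-time hook in the project.

    kind is 'task' for an <Exec> inside a <Target> (location = target name) or
    'property' for Pre/PostBuildEvent (location = property name).
    """
    root = ET.fromstring(project_xml)
    findings = []
    for elem in root.iter():  # depth-first, document order
        if _local(elem.tag) == "Target":
            for task in elem:
                if _local(task.tag) in HOOK_TASKS:
                    findings.append(("task", elem.get("Name", "<unnamed>"), task.get("Command", "")))
        elif _local(elem.tag) in HOOK_PROPERTIES:
            findings.append(("property", _local(elem.tag), (elem.text or "").strip()))
    return findings


def is_safe_to_build(project_xml):
    """Policy decision: refuse to build any project that declares a hook."""
    return not find_build_hooks(project_xml)


# Constructed sample: the pre-build Exec target shown in the writeup, with a
# harmless placeholder command in place of the reverse shell.
SAMPLE_MALICIOUS = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><OutputType>Exe</OutputType></PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="whoami" />
  </Target>
</Project>"""
```

The scan has to cover every MSBuild file the build would import (`.csproj`, `.props`, `.targets`, `Directory.Build.props`), and it is only a first gate: the learnings below still call for running the build itself in an isolated, low-privilege sandbox.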

Key Artifacts

  • git_server.py: Python HTTP server implementing git-http-backend for serving malicious repositories
  • project/Program.cs: Basic “Hello World” C# console application used as the malicious project template
  • project-http/Program.cs: Alternate version of the basic C# application

[Notes incomplete: Detailed exploitation payload, specific reverse shell command, and connection logs not documented.]


User Compromise

[Notes incomplete: User credential discovery and user flag capture steps not documented.]


Privilege Escalation

[Notes incomplete: Privilege escalation enumeration, techniques, and root flag not documented.]


Attack Chain Summary

graph TD
A[Recon: Port 80 - Apache/PHP/Win64] --> B[Visual Studio Build Service]
B --> C["Create Malicious .NET Project<br/>(pre-build shell event)"]
C --> D[Host via git_server.py]
D --> E["Submit Repo URL<br/>to /submit.php"]
E --> F[Server Clones & Builds Project]
F --> G[Pre-Build Event Executes → RCE]
G --> H["[Privilege Escalation<br/>Not Documented]"]

Tools Used

nmap: Port scanning and service fingerprinting
python3: Running the git_server.py HTTP backend
curl / Browser: Interacting with the /submit.php form
nc / socat: Reverse shell listener

Key Artifacts

  • git_server.py: Custom Python HTTP server implementing git-http-backend for serving malicious repositories
  • project/Program.cs & project.sln: Basic .NET console application with pre-build event payload
  • project-http/Program.cs: Alternate version of malicious .NET project

Key Learnings

  • Input Validation: Accepting arbitrary Git repository URLs without validation creates significant RCE risk
  • Build Processes: Automated build systems (Visual Studio, MSBuild) should run in sandboxed environments
  • .NET Pre-Build Events: Pre-build and post-build events in .csproj files execute arbitrary code during compilation
  • Git as Attack Vector: Self-hosted git servers can serve malicious projects if the consumption endpoint doesn’t validate contents
  • Windows Service Context: Build services typically run with elevated privileges, amplifying the impact of RCE exploits

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Windows #Medium