👲🏼Silentium

Hacking "Silentium": A Journey Through Frustration, Code, and Final Victory

The world of penetration testing is rarely a straight line. It is a jagged path of trial and error, where the most significant breakthroughs often come only after a period of intense frustration. My experience with the "Silentium" machine on Hack The Box was a perfect embodiment of this reality. It wasn't just a technical challenge; it was a psychological one that tested my methodology, my patience, and my ability to pivot when the "obvious" path led to a dead end.

The Deceptive Beginning

The journey began with "Silentium," a machine that whispered its secrets through a series of exposed internal services. My initial foothold was achieved by identifying a Flowise AI instance and a local MailHog server. Exploiting a password reset vulnerability allowed me to intercept a reset token in the MailHog web interface. At that moment, the rush of adrenaline was palpable. I had the token; I was moments away from a shell. However, this early success was a siren’s song. The reset link was broken, pointing to an undefined URL, luring me into a false sense of security that this would be an "easy" win. I was wrong.

The "Undefined" Era

Once I realized the password reset wouldn't work through the browser, I was trapped in a "black box" scenario. I spent a significant amount of time attempting to brute-force or bypass the application's logic. I saw the xxxxxxx password and the xxxxxxx credentials in the logs and environment files, but the path forward was obscured. This was my first major lesson in methodology. I was trying to force the application to behave in a way it wasn't configured to. Without knowing why the URL was undefined, I was just tossing coins into a dark well. This phase was a massive time sink, but it forced me to realize that I needed to move laterally and look at the system's internal services from the inside.

The Grind of Lateral Movement

Realizing I couldn't simply "web-exploit" my way to the top, I pivoted to the user shell I gained as ben. This is where the real technical grind began. I started a deep dive into the internal ports and services. I found Gogs running on port 3001, and more importantly, my investigation of the app.ini configuration file revealed a massive oversight: RUN_USER = root.

Landing as ben was more than just a new shell; it was the key to the library. I finally had the permissions to read the Gogs configuration and realize that any vulnerability in this Git service would grant me the highest authority on the system.

The "Aha!" Moment: Source Code and CVE Analysis

The moment I identified the Gogs version and its configuration, the dark clouds vanished. Seeing RUN_USER = root was like having a map after wandering in the woods for hours. I immediately identified the "villain" of the story: CVE-2025-8110, a symlink vulnerability that allowed for Remote Code Execution. The exploit was surgical. By creating a malicious repository and uploading a symlink pointing to the internal .git/config, I could inject an sshCommand into the repository's configuration. Because Gogs was running as root, any command I placed there would be executed with total system authority. This was the most profound learning moment: the most secure-looking services are often the most vulnerable if they are misconfigured to run with excessive privileges.

The Final Strike: Root

With the plan clearly defined, the final execution was a battle of persistence. My initial attempts with an automated Python exploit failed because of a Captcha requirement on the registration page. I had to pivot again, manually creating the user semiramis and modifying the exploit script to bypass the registration phase. Even then, Git threw a final hurdle at me, demanding a global user identity before it would commit my malicious symlink. After a quick git config fix and setting up my Netcat listener, I fired the script one last time. The connection hit. The terminal didn't say "Connection refused"; it stayed silent for a second and then gave me the prompt I had spent hours hunting: root@silentium. I navigated to /root, ran cat root.txt, and the high-entropy string of the final victory was mine.

Reflections on the Learning Process

Looking back, the "Silentium" machine taught me more about the "Hacker Mindset" than any entry-level tutorial ever could. I learned that:

• Enumeration is Continuous: I never stopped gathering info. When the MailHog path stalled, I didn't give up; I went back to the internal port scans.
• Configuration is King: Finding the app.ini and seeing the service user turned a "guessing game" into an "engineering problem."
• Persistence Overcomes Constraints: The Captcha and Git identity errors were just puzzles. Solving them manually was the difference between a failed exploit and a successful pwn.
• Privilege Escalation is a Logic Puzzle: You don't always need a complex kernel exploit. Sometimes, you just need to find a root-level service and tell it to do your bidding.

In the end, I didn't just "beat" a machine. I decoded a puzzle, bypassed a firewall of my own making, and learned to speak the language of the target system. The "Silentium" machine was a grueling instructor, but its lessons are now permanently etched into my methodology.