{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreienqxuofvdzgsmpuojqhsbitdujcczzvzswcaz4qbjrt7ifplinlu",
    "uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mhnf3s43qej2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreie2el6bwrb4opucw7uicikj22ie4ocyzr4t4dszhfngqx5etp23tm"
    },
    "mimeType": "image/png",
    "size": 3396974
  },
  "description": "KOBOLD -- HACK THE BOX DETAILED WRITEUP\n\nPlatform: Hack The Box\nBox Name: Kobold\nOS: Linux\nDifficulty: Easy\n\n\n\nBOX SUMMARY\n\nKobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. The attack surface spans multiple subdomains, each running a different application. Initial access requires\nexploiting a vulnerability in one of the exposed services, while privilege escalation involves chaining a web application flaw with credential...",
  "path": "/hack-the-box-season-10-htb-kobold-writeup-easy-weekly-march-21th-2026/",
  "publishedAt": "2026-03-21T04:00:00.000Z",
  "site": "https://1337sheets.com",
  "tags": [],
  "textContent": "# Kobold -- Hack The Box Detailed Writeup\n\n**Platform** : Hack The Box\n**Box Name** : Kobold\n**OS** : Linux\n**Difficulty** : Easy\n\n* * *\n\n## Box Summary\n\nKobold is an easy Linux box: a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. The attack surface spans several subdomains, each running a different application. Initial access requires exploiting a vulnerability in one of the exposed services; privilege escalation chains a web application flaw with credential discovery and abuse of a Docker management interface running with elevated privileges.\n\n* * *\n\n## Reconnaissance\n\n### Port Scanning\n\n\n    nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>\n\n\n\n    PORT    STATE SERVICE    VERSION\n    22/tcp  open  tcpwrapped\n    | ssh-hostkey:\n    |   256 <REDACTED> (ECDSA)\n    |_  256 <REDACTED> (ED25519)\n    80/tcp  open  tcpwrapped\n    |_http-server-header: nginx/1.24.0 (Ubuntu)\n    |_http-title: Did not follow redirect to https://kobold.htb/\n    443/tcp open  tcpwrapped\n    |_http-title: Kobold Operations Suite\n    | ssl-cert: Subject: commonName=kobold.htb\n    | Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb\n    | tls-alpn:\n    |   http/1.1\n    |   http/1.0\n    |_  http/0.9\n    |_http-server-header: nginx/1.24.0 (Ubuntu)\n\n\nKey observations:\n\n  * **3 open ports** : SSH (22), HTTP (80) and HTTPS (443); port 80 only redirects to `https://kobold.htb/`\n  * **nginx 1.24.0** on Ubuntu in front of everything. The `tcpwrapped` label means the connection was closed before nmap's version probes got an answer (often a side effect of an aggressive `--min-rate`); the version details in the output come from the NSE scripts, and a slower rescan of just these three ports gives proper banners\n  * **Wildcard TLS certificate** (`DNS:*.kobold.htb`): the certificate covers any subdomain, so nginx is almost certainly routing by `Host` header. `.htb` names are not resolvable, so the subdomains have to be found by fuzzing the `Host` header against the IP rather than by DNS brute force\n\n\n\n### Hosts File Setup\n\nThe two subdomains in this line come from the virtual host enumeration in the next step; they are listed here so the file only needs to be edited once.\n\n\n    echo \"<TARGET_IP> kobold.htb mcp.kobold.htb bin.kobold.htb\" | sudo tee -a /etc/hosts\n\n\n### Subdomain Enumeration\n\nThe request goes to the IP with `-k` (self-signed certificate) and the candidate name in the `Host` header. `-fs 154` filters out the 154-byte default response nginx returns for a `Host` it does not recognise; check that baseline first with a name that cannot exist, otherwise `ffuf` reports every word in the list as a hit.\n\n\n    ffuf -u \"https://<TARGET_IP>\" -k -H \"Host: FUZZ.kobold.htb\" \\\n      -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \\\n      -mc all -c -fs 154\n\n\nResults:\n\n\n    mcp     [Status: 200, Size: 466]\n    bin     [Status: 200, Size: 24402]\n\n\nTwo subdomains discovered:\n\n  * **mcp.kobold.htb** -- MCP Inspector (small page, 466 bytes)\n  * **bin.kobold.htb** -- PrivateBin 2.0.2 (24402 bytes)\n\n\n\n### Service Identification\n\n#### kobold.htb (Main Site)\n\nThe main domain hosts \"Kobold Operations Suite\", a landing page served by nginx with a PHP-FPM 8.3 backend.\n\n#### mcp.kobold.htb (MCP Inspector)\n\nProxied to `127.0.0.1:6274` (Node.js application). This is an MCP Inspector, a developer tool for connecting to and testing Model Context Protocol servers. It exposes an API endpoint at `/api/mcp/connect` that accepts server configurations including executable commands. Inspector starts stdio MCP servers by running the configured command, so if this endpoint is reachable without authentication it is a command execution primitive on whatever host runs the Inspector.\n\n#### bin.kobold.htb (PrivateBin)\n\nProxied to `127.0.0.1:8080` (Docker container running `privatebin/nginx-fpm-alpine:2.0.2`). A PrivateBin instance with:\n\n  * Discussion feature enabled\n  * Password protection enabled\n  * Template selection enabled (critical -- this is the LFI vector)\n  * Filesystem-based storage at `/privatebin-data/data/`\n\n\n\n### This post is for subscribers only",
  "title": "Hack The Box - Season 10 HTB Kobold Writeup - Easy - Weekly - March 21st, 2026",
  "updatedAt": "2026-03-22T10:55:57.401Z"
}