{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreicxwax7vsuvfmaidbhb6etq7766eu3qgbz476z7arbvtk2ggalnlq",
"uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3morrb3y4jon2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreicfldo6nc7gnbcg4vxqgnaypgxiaauj25waqb35s5g2oghkc4mqqe"
},
"mimeType": "image/jpeg",
"size": 61004
},
"description": "OS: Linux · Difficulty: Hard · Theme: Cloud / AWS (LocalStack) misconfiguration Target Attacker (tun0) /etc/hosts nimbus.htb aws.nimbus.htb 0. SETUP & THE MTU BLACK-HOLE (DO THIS FIRST) On the HTB VPN, tun0 defaults to MTU 1500 but the real path MTU to the target is ~1300. Oversized packets are silently dropped (no ICMP frag-needed), so small requests succeed while large ones hang forever. On the first solve a ~2.5 KB SQS send-message hu...",
"path": "/hack-the-box-htb-nimbus-writeup-hard-weekly-june-21th-2026/",
"publishedAt": "2026-06-20T15:39:00.000Z",
"site": "https://1337sheets.com",
"tags": [
"Subscribe now"
],
"textContent": "#\n\n**OS:** Linux · **Difficulty:** Hard · **Theme:** Cloud / AWS (LocalStack) misconfiguration\n\n|\n---|---\nTarget | `<TARGET_IP>`\nAttacker (tun0) | `<LHOST>`\n`/etc/hosts` | `<TARGET_IP> nimbus.htb aws.nimbus.htb`\n\n* * *\n\n## 0. Setup & the MTU black-hole (do this first)\n\nOn the HTB VPN, `tun0` defaults to MTU 1500 but the real path MTU to the target is ~1300. Oversized packets are **silently dropped** (no ICMP frag-needed), so **small** requests succeed while **large** ones hang forever. On the first solve a ~2.5 KB SQS `send-message` hung indefinitely while a tiny test went through instantly — pure MTU. Fix it up front so it never bites:\n\n\n sudo ip link set dev tun0 mtu 1300\n\n\nConfirm connectivity and set `/etc/hosts`:\n\n\n echo \"<TARGET_IP> nimbus.htb aws.nimbus.htb\" | sudo tee -a /etc/hosts\n\n\nTooling: `awscli` (`sudo apt install -y awscli`), `tmux`, `curl`, `python3`.\n\n* * *\n\n## 1. Recon\n\n### nmap\n\n\n nmap -sC -sV -p22,80 <TARGET_IP>\n\n\n\n 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16\n 80/tcp open http nginx 1.24.0 (Ubuntu)\n |_http-title: Nimbus — Internal Job Scheduler\n\n\n### vhosts / web\n\n\n curl -s -o /dev/null -w \"%{http_code}\\n\" http://nimbus.htb/ # 200, \"Nimbus — Internal Job Scheduler\"\n curl -s -o /dev/null -w \"%{http_code}\\n\" http://aws.nimbus.htb/ # 403 -> LocalStack AWS API endpoint\n curl -s -o /dev/null -w \"%{http_code}\\n\" http://nimbus.htb/jobs/preview # 405 -> needs POST\n\n\n`aws.nimbus.htb` is discoverable via vhost fuzzing:\n\n\n ffuf -u \"http://nimbus.htb\" -H \"Host: FUZZ.nimbus.htb\" \\\n -w /usr/share/wordlists/dirb/big.txt -fs 178\n # aws [Status: 403, Size: 305]\n\n\n* * *\n\n## 2. Foothold — SSRF → IMDS credentials\n\n`POST /jobs/preview` fetches a user-supplied `url=` **server-side**. The app:\n\n * **blocklists** the literal IMDS IP `169.254.169.254`, and\n * applies a **suffix filter** expecting a `.yaml`-looking URL.\n\n\n\nBypass both:\n\n * Encode the IMDS IP in **octal** : `169.254.169.254` → `0251.0376.0251.0376` (`inet_aton` accepts it; the string blocklist doesn't match).\n * Append `?a=test.yaml` so the suffix check passes while still hitting the IMDS path.\n\n\n\n### This post is for subscribers only\n\nBecome a member to get access to all content\n\nSubscribe now",
"title": "Hack The Box - HTB Nimbus Writeup - Hard - Weekly - June 21th, 2026",
"updatedAt": "2026-06-21T06:40:36.027Z"
}