Cobblestone

Technical Walkthrough

Cobblestone Walkthrough

This file will be written from live evidence as the engagement progresses. Public research is not evidence until reproduced against the live target.

Phase 0 - Setup

• Workspace created.
• Memory files loaded: MEMORY.md, htb_web_attack_patterns.md, htb_quick_wins.md, htb_file_transfer_tunneling.md, htb_hard_insane_state.md, htb_lightrag_context.md.
• Start-of-case LightRAG query completed.

Phase 1 - Validation Gate

Matched core public anchors:

• Full TCP scan found only 22/tcp and 80/tcp.
• HTTP service redirects direct IP traffic to cobblestone.htb.
• Service scan identifies OpenSSH 9.2p1 Debian and Apache 2.4.62 on Debian.
• Base page links deploy.cobblestone.htb, vote.cobblestone.htb, and mc.cobblestone.htb.
• Vhost fuzzing confirmed vote and deploy; mc redirects to base and is linked from the page.
• vote exposes login/register and authenticated suggest.php.

The advisory chain is valid enough to proceed, but SQL injection and file-write/RCE are not evidence yet.

Phase 2 - Vote SQLi And Source Recovery

• Registered a controlled vote account and validated authenticated access to suggest.php.
• Confirmed second-order SQL injection in vote.cobblestone.htb/suggest.php POST url, triggered through details.php.
• Enumerated DBMS context: MariaDB, current DB vote, current user voteuser@localhost, and global FILE privilege.
• Used SQL file-read to recover Apache vhost config and PHP/Twig source for both vote and main cobblestone.htb.
• Rejected SQL file-write after live checks showed @@secure_file_priv as NULL; this made the public FILE-write webshell path stale for this instance.

Phase 3 - Main App XSS To Twig SSTI

• Source review identified:

- suggest_skin.php: authenticated users can insert skin suggestions.

- templates/suggest.html.twig: suggestion fields are rendered with | raw.

- preview_banner.php: admin-only endpoint renders attacker input through Twig::createTemplate().

• Submitted a harmless stored-XSS callback and confirmed the admin reviewer executed it.
• Proved the Twig sink with {{7*7}}, which rendered as 49.
• Proved command execution as www-data using Twig filters such as filter('system').

Phase 4 - Stable User Foothold

• Public advisory credential for cobble was treated as a hypothesis and validated live over SSH.
• Captured user flag from the live target and stored it in loot/user.txt.
• Confirmed cobble is constrained by restricted rbash/jail behavior, but SSH port forwarding still works.

Phase 5 - Cobbler Root

• Created SSH local forward from Pwnbox <TARGET>:25151 to target <TARGET>:25151.
• Confirmed Cobbler XML-RPC version 3.3.6.
• Used Cobbler XML-RPC auth bypass to obtain an admin-capable token.
• Created controlled cdx_* Cobbler distro/profile/autoinstall template objects.
• Rendered a Cheetah autoinstall template that executed a root command and returned output.
• Captured root flag from live root execution and stored it in loot/root.txt.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Platform: HackTheBox Machine
• Target: <TARGET>
• Name: Cobblestone
• OS: Linux
• Difficulty: Insane
• Creator: c1sc0
• Pwnbox: profex0r@<TARGET>
• Started: 2026-05-07 AEST
• Rules: Public pre-research and LightRAG are advisory only. Live target evidence is source of truth. Store raw flags/secrets in loot/ only.

Evidence Ledger

Pre-Research Validation Gate

Current Status

• Access: root achieved through Cobbler XML-RPC template rendering.
• Active tunnels/listeners: Pwnbox tmux cobble:tunnel, cobble:callback, and cobble:shell were used during exploitation; no further interaction required.
• Flags: user and root captured from live target and stored under loot/.

Attack Map

Hosts

Services

Credentials

Attack Paths

Trust Edges

None yet.

Memory Summary

Status: Pending user approval before ingestion.

Metadata

• Platform: HackTheBox
• Content type: Machine
• Name: Cobblestone
• OS: Linux
• Difficulty: Insane
• Workspace: <local workspace><TARGET>-Cobblestone

Verified Chain

1. External scan exposed only SSH and HTTP.
2. HTTP vhosts included cobblestone.htb, vote, deploy, and mc.
3. vote app had authenticated second-order SQL injection through stored url values rendered by details.php.
4. SQL <secret redacted>() was useful for source/config recovery, but INTO OUTFILE was blocked on the live instance because secure_file_priv resolved to NULL.
5. Source review of the main app found stored XSS in user-submitted skin suggestions and an admin-only Twig createTemplate() sink in preview_banner.php.
6. Stored XSS executed in an admin reviewer session and triggered Twig SSTI as www-data.
7. A live-validated SSH credential gave access as cobble, restricted by rbash/jail behavior.
8. SSH local forwarding exposed Cobbler XML-RPC on <TARGET>:25151.
9. Cobbler 3.3.6 XML-RPC auth bypass plus Cheetah autoinstall rendering produced root command execution.

Reusable Lessons

• Treat public SQL file-write chains as volatile: validate @@secure_file_priv early and pivot if export is disabled.
• Source-read from SQLi can be more valuable than shell upload on Insane Linux web chains.
• For stored-XSS admin bots, use a short external script loader instead of trying to fit long JavaScript into application fields.
• If a browser-based payload navigates away too early, serve callback endpoints with HTTP 204 to keep the page active.
• rbash may block interactive command execution but still permit SSH local forwarding, which is enough for internal-only services.
• Cobbler XML-RPC exploitation can avoid reverse shells by rendering command output directly through Cheetah templates.

Do Not Ingest

• Raw flags
• Raw <password redacted>
• Cookies
• Full callback logs containing transient session artifacts

Session Resume

Last updated: 2026-05-07 AEST

Current Access

• User flag and root flag captured from the live target and stored in loot/.
• Validated SSH as cobble with credential stored in loot/<password redacted>; shell is restricted rbash/jail.
• Root achieved through Cobbler XML-RPC on <TARGET>:25151 via SSH local forward.

Session Registry

Next Three Actions

1. Optional cleanup: remove stored XSS suggestion rows and cdx_* Cobbler objects if desired.
2. Write post-solve sanitized memory summary for approval before LightRAG ingestion.
3. Keep memory-summary.md out of LightRAG until user approves ingestion.

Blockers

• SQL INTO OUTFILE path was stale/blocked by secure_file_priv=NULL; documented in dead-ends.md.

Cleanup

• Stored XSS suggestion rows were created.
• Cobbler cdx_* distro/profile/template objects were created.

Notes

Track exploit scripts, payload versions, state mutations, and rollback commands here.

State Mutations

Exploit Iterations

Dead Ends

SQLi FILE Write To Webroot

• Evidence: enum/outfile-variant-summary.txt, enum/sqlmap-file-write-proof-summary.txt, enum/sqlmap-file-write-alias-summary.txt
• Result: Automated sqlmap writes and manual UNION ... INTO OUTFILE variants did not create a reachable PHP file.
• Root cause: live union probe showed @@secure_file_priv resolves to NULL, so read via <secret redacted>() worked but export/write was blocked.
• Decision: Treat public writeup FILE-write claims as stale for this live instance and pivot to source-assisted main-app XSS/SSTI.

Reverse Shell Through Twig

• Evidence: logs/xss-callback-8001.log, logs/www-data-shell-9002.log
• Result: Twig command execution worked, but reverse-shell payloads were unreliable through the admin bot queue and field-length constraints.
• Decision: Prefer stable SSH credential validation and Cobbler API exploitation over continuing to fight browser-driven shell orchestration.