Machine / Machines

Connected

By Jennofrie Daguil · Cybersecurity and Red Team Operator

State: target-state.json - Notes: notes.md The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets....

DocumentedPublished 2025-12-14Sanitized local writeup

Scenario

Connected attack path

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Walkthrough flow

Manually verify in the HTB UI that the machine name...

If HTB still shows , use the HTB controls to...

After respawn, rerun only the minimal baseline (ping...

Source coverage

High source coverage

Status: complete. This article is generated from 7 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

<TARGET>-Connected/walkthrough.md
HTB/<TARGET>-Connected/notes.md
HTB/<TARGET>-Connected/attack-map.md
HTB/<TARGET>-Connected/session-resume.md
HTB/<TARGET>-Connected/dead-ends.md
HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Connected__attack-map.md.53c4e0a462.md
HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Connected__memory-summary.md.5139810e01.md

Technical Walkthrough

Connected Walkthrough

Raw flags and reusable secrets are stored only under loot/.

Summary

Evidence

State: target-state.json
Notes: notes.md

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

Field	Value
Platform	Hack The Box / simulated lab
Target	Connected
Difficulty	Easy
OS	Linux
Active target IP	<TARGET>
Hostname/domain	unknown
Pwnbox	<TARGET> (`profex0r`)
Attacker/VPN IP	<TARGET>
Local workspace	`<local workspace><TARGET>-Connected`
Pwnbox workspace	`~/htb/<TARGET>-Connected`
Started	2026-06-07T05:20:21Z

Evidence Ledger

Time UTC	Phase	Command/Action	Output file	Finding	Confidence	Next action
2026-06-07T05:20:21Z	setup	`htbctl init`	`target-state.json`	Workspace initialized by deterministic harness.	High	Validate route and start baseline recon.
2026-06-07T05:20:21Z	setup	Manual runbook created	`manual-runbook.md`, `session-resume.md`	Collaboration will be manual execution by user with Codex reviewing outputs and maintaining notes.	High	Run Phase 0 route check and Phase 1 baseline TCP recon.
2026-06-07T05:20:21Z	setup	Output workflow revised	Chat plus workspace notes	Operator will paste outputs directly into chat; Codex will update workspace files.	High	Run Phase 0 route check and Phase 1 baseline TCP recon.
2026-06-07T05:31:00Z	recon	Manual route check and full TCP sweep from Pwnbox	`enum/manual-phase0-phase1-20260607.md`	Pwnbox/VPN is live as `<TARGET>`, but target `<TARGET>` returns `Destination Host Unreachable` from `<TARGET>`; full TCP scan found no open ports and all ports filtered.	High	Verify target IP/spawn state and route before any service scan or exploitation.
2026-06-07T05:36:00Z	recon	Manual route debug	`enum/manual-route-debug-20260607.md`	Open port variable is empty; route to target correctly uses `tun0` via `<TARGET>`; `tracepath` is unavailable on Pwnbox.	High	Run host-discovery and common-port checks; if still negative, verify machine spawn/IP in HTB UI.
2026-06-07T05:39:00Z	recon	Host discovery and common-port attempt	`enum/manual-host-discovery-20260607.md`	Host discovery reports `0 hosts up`; common-port scan did not run because shell was in `~` and `nmap/` did not exist there.	High	Re-run common-port check from the target workspace; if negative, verify/reset target in HTB UI.
2026-06-07T05:42:00Z	recon	Common Easy Linux port check	`enum/manual-common-port-check-20260607.md`	Ports 22, 80, 443, 3000, 5000, 8000, 8008, 8080, and 8081 are all filtered with `no-response`; `-Pn` host-up status is user-forced.	High	Stop scanning and verify machine name/IP/spawn state in HTB UI; reset/re-spawn if needed.
2026-06-07T05:45:00Z	research	Safe public metadata review	`research.md`	`Connected` appears to be a newly active/free Easy Linux machine released 2026-06-06; no credible full walkthrough found and machine-specific spoiler research is inappropriate while active.	High	Use HTB UI/spawn/VPN checks; resume live enumeration only after target responds.
2026-06-07T05:55:00Z	handoff	HTB agent handoff prepared	`agent-handoff-2026-06-07.md`, `handoffs.md`	Handoff captures current blocker, tried commands, evidence files, research boundary, and exact next actions for the HTB agent.	High	Pass handoff prompt to HTB agent; agent should verify UI/IP/spawn before scanning further.
2026-06-07T05:51:22Z	memory	Sanitized CTF LightRAG export/ingest started	`_knowledge/exports/ctf-lightrag-20260607-155117`, remote track `scan_20260607_055122_61cf71a1`	Summary-only strict export created 273 local documents; remote ingest accepted and queued with no errors in latest status check.	High	Treat local workspace files as source of truth; RAG is advisory only.
2026-06-07T06:03:00Z	ui-check	Read-only HTB UI verification via copied local Chrome profiles	`enum/htb-ui-check.json`, `enum/htb-ui-network-log.json`, `screenshots/htb-ui-default-connected-small.png`, `screenshots/htb-ui-profile1-connected-small.png`	HTB session shell loaded and page title/path matched `Connected`, but the machine panel showed `Network Error`; a second profile hit HTB rate limiting, so assigned IP/spawn/region were not authoritatively confirmed.	High	Stop UI automation and use only minimal Pwnbox baseline recheck.
2026-06-07T06:08:13Z	route	Fresh Pwnbox route recheck via `htbctl`	`enum/route-recheck-20260607.txt`	Pwnbox user and `tun0=<TARGET>` remain valid; route to `<TARGET>` still goes via `<TARGET>`.	High	Rerun only ping and common-port baseline.
2026-06-07T06:08:20Z	recon	Fresh ping baseline via `htbctl`	`enum/ping-recheck-driver-20260607.txt`, `enum/ping-recheck.txt`	`ping -c 3 <TARGET>` still returns `Destination Host Unreachable` from `<TARGET>`.	High	Recheck common ports once; stop if still no response.
2026-06-07T06:08:27Z	recon	Fresh common-port baseline via `htbctl`	`nmap/recheck-common-driver-20260607.txt`, `nmap/recheck-common.nmap`, `nmap/recheck-common.gnmap`, `nmap/recheck-common.xml`	Ports `22,80,443,3000,5000,8000,8080` remain filtered with `no-response`; no reachable service surface recovered.	High	Stop and treat as target/lab state until manual HTB reset/re-spawn is completed.
2026-06-07T06:49:09Z	setup	Rebound continuity workspace to new Pwnbox via direct SSH health check	chat-only validation, `target-state.json`	New Pwnbox `<TARGET>` is reachable as `profex0r`; `tun0=<TARGET>`; route to `<TARGET>` still uses `<TARGET>`; remote workspace exists at `~/htb/<TARGET>-Connected`.	High	Rebind state and rerun only the minimal baseline through `htbctl`.
2026-06-07T06:50:21Z	route	Rebound Pwnbox route recheck via `htbctl`	`enum/route-recheck-20260607-rebind.txt`	New Pwnbox remains healthy and routes `<TARGET>` over `tun0` via `<TARGET>` with source `<TARGET>`.	High	Rerun only ping and common-port baseline on the rebound Pwnbox.
2026-06-07T06:50:34Z	recon	Rebound ping baseline via `htbctl`	`enum/ping-recheck-driver-20260607-rebind.txt`, `enum/ping-recheck.txt`	Ping no longer shows gateway `Destination Host Unreachable`, but still returns `0/3` replies and `100% packet loss`.	High	Recheck common ports once on the rebound Pwnbox.
2026-06-07T06:50:39Z	recon	Rebound common-port baseline via `htbctl`	`nmap/recheck-common-driver-20260607-rebind.txt`, `nmap/recheck-common.nmap`, `nmap/recheck-common.gnmap`, `nmap/recheck-common.xml`, `enum/recheck-common-nmap-copy-20260607-rebind.txt`, `enum/recheck-common-gnmap-copy-20260607-rebind.txt`, `enum/recheck-common-xml-copy-20260607-rebind.txt`	Ports `22,80,443,3000,5000,8000,8080` remain filtered with `no-response`; no open port emerged after rebinding to the new Pwnbox.	High	Stop and treat as target/spawn/lab state until manual HTB UI verification/reset confirms a live instance.

Synthesis

Current completion state: BASELINE.

Current blocker: continuity has been rebound to the new Pwnbox <TARGET>, and the new VPN source <TARGET> routes correctly to <TARGET> over tun0, but the target still exposes no reachable service surface. HTB UI verification remains inconclusive because prior automated checks hit HTB-side Network Error and rate limiting, so assigned IP/spawn/region still require manual HTB verification. Do not proceed to exploitation or broader service research until the machine is manually verified/reset and at least one port becomes reachable.

Raw flags and reusable secrets must be stored only under loot/.

Attack Map

Current State

Target: <TARGET>
Difficulty/OS: Easy / Linux
Completion state: BASELINE
Services: none reachable after fresh baseline recheck
Hostname/domain: unknown
Credentials: none
Shells: none
Pwnbox/VPN: profex0r@<TARGET>, tun0=<TARGET>
Current blocker: HTB machine-page verification is still inconclusive and the target still has no reachable service surface after rebinding to a new Pwnbox.

Working Hypotheses

ID	Hypothesis	Evidence	Missing proof	Cheapest validation	Status
H1	Easy Linux path will likely be service-exposure driven.	Machine difficulty and OS only.	Open ports and versions.	Recover lab state, then run full TCP + service scan only if a port opens.	Blocked
H2	The assigned lab instance for `<TARGET>` is absent, unspawned, or otherwise unreachable even though the VPN route exists.	After rebinding to a new Pwnbox, route recheck still uses `tun0` via `<TARGET>`; rebound ping returns `100% packet loss`; rebound common-port scan shows 22,80,443,3000,5000,8000,8080 all filtered with `no-response`.	Stable HTB UI confirmation of assigned IP/spawn state and a post-respawn target response.	Manually verify/reset/re-spawn in HTB, then rerun the minimal baseline.	Active
H3	Local automated HTB UI checks are currently unreliable for authoritative machine-state confirmation.	The authenticated Connected page loaded with title/path match, but the machine panel showed `Network Error`; a second profile hit HTB rate limiting; the captured network log did not yield usable machine-state details.	Stable manual UI confirmation of exact IP, spawned state, and lab region.	Use a normal browser session to verify and reset/re-spawn once the rate-limit window clears.	Active

Decision Rule

Do not exploit until services and likely path are synthesized from live enumeration. Current live enumeration has no reachable service surface, so the next step is manual HTB UI verification and reset/re-spawn, not deeper scanning.

Session Resume

Last updated: 2026-06-07T06:52:37Z

Current Access

Completion state: BASELINE.
Target IP expected from user scope: <TARGET>.
Machine: Connected.
Difficulty/OS: Easy / Linux.
Safe public metadata indicates Connected is active/free and newly released on 2026-06-06. Avoid machine-specific writeups/hints unless explicitly switching to spoiler mode.
Pwnbox is active as profex0r@<TARGET>.
HTB VPN interface is tun0 with attacker IP <TARGET>.
Fresh rebound Pwnbox recheck confirms the route to <TARGET> still goes via <TARGET> over tun0.
The target is still not reachable enough for enumeration:

- rebound ping returned 100% packet loss with no replies.

- rebound common-port baseline left ports 22,80,443,3000,5000,8000,8080 filtered with no-response.

- no open TCP ports have been validated.

HTB UI automation was only partially useful:

- the official page path/title matched Connected, but the machine panel showed Network Error.

- a second local browser profile hit HTB rate limiting.

- assigned IP, spawned state, and lab/Pwnbox region remain inconclusive and still require manual UI verification.

No user flag, root flag, shell, credential, hostname, or service path has been validated yet.

Collaboration Model

Codex used htbctl for minimal remote baseline checks from the local Mac to the Pwnbox.
Browser automation was limited to read-only HTB UI confirmation attempts and stopped once rate limiting and HTB-side errors appeared.
No exploitation or deeper enumeration should proceed until HTB machine state is manually verified and recovered.

Next Three Actions

Manually verify in the HTB UI that the machine name is Connected, the assigned IP is still <TARGET>, and the instance is fully spawned.
If HTB still shows <TARGET>, use the HTB controls to reset/release and re-spawn the machine, then confirm the lab/Pwnbox region matches before scanning again.
After respawn, rerun only the minimal baseline (ping plus common ports) from the rebound Pwnbox; continue to full TCP and service enumeration only if at least one port opens.

Blockers

HTB machine-page automation could not fully confirm assigned IP/spawn/region because the page returned Network Error and rate limiting was triggered on a secondary profile.
Service surface remains unavailable on the rebound Pwnbox because no open TCP ports are reachable and common ports stay filtered with no-response.
Current blocker is target/spawn/lab state, not an exploit path.
Research blocker: do not use machine-specific walkthroughs while the box appears active.

Session Registry

Name	Host	Command	Status	Evidence
none	n/a	n/a	inactive	n/a

Dead Ends

Time UTC	Branch	Why closed	Evidence	Revisit condition
2026-06-07T06:03:00Z	Automated HTB UI confirmation from copied local Chrome profiles	Closed for now because the official Connected machine page returned `Network Error` in the machine panel and a second profile hit HTB rate limiting, so automated UI output is not authoritative for assigned IP/spawn/region.	`enum/htb-ui-check.json`, `enum/htb-ui-network-log.json`, `screenshots/htb-ui-default-connected-small.png`, `screenshots/htb-ui-profile1-connected-small.png`	Revisit only after cooldown or manual browser verification exposes stable machine controls.
2026-06-07T06:08:27Z	Direct service enumeration before lab-state recovery	Closed because a fresh baseline still showed `Destination Host Unreachable` on ping and all rechecked common ports filtered with `no-response`, so there is no live service surface to enumerate yet.	`enum/route-recheck-20260607.txt`, `enum/ping-recheck-driver-20260607.txt`, `enum/ping-recheck.txt`, `nmap/recheck-common.nmap`, `nmap/recheck-common.gnmap`	Revisit only after HTB reset/re-spawn and a successful reachability baseline.
2026-06-07T06:50:39Z	Minimal re-enumeration after rebinding continuity to a fresh Pwnbox	Closed because the new Pwnbox `<TARGET>` with `tun0=<TARGET>` still routes through `<TARGET>`, ping still gets `100% packet loss`, and the rechecked common ports remain filtered with `no-response`, so rebinding alone did not recover a live service surface.	`enum/route-recheck-20260607-rebind.txt`, `enum/ping-recheck-driver-20260607-rebind.txt`, `enum/ping-recheck.txt`, `nmap/recheck-common-driver-20260607-rebind.txt`, `nmap/recheck-common.nmap`, `nmap/recheck-common.gnmap`, `nmap/recheck-common.xml`	Revisit only after manual HTB UI verification confirms assigned IP/spawn/region and the machine has been reset/re-spawned.

Attack Map

Completion State

COMPLETE

Known Facts

Fact	Evidence	Confidence
Machine is `Connected`.	Operator scope and official HTB metadata.	High
Current active target IP is `<TARGET>`.	Operator update plus `enum/pwnbox-preflight-respawn.txt`.	High
Prior stale target IPs are `<TARGET>` and `<TARGET>`.	Historical workspaces and operator update.	High
Current Pwnbox is `<<secret redacted>>@<TARGET>`.	Operator update plus `enum/pwnbox-preflight-respawn.txt`.	High
The new Pwnbox has `tun0` and a valid route to `<TARGET>`.	`enum/pwnbox-preflight-respawn.txt`	High
The respawn exposes `22/tcp`, `80/tcp`, and `443/tcp`.	`enum/ping-common-respawn.txt`	High
`connected.htb` still redirects to `/admin`.	`enum/web-base-curl-respawn.txt`	High
The web product on the respawn is still `FreePBX <TARGET>`.	`enum/admin-source-respawn.txt`	High
`/ucp`, `cxpanel`, and the `userman` asset reference are still present.	`enum/admin-source-respawn.txt`	High
The exact <secret redacted> endpoint route still resolves on the respawn.	`enum/endpoint-watchtowr-shape-probe-respawn.txt`	High
The respawned foothold again lands as `asterisk`.	`loot/webshell-baseline.txt`, `loot/post-foothold-baseline.txt`, `loot/user.txt`	High
`incrond` runs as `root` and watches `/usr/local/asterisk/incron` with `<secret redacted>`.	`enum/incron-watcher-source.txt`, `enum/local-incron-path-check.txt`	High
`sysadmin_manager` passes watched-filename params into `system("$hookfile $params")` and does not block pipe `	`.	`enum/sysadmin-hook-sources-live.txt`, `enum/sysadmin-contents-pipe-manual-asterisk.txt`
A watched filename `sysadmin.dump-iptables.	touch <secret redacted> `created` /<secret redacted> `as` root`.	`enum/local-incron-filename-pipe-marker.txt`
A watched filename `sysadmin.dump-iptables.	tar cf ROOTTAR root `created` /ROOTTAR` as a readable root-owned tar archive.	`enum/root-tar-seed.txt`
`root/root.txt` was extracted from `/ROOTTAR` into local `loot/root.txt`.	`loot/root.txt`	High
The final webshell file was removed and the old URL returns `404 Not Found`.	`loot/webshell-post-clean-status.txt`, `enum/webshell-body-after-cleanup.txt`	High
`asterisk.cron_jobs` has zero remaining watchTowr rows.	`enum/cron-jobs-cleanup-check.txt`	High

Ranked Hypotheses

Rank	Path	Evidence	Missing proof	Cheapest validation	Status
1	Reuse the validated endpoint <secret redacted> chain to regain transient `asterisk` execution on `<TARGET>`.	`enum/endpoint-watchtowr-shape-probe-respawn.txt`, `enum/admin-source-respawn.txt`, `enum/ping-common-respawn.txt`	Actual foothold and recaptured `user.txt` on the respawn.	Run the same public CVE chain from the new Pwnbox and confirm `id; hostname; pwd` as `asterisk`.	Closed - succeeded
2	Abuse the root-side `sysadmin_manager` watcher through watched-filename params that include an unfiltered shell pipe.	`enum/incron-watcher-source.txt`, `enum/sysadmin-hook-sources-live.txt`, `enum/sysadmin-contents-pipe-manual-asterisk.txt`, `enum/local-incron-filename-pipe-marker.txt`	A safe copy-out form that creates a readable root-owned artifact from `/root`.	Use a single-command payload `	tar cf ROOTTAR root`, then read` root/root.txt `from the archive through the` asterisk` foothold.
3	If the pipe injection failed, revisit the dnsmasq/sysadmin mutation branch for a copy-out primitive.	`enum/sysadmin-selected-hooks.txt`, `enum/dnsmasq-hook-rootwatch-current-post.txt`	Proof that a root-side restart path can execute a readable copy-out rather than only mutate permissions.	Only revisit on a fresh respawn if the stronger filename-pipe branch no longer works.	Closed - superseded
4	Revisit `aiovega`, `amportal`, or localhost services only if the root-side filename injection disappears on a later respawn.	Historical workspace plus local source-backed root hook evidence	Fresh live proof on the active respawn that the stronger branch is gone.	Keep as fallback only on future respawns.	Closed - unnecessary

Decision Rule

The current target is the respawned <TARGET> instance. Historical work from <TARGET> remained advisory only until revalidated. The final active chain on <TARGET> was:

Revalidate FreePBX endpoint route anchors.
Reuse the endpoint CVE to regain transient asterisk execution.
Prove the root-side sysadmin_manager watched-filename pipe injection with a harmless marker.
Use the same root-side filename pipeline to create /ROOTTAR from /root.
Read root/root.txt from that archive into loot/root.txt.
Remove /ROOTTAR and validation artifacts.
Verify there are no remaining watchTowr cron rows and remove the active webshell.

Memory Summary

Connected (<TARGET> respawn) reached COMPLETE by revalidating the FreePBX <TARGET> endpoint CVE foothold and then pivoting to a stronger local privesc than the earlier amportal/dnsmasq ideas. The durable lesson is that /usr/bin/sysadmin_manager on this image concatenates watched-filename params into system("$hookfile $params") while missing pipe |, and root-owned incrond watches /usr/local/asterisk/incron with <secret redacted>. A harmless watched filename proved root-side command execution, and a watched filename |tar cf ROOTTAR root produced a readable root-owned tar archive that allowed root/root.txt recovery through the existing asterisk foothold. Cleanup mattered: remove /ROOTTAR and validation markers, confirm no leftover watchTowr cron rows, delete the active webshell, and verify the old URL returns 404.

Connected

Connected attack path

High source coverage

Technical Walkthrough

Connected Walkthrough

Summary

Evidence

Source-Backed Dossier

Notes

Scope

Evidence Ledger

Synthesis

Attack Map

Current State

Working Hypotheses

Decision Rule

Session Resume

Current Access

Collaboration Model

Next Three Actions

Blockers

Session Registry

Dead Ends

Attack Map

Completion State

Known Facts

Ranked Hypotheses

Decision Rule

Memory Summary

Related insights