Connected
The live respawn at <TARGET> still exposed FreePBX <TARGET> on connected.htb, so the previously validated endpoint branch remained the fastest initial access path. I revalidated the exact endpoint route family, reused the <secret redacted> chain to regain...
Scenario
Connected attack path
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Revalidate FreePBX endpoint route anchors.
Reuse the endpoint CVE to regain transient asterisk...
Prove the root-side sysadmin_manager watched-filename...
Use the same root-side filename pipeline to create...
Read root/root.txt from that archive into...
Source coverage
High source coverage
Status: complete. This article is generated from 7 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- <TARGET>-Connected/walkthrough.md
- HTB/<TARGET>-Connected/notes.md
- HTB/<TARGET>-Connected/attack-map.md
- HTB/<TARGET>-Connected/memory-summary.md
- HTB/<TARGET>-Connected/session-resume.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Connected__attack-map.md.fb3535ce8e.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Connected__dead-ends.md.3bea054de5.md
Technical Walkthrough
Connected Walkthrough
Raw flags and reusable secrets are stored only under loot/.
Summary
The live respawn at <TARGET> still exposed FreePBX <TARGET> on connected.htb, so the previously validated endpoint branch remained the fastest initial access path. I revalidated the exact endpoint route family, reused the <secret redacted> chain to regain transient asterisk execution, and recaptured user.txt.
For privesc, the strongest live branch was not amportal or dnsmasq. The decisive source-backed primitive was root-owned incrond plus /usr/bin/sysadmin_manager. sysadmin_manager concatenates watched-filename params into system("$hookfile $params"), and its metacharacter filter misses pipe |. A harmless watched filename under /usr/local/asterisk/incron created a root-owned marker, then a watched filename sysadmin.dump-iptables.|tar cf ROOTTAR root created a readable root-owned tar archive. From the asterisk foothold I extracted root/root.txt from that archive into loot/root.txt.
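A Python model of the filter flaw described above, added here as an illustration; it is not code from sysadmin_manager or from the original notes. The denylist contents, the hook directory and the allowlist policy are assumptions. It contrasts a denylist that omits `|` with an allowlist check that builds an argv list for shell-free execution.

```python
import re
import shlex

# Constructed stand-in for the filter described above: it rejects several shell
# metacharacters but omits the pipe. The real character list is not on the page.
DENYLIST = set(";&$`<>(){}\\'\"\n")

# Hypothetical allowlist policy for the hardened path.
PARAM_RE = re.compile(r"[A-Za-z0-9_-]*")
KNOWN_HOOKS = {"dump-iptables"}   # hook name taken from the page
HOOK_DIR = "/opt/example/hooks"   # placeholder path, not the product's


def parse(filename):
    """Split '<module>.<hook>.<params>'; return None if the shape is wrong."""
    parts = filename.split(".", 2)
    return tuple(parts) if len(parts) == 3 else None


def denylist_accepts(filename):
    """Weak check: accept when params contain no denylisted character."""
    req = parse(filename)
    return req is not None and not (set(req[2]) & DENYLIST)


def weak_command(filename):
    """String the weak path would pass to a shell: "$hookfile $params"."""
    _, hook, params = parse(filename)
    return f"{HOOK_DIR}/{hook} {params}"


def shell_operators(command):
    """Return the shell control operators a POSIX shell would see in command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]


def hardened_argv(filename):
    """Return argv for shell-free execution, or None when the request is rejected."""
    req = parse(filename)
    if req is None:
        return None
    _, hook, params = req
    if hook not in KNOWN_HOOKS or not PARAM_RE.fullmatch(params):
        return None
    return [f"{HOOK_DIR}/{hook}"] + ([params] if params else [])


def triage(filenames):
    """Summarise how each watched filename fares under both checks."""
    rows = []
    for name in filenames:
        accepted = denylist_accepts(name)
        ops = shell_operators(weak_command(name)) if accepted else []
        rows.append((name, accepted, ops, hardened_argv(name)))
    return rows


# Constructed sample names; the second and third use the forms quoted on the page.
SAMPLES = [
    "sysadmin.dump-iptables.;id",
    "sysadmin.dump-iptables.CONTENTS",
    "sysadmin.dump-iptables.|tar cf ROOTTAR root",
]

if __name__ == "__main__":
    for name, accepted, ops, argv in triage(SAMPLES):
        print(f"{name!r}: denylist={accepted} operators={ops} argv={argv}")
```

The allowlist only narrows input; the structural fix is that the hardened path never builds a shell string, so an operator character has nothing to interpret it.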
After objective capture, I removed /ROOTTAR and the validation markers, verified asterisk.cron_jobs had no remaining watchTowr rows, deleted the active webshell file, and confirmed the old URL returned 404 Not Found.
Evidence
- State: `target-state.json`
- Notes: `notes.md`
- Route + surface revalidation: `enum/pwnbox-preflight-respawn.txt`, `enum/ping-common-respawn.txt`, `enum/admin-source-respawn.txt`, `enum/endpoint-watchtowr-shape-probe-respawn.txt`
- Root hook source and watcher proof: `enum/incron-watcher-source.txt`, `enum/sysadmin-hook-sources-live.txt`, `enum/local-incron-filename-pipe-marker.txt`
- Root copy-out proof: `enum/local-incron-tar-validation.txt`, `enum/root-tar-seed.txt`, `loot/root.txt`
- Cleanup proof: `loot/privesc-cleanup.txt`, `enum/cron-jobs-cleanup-check.txt`, `loot/webshell-post-clean-status.txt`, `enum/webshell-body-after-cleanup.txt`
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
| Field | Value |
|---|---|
| Platform | Hack The Box / simulated lab |
| Target | Connected |
| Difficulty | Easy |
| OS | Linux |
| Active target IP | <TARGET> |
| Hostname/domain | connected.htb |
| Pwnbox | <TARGET> |
| Attacker/VPN IP | <TARGET> |
| Local workspace | <local workspace><TARGET>-Connected |
| Pwnbox workspace | ~/htb/<TARGET>-Connected |
| Prior respawned IPs | <TARGET>, <TARGET> |
| Started | 2026-06-09T02:06:18Z |
Evidence Ledger
| Time UTC | Phase | Command/Action | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|---|
| 2026-06-09T02:06:18Z | setup | htbctl init | target-state.json | Workspace initialized by deterministic harness. | High | Validate route and start baseline recon. |
| 2026-06-09T02:03:03Z | <secret redacted> | Direct Pwnbox SSH preflight against <TARGET> and route to <TARGET> | enum/pwnbox-preflight-respawn.txt | New Pwnbox is reachable; tun0 is present; route to <TARGET> is via <TARGET> on tun0; hostname mappings for connected.htb and pbxconnect resolve to the new target. | High | Validate the exposed surface on the respawn before reusing any old exploit chain. |
| 2026-06-09T02:03:04Z | <secret redacted> | ping and common-port check from the new Pwnbox to <TARGET> | enum/ping-common-respawn.txt | The respawn is live and exposes the same open TCP set as the prior instance: 22, 80, 443. | High | Re-anchor the web product and exact exploit route. |
| 2026-06-09T02:08:04Z | <secret redacted> | Base HTTP/HTTPS behavior from the new Pwnbox | enum/web-base-curl-respawn.txt | Both HTTP and HTTPS on connected.htb still return 302 Location: /admin. | High | Pull the admin page and confirm product/version anchors. |
| 2026-06-09T02:09:11Z | <secret redacted> | Pull /admin/ and grep high-value anchors | enum/admin-source-respawn.txt | The respawn still presents FreePBX <TARGET> with /ucp, cxpanel, and the userman asset reference. | High | Revalidate the exact endpoint route family before reusing the old exploit chain. |
| 2026-06-09T02:09:40Z | <secret redacted> | Harmless endpoint route revalidation with browser-shaped headers | enum/endpoint-watchtowr-shape-probe-respawn.txt | The exact module=FreePBX\\modules\\endpoint\\ajax&command=model... route still reaches endpoint/views/model.php, while a bad module path still fails separately in Self_Helper.class.php. The old endpoint chain remains source-backed on the respawn. | High | Record a fresh exploit evaluator and re-establish the asterisk foothold on this instance. |
| 2026-06-09T02:09:40Z | stale-state-guard | Historical <secret redacted> result retained only in the prior workspace | <local workspace><TARGET>-Connected/loot/user.txt | The previous instance reached <secret redacted>, but that flag does not count for the active target. The current respawn remains at BASELINE until foothold and flags are recaptured live. | High | Continue on the current IP only. |
| 2026-06-09T03:28:09Z | FOOTHOLD | Revalidate live sysadmin_manager, module hooks, and dnsmasq service paths from the asterisk webshell foothold | enum/sysadmin-path-reality-check.txt, enum/sysadmin-selected-hooks.txt, enum/incron-watcher-source.txt | The live root-side watcher is incrond as root; /etc/incron.d/local watches /usr/local/asterisk/incron with <secret redacted>; /etc/incron.d/sysadmin watches /var/spool/asterisk/incron; /usr/bin/sysadmin_manager still passes $params directly into system("$hookfile $params") and blocks several shell metacharacters but not pipe `\|`. | High | |
| 2026-06-09T03:29:56Z | <secret redacted> | Manual sysadmin_manager execution against sysadmin.dump-iptables.CONTENTS with a pipe payload | enum/sysadmin-contents-pipe-manual-asterisk.txt | sysadmin_manager accepts `\| /usr/bin/touch ...` and executes the piped command under the caller identity. This proves the parser flaw, but not yet the root-side watcher behavior. | High | |
| 2026-06-09T03:32:00Z | <secret redacted> | Drop watched filename `sysadmin.dump-iptables.\|touch <secret redacted>` into `/usr/local/asterisk/incron` | enum/local-incron-filename-pipe-marker.txt | The root-side watcher consumed the request and created /<secret redacted> as root:root. This is live proof that an asterisk-writable watched filename can inject a root command via the unfiltered pipe character. | High | |
| 2026-06-09T03:35:00Z | <secret redacted> | Drop watched filename `sysadmin.dump-iptables.\|tar cf ETCTAR etc` into `/usr/local/asterisk/incron` | enum/local-incron-tar-validation.txt | The same root-side watcher created /ETCTAR as a world-readable root-owned tar archive, proving the pipeline can run a multi-argument command and persist a readable root-owned artifact at /. | High | |
| 2026-06-09T03:36:00Z | <secret redacted> | Drop watched filename `sysadmin.dump-iptables.\|tar cf ROOTTAR root`, extract `root/root.txt` from `/ROOTTAR`, then delete `/ROOTTAR` and validation artifacts | enum/evaluator-privesc-20260609T033050Z.txt, enum/root-tar-seed.txt, loot/root.txt, loot/privesc-cleanup.txt | The root-side watcher created /ROOTTAR as a readable root-owned archive; tar xf /ROOTTAR -O root/root.txt from the asterisk foothold recovered the live root flag into loot/root.txt; cleanup removed /ROOTTAR, /ETCTAR, /<secret redacted>, and temporary marker files. | High | |
| 2026-06-09T05:46:00Z | CLEANUP | Verify asterisk.cron_jobs for watchTowr leftovers, delete the active webshell file, and confirm the HTTP path is no longer executable | enum/cron-jobs-cleanup-check.txt, loot/webshell-post-clean-status.txt, enum/webshell-http-status-after-cleanup.txt, enum/webshell-body-after-cleanup.txt | asterisk.cron_jobs has zero rows matching the watchTowr artifact patterns; the active webshell file is absent on disk; the old URL now returns a normal 404 Not Found body with no command execution. | High | Update cleanup docs, mark the machine COMPLETE, and stop. |
Synthesis
Current completion state: COMPLETE.
The active respawn matched the prior instance at the high-value anchors needed to reuse the old endpoint chain, and the root branch is now fully live-proven:
- `22/tcp`, `80/tcp`, `443/tcp` are open
- `connected.htb` still redirects to `/admin`
- `/admin/` still identifies `FreePBX <TARGET>`
- `/ucp`, `cxpanel`, and the `userman` asset references are still present
- the exact `endpoint` exploit route still resolves and differentiates correctly
- `incrond` runs as `root` and watches `/usr/local/asterisk/incron` with `<secret redacted>`
- `sysadmin_manager` still concatenates the watched filename params into `system("$hookfile $params")`
- the parameter filter blocks several metacharacters but not pipe `|`
- a watched filename payload created `/<secret redacted>` as `root`
- a watched filename payload created `/ROOTTAR` as a readable root-owned tar archive
- `root/root.txt` was extracted from that archive into `loot/root.txt`
- `asterisk.cron_jobs` has no remaining watchTowr rows on the active respawn
- the active endpoint webshell file was removed and the old URL now returns `404 Not Found`
Historical evidence from <local workspace><TARGET>-Connected remained advisory only until revalidated on <TARGET>. The final privesc chain on the active respawn is fully backed by live files under enum/ and loot/.
Raw flags and reusable secrets must be stored only under loot/.
Attack Map
Completion State
COMPLETE
Known Facts
| Fact | Evidence | Confidence |
|---|---|---|
| Machine is Connected. | Operator scope and official HTB metadata. | High |
| Current active target IP is <TARGET>. | Operator update plus enum/pwnbox-preflight-respawn.txt. | High |
| Prior stale target IPs are <TARGET> and <TARGET>. | Historical workspaces and operator update. | High |
| Current Pwnbox is profex0r@<TARGET>. | Operator update plus enum/pwnbox-preflight-respawn.txt. | High |
| The new Pwnbox has tun0 and a valid route to <TARGET>. | enum/pwnbox-preflight-respawn.txt | High |
| The respawn exposes 22/tcp, 80/tcp, and 443/tcp. | enum/ping-common-respawn.txt | High |
| connected.htb still redirects to /admin. | enum/web-base-curl-respawn.txt | High |
| The web product on the respawn is still FreePBX <TARGET>. | enum/admin-source-respawn.txt | High |
| /ucp, cxpanel, and the userman asset reference are still present. | enum/admin-source-respawn.txt | High |
| The exact <secret redacted> endpoint route still resolves on the respawn. | enum/endpoint-watchtowr-shape-probe-respawn.txt | High |
| The respawned foothold again lands as asterisk. | loot/webshell-baseline.txt, loot/post-foothold-baseline.txt, loot/user.txt | High |
| incrond runs as root and watches /usr/local/asterisk/incron with <secret redacted>. | enum/incron-watcher-source.txt, enum/local-incron-path-check.txt | High |
| sysadmin_manager passes watched-filename params into system("$hookfile $params") and does not block pipe `\|`. | enum/sysadmin-hook-sources-live.txt, enum/sysadmin-contents-pipe-manual-asterisk.txt | |
| A watched filename `sysadmin.dump-iptables.\|touch <secret redacted>` created `/<secret redacted>` as `root`. | enum/local-incron-filename-pipe-marker.txt | |
| A watched filename `sysadmin.dump-iptables.\|tar cf ROOTTAR root` created `/ROOTTAR` as a readable root-owned tar archive. | enum/root-tar-seed.txt | |
| root/root.txt was extracted from /ROOTTAR into local loot/root.txt. | loot/root.txt | High |
| The final webshell file was removed and the old URL returns 404 Not Found. | loot/webshell-post-clean-status.txt, enum/webshell-body-after-cleanup.txt | High |
| asterisk.cron_jobs has zero remaining watchTowr rows. | enum/cron-jobs-cleanup-check.txt | High |
Ranked Hypotheses
| Rank | Path | Evidence | Missing proof | Cheapest validation | Status |
|---|---|---|---|---|---|
| 1 | Reuse the validated endpoint <secret redacted> chain to regain transient asterisk execution on <TARGET>. | enum/endpoint-watchtowr-shape-probe-respawn.txt, enum/admin-source-respawn.txt, enum/ping-common-respawn.txt | Actual foothold and recaptured user.txt on the respawn. | Run the same public CVE chain from the new Pwnbox and confirm id; hostname; pwd as asterisk. | Closed - succeeded |
| 2 | Abuse the root-side sysadmin_manager watcher through watched-filename params that include an unfiltered shell pipe. | enum/incron-watcher-source.txt, enum/sysadmin-hook-sources-live.txt, enum/sysadmin-contents-pipe-manual-asterisk.txt, enum/local-incron-filename-pipe-marker.txt | A safe copy-out form that creates a readable root-owned artifact from /root. | Use a single-command payload `\|tar cf ROOTTAR root`, then read `root/root.txt` from the archive through the `asterisk` foothold. | |
| 3 | If the pipe injection failed, revisit the dnsmasq/sysadmin mutation branch for a copy-out primitive. | enum/sysadmin-selected-hooks.txt, enum/dnsmasq-hook-rootwatch-current-post.txt | Proof that a root-side restart path can execute a readable copy-out rather than only mutate permissions. | Only revisit on a fresh respawn if the stronger filename-pipe branch no longer works. | Closed - superseded |
| 4 | Revisit aiovega, amportal, or localhost services only if the root-side filename injection disappears on a later respawn. | Historical workspace plus local source-backed root hook evidence | Fresh live proof on the active respawn that the stronger branch is gone. | Keep as fallback only on future respawns. | Closed - unnecessary |
Decision Rule
The current target is the respawned <TARGET> instance. Historical work from <TARGET> remained advisory only until revalidated. The final active chain on <TARGET> was:
- Revalidate FreePBX endpoint route anchors.
- Reuse the endpoint CVE to regain transient `asterisk` execution.
- Prove the root-side `sysadmin_manager` watched-filename pipe injection with a harmless marker.
- Use the same root-side filename pipeline to create `/ROOTTAR` from `/root`.
- Read `root/root.txt` from that archive into `loot/root.txt`.
- Remove `/ROOTTAR` and validation artifacts.
- Verify there are no remaining watchTowr cron rows and remove the active webshell.
Memory Summary
Connected (<TARGET> respawn) reached COMPLETE by revalidating the FreePBX <TARGET> endpoint CVE foothold and then pivoting to a stronger local privesc than the earlier amportal/dnsmasq ideas. The durable lesson is that /usr/bin/sysadmin_manager on this image concatenates watched-filename params into system("$hookfile $params") while missing pipe |, and root-owned incrond watches /usr/local/asterisk/incron with <secret redacted>. A harmless watched filename proved root-side command execution, and a watched filename |tar cf ROOTTAR root produced a readable root-owned tar archive that allowed root/root.txt recovery through the existing asterisk foothold. Cleanup mattered: remove /ROOTTAR and validation markers, confirm no leftover watchTowr cron rows, delete the active webshell, and verify the old URL returns 404.
Session Resume
Last updated: 2026-06-09T05:46:00Z
Current Access
- Completion state: `COMPLETE`.
- Machine: `Connected`.
- Category/status: seasonal active HTB machine.
- Difficulty/OS: Easy / Linux.
- Active target IP: `<TARGET>`.
- Prior stale target IPs: `<TARGET>`, `<TARGET>`.
- Current local workspace: `<local workspace><TARGET>-Connected`.
- Superseded prior workspace: `<local workspace><TARGET>-Connected`.
- Pwnbox: `profex0r@<TARGET>`.
- Pwnbox password is intentionally not stored. Use `<secret redacted>` only at runtime.
- Attacker/VPN IP: `<TARGET>`.
- Hostname/domain: `connected.htb`.
- Route to `<TARGET>` is validated via `tun0`.
- Live service map on the respawn stayed consistent at `22/tcp`, `80/tcp`, `443/tcp`.
- `/admin/` is again a validated FreePBX admin login page.
- Product/version anchor on the respawn: `FreePBX <TARGET>`.
- The transient endpoint webshell foothold was reused to reach `asterisk`, then removed after cleanup.
- `incrond` runs as `root` and watches `/usr/local/asterisk/incron` with `<secret redacted>`.
- `sysadmin_manager` concatenates watched-filename params into `system("$hookfile $params")`.
- The parameter filter blocks several shell metacharacters but misses pipe `|`.
- A harmless watched filename created `/<secret redacted>` as `root`.
- A watched filename `|tar cf ROOTTAR root` created `/ROOTTAR` as a readable root-owned tar archive.
- `tar xf /ROOTTAR -O root/root.txt` recovered the live root flag into `loot/root.txt`.
- Privesc cleanup removed `/ROOTTAR`, `/ETCTAR`, `/<secret redacted>`, and temporary marker files.
- `asterisk.cron_jobs` has zero rows matching the watchTowr artifact patterns.
- The old webshell URL now returns `404 Not Found`.
Immediate Objective
Stop. The machine is complete on the active respawn; both user.txt and root.txt are captured locally and the live exploit artifacts were cleaned.
Next Three Actions
- Keep `loot/root.txt`, `loot/user.txt`, `loot/privesc-cleanup.txt`, and `loot/webshell-post-clean-status.txt` as the authoritative local evidence refs.
- Do not resume exploitation on this respawn unless the operator explicitly asks for replay or extra validation.
- On a future respawn, start with route/Pwnbox validation and re-check the watched-filename root hook before assuming the same branch still works.
Stop Conditions
Stop and report instead of continuing if:
- The target respawns again and invalidates the current `loot/` evidence.
- Any later task would require replaying the root chain without a fresh route/Pwnbox validation.
Session Registry
| Name | Owner | Host | Command | Status | Evidence |
|---|---|---|---|---|---|
| pwnbox-ssh | coordinator | <TARGET> | direct ssh/scp for secret-safe exploit execution | active | enum/pwnbox-preflight-respawn.txt, enum/ping-common-respawn.txt, enum/web-base-curl-respawn.txt, enum/admin-source-respawn.txt, enum/endpoint-watchtowr-shape-probe-respawn.txt |
| endpoint-webshell | coordinator | connected.htb | transient watchTowr endpoint webshell reused for asterisk command execution | closed after cleanup | loot/webshell-base-url.txt, exploits/watchtowr-run.txt, loot/webshell-baseline.txt, loot/post-foothold-baseline.txt, loot/webshell-post-clean-status.txt, enum/webshell-body-after-cleanup.txt |
| incrond-root-hook | coordinator | connected.htb | watched-filename pipeline via /usr/local/asterisk/incron into sysadmin_manager | closed after success | enum/local-incron-filename-pipe-marker.txt, enum/local-incron-tar-validation.txt, enum/root-tar-seed.txt, loot/privesc-cleanup.txt |
Attack Map
Completion State
<secret redacted>
Known Facts
| Fact | Evidence | Confidence |
|---|---|---|
| Machine is Connected. | Operator scope and official HTB metadata. | High |
| Current target IP is <TARGET>. | Operator scope for this run. | High |
| Prior target IP <TARGET> is stale. | Previous workspace stalled on unreachable surface. | High |
| OS/difficulty are Linux / Easy. | Operator scope and official metadata. | High |
| Current Pwnbox is <<secret redacted>>@<TARGET>. | Operator scope. | High |
| The web product is FreePBX <TARGET>. | enum/admin-source.txt | High |
| The commercial endpoint module is present enough for the CVE route family to resolve. | enum/freepbx-surface-validation.txt, enum/endpoint-watchtowr-shape-probe.txt | High |
| The exact <secret redacted> module path reaches endpoint/views/model.php on the live target. | enum/endpoint-watchtowr-shape-probe.txt | High |
| The matched endpoint chain yielded transient command execution as asterisk. | exploits/watchtowr-run.txt, loot/webshell-baseline.txt | High |
| user.txt is readable from the asterisk foothold and has been captured. | loot/user.txt, loot/webshell-baseline.txt | High |
| amportal resolves freepbx_engine from /var/lib/asterisk/bin first, and that path is writable by asterisk. | enum/privesc-cve-2025-67722-validation.txt, enum/privesc-amportal-paths-live.txt | High |
| The prior amportal/incrond trigger attempt did not yield a root-readable copy before the engine was restored. | enum/privesc-trigger-postfire.txt, enum/evaluator-privesc-20260608T142730Z.txt, telemetry.jsonl | Medium |
| A root-owned localhost service exists on <TARGET>:4000: python3.6 -m aiohttp.web aiovega.web:app_factory. | enum/privesc-amportal-deep-check.txt | High |
| Coordinator-to-Pwnbox transport is currently down, and the local Mac still has no HTB route. | enum/pwnbox-transport-recheck.txt, enum/local-route-recheck.txt | High |
Ranked Hypotheses
| Rank | Path | Evidence | Missing proof | Cheapest validation | Status |
|---|---|---|---|---|---|
| 1 | Endpoint <secret redacted> to transient asterisk code execution. | enum/endpoint-watchtowr-shape-probe.txt, exploits/watchtowr-run.txt, loot/webshell-baseline.txt | None for <secret redacted>; foothold is proven. | Completed. | Proven |
| 2 | Read user.txt directly from the asterisk foothold. | /home/asterisk/user.txt is group-readable by asterisk. | None; flag captured. | Completed. | Proven |
| 3 | Exploit or abuse the root-owned localhost aiovega proxy service on <TARGET>:4000. | enum/privesc-amportal-deep-check.txt proves the process is root-owned and bound to loopback. | aiovega.web request shape and whether it exposes SSRF, file, or command side effects. | Re-establish asterisk foothold and dump/import aiovega.web, then probe <TARGET>:4000 with the discovered parameters. | Priority root branch |
| 4 | Revisit <secret redacted> / amportal only if a stronger root-run trigger is proven. | enum/privesc-cve-2025-67722-validation.txt, enum/privesc-amportal-paths-live.txt, enum/privesc-trigger-postfire.txt, telemetry.jsonl | A reliable root-side trigger that actually executes the planted wrapper. | Re-establish foothold, prove the root trigger path end to end without mutating the engine first, then reassess. | Weakened after bounded failure |
| 5 | Local privilege escalation from asterisk using other localhost-only services or configs. | loot/post-foothold-baseline.txt shows local MongoDB, MySQL, Redis, and AMI listeners plus the asterisk shell. | A concrete root transition. | Re-establish foothold and validate service-specific abuse only if aiovega and amportal close. | Active fallback |
| 6 | UCP/userman fallback. | userman is present and browser-shaped auth checks work. | Source-backed valid account on this host. | Only revisit if endpoint chain becomes unavailable or if user explicitly wants the alternate path documented further. | Deprioritized |
Decision Rule
The user objective is now <secret redacted>. Continue privesc only after re-establishing asterisk access and recording a privesc evaluator. Prefer the root-owned aiovega localhost service first; keep amportal as a secondary branch unless a stronger trigger is proven.
Dead Ends
Stale Prior IP Branch
| Branch | Evidence | Reason closed | Revisit condition |
|---|---|---|---|
| Treat <TARGET> findings as current Connected evidence. | <local workspace><TARGET>-Connected shows unreachable target behavior and old Pwnbox details. | Target IP has changed to <TARGET>; old reachability failures are not evidence for the new target. | Only revisit if HTB UI reassigns <TARGET> again. |
Active Dead Ends
| Branch | Evidence | Reason closed | Revisit condition |
|---|---|---|---|
| Pre-header userman AJAX controls as a meaningful auth oracle. | enum/userman-ajax-controls.txt | Without browser-shaped headers, every harmless control collapsed to ajaxRequest declined - Referrer, so those early results were only front-gate behavior. | Revisit only if a future branch needs the exact same-origin request shape again. |
| Source-backed generic template username as a ready-made foothold. | loot/userman-auth-check.txt, /tmp/userman16-htb/Userman.class.php, /tmp/userman16-htb/install.php, /tmp/userman16-htb/Console/Userman.class.php | The historic userman source identified the legacy generic-template account pattern, but the bounded live credential test did not resolve that username as a valid UCP account on this host. | Revisit only if later authenticated access exposes an existing template-creator user in the database. |
| Generic module=endpoint probing as the exploit path. | enum/endpoint-route-controls.txt, enum/endpoint-browser-auth-probe.txt | module=endpoint reached only auth-gated module logic; the live exploit route was the fully qualified module=FreePBX\\modules\\endpoint\\ajax path instead. | Revisit only to contrast pre-exploit controls with the proven CVE route. |