
Helix

Completion state: COMPLETE. The live target matched the corrected operator-first route: flow.helix.htb NiFi anonymous ExecuteScript -> nifi -> NiFi support bundle operator SSH material -> operator -> OPC UA maintenance window -> sudo helix-maint-console ->...

Difficulty: Medium · Published 2026-01-18 · Sanitized local writeup

Scenario


Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Source coverage

Status: complete. This article is generated from 7 sanitized Markdown sources (100% source coverage) and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • <TARGET>-Helix/walkthrough.md
  • HTB/<TARGET>-Helix/notes.md
  • HTB/<TARGET>-Helix/session-resume.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__attack-map.md.0669f9d897.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__notes.md.7b6a3625c1.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__session-resume.md.c66432f7d4.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__notes.md.c6615dd8c6.md

Technical Walkthrough

Helix Walkthrough

Raw flags and reusable secrets are stored only under loot/.

Summary

Completion state: COMPLETE.

The live target matched the corrected operator-first route:

flow.helix.htb NiFi anonymous ExecuteScript -> nifi -> NiFi support bundle operator SSH material -> operator -> OPC UA maintenance window -> sudo helix-maint-console -> root

Recon

  • Target IP: <TARGET>
  • Validated hosts: helix.htb, flow.helix.htb
  • Open ports: SSH 22/tcp, HTTP 80/tcp
  • NiFi version: 1.21.0
  • Anonymous NiFi API user had controller/restricted-component write permissions.

Evidence:

  • nmap/initial
  • enum/vhost-validation.txt
  • enum/baseline-services.txt

Foothold

Used the existing Apache NiFi ExecuteScript helper to run Groovy as nifi. A shell-health smoke test confirmed execution as nifi and verified the target shell path was working.

Evidence:

  • enum/nifi-exec-smoke-trigger.txt
  • enum/nifi-exec-shell-health.txt

User Path

Enumerated NiFi operational artifacts first. The support bundle directory contained an operator OpenSSH private-key backup. The file was exfiltrated directly to loot/, permissions were locked down, and SSH as operator succeeded. user.txt was captured from the live target and stored only under loot/.
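A defender-side check for the finding above, added here as an example and not part of the original writeup: it walks a support-bundle or backup directory (a constructed temporary tree with a placeholder key body, both assumptions) and reports every file that carries private-key material together with whether group or world can read it, which is exactly what turns a forgotten key backup inside a service account's artifacts into a lateral-movement path.

```python
import os
import stat
import tempfile
from pathlib import Path

# Identify key material by content, not by filename: a ".bak" or ".txt"
# copy of a key is still a key.
KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def is_private_key(path: Path) -> bool:
    """Read only the first 4 KiB; a PEM/OpenSSH header sits at the top of the file."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(marker in head for marker in KEY_MARKERS)


def scan_for_private_keys(root: str) -> list:
    """Walk root and return one finding per file holding private-key material,
    flagging keys that group or other can read (mode bits g+r / o+r)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if not p.is_file() or not is_private_key(p):
                continue
            mode = p.stat().st_mode
            findings.append({
                "path": str(p),
                "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed sample (assumption): a support-bundle directory with a log file
    and one loose key backup whose body is a placeholder, not real key material."""
    root = tempfile.mkdtemp(prefix="support-bundles-")
    bundle = Path(root) / "bundle-2026-06-06"
    bundle.mkdir()
    (bundle / "nifi-app.log").write_text("INFO Flow Controller started\n")
    key = bundle / "id_ed25519.bak"
    key.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n"
                    b"-----END OPENSSH PRIVATE KEY-----\n")
    key.chmod(0o644)  # readable by any account that can reach the bundle directory
    return root


if __name__ == "__main__":
    for finding in scan_for_private_keys(build_sample_tree()):
        print(finding)
```

Run it against the real support-bundle or backup path on a host you administer; any hit with group_or_world_readable set to True should be removed from the bundle and the key rotated.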

Evidence:

  • enum/nifi-artifacts-baseline.txt
  • enum/nifi-support-bundle-inventory.txt
  • enum/operator-key-verify.txt
  • enum/operator-ssh-baseline.txt
  • enum/user-flag-verify.txt
  • loot/user.txt

Privilege Escalation

As operator, sudo -l confirmed <password redacted> sudo for /usr/local/sbin/helix-maint-console. The console script checks /opt/helix/state/maintenance_window for a future timestamp and launches a privileged bash shell only while the maintenance window is open.

Evidence:

  • enum/operator-sudo-maintconsole.txt

The maintenance window was opened through the internal OPC UA endpoint using minimal writes:

  • Mode = <secret redacted>
  • TestOverride = true
  • CalibrationOffset = 12.0

The HMI changed from CLOSED to OPEN. During the open window, the maintenance console granted a root shell. Root identity proof was saved to enum/root-id.txt, and root.txt was captured to loot/root.txt only.

Evidence:

  • enum/opcua-maintenance-window-newip.txt
  • enum/maint-console-root-capture.txt
  • enum/root-id.txt
  • enum/root-flag-verify.txt
  • loot/root.txt

Dead Branch Avoided

The old world-writable /usr/bin/bash wrapper path was not used. No root-owned process invoking /usr/bin/bash was proven, and no core target binary was modified during this run.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: Helix
  • Current target IP: <TARGET>
  • Difficulty: Medium
  • Authorized HTB/CTF-style target
  • Raw flags/secrets stored only under loot/.

Evidence Ledger

| Timestamp UTC | Command | Output file | Finding | Next action |
|---|---|---|---|---|
| 2026-06-06T02:04:30Z | setup connectivity | enum/setup-connectivity.txt | Pwnbox/VPN/target reachability checked | recon |
| 2026-06-06T02:06:47Z | baseline service validation | nmap/initial, enum/baseline-services.txt | Services and NiFi API reconfirmed on new IP | NiFi execution smoke test |
| 2026-06-06T02:08:19Z | NiFi ExecuteScript shell-health smoke | enum/nifi-exec-smoke-trigger.txt, enum/nifi-exec-shell-health.txt | Execution as nifi and shell health verified | enumerate NiFi operational artifacts |
| 2026-06-06T02:09:22Z | NiFi ExecuteScript shell-health smoke | enum/nifi-exec-smoke-trigger.txt, enum/nifi-exec-shell-health.txt | Execution as nifi and shell health verified | enumerate NiFi operational artifacts |
| 2026-06-06T02:10:16Z | NiFi artifact baseline | enum/nifi-artifacts-baseline.txt | NiFi artifact paths and operator-related permissions checked | enumerate support bundles |
| 2026-06-06T02:13:31Z | NiFi artifact baseline | enum/nifi-artifacts-baseline.txt | NiFi artifact paths and operator-related permissions checked | enumerate support bundles |
| 2026-06-06T02:14:48Z | NiFi support-bundle inventory | enum/nifi-support-bundle-inventory.txt | Support bundle contents inventoried without dumping secrets | recover operator material if present |
| 2026-06-06T02:15:59Z | operator SSH and user flag capture | enum/operator-ssh-baseline.txt, loot/user.txt | Operator SSH worked; user flag captured to loot if valid | inspect operator docs and sudo |
| 2026-06-06T02:16:23Z | operator sudo and maint-console inspection | enum/operator-sudo-maintconsole.txt | Sudo policy and maintenance console inspected | satisfy maintenance-window condition |
| 2026-06-06T02:18:50Z | OPC UA maintenance-window open | enum/opcua-maintenance-window-newip.txt | Pre/post state recorded; window opened if HMI shows OPEN | run maint console |
| 2026-06-06T02:19:26Z | maintenance console root capture | enum/maint-console-root-capture.txt, enum/root-id.txt, loot/root.txt | Maint-console used during open window; root flag captured to loot if valid | document completion |
| 2026-06-06T02:20:44Z | final cleanup and docs | enum/final-cleanup-and-verification.txt, walkthrough.md, session-resume.md | COMPLETE; flags valid and active tunnels stopped | final report |
| 2026-06-06T02:21:23Z | final cleanup verification | enum/final-cleanup-and-verification.txt | No active listener/tunnel expected; flags valid | mirror artifacts |

Session Resume

Current Status

  • Target: Helix at <TARGET>
  • Completion: COMPLETE
  • User flag: captured from live target; raw value stored only in loot/user.txt
  • Root flag: captured from live target; raw value stored only in loot/root.txt
  • Raw reusable secrets: stored only under loot/

Verified Chain

  1. Reconfirmed helix.htb and flow.helix.htb on the live target.
  2. Reconfirmed Apache NiFi 1.21.0 anonymous API access on flow.helix.htb.
  3. Re-established ExecuteScript code execution as nifi.
  4. Recovered operator SSH material from /opt/nifi-1.21.0/support-bundles/ and stored it only under loot/.
  5. SSH as operator succeeded and user.txt was captured.
  6. operator had <password redacted> sudo for /usr/local/sbin/helix-maint-console.
  7. Opened the HMI privileged maintenance window by minimal OPC UA writes.
  8. Ran the maintenance console during the window and captured root.txt.

Active Sessions/Tunnels/Listeners

None. Pwnbox receiver and SSH port forwards were stopped at session end.

Important Evidence Files

  • enum/setup-connectivity.txt
  • nmap/initial
  • enum/baseline-services.txt
  • enum/nifi-exec-shell-health.txt
  • enum/nifi-support-bundle-inventory.txt
  • enum/operator-key-verify.txt
  • enum/operator-ssh-baseline.txt
  • enum/operator-sudo-maintconsole.txt
  • enum/opcua-maintenance-window-newip.txt
  • enum/maint-console-root-capture.txt
  • enum/root-id.txt
  • enum/final-cleanup-and-verification.txt
  • loot/user.txt and loot/root.txt (raw flags; do not print)

Cleanup Notes

  • No /usr/bin/bash wrapper path was used during this run.
  • No core target binaries were modified during this run.
  • OPC UA writes were limited to the values required to open the maintenance window.

Attack Map

Target: <TARGET> (HTB Helix, Medium/Linux, creator tarfouss3)

Live evidence: nmap full-TCP + top100 -sV (banners empty during boot window)

Open TCP Ports

| Port | Default Service | Banner | Evidence |
|---|---|---|---|
| 21 | FTP | empty | nmap/alltcp.gnmap |
| 80 | HTTP | empty | nmap/alltcp.gnmap |
| 443 | HTTPS | empty | nmap/alltcp.gnmap |
| 554 | RTSP | empty | nmap/alltcp.gnmap |
| 1723 | PPTP | empty | nmap/alltcp.gnmap |
| 8554 | RTSP-alt | empty | nmap/alltcp.gnmap |

Filtered: 65529 ports (consistent with target firewall, not NAT artifact).

Ranked Hypotheses

H1 — Web foothold on 80/443 (Confidence: Medium-High)

  • Why: Two web ports are the most common Linux Medium foothold surface; dual HTTP/HTTPS suggests an app, not just a default page.
  • Cheapest validation: header capture, TLS SAN, whatweb, baseline directory + vhost fuzz.
  • Missing proof: any server banner, page title, redirect, or cert CN/SAN.
  • Next: enum/pwnbox-handoff.sh step 3 + step 7.

H2 — Vhost / virtual-host required (Confidence: Medium)

  • Why: Dual web ports + locked TLS SAN often imply Host-header-keyed app on helix.htb or sub-vhost. App returning zero bytes to a bare-IP request fits a Host-strict reverse proxy / nginx default_server return 444.
  • Cheapest validation: try Host: helix.htb, then Host: localhost, then short brute via SecLists subdomains-top1million-5000.
  • Missing proof: a non-zero response with any Host value.
  • Next: after H1 fingerprint, run ffuf -H "Host: FUZZ.helix.htb" block in handoff script.

H3 — RTSP camera/stream surface (Confidence: Low-Medium)

  • Why: Two RTSP ports (554 + 8554) is unusual for a generic Linux box; tarfouss3's prior themes lean into streaming/CCTV. Possible exposed stream that leaks creds, RTP, or device info.
  • Cheapest validation: OPTIONS + DESCRIBE + nmap rtsp-methods and rtsp-url-brute.
  • Missing proof: any RTSP/1.0 ... response line; default URL like /live or /stream.
  • Next: handoff step 5.

H4 — FTP anon-read / cred-leak (Confidence: Low)

  • Why: FTP open on a 2026 Medium machine is almost always intentional — used either for anon-read of staged files or for credentialed write later in the chain.
  • Cheapest validation: banner capture + anonymous:anonymous@ read-only listing.
  • Missing proof: a banner string, or 230 after anon login.
  • Next: handoff step 4.

H5 — PPTP / VPN tunnel hint (Confidence: Very Low)

  • Why: PPTP is a clue more than a vector — usually points at retro/legacy or a VPN that lets you reach an internal subnet.
  • Cheapest validation: nmap pptp-info banner. Do not attempt auth/brute.
  • Missing proof: <REDACTED>
  • Next: handoff step 6.

Closed Branches

  • ICMP echo: target drops echo (HTB norm). Not actionable.

Local-Mac Drift / Blocker

  • L4 reachable but every L7 probe returns 0 bytes within 12s. This run cannot fingerprint services from local Mac. Pwnbox required for further enumeration.
  • Pwnbox SSH host was not provided this run; the operator must run enum/pwnbox-handoff.sh on Pwnbox and mirror outputs back here.

Notes

Scope

  • Target IP: <TARGET>
  • Machine: Helix (HTB ID 894)
  • OS: Linux
  • Difficulty: Medium
  • Creator: tarfouss3
  • Released: 2026-05-09
  • Authorized: HackTheBox lab; AI assistance permitted under HTB rules.

Connection

  • Operator: HTB Pwnbox (user: <<secret redacted>>)
  • Pwnbox SSH host: not provided to this session (no live SSH executed)
  • Attacker VPN IP: not yet captured

Operator Notes

  • Helix may take up to 5 minutes to boot. Retry before declaring services down.
  • No reliable public technical writeups (active machine). Pre-research in <local workspace>
  • Prior workspace (<TARGET>) superseded by new respawn IP.

Evidence Ledger

| Timestamp (UTC) | Command | Output File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-05-21T_init | workspace bind | enum/start-time.txt | Fresh workspace created for new IP | High | Run reachability probe |
| 2026-05-21T01:13 | nmap -Pn -sV -sC --top-ports 100 | nmap/top100.nmap | 21,80,443,554,1723 open; banners empty (boot delay) | Medium | Re-run with full TCP + service scripts after boot stabilises |
| 2026-05-21T01:13 | curl http://<TARGET>/ | enum/http-verbose-v4.txt | TCP connected, 0 bytes (still booting) | Medium | Retry from Pwnbox after 5min wait |
| 2026-05-20T15:47 | ping/nc/curl/openssl from local Mac | enum/http-root-1547Z.txt, enum/https-root-1547Z.txt | No real data flow; en0 cellular NAT gives false TCP accept | High | Workflow cannot enumerate from this Mac; handoff to Pwnbox required |
| 2026-05-20T15:47 | wrote Pwnbox handoff pack | enum/pwnbox-handoff.sh | Reproducible recon pack (no secrets in file) | High | Operator runs on Pwnbox; re-ingest output here |

Blocker (Run 2026-05-20T15:47Z)

  • Local Mac has no 10.129/16 route (no HTB VPN this session). TCP "accept" on en0 is a cellular-NAT artifact; HTTPS+openssl confirm no real data flow.
  • Pwnbox SSH host not provided in this run, so no remote command relay was attempted.
  • Pwnbox runtime password is held by the operator only and is not stored in this workspace, in line with operator instructions.

Next Action

  • Operator: copy enum/pwnbox-handoff.sh to the Pwnbox session and run it. Mirror nmap/ and enum/ outputs back here.
  • After full TCP + service scan, re-evaluate hypothesis map (H1 Web is leading; FTP/RTSP secondary).

Session Resume

Completion State: <secret redacted>

Harness Level: BASELINE

Current Checkpoint: Connectivity baseline — blocked on application-layer transport

Verified Live Anchors

  • Full TCP sweep (nmap -p<redacted>) completed 2026-05-21T02:10Z. Open: 21, 80, 443, 554, 1723, 8554. 65529 ports filtered.
  • Top-100 -sV/-sC at 01:13Z returned empty banners (boot window).
  • Second HTTP/HTTPS retry at 16:10Z still returns 0 bytes within 12s — boot window has clearly elapsed, so this is a transport or Host-strict-app behaviour, not a "service still booting" issue.

Ranked Hypotheses

  1. H1 Web foothold (80/443) — Medium-High. Need fingerprint from Pwnbox.
  2. H2 Hidden vhost / Host-strict app (helix.htb candidate) — Medium. Zero-byte responses to bare-IP fit nginx default_server return 444.
  3. H3 RTSP surface (554 + 8554) — Low-Medium. Two RTSP ports is unusual; likely the box theme.
  4. H4 FTP anon-read — Low. Banner + read-only probe in handoff.
  5. H5 PPTP info-only — Very Low. Banner only, no auth.

Closed Branches

  • ICMP echo dropped (HTB norm). Not actionable.

Blocker

  • Local Mac achieves L4 (TCP) but every L7 probe returns 0 bytes (curl, raw HTTP/1.0, ftp QUIT, RTSP OPTIONS). This pattern is too uniform to be a service-boot issue; likely VPN-provider asymmetric routing or Host-strict reverse-proxy. Either way, this Mac cannot complete fingerprinting.
  • Pwnbox SSH host was not provided this run; remote relay not attempted.
  • Pwnbox runtime password is held by the operator only, never written to workspace.

Handoff

  • enum/pwnbox-handoff.sh — paste/run on Pwnbox as <<secret redacted>>. Runs full TCP, service scripts, HTTP/HTTPS fingerprint, TLS cert peek, FTP anon test (read-only), RTSP methods, PPTP info, hostname-hint extraction. Mirror ~/HTB/<TARGET>-Helix/{nmap,enum} back to this workspace afterward.
  • attack-map.md — ranked hypotheses + cheapest-validation steps per branch.

Next Checkpoint

  • After Pwnbox runs the handoff script, ingest nmap/svc.nmap, enum/*-headers.txt, enum/tls-cert.txt, and enum/hostname-hints.txt.
  • Decide H1 sub-path (CMS / framework / custom app / API) and whether to add helix.htb (or other) to /etc/hosts based on cert SAN or redirect — never guess.
  • Re-rank hypotheses. Only then pick the first 20-min vector to test (Medium box timebox).

Notes

Scope

| Field | Value |
|---|---|
| Platform | Hack The Box / simulated lab |
| Target | Helix |
| Difficulty | Medium |
| OS | Linux |
| Active target IP | <TARGET> |
| Hostname/domain | unknown |
| Pwnbox | <TARGET> |
| Attacker/VPN IP | unknown |
| Local workspace | <local workspace><TARGET>-Helix |
| Pwnbox workspace | ~/htb/<TARGET>-Helix |
| Started | 2026-05-27T11:01:37Z |

Evidence Ledger

| Time UTC | Phase | Command/Action | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|---|
| 2026-05-27T11:01:37Z | setup | htbctl init | target-state.json | Workspace initialized by deterministic harness. | High | Validate route and start baseline recon. |

Synthesis

Current completion state: COMPLETE on new live IP <TARGET>.

Raw flags and reusable secrets must be stored only under loot/.

Completion Update — 2026-06-06

The machine was completed in the mirrored workspace <local workspace><TARGET>-Helix.

Successful chain:

flow.helix.htb NiFi anonymous ExecuteScript -> nifi -> NiFi support bundle operator SSH material -> operator -> OPC UA maintenance window -> sudo helix-maint-console -> root

Key evidence files:

  • <local workspace><TARGET>-Helix/enum/nifi-support-bundle-inventory.txt
  • <local workspace><TARGET>-Helix/enum/operator-sudo-maintconsole.txt
  • <local workspace><TARGET>-Helix/enum/opcua-maintenance-window-newip.txt
  • <local workspace><TARGET>-Helix/enum/root-id.txt
  • <local workspace><TARGET>-Helix/enum/final-cleanup-and-verification.txt
  • <local workspace><TARGET>-Helix/loot/ raw flags/secrets only; do not print