Helix
Completion state: COMPLETE. The machine was completed against live target IP <TARGET>. Full evidence and loot are in: - <local workspace><TARGET>-Helix/ Successful
Scenario
Helix attack path
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
- Reconfirmed helix.htb and flow.helix.htb on the live...
- Reconfirmed Apache NiFi 1.21.0 anonymous API access...
- Re-established NiFi ExecuteScript code execution as...
- Recovered operator SSH material from NiFi support...
- SSH as operator succeeded and user.txt was captured...
Source coverage
High source coverage
Status: complete. This article is generated from 7 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- <TARGET>-Helix/walkthrough.md
- HTB/<TARGET>-Helix/notes.md
- HTB/<TARGET>-Helix/session-resume.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__attack-map.md.0669f9d897.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__notes.md.7b6a3625c1.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__session-resume.md.c66432f7d4.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Helix__notes.md.3a7696cf0b.md
Technical Walkthrough
Helix Walkthrough
Raw flags and reusable secrets are stored only under loot/ in the completed new-IP workspace.
Summary
Completion state: COMPLETE.
The machine was completed against live target IP <TARGET>. Full evidence and loot are in:
<local workspace><TARGET>-Helix/
Successful chain:
flow.helix.htb NiFi anonymous ExecuteScript -> nifi -> NiFi support bundle operator SSH material -> operator -> OPC UA maintenance window -> sudo helix-maint-console -> root
Key Evidence
- Recon and NiFi baseline: `<local workspace><TARGET>-Helix/enum/baseline-services.txt`
- NiFi execution as nifi: `<local workspace><TARGET>-Helix/enum/nifi-exec-shell-health.txt`
- Support-bundle operator material path: `<local workspace><TARGET>-Helix/enum/nifi-support-bundle-inventory.txt`
- Operator SSH proof: `<local workspace><TARGET>-Helix/enum/operator-ssh-baseline.txt`
- Operator sudo and maintenance console: `<local workspace><TARGET>-Helix/enum/operator-sudo-maintconsole.txt`
- OPC UA maintenance-window proof: `<local workspace><TARGET>-Helix/enum/opcua-maintenance-window-newip.txt`
- Root proof: `<local workspace><TARGET>-Helix/enum/root-id.txt`
- Flag format and cleanup verification: `<local workspace><TARGET>-Helix/enum/final-cleanup-and-verification.txt`
Lessons
The operator-first chain matched live reality. The old world-writable /usr/bin/bash wrapper branch was not used and should remain a dead branch unless a root-owned invocation trigger is proven.
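The foothold in the chain above rests on one NiFi condition: the REST API accepted anonymous callers, so flow changes (and an ExecuteScript processor) needed no credentials. As a defensive counterpart, the following Python audits a NiFi 1.x `nifi.properties` for the two settings that produce that condition: a plaintext HTTP listener (NiFi applies no authentication in HTTP mode) and an HTTPS listener with `nifi.security.allow.anonymous.authentication=true`. This is an added example written for these notes, not code from the Helix workspace or from the NiFi project; the property keys are the documented NiFi 1.x names, and the three sample files are constructed, not copied from any target.

```python
"""Audit a NiFi 1.x nifi.properties for settings that leave the REST API anonymous.

Added defensive example for these notes; not code from the Helix workspace.
Property keys are the documented NiFi 1.x names. The sample files below are
constructed, not copied from any deployment.
"""
from __future__ import annotations

HTTP_PORT = "nifi.web.http.port"
HTTPS_PORT = "nifi.web.https.port"
ANON_AUTH = "nifi.security.allow.anonymous.authentication"

# Constructed sample 1: plaintext listener only. NiFi performs no
# authentication in HTTP mode, so every API caller (including one adding an
# ExecuteScript processor) acts as the anonymous user.
EXPOSED_SAMPLE = """\
# constructed sample, not a real deployment
nifi.web.http.host=0.0.0.0
nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
nifi.security.allow.anonymous.authentication=false
"""

# Constructed sample 2: HTTPS listener, but anonymous authentication switched on.
ANON_HTTPS_SAMPLE = """\
nifi.web.http.port=
nifi.web.https.host=0.0.0.0
nifi.web.https.port=8443
nifi.security.allow.anonymous.authentication=true
"""

# Constructed sample 3: HTTPS on loopback, anonymous auth off, single-user
# login provider and authorizer (the layout NiFi 1.14+ ships by default).
HARDENED_SAMPLE = """\
nifi.web.http.port=
nifi.web.https.host=127.0.0.1
nifi.web.https.port=8443
nifi.security.allow.anonymous.authentication=false
nifi.security.user.login.identity.provider=single-user-provider
nifi.security.user.authorizer=single-user-authorizer
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, whitespace trimmed."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_nifi(props: dict[str, str]) -> list[str]:
    """Return one finding per way the configured API accepts anonymous callers."""
    findings: list[str] = []
    http_port = props.get(HTTP_PORT, "")
    https_port = props.get(HTTPS_PORT, "")
    if http_port:
        findings.append(
            f"{HTTP_PORT}={http_port}: plaintext listener, NiFi applies no authentication in HTTP mode"
        )
    if https_port and props.get(ANON_AUTH, "false").strip().lower() == "true":
        findings.append(f"{ANON_AUTH}=true: HTTPS listener accepts unauthenticated clients")
    return findings


def audit_nifi_text(text: str) -> list[str]:
    """Parse then audit; an empty list means no anonymous-API exposure was found."""
    return audit_nifi(parse_properties(text))


if __name__ == "__main__":
    samples = (("exposed", EXPOSED_SAMPLE), ("anon-https", ANON_HTTPS_SAMPLE), ("hardened", HARDENED_SAMPLE))
    for name, sample in samples:
        findings = audit_nifi_text(sample)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

Run it against the `conf/nifi.properties` of an installation you administer; the single finding on the exposed sample is the configuration state the anonymous ExecuteScript step depended on, and the hardened sample shows the two changes (HTTPS listener, anonymous authentication left off) that close it.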
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
| Field | Value |
|---|---|
| Platform | Hack The Box / simulated lab |
| Target | Helix |
| Difficulty | Medium |
| OS | Linux |
| Active target IP | <TARGET> |
| Hostname/domain | unknown |
| Pwnbox | <TARGET> |
| Attacker/VPN IP | unknown |
| Local workspace | <local workspace><TARGET>-Helix |
| Pwnbox workspace | ~/htb/<TARGET>-Helix |
| Started | 2026-05-27T11:01:37Z |
Evidence Ledger
| Time UTC | Phase | Command/Action | Output file | Finding | Confidence | Next action |
|---|---|---|---|---|---|---|
| 2026-05-27T11:01:37Z | setup | htbctl init | target-state.json | Workspace initialized by deterministic harness. | High | Validate route and start baseline recon. |
Synthesis
Current completion state: COMPLETE on new live IP <TARGET>.
Raw flags and reusable secrets must be stored only under loot/.
Completion Update — 2026-06-06
The machine was completed in the mirrored workspace <local workspace><TARGET>-Helix.
Successful chain:
flow.helix.htb NiFi anonymous ExecuteScript -> nifi -> NiFi support bundle operator SSH material -> operator -> OPC UA maintenance window -> sudo helix-maint-console -> root
Key evidence files:
- `<local workspace><TARGET>-Helix/enum/nifi-support-bundle-inventory.txt`
- `<local workspace><TARGET>-Helix/enum/operator-sudo-maintconsole.txt`
- `<local workspace><TARGET>-Helix/enum/opcua-maintenance-window-newip.txt`
- `<local workspace><TARGET>-Helix/enum/root-id.txt`
- `<local workspace><TARGET>-Helix/enum/final-cleanup-and-verification.txt`
- `<local workspace><TARGET>-Helix/loot/` (raw flags/secrets only; do not print)
Session Resume
Current Status
- Target: Helix, completed on new live IP <TARGET>
- Completion: COMPLETE
- Current primary workspace: `<local workspace><TARGET>-Helix`
- Raw flags and reusable secrets: stored only under `<local workspace><TARGET>-Helix/loot/`
Verified Chain
- Reconfirmed `helix.htb` and `flow.helix.htb` on the live target.
- Reconfirmed Apache NiFi 1.21.0 anonymous API access on `flow.helix.htb`.
- Re-established NiFi `ExecuteScript` code execution as `nifi`.
- Recovered operator SSH material from NiFi support bundles and stored it only under `loot/`.
- SSH as `operator` succeeded and `user.txt` was captured from the live target.
- `operator` had <password redacted> sudo for `/usr/local/sbin/helix-maint-console`.
- OPC UA writes opened the HMI privileged maintenance window.
- The maintenance console granted root shell access during the open window and `root.txt` was captured from the live target.
Important Evidence
See the completed workspace:
- `<local workspace><TARGET>-Helix/notes.md`
- `<local workspace><TARGET>-Helix/walkthrough.md`
- `<local workspace><TARGET>-Helix/auditor-handover-complete.md`
- `<local workspace><TARGET>-Helix/enum/final-cleanup-and-verification.txt`
- `<local workspace><TARGET>-Helix/loot/` (raw flags/secrets only; do not print)
Cleanup Notes
- No `/usr/bin/bash` wrapper path was used in the successful run.
- No core target binaries were modified in the successful run.
- Pwnbox receiver and SSH port forwards were stopped; final verification is in the new workspace.
Attack Map
Target: <TARGET> (HTB Helix, Medium/Linux, creator tarfouss3)
Live evidence: nmap full-TCP + top100 -sV (banners empty during boot window)
Open TCP Ports
| Port | Default Service | Banner | Evidence |
|---|---|---|---|
| 21 | FTP | empty | nmap/alltcp.gnmap |
| 80 | HTTP | empty | nmap/alltcp.gnmap |
| 443 | HTTPS | empty | nmap/alltcp.gnmap |
| 554 | RTSP | empty | nmap/alltcp.gnmap |
| 1723 | PPTP | empty | nmap/alltcp.gnmap |
| 8554 | RTSP-alt | empty | nmap/alltcp.gnmap |
Filtered: 65529 ports (consistent with target firewall, not NAT artifact).
Ranked Hypotheses
H1 — Web foothold on 80/443 (Confidence: Medium-High)
- Why: Two web ports are the most common Linux Medium foothold surface; dual HTTP/HTTPS suggests an app, not just a default page.
- Cheapest validation: header capture, TLS SAN, whatweb, baseline directory + vhost fuzz.
- Missing proof: any server banner, page title, redirect, or cert CN/SAN.
- Next: `enum/pwnbox-handoff.sh` step 3 + step 7.
H2 — Vhost / virtual-host required (Confidence: Medium)
- Why: Dual web ports + locked TLS SAN often imply a Host-header-keyed app on `helix.htb` or a sub-vhost. An app returning zero bytes to a bare-IP request fits a Host-strict reverse proxy / nginx `default_server` with `return 444`.
- Cheapest validation: try `Host: helix.htb`, then `Host: localhost`, then a short brute via SecLists `subdomains-top1million-5000`.
- Missing proof: a non-zero response with any Host value.
- Next: after H1 fingerprint, run the `ffuf -H "Host: FUZZ.helix.htb"` block in the handoff script.
H3 — RTSP camera/stream surface (Confidence: Low-Medium)
- Why: Two RTSP ports (554 + 8554) is unusual for a generic Linux box; tarfouss3's prior themes lean into streaming/CCTV. Possible exposed stream that leaks creds, RTP, or device info.
- Cheapest validation: `OPTIONS` + `DESCRIBE` + nmap `rtsp-methods` and `rtsp-url-brute`.
- Missing proof: any `RTSP/1.0 ...` response line; default URL like `/live` or `/stream`.
- Next: handoff step 5.
H4 — FTP anon-read / cred-leak (Confidence: Low)
- Why: FTP open on a 2026 Medium machine is almost always intentional — used either for anon-read of staged files or for credentialed write later in the chain.
- Cheapest validation: banner capture + `anonymous:anonymous@` read-only listing.
- Missing proof: a banner string, or `230` after anon login.
- Next: handoff step 4.
H5 — PPTP / VPN tunnel hint (Confidence: Very Low)
- Why: PPTP is a clue more than a vector — usually points at retro/legacy or a VPN that lets you reach an internal subnet.
- Cheapest validation: `nmap pptp-info` banner. Do not attempt auth/brute.
- Missing proof: <REDACTED>
- Next: handoff step 6.
Closed Branches
- ICMP echo: target drops echo (HTB norm). Not actionable.
Local-Mac Drift / Blocker
- L4 reachable but every L7 probe returns 0 bytes within 12s. This run cannot fingerprint services from local Mac. Pwnbox required for further enumeration.
- Pwnbox SSH host was not provided this run; the operator must run `enum/pwnbox-handoff.sh` on Pwnbox and mirror outputs back here.
Notes
Scope
- Target IP: <TARGET>
- Machine: Helix (HTB ID 894)
- OS: Linux
- Difficulty: Medium
- Creator: tarfouss3
- Released: 2026-05-09
- Authorized: HackTheBox lab; AI assistance permitted under HTB rules.
Connection
- Operator: HTB Pwnbox (user: <<secret redacted>>)
- Pwnbox SSH host: not provided to this session (no live SSH executed)
- Attacker VPN IP: not yet captured
Operator Notes
- Helix may take up to 5 minutes to boot. Retry before declaring services down.
- No reliable public technical writeups (active machine). Pre-research in <local workspace>
- Prior workspace (<TARGET>) superseded by new respawn IP.
Evidence Ledger
| Timestamp (UTC) | Command | Output File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-05-21T_init | workspace bind | enum/start-time.txt | Fresh workspace created for new IP | High | Run reachability probe |
| 2026-05-21T01:13 | nmap -Pn -sV -sC --top-ports 100 | nmap/top100.nmap | 21,80,443,554,1723 open; banners empty (boot delay) | Medium | Re-run with full TCP + service scripts after boot stabilises |
| 2026-05-21T01:13 | curl http://<TARGET>/ | enum/http-verbose-v4.txt | TCP connected, 0 bytes (still booting) | Medium | Retry from Pwnbox after 5min wait |
| 2026-05-20T15:47 | ping/nc/curl/openssl from local Mac | enum/http-root-1547Z.txt, enum/https-root-1547Z.txt | No real data flow; en0 cellular NAT gives false TCP accept | High | Workflow cannot enumerate from this Mac — handoff to Pwnbox required |
| 2026-05-20T15:47 | wrote Pwnbox handoff pack | enum/pwnbox-handoff.sh | Reproducible recon pack (no secrets in file) | High | Operator runs on Pwnbox; re-ingest output here |
Blocker (Run 2026-05-20T15:47Z)
- Local Mac has no 10.129/16 route (no HTB VPN this session). TCP "accept" on en0 is a cellular-NAT artifact; HTTPS+openssl confirm no real data flow.
- Pwnbox SSH host not provided in this run, so no remote command relay was attempted.
- Pwnbox runtime password is held by the operator only and is not stored in this workspace, in line with operator instructions.
Next Action
- Operator: copy `enum/pwnbox-handoff.sh` to the Pwnbox session and run it. Mirror `nmap/` and `enum/` outputs back here.
- After full TCP + service scan, re-evaluate hypothesis map (H1 Web is leading; FTP/RTSP secondary).
Session Resume
Completion State: <secret redacted>
Harness Level: BASELINE
Current Checkpoint: Connectivity baseline — blocked on application-layer transport
Verified Live Anchors
- Full TCP sweep (nmap -p<redacted>) completed 2026-05-21T02:10Z. Open: 21, 80, 443, 554, 1723, 8554. 65529 ports filtered.
- Top-100 -sV/-sC at 01:13Z returned empty banners (boot window).
- Second HTTP/HTTPS retry at 16:10Z still returns 0 bytes within 12s — boot window has clearly elapsed, so this is a transport or Host-strict-app behaviour, not a "service still booting" issue.
Ranked Hypotheses
- H1 Web foothold (80/443) — Medium-High. Need fingerprint from Pwnbox.
- H2 Hidden vhost / Host-strict app (helix.htb candidate) — Medium. Zero-byte responses to bare-IP fit nginx `default_server return 444`.
- H3 RTSP surface (554 + 8554) — Low-Medium. Two RTSP ports is unusual; likely the box theme.
- H4 FTP anon-read — Low. Banner + read-only probe in handoff.
- H5 PPTP info-only — Very Low. Banner only, no auth.
Closed Branches
- ICMP echo dropped (HTB norm). Not actionable.
Blocker
- Local Mac achieves L4 (TCP) but every L7 probe returns 0 bytes (curl, raw HTTP/1.0, ftp QUIT, RTSP OPTIONS). This pattern is too uniform to be a service-boot issue; likely VPN-provider asymmetric routing or Host-strict reverse-proxy. Either way, this Mac cannot complete fingerprinting.
- Pwnbox SSH host was not provided this run; remote relay not attempted.
- Pwnbox runtime password is held by the operator only, never written to workspace.
Handoff
- `enum/pwnbox-handoff.sh` — paste/run on Pwnbox as <<secret redacted>>. Runs full TCP, service scripts, HTTP/HTTPS fingerprint, TLS cert peek, FTP anon test (read-only), RTSP methods, PPTP info, hostname-hint extraction. Mirror `~/HTB/<TARGET>-Helix/{nmap,enum}` back to this workspace afterward.
- `attack-map.md` — ranked hypotheses + cheapest-validation steps per branch.
Next Checkpoint
- After Pwnbox runs the handoff script, ingest `nmap/svc.nmap`, `enum/*-headers.txt`, `enum/tls-cert.txt`, and `enum/hostname-hints.txt`.
- Decide H1 sub-path (CMS / framework / custom app / API) and whether to add `helix.htb` (or other) to `/etc/hosts` based on cert SAN or redirect — never guess.
- Re-rank hypotheses. Only then pick the first 20-min vector to test (Medium box timebox).
Notes
Scope
- Target: Helix
- Current target IP: <TARGET>
- Difficulty: Medium
- Authorized HTB/CTF-style target
- Raw flags/secrets stored only under loot/.
Evidence Ledger
| Timestamp UTC | Command | Output file | Finding | Next action |
|---|---|---|---|---|
| 2026-06-06T02:04:30Z | setup connectivity | enum/setup-connectivity.txt | Pwnbox/VPN/target reachability checked | recon |
| 2026-06-06T02:06:47Z | baseline service validation | nmap/initial, enum/baseline-services.txt | Services and NiFi API reconfirmed on new IP | NiFi execution smoke test |
| 2026-06-06T02:08:19Z | NiFi ExecuteScript shell-health smoke | enum/nifi-exec-smoke-trigger.txt, enum/nifi-exec-shell-health.txt | Execution as nifi and shell health verified | enumerate NiFi operational artifacts |
| 2026-06-06T02:09:22Z | NiFi ExecuteScript shell-health smoke | enum/nifi-exec-smoke-trigger.txt, enum/nifi-exec-shell-health.txt | Execution as nifi and shell health verified | enumerate NiFi operational artifacts |
| 2026-06-06T02:10:16Z | NiFi artifact baseline | enum/nifi-artifacts-baseline.txt | NiFi artifact paths and operator-related permissions checked | enumerate support bundles |
| 2026-06-06T02:13:31Z | NiFi artifact baseline | enum/nifi-artifacts-baseline.txt | NiFi artifact paths and operator-related permissions checked | enumerate support bundles |
| 2026-06-06T02:14:48Z | NiFi support-bundle inventory | enum/nifi-support-bundle-inventory.txt | Support bundle contents inventoried without dumping secrets | recover operator material if present |
| 2026-06-06T02:<REDACTED> | <REDACTED> | <REDACTED>, loot/user.txt | Operator SSH worked; user flag captured to loot if valid | inspect operator docs and sudo |
| 2026-06-06T02:16:23Z | operator sudo and maint-console inspection | enum/operator-sudo-maintconsole.txt | Sudo policy and maintenance console inspected | satisfy maintenance-window condition |
| 2026-06-06T02:18:50Z | OPC UA maintenance-window open | enum/opcua-maintenance-window-newip.txt | Pre/post state recorded; window opened if HMI shows OPEN | run maint console |
| 2026-06-06T02:<REDACTED> | <REDACTED> | <REDACTED>, enum/root-id.txt, loot/root.txt | Maint-console used during open window; root flag captured to loot if valid | document completion |
| 2026-06-06T02:20:44Z | final cleanup and docs | enum/final-cleanup-and-verification.txt, walkthrough.md, session-resume.md | COMPLETE; flags valid and active tunnels stopped | final report |
| 2026-06-06T02:21:23Z | final cleanup verification | enum/final-cleanup-and-verification.txt | No active listener/tunnel expected; flags valid | mirror artifacts |
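The evidence ledgers in these notes are the audit trail for the whole engagement, and the ledger above shows the kinds of defects that creep in: two rows logged twice under different timestamps (the NiFi smoke test and the artifact baseline) and rows whose output-file cells were partly redacted. As an added example written for these notes (not tooling from the original workspace), the following Python parses a pipe-delimited Markdown ledger, taking column names from its own header row so either layout on this page (with or without a Phase column) is accepted, and reports timestamps that run backwards, rows that repeat an earlier Command/Output/Finding triple, and referenced output files missing from the workspace. The sample ledger and the workspace file inventory are constructed; the timestamp formats it accepts are the two used on this page.

```python
"""Consistency checks for a Markdown evidence ledger.

Added example for these notes; not tooling from the original workspace.
Column names come from the ledger's own header row. The sample ledger and the
workspace file inventory below are constructed to resemble the page's tables.
"""
from __future__ import annotations

from datetime import datetime
from typing import Optional

# Constructed sample: row 3 repeats row 2 under a new timestamp, row 4 is
# logged out of order, and row 4's output file is absent from the inventory.
SAMPLE_LEDGER = """\
| Timestamp UTC | Command | Output file | Finding | Next action |
|---|---|---|---|---|
| 2026-06-06T02:04:30Z | setup connectivity | enum/setup-connectivity.txt | reachability checked | recon |
| 2026-06-06T02:08:19Z | NiFi ExecuteScript shell-health smoke | enum/nifi-exec-shell-health.txt | execution as nifi verified | enumerate artifacts |
| 2026-06-06T02:09:22Z | NiFi ExecuteScript shell-health smoke | enum/nifi-exec-shell-health.txt | execution as nifi verified | enumerate artifacts |
| 2026-06-06T02:07:00Z | NiFi artifact baseline | enum/nifi-artifacts-baseline.txt | artifact paths checked | enumerate support bundles |
| 2026-06-06T02:20:44Z | final cleanup | enum/final-cleanup-and-verification.txt, walkthrough.md | flags valid | final report |
"""

# Constructed workspace inventory (what os.walk over the workspace would yield).
SAMPLE_WORKSPACE_FILES = {
    "enum/setup-connectivity.txt",
    "enum/nifi-exec-shell-health.txt",
    "enum/final-cleanup-and-verification.txt",
    "walkthrough.md",
}


def parse_ledger(markdown: str) -> list[dict[str, str]]:
    """Parse a pipe-delimited Markdown table into dicts keyed by lower-cased header cells."""
    rows: list[dict[str, str]] = []
    header: Optional[list[str]] = None
    for raw in markdown.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = [c.lower() for c in cells]
            continue
        if all(set(c) <= {"-", ":"} for c in cells):
            continue  # alignment row
        cells += [""] * (len(header) - len(cells))  # tolerate short (redacted) rows
        rows.append(dict(zip(header, cells)))
    return rows


def _column(row: dict[str, str], keyword: str) -> str:
    """Value of the first column whose header contains keyword ('time', 'command', ...)."""
    for name, value in row.items():
        if keyword in name:
            return value
    return ""


def _parse_time(value: str) -> Optional[datetime]:
    """Accept the two timestamp shapes used on this page; anything else is left unordered."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None  # e.g. "2026-05-21T_init" or a redacted cell


def check_ledger(rows: list[dict[str, str]], existing_files: set[str]) -> dict[str, list]:
    """Return 1-based row numbers of ordering/repeat defects and the set of missing output files."""
    report: dict[str, list] = {"out_of_order": [], "repeated": [], "missing_files": []}
    latest: Optional[datetime] = None
    seen: set[tuple[str, str, str]] = set()
    for n, row in enumerate(rows, start=1):
        ts = _parse_time(_column(row, "time"))
        if ts is not None:
            if latest is not None and ts < latest:
                report["out_of_order"].append(n)
            if latest is None or ts > latest:
                latest = ts
        key = (_column(row, "command"), _column(row, "output"), _column(row, "finding"))
        if key in seen:
            report["repeated"].append(n)
        seen.add(key)
        for path in _column(row, "output").split(","):
            path = path.strip()
            if path and path not in existing_files and path not in report["missing_files"]:
                report["missing_files"].append(path)
    return report


if __name__ == "__main__":
    for kind, hits in check_ledger(parse_ledger(SAMPLE_LEDGER), SAMPLE_WORKSPACE_FILES).items():
        print(f"{kind}: {hits}")
```

Feed it the ledger section of `notes.md` and a set built from walking the workspace. A repeated triple is not always wrong (a re-run whose finding did not change), but each such row should still point at a distinct output file or carry a distinct finding, otherwise the ledger no longer says which artifact backs which claim; and an out-of-order timestamp is the usual sign that a row was pasted in after the fact rather than logged as the step ran.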