Included

Easy · Published 2026-02-21 · Sanitized local writeup

Scenario

Included attack path

Completed. 1. Run initial recon from the fresh Pwnbox and identify exposed services. 2. Load the matching HTB methodology memory based on the discovered surface. 3. Research the machine name and service pattern as requested, treating outside information as...

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Included sanitized attack graph

Walkthrough flow

  01. This box is a short service-led chain rather than a...
  02. The intended path is web include abuse to local code...
  03. Once mike is reached, lxd is the root path.

Source coverage

High source coverage

Status: complete. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

92% coverage
Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • <TARGET>-Included/walkthrough.md
  • HTB/<TARGET>-Included/notes.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Included__notes.md.c679128ba8.md

Technical Walkthrough

Included - Walkthrough

Status

Completed.

Plan

  1. Run initial recon from the fresh Pwnbox and identify exposed services.
  2. Load the matching HTB methodology memory based on the discovered surface.
  3. Research the machine name and service pattern as requested, treating outside information as advisory only.
  4. Continue with exploitation and capture live flags.

Executed Chain

  1. TCP recon showed only 80/tcp, Apache 2.4.29, and a redirect into /?file=home.php.
  2. Verified LFI by reading /etc/passwd, which exposed:
       • user mike
       • TFTP root /var/lib/tftpboot
  3. Uploaded a small PHP command shell to the target over TFTP and executed it through the file include path.
  4. Used the web shell to read:
       • /var/www/html/index.php
       • /var/www/html/.htpasswd
  5. Reused the disclosed mike credential after upgrading to an interactive reverse shell.
  6. Confirmed mike belonged to lxd.
  7. Staged an Alpine LXD image from Pwnbox because the target had no DNS access to the public image server.
  8. Imported the image, launched a privileged container, mounted / from the host, and read root.txt.

Artifacts

  • User flag: [loot/user.txt](<local workspace><TARGET>-Included/loot/user.txt)
  • Root flag: [loot/root.txt](<local workspace><TARGET>-Included/loot/root.txt)
  • Interactive proof log: [loot/revshell-4444.log](<local workspace><TARGET>-Included/loot/revshell-4444.log)
  • Research summary: [enum/research-links.md](<local workspace><TARGET>-Included/enum/research-links.md)

Evidence Handling

  • Keep raw flags and secrets under loot/.
  • Keep notes and walkthrough sanitized.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Platform: Hack The Box
  • Machine: Included
  • Difficulty: Easy
  • Target IP: <TARGET>
  • Domain: unknown
  • Pwnbox SSH: profex0r@<TARGET>
  • Pwnbox hostname: htb-oeqgummbq1
  • Attacker VPN IP: <TARGET>
  • Session start: 2026-05-05 18:24:19 AEST

Local Workspace

  • Local dir: <local workspace><TARGET>-Included
  • Remote dir: /home/profex0r/Desktop/<TARGET>-Included

Evidence Ledger

| Time (local) | Command | Output file | Finding | Confidence | Next action |
| --- | --- | --- | --- | --- | --- |
| 2026-05-05 18:24 AEST | sed -n '1,220p' AGENTS.md | in-console | Loaded HTB project workflow and confirmed AGENTS.md is authoritative for Codex in this repo | High | Follow Pwnbox-first workflow |
| 2026-05-05 18:24 AEST | sed -n '1,220p' CODEX.md | in-console | CODEX.md is a compatibility pointer back to AGENTS.md | High | Use AGENTS.md as the source of truth |
| 2026-05-05 18:24 AEST | sshpass -p '***' ssh profex0r@<TARGET> 'hostname; pwd; ip -brief addr show tun0' | in-console | New Pwnbox is reachable and VPN IP is <TARGET> | High | Create remote target workspace and start recon |
| 2026-05-05 18:26 AEST | TCP discovery and service scan from Pwnbox | [nmap/all-tcp.nmap](<local workspace><TARGET>-Included/nmap/all-tcp.nmap), [nmap/service-scan.nmap](<local workspace><TARGET>-Included/nmap/service-scan.nmap) | Only 80/tcp is open; Apache 2.4.29 redirects to /?file=home.php | High | Treat file as the main attack surface |
| 2026-05-05 18:28 AEST | Targeted UDP check plus LFI verification | [nmap/udp-69.nmap](<local workspace><TARGET>-Included/nmap/udp-69.nmap), [enum/etc-passwd.txt](<local workspace><TARGET>-Included/enum/etc-passwd.txt) | 69/udp is `open\|filtered`; ?file=../../../../../../etc/passwd works; /var/lib/tftpboot and user mike confirmed | High | |
| 2026-05-05 18:30 AEST | Source and config review through web-exec | [enum/index_php.txt](<local workspace><TARGET>-Included/enum/index_php.txt), [loot/htpasswd.txt](<local workspace><TARGET>-Included/loot/htpasswd.txt) | index.php blindly includes $_GET['file']; a reusable mike credential exists in .htpasswd | High | Get a proper tty shell and validate credential reuse |
| 2026-05-05 18:31 AEST | External research pass after initial recon | [enum/research-links.md](<local workspace><TARGET>-Included/enum/research-links.md) | Official and third-party sources all pointed to the same chain: LFI -> TFTP web shell -> mike -> lxd | Medium | Use research only as guidance; verify each step live |
| 2026-05-05 18:34 AEST | Reverse shell via TFTP-staged PHP payload | [loot/revshell-4444.log](<local workspace><TARGET>-Included/loot/revshell-4444.log) | Interactive shell as www-data established from target to Pwnbox | High | Use tty to pivot to mike |
| 2026-05-05 18:35 AEST | Interactive pivot and LXD escalation | [loot/revshell-4444.log](<local workspace><TARGET>-Included/loot/revshell-4444.log) | Live mike access confirmed; mike is in group lxd; privileged container mount of / succeeded | High | Recover live root flag and clean artifacts |

Recon Synthesis

  • Only 80/tcp is exposed on TCP. The application redirects into index.php?file=home.php.
  • The file parameter is a direct include() sink, so path traversal is immediately exploitable as LFI.
  • A justified targeted UDP check found 69/udp reachable enough to use as TFTP staging.
  • Live enumeration confirmed a local user mike, a TFTP root at /var/lib/tftpboot, and LXD installed for an lxd-group escalation path.
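
The include-sink behaviour above leaves a clear trail in the web server's access log. The following is an added detection example, not part of the original writeup: it resolves each `file` value the way the include would and flags requests that leave the webroot, land in the TFTP root, or pull a dotfile. The log lines, client address and the `x.php` filename are constructed, and resolution relative to /var/www/html is an assumption.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

WEBROOT = "/var/www/html"        # webroot named in the walkthrough
TFTP_ROOT = "/var/lib/tftpboot"  # TFTP root named in the walkthrough

# Constructed sample lines (Apache combined format), not taken from the target.
SAMPLE_LOG = """\
192.0.2.10 - - [05/May/2026:18:26:01 +1000] "GET /?file=home.php HTTP/1.1" 200 3704 "-" "curl/8.0"
192.0.2.10 - - [05/May/2026:18:28:12 +1000] "GET /?file=../../../../../../etc/passwd HTTP/1.1" 200 1575 "-" "curl/8.0"
192.0.2.10 - - [05/May/2026:18:29:40 +1000] "GET /?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fvar%2flib%2ftftpboot%2fx.php HTTP/1.1" 200 12 "-" "curl/8.0"
192.0.2.10 - - [05/May/2026:18:30:02 +1000] "GET /?file=/var/www/html/.htpasswd HTTP/1.1" 200 40 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(value):
    """Classify one decoded `file` value by where include() would land."""
    # Assumption: relative values resolve against the webroot (index.php's directory).
    resolved = posixpath.normpath(posixpath.join(WEBROOT, value))
    if resolved == TFTP_ROOT or resolved.startswith(TFTP_ROOT + "/"):
        return "tftp-root-include"   # attacker-writable staging area
    if not resolved.startswith(WEBROOT + "/"):
        return "outside-webroot"     # traversal or absolute path
    if posixpath.basename(resolved).startswith("."):
        return "dotfile-in-webroot"  # e.g. .htpasswd read through the include
    return "ok"


def scan(log_text):
    """Return (verdict, decoded value) for every suspicious `file` parameter."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so %2e%2e%2f is judged as ../
        query = parse_qs(urlsplit(match.group(1)).query)
        for value in query.get("file", []):
            verdict = classify(value)
            if verdict != "ok":
                findings.append((verdict, value))
    return findings


if __name__ == "__main__":
    for verdict, value in scan(SAMPLE_LOG):
        print(f"{verdict:20} {value}")
```

The same `classify` check, applied before the include rather than after the fact, is the allowlist that index.php lacks.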

Working Hypotheses

  1. This box is a short service-led chain rather than a broad multi-service pivot.
  2. The intended path is web include abuse to local code execution, then a user pivot using a credential disclosed in web content.
  3. Once mike is reached, lxd is the root path.
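
Because a member of lxd can launch a privileged container and mount the host's /, membership in that group is equivalent to root and should be audited like sudo access. The following is an added audit example, not part of the original writeup: it lists every account in lxd, including accounts that belong through their primary GID and so never appear in the group's member list. The passwd and group excerpts are constructed; only the user mike and the group lxd come from the page.

```python
# Constructed /etc/passwd and /etc/group excerpts. Only the user mike and the
# group lxd come from the walkthrough; every other entry is illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mike:x:1000:1000:mike:/home/mike:/bin/bash
svc-build:x:1001:108::/home/svc-build:/bin/sh
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
www-data:x:33:
mike:x:1000:
lxd:x:108:mike
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def records(text):
    """Split passwd/group text into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def group_members(group, passwd_text, group_text):
    """Map each account in `group` to how it got there.

    The member list in /etc/group only shows supplementary members; an account
    whose primary GID is the group's GID is a member too and is easy to miss.
    """
    members, gid = {}, None
    for name, _pw, group_gid, users in records(group_text):
        if name == group:
            gid = group_gid
            members = {u: "supplementary" for u in users.split(",") if u}
    for fields in records(passwd_text):
        if gid is not None and fields[3] == gid:
            members.setdefault(fields[0], "primary")
    return members


def audit_lxd(passwd_text, group_text):
    """Return (user, membership, shell class) for every lxd member, sorted."""
    shells = {f[0]: f[6] for f in records(passwd_text)}
    return [(user, how, "nologin" if shells.get(user) in NOLOGIN_SHELLS else "interactive")
            for user, how in sorted(group_members("lxd", passwd_text, group_text).items())]


if __name__ == "__main__":
    for row in audit_lxd(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(*row)
```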

Outcome

  • Live user.txt captured and stored at [loot/user.txt](<local workspace><TARGET>-Included/loot/user.txt)
  • Live root.txt captured and stored at [loot/root.txt](<local workspace><TARGET>-Included/loot/root.txt)
  • Full interactive proof, including the www-data shell, mike pivot, and LXD container mount, is stored at [loot/revshell-4444.log](<local workspace><TARGET>-Included/loot/revshell-4444.log)
