Silentium — Hack The Box Writeup [live box]


Summary

Silentium is an easy Linux machine that highlights how multiple low-impact issues can be chained together into full system compromise. The attack path involves abusing application logic, achieving code execution in a containerized environment, pivoting to the host using exposed credentials, and escalating privileges via an internal service.


Recon

Initial enumeration is performed to identify exposed services.

┌──(kali㉿attacker)-[~/htb/silentium]
└─$ nmap -sC -sV <target-ip>

The scan reveals SSH and HTTP services. With a web service exposed, the focus shifts toward web enumeration.

Web Enumeration

The application uses a virtual host. To properly access it, the domain is added locally.

┌──(kali㉿attacker)-[~]
└─$ echo "<target-ip> silentium.htb" | sudo tee -a /etc/hosts

After resolving the domain, the website becomes accessible in the browser.

Subdomain Discovery

While exploring the application, references to a staging environment are identified. Manual probing leads to the discovery of a subdomain.

staging.silentium.htb

Staging environments often have weaker security controls, making them a valuable target.

Application Analysis

The staging application is identified as a Flowise instance. It exposes authentication functionality, API endpoints, and a system for building chatflows.

Instead of interacting only through the UI, the focus shifts toward backend API behavior.

Initial Access

Analysis of the application’s API reveals weaknesses in the password reset functionality. The system allows user enumeration and exposes excessive response data, indicating improper handling of reset tokens.

By chaining these issues, it is possible to reset credentials for a valid user and gain authenticated access.

Specific request and response details are intentionally omitted.

Post-Authentication Enumeration

After gaining access, the dashboard provides functionality to create and manage workflows. One feature allows users to define custom configurations that are processed by the backend.

This becomes the primary attack surface.

Remote Code Execution

The application does not properly validate user-controlled configuration input. By crafting input carefully, it is possible to influence backend execution.

A listener is prepared locally.

┌──(kali㉿attacker)-[~/htb]
└─$ nc -lvnp <port>

Triggering the vulnerable functionality results in a reverse shell, providing access to the system.

Foothold

The obtained shell has limited privileges, indicating a containerized environment.

Further enumeration reveals environment variables that contain sensitive data.

┌──(www-data㉿container)-[/]
└─$ cat /proc/1/environ

Credentials for a system user are identified from this output.

Lateral Movement

Using the recovered credentials, access to the host system is obtained via SSH.

┌──(kali㉿attacker)-[~]
└─$ ssh <user>@<target-ip>

This provides a more stable and direct shell on the host machine.

Privilege Escalation

Local enumeration reveals a service bound to localhost, not accessible externally.

┌──(user㉿silentium)-[~]
└─$ netstat -tulpn

To interact with this service, port forwarding is used.

┌──(kali㉿attacker)-[~]
└─$ ssh -L <local-port>:127.0.0.1:<remote-port> <user>@<target-ip>

The service becomes accessible locally and is identified as vulnerable to a known issue.

By leveraging this vulnerability, command execution as root is achieved.

Root

Once root access is obtained, the flags can be retrieved.

┌──(user㉿silentium)-[~]
└─$ cat /home/<user>/user.txt
┌──(root㉿silentium)-[/root]
└─$ cat /root/root.txt

Attack Chain

[ Recon ]
    └── Nmap → Identify 22, 80

[ Web Enumeration ]
    └── Add host entry
    └── Discover staging subdomain

[ Initial Access ]
    └── Analyze API
    └── Abuse password reset logic
    └── Gain dashboard access

[ Exploitation ]
    └── Abuse backend configuration
    └── Achieve RCE (container)

[ Pivot ]
    └── Extract credentials
    └── SSH to host

[ Privilege Escalation ]
    └── Discover internal service
    └── Port forward
    └── Exploit → root

[ Post-Exploitation ]
    └── Retrieve flags

Key Takeaways

- API behavior often exposes more than the frontend
- Staging environments are common weak points
- Misconfigurations can be as impactful as vulnerabilities
- Containers do not guarantee isolation if secrets are exposed
- Internal services frequently provide the final escalation path

Final Thoughts

Silentium reinforces a core penetration testing principle:

Small issues, when combined correctly, lead to full compromise.

A structured approach with careful enumeration is more effective than relying on complex exploits.

© 2026 Suyog Jung Karki