Hack The Box - HTB Connected Writeup - Easy - Weekly - June 06th, 2026
Difficulty: Easy
OS: Linux (CentOS 7)
Reconnaissance
Port Scan
nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.4.16)
|_http-title: Did not follow redirect to http://connected.htb/
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.4.16)
| ssl-cert: Subject: commonName=pbxconnect/organizationName=SomeOrganization
Three ports are open. Port 80 immediately redirects to http://connected.htb/, so add the vhost to /etc/hosts:
echo "<TARGET_IP> connected.htb" | sudo tee -a /etc/hosts
The SSL certificate on port 443 contains commonName=pbxconnect. Combined with the hostname, this strongly suggests a PBX (Private Branch Exchange) telephone system — specifically FreePBX, which uses the brand name "pbxconnect" in its certificates.
Web Enumeration
Browsing to http://connected.htb/ follows two redirects:
/ → 302 /admin → 301 /admin/ → 302 /admin/config.php
The page is a FreePBX administration login panel. The page footer discloses the exact version:
FreePBX 16.0.40.7
The login page also embeds a session key in a white-on-white <div> (hidden visually but present in source):
<div id="key" style="color: white;font-size:small">
<KEY>
</div>
This is a session-specific token used by the FreePBX REST API — not directly useful for login bypass on this version.
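A defender-side check for the two disclosures noted above (the version string in the footer and the white-on-white key in the page source), as an added example that is not part of the original writeup. The sample HTML, the placeholder key and the names audit and DisclosureAudit are constructed for illustration, and the check assumes a white page background.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the login page described above; the key is a placeholder.
SAMPLE_HTML = """<html><body style="background:white">
<form action="/admin/config.php" method="post"><input name="username"></form>
<div id="key" style="color: white;font-size:small">
PLACEHOLDER-SESSION-KEY
</div>
<div id="footer">FreePBX 16.0.40.7</div></body></html>"""

WHITE = {"white", "#fff", "#ffffff"}  # assumption: page background is white
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag
VERSION_RE = re.compile(r"\b([A-Za-z][\w-]*)\s+(\d+(?:\.\d+){2,})\b")

class DisclosureAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, id, hidden) per open element
        self.hidden_text = []  # (element id, text) styled to be invisible
        self.versions = []     # (product, version) found in visible text

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        decls = (d.partition(":") for d in (a.get("style") or "").split(";"))
        style = {k.strip().lower(): v.strip().lower() for k, _, v in decls}
        inherited = bool(self.stack) and self.stack[-1][2]
        self.stack.append((tag, a.get("id"), style.get("color") in WHITE or inherited))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray end tags.
        if any(t == tag for t, _, _ in self.stack):
            while self.stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        text = data.strip()
        if text and self.stack and self.stack[-1][2]:
            self.hidden_text.append((self.stack[-1][1], text))
        elif text:
            self.versions += VERSION_RE.findall(text)

def audit(html):
    parser = DisclosureAudit()
    parser.feed(html)
    return {"hidden_text": parser.hidden_text, "versions": parser.versions}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML))
```

Run against a saved copy of your own login page, any entry under hidden_text or versions is something an unauthenticated visitor can read from the source.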
No subdomain enumeration or directory bruteforcing is required. The attack surface is entirely on the main application.