Hack The Box - HTB Helix Writeup - Medium - Weekly - May 8th, 2026

HTB Write-up: Helix

OS: Linux
Difficulty: Medium


1. Executive Summary

Helix is a lab that simulates a realistic industrial control systems (ICS/SCADA) environment.

  • Target IP: [TARGET_IP]
  • Attacker IP: [ATTACKER_IP]

2. Reconnaissance

2.1 Nmap Port Scanning

I started by scanning the target for open ports and services:

nmap -p- -sV -sC -T4 [TARGET_IP]

The scan revealed:

  • 22/tcp — OpenSSH 8.9p1 Ubuntu 3ubuntu0.10
  • 80/tcp — Nginx HTTP
  • 8080/tcp — Apache NiFi

During virtual host enumeration using ffuf, I identified flow.helix.htb as a host pointing to the NiFi management interface. I added the hostname to /etc/hosts and accessed it through the browser.


3. Initial Access

3.1 Apache NiFi 1.21.0 Analysis

Visiting http://flow.helix.htb:8080/nifi exposed a NiFi instance that allowed the creation of controller services and processors. This is a serious misconfiguration, because these components execute on the NiFi host with the privileges of the NiFi service.

The goal was to abuse the ExecuteSQL processor for remote code execution. NiFi supports multiple database backends. On the target, an H2 Database JAR was present at /opt/nifi-1.21.0/lib/h2-2.1.214.jar. H2 is known for supporting Java aliases that can be abused to run arbitrary Java code.
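From the defender's side, the exposure described above can be checked by auditing a flow definition for any component configured to use the H2 driver. The following is an added example, not part of the original write-up or of NiFi itself; the sample flow is constructed, and its JSON layout (nested process groups whose components carry a "properties" map) is an assumption about how the flow was exported.

```python
import json

# Constructed sample shaped like a NiFi flow definition (assumed layout:
# nested process groups whose components carry a "properties" map).
SAMPLE_FLOW = json.loads("""
{"rootGroup": {"name": "root",
  "controllerServices": [
    {"name": "PlantHistorian", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
     "properties": {"Database Connection URL": "jdbc:postgresql://db.example:5432/hist",
                    "Database Driver Class Name": "org.postgresql.Driver"}}],
  "processGroups": [{"name": "staging",
    "controllerServices": [
      {"name": "tmp-pool", "type": "org.apache.nifi.dbcp.DBCPConnectionPool",
       "properties": {"Database Connection URL": "jdbc:h2:mem:test",
                      "Database Driver Class Name": "org.h2.Driver",
                      "database-driver-locations": "/opt/nifi-1.21.0/lib/h2-2.1.214.jar"}}],
    "processors": [
      {"name": "run-query", "type": "org.apache.nifi.processors.standard.ExecuteSQL",
       "properties": {"SQL select query": "SELECT 1"}}]}]}}
""")

def h2_reasons(props):
    """Return the property names whose values reference the H2 driver."""
    hits = []
    for key, value in props.items():
        text = str(value or "").strip().lower().replace("\\", "/")
        if (text.startswith("jdbc:h2:") or text == "org.h2.driver"
                or (text.endswith(".jar") and "/h2-" in text)):
            hits.append(key)
    return sorted(hits)

def audit_flow(node, path=""):
    """Walk the flow recursively and report components configured for H2."""
    findings = []
    if isinstance(node, dict):
        here = f"{path}/{node['name']}" if "name" in node else path
        props = node.get("properties")
        if isinstance(props, dict) and (reasons := h2_reasons(props)):
            findings.append({"component": here, "type": node.get("type"), "properties": reasons})
        for key, child in node.items():
            if key != "properties":  # property values are leaves, not components
                findings += audit_flow(child, here)
    elif isinstance(node, list):
        for child in node:
            findings += audit_flow(child, path)
    return findings

if __name__ == "__main__":
    for finding in audit_flow(SAMPLE_FLOW):
        print(finding)
```

A finding identifies the component by its path through the process groups, so the owning team can be asked whether an embedded H2 database is actually required there.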