Hack The Box - Season 10 HTB Kobold Writeup - Easy - Weekly - March 21st, 2026

Kobold -- Hack The Box Detailed Writeup

Platform: Hack The Box
Box Name: Kobold
OS: Linux
Difficulty: Easy


Box Summary

Kobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. The attack surface spans multiple subdomains, each running a different application. Initial access requires
exploiting a vulnerability in one of the exposed services, while privilege escalation involves chaining a web application flaw with credential discovery and abuse of a Docker management interface running with elevated privileges.


Reconnaissance

Port Scanning

nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>
PORT    STATE SERVICE    VERSION
22/tcp  open  tcpwrapped
| ssh-hostkey:
|   256 <REDACTED> (ECDSA)
|_  256 <REDACTED> (ED25519)
80/tcp  open  tcpwrapped
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to https://kobold.htb/
443/tcp open  tcpwrapped
|_http-title: Kobold Operations Suite
| ssl-cert: Subject: commonName=kobold.htb
| Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb
| tls-alpn:
|   http/1.1
|   http/1.0
|_  http/0.9
|_http-server-header: nginx/1.24.0 (Ubuntu)

Key observations:

  • 3 open ports: SSH (22), HTTP (80, redirects to HTTPS), HTTPS (443)
  • nginx 1.24.0 on Ubuntu
  • Wildcard TLS certificate (*.kobold.htb) -- indicates virtual host routing with subdomains
  • Port 80 redirects to https://kobold.htb/

Hosts File Setup

echo "<TARGET_IP> kobold.htb mcp.kobold.htb bin.kobold.htb" | sudo tee -a /etc/hosts

Subdomain Enumeration

ffuf -u "https://<TARGET_IP>" -k -H "Host: FUZZ.kobold.htb" \
  -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
  -mc all -c -fs 154

Results:

mcp     [Status: 200, Size: 466]
bin     [Status: 200, Size: 24402]

Two subdomains discovered:

  • mcp.kobold.htb -- MCP Inspector (small page, 466 bytes)
  • bin.kobold.htb -- PrivateBin 2.0.2 (24402 bytes)
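The Host-header fuzzing above is loud from the server's side: one client asks for dozens of hostnames in a few seconds, and almost all of them fall through to the default server block (the 154-byte baseline that the -fs 154 filter hides). The following script is an added detection example, not part of the original writeup. It assumes an nginx log_format that records $host (the stock "combined" format does not), and the log lines, the client addresses and the known-host list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed nginx access-log lines. They assume a custom log_format that
# records $host, e.g.
#   log_format vhost '$remote_addr [$time_local] $host "$request" $status $body_bytes_sent';
# The 154-byte responses are the default server block answering an unknown Host
# header; the 466- and 24402-byte responses are real vhosts (sizes from the ffuf run).
SAMPLE_LOG = """\
10.10.14.5 [21/Mar/2026:10:00:01 +0000] www.kobold.htb "GET / HTTP/1.1" 200 154
10.10.14.5 [21/Mar/2026:10:00:01 +0000] mail.kobold.htb "GET / HTTP/1.1" 200 154
10.10.14.5 [21/Mar/2026:10:00:01 +0000] ftp.kobold.htb "GET / HTTP/1.1" 200 154
10.10.14.5 [21/Mar/2026:10:00:02 +0000] mcp.kobold.htb "GET / HTTP/1.1" 200 466
10.10.14.5 [21/Mar/2026:10:00:02 +0000] dev.kobold.htb "GET / HTTP/1.1" 200 154
10.10.14.5 [21/Mar/2026:10:00:02 +0000] bin.kobold.htb "GET / HTTP/1.1" 200 24402
10.10.14.5 [21/Mar/2026:10:00:03 +0000] test.kobold.htb "GET / HTTP/1.1" 200 154
10.10.14.5 [21/Mar/2026:10:00:03 +0000] api.kobold.htb "GET / HTTP/1.1" 200 154
192.168.1.20 [21/Mar/2026:10:05:10 +0000] kobold.htb "GET / HTTP/1.1" 200 5120
192.168.1.20 [21/Mar/2026:10:05:12 +0000] bin.kobold.htb "GET / HTTP/1.1" 200 24402
"""

# Hostnames that legitimately exist behind this nginx (constructed allow-list).
KNOWN_HOSTS = {"kobold.htb", "mcp.kobold.htb", "bin.kobold.htb"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] (?P<host>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def flag_vhost_fuzzing(log_text, baseline_size=154, min_hosts=5):
    """Return {client_ip: stats} for clients that look like they are enumerating vhosts.

    A client is flagged when it requested at least `min_hosts` distinct Host values.
    The stats also count how many of its requests were answered by the default
    server block (body size == baseline_size) and how many Host values are not in
    KNOWN_HOSTS, which is what distinguishes fuzzing from a user visiting several sites.
    """
    per_ip = defaultdict(lambda: {"hosts": set(), "default_server_hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the whole run
        entry = per_ip[rec["ip"]]
        entry["hosts"].add(rec["host"])
        if rec["size"] == baseline_size:
            entry["default_server_hits"] += 1

    flagged = {}
    for ip, entry in per_ip.items():
        if len(entry["hosts"]) >= min_hosts:
            flagged[ip] = {
                "distinct_hosts": len(entry["hosts"]),
                "default_server_hits": entry["default_server_hits"],
                "unknown_hosts": len(entry["hosts"] - KNOWN_HOSTS),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_vhost_fuzzing(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

The baseline size is whatever the default server block returns for an unrecognised Host on the deployment being monitored; measure it once and set baseline_size accordingly. In production the per-client aggregation would be bounded by a time window as well, and the simplest structural mitigation is a default server block that returns 444 (nginx closes the connection) so unknown hostnames produce no page at all.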

Service Identification

kobold.htb (Main Site)

The main domain hosts the "Kobold Operations Suite" -- a static landing page served by nginx with a PHP-FPM 8.3 backend.

mcp.kobold.htb (MCP Inspector)

Proxied to 127.0.0.1:6274 (Node.js application). This is an MCP Inspector -- a tool for connecting to and testing Model Context Protocol servers. It exposes an API endpoint at /api/mcp/connect that accepts server configurations including executable commands.

bin.kobold.htb (PrivateBin)

Proxied to 127.0.0.1:8080 (Docker container running privatebin/nginx-fpm-alpine:2.0.2). A PrivateBin instance with:

  • Discussion feature enabled
  • Password protection enabled
  • Template selection enabled (critical -- this is the LFI vector)
  • Filesystem-based storage at /privatebin-data/data/
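The settings listed above map to PrivateBin's conf.php. The fragment below is an added illustration, not the box's actual configuration file: it shows the [main] block as the writeup describes it (template selection on) next to the hardened equivalent, using the option names from PrivateBin's shipped conf.sample.php (templateselection, availabletemplates, discussion, password, and the Filesystem model); the data directory path is taken from the writeup.

```ini
; --- As observed on the box (reconstructed from the enumeration above) ---
[main]
discussion = true
password = true
template = "bootstrap5"
; Letting the client choose a template is the setting the writeup calls the LFI vector.
templateselection = true

[model]
class = Filesystem
[model_options]
dir = "/privatebin-data/data"

; --- Hardened equivalent ---
[main]
discussion = true
password = true
template = "bootstrap5"
; Pin one template server-side; the client can no longer supply a template name.
templateselection = false
; Even if selection is ever re-enabled, restrict it to an explicit allow-list.
availabletemplates[] = "bootstrap5"

[model]
class = Filesystem
[model_options]
; Keep paste storage outside the web root so stored files are never served directly.
dir = "/privatebin-data/data"
```

Because the instance runs from the privatebin/nginx-fpm-alpine:2.0.2 image, the effective conf.php is whatever is mounted into the container; a mismatch between the image default (templateselection = false) and a mounted override is worth checking on any PrivateBin deployment.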