https://phucrio.me/tags/rce/Recent content in Rce on Rio BlogHugo -- 0.150.0enSun, 31 May 2026 17:38:09 -0400https://phucrio.me/posts/htb-cctv-write-up/Sun, 31 May 2026 16:48:47 -0400https://phucrio.me/posts/htb-cctv-write-up/<h2 id="summary">Summary</h2> <p>CCTV is a Linux HackTheBox machine exposing SSH and a ZoneMinder web application on HTTP. The key foothold is an authenticated SQL injection in ZoneMinder 1.37.63, specifically the <code>removetag</code> action affected by <strong>CVE-2024-51482</strong>. After authenticating to the panel, the SQLi can be exploited with <code>sqlmap</code> to dump <code>zm.Users</code>, recover password hashes, and crack the <code>mark</code> account password.</p> <p>Once on the box as <code>mark</code>, privilege escalation comes from a second service: <strong>motionEye</strong>. A world-readable <code>/etc/motioneye/motion.conf</code> exposes the motionEye admin credential hash. That hash is sufficient to compute valid request signatures for the localhost-only motionEye API on <code>127.0.0.1:8765</code>. By updating camera configuration and setting <code>command_storage_exec</code>, it is possible to trigger root command execution through the snapshot action.</p>https://phucrio.me/posts/htb-wingdata-write-up/Sun, 31 May 2026 14:22:01 -0400https://phucrio.me/posts/htb-wingdata-write-up/<h2 id="summary">Summary</h2> <p>WingData is a Linux machine built around <strong>Wing FTP Server</strong>. The intended path chains a <strong>Wing FTP unauthenticated RCE</strong> into credential recovery for SSH access as <code>wacky</code>, followed by a root escalation through a <strong>Python <code>tarfile</code> extraction bug</strong> exposed by a sudo-allowed restore script.</p> <p>Attack chain:</p> <p><code>Wing FTP exposure → config leakage / credential recovery → SSH as wacky → vulnerable tar restore script → root</code></p> <table> <thead> <tr> <th>Step</th> <th>Technique</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>Recon</td> <td><code>nmap</code>, vhost checks, <code>ffuf</code></td> <td>Wing FTP attack surface identified</td> </tr> <tr> <td>Initial access</td> <td>Wing FTP RCE / recovered credentials</td> <td>SSH as <code>wacky</code></td> </tr> <tr> <td>Privilege escalation</td> <td>CVE-2025-4517 (<code>tarfile.extractall(filter=&quot;data&quot;)</code>)</td> <td><code>root</code></td> </tr> </tbody> </table> <p><strong>Target</strong></p>https://phucrio.me/posts/htb-smarthire-write-up/Sat, 30 May 2026 14:00:00 +0700https://phucrio.me/posts/htb-smarthire-write-up/<h2 id="summary">Summary</h2> <p>SmartHire is a medium-difficulty Linux machine from HackTheBox. It hosts an AI hiring platform built with Flask on nginx, using <strong>MLflow</strong> for model management. Initial access is gained via <strong>CVE-2024-37054</strong>, a pickle deserialization vulnerability in MLflow that allows remote code execution by overwriting a model artifact with a malicious payload. Privilege escalation exploits a writable plugin directory combined with a sudo rule — a crafted <code>.pth</code> file executed by <code>site.addsitedir()</code> runs as root.</p>