
Eureka Hack the Box Walkthrough

Welcome to another Hack the Box walkthrough. In this blog post, I demonstrate how I owned the Eureka machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.


About the Machine

Eureka is a hard Linux machine that involves a password leak in a heap dump and a vulnerability in the Eureka service on the intranet port, exploited by registering a fake microservice instance to obtain user credentials. The machine also features an array comparison vulnerability, in which modifying a log file leads to privilege escalation.

Eureka Hack the Box Walkthrough

The first step in pwning the Eureka machine, as in my previous writeups, is to connect my Kali Linux terminal to the Hack the Box server. To establish this connection, I ran the following command in the terminal:


After the connection had been set up, I started the target machine, and I was assigned an IP address of 10.10.11.66.


I kicked things off with an Nmap scan to see what services the target was running:


The scan quickly revealed that the box was alive and exposing just two services:

  • Port 22 (SSH) – running OpenSSH 8.2p1 on Ubuntu. While SSH is always useful for eventual access, it typically requires valid credentials or a private key, so I noted it down for later.
  • Port 80 (HTTP) – served by nginx 1.18.0. Interestingly, the HTTP title indicated a redirect to another virtual host: http://furni.htb/. This suggested the presence of a vhost setup, and likely meant I’d need to add furni.htb to my /etc/hosts file before I could explore the web application properly.

The OS fingerprinting also hinted at the target running a Linux 5.x kernel, with possible traces of MikroTik RouterOS signatures (likely a false positive due to overlapping TCP/IP fingerprints). The traceroute confirmed the host was just two hops away on the HackTheBox network.

At this point, the real lead was the web server and its furni.htb virtual host, which looked like the intended attack surface. SSH would remain on the backburner until I uncovered credentials through web exploitation or enumeration.

Since the Nmap scan revealed that the web server on eureka.htb was redirecting to furni.htb, I suspected the target was using virtual hosting. By default, my system wouldn’t know how to resolve that hostname, so I had to manually map it to the target’s IP address.


I edited the /etc/hosts file to include both domains:
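The redirect-to-vhost step described above, as an added example that is not part of the original post: it pulls redirect targets out of nmap's `http-title` output and merges them into hosts-file text without duplicating entries. The sample scan output, the sample hosts content and the function names are constructed for illustration; nothing is written to `/etc/hosts`.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the http-title line nmap prints for an unfollowed redirect.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.11.66
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
"""

# Constructed sample hosts file content (one name already mapped).
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.10.11.66 eureka.htb  # added earlier\n"

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
REDIRECT = re.compile(r"Did not follow redirect to (\S+)")

def redirect_vhosts(nmap_text):
    """Return {ip: [hostnames]} for every redirect target nmap reported."""
    found, current_ip = {}, None
    for line in nmap_text.splitlines():
        m = REPORT.match(line)
        if m:
            current_ip = m.group(1)
            continue
        m = REDIRECT.search(line)
        if m and current_ip:
            host = urlparse(m.group(1)).hostname
            if host and host not in found.setdefault(current_ip, []):
                found[current_ip].append(host)
    return found

def merge_hosts(hosts_text, ip, names):
    """Add names to the first entry for ip, skipping names already on it."""
    out, missing, merged = [], list(names), False
    for line in hosts_text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if fields and fields[0] == ip and not merged:
            missing = [n for n in missing if n not in fields[1:]]
            line = " ".join(fields + missing) + (f"  #{comment}" if comment else "")
            merged = True
        out.append(line)
    if not merged:  # no existing entry for this address: append a new one
        out.append(" ".join([ip] + missing))
    return "\n".join(out) + "\n"
```
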

