I just solved Connected on Hack the Box!

Connected Machine Summary

Connected is an easy-difficulty Linux machine on Hack The Box that focuses on web application exploitation, vulnerability research, FreePBX abuse, and privilege escalation through insecure system automation mechanisms. The machine demonstrates how an exposed and outdated PBX management platform can be leveraged to achieve remote code execution and how misconfigured file monitoring services can ultimately lead to full system compromise.

The attack chain began with Nmap enumeration, which revealed SSH, HTTP, and HTTPS services running on the target. During host configuration, the target IP address was mapped to the connected.htb hostname to ensure proper virtual host resolution. Subsequent web enumeration revealed a FreePBX administration portal accessible through /admin/config.php, where the application version was identified as FreePBX 16.0.40.7.

Version-based vulnerability research quickly led to the discovery of CVE-2025-57819, an unauthenticated SQL injection vulnerability affecting the FreePBX Endpoint Manager component. Further vulnerability analysis confirmed that the target version fell within the vulnerable range and that the flaw could be abused to achieve remote code execution through the creation of malicious MySQL Events. Before exploitation, a VPN configuration issue was identified and resolved by reducing the MTU of the HTB VPN interface, allowing staged payloads to be delivered successfully.

Using the Metasploit module for CVE-2025-57819, initial access was obtained as the asterisk user through a reverse shell. After verifying the execution context, the user flag was successfully captured from the asterisk user's home directory.

With a foothold established, privilege escalation enumeration was performed to identify potential avenues for obtaining elevated privileges. Standard SUID and capability checks did not reveal any immediately exploitable binaries, prompting deeper investigation into system-specific services. During local privilege escalation enumeration, an incron configuration was discovered that monitored several directories and automatically executed administrative scripts whenever specific files were modified.

Further incron analysis revealed that both /usr/local/asterisk/incron and the ha_trigger file were world-writable while being monitored by a root-run process. Root trigger analysis of the associated sysadmin_ha script uncovered a workflow that loaded the freepbx_ha module and executed its rootTrigger() function from incron.php whenever the monitored file was modified. Since the FreePBX modules directory was owned by the asterisk user and the freepbx_ha module was not present on the system, the include target could be supplied with attacker-controlled PHP.

The privilege escalation phase involved creating the missing module path and an incron.php whose rootTrigger() implementation copied /bin/bash to /tmp and set the SUID bit on the copy. Writing to the world-writable ha_trigger file fired the incron rule; the root-owned handler loaded the attacker-controlled module and ran the payload with root privileges. After confirming that the SUID binary existed, it was executed with bash -p to obtain a root shell and read the root flag, completing the machine.

Connected HackTheBox Season 11 HTB Machine Writeup


The first step in owning the Connected machine, as in all my previous writeups, is to connect my Kali Linux box to the Hack The Box VPN. I established the connection by running the HTB VPN connection command in the terminal.

Once the VPN was up, I started the Connected machine and was assigned the target IP address 10.129.72.56.



Nmap Enumeration

I started by performing an Nmap scan against the target to identify exposed services, service versions, and potential attack vectors. The scan revealed three accessible ports: SSH on 22, HTTP on 80, and HTTPS on 443.


The results showed OpenSSH 7.4 on port 22 and an Apache web server on ports 80 and 443. The HTTPS service stood out: the root page returned a 404 Not Found whose body named the requested resource as config.php, hinting at an application entry point that was not being reached directly. The TLS certificate's common name, pbxconnect, was a further clue that a PBX platform sat behind the web server. The service banners and OS fingerprinting pointed to a Linux host, so web enumeration was the logical next step.


Host Configuration

After identifying the target IP address during enumeration, I configured my local hosts file to resolve the machine using a hostname instead of the raw IP address. This allows virtual hosts and web applications that rely on domain-based routing to function correctly during testing.


Using sudo, I added an entry to /etc/hosts mapping the target IP address to the hostname connected.htb. With name resolution in place, I could reach the target by its domain name and continue with web enumeration.


Web Enumeration

After configuring the hostname, I browsed to connected.htb to begin enumerating the web application. Upon visiting the site, I was automatically redirected to the FreePBX administration portal located at /admin/config.php, revealing the technology in use.


The application's footer disclosed the exact version as FreePBX 16.0.40.7, providing valuable information for vulnerability research and version-specific enumeration. Identifying the software version early in the assessment helped narrow the attack surface and guided subsequent searches for publicly known vulnerabilities affecting this release.


Vulnerability Research

After identifying the target as FreePBX 16.0.40.7, I performed version-based vulnerability research to determine whether any publicly disclosed vulnerabilities affected the installation. This approach quickly led me to several security advisories and exploit references related to FreePBX 16.


During the research process, I discovered CVE-2025-57819, an unauthenticated SQL injection vulnerability affecting the Endpoint Manager component. The vulnerability appeared particularly interesting because it could be exploited without valid credentials, making it a promising avenue for gaining initial access. With a potential attack vector identified, I shifted my focus toward validating the vulnerable component and understanding how the flaw could be leveraged against the target.


Vulnerability Analysis

After identifying a potential vulnerability, I reviewed the available advisory and public proof-of-concept to determine whether the target was affected. The flaw lives in the Endpoint Manager (endpoint) module and is reached through the FreePBX AJAX dispatcher at /admin/ajax.php; Endpoint Manager versions prior to 16.0.89 contain an unauthenticated SQL injection that can ultimately be chained into remote code execution.


Since the target was running FreePBX 16.0.40.7 with a vulnerable Endpoint Manager, it fell within the affected range. The root cause is user-controlled input concatenated into a MySQL query without parameterisation, and the impact is amplified because the FreePBX database user holds the EVENT privilege. That lets an unauthenticated attacker create a MySQL event whose body runs attacker-chosen SQL on a schedule, which the public exploit chains into operating-system command execution, making the vulnerability a viable path to initial access.


VPN Configuration

Before attempting exploitation I hit a problem: the target reached my listener every time, but the staged payload never finished downloading. Troubleshooting pointed to packet fragmentation across the HTB VPN tunnel, with full-size packets being dropped on the way to the target.

Lowering the MTU of the tun0 interface from the default 1500 to 1200 resolved the issue. After the change the target downloaded the staged payload in full and exploitation proceeded without interruption. This is worth checking first whenever a handler receives a connection but the session never completes.


Initial Access

With the vulnerability confirmed and the VPN configuration corrected, I launched the Metasploit module for CVE-2025-57819. I set the target host (RHOSTS), the virtual host (VHOST, connected.htb) and the reverse shell parameters (LHOST/LPORT) before running the exploit against the vulnerable FreePBX instance.

The module used the unauthenticated SQL injection to plant a scheduled task on the target. When the scheduled job fired, the server connected back to my listener and spawned a reverse shell. Once the session was established, the module removed the scheduled task as part of its cleanup routine, leaving me with an interactive shell on the target.


User Flag

After obtaining an interactive shell on the target, I verified the context of my access to determine which account had been compromised. This helped confirm the success of the initial access phase and identify potential locations of user-specific files.


The output showed that I was running as the asterisk user (uid=999), the service account that FreePBX and Asterisk run under. I then navigated to the user's home directory and read user.txt, obtaining the user flag and confirming full access to the compromised account.


Privilege Escalation Enumeration

After capturing the user flag, I began enumerating the system for privilege escalation opportunities. My initial focus was on scheduled tasks and file-monitoring mechanisms that might execute commands with elevated privileges.


The enumeration revealed an incron rule watching /var/spool/asterisk/incron and invoking /usr/bin/sysadmin_manager whenever files in it were modified. The watched directory was writable by the asterisk user. While examining the FreePBX framework files, I also found a logrotate hook referenced in the module signature file, suggesting that creating files inside the watched directory could trigger privileged maintenance actions. A root-run handler reacting to files that a low-privileged user can create is a classic privilege escalation pattern, so this looked like a promising path.


Local Privilege Escalation Enumeration

To identify potential privilege escalation vectors, I performed a standard enumeration of SUID binaries and Linux capabilities. This helped me determine whether any misconfigured privileged executables or capability-enabled binaries could be abused to gain elevated access.


The results revealed several common SUID binaries, including sudo, pkexec, crontab, and incrontab, along with a handful of binaries assigned Linux capabilities. However, nothing immediately stood out as an obvious privilege escalation path. Since the findings appeared largely standard for a FreePBX installation, I shifted my attention back to the previously discovered incron monitoring mechanism and the sysadmin_manager workflow, which remained the most promising avenue for obtaining root privileges.
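
As an added example (not code from the original writeup), here is the SUID enumeration above as a pair of shell helpers that not only list setuid files but also separate packaged helpers from ones in odd places. The directory list in in_standard_dir is an assumption about a typical Linux layout, not something taken from the target; the same classifier flags a root-owned SUID copy of bash in /tmp, which is the artefact the privilege escalation later in this writeup leaves behind.

```shell
#!/usr/bin/env bash
# Setuid triage helpers, added for this writeup (not from the original page).
# find_suid lists setuid executables under the given roots; in_standard_dir is
# the heuristic that separates stock helpers (sudo, pkexec, crontab, incrontab)
# from out-of-place ones such as a copied /tmp/bash.

# Print setuid regular files under each root, one per line, without crossing
# filesystem boundaries (-xdev keeps /proc and network mounts out of the run).
find_suid() {
  find "$@" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Directories where a packaged setuid helper is expected. The list is an
# assumption for a typical Linux layout, not taken from the target.
in_standard_dir() {
  case "$(dirname -- "$1")" in
    /bin|/sbin|/usr/bin|/usr/sbin|/usr/libexec|/usr/libexec/*|/usr/lib|/usr/lib/*|/usr/lib64|/usr/lib64/*|/usr/local/bin|/usr/local/sbin)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Label every setuid file under the roots: "standard <path>" or "SUSPECT <path>".
classify_suid() {
  local f
  find_suid "$@" | while read -r f; do
    if in_standard_dir "$f"; then
      printf 'standard %s\n' "$f"
    else
      printf 'SUSPECT %s\n' "$f"
    fi
  done
}
```

On a live host the pass is `classify_suid /`, paired with `getcap -r / 2>/dev/null` for file capabilities; anything labelled SUSPECT, or any standard binary with a recent modification time, is what to look at first.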


Incron Analysis

Since the incron configuration appeared to be the most promising privilege escalation vector, I performed a deeper inspection of all configured incron rules and the directories they monitored. My goal was to identify writable locations that could trigger privileged actions.


The output revealed several incron rules that ran system administration scripts whenever specific files were written. More importantly, /usr/local/asterisk/incron was watched by sysadmin_manager --local, and both that directory and the ha_trigger file were world-writable. A path that a root-run process reacts to, yet the asterisk user can modify, is exactly the condition for triggering unintended root-level actions, so these stood out immediately.


Root Trigger Analysis

To understand how the writable ha_trigger file was processed, I examined the sysadmin_ha script referenced by the incron configuration. I wanted to determine whether the monitored file ultimately triggered code execution in a privileged context.


The script showed that whenever ha_trigger was written, it loaded the freepbx_ha module and executed the rootTrigger() function from that module's incron.php. I also confirmed that the FreePBX modules directory was owned by the asterisk user, so the web application's own code was writable from my shell. The chain was now complete: a writable trigger file, a script executed as root, and application files under the control of the compromised user. Since the root process would include whatever PHP it found at the module path, the freepbx_ha module became the prime target.
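
The two checks from the Incron Analysis and Root Trigger Analysis sections, as an added shell example that is not from the original writeup, FreePBX or incron: audit_incron reads an incron table in the `<path> <mask> <command>` format of `incrontab -l` and /etc/incron.d/* and flags watches whose watched path or handler binary is other-writable; audit_includes pulls the string-literal include/require targets out of a PHP handler and reports any target that is missing but sits under a directory others can write to, which is the "missing module under a writable modules directory" condition found here. The sysadmin_manager and freepbx_ha names in the comments come from this writeup; the paths the functions are run against are whatever the auditor supplies.

```shell
#!/usr/bin/env bash
# Audit helpers for root-run file-watch automation. Added example for this
# writeup: not code from the original page, FreePBX or incron. Models the two
# conditions found on the target: (1) an incron watch whose watched path (or
# handler binary) can be written by unprivileged users, and (2) a handler that
# include()s a PHP file from a location an unprivileged user controls, so a
# *missing* include (e.g. an absent freepbx_ha module) can be supplied by the
# attacker.

# True when the other-writable bit is set. Mode bits rather than `test -w`, so
# the answer is the same whether the audit runs as root or as asterisk.
other_writable() {
  [ -e "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm -o+w 2>/dev/null)" ]
}

# Closest existing ancestor of a path (the path itself if it exists).
nearest_existing() {
  local p="$1"
  while [ ! -e "$p" ] && [ "$p" != / ]; do p="$(dirname -- "$p")"; done
  printf '%s\n' "$p"
}

# Check 1: read an incron table in the "<path> <mask> <command>" format of
# `incrontab -l` and /etc/incron.d/* (e.g. "/usr/local/asterisk/incron
# IN_CLOSE_WRITE,IN_MOVED_TO /usr/bin/sysadmin_manager --local $#").
# Print "RISK" when the watched path or the handler binary is other-writable,
# otherwise "ok".
audit_incron() {
  local path mask cmd handler
  while read -r path mask cmd; do
    case "$path" in ''|'#'*) continue ;; esac
    handler="${cmd%% *}"                     # first word of the command
    if other_writable "$path" || other_writable "$handler"; then
      printf 'RISK %s %s\n' "$path" "$cmd"
    else
      printf 'ok %s %s\n' "$path" "$cmd"
    fi
  done < "$1"
}

# Check 2: for every string-literal include/require target in a PHP handler,
# report MISSING+WRITABLE-DIR when the file does not exist but its nearest
# existing ancestor is other-writable (an attacker can create the path),
# WRITABLE-FILE when it exists and is other-writable, otherwise ok.
# Dynamic includes (variables, concatenation) are not resolved.
audit_includes() {
  local q="['\"]" target anc
  grep -oE "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*$q[^'\"]+$q" "$1" \
    | sed -E "s/.*$q([^'\"]+)$q/\1/" \
    | while read -r target; do
        anc="$(nearest_existing "$target")"
        if [ ! -e "$target" ] && other_writable "$anc"; then
          printf 'MISSING+WRITABLE-DIR %s\n' "$target"
        elif other_writable "$target"; then
          printf 'WRITABLE-FILE %s\n' "$target"
        else
          printf 'ok %s\n' "$target"
        fi
      done
}
```

Run as `audit_incron /etc/incron.d/<table>` (or against the output of `incrontab -l` saved to a file) and `audit_includes /path/to/handler.php`. The mode-bit test is deliberately conservative: a directory owned by a non-root service account with mode 0755 is just as dangerous for a root-run handler, so ownership of anything reported "ok" still needs a glance.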


Privilege Escalation

The freepbx_ha module that the script expected was not installed, so the file it tried to load did not exist. Because the modules directory was writable by asterisk, I created the missing module path and dropped in my own incron.php. Its class defined a rootTrigger() method that copied /bin/bash to /tmp and set the SUID bit on the copy.

With the malicious module in place, I fired the incron rule by writing to the world-writable ha_trigger file. The privileged sysadmin_ha process loaded my incron.php and called rootTrigger() as root, producing a SUID-enabled bash binary that could be used to obtain root privileges.


Root Flag

After triggering the workflow, I verified that the payload had executed. A SUID-enabled copy of bash in /tmp, owned by root, confirmed that my code had run with root privileges.

I ran the SUID bash with -p, which stops bash from dropping the effective UID it inherits from the setuid bit, and confirmed that the process had an effective UID of 0 (root). With full administrative access established, I read /root/root.txt and captured the root flag, completing the machine.

If you enjoy reading my write-ups, please consider subscribing to my YouTube channel and following me on LinkedIn | Medium | Twitter | Boltech Twitter | Buy Me a Coffee. Found this walkthrough helpful? Buying me a coffee helps power the late nights spent writing technical walkthroughs and keeping them free for everyone ☕

