Machine Overview
| Field | Detail |
|---|---|
| Name | Silentium |
| OS | Linux (Ubuntu 24.04) |
| Difficulty | Easy |
| IP Address | 10.129.25.158 |
| Attack Path | Web → API Abuse → RCE → SSH → Gogs → Root |
| CVEs | CVE-2025-58434, CVE-2025-59528, CVE-2025-8110 |
Silentium is a Linux-based machine centered around modern application security. The attack chain involves exploiting a vulnerable Flowise AI instance exposed on a staging subdomain, chaining two CVEs to gain a foothold inside a Docker container, harvesting credentials from environment variables, and finally escalating to root via a Gogs git service running internally on the host.
Phase 1 - Reconnaissance
Port Scanning
We begin with a comprehensive Nmap scan against the target to identify open ports and enumerate running services.
```bash
nmap -sC -sV -p- --min-rate 5000 10.129.25.158 -oN nmap.txt
```
Output:
```
Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-13 23:42 +0530
Nmap scan report for silentium.htb (10.129.25.158)
Host is up (0.41s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Silentium | Institutional Capital & Lending Solutions
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Analysis:
- Port 22 (SSH): OpenSSH 9.6p1 is modern and unlikely to be directly exploitable, but it will be useful once credentials are found.
- Port 80 (HTTP): nginx 1.24.0 serving a web application. The page title reveals a financial services company, Silentium | Institutional Capital & Lending Solutions. The HTTP redirect points to http://silentium.htb/, meaning virtual host routing is in play.
Hosts File Setup
Since the server uses virtual host-based routing, we add the domain to our local hosts file:
```bash
echo "10.129.25.158 silentium.htb staging.silentium.htb" | sudo tee -a /etc/hosts
```
Browsing to http://silentium.htb/ presents a corporate landing page for a financial institution. On its own it offers no obvious attack surface, but the presence of virtual host routing suggests additional subdomains may exist.
Phase 2 - Web Enumeration & Subdomain Discovery
Subdomain Fuzzing with FFUF
We use ffuf to fuzz for virtual host subdomains by manipulating the Host header:
```bash
ffuf -u http://silentium.htb/ \
     -H "Host: FUZZ.silentium.htb" \
     -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
     -fs 178
```
Output:
```
staging [Status: 200, Size: 3142, Words: 789, Lines: 70, Duration: 55ms]
```
Finding: The subdomain staging.silentium.htb resolves and returns a valid 200 response. We update /etc/hosts if not already done, then browse to it.
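The same property that makes this fuzz work for the tester, a catch-all server block that answers every unknown Host value with the same 178-byte page, also makes the activity easy to spot on the server side. The following detector is an added example, not part of the original writeup: it parses nginx access-log lines and flags any source IP that requests many distinct unknown Host values inside a short window. It assumes a custom `log_format` that records `$host` (the default combined format does not), and the sample log lines and client IPs below are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed nginx log_format (hypothetical, not from the page):
#   log_format vhost '$remote_addr [$time_local] "$host" "$request" $status $body_bytes_sent';
# Logging $host is what makes Host-header fuzzing visible at all; the stock
# combined format omits it.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Virtual hosts the server legitimately serves (names taken from the writeup).
KNOWN_HOSTS = {"silentium.htb", "staging.silentium.htb"}


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower()
    return rec


def detect_vhost_fuzzing(lines, known_hosts=KNOWN_HOSTS, window_seconds=60, threshold=20):
    """Return {source_ip: peak_distinct_unknown_hosts} for every source that
    requested at least `threshold` distinct unknown Host values inside any
    `window_seconds` window. Requests for known vhosts are ignored, so normal
    browsing never contributes to the count."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["host"] not in known_hosts:
            per_ip[rec["ip"]].append((rec["ts"], rec["host"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        window = Counter()   # unknown host -> hits inside the current window
        start = 0
        peak = 0
        for ts, host in events:
            window[host] += 1
            # Slide the left edge forward until the window spans <= window_seconds.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                window[old] -= 1
                if window[old] == 0:
                    del window[old]
                start += 1
            peak = max(peak, len(window))
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


# Constructed sample log: one client walks 25 candidate subdomains in 25 seconds
# (the catch-all answers every miss with the same 178-byte page, the size the
# ffuf run above filtered out), plus two unrelated requests from another client.
_WORDS = ["admin", "api", "dev", "test", "mail", "vpn", "portal", "app", "beta",
          "demo", "docs", "git", "jenkins", "lab", "old", "shop", "staging2",
          "support", "uat", "web", "www2", "backup", "cdn", "cms", "crm"]
SAMPLE_LOG = [
    f'10.10.14.5 [13/Apr/2026:18:12:{i:02d} +0000] "{w}.silentium.htb" '
    f'"GET / HTTP/1.1" 200 178'
    for i, w in enumerate(_WORDS)
] + [
    '10.10.14.9 [13/Apr/2026:18:12:10 +0000] "silentium.htb" "GET / HTTP/1.1" 200 4096',
    '10.10.14.9 [13/Apr/2026:18:12:11 +0000] "10.129.25.158" "GET / HTTP/1.1" 200 178',
]

if __name__ == "__main__":
    for ip, peak in detect_vhost_fuzzing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} distinct unknown Host values within 60s")
```

Only unknown Host values count, so a single mistyped hostname or a scanner hitting the bare IP stays well under the threshold, while a wordlist run trips it within seconds. On the mitigation side, the fixed-size catch-all response is the tell; serving unknown hosts from a `default_server` block that closes the connection (nginx `return 444;`) removes the 200 that ffuf keys on, though the vhost name itself is still discoverable by other means such as certificate transparency or DNS.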
Identifying Flowise
Navigating to http://staging.silentium.htb/ presents a login panel. Inspecting the HTML source reveals:
```html
<title>Flowise - Build AI Agents, Visually</title>
```
Flowise is an open-source, low-code platform for building LLM-powered agent workflows. The presence of a login page without visible credentials immediately directs us toward researching known vulnerabilities in this software.
A quick review of public advisories reveals two high-impact vulnerabilities:
CVE-2025-58434 - Unauthenticated password reset token leak
CVE-2025-59528 - Authenticated Remote Code Execution via the CustomMCP endpoint
We proceed to exploit these in sequence.
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.

