Beginner’s Guide to Conquering Eloquia on HackTheBox

Key Highlights

Welcome to your guide for the Eloquia machine! Here’s a quick rundown of what you will learn.

• Start your journey with initial enumeration to scan the target IP and discover open ports and services.
• Uncover exposed Spring Boot Actuator endpoints on the web server, a critical step in your attack.
• Learn to download and analyze a server heapdump to find sensitive credentials.
• Execute a man-in-the-middle exploit against the Eureka service to capture user login details.
• Escalate your privileges to root by exploiting a vulnerable script on the server.
• Strengthen your cybersecurity skills with this hands-on, real-world hacking scenario.

Introduction

Are you ready to dive into the exciting world of cybersecurity and test your skills? HackTheBox offers a fantastic playground for aspiring ethical hackers, and the Eloquia machine is an excellent challenge to conquer. This retired Windows box is rated as “Insane,” making it a perfect starting point for advanced CTF players. In this guide, you will learn how to methodically approach, exploit, and gain complete control of the machine. Let’s get ready to hack!

Understanding the Eloquia Machine on HackTheBox

Eloquia is a Windows machine on HackTheBox that provides a realistic environment to practice your penetration testing skills. Your first task is to perform thorough enumeration on the machine’s IP address. This involves scanning for open ports and identifying the services running on them, which is the foundation of any successful hack.

Once you identify the web server, you will need to probe the running app for vulnerabilities. The key to this machine is discovering exposed management endpoints that leak information. Your goal is to find misconfigurations that allow you to extract credentials and gain your initial foothold on the server. The next sections will explore what makes this machine unique and the challenges you might encounter.

Overview and Unique Features of Eloquia

The Eloquia machine presents a modern web application environment. Initially, you will interact with a standard HTTP web server on port 80, which hosts a furniture e-commerce site. This is a common setup, but the real complexity lies beneath the surface of this Windows system.

What sets Eloquia apart is its backend architecture. The primary web app is built on Spring Boot, a popular Java framework. More distinctively, it uses a Netflix Eureka server for service discovery. This type of microservice architecture is common in real-world enterprise applications but is a unique feature for a beginner-level HTB machine.

Understanding how these services communicate is crucial for exploitation. Instead of a simple monolithic app, you must analyze how different components like the API gateway, user management service, and the main application interact. This provides excellent exposure to attacking more complex, distributed systems.

Common Challenges Faced by Beginners

While Eloquia is rated “Easy,” it introduces several concepts that can be challenging for newcomers. The primary hurdle is navigating the multi-stage exploit path, which requires patience and a good methodology.

One of the first challenges is analyzing the large heapdump file you will acquire from the server. Sifting through megabytes of memory data to find a single password or piece of configuration can feel overwhelming. Another significant challenge is understanding and executing the man-in-the-middle exploit against the Eureka service discovery server to intercept credentials.

Here are some common sticking points you might face:

• Finding the correct credentials within the heapdump.
• Crafting the malicious XML file for the Eureka exploit.
• Identifying the privilege escalation vector after gaining user access.
• Reusing the correct password for the right service.

Eloquia represents a sophisticated, multi-layered “Insane” difficulty challenge that simulates a modern, hardened Windows environment running a custom CRM application stack. The exploitation path does not rely on simple CVE exploits of outdated services but rather on a chain of logical vulnerabilities, client-side misconfigurations, and forensic artifact abuse.

The kill chain is executed in four distinct phases:

1. Web Exploitation: A combination of a logical flaw in a custom OAuth 2.0 provider (“Qooqle”) and a Client-Side Template Injection (CSTI/XSS) vulnerability in AngularJS (CVE-2025-2336). By chaining these, an attacker can perform a Cross-Site Request Forgery (CSRF) attack against an administrator to link the attacker’s identity to the admin’s account.
2. Initial Access (RCE): Abuse of the SQLite load_extension() feature within the administrative console to load a malicious Dynamic Link Library (DLL), granting remote code execution.
3. Lateral Movement: Forensic enumeration of browser artifacts (Microsoft Edge), specifically abusing the Windows Data Protection API (DPAPI) to decrypt saved credentials, leading to Lateral Movement via WinRM.
4. Privilege Escalation: Exploiting a custom .NET service (Failure2Ban) via weak file permissions to hijack the service binary and execute code as SYSTEM.

ALSO READ: Mastering MonitorsFour: Beginner’s Guide from HackTheBox

INITIAL FOOTHOLD

Advanced Reconnaissance

Network Service Enumeration

We initiate the engagement with a high-speed TCP port scan using rustscan to identify open ports, followed by a targeted nmap scan for service versioning and script enumeration.

rustscan -a 10.10.11.99 --ulimit 2000 -r 1-65535 -- -A sS -Pn

Scan Results:

PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack Microsoft IIS httpd 10.0
|_http-title: Eloquia
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: 7487AC79D09DE6E54F3DF799C6B5B14A
5985/tcp open  http    syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Analysis:

• Port 80 (IIS 10.0): The primary web server. IIS 10.0 indicates a Windows Server 2016 or 2019 environment.
• Port 5985 (WinRM): Windows Remote Management is exposed. This is a critical vector for lateral movement if credentials can be obtained. The absence of Port 445 (SMB) suggests a hardened perimeter or firewall rules blocking file sharing.

Web Application Discovery

Upon visiting http://10.10.11.99, the server redirects or references the hostname eloquia.htb. Further interaction with the login page reveals a secondary domain, qooqle.htb, utilized for Single Sign-On (SSO).

Configuration: We update our local DNS resolution (/etc/hosts) to facilitate proper routing:

echo "10.10.11.99 eloquia.htb qooqle.htb" | sudo tee -a /etc/hosts

Application Fingerprinting:

• Eloquia (eloquia.htb): A CRM application for creating and sharing articles. It appears to be built on Django (Python) given the csrftoken and sessionid cookies.
• Qooqle (qooqle.htb): A custom Identity Provider (IdP) mimicking Google’s OAuth infrastructure.
• Frontend Technology: Inspection of the source code reveals the usage of AngularJS v1.8.2 (ng-app, ng-controller). This is a critical finding, as older versions of Angular often suffer from Template Injection or Sandbox Escape vulnerabilities.

Now we can browse to:

1. http://eloquia.htb: The core marketing application.
2. http://qooqle.htb: The mock OAuth provider.

Web Exploitation (The OAuth Takeover)

The entry point into the system requires chaining a Client-Side vulnerability (XSS) with a Server-Side Logic flaw (OAuth Misconfiguration).

OAuth 2.0 Analysis

The application implements a custom OAuth 2.0 flow to allow users to “Log in with Qooqle”.

The Standard Authorization Code Flow:

App verifies state, exchanges code for an access token via back-channel.

User clicks “Login”.

App redirects to IdP (/authorize) with client_id, redirect_uri, and a random state.

User approves access.

IdP redirects back to App (/callback) with a code and state.

The Eloquia/Qooqle Implementation (Vulnerable): Analysis of the HTTP traffic reveals critical deviations from the standard:

1. Missing State Parameter: The initial redirect to qooqle.htb does not include a cryptographic state parameter.
   • Impact: The application cannot verify if the user initiating the flow is the same user consuming the callback. This opens the door to Cross-Site Request Forgery (CSRF).
2. Weak Code Validation: The callback endpoint (/accounts/oauth2/qooqle/callback/?code=...) blindly consumes the code. If an authenticated user visits this URL, the Qooqle account associated with that code is immediately linked to the Eloquia user’s account.

The Attack Vector: If we can force an Administrator to visit the Callback URL with our authorization code, our Qooqle account will be linked to the Admin’s Eloquia account. We can then log in as the attacker via Qooqle and gain Admin access.

AngularJS XSS (CVE-2025-2336)

The application allows users to create “Articles” with banner images and HTML content. While the backend accepts raw HTML, the frontend uses AngularJS’s Strict Contextual Escaping ($sce.trustAsHtml) to sanitize output.

The Vulnerability: AngularJS v1.8.2 has a specific vulnerability (CVE-2025-2336) regarding SVG Animation. The sanitizer fails to properly validate URLs inside <animate> tags within an <svg> element. This allows bypassing standard href sanitization.

ALSO READ: CVE-2025-2336: Critical AngularJS XSS & SVG Vulnerability Fix

Content Security Policy (CSP): The application enforces a CSP:

Content-Security-Policy: default-src 'self'; script-src 'self'; ...

This blocks loading images or scripts from external domains (e.g., attacker.com). However, it allows Same-Origin requests.

The Bypass: Since we want the Admin Bot to visit a URL on eloquia.htb (the OAuth callback), this is a Same-Origin request. The CSP permits this.

The Payload:

<svg>
  <a xlink:href="/accounts/oauth2/qooqle/callback/?code=[ATTACKER_CODE]">
    <text x="20" y="20">Click Me</text>
    <animate attributeName="xlink:href" values="/accounts/oauth2/qooqle/callback/?code=[ATTACKER_CODE]" />
  </a>
</svg>

When the bot renders this SVG, the <animate> tag triggers the link traversal automatically.

FOR THE COMPLETE oauth_exploit.py CODE, PLEASE BUY ME A COFFEE!

The Exploitation Chain (Automated)

We utilize a Python script (oauth_exploit.py) to automate the attack race condition:

1. Mint Code: The script logs into qooqle.htb as the attacker and initiates an OAuth flow to generate a valid, fresh code.
2. Inject: The script creates a new Article on eloquia.htb. The content is the malicious SVG payload containing the fresh code.
3. Trigger: The script “Reports” the article.
4. Execution: The Admin Bot visits the reported article. AngularJS renders the SVG. The browser follows the link to the OAuth callback.
5. Takeover: The Admin’s Eloquia account is now linked to the Attacker’s Qooqle account.
6. Access: The attacker logs out and logs back in using “Log in with Qooqle”, gaining access to the Admin Dashboard.

Initial Access (SQLite RCE)

We now have access to the Django Admin interface (/accounts/admin/).

Database Enumeration

Inside the admin panel, we find an SQL Explorer tool. Executing select sqlite_version(); confirms the backend is SQLite. Normally, SQLite is file-based and does not offer RCE. However, we check if extensions are enabled:

PRAGMA compile_options;
-- or
SELECT load_extension('test');

The error message or output confirms that load_extension is enabled.

Malicious Extension Construction

SQLite extensions are simply Shared Libraries (DLLs on Windows). We can compile a custom C program into a DLL that spawns a reverse shell when loaded.

The Source Code (sqlite_revshell.c): We use standard Win32 API calls (WSASocket, CreateProcess) to spawn cmd.exe and tunnel the input/output over a TCP socket.

FOR THE COMPLETE sqlite_revshell.c CODE, PLEASE BUY ME A COFFEE!

Compilation: We must compile this as a Windows DLL.

x86_64-w64-mingw32-gcc -shared -o xpl.dll sqlite_revshell.c -lws2_32

Upload and Execution

1. Upload: We leverage the Django Admin’s “Article” management to upload xpl.dll as a “Banner Image”.
2. Locate: The file is saved to /static/assets/images/blog/xpl.dll (or similar, verifiable via the admin UI).
3. Execute: In the SQL Explorer, we run:SELECT load_extension('static/assets/images/blog/xpl.dll');

Result: A reverse shell connects back to our listener.

whoami
eloquia\web

Lateral Movement (Forensics)

We have a shell as the web user. We begin local enumeration.

Artifact Discovery

Exploring the user’s home directory (C:\Users\web), we find .cache and .idlerc directories, along with a selenium folder. This suggests the “Admin Bot” is actually a Selenium script running in a headless browser context under this user.

We investigate the Microsoft Edge profile data located at: C:\Users\web\AppData\Local\Microsoft\Edge\User Data\Default

Key files found:

• Login Data: An SQLite database containing saved credentials (passwords are encrypted).
• Local State: A JSON file containing the encrypted master key used to decrypt the database.

DPAPI Decryption Theory

Chromium-based browsers (Edge, Chrome) encrypt saved passwords using AES-256-GCM. The AES key itself is stored in the Local State file, but it is encrypted using the Windows DPAPI (Data Protection API).

DPAPI encryption is tied to the user’s login session. Since we are executing code as the user (web), we can transparently call the Windows API CryptUnprotectData to decrypt the master key. Once we have the master key, we can decrypt the passwords in Login Data.

Credential Extraction

We upload a Python script (edge_decrypt.py) to perform the decryption on the target.

Execution:

python edge_decrypt.py

Recovered Credentials:

[1] [https://eloquia.htb/](https://eloquia.htb/)
    Username: O******
    Password: S********

FOR THE COMPLETE edge_decrypt.py CODE, PLEASE BUY ME A COFFEE!

WinRM Pivot

We verify these credentials against the exposed WinRM port (5985).

evil-winrm -i 10.10.11.99 -u 'O******' -p 'S******'

Success. We are now logged in as O*********.

Privilege Escalation (The Failure2Ban Service)

Running as O******, we perform service enumeration and discover a non-standard service named Failure2Ban.

Service Analysis

Registry Path: HKLM\SYSTEM\CurrentControlSet\Services\Failure2Ban Binary Path: C:\Program Files\Qooqle IPS Software\Failure2Ban - Prototype\Failure2Ban\bin\Debug\Failure2Ban.exe

The “Prototype” and “Debug” path indicators suggest insecure development practices. The service runs as LocalSystem.

Permission Analysis (The Vulnerability)

We check the Access Control Lists (ACLs) on the binary and its folder.

icacls "C:\Program Files\Qooqle IPS Software\Failure2Ban - Prototype\Failure2Ban\bin\Debug\Failure2Ban.exe"

Output:

ELOQUIA\O*******:(I)(RX,W)
NT AUTHORITY\SYSTEM:(I)(F)
...

The user O****** has Write (W) permissions on the service executable. This is a classic Insecure Service Executable vulnerability.

Exploitation (Binary Hijacking)

Since the service runs as SYSTEM, if we replace the .exe with our own malicious binary, it will execute with SYSTEM privileges when the service restarts.

Payload (service_hijack.c): We create a simple C program that copies the root flag to a readable location (C:\temp\root.txt). This is cleaner than a reverse shell and avoids some AV heuristics.

Compilation:

x86_64-w64-mingw32-gcc -O2 -s -o xpl.exe service_hijack.c

The Race Condition: We cannot simply stop and start the service (we lack permission). However, logs indicate the service restarts periodically or processes files in a loop. We can use a PowerShell loop to attempt to overwrite the file until the file lock is released (e.g., during a scheduled restart or crash).

FOR THE COMPLETE service_hijack.c CODE, PLEASE BUY ME A COFFEE!

$svc = 'C:\Program Files\Qooqle IPS Software\Failure2Ban - Prototype\Failure2Ban\bin\Debug\Failure2Ban.exe'
while ($true) { try { Copy-Item C:\temp\xpl.exe $svc -Force; break } catch {} }

Once the overwrite succeeds, we wait for the service to execute. We check C:\temp\root.txt.

Result: The flag is copied. We have effectively achieved SYSTEM privileges.

The “Intended” Path (Log Poisoning)

Reverse engineering the Failure2Ban.exe (a .NET assembly) using tools like dotPeek reveals another potential vector: Log Poisoning.

The service reads a configuration file (Failure2Ban.exe.config) to find a log file path. It then parses this log file for “FAILED” login attempts.

1. Path Traversal: The log file path in the config is not sanitized. We can point it to a file we control.
2. Rule Injection: When a ban is triggered, the service constructs a Firewall Rule using the IP address from the log.// Vulnerable Code Logic instance.Rules.Add(new INetFwRule { Name = "Block IP " + ip, RemoteAddresses = ip // Injection point? });

While Binary Hijacking was sufficient due to the weak ACLs on the executable itself, the application logic suggests an intended path involving crafting a malicious log file to inject Firewall rules or potentially execute commands if the arguments were passed to a shell (though the code uses COM objects for Firewall rules, making direct command injection unlikely via this specific vector). The weak file permission remains the dominant vulnerability.

Remediation and Conclusion

Fixing the OAuth Vulnerability

To secure the OAuth implementation, the developers must:

1. Implement state Parameter: Generate a cryptographic nonce (random token) in the user’s session before redirecting to Qooqle. Pass this as the state parameter.
2. Verify state: Upon return to /auth/callback, verify the returned state matches the session’s nonce.
3. Strict Binding: Do not allow the callback endpoint to link accounts blindly. Require the user to confirm their password before linking a sensitive third-party identity.

Hardening the Server

1. Restrict Uploads: “Custom Workflows” allowing DLL uploads is inherently dangerous. This feature should be removed or restricted to code signed by the organization’s certificate authority (Allowlisting).
2. AppLocker/WDAC: Implement Windows Defender Application Control to prevent the loading of unsigned DLLs, even if they bypass antivirus signatures.

Fixing File Permissions

The svc_web account should Read-Only access to the Fail2Ban configuration.

Service accounts should strictly follow the Principle of Least Privilege.

Fix: icacls "C:\Program Files\Fail2Ban\config\action.d" /remove eloquia\svc_web

ALSO READ: Mastering Gavel: Beginner’s Guide from HackTheBox

Preparing for Your Eloquia HTB Writeup Journey

Getting ready to tackle Eloquia involves having the right tools and a solid mindset. You should be comfortable with basic Windows and Linux commands and have a general understanding of web applications. While deep knowledge isn’t required, familiarity with tools written in Python will also be helpful, as many penetration testing scripts rely on it.

This guide is designed to walk you through every step, from initial scanning to gaining root access. We will cover the specific tools you need and how to set up your environment for a successful attack. Are you ready to find that first password and begin your journey? Let’s prepare for the hack.

Essential Tools and Resources Needed

To conquer Eloquia, you will need a few standard penetration testing tools. Most of these come pre-installed on security-focused Linux distributions like Kali Linux or Parrot OS. Having these tools at your disposal will make the enumeration and exploitation phases much smoother.

Your primary tools will focus on network scanning, web directory brute-forcing, and interacting with the HTTP server. You will also need a specific utility to analyze the Java heapdump you will download from the target server. Running a simple Python HTTP server will also be necessary to host files for your attack.

Here is a breakdown of the essential tools for this machine:

Tool Name	Purpose
Nmap/Rustscan	For port scanning to discover open services on the server.
Dirsearch	To find hidden files and directories on the web server.
curl	To make HTTP requests to interact with web services and APIs.
JDumpSpider	A Java tool to analyze heapdump files for sensitive information.
Netcat	For setting up listeners and catching reverse shells.

Setting Up Your Attack Environment

A proper setup is key to a smooth and successful attack. First, ensure you are running a Linux-based operating system designed for penetration testing. This will give you access to all the necessary tools without extra installation hassles.

Next, you must connect to the HackTheBox network. Download your OpenVPN connection pack from the HTB website and use it to establish a VPN connection. This will assign you an IP address on the lab network, allowing you to communicate with the Eloquia machine. Verify your connection by pinging the machine’s IP.

Here are the key steps to prepare your environment:

• Connect to the HackTheBox VPN.
• Create a dedicated directory for the Eloquia machine to stay organized.
• Confirm you can reach the target IP address.
• Have your enumeration tools ready for the initial scan of the app.

Step-by-Step Guide to Conquering Eloquia HackTheBox

Now that you are prepared, it is time to begin the hack. This section provides a detailed walkthrough, breaking down the process into clear, manageable steps. We will start with initial enumeration to build a picture of the target server and move methodically toward gaining full control.

Follow these steps carefully to navigate the challenges of this Windows machine. Each phase builds upon the last, taking you from an outside attacker to the root user. Let’s start by scanning the machine and seeing what secrets it holds.

Step 1: Initial Enumeration and Reconnaissance

Your first action is to run a port scan against the machine’s IP address. Using a tool like Nmap or Rustscan, you will quickly discover several open ports. The scan results will show port 22 (SSH), port 80 (HTTP), and port 8761 (HTTP) are open. This immediately tells you there is a web server to investigate and a potential entry point through a web application.

With port 80 identified, your next move is to perform web enumeration. Use a directory brute-forcing tool like Dirsearch to scan the web server for hidden pages. This scan will reveal a critical directory: /actuator. The presence of this directory is a strong indicator that the web application is running on Spring Boot.

The /actuator endpoint exposes several management and monitoring endpoints. By exploring these, such as /actuator/env and /actuator/beans, you can gather valuable information about the server’s configuration and technologies. However, the most interesting endpoint you will find is /actuator/heapdump, which is your key to the next stage.

Step 2: Exploiting Vulnerabilities and Gaining User Access

The exposed /actuator/heapdump endpoint is a critical vulnerability. This allows you to download a complete memory snapshot of the Java application. Use curl to download this large file to your local machine. This heapdump contains a wealth of information, including sensitive data like credentials that were in memory when the snapshot was taken.

To find the hidden password, you will use a tool called JDumpSpider. Run this tool against the downloaded heapdump file. It will automatically parse the memory dump and extract any hardcoded credentials it finds. The output will reveal multiple sets of credentials, including the database password for the user oscar190 and, more importantly, the username and password for the Eureka service (EurekaSrvr:0scarPWDisTheB3st).

With the Eureka credentials, you can perform a man-in-the-middle exploit. Log into the Eureka dashboard on port 8761 and replace the legitimate USER-MANAGEMENT-SERVICE with a fake one pointing to your IP. When a user tries to log in, their credentials will be sent to your listener. This allows you to capture the password for the user miranda.wise. You can then use this password to log in via SSH and gain user access to the Windows system.

Step 3: Privilege Escalation Techniques to Root the Box

Once you have a foothold as the user miranda-wise, the final step is privilege escalation to become root. Start by performing local enumeration on the Windows system. You will find a suspicious script in /opt named log_analyse.sh. Examining this script reveals that it is owned by root and is executed periodically.

The script is designed to parse application log files. However, it contains a command injection vulnerability in the analyze_logins function. The script reads lines from a log file and uses awk to parse them in an insecure way. This means you can inject shell commands into one of the log files that the script reads.

To perform the escalation, craft a malicious log entry containing a payload like a[ $(chmod +s /bin/bash) ]. Write this line to one of the application log files that your user has write access to, such as /var/www/web/cloud-gateway/log/application.log. When the cron job runs the script as root, your command will be executed, setting the SUID bit on bash. This gives you a shell with root privileges, completing the box.

Conclusion

Eloquia is a testament to the complexity of modern red teaming. It moves beyond simple CVE exploitation into the realm of logic abuse and environment manipulation.

• Key Learning 1: OAuth Race Conditions. Time windows in security protocols (like the 30-second auth code) can be exploited if the attacker controls the traffic flow via a redirector.
• Key Learning 2: Defense Evasion. In Insane environments, “off-the-shelf” payloads (Meterpreter) are liabilities. Custom C++ development with behavior masking is essential.
• Key Learning 3: Security Tool Exploitation. Tools designed to protect systems (like Fail2Ban) often run with high privileges. If their configuration is writable, they become the ultimate privilege escalation vector.

Happy Hacking, and see you in Season 10!

Frequently Asked Questions

What makes the Eloquia machine different from other HTB boxes?

Eloquia stands out due to its modern app architecture. Unlike simpler Windows servers, it features a Spring Boot application with a Eureka service discovery server. The exploit path requires you to understand this microservice setup to perform a man-in-the-middle attack, which is a unique challenge for an “Easy” rated box.

How long does it typically take a beginner to complete Eloquia HackTheBox?

For a beginner, completing this hack could take several hours. The initial enumeration of the server’s IP and web directory is straightforward, but analyzing the heapdump to find credentials and understanding the Eureka service attack can be time-consuming. The key is patience and methodical work.

Which tools are most effective for the Eloquia HTB writeup?

The most effective tools for this Windows machine include Nmap for initial enumeration, Dirsearch for web scanning, and JDumpSpider for finding the password in the heapdump. You will also use curl to interact with the app and a simple Python HTTP server for parts of the exploit.

Are there any common pitfalls beginners should avoid on Eloquia HackTheBox?

A common pitfall is getting stuck on the heapdump analysis or not understanding how to craft the Eureka MITM exploit. Another is overlooking the writable log directory for privilege escalation. Ensure you use the right password for the right service, as multiple credentials are found.