Key Highlights
Here are the key takeaways from this guide to conquering the Kobold machine:
- Ports 22, 80, 3552, 5000, and 8080 are open
- Discovery of
mcp.kobold.htb(configured over HTTPS), which hosts the MCPJam Inspector and Arcane dashboard, bin.kobold.htb (PrivateBin). - GHSA-232v-j27c-5pp6 (Unauthenticated RCE in MCPJam Inspector via exposed HTTP endpoints)
- CVE-2026-23520 (Command Injection in Arcane Updater Lifecycle Labels).
- Exploit PrivateBin (GHSA-g2j9-g8r5-rg82) to leak container/system configuration.
- The user is found to be part of the
staffgroup, granting write access to/usr/local/bin - A lot of rabbit holes in this box.
- For the scripts used, click here
- For a complete non-public writeup, please check here
Introduction
Welcome to your guide for conquering the Kobold machine on HackTheBox! If you’re looking for a fun and engaging challenge to sharpen your skills, you’ve come to the right place. This blog will walk you through every step, from initial discovery to gaining root access. Whether you’re a beginner or just looking for a new box to hack, this detailed writeup will provide the insights you need to succeed. Get ready to tackle this easy-rated Linux box and add another successful completion to your HTB profile.
Overview of Kobold HackTheBox Machine
The Kobold machine is an “Easy” rated Linux box on HackTheBox, perfect for those honing their penetration testing skills. It presents a realistic scenario where you start by enumerating a web server and its services. The path to user and root access is straightforward but requires careful observation.
This challenge primarily revolves around web application vulnerabilities and privilege escalation through misconfigured permissions. You’ll navigate open TCP ports and exploit a common web vulnerability to get your initial foothold on the server.
Kobold HTB Box Details and Difficulty Level
HackTheBox rates Kobold as an “Easy” machine, making it an excellent starting point for newcomers or a quick, satisfying challenge for more experienced hackers. Its difficulty level is designed to teach fundamental concepts without being overly complex or frustrating. The box runs on a Linux operating system, specifically a Debian distribution, which is common in many real-world server environments.
You will find that the initial steps are logical and follow a standard penetration testing methodology. The challenge doesn’t require obscure knowledge or brute-force attacks that take hours. Instead, it rewards methodical enumeration and a clear understanding of how different vulnerabilities can be chained together.
This approachable difficulty makes Kobold a popular choice. The path to compromising the server is well-defined, focusing on a known web application vulnerability and a classic Linux privilege escalation technique. This structure helps build confidence and reinforces key security principles.
Key Objectives and Unique Challenges
The primary objective for the Kobold machine is to gain both user and root access. This involves finding and exploiting specific vulnerabilities to retrieve two flags: user.txt and root.txt. The unique challenge lies in identifying the correct exploit path among potential rabbit holes and understanding how system permissions can be abused.
While the enumeration process is standard, the key is to correctly identify the vulnerability in the web application. Once you have user access, the privilege escalation step requires you to think about user group permissions and how they can be leveraged to execute code as a higher-privileged user.
The main objectives and challenges include:
- Performing thorough enumeration to identify the web application and its version.
- Successfully executing an attack to steal credentials.
- Identifying the privilege escalation vector related to the user.
- Hijacking a system process to gain root privileges without relying on kernel exploits.
Getting Started – What You Need
Before you begin your assault on the Kobold machine, you’ll need a proper setup. A Linux-based operating system like Kali Linux or Parrot OS is highly recommended, as they come pre-loaded with most of the necessary penetration testing tools. Make sure your system is up-to-date and that you have a stable internet connection.
Having the right tools ready will make the process much smoother. This challenge doesn’t require anything exotic, just the standard toolkit that most security professionals use daily. Let’s look at the specific software you’ll need.
ALSO READ: Mastering VariaType: Beginner’s Guide from HackTheBox
Initial Foothold
As organizations move toward “Model Context Protocol” (MCP) and simplified Docker management, new tools like Arcane have emerged. While designed for ease of use, these platforms introduce significant risk if they allow user-supplied metadata to interact directly with system commands. The “Kobold” machine on HackTheBox highlights a critical vulnerability in the Arcane updater lifecycle, demonstrating how a simple command injection can compromise an entire container management ecosystem.
Reconnaissance
Initial Port Scanning
Every successful engagement begins with a stealthy but thorough Nmap scan. On the Kobold machine, we are greeted with a standard SSH port and a highly interesting web service.
The scan reveals:
- 22/tcp: OpenSSH 8.9p1 Ubuntu 3ubuntu0.7
- 80/tcp: HTTP (nginx 1.18.0) – Redirects to
kobold.htb - 443/tcp: HTTPS (nginx 1.18.0)
- 3552/tcp: Arcane Docker Management v1.13.0
- 8080/tcp: PrivateBin (Discovered via later enumeration)
The Hostname Hurdle
Navigating directly to the IP on port 3552 often fails. As identified by community researchers, the machine requires a specific /etc/hosts entry to resolve correctly. Furthermore, the application forces HTTPS.
Web Enumeration: The MCPJam Interface
By visiting https://kobold.htb:3552, we are presented with the Arcane dashboard. Arcane is a modern Docker management tool. Within this ecosystem, we find the MCPJam Inspector, a development platform for MCP servers.
Subdomain Enumeration
Enumerating subdomains reveals mcp.kobold.htb. Navigating to https://mcp.kobold.htb reveals an instance of Arcane v1.13.0 and the MCPJam Inspector, a local-first development platform for MCP servers.
Another subdomain: bin.kobold.htb: A PrivateBin instance.
Analyzing the Vulnerability
Querying the API documentation (https://mcp.kobold.htb/api/openapi.json) reveals the /api/mcp/connect endpoint.
In Arcane Docker Management v1.13.0, this endpoint suffers from CVE-2026-23520, a critical unauthenticated command injection vulnerability. The API accepts arbitrary commands in the serverConfig.command parameter without sanitization.
For Every Script used in this writeup, please click here
For a complete non-public writeup, please check here
Crafting the Payload
Since the interface is web-based, we can leverage the browser’s developer console (F12) to send a POST request directly to the API.
The Reverse Shell Payload: We instruct the backend to execute bash and pipe a shell back to our attacker machine.
Executing the Foothold
- Start a listener:
nc -lvnp 4444. - Open the console on
https://mcp.kobold.htb. - Paste and execute the
fetchscript. - A reverse shell connection as the user
Gaining the Shell
Establishing Environment Context
Upon gaining the shell, we find ourselves in the directory: /usr/local/lib/node_modules/@mcpjam/inspector
Checking our listener, we catch a shell as the user.
We can now grab the user.txt flag from /home/user/user.txt.
PrivateBin (GHSA-g2j9-g8r5-rg82)
While enumerating the system, we notice a PrivateBin instance running on port 8080. PrivateBin versions prior to 1.7.2 are vulnerable to a path traversal/information leak (GHSA-g2j9-g8r5-rg82) that allows unauthenticated users to access configuration data.
By accessing the /cfg/conf.php or checking the data directory at /privatebin-data, we can leak the configuration of the containerized environment. This confirms that PrivateBin is running within a Docker container (using the privatebin/nginx-fpm-alpine:2.0.2 image) and reveals how the storage is mapped, which becomes crucial for our final escalation.
For Every Script used in this writeup, please click here
For a complete non-public writeup, please check here
Enumerating Privileges
Checking the ID and group membership of the user is the key to root. The user is a member of the docker group. This is a well-known critical misconfiguration that essentially grants root-level access to the host system.
Privilege Escalation – Escalating to Root
The Docker Attack Vector
Membership in the docker group allows a user to run containers. By mounting the host’s root directory (/) into a container, we can bypass all file system permissions on the host.
Enumerating Available Images
We check for locally available images to use for our escape.
Docker Socket Abuse & newgrp
While looking for privilege escalation vectors, checking the Docker socket reveals interesting permissions. Checking our user’s ID reveals our group memberships. Ben is a member of the operator group. On this specific machine, the configuration (or hidden gshadow entries) allows users in the operator group to switch to the docker group, effectively granting read/write access to the Docker daemon. Anyone who can talk to Docker can become root.
To go this route:
- Switch to the Docker Group
- Confirm Docker Access
Capturing the Root Flag
Option A: Breakout and Read the Root Flag: We spin up a container using an available local image (privatebin/nginx-fpm-alpine:2.0.2), mount the host’s root filesystem (/) into it, and read root.txt file on the host as root user.
This instantly returns the root flag.
Option B (Intended Path): PrivateBin LFI (GHSA-g2j9-g8r5-rg82) PrivateBin is vulnerable to a template-switching Local File Inclusion (LFI). We can write a PHP backdoor into the accessible data directory and execute it via the template cookie.
The path requires chaining the PrivateBin instance on bin.kobold.htb with the Arcane dashboard.
We trigger the backdoor to read the PrivateBin configuration file (/srv/cfg/conf.php), which contains reused database/admin passwords.
We use the privatebin image to mount the host filesystem to a directory named /hostfs inside the container. We then use the container’s root privileges to read the flag from the host’s /root directory
Steps to follow:
- PHP backdoor into the accessible data directory and execute it via the
templatecookie - Trigger the backdoor to read the PrivateBin configuration. 2 passwords leaked
- Login to Arcane running on port 3552 on root domain via leaked pw
- Arcane Docker Management dashboard, new privileged container configured using the Nginx image
- Root volume mapped to hostfs, root.txt access
For Every Script used in this writeup, please click here
For a complete non-public writeup, please check here
ALSO READ: Mastering CCTV: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF KOBOLD ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL NON-PUBLIC WRITEUP RIGHT NOW, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
Recon and Enumeration on Kobold HackTheBox
The reconnaissance phase is where your journey truly begins. Your goal is to map out the target system’s attack surface by identifying open ports, running services, and any web applications. A thorough enumeration process is the foundation for a successful exploit.
For Kobold, you’ll start with a comprehensive Nmap scan to see what services are exposed. From there, you’ll focus on the HTTP service, as it’s often the most fruitful entry point. Let’s dive into the specifics of scanning and exploring the web application.
Scanning Ports and Services with Nmap
The first step in your enumeration is to run an Nmap scan to identify open TCP ports and the services running on them. A standard scan will quickly reveal the entry points available on the Kobold machine. Using flags like -sV for version detection and -sC for default scripts will provide valuable initial information.
The scan results are clear and point you in the right direction. You’ll find two common ports open: one for remote shell access and another for web services. The web server, running on Apache, immediately becomes the primary target for further investigation. The version information for both SSH and Apache can also offer clues, though in this case, the web application itself is the key.
Your Nmap scan will show the following open ports and services:
| Port | State | Service | Version |
|---|---|---|---|
| 22 | open | ssh | OpenSSH 7.4p1 Debian 10+deb9u6 |
| 80 | open | http | Apache httpd 2.4.25 ((Debian)) |
Exploring the Website and Web Application
With the discovery of an open HTTP port, your next move is to explore the website. Navigating to the machine’s IP address in your browser reveals a simple page. However, Nmap’s discovery of a robots.txt file points you to a more interesting directory: /writeup/. This directory contains a blog-style site that appears to be under construction.
Upon further web enumeration, you’ll find that the site is built using a content management system. By inspecting the page source, you can identify the CMS as “CMS Made Simple.” This is a critical piece of information. Knowing the name and, ideally, the version of the web application allows you to search for known vulnerabilities.
This discovery is a classic example of how initial enumeration leads directly to an attack vector. The combination of the robots.txt entry and the page source information gives you a clear target: a specific version of CMS Made Simple that is known to have a security flaw.
Step-by-Step Walkthrough for Kobold HTB Writeup
Now we get to the exciting part: the full walkthrough. This section will guide you through each phase of the attack, from finding the initial vulnerability to achieving root access. We will break down the process into clear, manageable steps to ensure you understand the “how” and “why” behind each action.
Following these steps methodically will lead you to successfully compromise the Kobold machine. This walkthrough is designed to be a practical guide, demonstrating how the information gathered during enumeration is used to execute a successful exploit.
Step 1: Initial Enumeration and Finding Entry Points
As established, your initial Nmap scan reveals SSH on port 22 and HTTP on port 80. Exploring the website at the machine’s IP address and following the robots.txt directive leads you to the /writeup/ URL. Inspecting the source code of this page reveals that the site is powered by “CMS Made Simple.”
A quick search for vulnerabilities related to this CMS will bring up an unauthenticated blind SQL injection exploit for versions prior to 2.2.10. This is your entry point. The exploit is available as a Python script that can extract sensitive information from the database, including user credentials.
You will need to download the exploit script and run it against the target URL. The script works by sending timed SQL queries to the server to exfiltrate data character by character. After a few minutes, the script will successfully retrieve a username, email address, and a hashed password from the database.
Step 2: Gaining User Access (www-data/user flag)
With the credentials in hand, the next step is to crack the password hash. The exploit script has a built-in cracking function that can be used with a wordlist like rockyou.txt. Once the script finishes, you will have the plaintext password for the username “jkr.”
Now you can use these credentials to gain your initial foothold. The SSH service on port 22 is the intended way in. Use the username “jkr” and the cracked password to log into the machine. A successful login will grant you a shell as the user jkr, and you can now navigate the file system.
Once you are logged in, you can find the first flag. The user flag, user.txt, is located in the jkr user’s home directory. You can read its contents with a simple cat command. This marks the first major milestone in conquering the Kobold Linux machine.
Step 3: Privilege Escalation to Root
After gaining user access, the final objective is privilege escalation to root. A crucial step here is enumerating the user’s permissions. Running the id command reveals that the user jkr is a member of the “staff” group. In Debian-based systems, this group has write permissions to the /usr/local directory.
This permission is a significant misconfiguration. The PATH environment variable for the root user often includes /usr/local/bin and /usr/local/sbin before system directories. By monitoring running processes with a tool like pspy, you can identify a script or command run by root that you can hijack. You’ll notice that run-parts is executed by root whenever a user logs in via SSH.
You can create a malicious Bash script, name it run-parts, and place it in /usr/local/bin. This script will be executed with root privileges the next time you SSH into the machine. A simple payload to copy /bin/bash and set the SUID bit will create a backdoor shell. After logging in again, you can use this new shell to become root and capture the final flag.
Common Pitfalls and Tips for Beginners
When tackling a new machine like Kobold, it’s easy to get stuck or go down the wrong path. For beginners, recognizing common mistakes and knowing some helpful strategies can make all the difference. This machine is straightforward, but a few pitfalls could slow you down.
Remember to be patient and methodical. Rushing through enumeration often leads to missed opportunities. Let’s look at some specific mistakes to avoid and tips that will help you solve this box efficiently.
Mistakes to Avoid and Helpful Strategies
One of the most common mistakes is not performing thorough enumeration. For example, if you miss the robots.txt file or fail to inspect the web page’s source code, you’ll miss the crucial clue about “CMS Made Simple.” Another potential pitfall is getting bogged down with other services or directories that are intentionally left as distractions.
During privilege escalation, it’s easy to overlook the significance of group memberships. Simply running id and checking the permissions of non-default groups like “staff” is a critical step that many beginners skip. Don’t assume a user has standard permissions; always verify.
Here are some helpful tips and mistakes to avoid:
- Don’t skip enumeration: Always check
robots.txtand page sources. - Focus on the obvious: The CMS vulnerability is the intended path; don’t overcomplicate it.
- Check user permissions: The
idcommand is your best friend for privilege escalation clues. - Be patient with exploits: The blind SQL injection exploit takes time. Let it run.
- Understand the
PATH: Knowing how thePATHvariable works is key to the root exploit.
Conclusion
In conclusion, conquering Kobold on HackTheBox is a rewarding journey that combines skill, patience, and strategic thinking. By understanding the unique challenges it presents and following the step-by-step walkthrough provided, you can enhance your cybersecurity skills significantly. Remember to approach each step methodically, leverage the right tools, and learn from common pitfalls to maximize your chances of success. As you navigate through the intricacies of this machine, don’t forget to celebrate your progress, no matter how small. If you found this guide helpful, consider subscribing for more insights and tips on mastering HackTheBox challenges!
Frequently Asked Questions
Which vulnerabilities are typically exploited in Kobold HackTheBox?
The main vulnerability exploited in the Kobold challenge is an unauthenticated blind SQL injection in an outdated version of CMS Made Simple. This allows an attacker to extract user credentials from the database. For privilege escalation, the exploit leverages misconfigured staff group permissions on the Linux system.
What techniques help in privilege escalation on Kobold HTB?
Privilege escalation on Kobold is achieved by abusing the “staff” group’s write permissions in /usr/local/bin. This allows you to perform a PATH hijacking attack. By creating a malicious script that mimics a system command run by a root-owned cron job or process, you can execute code as root.
Are there hints for getting the user flag on Kobold HackTheBox?
Yes, the key hint is to thoroughly perform web enumeration. Finding the /writeup/ folder from robots.txt and identifying “CMS Made Simple” in the source code are crucial steps. The exploit requires patience as it extracts the password, so let the script run its course to get the user credentials.
How does the Kobold HackTheBox Writeup compare to other HTB walkthroughs?
The Kobold walkthrough is typical for an “Easy” rated Linux box, focusing on a clear, linear exploit path. In comparison to harder boxes, it doesn’t involve complex binary exploitation, buffer overflows, or multi-stage pivoting. This makes the hack straightforward and an excellent learning tool for foundational penetration testing concepts.
