HTB Snapped

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/04/01/htb-snapped.html
• Blog Title: HTB: Snapped
• Suggested Section: Pentesting Web -> (add a page under) Web Vulnerabilities Methodology / Information Disclosure: Pre-auth backup export abuse + crypto material leakage (Nginx UI CVE-2026-27944) AND Linux Privilege Escalation -> snapd/snap-confine LPE (CVE-2026-3888) / tmpfiles race + dynamic linker hijack

🎯 Content Summary

This walkthrough for the HTB Linux machine Snapped chains a pre-auth web data-exposure bug in Nginx UI (CVE-2026-27944) into credential recovery and SSH access, then escalates to root via a local snapd privilege escalation (CVE-2026-3888) by abusing systemd-tmpfiles cleanup and snap-confine mount-namespace setup to hijack the dynamic linker.

1) Recon / Service discovery
Two ports are exposed (SSH and HTTP):

...

🔧 Technical Details
Pre-auth encrypted backup exfiltration via key/IV disclosure (CVE-2026-27944, Nginx UI < 2.3.3): If an application exposes a backup download endpoint that returns encrypted artifacts, check whether response headers leak keying material. In this case, /api/backup is accessible without authentication and returns X-Backup-Security: base64(key):base64(iv). Decode to confirm sizes (32-byte key, 16-byte IV) and decrypt the downloaded files with openssl enc -aes-256-cbc -d -K <hexkey> -iv <hexiv>. After decryption, parse recovered configs/DBs (e.g., SQLite) to extract credential hashes/tokens and pivot to remote access.
Version extraction from SPA assets: For modern frontend-heavy admin panels, determine exact version by enumerating script bundles referenced by the main HTML (e.g., assets/index-*.js) and grepping for embedded modules like version-*.js that export a literal version string; th...
🤖 Agent Actions
I’m mapping the repo first and reading the most likely web and Linux privilege-escalation pages before deciding whether this blog adds anything new. After that I’ll verify the CVE details against primary sources and make a single-file edit only if there’s non-duplicate technical value.

I’ve got the repo layout. Next I’m reading the closest existing pages around web backup exposure, Nginx-specific content, and Linux privilege escalation so I can see whether this is already covered and where a single update would fit cleanly.

I’ve confirmed neither technique is already documented in this repo. The cleaner single-file update looks to be the Nginx UI pre-auth backup leak in the existing Nginx web page; I’m now validating the CVE and fix details against primary sources before editing.

I’ve made the placement decision: one update in the existing Nginx page. Before I patch it, I’m pulling the advisory text directly so the vulnerable range, header name, and affected data types match the vendor/NVD wording exactly.

I’ve got enough context. I’m patching the existing Nginx page with a short, technical section focused on the reusable technique: SPA asset versioning for Nginx UI, unauthenticated backup export, leaked key/IV in X-Backup-Security, and immediate offline decryption of the returned artifacts.

Updated nginx.md with a new section on Nginx UI pre-auth backup export abuse: SPA asset version extraction, unauthenticated /api/backup access, X-Backup-Security key/IV leakage, offline AES-256-CBC decryption, and follow-on SQLite/hash extraction.
I kept the change to a single file, added the blog plus primary advisory references, and verified the diff only touches that page. I did not document the snapd LPE here because the repo instructions required a single-file update and the Nginx UI technique was the better fit for this pass.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/04/01/htb-snapped.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> (add a page under) Web Vulnerabilities Methodology / Information Disclosure: Pre-auth backup export abuse + crypto material leakage (Nginx UI CVE-2026-27944) AND Linux Privilege Escalation -> snapd/snap-confine LPE (CVE-2026-3888) / tmpfiles race + dynamic linker hijack".

Repository Maintenance:

• MD Files Formatting: 964 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0