HackTheBox: Silentium

Initial Enumeration:
Port Scan:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-title: Silentium | Institutional Capital & Lending Solutions
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Subdomain enumeration:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://silentium.htb/ -H 'Host: FUZZ.silentium.htb' -fw 6

staging.silentium.htb

There is a staging subdomain which hosts a low-code LLM agent deployment web application.
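How the Host-header fuzzing above looks from the server side, as an added detection example that is not part of the original writeup: it flags clients that request many distinct Host values in a short window. It assumes a custom nginx log_format that records $host (the default combined format does not); the function name, thresholds, IPs and log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed nginx log_format (not from the page):
#   '$remote_addr [$time_local] "$host" "$request" $status $body_bytes_sent'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" "[^"]*" \d{3} \d+$'
)

# Constructed sample log lines (documentation IP ranges, invented values).
SAMPLE_LOG = [
    f'192.0.2.10 [12/Mar/2025:10:00:{i:02d} +0000] "{sub}.silentium.htb" "GET / HTTP/1.1" 302 154'
    for i, sub in enumerate(["www", "mail", "dev", "staging", "admin", "api"])
] + [
    '198.51.100.7 [12/Mar/2025:10:00:01 +0000] "silentium.htb" "GET / HTTP/1.1" 200 8421',
    '198.51.100.7 [12/Mar/2025:10:00:09 +0000] "silentium.htb" "GET /about HTTP/1.1" 200 5120',
    '198.51.100.7 [12/Mar/2025:10:00:30 +0000] "staging.silentium.htb" "GET / HTTP/1.1" 200 3301',
    'garbage line that does not match the format',
]

def detect_vhost_fuzzing(lines, window_seconds=60, min_hosts=5):
    """Map client IP -> peak number of distinct Host values seen inside any
    sliding window, for clients that reach min_hosts."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines written in another format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["host"].lower()))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, host in evs:
            in_window[host] += 1
            # Drop events that fell out of the window ending at ts.
            while (ts - evs[start][0]).total_seconds() > window_seconds:
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(detect_vhost_fuzzing(SAMPLE_LOG))
```

Tune `min_hosts` to the number of virtual hosts a legitimate client can reach on the server; on a host serving two names, anything above that count from one address is worth a look.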

Use the FlowiseAI API endpoint to verify the version of FlowiseAI:
curl http://staging.silentium.htb/api/v1/version
Feel free to reach out on LinkedIn or any of my socials in case you need help with the challenge. The full writeup will be released after the box is retired.