Snapped is a Linux box hosting a static site behind nginx, with an Nginx UI admin panel. I’ll exploit CVE-2026-27944 to decrypt a backup download from the Nginx UI to find bcrypt password hashes in a SQLite database. I’ll crack one to get SSH access. To escalate to root, I’ll exploit CVE-2026-3888, a recent vulnerability in snapd where systemd-tmpfiles deletes snap-confine’s private temp directory, allowing me to win a race condition and replace the dynamic linker with a malicious payload that runs as root.

0xdf hacks stuff

A walkthrough of the HackTheBox machine 'Snapped', a Linux box running nginx with an Nginx UI admin panel. Initial access is gained by exploiting CVE-2026-27944, an unauthenticated backup download vulnerability in Nginx UI that leaks AES encryption keys via the X-Backup-Security response header. Decrypting the backup reveals a SQLite database with bcrypt password hashes; cracking one yields SSH access as user jonathan. Privilege escalation to root uses CVE-2026-3888, a snapd local privilege escalation where systemd-tmpfiles deletes snap-confine's private /tmp/.snap directory, enabling a race condition to replace the dynamic linker (ld-linux-x86-64.so.2) with a malicious payload that runs as root via the SetUID snap-confine binary.

HTB: Snapped