A walkthrough of the HackTheBox machine 'Snapped', a Linux box running nginx with an Nginx UI admin panel. Initial access is gained by exploiting CVE-2026-27944, an unauthenticated backup download vulnerability in Nginx UI that leaks AES encryption keys via the X-Backup-Security response header. Decrypting the backup reveals a SQLite database with bcrypt password hashes; cracking one yields SSH access as user jonathan. Privilege escalation to root uses CVE-2026-3888, a snapd local privilege escalation where systemd-tmpfiles deletes snap-confine's private /tmp/.snap directory, enabling a race condition to replace the dynamic linker (ld-linux-x86-64.so.2) with a malicious payload that runs as root via the SetUID snap-confine binary.

30m read time. From 0xdf.gitlab.io