Sorcery is a Linux box with a Rust Rocket web app backed by Neo4j, Gitea, and a Kafka message bus. I’ll exploit Cypher injection in a derive-macro-generated query to leak the seller registration key, then use XSS in a product description to register a passkey on the admin account through a headless Chrome bot. I’ll also show a shortcut to change the admin’s password using cypher injection. As admin, a port-debug tool becomes an SSRF I can use to send Kafka wire protocol messages, which I’ll use to get RCE in the DNS container. From there, I’ll recover a CA keypair from FTP, phish the next user with mitmproxy proxying their own Gitea login page, read a password out of an Xvfb framebuffer, and reverse a .NET binary to generate OTPs for Docker Registry auth. Pulling layers out of a pushed image leaks another password, and the final pivots abuse FreeIPA roles to change one user’s password over LDAP and bootstrap sudo rights to root. I’ll show a couple unintended paths using pspy to capture creds as well.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox 'Sorcery' machine, a complex Linux box running a Rust Rocket web app backed by Neo4j, Gitea, and Kafka. The path to root involves exploiting Cypher injection in a derive-macro-generated query to leak a seller registration key, using XSS in a product description to register a passkey on the admin account via a headless Chrome bot, abusing an SSRF in a port-debug tool to send Kafka wire protocol messages for RCE in the DNS container, recovering a CA keypair from FTP, phishing a user via mitmproxy, reading credentials from an Xvfb framebuffer, reversing a .NET binary for Docker Registry OTP auth, and finally abusing FreeIPA roles over LDAP to escalate to root.

HTB: Sorcery