I just solved Nimbus from Hack the Box!
Nimbus Machine Summary
Nimbus is a hard-difficulty Linux machine on Hack The Box that focuses on cloud-native application security, AWS service abuse, and containerized privilege escalation. The machine demonstrates how seemingly isolated vulnerabilities, including Server-Side Request Forgery (SSRF), insecure cloud configurations, unsafe deserialization, and privileged container execution, can be chained together to achieve complete system compromise.
The attack chain began with Nmap enumeration, which revealed an Nginx web server running on port 80 and a redirect to the nimbus.htb virtual host. After the host was added to the /etc/hosts file, web enumeration exposed a job submission platform and a login page that indicated authentication had been temporarily disabled. Further virtual host enumeration and subdomain validation uncovered an AWS-related subdomain, aws.nimbus.htb, which hinted at the presence of cloud services within the environment.
Investigation of the job submission functionality led to the discovery of a Server-Side Request Forgery (SSRF) vulnerability. By abusing the preview endpoint and bypassing its filtering with an octal representation of the metadata service IP address, temporary AWS credentials for the nimbus-web-role were extracted. Once the credentials were configured and verified, AWS identity enumeration confirmed access to the compromised IAM role, and AWS SQS enumeration revealed a message queue named nimbus-jobs.
The accessible SQS queue became the initial access vector. By submitting a malicious YAML payload to the queue, the worker service deserialized attacker-controlled input and executed arbitrary commands, resulting in a reverse shell as the worker user inside a containerized environment. After obtaining the user flag, environment enumeration revealed a second set of AWS credentials embedded within the container. After the AWS credentials were reconfigured and verified, additional AWS identity enumeration showed a new identity associated with the nimbus-worker-role, allowing further AWS enumeration and SQS queue enumeration.
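The octal bypass described above defeats filters that compare the URL as a string. As an added example (not code from the machine or from this write-up), here is a defender-side check that canonicalises the numeric host the way inet_aton does before comparing it; the function names and the blocked ranges are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy for this example: ranges a server-side fetcher must not reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # link-local, contains the cloud metadata address
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

def naive_is_blocked(url):
    """String blocklist of the kind an alternate IP notation slips past."""
    return "169.254.169.254" in url

def parse_legacy_ipv4(host):
    """Parse host like inet_aton: 1-4 parts, each decimal, 0-octal or 0x-hex.
    Returns an IPv4Address, or None if host is not a numeric IPv4 form."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        if not (p.isascii() and p.isalnum()):
            return None
        hexa = p.lower().startswith("0x")
        base = 16 if hexa else 8 if len(p) > 1 and p[0] == "0" else 10
        try:
            nums.append(int(p, base))
        except ValueError:
            return None
    # Leading parts are single bytes; the last part fills the remaining bytes.
    *head, last = nums
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def classify_host(url):
    """Return 'blocked', 'allowed', or 'needs-resolution' for a fetch target."""
    host = urlsplit(url).hostname or ""
    addr = parse_legacy_ipv4(host)
    if addr is None:
        return "needs-resolution"  # hostname: resolve, then check each address
    return "blocked" if any(addr in net for net in BLOCKED_NETS) else "allowed"
```

A host classified as needs-resolution still has to be resolved and the resulting address checked against the same ranges at connect time, including after any redirect.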
Subsequent process enumeration, application enumeration, source code review, process verification, and worker behaviour analysis revealed that the Python-based worker continuously polled the SQS queue and unsafely processed messages using yaml.load(). This vulnerable design enabled repeated arbitrary code execution and exposed the application's architecture. To automate exploitation, a custom Python script, nimbusexploit.py, was developed to orchestrate the entire attack chain, from SSRF and credential extraction to SQS abuse and callback handling.
Privilege escalation was ultimately achieved by abusing the worker's ability to create privileged CodeBuild containers. The exploit leveraged a privileged build environment and manipulated the Linux core_pattern mechanism to execute commands on the host system and retrieve /root/root.txt. The successful extraction of the root flag completed the compromise of the machine and demonstrated the severe impact of combining cloud misconfigurations, insecure deserialization, and privileged container execution within a modern AWS-backed application.
boltech has successfully pwned Nimbus Machine from Hack The Box

1 Comments
To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com
Note: This write up includes the complete code blocks and commands. The password for each write up is different. I have sent the password to your inbox on Buy Me A Coffee.
Happy Hacking!!!😈😈