I just solved Nimbus from Hack the Box!
Nimbus Machine Summary
Nimbus is a hard-difficulty Linux machine on Hack The Box that focuses on cloud-native application security, AWS service abuse, and containerized privilege escalation. The machine demonstrates how seemingly isolated vulnerabilities including Server-Side Request Forgery (SSRF), insecure cloud configurations, unsafe deserialization, and privileged container execution can be chained together to achieve complete system compromise.
The attack chain began with Nmap enumeration, which revealed an Nginx web server running on port 80 and a redirect to the nimbus.htb virtual host. After performing host configuration by updating the /etc/hosts file, web enumeration exposed a job submission platform and a login page that indicated authentication had been temporarily disabled. Further virtual host enumeration and subdomain validation uncovered an AWS-related subdomain, aws.nimbus.htb, which hinted at the presence of cloud services within the environment.
Investigation of the job submission functionality led to the discovery of a Server-Side Request Forgery (SSRF) vulnerability. By abusing the preview endpoint and bypassing filtering using an octal representation of the metadata service IP address, temporary AWS credentials for the nimbus-web-role were extracted. After performing AWS credential configuration and credential verification, AWS identity enumeration confirmed access to the compromised IAM role, and AWS SQS enumeration revealed a message queue named nimbus-jobs.
The accessible SQS queue became the initial access vector. By submitting a malicious YAML payload to the queue, the worker service deserialized attacker-controlled input and executed arbitrary commands, resulting in a reverse shell as the worker user inside a containerized environment. After obtaining the user flag, environment enumeration revealed a second set of AWS credentials embedded within the container. Following AWS credential reconfiguration, credential verification, and additional AWS identity enumeration, a new identity associated with the nimbus-worker-role was obtained, allowing further AWS enumeration and SQS queue enumeration.
Subsequent process enumeration, application enumeration, source code review, process verification, and worker behaviour analysis revealed that the Python-based worker continuously polled the SQS queue and unsafely processed messages using yaml.load(). This vulnerable design enabled repeated arbitrary code execution and exposed the application's architecture. To automate exploitation, a custom Python script, nimbusexploit.py, was developed to orchestrate the entire attack chain, from SSRF and credential extraction to SQS abuse and callback handling.
Privilege escalation was ultimately achieved by abusing the worker's ability to create privileged CodeBuild containers. The exploit leveraged a privileged build environment and manipulated the Linux core_pattern mechanism to execute commands on the host system and retrieve /root/root.txt. The successful extraction of the root flag completed the compromise of the machine and demonstrated the severe impact of combining cloud misconfigurations, insecure deserialization, and privileged container execution within a modern AWS-backed application.
Protected Page
The first step in owning the Nimbus machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:
Once the connection between my Kali Linux terminal and Hack the Box server has been established, I started the Nimbus machine and I was assigned an IP address (10.129.33.110).
Nmap Enumeration
I began the assessment by running an Nmap scan against the target's HTTP service to identify the web server version and gather any default scripts information. I enumerated port 80 and discovered that the host was running an Nginx web server on Ubuntu.
The scan revealed that port 80 was open and serving nginx 1.24.0 on an Ubuntu system. Nmap also reported that the website automatically redirected visitors to http://nimbus.htb/, indicating that the application relies on a virtual host configuration rather than direct IP access. This immediately suggested that I needed to configure my local hosts file to resolve the nimbus.htb domain before proceeding with further web enumeration.
Host Configuration
After discovering that the web server redirected requests to http://nimbus.htb/, I needed to make my system resolve this domain locally. I ran the following command to map the target IP address to the nimbus.htb hostname in my /etc/hosts file.
This command appended a new entry to the hosts file, allowing my machine to associate nimbus.htb with 10.129.33.110. With the hostname configured, I could now access the application through its intended virtual host and continue with web enumeration.
Web Enumeration
After configuring the hostname, I browsed to http://nimbus.htb/ and began enumerating the web application manually. I discovered two interesting functionalities exposed on the homepage: a Submit Job feature at /jobs and a Sign In page at /login.
The /login page revealed that authentication was temporarily disabled due to an ongoing migration to Okta and explicitly stated that the job_submitter endpoint was unauthenticated during this period. Meanwhile, the /jobs page allowed users to submit jobs either by providing a raw Git URL or by pasting YAML directly, immediately making the job submission functionality a high-value target for further investigation.
Virtual Host Enumeration
After manually reviewing the application, I performed virtual host enumeration to identify any hidden subdomains configured on the web server. I ran ffuf against nimbus.htb and fuzzed the Host header while filtering out the default response size.
The scan revealed a new virtual host named aws.nimbus.htb, which returned an HTTP 403 Forbidden response instead of the filtered default page. Although access was denied, the unique response confirmed that the subdomain existed and exposed an additional attack surface for further enumeration.
Subdomain Validation
After discovering aws.nimbus.htb, I manually inspected the subdomain to determine the type of service running behind it. I used curl to send a request and retrieve both the HTTP headers and response body.
The response returned HTTP/1.1 403 Forbidden along with an XML error message stating InvalidClientTokenId. The presence of the sts.amazonaws.com namespace and the invalid security token error strongly suggested that the subdomain was emulating or exposing an AWS Security Token Service (STS)-like endpoint. Although access was denied, this indicated that the target environment had AWS-related functionality that warranted further investigation.
Server-Side Request Forgery (SSRF)
After noticing that the job submission feature accepted external URLs, I tested whether the application would fetch arbitrary resources on my behalf. I submitted a crafted URL pointing to the cloud instance metadata service using an octal representation of 169.254.169.254 to bypass the application's filtering mechanisms.
The request succeeded and returned HTTP 200 along with temporary AWS credentials for the nimbus-web-role IAM role, including an AccessKeyId, SecretAccessKey, and session Token. This confirmed a Server-Side Request Forgery (SSRF) vulnerability that allowed me to access the cloud metadata service and extract valid AWS credentials from the target environment.
AWS Credential Configuration
After obtaining the temporary AWS credentials through the SSRF vulnerability, I configured my local environment to authenticate as the compromised nimbus-web-role. I exported the access key, secret key, session token, custom AWS endpoint, and region so that subsequent AWS CLI commands would use these credentials automatically.
Credential Verification
After exporting the temporary AWS credentials, I verified that the environment variables had been configured correctly. I ran the following command to display all AWS-related variables currently loaded into my shell session.
The output confirmed that the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, AWS_ENDPOINT_URL, and AWS_DEFAULT_REGION variables were all present. This validation step ensured that my shell was successfully authenticated as the compromised nimbus-web-role and ready for further enumeration of the target's AWS environment.
AWS Identity Enumeration
After confirming that my AWS credentials were loaded correctly, I authenticated to the target's AWS-compatible endpoint and queried my current identity. I used the AWS Security Token Service (STS) to determine which IAM role I had compromised.
The command returned the AWS account ID and revealed that I was operating as the assumed IAM role nimbus-web-role. The ARN also showed that the credentials belonged to an EC2 instance session (i-0a1b2c3d4e5f6789a), confirming that the SSRF vulnerability had exposed temporary credentials from a running cloud instance. This provided a valid identity for further enumeration of the AWS environment.
AWS SQS Enumeration
After confirming my identity as the nimbus-web-role, I began enumerating the available AWS services to understand the cloud environment better. I queried the Simple Queue Service (SQS) to identify any message queues accessible with my compromised credentials.
The command returned a single queue named nimbus-jobs. The queue name closely matched the application's job submission functionality, suggesting that submitted jobs were likely processed asynchronously through this SQS queue. This immediately became an attractive target for further investigation and potential abuse.
Initial Access
After identifying the nimbus-jobs queue, I set up a Netcat listener on port 4444 to wait for an incoming connection. I then submitted a malicious YAML payload to the SQS queue, targeting the job worker responsible for processing queued messages.
A few seconds later, my listener received a connection from 10.129.33.110, providing an interactive shell as the worker user inside a containerized environment. This confirmed that the job worker unsafely deserialized YAML messages from the SQS queue, allowing arbitrary command execution and granting me initial access to the target.
User Flag
worker user's home directory, and discovered a file named user.txt./app directory contained requirements.txt and worker.py, indicating that I had landed inside the application's worker container. In the home directory, I found user.txt and read its contents, successfully obtaining the user flag. This confirmed that I had achieved initial access and completed the user-level objective of the machine.Environment Enumeration
After obtaining the user flag, I continued enumerating the compromised container to search for sensitive information that could facilitate further access. I inspected the environment variables and filtered for AWS-related entries.
The output revealed another set of AWS credentials embedded in the container's environment, including an AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, endpoint URL, and default region. Unlike the temporary credentials obtained through SSRF, these credentials appeared to be long-lived access keys associated with the worker container itself. This discovery provided a new identity to investigate and potentially a path toward further privilege escalation within the cloud environment.
AWS Credential Reconfiguration
After discovering a second set of AWS credentials inside the worker container, I reconfigured my local environment to use these newly obtained access keys. I exported the region, secret key, access key, and custom endpoint so that all subsequent AWS CLI requests would be authenticated with the worker's credentials.
By updating these environment variables, I authenticated as the identity associated with the worker container rather than the previously compromised nimbus-web-role. This prepared my shell for further enumeration and potential privilege escalation using the newly discovered AWS credentials.
Credential Verification
After updating my shell with the newly discovered AWS credentials, I verified that the environment variables had been set correctly. I enumerated the current shell environment and filtered for AWS-related entries.
The output confirmed that the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_ENDPOINT_URL, and AWS_DEFAULT_REGION variables were all present and active. This verification step ensured that subsequent AWS CLI commands would be executed using the credentials extracted from the worker container, allowing me to continue enumerating the cloud environment with the new identity.
AWS Identity Enumeration
After configuring the newly discovered AWS credentials, I authenticated to the target's AWS environment and verified which identity I was operating as. I queried the AWS Security Token Service (STS) to enumerate the current IAM role associated with these credentials.
The command returned the AWS account ID and revealed that I had assumed the nimbus-worker-role with the session name worker. This confirmed that the credentials extracted from the container belonged to the worker service itself rather than the previously compromised nimbus-web-role. The discovery provided a new AWS identity that potentially possessed different permissions and opened additional opportunities for further cloud enumeration and privilege escalation.
AWS Enumeration
After switching to the worker's AWS credentials, I authenticated to the target's AWS environment to identify my new permissions and enumerate accessible services. I first queried my identity and then enumerated the available SQS queues.
The STS response confirmed that I was operating as the nimbus-worker-role within AWS account 847219365028. Enumerating SQS again revealed access to the same nimbus-jobs queue, indicating that the worker role retained permissions over the application's job-processing infrastructure. This suggested that the worker service was tightly integrated with the job queue and warranted further investigation for additional cloud resources and privilege escalation opportunities.
SQS Queue Enumeration
After confirming access to the nimbus-jobs queue, I enumerated its configuration to understand how the application processed queued messages. I requested all available attributes associated with the queue.
The response revealed the queue's ARN, message retention period, visibility timeout, and message statistics. Most notably, the ApproximateNumberOfMessages attribute indicated that two messages were currently waiting in the queue. This suggested that the queue contained pending jobs that could potentially be inspected or manipulated as part of further exploitation of the application's job-processing workflow.
Exploit Development
After enumerating the AWS environment and understanding the relationship between the web application, SQS queue, and worker container, I created a custom Python exploit named nimbusexploit.py. I used the script to automate the entire attack chain, from exploiting the SSRF vulnerability to achieving remote code execution and triggering privilege escalation.
The script automated several tasks, including retrieving IAM credentials from the instance metadata service, authenticating to the AWS-compatible endpoint, sending malicious jobs to the nimbus-jobs queue, and starting an HTTP listener to receive callbacks. It also generated a payload that abused the worker's CodeBuild functionality to launch a privileged container and attempt host-level code execution. By consolidating all these steps into a single script, I eliminated the need for manual exploitation and streamlined the path to obtaining both the user and root flags.
Process Enumeration
Back to the worker container, I enumerated the running processes to better understand how jobs were being executed and to confirm the context of my shell. I listed all active processes running inside the container.
python3 -u worker.py, confirming that a Python-based worker service was responsible for processing queued jobs. I also observed the bash -i processes associated with my reverse shell connection, indicating that my payload had been successfully executed by the worker. This process information provided additional insight into the application's architecture and reinforced that I had achieved code execution within the job-processing container.Application Enumeration
After identifying worker.py as the main process, I navigated to the application's directory to inspect its contents and understand how the worker service was implemented. I enumerated the files and permissions inside the /app directory.
requirements.txt and worker.py. Both files were owned by the worker user and appeared to be the core components of the containerized application. The presence of a single Python script responsible for processing jobs made worker.py an interesting target for source code review and further analysis of the application's functionality and potential vulnerabilities.Source Code Review
After discovering worker.py, I inspected its source code to understand how jobs from the nimbus-jobs queue were processed. I enumerated the script and identified the worker's message-handling logic.
yaml.load(), and executed the script field by passing it directly to python3 -c. Most importantly, the application used yaml.load(..., Loader=yaml.Loader), which performs unsafe deserialization on untrusted input. This design flaw explained why my malicious YAML message achieved arbitrary code execution and confirmed the root cause of the worker compromise.Process Verification
After reviewing the source code, I verified that the worker service was actively running and processing jobs inside the container. I enumerated the running processes and filtered for anything related to the worker application.
python3 -u worker.py was running as PID 1, indicating that it was the container's primary process. I also observed the bash processes associated with my reverse shell connection and the grep command I had just executed. This confirmed that I still had interactive access to the worker container and that the vulnerable job-processing service remained active.Worker Behaviour Analysis
After reviewing the source code, I manually executed the worker application to observe how it processed messages from the nimbus-jobs queue. I ran the worker directly and monitored its output as it consumed queued jobs.
4444 was no longer listening, resulting in a Connection refused error. I also observed several privesc jobs being executed, confirming that the worker accepted queued Python scripts and ran them automatically. This behavior further validated that the vulnerable yaml.load() implementation could be repeatedly abused to achieve arbitrary code execution through the SQS job queue.Privilege Escalation and Root Flag
After validating the worker's behavior, I executed my custom exploit script to automate the entire attack chain from SSRF to privilege escalation. I supplied my VPN IP as the callback address and specified the target IP and listener port.
nimbus-jobs queue. The worker processed the payload and launched a privileged CodeBuild container, which abused the host's core_pattern mechanism to read /root/root.txt. A few seconds later, my callback listener received the flag, and the script printed the root flag, completing the compromise of the machine.Keywords:
Nimbus Hack the Box Walkthrough
Nimbus Hack the Box Writeup
Nimbus htb write up
Nimbus htb walkthrough
I just solved Nimbus from Hack the Box!
Owned Nimbus from Hack the Box
Nimbus - HackTheBox Season 11 Walkthrough
HTB Writeup - Nimbus
Nimbus Writeup - HackTheBox
Nimbus machine HTB reddit hackthebox
Nimbus HTB - Complete Writeup
HTB Nimbus Walkthrough - Season 11 writeup
HTB-Nimbus - Full Exploit Writeup
Hack The Box - HTB Nimbus Writeup - Hard Linux Machine
Nimbus Htb User Flag
Nimbus Htb Root Flag
Nimbus HTB Spoiler Season 11 Complete Solution
HackTheBox Nimbus - Hard Linux HTB Machine Walkthrough Season 11
Connected HTB Write Up
connected htb walkthrough
connected htb writeup
connected hackthebox write up
Connected HackTheBox machine Season 11 HTB
connected hack the box walkthrough
I just solved connected from Hack the Box
Rooted Connected from Hack the Box
Pwned Connected from Hack the Box
Connected HackTheBox HTB Season 11 Machine Writeup Solution Walkthrough
devarea htb walkthrough
Hack the Box Season 11 machine complete write up
DevHub htb writeup
DevHub htb walkthrough
DevHub Hack the Box Write Up
DevHub Hack the Box Walkthrough
devhub.htb season 11 HackTheBox machine
DevHub HackTheBox Writeup
DevHub HackTheBox Walkthrough
HackTheBox devhub machine complete writeup solution
I just solved DevHub from Hack the Box
Pwned DevHub from Hack the Box
Rooted DevHub from Hack the Box
Owned DevHub from Hack the Box
devhub.htb
boltech has successfully pwned Nimbus Machine from Hack The Box
Reactor HTB Writeup
Reactor HTB Walkthrough
reactor.htb Hack the Box Season 10 Walkthrough
Reactor HackTheBox Season 11 Machine
reactor htb machine season 11 user flag
reactor.htb Season 11 HackTheBox Machine Root Flag
[HTB] Reactor Walkthrough
HTB Reactor Writeup
Reactor | HTB Write Up
SmartHire HTB Write Up Premium
SmartHire HackTheBox
SmartHire Hack the Box Walkthrough
SmartHire Hack the Box Writeup
smarthire.htb Season 10 Machine Solution
models.smarthire.htb
SmartHire HTB Walkthrough
Owned SmartHire on Hack the Box































1 Comments
To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com
ReplyDeleteNote: This write up includes the complete code blocks and commands. The password for each write up is different. I have sent the password to your inbox on Buy Me A Coffee.
Happy Hacking!!!😈😈