I just solved MakeSense from Hack the Box!
MakeSense Machine Summary
MakeSense is a medium-difficulty Linux machine on Hack The Box that focuses on web application assessment, WordPress enumeration, client-side source code analysis, cryptographic abuse, cross-site scripting (XSS), authenticated remote code execution, credential harvesting, lateral movement, and privilege escalation through the abuse of an internal OCR service. The machine demonstrates how a seemingly minor client-side information disclosure can be chained with insecure server-side processing to achieve complete system compromise.
The attack chain began with Nmap enumeration, which identified an Ubuntu-based target exposing SSH and an HTTPS web server running Apache. During the initial reconnaissance, the TLS certificate revealed the virtual host makesense.htb, leading to host configuration by adding the hostname to the local hosts file. With name resolution in place, web enumeration confirmed that the application was a WordPress-powered website built with PHP and MySQL, while directory enumeration using Feroxbuster identified several WordPress-specific directories, including wp-admin, wp-content, and wp-includes.
Next, WordPress enumeration with WPScan confirmed the WordPress version, exposed XML-RPC and WP-Cron, revealed an accessible uploads directory and readme.html file, and enumerated valid usernames that could later assist in authentication attacks. During source code analysis, inspection of the custom whisper-wrapper.js file uncovered a hardcoded AES-GCM encryption key used by the site's voice transcription feature, together with valuable implementation details describing how transcription data was encrypted before being submitted to the backend.
Further vulnerability analysis revealed that the server blindly trusted client-generated encrypted payloads and stored decrypted transcription data without proper sanitization. This made it possible to encrypt arbitrary content using the exposed key and inject malicious JavaScript into the transcription field, resulting in a stored XSS vulnerability that executed whenever the administrator reviewed the malicious submission.
To automate the attack, I performed exploit development by creating a Python script that encrypted a malicious transcription payload, delivered the XSS attack, waited for the administrator bot to execute it, created a new WordPress administrator account, uploaded a malicious plugin for remote code execution, extracted database credentials from wp-config.php, and reused them to authenticate as a local user over SSH.
Finally, the attack concluded with initial access and privilege escalation. Remote code execution provided a shell as www-data, from which the database password for the user walter was recovered and reused for SSH access to capture the user flag. The final privilege escalation abused an internally exposed OCR service by submitting a crafted payload that wrote a PHP file, modified the permissions of /bin/bash, and leveraged the resulting SUID binary to obtain root privileges, successfully capturing both the user and root flags.
Protected Page
The first step in owning the MakeSense machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:
Once the connection between my Kali Linux terminal and Hack the Box server has been established, I started the MakeSense machine and I was assigned an IP address (10.129.32.128).
Nmap Enumeration
I began by performing an Nmap service and version scan against the target to enumerate the exposed network services, identify the operating system, and gather as much information as possible for the initial reconnaissance phase. This allowed me to understand the attack surface before interacting with any of the available services.
The scan revealed SSH running on port 22 and an HTTPS web server on 443 backed by Apache 2.4.58. The TLS certificate identified the virtual host as makesense.htb, while the website was running WordPress 7.0 with the page title Agency LLC, indicating that host configuration would likely be required before further web enumeration. Ports 80 and 8001 appeared filtered, suggesting firewall restrictions, and OS detection identified the target as an Ubuntu-based Linux system.
Host Configuration
After identifying the virtual host makesense.htb from the TLS certificate during the Nmap scan, I needed to configure my attack machine so that requests would resolve to the correct hostname. Without this step, the web application might not load properly or could serve unexpected content.
I added the target IP address and hostname to my local
/etc/hosts file, allowing my system to resolve makesense.htb locally. With the host configuration complete, I was ready to begin enumerating the web application through the intended virtual host.Web Enumeration
After configuring the virtual host, I navigated to the target in my browser and confirmed that requests to the target IP were redirected to https://makesense.htb. I manually explored the website and found a professionally designed WordPress-based company page containing sections such as Cases, Team, and a Contact form, but no obvious functionality that immediately led to code execution.
Using the Wappalyzer browser extension, I fingerprinted the web application to identify the technologies running behind the site. The results confirmed that the application was built on WordPress 7.0, powered by PHP with a MySQL database, and served by Apache 2.4.58. This information provided valuable insight into the application's technology stack and helped narrow the focus toward WordPress-specific enumeration and potential vulnerabilities.
Directory Enumeration
After confirming the application was running WordPress, I performed directory enumeration to identify additional files and directories that were not directly linked from the homepage. I used Feroxbuster with a medium-sized wordlist, disabled certificate verification because the site used a self-signed certificate, and disabled recursion to perform a quick initial scan.
The scan confirmed several interesting directories, including /wp-admin, /wp-content, and /wp-includes, further verifying the WordPress installation. It also identified /scripts and /javascript, which could contain custom application resources worth investigating. With these paths identified, I proceeded to inspect each one manually for sensitive files and potential attack vectors.
Directory Enumeration
To complement the previous directory enumeration, I also tested the application with Gobuster using a different wordlist. Running multiple enumeration tools can sometimes uncover resources that another tool misses due to differences in request handling or filtering.
The scan did not complete successfully because the server returned a 301 redirect for non-existent directories instead of the expected 404 Not Found response. Since every invalid path appeared to exist, Gobuster detected wildcard behavior and stopped the scan to prevent false positives. This indicated that the scan would require additional filtering, such as excluding the redirect response or enabling wildcard handling, before meaningful enumeration could continue.
WordPress Enumeration
After confirming that the target was running WordPress, I used WPScan to enumerate users, themes, and known vulnerabilities while disabling TLS certificate validation because the site was using a self-signed certificate. This provided a more comprehensive assessment of the WordPress installation than manual inspection alone.
The scan confirmed that the site was running WordPress 7.0 with the custom WebAgency theme. It also revealed that XML-RPC and WP-Cron were enabled, the uploads directory allowed directory listing, and the readme.html file was publicly accessible, exposing additional information about the installation. Although no vulnerable plugins or themes were identified, WPScan successfully enumerated three valid usernames - walter, admin, and jake - which became valuable targets for further authentication testing.
Source Code Analysis
While reviewing the files exposed under the custom WebAgency theme, I manually browsed to the whisper-wrapper.js JavaScript file. Examining client-side source code is often worthwhile because developers sometimes leave sensitive information, hardcoded secrets, or implementation details that are not visible through the web interface.
The source code revealed a hardcoded AES-GCM encryption key (
ENCRYPTION_KEY = 'bLs6z8iv3gWpsvyeabFosDjb4YQe7jdU13rI') used by the application's voice transcription feature. The script also showed that the application relied on Whisper and Transformers.js models hosted locally, performed client-side transcription and summarization, and encrypted the transcription data before sending it to the server. This exposed encryption key immediately stood out as a valuable finding and suggested that the client-side encryption mechanism might be reversible or reusable during later stages of the attack.Vulnerability Analysis
After reviewing the JavaScript source, I traced how the voice transcription feature processed user input from the browser to the server. The client transcribed audio, generated a summary, encrypted both values with the exposed AES-GCM key, and submitted the encrypted payload to the admin-ajax.php?action=save_voice_results endpoint.
Because the encryption key was hardcoded in the client, I could generate my own valid encrypted payloads that the server would successfully decrypt. More importantly, the decrypted transcription was stored without proper sanitization, making it possible to inject arbitrary JavaScript into the application. When an administrator later viewed the malicious entry, the injected script executed in their browser, retrieved the required WordPress nonce, and created a new administrator account, providing the initial foothold into the application.
Exploit Development
After confirming the exposed encryption key and vulnerable voice workflow, I created an exploit script to automate the full attack chain instead of performing each step manually. The script handles payload encryption, XSS delivery, administrator account creation, plugin upload for RCE, credential extraction, SSH access, and final privilege escalation.
The script first sets the target host, derives the AES-GCM key, detects my VPN IP, and prepares an XSS payload that creates the pwn administrator user when the admin bot visits the injected content. Functions like
get_nonce_val(), enc_data(), and trigger_xss() retrieve the WordPress nonce, encrypt the malicious transcription payload, and submit it to admin-ajax.php.After the admin user is created, try_login() authenticates to WordPress, while upload_plugin_file() uploads a malicious plugin to gain command execution as www-data through exec_cmd(). The script then reads wp-config.php to extract the database password, reuses it for SSH access as walter, and retrieves user.txt.
For privilege escalation, make_img() converts the PHP payload into an image for the internal OCR service, while ssh_exec() and ssh_stdin_exec() interact with the target over SSH. The final OCR abuse writes a PHP file internally, triggers it to set the SUID bit on /bin/bash, and then uses bash -p to read the root flag.
Initial Access and Privilege Escalation
With the exploit script complete, I executed it against the target to automate the entire attack chain. The script delivered the encrypted XSS payload, waited for the administrator bot to trigger it, created a new administrator account, and authenticated to the WordPress dashboard before continuing with the remaining stages of the attack.
Keywords:
MakeSense HTB Writeup
MakeSense HTB Walkthrough
makesense.htb
HTB-MakeSense
MakeSense Hack the Box Writeup
MakeSense Hack the Box Walkthrough
HackTheBox - MakeSense
guide makesense htb walkthrough youtube
HackTheBox - MakeSeason HTB Season 11 Machine Complete Walkthrough
tool makesense htb walkthrough checklist
video makesense htb walkthrough pdf
download makesense htb walkthrough sheet
MakeSense Writeup - HackTheBox
Hack The Box - HTB MakeSense Writeup - Medium - Linux
[HTB] MakeSense Writeup
Beginner’s Guide to Conquering MakeSense on Hack the Box
MakeSense-HTB---Full-Walkthrough-Linux-Medium-Season-11
MakeSense HTB - Complete Writeup
htb-writeup makesense
MakeSense HTB S11 (Linux Medium)
Walkthrough MakeSense HTB
I just solved MakeSense from Hack the Box
Rooted MakeSense from Hack the Box
MakeSense HTB user flag
MakeSense HackTheBox root flag
Enigma HTB Writeup
Enigma HTB Walkthrough
enigma.htb
Enigma - HackTheBox Season 11 Machine Walkthrough
enigma hack the box writeup
enigma hack the box
support_001.enigma.htb
mail001.enigma.htb
kevin:Enigma2024!
I just solved Enigma from Hack the Box!
Enigma machine htb season11 user flag
HackTheBox - Enigma Season 11 htb root flag
Owned Enigma from Hack the Box
Enigma HTB Walkthrough Season 11 HackTheBox machine
Rooted Enigma from Hack the Box
Enigma user flag htb season 11 HackTheBox walkthrough
Enigma machine root flag HTB Season11 Hack the Box
Hack The Box (HTB): Enigma Machine (Full Walkthrough)
Pwned Enigma from Hack the Box
eloquia.htb
eloquia htb writeup
Eloquia - HackTheBox Season 9 htb machine walkthrough
HTB Eloquia Complete Solution
Eloquia Hack the Box Walkthrough
Eloquia Hack the Box Write Up
Eloquia HTB Machine Season 9 User Flag
Eloquia Hack The Box Machine Season 9 Root Flag
checkpoint.htb season 11
Checkpoint Hack the Box Walkthrough
Checkpoint Hack the Box Write Up
Checkpoint HTB Writeup
Season 11 Hack the Box - Checkpoint User Flag
Season11 HackTheBox - Checkpoint Root Flag HTB Walkthrough
Reactor - HackTheBox Season 11 Walkthrough
Helix Season11 Hack the Box Walkthrough
Logging HTB Walkthrough
HTB Logging - HackTheBox Season 10 Machine Complete Walkthrough User & Root Flag
DC01.logging.htb
wsus.logging.htb
Hack The Box - Season 10 HTB Logging Writeup - Medium
Logging CTF Walkthroughs
logging htb writeup
Logging Writeup - HackTheBox
Nimbus HTB - Complete Writeup
HTB: Logging - Full Writeup (Season 10)
HTB-Logging
HackTheBox - Logging Season 10 HTB Machine Complete Walkthrough
logging hack the box write up
Logging Machine | HackTheBox
Logging htb-writeup
logging hack the box walkthrough
HTB :: Logging - Writeup
Logging HTB Machine Walkthrough
Mastering Logging: Beginner's Guide from Hack The Box
I just solved Logging from Hack the Box
Pwned Logging from Hack the Box
Hack the Box (HTB) machines Logging walkthrough Season 10
Rooted Logging from Hack the Box
HTB-Logging Season 10 Machine User & Root Flag Solution
Owned Logging from Hack the Box









![[HTB] MakeSense Writeup [HTB] MakeSense Writeup](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmTu8lffS5ZWUtFG0yjPxCk8xTGvCKJtfEMX67iwFB6VGzI51i0dpemnlU7XQOxMe4AFWzl3yxVZ_5bZy6_z3sqiCa2DfK3uAIp0Jn3yZZy-QO_T_0pdjacP8S3T2ea1MKQO82xICo4bJfGWx59k82ZQuTdu5PV-WGwM8ZOnJbsnsSlnjDEJvJGf8u9Rl3/s1600/%5BHTB%5D%20MakeSense%20Writeup.jpg)





1 Comments
To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com
ReplyDeleteNote: This write up includes the complete code blocks and commands. The password for each write up is different. I have sent the password to your inbox on Buy Me A Coffee.
Happy Hacking!!!😈😈