MakeSense HTB Writeup Premium

I just solved MakeSense from Hack the Box!

MakeSense Machine Summary

MakeSense is a medium-difficulty Linux machine on Hack The Box that focuses on web application assessment, WordPress enumeration, client-side source code analysis, cryptographic abuse, cross-site scripting (XSS), authenticated remote code execution, credential harvesting, lateral movement, and privilege escalation through the abuse of an internal OCR service. The machine demonstrates how a seemingly minor client-side information disclosure can be chained with insecure server-side processing to achieve complete system compromise.

The attack chain began with Nmap enumeration, which identified an Ubuntu-based target exposing SSH and an HTTPS web server running Apache. During the initial reconnaissance, the TLS certificate revealed the virtual host makesense.htb, leading to host configuration by adding the hostname to the local hosts file. With name resolution in place, web enumeration confirmed that the application was a WordPress-powered website built with PHP and MySQL, while directory enumeration using Feroxbuster identified several WordPress-specific directories, including wp-admin, wp-content, and wp-includes.

Next, WordPress enumeration with WPScan confirmed the WordPress version, exposed XML-RPC and WP-Cron, revealed an accessible uploads directory and readme.html file, and enumerated valid usernames that could later assist in authentication attacks. During source code analysis, inspection of the custom whisper-wrapper.js file uncovered a hardcoded AES-GCM encryption key used by the site's voice transcription feature, together with valuable implementation details describing how transcription data was encrypted before being submitted to the backend.

Further vulnerability analysis revealed that the server blindly trusted client-generated encrypted payloads and stored decrypted transcription data without proper sanitization. This made it possible to encrypt arbitrary content using the exposed key and inject malicious JavaScript into the transcription field, resulting in a stored XSS vulnerability that executed whenever the administrator reviewed the malicious submission.

To automate the attack, I performed exploit development by creating a Python script that encrypted a malicious transcription payload, delivered the XSS attack, waited for the administrator bot to execute it, created a new WordPress administrator account, uploaded a malicious plugin for remote code execution, extracted database credentials from wp-config.php, and reused them to authenticate as a local user over SSH.

Finally, the attack concluded with initial access and privilege escalation. Remote code execution provided a shell as www-data, from which the database password for the user walter was recovered and reused for SSH access to capture the user flag. The final privilege escalation abused an internally exposed OCR service by submitting a crafted payload that wrote a PHP file, modified the permissions of /bin/bash, and leveraged the resulting SUID binary to obtain root privileges, successfully capturing both the user and root flags.

Owned MakeSense from Hack the Box -- HTB Season 11 Machine Complete Walkthrough

Protected Page

The first step in owning the MakeSense machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:

MakeSense HTB Walkthrough

Once the connection between my Kali Linux terminal and Hack the Box server has been established, I started the MakeSense machine and I was assigned an IP address (10.129.32.128).

MakeSense HTB Write Up


Nmap Enumeration

I began by performing an Nmap service and version scan against the target to enumerate the exposed network services, identify the operating system, and gather as much information as possible for the initial reconnaissance phase. This allowed me to understand the attack surface before interacting with any of the available services.

makesense.htb

The scan revealed SSH running on port 22 and an HTTPS web server on 443 backed by Apache 2.4.58. The TLS certificate identified the virtual host as makesense.htb, while the website was running WordPress 7.0 with the page title Agency LLC, indicating that host configuration would likely be required before further web enumeration. Ports 80 and 8001 appeared filtered, suggesting firewall restrictions, and OS detection identified the target as an Ubuntu-based Linux system.


Host Configuration

After identifying the virtual host makesense.htb from the TLS certificate during the Nmap scan, I needed to configure my attack machine so that requests would resolve to the correct hostname. Without this step, the web application might not load properly or could serve unexpected content.

MakeSense Hack the Box Walkthrough

I added the target IP address and hostname to my local /etc/hosts file, allowing my system to resolve makesense.htb locally. With the host configuration complete, I was ready to begin enumerating the web application through the intended virtual host.


Web Enumeration

After configuring the virtual host, I navigated to the target in my browser and confirmed that requests to the target IP were redirected to https://makesense.htb. I manually explored the website and found a professionally designed WordPress-based company page containing sections such as Cases, Team, and a Contact form, but no obvious functionality that immediately led to code execution.

HTB-MakeSense
makesense hack the box writeup
I just solved MakeSense from Hack the Box

Using the Wappalyzer browser extension, I fingerprinted the web application to identify the technologies running behind the site. The results confirmed that the application was built on WordPress 7.0, powered by PHP with a MySQL database, and served by Apache 2.4.58. This information provided valuable insight into the application's technology stack and helped narrow the focus toward WordPress-specific enumeration and potential vulnerabilities.


Directory Enumeration

After confirming the application was running WordPress, I performed directory enumeration to identify additional files and directories that were not directly linked from the homepage. I used Feroxbuster with a medium-sized wordlist, disabled certificate verification because the site used a self-signed certificate, and disabled recursion to perform a quick initial scan.

HackTheBox - MakeSense

The scan confirmed several interesting directories, including /wp-admin, /wp-content, and /wp-includes, further verifying the WordPress installation. It also identified /scripts and /javascript, which could contain custom application resources worth investigating. With these paths identified, I proceeded to inspect each one manually for sensitive files and potential attack vectors.


Directory Enumeration

To complement the previous directory enumeration, I also tested the application with Gobuster using a different wordlist. Running multiple enumeration tools can sometimes uncover resources that another tool misses due to differences in request handling or filtering.

[HTB] MakeSense Writeup

The scan did not complete successfully because the server returned a 301 redirect for non-existent directories instead of the expected 404 Not Found response. Since every invalid path appeared to exist, Gobuster detected wildcard behavior and stopped the scan to prevent false positives. This indicated that the scan would require additional filtering, such as excluding the redirect response or enabling wildcard handling, before meaningful enumeration could continue.


WordPress Enumeration

After confirming that the target was running WordPress, I used WPScan to enumerate users, themes, and known vulnerabilities while disabling TLS certificate validation because the site was using a self-signed certificate. This provided a more comprehensive assessment of the WordPress installation than manual inspection alone.

Beginner’s Guide to Conquering MakeSense on Hack the Box

MakeSense-HTB---Full-Walkthrough-Linux-Medium-Season-11

The scan confirmed that the site was running WordPress 7.0 with the custom WebAgency theme. It also revealed that XML-RPC and WP-Cron were enabled, the uploads directory allowed directory listing, and the readme.html file was publicly accessible, exposing additional information about the installation. Although no vulnerable plugins or themes were identified, WPScan successfully enumerated three valid usernames - walter, admin, and jake - which became valuable targets for further authentication testing.


Source Code Analysis

While reviewing the files exposed under the custom WebAgency theme, I manually browsed to the whisper-wrapper.js JavaScript file. Examining client-side source code is often worthwhile because developers sometimes leave sensitive information, hardcoded secrets, or implementation details that are not visible through the web interface.

MakeSense HackTheBox root flag

The source code revealed a hardcoded AES-GCM encryption key (ENCRYPTION_KEY = 'bLs6z8iv3gWpsvyeabFosDjb4YQe7jdU13rI') used by the application's voice transcription feature. The script also showed that the application relied on Whisper and Transformers.js models hosted locally, performed client-side transcription and summarization, and encrypted the transcription data before sending it to the server. This exposed encryption key immediately stood out as a valuable finding and suggested that the client-side encryption mechanism might be reversible or reusable during later stages of the attack.


Vulnerability Analysis

After reviewing the JavaScript source, I traced how the voice transcription feature processed user input from the browser to the server. The client transcribed audio, generated a summary, encrypted both values with the exposed AES-GCM key, and submitted the encrypted payload to the admin-ajax.php?action=save_voice_results endpoint.

Because the encryption key was hardcoded in the client, I could generate my own valid encrypted payloads that the server would successfully decrypt. More importantly, the decrypted transcription was stored without proper sanitization, making it possible to inject arbitrary JavaScript into the application. When an administrator later viewed the malicious entry, the injected script executed in their browser, retrieved the required WordPress nonce, and created a new administrator account, providing the initial foothold into the application.


Exploit Development

After confirming the exposed encryption key and vulnerable voice workflow, I created an exploit script to automate the full attack chain instead of performing each step manually. The script handles payload encryption, XSS delivery, administrator account creation, plugin upload for RCE, credential extraction, SSH access, and final privilege escalation.

HackTheBox - MakeSeason HTB Season 11 Machine Complete Walkthrough

The script first sets the target host, derives the AES-GCM key, detects my VPN IP, and prepares an XSS payload that creates the pwn administrator user when the admin bot visits the injected content. Functions like get_nonce_val(), enc_data(), and trigger_xss() retrieve the WordPress nonce, encrypt the malicious transcription payload, and submit it to admin-ajax.php.

After the admin user is created, try_login() authenticates to WordPress, while upload_plugin_file() uploads a malicious plugin to gain command execution as www-data through exec_cmd(). The script then reads wp-config.php to extract the database password, reuses it for SSH access as walter, and retrieves user.txt.

For privilege escalation, make_img() converts the PHP payload into an image for the internal OCR service, while ssh_exec() and ssh_stdin_exec() interact with the target over SSH. The final OCR abuse writes a PHP file internally, triggers it to set the SUID bit on /bin/bash, and then uses bash -p to read the root flag.


Initial Access and Privilege Escalation

With the exploit script complete, I executed it against the target to automate the entire attack chain. The script delivered the encrypted XSS payload, waited for the administrator bot to trigger it, created a new administrator account, and authenticated to the WordPress dashboard before continuing with the remaining stages of the attack.

Rooted MakeSense from Hack the Box

After gaining administrative access, the script uploaded a malicious plugin to obtain remote code execution as www-data, extracted Walter's password from wp-config.php, and reused it to authenticate over SSH and retrieve the user flag. Finally, it abused the internal OCR service to achieve root privileges, successfully capturing both user.txt and root.txt, confirming complete compromise of the target system.


Keywords:

MakeSense HTB Writeup

MakeSense HTB Walkthrough

makesense.htb

HTB-MakeSense

MakeSense Hack the Box Writeup

MakeSense Hack the Box Walkthrough

HackTheBox - MakeSense 

guide makesense htb walkthrough youtube

HackTheBox - MakeSeason HTB Season 11 Machine Complete Walkthrough

tool makesense htb walkthrough checklist

video makesense htb walkthrough pdf

download makesense htb walkthrough sheet

MakeSense Writeup - HackTheBox

Hack The Box - HTB MakeSense Writeup - Medium - Linux

[HTB] MakeSense Writeup

Beginner’s Guide to Conquering MakeSense on Hack the Box

MakeSense-HTB---Full-Walkthrough-Linux-Medium-Season-11

MakeSense HTB - Complete Writeup

htb-writeup makesense

MakeSense HTB S11 (Linux Medium)

Walkthrough MakeSense HTB

I just solved MakeSense from Hack the Box

Rooted MakeSense from Hack the Box

MakeSense HTB user flag

MakeSense HackTheBox root flag

Enigma HTB Writeup

Enigma HTB Walkthrough

enigma.htb

Enigma - HackTheBox Season 11 Machine Walkthrough

enigma hack the box writeup

enigma hack the box

support_001.enigma.htb

mail001.enigma.htb

kevin:Enigma2024!

I just solved Enigma from Hack the Box!

Enigma machine htb season11 user flag

HackTheBox - Enigma Season 11 htb root flag

Owned Enigma from Hack the Box

Enigma HTB Walkthrough Season 11 HackTheBox machine

Rooted Enigma from Hack the Box

Enigma user flag htb season 11 HackTheBox walkthrough

Enigma machine root flag HTB Season11 Hack the Box

Hack The Box (HTB): Enigma Machine (Full Walkthrough)

Pwned Enigma from Hack the Box

eloquia.htb

eloquia htb writeup

Eloquia - HackTheBox Season 9 htb machine walkthrough

HTB Eloquia Complete Solution

Eloquia Hack the Box Walkthrough

Eloquia Hack the Box Write Up

Eloquia HTB Machine Season 9 User Flag

Eloquia Hack The Box Machine Season 9 Root Flag

checkpoint.htb season 11

Checkpoint Hack the Box Walkthrough

Checkpoint Hack the Box Write Up

Checkpoint HTB Writeup

Season 11 Hack the Box - Checkpoint User Flag

Season11 HackTheBox - Checkpoint Root Flag HTB Walkthrough

Reactor - HackTheBox Season 11 Walkthrough

Helix Season11 Hack the Box Walkthrough

Logging HTB Walkthrough

HTB Logging - HackTheBox Season 10 Machine Complete Walkthrough User & Root Flag

DC01.logging.htb

wsus.logging.htb

Hack The Box - Season 10 HTB Logging Writeup - Medium

Logging CTF Walkthroughs

logging htb writeup

Logging Writeup - HackTheBox

Nimbus HTB - Complete Writeup

HTB: Logging - Full Writeup (Season 10)

HTB-Logging

HackTheBox - Logging Season 10 HTB Machine Complete Walkthrough

logging hack the box write up

Logging Machine | HackTheBox

Logging htb-writeup

logging hack the box walkthrough

HTB :: Logging - Writeup

Logging HTB Machine Walkthrough

Mastering Logging: Beginner's Guide from Hack The Box

I just solved Logging from Hack the Box

Pwned Logging from Hack the Box

Hack the Box (HTB) machines Logging walkthrough Season 10

Rooted Logging from Hack the Box

HTB-Logging Season 10 Machine User & Root Flag Solution

Owned Logging from Hack the Box

Post a Comment

1 Comments

  1. To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com

    Note: This write up includes the complete code blocks and commands. The password for each write up is different. I have sent the password to your inbox on Buy Me A Coffee.

    Happy Hacking!!!😈😈

    ReplyDelete