```
rustscan -a 10.129.11.231 --ulimit 1000 -r 1-65535 -- -A -sC -Pn
```

```
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
80/tcp   open  http     nginx 1.24.0 (Ubuntu)
443/tcp  open  ssl/http nginx 1.24.0 (Ubuntu)
3552/tcp open  http     Golang net/http server
```
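Key observations:

- Port 80/443 redirects to `https://kobold.htb/`
- Port 3552 runs **Arcane** — a self-hosted Docker and Compose management platform (v1.13.0)
- SSL cert has `DNS:kobold.htb, DNS:*.kobold.htb` — wildcard subdomain, worth fuzzing

```
echo "10.129.11.231 kobold.htb mcp.kobold.htb bin.kobold.htb" | sudo tee -a /etc/hosts
```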
```
gobuster vhost -u https://kobold.htb --append-domain \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  -t 50 -k
```

```
mcp.kobold.htb Status: 200 [Size: 466]
bin.kobold.htb Status: 200 [Size: 24402]
```
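
On the server side, vhost enumeration like the gobuster run above appears as a single client cycling through many `Host` values that match no configured site. The following is an added detection example, not part of the original writeup; it assumes an nginx access log format that records `$host`, and the log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Vhosts that are actually configured (names taken from the page).
KNOWN_VHOSTS = {"kobold.htb", "mcp.kobold.htb", "bin.kobold.htb"}

# Assumed nginx format (not from the page):
# log_format vhost '$remote_addr [$time_local] "$host" "$request" $status';
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)

def find_vhost_fuzzers(lines, min_unknown=5, min_ratio=0.8):
    """Return {client_ip: sorted unknown hosts} for clients probing many unconfigured Host values."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        seen[m["ip"]].add(m["host"].lower().rstrip("."))
    flagged = {}
    for ip, hosts in seen.items():
        unknown = hosts - KNOWN_VHOSTS
        # Flag only when unknown names dominate what this client asked for.
        if len(unknown) >= min_unknown and len(unknown) / len(hosts) >= min_ratio:
            flagged[ip] = sorted(unknown)
    return flagged

# Constructed sample log: one client walking a wordlist, one ordinary visitor.
SAMPLE_LOG = [
    f'10.10.14.7 [01/Jan/2025:10:00:0{i} +0000] "{name}.kobold.htb" "GET / HTTP/1.1" 302'
    for i, name in enumerate(["www", "mail", "dev", "admin", "test", "api"])
] + [
    '10.10.14.7 [01/Jan/2025:10:00:07 +0000] "mcp.kobold.htb" "GET / HTTP/1.1" 200',
    '10.10.14.20 [01/Jan/2025:10:01:00 +0000] "kobold.htb" "GET / HTTP/1.1" 200',
    '10.10.14.20 [01/Jan/2025:10:01:05 +0000] "bin.kobold.htb" "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, hosts in find_vhost_fuzzers(SAMPLE_LOG).items():
        print(f"{ip} probed {len(hosts)} unconfigured vhosts: {', '.join(hosts)}")
```

Tune `min_unknown` and `min_ratio` to the site's real traffic; a wildcard certificate plus a catch-all `server` block means these probes all receive a response, so the access log is where they become visible.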
| Subdomain | Service | Version |
|---|---|---|
| mcp.kobold.htb | MCPJam Inspector | v1.4.2 |
| bin.kobold.htb | PrivateBin | v2.0.2 |

| Port | Service | Notes |
|---|---|---|
| 22 | SSH | OpenSSH 9.6p1 |
| 80/443 | nginx | Redirects to https://kobold.htb/ |
| 3552 | Arcane | Docker management API (Go), v1.13.0 |
| 127.0.0.1:8080 | PrivateBin container | Docker-proxied, exposed via bin.kobold.htb |

Contact me on Discord or LinkedIn for the password.

HackTheBox policy restricts publishing walkthroughs for active-season machines. This writeup is password-protected to respect that policy while keeping the content available to those who already have access.