WEB · EASY · HTB Season 10

Kobold

Key observations:

- Port 80/443 redirects to `https://kobold.htb/`
- Port 3552 runs **Arcane**, a self-hosted Docker and Compose management platform (v1.13.0)
- SSL cert has `DNS:kobold.htb, DNS:*.kobold.htb` (wildcard)

Category: WEB
OS: Linux


Enumeration

Port Scan

```bash
rustscan -a 10.129.11.231 --ulimit 1000 -r 1-65535 -- -A -sC -Pn
```

```
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
80/tcp   open  http     nginx 1.24.0 (Ubuntu)
443/tcp  open  ssl/http nginx 1.24.0 (Ubuntu)
3552/tcp open  http     Golang net/http server
```

Add Hostnames

```bash
echo "10.129.11.231  kobold.htb mcp.kobold.htb bin.kobold.htb" | sudo tee -a /etc/hosts
```

Subdomain Enumeration

```bash
gobuster vhost -u https://kobold.htb --append-domain \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
  -t 50 -k
```

```
mcp.kobold.htb  Status: 200 [Size: 466]
bin.kobold.htb  Status: 200 [Size: 24402]
```

| Subdomain | Service | Version |
| --- | --- | --- |
| mcp.kobold.htb | MCPJam Inspector | v1.4.2 |
| bin.kobold.htb | PrivateBin | v2.0.2 |

Service Summary

| Port | Service | Notes |
| --- | --- | --- |
| 22 | SSH | OpenSSH 9.6p1 |
| 80/443 | nginx | Redirects to https://kobold.htb/ |
| 3552 | Arcane | Docker management API (Go), v1.13.0 |
| 127.0.0.1:8080 | PrivateBin container | Docker-proxied, exposed via bin.kobold.htb |

The rest of this writeup is locked

Contact me on Discord or LinkedIn for the password.

HackTheBox policy restricts publishing walkthroughs for active-season machines. This writeup is password-protected to respect that policy while keeping the content available to those who already have access.