Kobold

HackTheBox Kobold machine writeup — reconnaissance and enumeration walkthrough.

Executive Summary

Kobold is a medium-difficulty Linux machine that demonstrates a realistic attack chain involving modern AI tooling misconfigurations and container security failures. The engagement begins with reconnaissance revealing multiple web services including an MCPJam Inspector endpoint vulnerable to unauthenticated Remote Code Execution (CVE-2026-23744). After obtaining an initial shell as user ben, enumeration reveals the user possesses a dormant Docker group membership that - when activated via newgrp docker - provides full root access through a container escape technique, mounting the host filesystem into a privileged container.


Table of Contents

1. Environment Setup
2. Reconnaissance
   2.1 - Port Scanning
   2.2 - Service Enumeration
   2.3 - Virtual Host Discovery
3. Initial Access - CVE-2026-23744
   3.1 - Vulnerability Research
   3.2 - Exploit Development
   3.3 - Shell Acquisition
   3.4 - Shell Stabilization
4. Post-Exploitation Enumeration
   4.1 - User Context
   4.2 - Network Services
   4.3 - Running Processes
   4.4 - File System Analysis
   4.5 - Group Membership Analysis
5. Privilege Escalation - Docker Group Abuse
   5.1 - Activating Docker Group
   5.2 - Container Verification
   5.3 - Container Escape
   5.4 - Flag Capture
6. Vulnerability Summary
7. Remediation Recommendations

1. Environment Setup

Before beginning enumeration, configure the local /etc/hosts file to resolve the target’s virtual hostnames. The SSL certificate discovered during scanning reveals wildcard SAN coverage for *.kobold.htb, indicating multiple subdomains are in use.

sudo nano /etc/hosts

Add the following line:

10.129.12.219   kobold.htb mcp.kobold.htb bin.kobold.htb

Create a dedicated working directory to keep all output organized:

mkdir -p ~/htb/kobold/{nmap,web,loot}
cd ~/htb/kobold

Set the target IP as a variable for convenience throughout the engagement:

export TARGET=10.129.12.219
export LHOST=10.10.14.209

2. Reconnaissance

2.1 - Port Scanning

Begin with a comprehensive Nmap scan covering all 65535 ports with service detection, default scripts, and version enumeration:

nmap -sC -sV -p- -T4 --min-rate 5000 -oA nmap/kobold_full $TARGET

Full Scan Output:

Starting Nmap 7.98 at 2026-03-22 23:34 +0530

PORT     STATE  SERVICE   VERSION
22/tcp   open   ssh       OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
                          | ssh-hostkey:
                          |   256 8c:45:12:36:03:61:de:0f:0b:2b:c3:9b:2a:92:59:a1 (ECDSA)
                          |_  256 d2:3c:bf:ed:55:4a:52:13:b5:34:d2:fb:8f:e4:93:bd (ED25519)

80/tcp   open   http      nginx 1.24.0 (Ubuntu)
                          |_ http-title: Did not follow redirect to https://kobold.htb/
                          |_ http-server-header: nginx/1.24.0 (Ubuntu)

443/tcp  open   ssl/http  nginx 1.24.0 (Ubuntu)
                          |_ http-title: Kobold Operations Suite
                          | ssl-cert: Subject: commonName=kobold.htb
                          | Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb
                          | Not valid before: 2026-03-15T15:08:55
                          |_ Not valid after:  2125-02-19T15:08:55

3552/tcp open   http      Golang net/http server
                          |_ http-title: (no title - GetArcane UI)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Analysis of Findings:

Port   Service          Notes
22     OpenSSH 9.6p1    Standard SSH - note key fingerprints
80     nginx 1.24.0     Immediate redirect to HTTPS - nothing here directly
443    nginx 1.24.0     Main application - "Kobold Operations Suite"
3552   Golang HTTP      GetArcane - Docker management UI running as root

The wildcard SAN *.kobold.htb in the TLS certificate is a strong indicator of virtual host routing for multiple subdomains. Port 3552 running a Golang HTTP server is unusual - Golang-based Docker management tools like Portainer, Arcane, and similar panels are often misconfigured.
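The analysis above is done by eye; as an added example (not part of the original writeup), the script below turns the same Nmap normal-format output into structured findings: one record per open port, the DNS names in the certificate's SAN, the concrete hostnames a wildcard SAN implies for the subdomain labels you supply, and the application version leaked by a cache-busting query string in an asset URL. The Nmap excerpt and the HTML snippet in the test are constructed from what is shown on this page; the label list is an assumption.

```python
"""Added example: structure the recon output into findings.
Not code from the original writeup."""
import re

# Constructed sample: an excerpt of the Nmap normal-format output shown above.
NMAP_OUT = """\
PORT     STATE  SERVICE   VERSION
22/tcp   open   ssh       OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
80/tcp   open   http      nginx 1.24.0 (Ubuntu)
443/tcp  open   ssl/http  nginx 1.24.0 (Ubuntu)
                          | ssl-cert: Subject: commonName=kobold.htb
                          | Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb
3552/tcp open   http      Golang net/http server
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$", re.M)
SAN_RE = re.compile(r"Subject Alternative Name:\s*(.+)")
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
# Matches asset references such as privatebin.js?2.0.2 and captures name + version.
VERSION_RE = re.compile(r'<script[^>]+src="[^"]*?([a-z]+)\.js\?(\d+(?:\.\d+)+)"', re.I)


def parse_ports(text):
    """One dict per port line of Nmap normal output (script lines are skipped)."""
    return [{"port": int(p), "proto": pr, "state": st, "service": sv, "version": ver.strip()}
            for p, pr, st, sv, ver in PORT_RE.findall(text)]


def san_dns_names(text):
    """DNS entries from the ssl-cert script's SAN line; other SAN types are ignored."""
    m = SAN_RE.search(text)
    if not m:
        return []
    return [e.split(":", 1)[1] for e in re.split(r",\s*", m.group(1)) if e.startswith("DNS:")]


def vhost_candidates(text, labels):
    """Keep exact SANs; expand each wildcard SAN with the supplied labels (an assumption)."""
    names = []
    for n in san_dns_names(text):
        if n.startswith("*."):
            names.extend(f"{label}.{n[2:]}" for label in labels)
        else:
            names.append(n)
    return names


def fingerprint(html):
    """Page title plus the app name/version leaked in a script's query string."""
    t = TITLE_RE.search(html)
    v = VERSION_RE.search(html)
    return {"title": t.group(1).strip() if t else None,
            "app": v.group(1) if v else None,
            "version": v.group(2) if v else None}
```

The same parsing is what a scheduled asset-inventory job would do with scan output: an unexpected high port or a wildcard certificate on a host is a finding to review, not just a pivot for an attacker.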

2.2 - Service Enumeration

Probe each service individually for version information and content:

# Check port 80 - confirm redirect
curl -v http://$TARGET/ 2>&1 | grep -E "Location|HTTP/"
# HTTP/1.1 301 Moved Permanently
# Location: https://kobold.htb/

# Check port 443 - grab page title and headers
curl -sk https://kobold.htb/ | grep -i "<title>"
# <title>Kobold Operations Suite</title>

# Check GetArcane on port 3552
curl -sk http://$TARGET:3552/ | grep -i "title\|arcane\|version" | head -5

2.3 - Virtual Host Discovery

With the wildcard SAN confirmed, enumerate subdomains:

# Check mcp subdomain
curl -sk https://mcp.kobold.htb/ | grep -i "title\|mcp\|inspector" | head -5

# Check bin subdomain
curl -sk https://bin.kobold.htb/ | grep -i "title\|privatebin\|version" | head -5

Discovered subdomains:

https://mcp.kobold.htb - MCPJam Inspector
This is an MCP (Model Context Protocol) server testing and debugging interface. It provides a web UI and REST API for connecting to, testing, and debugging MCP servers. The API exposes an endpoint /api/mcp/connect that processes server connection requests.

https://bin.kobold.htb - PrivateBin 2.0.2
An encrypted zero-knowledge pastebin. The version number 2.0.2 is visible in the page footer and in JavaScript asset filenames like privatebin.js?2.0.2. This version carries CVE-2025-64714 (LFI via template cookie).

http://kobold.htb:3552 - GetArcane Docker Manager
A Docker container management panel (similar to Portainer) written in Go. Runs directly on the host as root. Presents a login page.



Premium Content

The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.

This post is licensed under CC BY 4.0 by the author.