Guardian

Platform: Hack The Box

Season: 9

Difficulty: Hard

OS: Linux

Date: 2025-11-06

Author: x4cc3


Executive Summary

Guardian is a Hard Linux machine with a university portal. The multi-stage attack: IDOR in chat reveals Gitea creds → PhpSpreadsheet source code analysis → XSS in sheet names steals admin session → CSRF creates admin user → LFI with PHP filter chain gives RCE → database credential extraction → privilege escalation through jamil → mark → root via Apache shared library injection.

Recon

Port     Service
22/tcp   SSH
80/tcp   HTTP
# vhost enumeration with ffuf; -ac auto-filters the default response
ffuf -u http://10.10.11.84 -H "Host: FUZZ.guardian.htb" -ac
# result: portal.guardian.htb

Portal subdomain

Help button — default credentials

Default student IDs

Exploitation Chain

1. IDOR → Gitea Credentials

The chat endpoint had an IDOR: chat.php?chat_users[0]=X&chat_users[1]=Y returned the conversation between any two user IDs without checking that the requester was a participant. Iterating over user IDs turned up a conversation containing Gitea credentials: jamil.enockson:DHsNnk3V503.

IDOR chat contents
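As an added defender-side example (not part of the original writeup), the following Python scans Apache combined-format access log lines for clients that successfully read many distinct chat_users pairs from chat.php, which is the trace the enumeration above leaves behind; the log lines, client addresses and the /chat.php path are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client ip, ident, user, [time], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_chat_request(line):
    """Return (client_ip, status, (user_a, user_b)) for a chat.php hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith("/chat.php"):
        return None
    qs = parse_qs(url.query)  # decodes chat_users%5B0%5D back to chat_users[0]
    if "chat_users[0]" not in qs or "chat_users[1]" not in qs:
        return None
    return m.group("ip"), int(m.group("status")), (qs["chat_users[0]"][0], qs["chat_users[1]"][0])


def detect_idor_enumeration(lines, max_pairs=3):
    """Map client ip -> sorted distinct conversations it read with HTTP 200, keeping only
    clients above max_pairs: a real user reads a few of their own chats, not a sweep of IDs."""
    pairs_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_chat_request(line)
        if rec is None:
            continue
        ip, status, pair = rec
        if status == 200:  # only successful reads matter; a 403 means the access check held
            pairs_by_ip[ip].add(pair)
    return {ip: sorted(p) for ip, p in pairs_by_ip.items() if len(p) > max_pairs}


# Constructed sample log: one client walks chat_users[1] upward, another reads a single chat.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Nov/2025:10:00:01 +0000] "GET /chat.php?chat_users%5B0%5D=1&chat_users%5B1%5D=2 HTTP/1.1" 200 5120 "-" "curl/8.4"',
    '198.51.100.7 - - [06/Nov/2025:10:00:02 +0000] "GET /chat.php?chat_users%5B0%5D=1&chat_users%5B1%5D=3 HTTP/1.1" 200 4880 "-" "curl/8.4"',
    '198.51.100.7 - - [06/Nov/2025:10:00:03 +0000] "GET /chat.php?chat_users%5B0%5D=1&chat_users%5B1%5D=4 HTTP/1.1" 200 5010 "-" "curl/8.4"',
    '198.51.100.7 - - [06/Nov/2025:10:00:04 +0000] "GET /chat.php?chat_users%5B0%5D=1&chat_users%5B1%5D=5 HTTP/1.1" 200 4990 "-" "curl/8.4"',
    '198.51.100.7 - - [06/Nov/2025:10:00:05 +0000] "GET /chat.php?chat_users%5B0%5D=1&chat_users%5B1%5D=6 HTTP/1.1" 403 210 "-" "curl/8.4"',
    '198.51.100.9 - - [06/Nov/2025:10:00:06 +0000] "GET /chat.php?chat_users%5B0%5D=7&chat_users%5B1%5D=8 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Nov/2025:10:00:08 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, pairs in detect_idor_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: read {len(pairs)} distinct conversations {pairs}")
```

The real fix is server-side: chat.php must verify the session user is one of the two chat_users before returning anything, so the 403 case becomes the norm and the log check only confirms it.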