Platform: Hack The Box Fortress
Date: 2025-11-11
Author: x4cc3
Jet is a multi-flag Fortress machine. A DNS zone transfer reveals the securewebinc.jet subdomain, whose site hides an admin panel that is found by deobfuscating its JavaScript. SQL injection in the login form extracts the admin credentials. The admin panel's swear-word filter calls PHP preg_replace with the /e modifier, which gives remote code execution, and a SUID binary named LEAK provides the final flag.
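Added illustration, not the Jet machine's real filter or code from this writeup: a swear-word filter built on preg_replace with /e, as the summary describes, beside a preg_replace_callback version that never evaluates matched text. The word list, inputs and function names are assumptions.

```php
<?php
// Added illustration, not the Jet machine's real filter or the writeup's code.
// Word list, inputs and function names are constructed for this example.

$badWords = array('darn', 'heck');

function quoteWords($words)
{
    // Escape each word for use inside a /-delimited pattern.
    return array_map(function ($w) { return preg_quote($w, '/'); }, $words);
}

// Vulnerable form (PHP 5 era): with /e the replacement string is passed to
// eval() after back-references such as $0 are substituted from the matched
// input, so text the user controls reaches eval(). PHP 7 removed /e; there
// preg_replace emits a warning and returns null.
function filterVulnerable($text, $words)
{
    $pattern = '/\b(' . implode('|', quoteWords($words)) . ')\b/ie';
    return preg_replace($pattern, 'str_repeat("*", strlen("$0"))', $text);
}

// Hardened form: preg_replace_callback hands the match to a PHP closure,
// nothing is eval()'d, and a PCRE failure fails closed instead of silently
// returning unfiltered text.
function filterSafe($text, $words)
{
    $pattern = '/\b(' . implode('|', quoteWords($words)) . ')\b/i';
    $out = preg_replace_callback($pattern, function ($m) {
        return str_repeat('*', strlen($m[0]));
    }, $text);
    if ($out === null) {
        throw new RuntimeException('filter failed, PCRE error ' . preg_last_error());
    }
    return $out;
}

// Constructed check: matches are masked, never evaluated.
$input  = 'What the heck, darn it';
$masked = filterSafe($input, $badWords);
if ($masked !== 'What the ****, **** it') {
    throw new RuntimeException('unexpected output: ' . $masked);
}
echo $masked, PHP_EOL;
```

On PHP 7 and later the /e form no longer works at all, so the callback version is the only option; on older installs it is the fix for the RCE the writeup describes.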

[Screenshot: Landing page]
dig axfr @10.13.37.10 securewebinc.jet
Deobfuscating the site's JavaScript revealed the hidden path /dirb_safe_dir_rf9EmcEIx/admin/

[Screenshot: Admin panel stats page]
sqlmap -u "http://www.securewebinc.jet/dirb_safe_dir_rf9EmcEIx/admin/dologin.php" ...

[Screenshot: sqlmap results]

[Screenshot: Admin hash cracked]

[Screenshot: Hash cracking result]