Platform: Hack The Box
Season: 10
Difficulty: Hard
OS: Linux
Date: 2026-05-06
Author: x4cc3
Snapped is a Medium Linux machine with an nginx UI admin panel on a subdomain. An unauthenticated API vulnerability in nginx UI leaks the application database, which contains bcrypt password hashes. Cracking the hashes reveals user credentials for SSH access. Privilege escalation exploits CVE-2026-3888 — a snap-confine + systemd-tmpfiles race condition on Ubuntu 24.04, leading to root.
<table header-row="true"><tr><td>Port</td><td>Service</td></tr><tr><td>22/tcp</td><td>SSH</td></tr><tr><td>80/tcp</td><td>HTTP — nginx UI</td></tr></table>

Caido intercept

Landing page
Subdomain/directory enumeration:

Dirsearch results

Nginx UI admin dashboard
An unauthenticated API endpoint leaked the database. CVE research revealed the vulnerability: