March 23, 2026

Snapped HackTheBox Writeup

HackTheBox Snapped machine walkthrough

SUMMARY

Snapped is a Hard-rated Linux machine from HackTheBox Season 10 that chains two sophisticated CVEs to achieve full root access. Virtual host enumeration on snapped.htb reveals an admin subdomain running an Nginx-UI management panel.

The Nginx-UI instance is vulnerable to CVE-2026-27944, an unauthenticated backup exfiltration vulnerability. The /api/backup endpoint returns a full encrypted backup of the Nginx and Nginx-UI configuration files while simultaneously leaking the AES decryption key in the X-Backup-Security response header. Decrypting the backup exposes a SQLite database containing a weakly hashed user password which, once cracked, grants an initial shell.
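A defender-side check for this issue, added here as an example and not part of the original writeup: it scans constructed Nginx access-log lines for successfully served /api/backup requests and inspects a constructed response header block for the X-Backup-Security header. The log format, sample addresses and placeholder key value are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Nginx access-log lines (combined format); not from the writeup.
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [23/Mar/2026:10:01:02 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "curl/8.5.0"
10.10.14.5 - - [23/Mar/2026:10:01:09 +0000] "GET /login HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
10.10.14.7 - - [23/Mar/2026:10:02:11 +0000] "POST /api/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"
10.10.14.9 - - [23/Mar/2026:10:03:44 +0000] "GET /api/backup HTTP/1.1" 403 21 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
BACKUP_PATH = "/api/backup"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access-log line into its fields."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backup_exfil(log_text: str) -> List[Dict[str, str]]:
    """Return entries where /api/backup was served with a 2xx status.
    A patched or properly authenticated Nginx-UI should not hand the backup
    to an anonymous client, so each hit is worth investigating."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].split("?")[0] == BACKUP_PATH and entry["status"].startswith("2"):
            hits.append(entry)
    return hits


# Constructed raw response header block (placeholder key); not a real capture.
SAMPLE_RESPONSE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: application/octet-stream
X-Backup-Security: <constructed-placeholder-key>
Content-Length: 48213
"""


def leaks_backup_key(raw_headers: str) -> bool:
    """True if the response carries the X-Backup-Security header in which the
    vulnerable Nginx-UI returns the backup's AES key; absence of the header
    on a 2xx backup response is one sign the instance has been fixed."""
    for line in raw_headers.splitlines()[1:]:
        name, _, _ = line.partition(":")
        if name.strip().lower() == "x-backup-security":
            return True
    return False
```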

Privilege escalation abuses CVE-2026-3888, a TOCTOU race condition between snap-confine and systemd-tmpfiles. After researching the vulnerability, I identified a public exploit on GitHub and followed it to achieve code execution as root.


PATH TO FOLLOW

  1. Reconnaissance
  2. Virtual Host Enumeration
  3. Nginx-UI Unauthenticated Backup (CVE-2026-27944)
  4. AES Key Extraction from Response Headers
  5. Backup Decryption and SQLite Credential Extraction
  6. Initial Shell
  7. Local Enumeration and snap-confine Analysis
  8. CVE-2026-3888
  9. AF_UNIX Socket Backpressure to Win the Race
  10. Dynamic Linker Hijacking for Root

CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED