Overview

Silentium is an Easy-difficulty Linux machine featuring Flowise AI framework exploitation and Gogs privilege escalation. This machine teaches:

  • Vhost enumeration techniques
  • Flowise vulnerability exploitation
  • Password reset token manipulation
  • JavaScript injection for RCE
  • Git repository exploitation
  • Symlink-based privilege escalation

Enumeration

Domain Discovery

The box requires vhost enumeration to discover:

  • Main domain: silentium.htb
  • Subdomain: staging.silentium.htb

Web Applications

Main Site (silentium.htb):

  • Static fintech/corporate website
  • Staff member names (potential usernames)

Staging Site (staging.silentium.htb):

  • Flowise 3.0.5 - AI agent builder
  • Login portal
  • API endpoints

Initial Foothold

CVE Chain Overview

Email Enumeration
    ↓
CVE-2025-58434 (Password Reset Token Leak)
    ↓
Account Takeover
    ↓
CVE-2025-59528 (JS Injection RCE)
    ↓
Shell Access

Email Enumeration

Flowise login endpoint reveals whether an email exists:

  • 404 - Email doesn't exist
  • 401 - Email exists, wrong password

Attack: Enumerate valid emails using staff names from main site

Password Reset Vulnerability

CVE-2025-58434 - Password reset tokens leak in API responses

Exploitation:

  1. Request password reset for valid email
  2. Capture reset token from response
  3. Use token to set new password
  4. Login with compromised account

JavaScript Injection RCE

CVE-2025-59528 - JavaScript code execution in Flowise workflows

Once authenticated, exploit workflow configuration to inject malicious JavaScript that executes on the server.

Privilege Escalation

Git Repository Exploitation

After initial access, discover:

  • Gogs - Self-hosted Git service
  • Running version vulnerable to CVE-2025-8110

Symlink Privilege Escalation

The vulnerability allows:

  1. Create malicious Git repository with symlinks
  2. Upload to Gogs
  3. Trigger server-side processing
  4. Symlink traversal to read/write privileged files
  5. SSH key injection or SUID binary creation
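
The control a Git hosting service needs against the symlink traversal described above is to refuse any link whose resolved target leaves the repository root. The checker below is an added example written for this page, not Gogs code and not the patch for CVE-2025-8110; the fixture repository it builds is constructed for the demonstration.

```python
import os
import tempfile


def find_escaping_symlinks(repo_root):
    """Return repo-relative paths of symlinks whose resolved target lies
    outside repo_root. A server that serves or post-processes repository
    contents must skip or reject every path this function reports."""
    root = os.path.realpath(repo_root)
    escaping = []
    # followlinks=False (the default) lists symlinked dirs but never descends
    # into them, so a link pointing at "/" cannot make the walk leave the repo.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath follows link chains and "../" components; it also
            # resolves dangling links, which are still reported if they escape.
            target = os.path.realpath(path)
            # commonpath, not startswith: "/srv/repo2" must not pass as "/srv/repo".
            if os.path.commonpath([root, target]) != root:
                escaping.append(os.path.relpath(path, root))
    return sorted(escaping)


def build_demo_repo():
    """Constructed fixture (hypothetical layout): one in-tree link, one
    relative link that climbs out of the repo, one absolute link outside it."""
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    os.makedirs(os.path.join(repo, "docs"))
    with open(os.path.join(repo, "README.md"), "w") as fh:
        fh.write("demo\n")
    os.symlink("../README.md", os.path.join(repo, "docs", "readme-link"))  # stays in tree
    os.symlink("../../outside.txt", os.path.join(repo, "docs", "escape"))  # leaves repo
    os.symlink(os.path.join(base, "outside-abs.txt"), os.path.join(repo, "outside-abs"))
    return repo


if __name__ == "__main__":
    print(find_escaping_symlinks(build_demo_repo()))  # ['docs/escape', 'outside-abs']
```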

Root Flag Location: /root/root.txt

Key Takeaways

  • Vhost enumeration is essential
  • Email enumeration enables targeted attacks
  • Password reset flows need protection
  • JavaScript execution contexts are dangerous
  • Git servers have unique attack surface
  • Symlinks can bypass restrictions

Tools Used

  • nmap - Port scanning
  • gobuster - Vhost/directory enumeration
  • curl - API testing
  • burpsuite - Request manipulation
  • Custom exploit scripts
  • git - Repository interaction

Want the full exploitation chain? Get the PAID version on Buy Me a Coffee with all commands, CVE exploitation details, and complete privilege escalation walkthrough.