HTB: WhiteRabbit – Season 7 Walkthrough Summary
WhiteRabbit was the final machine of Hack The Box Season 7, and it delivered a solid mix of enumeration, exploitation, and privilege escalation techniques.
In this box, we explored and learned the following:
This machine was a great learning experience, especially for understanding how different layers of a system can be exploited when chained together properly. A must-try for anyone looking to sharpen their intermediate-to-advanced CTF skills!
# Nmap 7.95 scan initiated Fri Apr 11 18:58:42 2025 as: /usr/lib/nmap/nmap --privileged -v -sCTV -p- -T4 -Pn -oN 10.10.11.63.txt 10.10.11.63
Warning: 10.10.11.63 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.63
Host is up (0.34s latency).
Not shown: 65506 closed tcp ports (conn-refused)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0f:b0:5e:9f:85:81:c6:ce:fa:f4:97:c2:99:c5:db:b3 (ECDSA)
|_  256 a9:19:c3:55:fe:6a:9a:1b:83:8f:9d:21:0a:08:95:47 (ED25519)
80/tcp   open     http       Caddy httpd
| http-methods:
|_  Supported Methods: HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://whiterabbit.htb
|_http-server-header: Caddy
518/tcp  filtered ntalk
1182/tcp filtered accelenet
2222/tcp open     ssh        OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 c8:28:4c:7a:6f:25:7b:58:76:65:d8:2e:d1:eb:4a:26 (ECDSA)
|_  256 ad:42:c0:28:77:dd:06:bd:19:62:d8:17:30:11:3c:87 (ED25519)
Port 80 redirects to whiterabbit.htb, so we need to add the host to /etc/hosts:
echo "10.10.11.63 whiterabbit.htb" | sudo tee -a /etc/hosts > /dev/null
Next, virtual-host fuzzing: each candidate is sent as a Host header, and responses of size 0 are filtered out.

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://whiterabbit.htb/" -H 'Host: FUZZ.whiterabbit.htb' -fs 0

status [Status: 302, Size: 32, Words: 4, Lines: 1, Duration: 100ms]

As you can see, with the help of ffuf we found one virtual host: status.whiterabbit.htb.
It needs to be added to /etc/hosts as well:
echo "10.10.11.63 status.whiterabbit.htb" | sudo tee -a /etc/hosts > /dev/null
status.whiterabbit.htb turned out to host Uptime Kuma. I started exploring it and first tried logging in with default credentials, but that didn't work. Next, I attempted subdomain enumeration and directory brute-forcing on this host, but those approaches didn't yield any useful results either.
Then I decided to simply Google "Uptime Kuma" and came across its GitHub repository. I began reading through the issues section, and although it was a bit of a painful process, I discovered something interesting: https://github.com/louislam/uptime-kuma/issues/2917
One of the issues mentioned that under the /status/ endpoint there might be pages accessible without authentication. That makes sense, since Uptime Kuma status pages are meant to be viewed by the public, so their slugs are worth brute-forcing even when the login is locked down. This gave me a lead to investigate further, and it is a valuable tip when working with applications like Uptime Kuma.
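The two enumeration steps above, vhost fuzzing with a Host header and probing unauthenticated /status/<slug> pages, written out in Python as an added example (this is not code from the original walkthrough or from the Uptime Kuma project). It reproduces ffuf's baseline-filtering idea with the standard library and adds a parser for the status-page JSON where monitor names and URLs, and therefore new hostnames, tend to show up. _MockTarget is a constructed stand-in so everything runs offline; its responses are modelled on the scan output (Caddy returning a 302 for unknown Hosts), and the /api/status-page/<slug> endpoint shape, the "temp" page contents and the ci.example.htb monitor are assumptions made for the demo, not data from the box.

```python
"""Vhost and Uptime Kuma status-page enumeration (added example, not the
original walkthrough's code). _MockTarget is a constructed target so the
functions can be exercised offline; see the lead-in for what is assumed."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(base_url, path="/", host=None, timeout=5):
    """Return (status, body_length) for one GET without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn 30x into an HTTPError we can measure instead of following it
    req = urllib.request.Request(base_url + path)
    if host:
        req.add_header("Host", host)  # vhost selection, like ffuf -H 'Host: FUZZ.domain'
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


def fuzz_vhosts(base_url, domain, words):
    """Keep candidates whose (status, size) differ from a nonexistent vhost.
    The baseline is the 302 Caddy returns for any unknown Host, so only real
    vhosts stand out; this is what ffuf's size/status filters approximate."""
    baseline = probe(base_url, host=f"zz-baseline-check.{domain}")
    return [(f"{w}.{domain}", *res) for w in words
            if (res := probe(base_url, host=f"{w}.{domain}")) != baseline]


def fuzz_status_pages(base_url, host, slugs):
    """Probe /status/<slug>/ and keep slugs that answer differently from an
    unknown slug. No login is needed: status pages are public by design."""
    baseline = probe(base_url, "/status/zz-baseline-check/", host=host)
    return [(s, *res) for s in slugs
            if (res := probe(base_url, f"/status/{s}/", host=host)) != baseline]


def fetch_status_page(base_url, host, slug):
    """Fetch the JSON behind a status page (assumed endpoint /api/status-page/<slug>)."""
    req = urllib.request.Request(f"{base_url}/api/status-page/{slug}", headers={"Host": host})
    with urllib.request.urlopen(req, timeout=5) as r:
        return json.loads(r.read())


def extract_monitor_targets(payload):
    """Walk publicGroupList -> monitorList (assumed shape) and return (name, url)
    pairs; monitor names and URLs are where extra hostnames leak from a page."""
    return [(m.get("name"), m.get("url"))
            for g in payload.get("publicGroupList", [])
            for m in g.get("monitorList", [])]


class _MockTarget(BaseHTTPRequestHandler):
    """Constructed target: unknown Host -> 302 to whiterabbit.htb (as in the nmap
    http-title); status.whiterabbit.htb -> Uptime Kuma with one public page 'temp'.
    The monitor entry is made up for the demo."""
    PAGE = {"config": {"slug": "temp"}, "publicGroupList": [{"name": "Services",
            "monitorList": [{"name": "ci", "url": "http://ci.example.htb"}]}]}

    def do_GET(self):
        if not self.headers.get("Host", "").startswith("status."):
            return self._send(302, b'<a href="http://whiterabbit.htb">Found</a>\n',
                              location="http://whiterabbit.htb")
        if self.path == "/status/temp/":
            self._send(200, b"<html><title>temp - Uptime Kuma</title></html>")
        elif self.path.startswith("/status/"):
            self._send(404, b"<html>Uptime Kuma</html>")  # unknown slug
        elif self.path == "/api/status-page/temp":
            self._send(200, json.dumps(self.PAGE).encode())
        else:
            self._send(200, b"<html>Uptime Kuma</html>")

    def _send(self, code, body, location=None):
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_target():
    """Serve _MockTarget on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _MockTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, base = start_mock_target()
    print("vhosts:", fuzz_vhosts(base, "whiterabbit.htb", ["www", "status", "dev"]))
    print("pages:", fuzz_status_pages(base, "status.whiterabbit.htb", ["default", "temp"]))
    print("monitors:", extract_monitor_targets(
        fetch_status_page(base, "status.whiterabbit.htb", "temp")))
    srv.shutdown()
```

Against the real target you would replace the mock base URL with http://10.10.11.63 and feed the SecLists wordlists; the baseline comparison is deliberate, because whether Uptime Kuma answers an unknown slug with a 404 or with the generic app shell, a published page still differs in status or size from the baseline.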
So we brute-forced this endpoint and found /status/temp/, which lists some new subdomains:
Access is restricted by Hack The Box rules.
The full solution can be published once the machine is retired.
Until then, look for the non-public solution in the Telegram channel.