Posts

HackTheBox: Sink Machine (insane difficulty) Walkthrough

HackTheBox: Sink Machine Walkthrough
A complete guide to pwning an Insane-rated box featuring HTTP Request Smuggling, Gitea source code analysis, and AWS KMS exploitation
INSANE | Linux | CVE-2019-18277

Machine: Sink
OS: Linux
Difficulty: Insane
IP: 10.10.10.225
Key Techniques: HTTP Request Smuggling, Gitea Credential Harvesting, AWS Secrets Manager, AWS KMS Decryption
CVEs: CVE-2019-18277 (HAProxy HTTP Request Smuggling)

Attack Chain Overview
Nmap Recon → HTTP Smuggling (HAProxy + Gunicorn) → Session Hijacking → Credential Extraction from Notes → Gitea Source Code Review → SSH Key + AWS Keys from Commits → SSH as marcus → AWS Secrets Manager → su david → AWS KMS Decrypt → Root

Table of Contents
Reconnaissance & Port Scanning
Web Application Analysis (Port 5000)
HTTP Request Smuggling (CVE-2019-1827...
