HTB Helix: Apache NiFi RCE (CVE-2023-34468) → OPC UA Logic Manipulation to Root
Subdomain enumeration reveals an unauthenticated Apache NiFi instance. CVE-2023-34468 (H2 JDBC INIT injection) provides a shell as nifi. An SSH key found in NiFi support bundles grants access as operator. Privilege escalation requires manipulating OPC UA industrial control nodes to trigger a safety controller maintenance window, leading to root.
