HTB Pollution - Linux (Hard)

XXE on a vulnerable API endpoint leads to LFI, which is used to fetch credentials for another web app; initial access is RCE through filter injection. Pivot in MySQL for user access. PrivEsc with JWT token manipulation.

From HTB: Pollution is a challenging Linux machine with several intricate and sophisticated vulnerabilities to exploit, such as XXE and leveraging LFI to gain RCE, as well as prototype pollution. Initially, we gain a foothold shell as user www-data by reading critical files through XXE and then leveraging LFI to gain RCE.
Further, we discover that php-fpm is running as user victor on an internal port of the remote host, which can be leveraged to move laterally from www-data to victor. Finally, we manage to escalate privileges to user root by exploiting prototype pollution on an internal NodeJS service.
- Network Enumeration and Port Discovery
. . .[SOON]. . .
This post was created as a learning template; it is not going to be finished in the near future.
And that’s it. Hope you guys enjoy the box. And happy hacking!