
HTB Sorcery#2171

Open
carlospolop wants to merge 1 commit into master from update_HTB__Sorcery_20260425_184956

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/04/25/htb-sorcery.html
  • Blog Title: HTB: Sorcery
  • Suggested Section: Pentesting Web (WebAuthn/2FA-MFA bypass & account takeover patterns) and/or Generic Hacking / Post-Exploitation (Message-bus to RCE pattern: Kafka/RabbitMQ -> bash -c command injection); plus a small note under Network Services Pentesting or Web Recon for Host-header vhost fuzzing and under TLS/Certificates for 'Leaked internal Root CA key -> trusted MITM'.

🎯 Content Summary

Title / Context
HTB “Sorcery” (Linux) is a microservice-style stack fronted by nginx (TLS 443) with a Next.js frontend, a Rust/Rocket backend, Neo4j, Gitea, Kafka, a DNS sidecar, MailHog, and an anonymous FTP server. The post’s overall chain (as stated in the intro) is: Cypher injection → leak seller registration key → stored XSS → abuse a headless Chrome/admin bot to enroll a WebAuthn passkey on admin → admin access → SSRF via a port-debug tool → Kafka wire-protocol message inject...

🔧 Technical Details

Host-header vhost discovery with ffuf: When a reverse proxy routes by Host, scan subdomains by sending requests to the target IP and fuzzing the host header (e.g., ffuf -u https://IP -H "Host: FUZZ.sorcery.htb" -w ... -ac) to identify hidden virtual hosts like git.sorcery.htb.

Cloning repos from internal/self-signed Git endpoints: If a Git service uses an untrusted certificate chain, local source review can still be done by setting GIT_SSL_NO_VERIFY=1 during git clone. This often unlocks container definitions, internal hostnames, topic names, and code-level sinks.

WebAuthn (Passkey) testing with Chrome’s virtual authenticator: Use Chrome DevTools → “More tools” → “WebAuthn” to add a virtual authenticator, enroll a passkey, and then authenticate with “Login with Passkey” (username-only). This is useful for analyzing passkey registration/auth flows and for reasoning about how headless bro...

🤖 Agent Actions

I’m organizing the update around three decisions: which techniques in the post are genuinely novel for HackTricks, which single existing page is the best fit, and whether anything should be left out as already covered or too CTF-specific.
I’m pulling the source post and scanning the repo for existing coverage around WebAuthn, Kafka, message-bus abuse, vhost fuzzing, and TLS trust-store abuse before choosing a target file.
The strongest candidate so far is the Kafka consumer pattern, because it’s a reusable technique rather than box-specific chaining. I’m now reading actual target pages to confirm where HackTricks already covers adjacent material and where a concise addition would fit without duplication.
I’ve read well past the five-file minimum. The remaining question is placement: creating a new Kafka page would be cleaner technically, but your single-file constraint makes an existing message-broker page the safer choice if it can absorb a protocol-agnostic broker-to-RCE pattern cleanly.
I’ve narrowed it to a single reusable addition: a broker-publish to consumer-shell-exec pattern. I’m placing it in the AMQP page because that existing page already covers broker exploitation primitives and HTTP-side publishing, while the other Sorcery tricks are already documented or would force multiple-file edits.
I’m editing the AMQP page now. The change is limited to one new exploitation subsection plus reference updates, keeping it protocol-agnostic but concrete enough to cover Kafka-style raw publish abuse and RabbitMQ management/API publish paths.
Updated 5671-5672-pentesting-amqp.md with a new section covering the reusable technique from Sorcery: message-broker publish access leading to consumer-side shell execution and RCE.

I kept it to one file and focused on the only clearly novel, reusable pattern that wasn’t already in HackTricks. I did not add the vhost fuzzing, WebAuthn/passkey testing, FTP, or Root CA/MITM notes because those are already broadly covered elsewhere and would have required either redundant content or multiple-file edits.

Verification: checked the inserted section in place, confirmed the references section remains at the end, and confirmed the diff only touches that single file.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
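The broker-publish to consumer-shell-exec pattern the agent actions above describe (a consumer that interpolates a field from a broker message into a `bash -c` command line) can be shown with the vulnerable consumer beside a hardened one. This is an added example, not code from the PR, the AMQP page, the box, or the source post: the message bodies, the `echo` stand-in for whatever tool the real consumer wraps, the hostname regex, and the function names are all constructed for illustration.

```python
import json
import re
import subprocess

# Constructed sample messages (not captured from any real broker): a benign one,
# and one whose "host" field carries shell metacharacters. Anyone with publish
# access to the topic/queue controls this field.
BENIGN_MSG = json.dumps({"action": "resolve", "host": "mail.example.test"}).encode()
MALICIOUS_MSG = json.dumps({"action": "resolve", "host": "x; echo INJECTED"}).encode()

# Assumed allow-list for the one field the consumer passes to a command:
# RFC 1123-style hostname labels only, no spaces or shell metacharacters.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_consume(raw: bytes) -> str:
    """Consumer sink: builds a command string from a message field and hands it
    to the shell. `shell=True` runs `/bin/sh -c "<cmd>"`, the same class of sink
    as a consumer calling `bash -c`; `echo` stands in for the wrapped tool."""
    msg = json.loads(raw)
    cmd = f"echo resolving {msg['host']}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout


def hardened_consume(raw: bytes) -> str:
    """Same consumer with two fixes: validate the field against an allow-list
    before use, and pass it as a single argv element with no shell, so its
    content can never become a second command."""
    msg = json.loads(raw)
    host = msg["host"]
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname from broker message: {host!r}")
    out = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True, check=False
    )
    return out.stdout


if __name__ == "__main__":
    print(vulnerable_consume(BENIGN_MSG), end="")      # resolving mail.example.test
    print(vulnerable_consume(MALICIOUS_MSG), end="")   # resolving x, then INJECTED on its own line
    print(hardened_consume(BENIGN_MSG), end="")        # resolving mail.example.test
    try:
        hardened_consume(MALICIOUS_MSG)
    except ValueError as e:
        print(e)
```

The second line of the vulnerable output comes from a command the message author supplied, which is the whole primitive: whatever the consumer process runs as, a publisher to that topic or queue runs as too. Note that the regex alone is not the fix; the argv list is what removes the shell from the path, and the allow-list is defence in depth for fields that must still reach a command.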

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/04/25/htb-sorcery.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web (WebAuthn/2FA-MFA bypass & account takeover patterns) and/or Generic Hacking / Post-Exploitation (Message-bus to RCE pattern: Kafka/RabbitMQ -> bash -c command injection); plus a small note under Network Services Pentesting or Web Recon for Host-header vhost fuzzing and under TLS/Certificates for 'Leaked internal Root CA key -> trusted MITM'.".

Repository Maintenance:

  • MD Files Formatting: 972 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

