HackTheBox: FireFlow Writeup

·1 views

Executive Summary FireFlow is a Linux machine running a fictional "Task Force Nightfall" intelligence platform. The web application exposes a Langflow instance (flow.fireflow.htb) with a public flow playground. The flow engine version (1.8.2) is vulnerable to CVE-2026-33017 - an unauthenticated RCE via the /api/v1/build_public_tmp/{flow_id}/flow endpoint, which executes attacker-supplied Python without sandboxing. This gives us a shell as www-data. Environment variable enumeration leaks the Langflow superuser password, which is reused by the nightfall local user (user flag).

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Creating Ebooks

制作没有数字痕迹的电子书手工制作的目录输入掌握Markdown的基本语法撰写素材文档校对素材文档制作封面图片和插图安装Calibre 自动生成的目录章节分页符相对固定的输出格式把素材文档导入书库编辑元数据生成书籍并另存为 EPUB DOCX PDF 清理 Markdown是通用、健壮、易学易读易写、便于移植的轻量级标记语言，教程见Markdown Guide和Daring Fireball。主要语法列举如下：用至少一个空白行分隔不同段落（包括标题）。正常段落没有必要缩进（即空两格），需要时每4个空格（）或1个制表符（TAB）可缩进一级。 # 一级标题 ## 二级标题 ### 三级标题 #### 四级标题 **粗体** *斜体* ***粗体和斜体*** 1. 有序列表第一项 1. 有序列表第二项 1. 有序列表第三项 - 无序列表第一项 * 无序列表第二项 + 无序列表第三项 ```段落之间的等宽字体代码块``` ``段落内部嵌入的等宽字体代码`` > 引用的第一个段落 > > 引用的第二个段落 >> 嵌套引用的段落段落之间的多行引用块 [外部超链接显示名](外部超链接地址) [外部超链接显示名](外部超链接地址 "鼠标悬停在链接上时显示的文字提示") ![图片无法加载时显示的文字描述](图片路径) ![图片无法加载时显示的文字描述](图片路径 "鼠标

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Forced full-screen on Gnome

Small improvements to desktop environment make small improvements in productivity, and they compound. Today I found that I can force any app (not only the app with special support for it) to run in a fullscreen mode under Gnome. gsettings \ set org.gnome.desktop.wm.keybindings \ toggle-fullscreen "[' f']" Super-F, and ANY application is full-screen.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Hunting Digital Chameleons: How We Defeated Botnets in Laravel v2.4.0

In the world of web traffic, there’s a simple rule: if it looks like a regular user, walks like a user, and even brings its favorite cookies along—it doesn't always mean there’s a human on the other side. Sometimes, it’s just a very diligent bot that happened to read the User-Agent documentation yesterday. In this article, we’ll share how our traffic analysis tool evolved from naive trust in headers to a paranoid level of verification, and how that led to a "spring cleaning" of our architecture. (For more on the project's first deep refactoring, read our article: Refactoring Laravel Visit Anal

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Are USB Devices a Security Risk for Your PC?

The attack that shouldn't be possible — but is Picture a $283 soundbar sitting on a desk, plugged into a PC via USB, playing music. To every security tool watching that machine, the speaker is a trusted, known device — essentially invisible. To an attacker sitting in the parking lot outside, it's an open door. That is the reality of a vulnerability discovered in Creative Technologies' Sound Blaster Katana V2X. Researcher Rasmus Moorats found the flaw after purchasing the soundbar himself.

0 comments Read more at DEV Community