HackTheBox Sloink: NFS Misconfiguration Chains to Full Root Compromise

·1 views

A HackTheBox machine named Sloink was compromised through a series of chained vulnerabilities beginning with publicly exposed NFS shares that leaked a user's PostgreSQL command history. The history contained an MD5 hash which, once cracked, revealed the password for a 'service' account whose shell was set to /bin/false, preventing direct login. However, SSH port forwarding remained functional, allowing the attacker to tunnel directly to the PostgreSQL Unix socket and authenticate as the database superuser. From there, the PostgreSQL COPY FROM PROGRAM feature was abused to achieve remote code execution, enabling SSH key injection and a shell as the postgres user. Finally, a root-owned cron job that copied the postgres data directory — writable by the postgres user — was exploited by planting a SUID bash binary, which upon execution granted a full root shell.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Developer Ditches VS Code for Custom 30MB Native IDE to Cut IPC Latency

A developer building V.E.L.O.C.I.T.Y.-OS, a bare-metal operating system project, has abandoned the VS Code extension model due to its high memory overhead, which can exceed 300MB at idle. The decision came after JSON-RPC serialization in the agent processing path was identified as a performance bottleneck consuming unnecessary CPU cycles. As a replacement, the developer built a standalone native IDE weighing just 30MB, paired with zero-allocation binary parsing using C# and Rust. Benchmarks show the new binary format reduced read latency from 846 nanoseconds with JSON to 61 nanoseconds, a roughly 92.7% improvement. This is the third installment in a 12-part series documenting the project's progression toward a fully self-contained, CPU cache-resident operating system.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Codename One Adds watchOS and Wear OS Support via Single Java/Kotlin Codebase

Codename One, an open-source framework for building cross-platform apps from a single Java or Kotlin codebase, has released wearable support for both Apple watchOS and Google Wear OS. The watchOS port uses a dedicated Core Graphics rendering backend hosted inside a SwiftUI shell, since watchOS lacks UIKit, OpenGL ES, and Metal. Developers can share the same codebase across phone and watch apps, controlling per screen how much of the UI is displayed on the smaller device. A dedicated entry point, codename1.watchMain, allows the watch build to start from a lightweight class, enabling dead-code elimination to reduce the memory and CPU footprint. On Apple devices, the watch app is embedded within the iOS app by default so both install together, while a standalone watch-only build is also available.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Guide: Automate Airtable Record Operations Using n8n Workflow Node

The n8n Airtable node allows users to read, create, update, and delete Airtable records without writing any custom scripts. Setup requires an Airtable personal access token with appropriate scopes, as the older API key was deprecated in February 2024. The node supports multiple operations including List, Search, Get, Create, Update, and Upsert, each configurable with field mappings and filter formulas. Key pitfalls include case-sensitive field names and missing token scopes that can silently fail or return 403 errors. A free importable workflow JSON is provided to help users get started quickly.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

Why Hardcoding AI System Prompts in Production Is a Costly Mistake

Hardcoded system prompts — whether stored in source files, environment variables, config files, or database seeds — require a full engineering deploy cycle to change, making even minor adjustments expensive and slow. A real incident described by a support engineer showed that a single mismatched prompt string caused four hours of confusion, with no one able to confirm what was actually running in production. In mature teams, this bottleneck means compliance edits queue behind unrelated feature work, small improvements get abandoned, and prompt quality stagnates over time. The problem is compounded by model drift, as AI providers like OpenAI ship model updates independently of customer deployments — OpenAI's April 2025 GPT-4o update, for instance, affected over 180 million users due to a prompt-level behaviour change. A 2025 State of AI Engineering Survey found that 70% of teams update prompts at least monthly, yet 31% still manage them manually, highlighting a widening gap between iteration needs and deploy constraints.

0 comments Read more at DEV Community