
HTB Eureka From Actuator HeapDump to SSH, credential capture...#1373

Merged
carlospolop merged 3 commits into master from update_HTB_Eureka__From_Actuator_HeapDump_to_SSH__credent_20250830_182823, Sep 3, 2025

Conversation

@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/08/30/htb-eureka.html
  • Blog Title: HTB Eureka: From Actuator HeapDump to SSH, credential capture via Gateway, and root via Bash arithmetic injection
  • Suggested Section: Generic Hacking - Spring Boot Actuator heapdump secrets mining and Spring Cloud Gateway loggers abuse; Linux Privilege Escalation via Bash arithmetic injection

🎯 Content Summary

HackTheBox “Eureka” — Technical Exploitation Summary

Target

Platform: Linux (Ubuntu 20.04.6 LTS; kernel 5.4.0-214-generic).

External surface:

  • Spring Boot site via nginx on 80/tcp
  • SSH on 22/tcp
  • Basic-auth’d service on 8761/tcp (Netflix Eureka)

Recon

Full TCP sweep and versioning

nmap -p- --min-rate 10000 10.10.11....

🔧 Technical Details

HeapDump secret harvesting (Spring Boot Actuator): If /actuator/heapdump is exposed, download it and mine for credentials. Start with strings to spot HTTP headers (e.g., Basic auth) and then use VisualVM/JDumpSpider to locate structured secrets (DataSource, Spring properties, security configs). Example workflow:

```bash
wget http://target/actuator/heapdump
strings heapdump | grep -n "Authorization: Basic"
printf %s <base64> | base64 -d
java -jar JDumpSpider-*.jar heapdump
```

Look for JDBC URLs and OriginTrackedMapPropertySource entries. Apply recovered creds directly (SSH, DB) or for internal services.

Gateway/logging abuse for credential capture: In Spring Cloud Gateway environments where the attacker can influence configuration or where management endpoints/logging are too permissive, add or modify a route/filter so that authentication requests (e.g., /login) have headers/body captured to...

🤖 Agent Actions

I analyzed the blog and repository, located relevant sections, and updated HackTricks with the new techniques. Summary of what I did:

What’s new from the blog

  • Spring Boot Actuator heapdump secrets mining:

    • Concrete workflow to dump and mine JVM heap for credentials and secrets using strings, VisualVM/OQL, and JDumpSpider.
    • Indicators to target in heap: DataSourceProperties/HikariDataSource, OriginTrackedMapPropertySource, Basic-Auth headers, JDBC URLs.
    • Guidance to leverage other actuator endpoints (/env, /configprops, /logfile, /httpexchanges).
  • Abuse of actuator loggers for credential capture:

    • Technique to crank loggers (org.springframework.security, org.springframework.web, org.springframework.cloud.gateway) to TRACE via /actuator/loggers and read credentials from logs via /actuator/logfile or file paths recovered from /actuator/env.
    • Example cURL requests and harvesting steps.
  • Linux PE via Bash arithmetic injection:

    • Clear explanation of how command substitution occurs before arithmetic evaluation in Bash ((...)), $((...)) and let, and how untrusted log fields can trigger root code execution.
    • Practical exploitation payload patterns and mitigations.

Where I added content

  1. Updated: src/network-services-pentesting/pentesting-web/spring-actuators.md
  • Added two new sections:
    • “HeapDump secrets mining (credentials, tokens, internal URLs)” with commands, OQL, and tooling.
    • “Abusing Actuator loggers/logging to capture credentials” with practical cURL examples and harvesting steps.
  • Added a References section at the end with:
    • Wiz actuator misconfig post
    • VisualVM
    • JDumpSpider
    • 0xdf’s Eureka write-up
  • Preserved all existing content and style.
  2. Updated: src/linux-hardening/privilege-escalation/README.md
  • Inserted a new subsection right after the wildcard injection section:
    • “Bash arithmetic expansion injection in cron log parsers” detailing the vulnerability, example vulnerable pattern, exploitation payload, preconditions, and mitigations.
  • Appended new References at the end:
    • 0xdf’s Eureka post
    • GNU Bash Reference Manual – Shell Arithmetic

Why these locations

  • Spring Boot Actuator techniques and loggers abuse belong in pentesting-web/spring-actuators.md as they are actuator-centric and align with current structure.
  • The Bash arithmetic injection is a Linux local privilege escalation technique in cron/log parsers, so it fits the linux-hardening/privilege-escalation/README.md “Scheduled/Cron jobs” area.

Additional notes

  • Ensured content uses HackTricks style, with code blocks and concise, technical language.
  • Did not create new files; extended the most relevant existing pages.
  • Added a single “## References” section at the bottom of each updated file, per guidelines.

No other overlapping content found that would cause duplication; heapdump coverage did not previously include deep secrets mining workflow, nor did Linux PE discuss arithmetic injection via logs.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
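The heapdump workflow summarised in the PR description (strings, grep for `Authorization: Basic`, decode, look for JDBC URLs) can be wrapped into a small audit script a defender runs against their own heapdump to see exactly what an exposed `/actuator/heapdump` would hand out. The script below is an added example, not code from the PR or from 0xdf's write-up: it works on the raw binary by turning NUL bytes into line breaks (so `strings` is not required), and the sample heapdump, its header bytes, the `eureka:S3cretPass` credential and the JDBC URL are all constructed here.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or from 0xdf's write-up: audit a Spring Boot
# heapdump for the two indicator types the PR names, "Authorization: Basic" headers
# and JDBC URLs. NUL bytes are turned into newlines so grep works on the raw binary
# without strings(1). The sample heapdump and every secret in it are constructed.

# Print every distinct Basic-auth credential found, decoded to user:password.
heapdump_basic_creds() {                       # $1 = path to heapdump
  tr '\0' '\n' < "$1" \
    | grep -a -o -E 'Authorization: Basic [A-Za-z0-9+/=]+' \
    | awk '{print $3}' | sort -u \
    | while IFS= read -r token; do
        printf '%s\n' "$token" | base64 -d 2>/dev/null && printf '\n'
      done
}

# Print every distinct JDBC connection string (these often embed user/password).
heapdump_jdbc_urls() {                         # $1 = path to heapdump
  tr '\0' '\n' < "$1" \
    | grep -a -o -E 'jdbc:[a-z0-9]+://[^[:space:]"]+' | sort -u
}

# Constructed sample: HPROF-style header, NUL-separated noise, and planted secrets
# (the same Basic header appears twice to show the de-duplication).
make_sample_heapdump() {
  local f
  f=$(mktemp)
  {
    printf 'JAVA PROFILE 1.0.2\0\0\0\0some heap noise\0'
    printf 'Authorization: Basic %s\0' "$(printf 'eureka:S3cretPass' | base64)"
    printf 'other objects\0jdbc:mysql://db.internal:3306/app?user=app&password=AppPwd1\0'
    printf 'Authorization: Basic %s\0' "$(printf 'eureka:S3cretPass' | base64)"
  } > "$f"
  printf '%s' "$f"
}

# Stand-alone use: ./heapdump_audit.sh /path/to/heapdump; with no argument the
# constructed sample is audited instead.
sample=$(make_sample_heapdump)
target=${1:-$sample}
echo "== Basic-auth credentials in $target =="; heapdump_basic_creds "$target"
echo "== JDBC URLs in $target ==";             heapdump_jdbc_urls "$target"
rm -f "$sample"
```

Any hit from either function on a production heapdump means the secret is recoverable by anyone who can reach the actuator endpoint, which is the argument for keeping `heapdump` out of the exposed endpoint set and for rotating whatever the audit finds.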

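The Bash arithmetic injection the PR adds to the privilege-escalation page rests on one ordering rule: inside `(( ))`, `$(( ))` and `let`, a value that looks like an array reference `a[...]` has its subscript expanded, and a command substitution inside that subscript runs before any number is computed. The script below is an added example, not the PR's or 0xdf's code: it shows a cron-style log parser that sums an untrusted field the vulnerable way, the same parser hardened with a digits-only check, and a constructed log whose third field smuggles a command. The log format and the marker file the smuggled command creates are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example, not the PR's or 0xdf's code: a log parser that feeds an untrusted
# field into Bash arithmetic, beside the hardened version. The log format is invented
# and the smuggled command only creates a marker file so its execution is observable.

# Vulnerable: the third field is handed to arithmetic as-is. If it reads
# a[$(cmd)0], Bash expands the array subscript and runs cmd before summing.
sum_field_unsafe() {                      # stdin: lines "<timestamp> <src> <count>"
  local total=0 ts src count
  while read -r ts src count; do
    (( total += count ))                  # evaluates 'count' as an expression
  done
  echo "$total"
}

# Hardened: only an unsigned decimal integer reaches the arithmetic; any other value
# is reported and the line skipped, so no subscript or substitution is ever evaluated.
sum_field_safe() {
  local total=0 ts src count
  while read -r ts src count; do
    if [[ $count =~ ^[0-9]{1,18}$ ]]; then
      (( total += 10#$count ))            # 10# forces base 10 (leading zeros not octal)
    else
      printf 'rejected non-numeric field: %q\n' "$count" >&2
    fi
  done
  echo "$total"
}

# Constructed log: two honest lines and one whose count field carries a[$(touch MARK)0].
MARK=$(mktemp -u)                          # path only; the file must not exist yet
make_sample_log() {
  printf '%s\n' \
    '2025-08-30T10:00:00 10.0.0.5 120' \
    '2025-08-30T10:00:01 10.0.0.9 30' \
    "2025-08-30T10:00:02 10.0.0.7 a[\$(touch $MARK)0]"
}

# Demo: both parsers report 150, but only the unsafe one ran the smuggled command.
unsafe_total=$(make_sample_log | sum_field_unsafe)
echo "unsafe parser: total=$unsafe_total, smuggled command ran: $([ -e "$MARK" ] && echo yes || echo no)"
rm -f "$MARK"
safe_total=$(make_sample_log | sum_field_safe 2>/dev/null)
echo "safe parser:   total=$safe_total, smuggled command ran: $([ -e "$MARK" ] && echo yes || echo no)"
```

The hardened loop is the mitigation the PR lists: validate the field as a number before it enters any arithmetic context, since quoting alone does not help once the value is evaluated as an expression. When such a parser runs from root's crontab over logs that unprivileged users can write to, the unsafe form turns a log line into root code execution, which is the chain the write-up describes.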
Build master and others added 2 commits August 29, 2025 10:09
@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/30/htb-eureka.html

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking - Spring Boot Actuator heapdump secrets mining and Spring Cloud Gateway loggers abuse; Linux Privilege Escalation via Bash arithmetic injection".

Repository Maintenance:

  • MD Files Formatting: 878 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@github-actions github-actions Bot force-pushed the master branch 2 times, most recently from ef47d69 to 7b4b7a7, September 3, 2025 11:00
@carlospolop (Collaborator, Author)

merge

@github-actions github-actions Bot force-pushed the master branch 4 times, most recently from 8744954 to 1bab019, September 3, 2025 14:12
@carlospolop carlospolop merged commit 1ce2162 into master Sep 3, 2025
@carlospolop carlospolop deleted the update_HTB_Eureka__From_Actuator_HeapDump_to_SSH__credent_20250830_182823 branch September 3, 2025 16:02
github-actions Bot pushed a commit that referenced this pull request Sep 3, 2025
…_Actuator_HeapDump_to_SSH__credent_20250830_182823

HTB Eureka From Actuator HeapDump to SSH, credential capture...
carlospolop added a commit that referenced this pull request Sep 29, 2025
…_Actuator_HeapDump_to_SSH__credent_20250830_182823

HTB Eureka From Actuator HeapDump to SSH, credential capture...
