Machine Overview
| Platform | HackTheBox |
| Target | nimbus.htb / aws.nimbus.htb |
| Operating System | Linux |
| Difficulty | Hard |
| Category | Cloud / Container Escape |
SSRF through a dual-layer filter bypass leaks EC2 metadata IAM credentials, a PyYAML unsafe-loader RCE via SQS delivers a worker shell inside Docker, and a privileged LocalStack CodeBuild job writes to the overlay upperdir to hijack modprobe and pop root on the host.
2026-06-24
Recon → health endpoint leak → SSRF (extension + IP filter bypass) → EC2 metadata IAM creds → SQS job injection → PyYAML RCE → worker shell → LocalStack CodeBuild privileged build → overlay upperdir write → modprobe path hijack → Root
| Platform | HackTheBox |
| Target | nimbus.htb / aws.nimbus.htb |
| Operating System | Linux |
| Difficulty | Hard |
| Category | Cloud / Container Escape |
This machine is currently live on HackTheBox. The full writeup unlocks automatically once it retires.
← Back to writeups