This writeup details the complete attack chain for the Silentium machine, starting from a vulnerable Flowise AI instance to a privilege escalation using a recent Gogs vulnerability (CVE-2025-8110). 1. Enumeration & Discovery Initial enumeration of the target IP revealed an Nginx web server redirecting to silentium.htb and an open SSH port. nmap -sV -sC <TARGET_IP> Enter fullscreen mode Exit fullscreen mode Adding the primary domain to /etc/hosts : echo "<TARGET_IP> silentium.htb" | sudo tee -a /etc/hosts Enter fullscreen mode Exit fullscreen mode VHost Fuzzing Knowing we were dealing with a web application, we fuzzed for subdomains using gobuster and discovered a staging environment: gobuster vhost -u http://silentium.htb -w /usr/share/wordlists/dirb/common.txt --append-domain Enter fullscreen mode Exit fullscreen mode This revealed staging.silentium.htb . We added this to /etc/hosts and navigated to it, discovering an instance of Flowise AI (version 3.0.5). 2.…