Explore CVE-2026-27944 and CVE-2026-3888 in Snapped, a new HTB Machine
Just days after two critical vulnerabilities were disclosed, you can now explore how they are exploited in the Snapped machine.
The foothold demonstrates CVE-2026-27944 in Nginx-UI, where the /api/backup endpoint is accessible without authentication. This endpoint returns a full backup of the nginx and Nginx-UI configuration files and exposes the key required to decrypt that backup in its response headers, allowing you to recover a weak user password from the Nginx-UI database file.
After gaining initial access, the machine shifts focus to privilege escalation through CVE-2026-3888, a TOCTOU race condition between snap-confine and systemd-tmpfiles. The challenge involves the deletion and recreation of a temporary mimic directory under /tmp, where an attacker must race the cleanup process by recreating the directory with controlled content and influencing execution timing via AF_UNIX socket backpressure during the bind-mount sequence.
By successfully winning the race condition, you can poison the sandbox’s shared libraries and leverage dynamic linker hijacking against the SUID-root snap-confine binary. This ultimately enables full system compromise, demonstrating how misconfigurations and race conditions can be chained together to escalate from initial access to root.
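The TOCTOU described above comes from trusting a /tmp path that can be deleted and recreated between the check and the use. As an added defensive example (not code from snap-confine, systemd or the machine itself), the sketch below shows the general race-resistant pattern: open the directory once, validate the opened object through its file descriptor, and reach its contents only relative to that descriptor. The function names and the sample path are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` as a directory and validate the opened object itself.
 * Returns a directory fd on success, or -1 if the final component is a
 * symlink, is not a directory, is not owned by `owner`, or is writable
 * by group/other. */
int open_trusted_dir(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    /* fstat() inspects the inode behind fd, not whatever now lives at path,
     * so a later delete-and-recreate of the path cannot change the answer. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Open an entry inside an already validated directory, relative to its fd,
 * so the directory path is never resolved a second time. */
int open_in_trusted_dir(int dirfd, const char *name)
{
    return openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

int main(void)
{
    char tmpl[] = "/tmp/mimic-demo.XXXXXX"; /* constructed sample path */
    if (!mkdtemp(tmpl))
        return 1;
    int fd = open_trusted_dir(tmpl, getuid());
    printf("trusted dir fd: %d\n", fd);
    if (fd >= 0)
        close(fd);
    rmdir(tmpl);
    return 0;
}
```

O_NOFOLLOW only protects the final path component, so the parent directories must themselves be trusted or walked with the same openat pattern.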
