Posts

• Oct 18, 2023

  HTB: OPTIMUM (10.10.10.8)

  HTB HackTheBox powershell optimum nishang hfs HttpFileServer python RCE CVE-2014-6287 Server 2012 local_exploit_suggester
  
  

  Optimum is an easy rated windows box from Hack The Box. It runs a vulnerable version of HttpFileServer which is just a free web server specifically designed for publishing and sharing files. For the Privesc I Will exploit MS16-098 to gain administrative privileges on the box.

• Oct 14, 2023

  HTB: GRANNY (10.10.10.15)

  granny HTB HackTheBox wedav curl PUT MOVE msfvenom metasploit local_exploit_suggester davtest
  
  

  Granny is an easy windows box from HackTheBox running webdav that allows uploading of certain file extensions and blocking others. I will use curl to upload an aspx shell as txt file and later use curl to move it to an aspx extension which will execute on the webserver to gain initial foothold. In root I will use local_exploit_suggester, a module on metasploit, to serach for local exploits to privesc to nt authority.

• Oct 14, 2023

  HTB: GRANDPA (10.10.10.14)

  HTB HackTheBox Grandpa buffer overflow Juicy Potato Churrasco WebDAV davtest IIS 6.0 SeImpersonatePrivilege
  
  

  Grandpa is an easy windows box from HackTheBox similar in style to Granny but with a twist. I will find a buffer overflow vulnerability on IIS 6.0 which will give me my initial foothold on the box. For privesc I will use juicy potato to exploit the box and get admin privileges

• Oct 5, 2023

  HTB: MIRAI (10.10.10.48)

  Mirai HTB hackthebox data recovery raspberry pi default credentials plex Strings
  
  

  Mirai is an easy linux box from hack the box hosting a plex media server and running raspberry pi OS. The raspberry has its default credentials still intact. To escalate privileges, the user pi has the ability to execute sudo commands as root without needing any additional credentials. While this may seem straightforward, there's a twist. The root.txt flag isn't readily available in the root directory. Instead, you have to retrieve the deleted flag from a USB drive attached to the box.

• Oct 1, 2023

  HTB: SUNDAY (10.10.10.76)

  sunday solaris HTB HackTheBox finger-user-enum finger freeBSD hydra Bruteforcing bash unshadow shadow Hashcat wget troll
  
  

  Sunday is an easy box thats retired from Hack the box. I learned a tonn of stuff from this box, including enumerating users through Finger, brute forcing SSH, and exploiting sudo NOPASSWD. In beyond root I will look at the reset script and also log in to the web portal.

• Sep 30, 2023

  HTB: JEEVES (10.10.10.63)

  Jenkins Jeeves HTB HackTheBox Nishang Script console Groovey pass the hash password spray crackmapexec psexec gobuster Alternate Data Stream keepass keepass2john hashcat password cracking
  
  

  I will begin by targeting a web server and identifying a Jenkins instance that lacks authentication. This Jenkins misconfiguration can be exploited to gain execution privileges and establish a remote shell connection. Once I have access, I will search for a KeePass database, extract a hash, and leverage it to gain administrative privileges. It's worth noting that the root.txt file is hidden within an alternative data stream.

• Sep 29, 2023

  HTB: BASHED (10.10.10.68)

  bash webshell gobuster bashed htb hackthebox nmap sudo Linenum python cron crontab php
  
  

  Bashed is an easy linux box that presents an interesting challenge. It had a webshell already available but you had to do more enumeration just to find the directory. In privilage escalation, I will find a script directory with a cron job running and create a reverse shell which will be executed and give me access as root

• Sep 28, 2023

  HTB: DEVEL (10.10.10.5)

  Windows HTB hackthebox MS11-046 CVE-2011-1249 Kernel Exploit FTP Nishang Webshell Reverse shell Powershell cmd aspx devel msfvenom
  
  

  Devel is a user-friendly Windows box ideal for beginners. It begins with an open FTP server, allowing anonymous login with write access to the web server's root directory. My initial step involves uploading a webshell to establish a foothold, which will then enable me to gain a reverse shell on the system. Once inside, I'll explore various available Windows kernel exploits to escalate privileges and achieve root access.

• Sep 27, 2023

  HTB: SHOCKER (10.10.10.56)

  Bash ShellShock Environment Variables CGI Scripts CVE-2014–6271 Reverse Shell HTB HackTheBox Shocker GTFObin Pentestmonkey nmap BurpSuite Proxy Gobuster dirb
  
  

  Shocker is an easy box from HackThe Box themed after the shellshock vulnerability in Bash. The directory Bruteforce becomes tricky since it requires a trailing slash which most wordlists dont have. Intresting enough dirb as able to find it which shows the improtance of not relying on just one tool Privesc was an easy GTFObin in Perl

• Sep 26, 2023

  HTB: BLUE (10.10.10.40)

  Blue HTB HackTheBox metasploit nmap OSCP Like smbmap smbclient enum4linux EternalBlue MS17-010 Windows 7 Windows
  
  

  Blue is an easy box from HTB running a vulnerable version of SMB. I will show how to exploit MS17-010 both manual and using metasploit. I will have to modify the python script to add anonymous authentication for the script to work. I will also show why metasploit exploit worked despite not giving it any credentials

• Sep 25, 2023

  HTB: LEGACY (10.10.10.4)

  Windows xp htb hackthebox smb ms17-010 eternalblue shadow brokers msfvenom Legacy htb-legacy
  
  

  Legacy is an easy box on Hack The Box (HTB) that is susceptible to an SMB vulnerability. While it can be quickly exploited using a Metasploit module, I've chosen to demonstrate the manual approach to exploit this vulnerability.

• Sep 24, 2023

  HTB: BRAINFUCK (10.10.10.17)

  Brainfuck Insane Wordpress RSA htb boxes wpscan python SMTP IMAP POP3 https subdomain John ssh2john ctf crypto nmap vulnerable-plugin auth-bypass
  
  

  Brainfuck is an Insane Linux Box from Hack The Box which hosts a wordpress site with a vulnerable plugin which allows for authentication bypass. In root we dont actually get shell on the box but we are able to read the root flag by breaking RSA.

• Sep 23, 2023

  HTB: LAME (10.10.10.3)

  Vsftpd Samba HTB Hackthebox Lame CVE-2007-2447 CVE-2011-2523 shell python
  
  

  Lame is an easy box from HTB which was the first box on the platform. I start of by attempting to exploit vsftp but turns it fails due to a firewall running on the box, we will look at this in depth in beyond root. The box is also running a vulnerable version of Samba. I will take advantage of `CVE-2007-2447` vulnerability to gain root on the box. There is a `Metasploit` exploit which would have made the box super easy but I will exploit it the manual way.

• Feb 10, 2023

  HTB: PHOTOBOMB (10.10.11.182)

  hackthebox htb photobomb js command injection RCE path-injection burp
  
  

  Photobomb was an easy box from Hack The Box that starts out with having to find credentials within a JavaScript file, utilizing them to access an image manipulation panel, and then exploiting a command injection vulnerability in the panel to gain shell access. For privilege escalation, I will run a script as root, utilizing a find command that was not called with its full path.

• Apr 2, 2022

  HTB: SHIBBOLETH (10.10.11.124)

  hackthebox htb linux snmp zabbix command execution access control lists shibboleth nmap gobuster ipimi-svc mysql password reuse CVE-2021-27928 port 623 monitoring
  
  

  Shibboleth is a medium machine from HackTheBox created by knightmare & mrb3n. It starts off with a static website template. We will find a clue to look into BMC automation then find IPMI listening on UDP port 632. I will use Metasploit to leak a hash from IPMI, and crack it to get creds. This creds will allow me to log into Zabbix instance. Once in Zabbix i will use the Zabbix agent to execute commands and gain initial foothold. I will use credential reuse to pivots the next user. To get root, I’ll exploit a CVE in MariaDB / MySQL.

• Dec 4, 2021

  HTB: EXPLORE (10.10.10.247)

  ctf hackthebox android adb debug-port es-file-explorer CVE-2019-6447 5555 explore nmap port-forwad
  
  

  Explore is an easy Android box, the first of its kind on HTB. First I will check out the services running on the ports and discover ESFileExplorer which is vulnerable to CVE-2019-6447. This will allow me to read, list and get files. I will find a an image with credentials to the ssh service. Once logged in via SSH I will check for listening services and discover a hidden service listening on port 5555. I will forward this port to my box and use ADB to connect and gain root shell on the box.