Posts
HTB: OPTIMUM (10.10.10.8)
Optimum is an easy rated windows box from Hack The Box. It runs a vulnerable version of HttpFileServer which is just a free web server specifically designed for publishing and sharing files. For the Privesc I Will exploit MS16-098 to gain administrative privileges on the box.
HTB: GRANNY (10.10.10.15)
Granny is an easy windows box from HackTheBox running webdav that allows uploading of certain file extensions and blocking others. I will use curl to upload an aspx shell as txt file and later use curl to move it to an aspx extension which will execute on the webserver to gain initial foothold. In root I will use local_exploit_suggester, a module on metasploit, to serach for local exploits to privesc to nt authority.
HTB: GRANDPA (10.10.10.14)
Grandpa is an easy windows box from HackTheBox similar in style to Granny but with a twist. I will find a buffer overflow vulnerability on IIS 6.0 which will give me my initial foothold on the box. For privesc I will use juicy potato to exploit the box and get admin privileges
HTB: MIRAI (10.10.10.48)
Mirai is an easy linux box from hack the box hosting a plex media server and running raspberry pi OS. The raspberry has its default credentials still intact. To escalate privileges, the user pi has the ability to execute sudo commands as root without needing any additional credentials. While this may seem straightforward, there's a twist. The root.txt flag isn't readily available in the root directory. Instead, you have to retrieve the deleted flag from a USB drive attached to the box.
HTB: SUNDAY (10.10.10.76)
Sunday is an easy box thats retired from Hack the box. I learned a tonn of stuff from this box, including enumerating users through Finger, brute forcing SSH, and exploiting sudo NOPASSWD. In beyond root I will look at the reset script and also log in to the web portal.
HTB: JEEVES (10.10.10.63)
I will begin by targeting a web server and identifying a Jenkins instance that lacks authentication. This Jenkins misconfiguration can be exploited to gain execution privileges and establish a remote shell connection. Once I have access, I will search for a KeePass database, extract a hash, and leverage it to gain administrative privileges. It's worth noting that the root.txt file is hidden within an alternative data stream.
HTB: BASHED (10.10.10.68)
Bashed is an easy linux box that presents an interesting challenge. It had a webshell already available but you had to do more enumeration just to find the directory. In privilage escalation, I will find a script directory with a cron job running and create a reverse shell which will be executed and give me access as root
HTB: DEVEL (10.10.10.5)
Devel is a user-friendly Windows box ideal for beginners. It begins with an open FTP server, allowing anonymous login with write access to the web server's root directory. My initial step involves uploading a webshell to establish a foothold, which will then enable me to gain a reverse shell on the system. Once inside, I'll explore various available Windows kernel exploits to escalate privileges and achieve root access.
HTB: SHOCKER (10.10.10.56)
Shocker is an easy box from HackThe Box themed after the shellshock vulnerability in Bash. The directory Bruteforce becomes tricky since it requires a trailing slash which most wordlists dont have. Intresting enough dirb as able to find it which shows the improtance of not relying on just one tool Privesc was an easy GTFObin in Perl
HTB: BLUE (10.10.10.40)
Blue is an easy box from HTB running a vulnerable version of SMB. I will show how to exploit MS17-010 both manual and using metasploit. I will have to modify the python script to add anonymous authentication for the script to work. I will also show why metasploit exploit worked despite not giving it any credentials
HTB: LEGACY (10.10.10.4)
Legacy is an easy box on Hack The Box (HTB) that is susceptible to an SMB vulnerability. While it can be quickly exploited using a Metasploit module, I've chosen to demonstrate the manual approach to exploit this vulnerability.
HTB: BRAINFUCK (10.10.10.17)
Brainfuck is an Insane Linux Box from Hack The Box which hosts a wordpress site with a vulnerable plugin which allows for authentication bypass. In root we dont actually get shell on the box but we are able to read the root flag by breaking RSA.
HTB: LAME (10.10.10.3)
Lame is an easy box from HTB which was the first box on the platform. I start of by attempting to exploit vsftp but turns it fails due to a firewall running on the box, we will look at this in depth in beyond root. The box is also running a vulnerable version of Samba. I will take advantage of `CVE-2007-2447` vulnerability to gain root on the box. There is a `Metasploit` exploit which would have made the box super easy but I will exploit it the manual way.
HTB: PHOTOBOMB (10.10.11.182)
Photobomb was an easy box from Hack The Box that starts out with having to find credentials within a JavaScript file, utilizing them to access an image manipulation panel, and then exploiting a command injection vulnerability in the panel to gain shell access. For privilege escalation, I will run a script as root, utilizing a find command that was not called with its full path.
HTB: SHIBBOLETH (10.10.11.124)
Shibboleth is a medium machine from HackTheBox created by knightmare & mrb3n. It starts off with a static website template. We will find a clue to look into BMC automation then find IPMI listening on UDP port 632. I will use Metasploit to leak a hash from IPMI, and crack it to get creds. This creds will allow me to log into Zabbix instance. Once in Zabbix i will use the Zabbix agent to execute commands and gain initial foothold. I will use credential reuse to pivots the next user. To get root, I’ll exploit a CVE in MariaDB / MySQL.
HTB: EXPLORE (10.10.10.247)
Explore is an easy Android box, the first of its kind on HTB. First I will check out the services running on the ports and discover ESFileExplorer which is vulnerable to CVE-2019-6447. This will allow me to read, list and get files. I will find a an image with credentials to the ssh service. Once logged in via SSH I will check for listening services and discover a hidden service listening on port 5555. I will forward this port to my box and use ADB to connect and gain root shell on the box.