HTB: Valentine

Summary Valentine is an easy Linux box that can be exploited by enumerating the HTTP(S) service properly and identifying that the host is vulnerable to Heartbleed. By exploiting Heartbleed you can obtain a Base64-encoded password that, in combination with a private key file, gives an initial foothold on Valentine. The PrivEsc is done by abusing a Tmux session running as root. Discovery Nmap discovered the following open ports and services:...
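The Heartbleed step above ends with a Base64 string sitting somewhere in a pile of leaked memory. The script below is an added example, not code from this writeup: it pulls every run of base64-alphabet characters out of a dump rendered as text, keeps the ones that are length-aligned and decode to printable ASCII, and drops binary noise and hex-looking decoys. The dump and the secret inside it are constructed for the example and are not Valentine's values.

```python
"""Sift printable base64 strings out of a raw memory dump (added example)."""
import base64
import re

# Runs of 16+ base64-alphabet characters with optional trailing padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def base64_candidates(blob):
    """Return (token, decoded_text) for every base64 run in `blob` that
    decodes cleanly to printable ASCII. Runs whose length is not a multiple
    of four, or that decode to binary noise, are dropped."""
    found = []
    for match in _B64_RUN.finditer(blob):
        token = match.group(0)
        if len(token) % 4:
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            found.append((token, text))
    return found


# Constructed stand-in for a Heartbleed response rendered as text. The
# secret is made up for this example and is not Valentine's value.
EXAMPLE_SECRET = "s3cr3t-example-pw"
SAMPLE_DUMP = (
    "POST /decode.php HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "$text=" + base64.b64encode(EXAMPLE_SECRET.encode()).decode() + "\r\n"
    "\x00\x00\x1f\x8b deadbeefdeadbeefdeadbeef \x00\x00"  # noise plus a hex-looking decoy
)


if __name__ == "__main__":
    for token, text in base64_candidates(SAMPLE_DUMP):
        print(f"{token} -> {text!r}")
```

Run it against `strings` output of the real dump rather than the raw bytes; the hex decoy in the sample shows why the printable check matters, since it is valid base64 but decodes to garbage.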

July 20, 2022 · 3 min · Me

HTB: Swagshop

Summary SwagShop is an easy Linux box. It can be exploited by enumerating the web server and finding a script that creates admin users. After tweaking that script you can continue with the authenticated remote code execution script, which requires a lot of troubleshooting and modification. Debugging it with Burp Suite and pdb eventually results in code execution. Privileges can be escalated by abusing the vi binary, which can be run with sudo without a password from a certain directory....

July 20, 2022 · 6 min · Me

HTB: Sunday

Summary Sunday is an easy Solaris box that can be exploited by brute-forcing the finger service to find two users, one of which has default credentials that give a low-privileged shell. By enumerating the system you will find a backup of the shadow file, which can be cracked to obtain the second user's credentials. The final privilege escalation is obtained by abusing both users' sudo permissions....

July 20, 2022 · 5 min · Me

HTB: Solidstate

Summary SolidState is an easy Linux box that can be exploited by identifying an unusual remote port running the Apache James Remote Administration tool, version 2.3.2, with default credentials. Through this tool users were identified and their passwords changed, which allowed authenticating to POP3 on port 110. An email was retrieved that contained plaintext credentials, which enabled an SSH shell. The privilege escalation was the result of a world-writable Python file that was modified to execute a bash script....

July 20, 2022 · 4 min · Me

HTB: Shocker

Summary Shocker is an easy Linux box that can be exploited with Shellshock (CVE-2014-6271). Privileges can be escalated with the perl binary, which can be run as root with sudo. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10.129.24.92 PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2....
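Shellshock probes are easy to spot in web logs because the trigger is a function-definition prefix, `() {`, placed in a header that the CGI handler exports as an environment variable. The detector below is an added example, not from this writeup: it parses combined-format access log lines, URL-decodes the request line, and flags any field carrying that prefix. The log lines are constructed for the example and were not captured from Shocker.

```python
"""Flag Shellshock (CVE-2014-6271 family) probes in combined-format web logs."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
# The trigger is a function definition "() {" at the start of an env var
# value; whitespace between the parentheses and the brace is optional.
_SHELLSHOCK = re.compile(r"\(\)\s*\{")


def detect_shellshock(lines):
    """Return one hit per (line, field) whose value contains a Shellshock
    function-definition prefix. The request line is URL-decoded first so
    encoded probes in the query string are caught too."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        fields = {
            "request": unquote(m["request"]),
            "referer": m["referer"],
            "user_agent": m["user_agent"],
        }
        for field, value in fields.items():
            if _SHELLSHOCK.search(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "field": field, "value": value})
    return hits


# Constructed sample lines; not taken from Shocker or any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jul/2022:10:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 312 "-" "() { :; }; /bin/bash -c 'id'"
10.0.0.6 - - [20/Jul/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Jul/2022:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { _; } >_[$($())] { echo hit; }" "curl/7.68.0"
10.0.0.8 - - [20/Jul/2022:10:00:04 +0000] "GET /cgi-bin/x?q=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in detect_shellshock(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['field']}: {hit['value']}")
```

The third sample line carries the CVE-2014-7169 variant in the Referer header, and the fourth hides the prefix behind URL encoding in the query string; both are caught because every exported field is checked, not just User-Agent. On the host itself, `env x='() { :;}; echo vulnerable' bash -c 'echo test'` printing `vulnerable` is the quick check that bash is still unpatched.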

July 20, 2022 · 2 min · Me

HTB: Sense

Summary Sense is an easy FreeBSD box that can be exploited by performing a directory brute-force to identify the pfSense login page. The brute-force also identifies a file that contains credentials for pfSense. That combination was used to exploit pfSense with a public exploit and obtain a root shell. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10.129.94.74 PORT STATE SERVICE 80/tcp open http 443/tcp open https Gobuster found the following locations:...

July 20, 2022 · 2 min · Me

HTB: Postman

Summary Postman is an easy Linux box. It can be exploited by enumerating SMB and finding credentials which can be used to authenticate to an admin portal. This portal can be found by performing DNS enumeration and obtaining several new subdomains. The application was vulnerable to LFI and in combination with a writeable SMB share, this could be chained to obtain a low-level shell. Privileges were escalated by finding credentials in a configuration file and by abusing a writeable python library through python library hijacking....

July 20, 2022 · 9 min · Me

HTB: Popcorn

Summary Popcorn is a medium Linux box that is probably on the edge of easy. It can be exploited through a SQL injection authentication bypass, after which you have administrative access to Torrent Hoster. This is vulnerable to a file upload bypass, which gives you a low-privileged reverse shell. The PrivEsc can be done two ways: the intended way is to exploit motd.legal-displayed, the other is a kernel exploit....

July 20, 2022 · 4 min · Me

HTB: Poison

Summary Poison is an easy FreeBSD box that can be exploited by abusing the Local File Inclusion on the web server's home page. From there it is possible to read a backup of a password file that comes with a subtle hint on how to decode it. This provides a lower-privileged SSH shell, from where you will see a secret zip archive. After enumerating the running processes you will identify a TightVNC process running as root that can only be reached from localhost....

July 20, 2022 · 5 min · Me

HTB: Nineveh

Summary Nineveh is a medium Linux box that can be exploited by brute-forcing login credentials. This leads you to a page that is vulnerable to LFI. Credentials can then be brute-forced to authenticate to phpLiteAdmin, after which you can create a new database containing malicious PHP code that gets executed when it is included through the LFI. A private key was found inside one of the images, which combined with a port knock gives a lower-privileged SSH shell....

July 20, 2022 · 5 min · Me

HTB: Nibbles

Summary Nibbles is an easy Linux box that can be exploited by brute-forcing the administrator's login page. After this you can install a malicious plugin thanks to a file upload vulnerability. Privileges can be escalated by replacing a monitoring script that can be run with sudo. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10.129.25.188/ PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7....

July 20, 2022 · 3 min · Me

HTB: Netmon

Summary Netmon is an easy Windows box. It can be exploited by enumerating FTP and finding credentials that can be used to authenticate to PRTG, which is running on port 80. With those credentials a script can be used (after modifications) to obtain a SYSTEM shell, or a manual method can be used. Discovery Started off by running NmapAutomator. Nmap discovered the following open ports and services: PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 80/tcp open http Indy httpd 18....

July 20, 2022 · 6 min · Me

HTB: Mirai

Summary Mirai is an easy Linux box. It can be exploited by properly enumerating the application and finding an admin directory that discloses that Pi-hole is used. The default credentials were used to open an SSH shell. The user pi was able to execute all commands as root, but root.txt had been moved to a USB stick and deleted from there as well, so it has to be recovered by analysing the raw disk....

July 20, 2022 · 3 min · Me

HTB: Legacy

Summary Legacy is one of the easiest boxes on HackTheBox. It runs Windows XP and is vulnerable to EternalBlue (MS17-010); a public exploit provides a SYSTEM shell. Discovery Started off by running NmapAutomator. Nmap discovered the following open ports and services: PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds The automated nmap script discovered a potential vulnerability for EternalBlue:...

July 20, 2022 · 2 min · Me

HTB: Lame

Summary Lame is an easy Linux box that can be exploited with CVE-2007-2447 (the Samba username map script command injection); no privilege escalation was required. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -Pn -oN fullnmap 10.129.24.78 PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed (FTP code 230) | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.14.33 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2....

July 20, 2022 · 3 min · Me

HTB: Jerry

Summary Jerry is an easy Windows box that can be exploited by abusing Apache Tomcat's default credentials to access the Tomcat manager dashboard, from where you can upload .war files. Such a file can be generated with MSFvenom and, once deployed, provides a reverse shell as SYSTEM. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10.129.105.253 PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1....

July 20, 2022 · 2 min · Me

HTB: Irked

Summary Irked is an easy Linux box. It can be exploited by properly enumerating the box and finding that it is running a vulnerable version of UnrealIRCd. This can be exploited with a Python script, which provides the initial shell. To obtain the low-privileged user you need to use steganography extraction techniques to find the text file hidden in the landing page image. After this you can exploit a SUID binary that executes a non-existent script from /tmp....

July 20, 2022 · 4 min · Me

HTB: Haircut

Summary Haircut is a medium Linux box. It can be exploited by properly brute-forcing files and directories on the web server. This leads to an exposed PHP page that fetches files with curl, which can be abused to download a PHP reverse shell. Privileges can be escalated by abusing a vulnerable SUID binary, which provides a root shell. Discovery Started off by running NmapAutomator....

July 20, 2022 · 4 min · Me

HTB: Granny

Summary Granny is an easy Windows box. It can be exploited by properly enumerating the box and finding that it is running Microsoft IIS 6.0, which is vulnerable to a well-known bug: CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service. Exploiting it resulted in a shell as nt authority\network service, which was upgraded through token kidnapping with churrasco....

July 20, 2022 · 4 min · Me

HTB: Grandpa

Summary Grandpa is an easy Windows box. It can be exploited by properly enumerating the box and finding that it is running Microsoft IIS 6.0, which is vulnerable to a well-known bug: CVE-2017-7269, a buffer overflow in the ScStoragePathFromUrl function of the WebDAV service. Exploiting it resulted in a shell as nt authority\network service, which was upgraded through token kidnapping with churrasco....

July 20, 2022 · 4 min · Me

HTB: Friendzone

Summary Friendzone is an easy Linux box. It can be exploited by enumerating SMB and finding credentials that can be used to authenticate to an admin portal. This portal is found by performing DNS enumeration and obtaining several new subdomains. The application was vulnerable to LFI, which in combination with a writable SMB share could be chained to obtain a low-privileged shell. Privileges were escalated by finding credentials in a configuration file and by abusing a writable Python library through Python library hijacking....
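Both this summary and the Postman one above end with Python library hijacking: a root process imports a module from a location an unprivileged user can write, either by editing the module in place or by planting a same-named file in a directory that is searched earlier. The audit below is an added example, not the author's code; it checks an ordered search path (same semantics as sys.path) for exactly those two conditions, and demo() builds a throwaway layout under a temporary directory, constructed for the example, to exercise it.

```python
"""Audit a Python module search path for library-hijacking opportunities."""
import os
import stat
import tempfile


def _world_writable(path):
    """True if any user may write `path` (the o+w bit), which is what a
    low-privileged user needs to plant or edit code a root process imports."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def writable_import_locations(search_path, module):
    """Report where an unprivileged user could hijack `module`.

    A world-writable directory only matters if it is searched before (or is)
    the directory holding the real module, because the first hit wins; a
    world-writable module file can be edited in place wherever it lives."""
    dirs = [d or os.getcwd() for d in search_path]  # '' means the CWD
    real_index = next((i for i, d in enumerate(dirs)
                       if os.path.isfile(os.path.join(d, module + ".py"))), None)
    findings = []
    for idx, directory in enumerate(dirs):
        if not os.path.isdir(directory):
            continue
        if _world_writable(directory) and (real_index is None or idx <= real_index):
            findings.append((directory,
                             "dir world-writable: a planted %s.py shadows the real module" % module))
        candidate = os.path.join(directory, module + ".py")
        if os.path.isfile(candidate) and _world_writable(candidate):
            findings.append((candidate, "module world-writable: code can be edited in place"))
    return findings


def demo():
    """Build a throwaway layout (constructed for this example) and audit it:
    scratch/ (0777) is searched first, lib/ (0755) holds the real modules,
    late/ (0777) is searched after lib/ and must not count for safe_mod."""
    root = tempfile.mkdtemp()
    scratch, lib, late = (os.path.join(root, n) for n in ("scratch", "lib", "late"))
    for d, mode in ((scratch, 0o777), (lib, 0o755), (late, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)
    for name, mode in (("safe_mod.py", 0o644), ("loose_mod.py", 0o666)):
        path = os.path.join(lib, name)
        with open(path, "w") as fh:
            fh.write("VALUE = 1\n")
        os.chmod(path, mode)
    path_order = [scratch, lib, late]
    return {
        "safe_mod": writable_import_locations(path_order, "safe_mod"),
        "loose_mod": writable_import_locations(path_order, "loose_mod"),
        "missing_mod": writable_import_locations(path_order, "missing_mod"),
    }


if __name__ == "__main__":
    for module, findings in demo().items():
        print(module)
        for where, why in findings:
            print("  ", where, "-", why)
```

To audit a real script run from cron or sudo, feed it the interpreter's actual path order (`python3 -c 'import sys; print(sys.path)'` run as that user) and the modules the script imports; the leading empty entry, which resolves to the working directory of the privileged process, is the one most often overlooked.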

July 20, 2022 · 9 min · Me

HTB: Devel

Summary Devel is an easy Linux box that can be exploited by properly enumerating all ports and services. You will find that there are multiple domains by enumerating DNS. The admin login page is vulnerable to SQL Injection after which you can execute command injection to obtain a low level shell. Privileges can be escalated by exploiting a php cronjob. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10....

July 20, 2022 · 4 min · Me

HTB: Cronos

Summary Cronos is an easy Linux box that can be exploited by properly enumerating all ports and services. By enumerating DNS you will find multiple domains. The admin login page is vulnerable to SQL injection, after which command injection gives a low-privileged shell. Privileges can be escalated by exploiting a PHP cron job. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10....

July 20, 2022 · 4 min · Me

HTB: Blocky

Summary Blocky is an easy Linux box. It can be exploited by properly enumerating the application. Brute-forcing files and directories leads to a wiki page that discloses some useful information. This led to checking the plugins directory, which contains a .jar that can be decompiled to reveal plaintext credentials. These were used to authenticate to phpMyAdmin, where the wp_users table contained more plaintext credentials. These provided a shell as the notch user....

July 20, 2022 · 3 min · Me

HTB: Beep

Summary Beep is an easy Linux box that can be exploited by properly enumerating all ports and services. You will find an Elastix login portal. This Elastix version is vulnerable to local file inclusion, which reveals root credentials that can be used to open an SSH shell. It is worth mentioning that there are other ways of exploiting this host. Discovery Nmap discovered the following open ports and services:...

July 20, 2022 · 3 min · Me

HTB: Bastard

Summary Bastard is a medium Windows box. It can be exploited by enumerating the web server and identifying that Drupal is running. That Drupal version is vulnerable to an RCE exploit that can be used to gain initial access. The privilege escalation is based on abusing SeImpersonatePrivilege to obtain a SYSTEM shell. Discovery Started off by running NmapAutomator. Nmap discovered the following open ports and services: PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 7....

July 20, 2022 · 3 min · Me

HTB: Bashed

Summary Bashed is an easy Linux box that can be exploited by discovering a PHP web shell named ‘phpbash.php’ on the web server. Privileges can be escalated by exploiting a cron job that runs as root. Discovery Nmap discovered the following open ports and services: nmap -sC -sV -oN fullscan -Pn 10.129.24.131 PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Arrexel's Development Site The first thing I checked was the webserver....

July 20, 2022 · 3 min · Me

HTB: Bank

Summary Bank is an easy Linux box. It can be exploited by enumerating DNS and finding a new subdomain that forwards to a login page. This domain was brute-forced for directories and contained a directory with a large number of sensitive files holding encrypted emails and passwords. One of the files contained plaintext credentials, which was found with grep. After obtaining credentials you have access to a support page where you can create a ticket and bypass the file upload restrictions....

July 20, 2022 · 4 min · Me

HTB: Arctic

Summary Arctic is an easy Windows box. It can be exploited by visiting an odd port in the browser and finding that ColdFusion is running. A directory traversal can be abused to obtain a password hash, which was cracked to obtain administrative access. ColdFusion lets you run scheduled tasks; this was used to retrieve a JSP reverse shell, which provided initial access. Sherlock was executed and found several potentially exploitable missing patches....

July 20, 2022 · 3 min · Me

HTB: Active

Summary Active is an easy Windows box that can be exploited by enumerating the SMB service and finding a Group Policy Preferences cpassword in one of the files. This can be decrypted with the published key, resulting in valid credentials that can be used to enumerate SMB again, this time from an authenticated perspective. Then you can apply Kerberoasting to obtain a service ticket hash for the Administrator account, which can be cracked offline with hashcat or John the Ripper. By using smbexec.py from Impacket you will obtain a semi-interactive shell....
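The file found over SMB in this box is a Group Policy Preferences XML whose cpassword attribute holds an AES-encrypted password; Microsoft published the key, which is why any leftover cpassword in SYSVOL is effectively plaintext. The scanner below is an added example, not code from this writeup: it finds every cpassword attribute in a GPP XML file (Groups.xml, Services.xml, ScheduledTasks.xml and the others share the attribute), restores the base64 padding that GPP strips, and checks that the ciphertext is AES-block aligned. The decryption step itself is not shown, since it needs the published key and an AES library; the Groups.xml sample and its ciphertext are constructed and meaningless.

```python
"""Find leftover Group Policy Preferences passwords (cpassword) in SYSVOL XML."""
import base64
import xml.etree.ElementTree as ET


def _cipher_bytes(cpassword):
    """GPP stores the AES-256-CBC ciphertext as base64 with the '=' padding
    stripped; restore it before decoding so the length check is meaningful."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    return base64.b64decode(padded)


def find_cpasswords(xml_text, source="Groups.xml"):
    """Return one finding per element carrying a cpassword attribute.
    `aes_block_aligned` is False when the blob cannot be AES-CBC output,
    which usually means a truncated or hand-edited file."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        blob = _cipher_bytes(cpw)
        findings.append({
            "source": source,
            "element": elem.tag,
            # the account attribute differs per preference type
            "account": elem.get("userName") or elem.get("accountName")
                       or elem.get("runAs") or "?",
            "cpassword": cpw,
            "cipher_len": len(blob),
            "aes_block_aligned": len(blob) % 16 == 0,
        })
    return findings


# Constructed Groups.xml; the ciphertext is 32 arbitrary bytes, not a real
# encrypted password, so it will not decrypt to anything meaningful.
_FAKE_CIPHERTEXT = base64.b64encode(bytes(range(32))).decode().rstrip("=")
SAMPLE_GROUPS_XML = f"""<Groups clsid="{{3125E937-EB16-4b4c-9934-544FC6D24D26}}">
  <User clsid="{{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}}" name="svc_example" changed="2022-07-20 10:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="{_FAKE_CIPHERTEXT}" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="svc_example"/>
  </User>
  <User clsid="{{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}}" name="clean" changed="2022-07-20 10:00:01">
    <Properties action="U" userName="clean" changeLogon="0"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f["source"], f["element"], f["account"],
              f["cipher_len"], "aligned" if f["aes_block_aligned"] else "malformed")
```

Point it at every XML file under `\\<dc>\SYSVOL\<domain>\Policies\` (which any domain user can read, and which anonymous access exposed here); a single hit is a finding regardless of whether the account still exists, because the same password is often reused elsewhere.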

July 20, 2022 · 3 min · Me

HTB: Access

Summary Access is an easy Windows box that can be exploited by enumerating the FTP server and finding two useful files. After extracting the tables from backup.mdb you will find credentials that can be used to unzip a password-protected archive. This archive contains a .pst file, which contains an email with credentials. These credentials were then used to authenticate to the Telnet server. Privileges were escalated by abusing runas with stored credentials to obtain an Administrator shell....

July 20, 2022 · 3 min · Me

HTB: Academy

Summary Academy is an easy Linux box that can be exploited by registering a user with administrator privileges. After authenticating as an admin, a new sub-domain is discovered. It exposes a vulnerability in the Laravel framework that was used to gain an initial foothold. After finding sensitive information in environment variables and log files, it is possible to switch to a higher-privileged user. This user was allowed to run composer as root, which has a GTFOBins entry that could be used to spawn a root shell....

July 18, 2022 · 4 min · Me