Posts by Category

Windows

HackTheBox - Monteverde

8 minute read

Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.

HackTheBox - Resolute

10 minute read

Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.

Covenant C2

1 minute read

In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with it’s power, simplicity, and organisation I decided to type up some notes for myself regarding the installation and basic setup.

SDDL Security Descriptors

6 minute read

Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.

Active Directory Security Checklist

1 minute read

I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.

HackTheBox - Sniper

8 minute read

Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

HackTheBox - Json

12 minute read

Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.

HackTheBox - RE

12 minute read

RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

Windows Security Identifiers

8 minute read

Instead of having to check the Microsoft docs every time I needed to identify a mysterious SID, I decided to type up the table here so I can reference it easily when required.

DLL Shells

2 minute read

Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.

Back to Top ↑

HackTheBox

HackTheBox - Monteverde

8 minute read

Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.

HackTheBox - Resolute

10 minute read

Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.

HackTheBox - Sniper

8 minute read

Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.

HackTheBox - Postman

5 minute read

Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open redis server by writing our public key to the authorized_keys file which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

HackTheBox - Json

12 minute read

Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.

HackTheBox - RE

12 minute read

RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.

HackTheBox - Player

13 minute read

Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.

HackTheBox - Bitlab

11 minute read

Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

HackTheBox - Networked

5 minute read

Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.

HackTheBox - Jarvis

5 minute read

Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.

HackTheBox - Haystack

5 minute read

Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.

HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

HackTheBox - Ellingson

11 minute read

Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.

HackTheBox - Writeup

3 minute read

Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing a SSH startup process by injecting into PATH to get root.

Back to Top ↑

Linux

HackTheBox - Postman

5 minute read

Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open redis server by writing our public key to the authorized_keys file which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.

HackTheBox - Player

13 minute read

Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.

HackTheBox - Bitlab

11 minute read

Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

HackTheBox - Networked

5 minute read

Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.

HackTheBox - Jarvis

5 minute read

Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.

HackTheBox - Haystack

5 minute read

Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.

HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

HackTheBox - Ellingson

11 minute read

Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.

HackTheBox - Writeup

3 minute read

Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing a SSH startup process by injecting into PATH to get root.

Back to Top ↑

Cheat sheets

Back to Top ↑

Shells

DLL Shells

2 minute read

Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. What TTY you’re able to spawn will come down to available shells on the host - cat /etc/shells

Back to Top ↑

Web Apps

Back to Top ↑

Enumeration

Back to Top ↑

Priv Esc

Back to Top ↑

Active Directory

Active Directory Security Checklist

1 minute read

I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.

Back to Top ↑

Snippets

Back to Top ↑

Defence

Active Directory Security Checklist

1 minute read

I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.

Back to Top ↑

Infosec

Back to Top ↑

Password Attacks

Back to Top ↑

XSS

Back to Top ↑

Python

Back to Top ↑

Tools

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

Back to Top ↑

Cloud

Back to Top ↑

Review

Back to Top ↑