Recent Posts

HackTheBox - Postman

5 minute read

Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open Redis server by writing our public key to the authorized_keys file, which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin's cookie, which contains credentials for the admin interface. You then log in and find SQLi to get the source code of a script that's vulnerable to SSRF, and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

HackTheBox - Json

12 minute read

Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error, which leads you to ysoserial.net. You then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to log in via FTP and get the flag, or you can get SYSTEM via Juicy Potato.

HackTheBox - RE

12 minute read

RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, which allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get an NT AUTHORITY\SYSTEM shell and then impersonate an available token, which allows you to get root.