Recent Posts

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a Flask API application via exposed source code in Gogs to get a shell as root in a Docker container. We then dumped the user table of a MySQL database via a Python script to get credentials and logged in via SSH to get user, and finally abused Vault SSH to get root using an OTP.

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

HackTheBox - Networked

5 minute read

Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.

HackTheBox - Jarvis

5 minute read

Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.