Posts by Tag

PowerShell

HackTheBox - Monteverde

8 minute read

Monteverde was an interesting 30 point box created by egre55. It starts with user enumeration, which leads to password spraying and the discovery of a service account with a weak password. You then dump an SMB share using the service account's credentials and find further credentials used by Azure, which let you WinRM in and get user. You then have to modify an exploit that abuses Azure's Password Hash Synchronization to dump the Administrator credentials, and use those to WinRM in again and get the root flag.

HackTheBox - Resolute

10 minute read

Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration, which allows you to password spray and find that the password has been reused, letting you log in via WinRM and get the user flag. You then find a second set of credentials in a PowerShell transcript file, log in again via WinRM with those, and finally abuse the user's group privileges to get root.

HackTheBox - Sniper

8 minute read

Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI that turned out to be vulnerable to RFI as well, which we exploited by hosting a web shell on our own Samba SMB server and including it over SMB. You can then use some PowerShell to execute commands as chris to get user and subsequently a Meterpreter shell on the box. Finally you had to create a malicious CHM file which, when opened, executes nc.exe and sends you a shell, and subsequently root.

HackTheBox - RE

12 minute read

RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that executes once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, which allows you to escalate privileges to iis apppool\reblog. From there you plant a binary for a vulnerable service to get an NT AUTHORITY\SYSTEM shell and then impersonate an available token, which allows you to get root.

SSH

HackTheBox - Postman

5 minute read

Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open Redis server by writing our public key into the authorized_keys file, which allows you to SSH in. You then find an encrypted RSA private key and crack its passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot. It started out by finding a wav file upload and using it to get SQL injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP process running as root, using some Java calls and jdb to get code execution and return a reverse shell to get root.

HackTheBox - Player

13 minute read

Player was a fun 40 point box created by MrR3boot. It started out with heavy vhost enumeration, which leads you to some backup file artifacts that expose an access code and passphrase. We then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit, with which you can read local files to get user.

HackTheBox - Bitlab

11 minute read

Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting a call to Python's eval() in a Flask API application, via source code exposed in Gogs, to get a shell as root inside a Docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abuse Vault's SSH secrets engine to get root using an OTP.

HackTheBox - Haystack

5 minute read

Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.

HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

HackTheBox - Ellingson

11 minute read

Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.

HackTheBox - Writeup

3 minute read

Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing an SSH startup process by injecting into PATH to get root.

Python

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin's cookie, which contains credentials for the admin interface. You then log in and find SQLi that lets you read the source code of a script vulnerable to SSRF, and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.
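An added example, not from the original post, that automates the check above: it reads an /etc/shells-style file, picks the first listed shell that actually exists and is executable, and prints the usual PTY-spawn one-liner for every interpreter found on PATH. The one-liners are the common cheat-sheet forms; only the python pty.spawn and script(1) variants allocate a real pseudo-terminal, the perl/ruby/lua forms just exec the shell. The `script -qc` form assumes util-linux script (Linux), not the BSD variant.

```shell
#!/bin/sh
# Added example, not from the original post: pick a usable shell from an
# /etc/shells-style file and print the PTY-spawn one-liner for each
# interpreter present on the host.

# usable_shell FILE
# Print the first entry in FILE (one path per line, '#' comments allowed)
# that exists and is executable. Returns 1 if none does.
usable_shell() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;            # skip blanks and comments
        esac
        if [ -x "$line" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done < "$1"
    return 1
}

# spawn_cmd INTERP SHELL
# Print the one-liner that upgrades the current dumb shell to SHELL via
# INTERP. Only python's pty.spawn and util-linux script(1) allocate a real
# pseudo-terminal; the perl/ruby/lua forms just exec the shell.
spawn_cmd() {
    case "$1" in
        python|python3) printf '%s\n' "$1 -c 'import pty; pty.spawn(\"$2\")'" ;;
        perl)           printf '%s\n' "perl -e 'exec \"$2\";'" ;;
        ruby)           printf '%s\n' "ruby -e 'exec \"$2\"'" ;;
        lua)            printf '%s\n' "lua -e 'os.execute(\"$2\")'" ;;
        script)         printf '%s\n' "script -qc $2 /dev/null" ;;
        *)              return 1 ;;
    esac
}

# Driver: use the host's /etc/shells when present, else fall back to /bin/sh,
# and list a spawn command for every interpreter that is actually on PATH.
target=$(usable_shell /etc/shells 2>/dev/null) || target=/bin/sh
for interp in python3 python perl ruby lua script; do
    if command -v "$interp" >/dev/null 2>&1; then
        spawn_cmd "$interp" "$target"
    fi
done
```

Run it from the dumb shell you already have; paste whichever printed line matches an interpreter on the box, then fix the terminal size and TERM on your side as usual.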

Windows

Covenant C2

1 minute read

In light of being advised to use Covenant during the Cybernetics pro labs from HTB, and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself regarding the installation and basic setup.

SDDL Security Descriptors

6 minute read

Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.

Windows Security Identifiers

8 minute read

Instead of having to check the Microsoft docs every time I needed to identify a mysterious SID, I decided to type up the table here so I can reference it easily when required.

DLL Shells

2 minute read

Quick post covering a few different ways to create and generate malicious DLLs for reverse/bind shells and for command execution.

Active Directory

Active Directory Security Checklist

1 minute read

I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack; you then crack the resulting hash and log in via WinRM to get user. You then have to run Invoke-BloodHound and abuse the privileges our user has to get root.

SMB

HackTheBox - Monteverde

8 minute read

Monteverde was an interesting 30 point box created by egre55. It starts with user enumeration, which leads to password spraying and the discovery of a service account with a weak password. You then dump an SMB share using the service account's credentials and find further credentials used by Azure, which let you WinRM in and get user. You then have to modify an exploit that abuses Azure's Password Hash Synchronization to dump the Administrator credentials, and use those to WinRM in again and get the root flag.

HackTheBox - Resolute

10 minute read

Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration, which allows you to password spray and find that the password has been reused, letting you log in via WinRM and get the user flag. You then find a second set of credentials in a PowerShell transcript file, log in again via WinRM with those, and finally abuse the user's group privileges to get root.

HackTheBox - Sniper

8 minute read

Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI that turned out to be vulnerable to RFI as well, which we exploited by hosting a web shell on our own Samba SMB server and including it over SMB. You can then use some PowerShell to execute commands as chris to get user and subsequently a Meterpreter shell on the box. Finally you had to create a malicious CHM file which, when opened, executes nc.exe and sends you a shell, and subsequently root.

HackTheBox - RE

12 minute read

RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that executes once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, which allows you to escalate privileges to iis apppool\reblog. From there you plant a binary for a vulnerable service to get an NT AUTHORITY\SYSTEM shell and then impersonate an available token, which allows you to get root.

Red

Covenant C2

1 minute read

In light of being advised to use Covenant during the Cybernetics pro labs from HTB, and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself regarding the installation and basic setup.

SDDL Security Descriptors

6 minute read

Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.

Shells

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.

PHP

HackTheBox - Player

13 minute read

Player was a fun 40 point box created by MrR3boot. It started out with heavy vhost enumeration, which leads you to some backup file artifacts that expose an access code and passphrase. We then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit, with which you can read local files to get user.

HackTheBox - Bitlab

11 minute read

Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.

HackTheBox - Networked

5 minute read

Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.

Blue

SDDL Security Descriptors

6 minute read

Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.

Active Directory Security Checklist

1 minute read

I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.

John

HackTheBox - Postman

5 minute read

Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open Redis server by writing our public key into the authorized_keys file, which allows you to SSH in. You then find an encrypted RSA private key and crack its passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

HackTheBox - Ellingson

11 minute read

Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.

Meterpreter

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin's cookie, which contains credentials for the admin interface. You then log in and find SQLi that lets you read the source code of a script vulnerable to SSRF, and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

crackmapexec

HackTheBox - Resolute

10 minute read

Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration, which allows you to password spray and find that the password has been reused, letting you log in via WinRM and get the user flag. You then find a second set of credentials in a PowerShell transcript file, log in again via WinRM with those, and finally abuse the user's group privileges to get root.

Impacket

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack; you then crack the resulting hash and log in via WinRM to get user. You then have to run Invoke-BloodHound and abuse the privileges our user has to get root.

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

XSS

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin's cookie, which contains credentials for the admin interface. You then log in and find SQLi that lets you read the source code of a script vulnerable to SSRF, and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

nps_payload

HackTheBox - Sniper

8 minute read

Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI that turned out to be vulnerable to RFI as well, which we exploited by hosting a web shell on our own Samba SMB server and including it over SMB. You can then use some PowerShell to execute commands as chris to get user and subsequently a Meterpreter shell on the box. Finally you had to create a malicious CHM file which, when opened, executes nc.exe and sends you a shell, and subsequently root.

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin's cookie, which contains credentials for the admin interface. You then log in and find SQLi that lets you read the source code of a script vulnerable to SSRF, and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

SQLi

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin's cookie, which contains credentials for the admin interface. You then log in and find SQLi that lets you read the source code of a script vulnerable to SSRF, and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot. It started out by finding a wav file upload and using it to get SQL injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP process running as root, using some Java calls and jdb to get code execution and return a reverse shell to get root.

HackTheBox - Jarvis

5 minute read

Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.

bash

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.

Perl

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.

Ruby

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.

Java

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot. It started out by finding a wav file upload and using it to get SQL injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP process running as root, using some Java calls and jdb to get code execution and return a reverse shell to get root.

FTP

HackTheBox - Json

12 minute read

Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.

pwntools

HackTheBox - Ellingson

11 minute read

Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.

BloodHound

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack; you then crack the resulting hash and log in via WinRM to get user. You then have to run Invoke-BloodHound and abuse the privileges our user has to get root.

MSSQL

HackTheBox - Monteverde

8 minute read

Monteverde was an interesting 30 point box created by egre55. It starts with user enumeration, which leads to password spraying and the discovery of a service account with a weak password. You then dump an SMB share using the service account's credentials and find further credentials used by Azure, which let you WinRM in and get user. You then have to modify an exploit that abuses Azure's Password Hash Synchronization to dump the Administrator credentials, and use those to WinRM in again and get the root flag.

LDAP

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack; you then crack the resulting hash and log in via WinRM to get user. You then have to run Invoke-BloodHound and abuse the privileges our user has to get root.

sudo

HackTheBox - Jarvis

5 minute read

Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.

API

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting a call to Python's eval() in a Flask API application, via source code exposed in Gogs, to get a shell as root inside a Docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abuse Vault's SSH secrets engine to get root using an OTP.

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

AWS

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

GCP

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

Alibaba

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

Azure

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

.NET

Covenant C2

1 minute read

In light of being advised to use Covenant during the Cybernetics pro labs from HTB, and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself regarding the installation and basic setup.

Lua

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.

Vim

Spawning TTYs

less than 1 minute read

The following commands should be executed from the Linux command line. Which TTY you are able to spawn comes down to the shells available on the host; check with cat /etc/shells.

DLL

DLL Shells

2 minute read

Quick post covering a few different ways to create and generate malicious DLLs for reverse/bind shells and for command execution.

Visual Studio

DLL Shells

2 minute read

Quick post covering a few different ways to create and generate malicious DLLs for reverse/bind shells and for command execution.

SID

Windows Security Identifiers

8 minute read

Instead of having to check the Microsoft docs every time I needed to identify a mysterious SID, I decided to type up the table here so I can reference it easily when required.

pspy

HackTheBox - Writeup

3 minute read

Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing an SSH startup process by injecting into PATH to get root.

CMS

HackTheBox - Writeup

3 minute read

Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing an SSH startup process by injecting into PATH to get root.

Werkzeug Debugger

HackTheBox - Ellingson

11 minute read

Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.

ropstar

HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

KeePass

HackTheBox - Safe

2 minute read

Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.

Elasticsearch

HackTheBox - Haystack

5 minute read

Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.

Kibana

HackTheBox - Haystack

5 minute read

Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.

Logstash

HackTheBox - Haystack

5 minute read

Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.

systemctl

HackTheBox - Jarvis

5 minute read

Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.

exiftool

HackTheBox - Networked

5 minute read

Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.

network-scripts

HackTheBox - Networked

5 minute read

Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.

Web3.py

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

Smart Contracts

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

IPFS

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

bmap

HackTheBox - Chainsaw

7 minute read

Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.

Cisco

HackTheBox - Heist

6 minute read

Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.

WinRM

HackTheBox - Heist

6 minute read

ProcDump

HackTheBox - Heist

6 minute read

Firefox

HackTheBox - Heist

6 minute read

Curl

HackTheBox - Wall

6 minute read

Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.

Centreon

HackTheBox - Wall

6 minute read

GNU Screen

HackTheBox - Wall

6 minute read

gogs

HackTheBox - Craft

10 minute read

Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a Flask API application via exposed source code in Gogs to get a shell as root in a Docker container. We then dumped the user table of a MySQL database via a Python script to get credentials and logged in via SSH to get user, and finally abused Vault SSH to get root using an OTP.

eval()

HackTheBox - Craft

10 minute read

MySQL

HackTheBox - Craft

10 minute read

GitLab

HackTheBox - Bitlab

11 minute read

Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.

Git Hooks

HackTheBox - Bitlab

11 minute read

Reversing

HackTheBox - Bitlab

11 minute read

bfac

HackTheBox - Player

13 minute read

Player was a fun 40 point box created by MrR3boot. It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase; we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit, with which you can read local files to get user.

JWT

HackTheBox - Player

13 minute read

XAUTH

HackTheBox - Player

13 minute read

Codiad

HackTheBox - Player

13 minute read

wav

HackTheBox - AI

6 minute read

AI was an interesting 30 point box created by MrR3boot. It started out by finding a wav file upload and using it to get SQL injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.

JDWP

HackTheBox - AI

6 minute read

Yara

HackTheBox - RE

12 minute read

RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, which allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get an NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.

Macros

HackTheBox - RE

12 minute read

ZipSlip

HackTheBox - RE

12 minute read

Binary Planting

HackTheBox - RE

12 minute read

PowerUp.ps1

HackTheBox - RE

12 minute read

Incognito

HackTheBox - RE

12 minute read

ysoserial.net

HackTheBox - Json

12 minute read

Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net; you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to log in via FTP and get the flag, or you can get SYSTEM via Juicy Potato.

Json

HackTheBox - Json

12 minute read

C#

HackTheBox - Json

12 minute read

Juicy Potato

HackTheBox - Json

12 minute read

Go

Release: clovery

less than 1 minute read

Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.

Oracle

SSRF

HackTheBox - Bankrobber

13 minute read

Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admin’s cookie, which contains credentials for the admin interface; you then log in and find SQLi to get the source code of a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.

Powershell

HackTheBox - Bankrobber

13 minute read

Buffer Overflow

HackTheBox - Bankrobber

13 minute read

redis

HackTheBox - Postman

5 minute read

Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open redis server by writing our public key to the authorized_keys file which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.

Webmin

HackTheBox - Postman

5 minute read

Kerberos

HackTheBox - Forest

11 minute read

Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack; you then crack the resulting hash and log in via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.

LFI

HackTheBox - Sniper

8 minute read

Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.

RFI

HackTheBox - Sniper

8 minute read

Samba

HackTheBox - Sniper

8 minute read

CHM

HackTheBox - Sniper

8 minute read

nishang

HackTheBox - Sniper

8 minute read

Labs

DNSAdmins

HackTheBox - Resolute

10 minute read

Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.

WMI

dsquery

nltest

Crackmapexec

HackTheBox - Monteverde

8 minute read

Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account; you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, and then use the creds to WinRM in again and get the root flag.

Azure Admins

HackTheBox - Monteverde

8 minute read