Category: HackTheBox
-
Timelapse – HackTheBox
Timelapse was a relatively easy ‘Easy’ machine that required exploiting misconfigured SMB, which led to a shell as a normal user, where a service account password was discovered in the PowerShell history. That account was allowed to read the LAPS password, which let us get administrative access on the machine. Scanning From the…
-
Late – HackTheBox
Late was an easy machine that required enumerating a subdomain to discover a Flask application used to OCR images. The application was vulnerable to Server-Side Template Injection, which allowed for remote code execution. This led to SSH access, where it was discovered that a script run by root was in a writeable location from…
-
Mantis – HackTheBox
Mantis was a hard machine that focused on good enumeration and discovering an older vulnerability in the way Kerberos authenticates regular users. We’ll first discover MSSQL credentials, access the MSSQL server, and extract a domain user’s credentials. From there we will find the version of Windows Server is vulnerable to MS14-068 which allows for…
-
Curling – HackTheBox
Curling is an easy machine that required directory busting a web page to find a secret key to access a Joomla CMS admin panel. This allowed for code execution which led to our initial shell. From there we moved laterally by finding a hex dump, decoding it, and discovering a password. To achieve root access,…
-
Bounty – HackTheBox
Scanning I started with my standard nmap scan. Only one port opened, which I verified by running a scan against all ports as well. Enumeration – HTTP Port 80 There’s just an image here of Merlin with nothing else. Scanning with gobuster found something interesting. Unfortunately, this directory wasn’t working. No vhosts on the box…
-
Forest – HackTheBox
Forest is a much-hyped retired “Easy” Windows machine that deals with a wide variety of common AD attack vectors, both for initial entry and privilege escalation. Initially, I was able to leverage RPC to dump usernames from the domain, then ASRep-roast a service account. This was used to gain entry into the system, where I…
-
Bashed – HackTheBox
Scanning I started as always with an nmap scan. Enumeration Just port 80 open so let’s check that out. The dev folder looks promising. Wow, a phpbash webshell. That’s handy. Foothold – Shell as www-data Awesome, I should be able to get a reverse shell from this. It took a bit of tinkering with payloads…
-
Mango – HackTheBox
Scanning Started with my typical nmap scan. Enumeration – Port 443 Port 80 returned a 403 forbidden as seen in the scan, but 443 seemed worthwhile to check out. This search function just returned to itself. Gobuster revealed a subdirectory /analytics & this also worked from the primary page. This was a collected table of…
-
Bolt – HackTheBox
Bolt is a Medium level machine on HTB that was recently retired. Nmap scan: Enumeration: Port 80 – HTTP There’s a pretty basic website with not many obvious paths, but I was able to download a copy of the docker file that is presumably being used to run the webserver, so saving that for now,…