Writeup for the "Titanic" machine on HackTheBox. It involves exploiting LFI to discover sensitive Gitea configuration and database files, cracking PBKDF2 hashes for SSH access, and escalating privileges via a shared library injection in ImageMagick (CVE-2024-41817).
Walkthrough of the "Jerry" machine on HackTheBox. It involves brute-forcing Tomcat Manager credentials, deploying a WAR reverse shell, and retrieving both user and root flags from a Windows system.
Writeup for the "Nibbles" machine on HackTheBox. It involves discovering a vulnerable Nibbleblog CMS, exploiting it via Metasploit for initial access, and escalating privileges by abusing a writable script with sudo rights.
Walkthrough of the "Active" machine on HackTheBox, showcasing SMB enumeration, GPP password extraction, Kerberoasting, and gaining SYSTEM access via Impacket's PsExec.
Walkthrough of the "Markup" machine on HackTheBox, featuring enumeration, XML external entity (XXE) injection to gain a user shell, and privilege escalation to SYSTEM via a writable batch script.
Detailed walkthrough of the Sea room on the HackTheBox platform, covering initial enumeration, exploiting vulnerabilities, and obtaining user and root flags.
Busqueda is an Easy Difficulty Linux machine that involves exploiting a command injection vulnerability present in a `Python` module. By leveraging this vulnerability, we gain user-level access to the machine. To escalate privileges to `root`, we discover credentials within a `Git` config file, allowing us to log into a local `Gitea` service. Additionally, we uncover that a system checkup script can be executed with `root` privileges by a specific user. By utilizing this script, we enumerate `Docker` containers that reveal credentials for the `administrator` user and `Gitea` account. Further analysis of the system checkup script and source code in a `Git` repository reveals a means to exploit a relative path reference, granting us Remote Code Execution (RCE) with `root` privileges.
IClean is a medium-difficulty Linux machine featuring a website for a cleaning services company. The website contains a form where users can request a quote, which is found to be vulnerable to Cross-Site Scripting (XSS). This vulnerability is exploited to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to Server-Side Template Injection (SSTI), allowing us to obtain a reverse shell on the box. Enumeration reveals database credentials, which are leveraged to gain access to the database, leading to the discovery of a user hash. Cracking this hash provides `SSH` access to the machine. The user's mail mentions working with PDFs. By examining the `sudo` configuration, it is found that the user can run `qpdf` as `root`. This is leveraged to attach the `root` private key to a PDF, which is then used to gain privileged access to the machine.
Office is a hard-difficulty Windows machine featuring various vulnerabilities including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing LibreOffice macros after disabling the `MacroSecurityLevel` registry value, abusing MSKRP to dump DPAPI credentials and abusing Group Policies due to excessive Active Directory privileges.
Detailed walkthrough of the Crafty room on the HackTheBox platform, covering initial enumeration, exploiting vulnerabilities, and obtaining user and root flags.
Detailed walkthrough of the Monitored box on the HackTheBox platform, covering initial enumeration, exploiting vulnerabilities, and obtaining user and root flags.
Detailed walkthrough of the Builder box on the HackTheBox platform, covering initial enumeration with LFI, exploiting vulnerabilities, and obtaining user and root flags.