Hackthebox - Bucket

Summary

Bucket, a Linux box created by HackTheBox user MrR3boot, was an overall medium difficulty box. The initial foothold was finding credentials in DynamoDB and using those credentials with the AWS S3 CLI. We then upload a PHP shell and get a shell as www-data, and using another credential we get roy (user). For privilege escalation we find another internal service running on port 8000, and checking the code we see it is using pd4ml to convert HTML to PDF. So we can inject and attach some files and download the result.pdf. Using that we can download root's .id_rsa, with which we can SSH in, and we have pwned the box.

Hackthebox - Laboratory

Summary

Laboratory was an easy box created by Hackthebox user 0xc45.
The initial foothold was finding a CVE for GitLab which gave us arbitrary file read. Later, checking the HackerOne thread for this issue, we find that it can be converted to an RCE, using which we get the initial shell in a Docker container as git.
Enumerating the box, I decided to take a gitlab-backup and saw it contained a securedocker repository.
Extracting that, we get the user's SSH key and a user shell. Enumerating the box again as dexter, we see an interesting SUID binary, docker-security.
So I ran ltrace to see what it was doing and saw it was using chmod but without an absolute path. So using PATH hijacking we get a shell as root.

Hackthebox - Time

Summary

Time, a Linux box created by HackTheBox users egotisticalSW & felamos, was a medium difficulty box. The initial foothold was finding and exploiting a CVE in fasterxml.jackson, which gives us a shell as pericles, the user of the box, and we can grab user.txt. Running LinPEAS we find timer_backup.sh, and by editing that we can get code execution as root.

Hackthebox - Luanne

Summary

Luanne, a FreeBSD box created by HackTheBox user Luanne, was an overall easy box. The initial foothold was finding a command injection in a Lua API, using which we can get a shell as the httpd user. Enumerating, we find that a local version of the same service was being run by httpd_devel, and checking http://127.0.0.1:3001/~r.michaels/ we find the user key. After getting user as r.michaels we find a backups folder. Checking that, we find an encrypted file which we can decrypt with netpgp, and in it we find a .htaccess. Cracking the password and trying it with doas, we can switch to root.

Hackthebox - Reel2

Summary

Reel2 was a hard Windows machine by user cube0x0 on Hackthebox. Initial enumeration on the box was creating a password list from the social media platform and password spraying to get access to OWA, then phishing another user, which gives us a password hash. Cracking the password, we can use PowerShell to get a shell on the box. Enumerating the box, we find some interesting credentials in a log file in AppData, using which we can read root.txt and have Administrator access on the box.
