Hackthebox - Passage

Summary

Passage is a medium Linux box created by ChefByzen. The initial foothold required finding a CVE for CuteNews and using it to get a shell as www-data. Enumerating the filesystem, we find a lines file that contained some PHP serialized objects. Deserializing the objects, we find a hash; cracking it and trying su gives us access to the paul user. Checking the .ssh directory, we see that id_rsa.pub is nadav's key, so key reuse is possible, and using it we can get nadav. After getting nadav we need to look at .viminfo for a hint, which contains something about USBCreator.conf. Looking for that, we stumble upon a blog post explaining how to exploit it and get a root shell.

Hackthebox - Spectra


Summary

Spectra was an easy ChromeOS machine by user egre55. The initial foothold was finding DB creds in a .save file leaking from the /testing route. Checking for credential reuse on the /main route (WordPress) was successful. Using the unix/webapp/wp_admin_shell_upload Metasploit module, we get a shell as nginx. Enumerating the box, in /opt we find a config that gives us a hint to check for credentials in /etc/autologin, which gave the user password, and we can SSH in as the user. Privilege escalation on the box was exploiting initctl to get root.

Hackthebox - Academy

Summary

Academy is an easy Linux box created by HackTheBox users egre55 & mrb3n. The initial foothold was using register to create an admin user, using that to log in on the admin page, finding a second vhost, and seeing that it runs Laravel. Checking searchsploit, we have an RCE PoC in Metasploit; using that we can get a shell as www-data. To get user we had to password spray with the password from the .env file. Based on the user's adm group, we check the logs and find a password for another user. After getting a shell as that user and checking sudo -l, we see we can run composer. Using that we get root.

Hackthebox - Jewel

Summary

Jewel, a Linux box created by HackTheBox user polarbearer, was an overall medium difficulty box. The initial foothold was analysing the code and finding a CVE for it (Rails deserialization to RCE); using that we can get a shell (this was the hardest part of the box). After getting the shell, we need to find a database dump that contains some hashes; cracking them we get the password for user bill. Running sudo -l reveals that we need a verification code. We can use .google_authenticator in the user's home directory to generate the code, after which we see that we can run gem. Checking GTFOBins and using that, we can get root.

Hackthebox - Doctor

Summary

Doctor is an easy Linux box created by egotisticalSW. The initial foothold was finding the SSTI (server-side template injection) and using it to get a low-privilege shell. User was finding the user's password in an apache2 backup log. Rooting was exploiting Splunkd and getting root.
