Shubham Kumar

Hackthebox - Unbalanced 2020-12-05|htbmachinesretired|linux-writeup-retired-hackthebox-hard-sqli-docker-EncFS-squid-blind-injection-pi-hole

Summary

Unbalanced is a Linux, hard box is a created by polarbearer & GibParadox. Initial Enumeration was finding and download EncFS folder, and cracking that and opening the squid.conf and getting the squid password to look at Fully qualified domain name cache which gave us few IPs. Looking on those we found XPATH injection on removed IP from load-balancer.
Using the injection we can find some usernames and again using Blind injection we can crack the password. Which give us access to ssh Enumerating we find pi-hole running. Exploiting that we get a shell as www-data which have access to docker root which have few scripts and one of them contained root password. using which we get root.

Hackthebox - SneakyMailer 2020-11-27|htbmachinesretired|linux-writeup-retired-hackthebox-medium-gtfobins-ftp-swaks-phishing-mail-python-registry-pip

Summary

SneakyMailer, was a medium difficulty linux box created by Hackthebox user, sulcud. The box was all about creating a mail list from the emails found on the website. and using swaks to send phishing mail to all the employees and getting a hit back with one user email credentials. login to email we find credential for dev ftp. using that we can upload a shell and visit that on dev subdomain and we get a shell back. after getting the shell we can reuse the ftp credential for user developer we can switch to developer user. also in pypi webroot we find a .htaccess and we can crack the password for the hash.visiting the site we see that is a python registry so we create a custom package and upload to get a shell as low.Checking sudo -l we see we can run pip3 without password so using GTFOBINs we can get root.

Hackthebox - Buff 2020-11-21|htbmachinesretired|cve-writeup-retired-hackthebox-easy-windows-cloudme-chisel

Summary

Buff,a windows box created by egotisticalSW was an easy box. Everything was about finding a CVE and using that to get to next step. Initial foothold was finding a CVE in Gym Management System which gave us a RCE as user of the box. Later we discover Cloudme was running internally so we port forward that using chisel and using another CVE we get a shell as Administrator.

Hackthebox - Tabby 2020-11-07|htbmachinesretired|linux-writeup-retired-hackthebox-easy-lfi-tomcat-msfvenom-lxd

Hackthebox - Fuse 2020-10-31|htbmachinesretired|writeup-retired-hackthebox-medium-windows-printer-malicious-driver

Summary

Fuse is a Windows, medium box is a created by egre55. Initial foothold was exploiting a corporation automatic printer install process and finding an expire credential for an user,after resetting the password we can do rpc Enumeration which give us credential for the printer service using which we can get a shell on the box. Checking Printer service permission we see it can load drivers so we create a malicious driver to get privilege escalation on the box.