HackTheBox - Dyplesher

Summary

Dyplesher, a Linux machine created by HackTheBox users felamos & yuntao, was an overall insane difficulty box. The initial foothold was finding the .git folder on test.dyplesher.htb, which gives us the credentials for the memcache server. Trying rockyou against memcache, we can leak a few hashes and crack one of them. Using the password we got from memcache we can log in to Gogs as felamos, where we see a GitLab mirror/backup. We see a repo.zip on the release page of the repository; after downloading it we see that it is a git bundle. After googling around I saw how to unbundle it and get some information. From the repository we get, we find a SQLite db; looking into that we get another hash, and cracking that gives another password. Trying that on the web server we are able to log in and see that we can upload Minecraft plugins. Creating a plugin that writes to the user's .ssh/authorized_keys, we can SSH in as MinatoTW. After getting a shell we still don't find user.txt, but checking the groups we see this user is a member of the wireshark group, so I used dumpcap to capture some packets and sent them to my local machine for analysis, which revealed some RabbitMQ messages containing all users' passwords and the RabbitMQ password for yuntao. Su-ing to user felamos we see an interesting message which states that yuntao can publish a message to plugin_data with a URL of a Cuberite plugin, so we create a bogus plugin to write to root's authorized_keys and SSH in using that.

HackTheBox - Blunder

Summary

Blunder, a Linux box created by HackTheBox user egotisticalSW, is an easy rated box. The initial foothold was finding a username in todo.txt and brute-forcing the password with a wordlist created from the blog posts. Using Metasploit we can get a shell as www-data and then find a user.php which contains a password hash for the user. Cracking the hash and using su we can get the user. Checking sudo -l we see we can run /bin/bash as a different user but not root, and the version of sudo was 1.8.25p1, which has a CVE we can use to get root.

HackTheBox - Cache

Summary

Cache, a Linux box created by HackTheBox user ASHacker, was an overall medium difficulty box. The initial enumeration finds a domain hms.htb which is running OpenEMR, which has a SQLi that can give us a hash; we crack the hash, and OpenEMR also has an RCE which gives us a shell. We also had a cred from cache.htb. Using that we can su to get user. Enumerating in the shell we see memcached is running, from which we can grab the password for the second user, luffy. Su-ing to luffy we see that luffy is a member of the docker group, and using that we can get root.

HackTheBox - Blackfield

Summary

Blackfield, a Windows box created by HackTheBox user aas, begins with finding a list of folders whose names were usernames and kerberoasting the box to get creds, using which we can run BloodHound and see that we can force a password change for another user. With that we get access to the forensic share; downloading it we get lsass.dmp, which contains NTLM hashes, and one of them worked for the svc_backup account. With that we get on the box. Checking groups we see we have SeBackupPrivilege; using that we upload SeBackupPrivilegeUtils, take ntds.dit, download it and run secretsdump to get the Administrator hash.

HackTheBox - Admirer

Summary

Admirer, a Linux box created by HackTheBox users polarbearer & GibParadox. The initial scan shows that we can dump some contacts and credentials from admin-dir, which reveal the credential for FTP. Downloading data from FTP we see we have a copy of /var/html/www; we see that it has utility-scripts and a db_admin which shows that it is using some open-source alternative, and googling around for something similar we find Adminer. We also see a file disclosure vulnerability. So I hosted my own MySQL db, connected to my db and started dumping files on the server, dumping ../index.php, which reveals the credential. Using that on SSH with the username waldo we can SSH to the server. sudo -l reveals that we can SETENV and run /opt/scripts/admin_tasks.sh. Using that we can exploit the Backup web task, which is using a Python script, so with PYTHONPATH hijacking we can get a root shell.
