HackTheBox - Travel

Summary

Travel, a Linux box created by HackTheBox users xct and jkr, was a hard box, but a really fun one. The initial foothold was finding the .git folder on blog-dev and analyzing the code to see that there is an SSRF on memcached and a deserialization in SimplePie; combining both of them we can get RCE on the box. Using that we can get a shell as www-data. Enumerating, we find a db-dump.sql in /opt/ which has the user lynik-admin and a password hash. Cracking that, we can get a shell as the user. Privilege escalation on this box was something new for me: it used ldapmodify and the ability of SSH on LDAP. We modify a user in LDAP, change its UID and GID to 1000 and 117 (docker), and quickly SSH to the box as that user. Now we can use docker to get a shell as root using GTFOBins.

HackTheBox - Remote

Summary

Remote, a Windows box created by HackTheBox user mrb3n, was an overall easy difficulty box. The initial enumeration shows ports 80, 111, 139 and 445. The nmap scan also shows that NFS mounts are present. So we mount it and look at the backup of the site, where we find credentials for the web app and also the version of the web app, Umbraco 7.12.4, which has an RCE on Exploit-DB. With that we get a low-privilege shell and grab user.txt. Enumerating again, we see we have All Access to UsoSvc. Exploiting that, we get a shell as Administrator.

HackTheBox - Quick

Summary

Quick, a Linux box created by HackTheBox user MrR3boot, was an overall hard difficulty box. The initial foothold was finding a password from HTTPS-over-UDP and brute-forcing the login, then exploiting Esigate to get RCE and get user that way. Getting the second user meant exploiting a race condition. Looking in conf.d we get a password, and using that on root gives us root.

HackTheBox - Magic

Summary

Magic, a Linux box created by HackTheBox user TRX, was an overall easy-medium difficulty box. The initial enumeration shows only ports 22 and 80 open. The login page contains a SQL injection, which redirected us to upload.php. Creating an image with a PHP shell, we get a shell as www-data. Looking in db.php5 we find creds for the DB; we don’t see any mysql client, but we do see mysqldump, and dumping with that we get credentials for user theseus. Privilege escalation on this box was pretty fun: we need to find a SUID binary, and running strings on it we see that it uses a command without an absolute path, so we can try path hijacking. Doing that, we can get a shell as root.

HackTheBox - Traceback

Summary

Traceback, a Linux box created by HackTheBox user Xh4H, was an overall very easy difficulty box. The initial enumeration exposes that the web server was already pwned by the author of the box; opening the source code, we see that the author had left a webshell on the box. We try some but get nothing, so I looked for the author and found his GitHub account and saw a repo named WebShell. Trying the shells in that, we get a webshell as smevk.php. Using that we can get a shell on the box as webadmin. Looking in his home directory we see another file left by the previous pwn, privesc.lua; we also see in sudo -l that we can execute /home/webadmin/luvit as sysadmin without a password. Using privesc.lua, which just appends a public key to the authorized_keys for sysadmin, we get user. Enumerating the box, we see that when we log in we get a message that the box was pwned by Xh4H, so looking in /etc/update-motd.d we see we can modify files there. We modify the 00-header file, add a reverse shell there and get root on the box.
