HackTheBox - Oouch

Summary

Oouch, a Linux box created by HackTheBox user qtc, was an overall hard difficulty box. The initial enumeration was finding the hidden oauth directory. We also find an SSRF in the contact page, which we use to trick the admin into OAuth and linking their account to our account, so we can read some admin-only documents which leak applications/registration. We register an application, trick the admin again, and steal the admin sessionid of qtc. Using that and the API, we grab the qtc SSH key, with which we can SSH as qtc and read user.txt. Enumerating as the user, we find Docker running and see that we can SSH to one of the containers, where we find uwsgi, which was vulnerable and gives us a shell as www-data. Enumerating again, we see that dbus is used and is running as root. Using dbus we can send a payload to get a shell as root.

HackTheBox - Cascade

Summary

Cascade, a Windows box created by HackTheBox user VbScrub, was an overall easy-medium difficulty box. The initial enumeration shows that the box is an LDAP server. Digging into it with JXplorer, we get credentials for a user, and looking in the shares we find a TightVNC registry key which contains the password for user s.smith; using vncpwd we can get the password. We can then WinRM in and get user.txt. Looking at the newly open SMB shares, we find an executable and a SQLite database which contains the password for a service account. Reverse engineering the binary, we can get the password. Logging in with the new creds, and using a mail we saw in the shares earlier, we can try to retrieve the password for TempAdmin, which is the password for the local admin.

HackTheBox - Sauna

Summary

Sauna, a Windows box created by HackTheBox user egotisticalSW, was an overall easy difficulty box. The initial enumeration exposes some names from which we can create a username list. Using impacket GetNPUsers.py we expose a valid user and hash. Using that, we can use evil-winrm to get a shell as the user. Enumerating and looking in the registry, we see a password for a service account, with which we can get a shell as the service. We see that svc_loanmgr has permission to DCSync, so we can use impacket secretsdump.py to dump the Administrator credentials and use psexec to get a shell as Administrator.

HackTheBox - Book

Summary

Book, a Linux box created by HackTheBox user egotisticalSW, was an overall hard difficulty box. The initial enumeration shows only ports 22 and 80 open. Enumerating the web, we find /admin and index.php, which have login and sign-up, and through these we expose the admin email ID. Using an SQL truncation attack we can reset the password for admin and log in to /admin. We also see that the Book upload is vulnerable to XSS, which creates an SSRF, and using that we can get an LFI and read the SSH private key for the user. Enumerating, we see that logrotate is running and the log file is writable by us. Looking in searchsploit we find logrotten, which exploits a race condition, and using that we can get a shell as root (or grab the root .ssh private key and get a shell as root).

HackTheBox - Forwardslash

Summary

Forwardslash, a Linux box created by HackTheBox users InfoSecJack and chivato, was an overall hard difficulty box. The initial foothold was finding the SSRF on porfilepicture.php in backup.forwardslash.htb, which exposes the creds for chiv. After SSHing in with those and enumerating, we find a backup binary. Looking into it, we work out how it operates, and by abusing it we get config.php.bak, which contains the creds for pain, and we have user. In pain's home directory we can see an encryption folder which contains a ciphertext and a Python script. By brute-forcing the weakness we get creds for /var/backups/recovery. Checking sudo -l, we see we can mount that image using cryptsetup and mount, and we find the root RSA key, with which we can get root.
