MrRobot,a Linux box is created by user ben, was a easy box.The Initial scan show that robots.txt. which show the first key and fsocity.dic and using that and username elliot we get access to word-press,using which we can get a shell.Cracking the md5 hash we can su as robot user and grab second key. Privilege Escalation was using nmap suid binary we can get a shell as root.
Bankrobber,a Windows box created by HackTheBox user Gioo and Cneeliz, was an overall Insane difficulty box. The initial foothold was about finding an XXS vector and use that to leak the admin cookie and use that to access the admin panel.There we find an SQLInjection using that we can grab the source code for an backdoorchecker.php also when we try to run that we see that it can only be ran from localhost. which means we will have to use that XXS and convert that to an CSRF attack and use that to get an RCE. And we have user. Privilege Escalation on this box was like port-forwarding a filtered port to local and using the application on nc, we write an script to brute-force the pin for the application. Doing a Command Injection on that we can get a shell as Administrator.
Mango,a Linux box created by HackTheBox user MrR3boot, was an overall medium difficulty box. Initial foothold was finding credentials using NoSQL injection. which drop us some creds using them we can ssh on the box and then use the other cred (admin) to get user. Privilege Escalation on this box was using jjs.
Nest,a Windows box created by HackTheBox user VbScrub, was an overall easy difficulty box. It had a smbshare which was Guest accessible and was leaking a cred for low privilege user.Using which we can get configurations for installed application on the box, one of which was exposing the creds for user of the box and also had a hidden directory which contain a VB projected which contain the routine to decrypt the password for the user. The user directory contain few files and a .NET binary which find was the to decrpyt the Administrator Password.
Monteverde,a Windows box created by HackTheBox user egre55, was an overall medium difficulty box. Initial foothold was finding a cred which was a result of a lazy sysadmin. using that we can find credentials for user in a azure.xml file. checking the group of that user we see it is in Azure Admin group which mean it can perform DCSync using that we can get administrator credentials and pwned this box.
