HackTheBox - OpenAdmin

Summary

OpenAdmin, a Linux box created by HackTheBox user dmw0ng, was an overall easy difficulty box. Initial enumeration shows only port 22 and port 80 open. On the web we see OpenNetAdmin; searching for an exploit, we find a shell script on exploitdb, and using that we get a shell as www-data. Enumerating, we find credentials for the database. Checking for password reuse on SSH, we try both usernames and get a hit as jimmy. Enumerating further, we find an internal service that cats the id_rsa for joanna; after port-forwarding, getting the password and cracking the passphrase, we get user. Root was pretty simple using nano.

HackTheBox - Zetta

Summary

Zetta, a Linux box created by HackTheBox user jkr, was an overall hard difficulty box. The initial foothold was finding the IPv6 address using FXP from FTP. Enumerating again, we find a new port, 8370, running rsync; enumerating that, we find we can upload an SSH key and get a shell as user. From here this was a really hard box. First we find the .tudu.xml file, which contains the todo-list by roy. Then we see that rsyslog is installed, so we try to look at its config. We can't read it, but we can copy the .git folder inside /etc/rsyslog.d and do git stash to get the config, where we see that local7.info is pushed to a postgres db. Seeing nothing else interesting, I started to poke around and tried an SQLi there, and with a lot of effort we get a shell as postgres. We see a .psql_history file which contains the password for postgres, and from a hint in roy's todo we get the password for root, and we have pwned Zetta.

HackTheBox - Sniper

Summary

Sniper, a Windows box created by HackTheBox users MinatoTW & felamos, was an overall medium to hard difficulty box. The initial enumeration shows an LFI and an RFI vulnerability in the hosted web application. To gain access, we set up a Samba server on our box and put our malicious payload inside the Samba share directory. Once everything is done, we can upload nc.exe and get a low-privilege shell. Using the shell, we read the code of db.php, which contains the password for the user, and use that password with PowerShell Invoke-Command to get user. The privilege escalation is pretty nice in this box: you will find a .chm in the user's downloads, And in we get a nice hint. Use a malicious .chm and you will get root.

HackTheBox - Resolute

Summary

Resolute, a Windows box created by egre55, is a medium difficulty box. The initial foothold was finding the user description in the enum4linux response, which contained the default password, and trying that against all the users to find a valid user with that credential. Using that, we can get a shell (winrm) on the box and get user.txt. Lateral movement required us to find rayan's credential in PSTranscripts. Then, checking the groups, we see that rayan is a member of the DNSAdmin group, using which we can get a root shell on the box.

HackTheBox - Control

Summary

Control, a Windows box created by HackTheBox user TRX, was an overall hard difficulty box. The initial foothold was about finding the SQL injection on the view_product page. Using that, we can upload nc.exe and get a low-privilege shell. We also get a few hashes, and checking them on crackstation we get the password for two of them. Using that, we can get another shell as user. Privilege escalation was a little painful, as we cannot use any enumeration scripts. Looking around, we find some commands in the PowerShell history. We see we have Full Control on services; then it was all about finding the correct service which we can exploit to get Administrator.
