
Jim Solomon

Overview:

Sharp is a hard Windows machine that exploits a remoting server and WCF (Windows Communication Foundation), and both steps must be done in a Windows environment. There are public exploits (recompiled) out there from 2014, but they require a lot of setup before running, including serialization. After getting a shell, there is a wcf folder and a wcfclient exe file running with admin privilege; by looking at the source code in Visual Studio, an attacker could take advantage of the Main function, rebuild the exe file and run it on the victim's machine to escalate privileges to Administrator. …


Overview:

Bucket is a fun Linux machine that exploits an AWS bucket server. After fuzzing subdomains, there is a bucket server running. Use AWS CLI commands to find an endpoint and use put-item to upload a reverse shell. PrivEsc also exploits the AWS bucket, but it's a bit harder to do. After forwarding a port, we can create a table and take advantage of put-item with root's id_rsa key, then save it to a default directory. This box is awesome for learning some AWS CLI stuff. With all that being said, let's just jump in!

Reconnaissance:

┌──(kali㉿kali)-[~/htb/boxes/bucket] └─$ nmap -sC -sV…

Overview:

Laboratory is an easy and fun machine. It exploits a vulnerable GitLab through the built-in Rails console, a command line on GitLab for interacting with GitLab through commands such as changing a user's password. The foothold is to take advantage of the Rails console by changing admin dexter's password and finding his SSH key in his git repository. After getting into the shell, there is a vulnerable docker-security executable that runs with root privilege. By running ltrace we are able to see it looking for the chmod executable on the machine through a path. The last PrivEsc is to…


Overview:

APT is an insanely tough Windows AD box; it requires deep knowledge of Windows AD environments. First, leak the server's IPv6 address, because nmap only returned 2 ports on the server, 80 and 135. After getting the IPv6 address, there is port 445 with an SMB share that has a backup.zip. The backup.zip contains Windows registry files that contain passwords and hashes. But in this instance, using crackmapexec will be blocked when cracking the hashes for a user, therefore we turn to getTGT to get a ticket. Then use reg.py to find registries on…


Overview:

Time is a medium-level machine. First, the web server runs Java code that has a vulnerable Jackson library for JSON deserialization. After getting a shell, there is a cronjob running with root privilege on a file the user has write access to. With all that being said, let's just jump in!

Reconnaissance:

root@kali:~/htb/boxes/time# nmap -T4 -A -p- -oA time -v 10.10.10.214 # Nmap 7.91 scan initiated Mon Oct 26 07:25:13 2020 as: nmap -T4 -A -p- -oA time -v 10.10.10.214 Nmap scan report for 10.10.10.214 Host is up (0.047s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp…

Overview:

Luanne is a great easy BSD machine. First there is a vulnerable Lua weather script running on the web server that allows code execution, and then there is a backend server running that exposes the id_rsa file for the user; with the user's credentials, curl is used to pull the id_rsa key. Last, there is an encrypted backup file in the user's folder, and by using the netpgp tool that exists on the box we can simply decrypt it and get root's password. Although the concepts of this box are not too complicated, it still requires dedicated…


Overview:

This is an OSCP prep box from Vulnhub created by FalconSpy & the InfoSec Prep Discord Server ( https://discord.gg/RRgKaep ). It's relatively easy but still teaches some good stuff for people who are beginning to prepare for the OSCP (I was one of them). The image can be found at the link below. With all that being said, let's just jump in.

Reconnaissance:

ports=$(nmap -p- --min-rate=1000 -T4 192.168.170.154 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports -v -oN sc 192.168.170.154
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1…

Overview:

Crossfit is an insanely tough box that includes tons of complex attack vectors. It includes a User-Agent XSS on the web server, and then JS is used to register an FTP account on the backend server. After getting a shell, there is a cronjob running as user isaac that involves a CVE in a shell command application; after becoming user isaac, it requires reverse engineering a 64-bit binary to find an mgbus server running. Last, by taking advantage of dbmsg, overwrite root's id_rsa key with a local id_rsa key created on the attacker's machine. It mixes all sorts…


Overview:

Passage is a medium-level Linux machine on Hackthebox. It comes with a vulnerable web application, CuteNews; when you use public exploits to get into the machine and crack some hashes in the CuteNews user folder, there are user credentials that allow you to log in as those users. Finally, there is a vulnerable dbus service running under user nadav that you can exploit to get the root flag or id_rsa. With all that being said, let's just jump in!

Reconnaissance:

# Nmap 7.91 scan initiated Fri Jan 29 17:32:54 2021 as: nmap -A -T4 -p- -oN all -v 10.10.10.206 Nmap scan…

Overview:

Doctor is an easy box on HTB created by Shaun. There are two ways to exploit this box. The intended way is that the doctor's website has a sign-up function; after signing up for an account and logging in, there is an SSTI vulnerability in the comment area. After saving the payload, trigger it on another link and it gives us a shell. The PrivEsc is to exploit the vulnerable Splunkd service for root-privileged code execution. With all that being said, let's just jump into the box!

Reconnaissance:

First off, fire up nmap scanning all open ports, -A…

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP
