Delivery was an easy difficulty machine on Hack the Box.

TL;DR: I’ll identify a helpdesk virtual subdomain which will allow me to create a ticket with a temporary email address. Using that address I’ll create an account on the Mattermost instance on port 8065, where I’ll find credentials for SSH. Using this access I’ll read password hashes from the SQL database. Based on information from Mattermost I’ll create a really short wordlist for hash cracking and find out the admin password.

Nmap scan reveals 3 open ports:

PORT     STATE SERVICE VERSION
22/tcp open ssh…

Laboratory was an easy machine on Hack the Box.

TL;DR: I’ll find a virtual domain with a vulnerable instance of GitLab. It can be exploited to gain a shell on a Docker instance. I’ll use this access to change Dexter’s password and gain access to his private repository. The repository contains a private SSH key which I’ll use to get the user flag. Privilege escalation can be done by exploiting a custom SUID binary. It calls the chmod application with user privileges, which can be exploited to run any code by manipulating the PATH variable.

User

Nmap:

$ sudo nmap -sS -sV -sC laboratory.htb
Starting Nmap…

Academy was an easy machine on Hack the Box.

Academy

I’ll exploit a simple privilege escalation in the registration form to gain access to the administrator panel. The admin panel will reveal a virtual subdomain where I’ll exploit an RCE in the Laravel framework. Using that access I’ll find a database password that’s been reused by the cry0l1t3 user. Browsing through system logs will reveal the password of another user: mrb3n. mrb3n can sudo Composer, which I’ll exploit to gain a root shell.

User

Nmap scan:


Cache was a medium difficulty machine on Hack the Box. Here’s my take on solving the challenge.

Cache

TL;DR: There’s a virtual host on the webserver with an instance of a vulnerable version of OpenEMR. Its vulnerabilities can be chained: first to gain patient access, then to exploit an authenticated SQL injection to get the admin password hash. After cracking the hash there’s an authenticated RCE that allows gaining a shell on the machine. Lateral movement is possible in two ways: the password of the ash user can be obtained from a JavaScript file on the HTTP server (the default one, not the virtual…


Travel was a hard difficulty machine on Hack the Box. Here’s my take on solving the challenge.

Travel

TL;DR: Travel was a really great box with some advanced web exploitation. I’ll find a virtual subdomain in the SSL certificate that contains a stray .git folder. It’ll allow me to reconstruct PHP files, where I’ll find an SSRF vulnerability. I’ll exploit this vulnerability to inject a PHP object and plant a webshell. With the webshell in place I’ll gain a reverse shell on a Docker machine. I’ll find a WordPress database backup file with a password hash. After reversing, the password will allow me to login…


Buff was an easy machine on Hack the Box. Here’s my take on solving the challenge.

Buff

TL;DR: There’s a Gym Management Software instance running on HTTP port 8080. It’s vulnerable to an unauthenticated PHP file upload and therefore RCE. Locally there’s a version of CloudMe running with a known buffer overflow vulnerability, which can be exploited to escalate privileges.

Recon

The Nmap scan showed only port 8080 open, with an HTTP server:


Blunder was an easy machine on Hack the Box. Here’s my take on solving the challenge.

User

According to nmap, the webserver should be the only attack surface:

Nmap scan

There seems to be some kind of blog on the site.


Admirer was an easy difficulty machine on Hack the Box. Here’s my take on solving the challenge.

Admirer

User

Nmap reveals three running services:


Cascade was a medium difficulty machine on Hack the Box. Here’s my take on solving the machine.

TL;DR: There’s a public LDAP database endpoint available. One of the users has a custom field that reveals their password. Using this access it’s possible to reach an SMB share that contains a VNC registry entry holding another user’s password, this time encrypted. There is a publicly accessible tool capable of decrypting the password. The newly acquired credentials allow access to a WinRM shell and retrieval of the user flag. On top of that, they give access to another SMB share, this time containing a SQLite database…


Magic was a medium difficulty machine on Hack the Box. Here’s my take on solving the machine.

TL;DR: SQL injection in the login form allows authentication bypass and grants access to an image upload feature. The feature’s filter can be bypassed by sending a PHP file prepended with a PNG format header, granting code execution and a reverse shell. Locally it’s possible to dump the database using credentials found in a PHP file. In the database there’s a password that allows logging in as the Theseus user and grabbing the user file. Privilege escalation is possible through a vulnerable SysInfo program. It calls fdisk with root…

Tellico Lungrevink
