Delivery was an easy difficulty machine on Hack the Box.
TL;DR: I’ll identify a helpdesk virtual subdomain which will allow me to create a ticket with a temporary email address. Using that address I’ll create an account on the Mattermost instance on port 8065, where I’ll find SSH credentials. Using this access I’ll read password hashes from the SQL database. Based on information from Mattermost I’ll build a very short wordlist for hash cracking and recover the admin password.
Nmap scan reveals 3 open ports:
PORT STATE SERVICE VERSION
22/tcp open ssh…
Laboratory was an easy machine on Hack the Box.
TL;DR: I’ll find a virtual domain with a vulnerable instance of GitLab. It can be exploited to gain a shell inside a Docker container. I’ll use this access to change Dexter’s password and gain access to his private repository. The repository contains a private SSH key which I’ll use to get the user flag. Privilege escalation can be done by exploiting a custom SUID binary. It calls chmod by its bare name with elevated privileges, which can be exploited to run arbitrary code by manipulating the PATH variable.
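The PATH hijack mentioned above, reduced to a self-contained demonstration. This is an added example, not code from the box or from this write-up: the wrapper, the fake chmod and the marker file are all constructed here. It runs a wrapper that invokes `chmod` by bare name with an attacker-controlled PATH, then the hardened variant (absolute path and a fixed PATH), and reports which one ended up executing the planted binary.

```python
import os
import subprocess
import tempfile

# Constructed demo: a "privileged" wrapper that runs chmod by bare name, the
# way the SUID binary in the write-up is described, versus a hardened variant.
WRAPPER_CMD = 'chmod 644 "$1"'  # unqualified "chmod": resolved through $PATH


def run_wrapper(target: str, path: str, hardened: bool) -> None:
    if hardened:
        # Fix: absolute path to the binary and a fixed, trusted PATH.
        subprocess.run(["/bin/chmod", "644", target],
                       env={"PATH": "/usr/bin:/bin"}, check=True)
    else:
        # Vulnerable: sh resolves the bare "chmod" through the caller's PATH.
        subprocess.run(["sh", "-c", WRAPPER_CMD, "sh", target],
                       env={"PATH": path}, check=True)


def path_hijack_demo() -> dict:
    """Return, per variant, whether the attacker's fake chmod was executed."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        marker = os.path.join(tmp, "marker")
        # Attacker-controlled directory holding a fake "chmod" (constructed).
        fake_chmod = os.path.join(tmp, "chmod")
        with open(fake_chmod, "w") as f:
            f.write(f"#!/bin/sh\necho hijacked > '{marker}'\n")
        os.chmod(fake_chmod, 0o755)
        target = os.path.join(tmp, "victim")
        open(target, "w").close()
        # The attacker prepends their directory to PATH before calling the wrapper.
        evil_path = tmp + os.pathsep + "/usr/bin:/bin"
        for name, hardened in (("vulnerable", False), ("hardened", True)):
            if os.path.exists(marker):
                os.remove(marker)
            run_wrapper(target, evil_path, hardened)
            results[name] = os.path.exists(marker)
    return results


if __name__ == "__main__":
    print(path_hijack_demo())
```

With a real SUID wrapper the planted binary inherits the effective uid of the file owner, which is what turns a relative command name into a privilege escalation; the fix is the one shown in the hardened branch, absolute paths plus a sanitized environment.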
Academy was an easy machine on Hack the Box.
TL;DR: I’ll exploit a simple privilege escalation in the registration form to gain access to the administrator panel. The admin panel reveals a virtual subdomain where I’ll exploit an RCE in the Laravel framework. Using that access I’ll find a database password that has been reused by the cry0l1t3 user. Browsing through system logs will reveal the password of another user, mrb3n. mrb3n can run Composer with sudo, which I’ll exploit to gain a root shell.
Cache was a medium difficulty machine on Hack the Box. Here’s my take on solving the challenge.
Travel was a hard difficulty machine on Hack the Box. Here’s my take on solving the challenge.
TL;DR: Travel was a really great box with some advanced web exploitation. I’ll find a virtual subdomain in the SSL certificate that contains a stray .git folder. It’ll allow me to reconstruct the PHP files, where I’ll find an SSRF vulnerability. I’ll exploit this vulnerability to inject a PHP object and plant a webshell. With the webshell in place I’ll gain a reverse shell on a Docker container. I’ll find a WordPress database backup file with a password hash. Once cracked, the password will allow me to login…
Buff was an easy machine on Hack the Box. Here’s my take on solving the challenge.
TL;DR: There’s a Gym Management Software instance running on HTTP port 8080. It’s vulnerable to an unauthenticated PHP file upload and therefore RCE. Locally there’s a CloudMe version running with a known buffer overflow vulnerability which can be exploited to escalate privileges.
The Nmap scan showed only port 8080 open, with an HTTP server:
Cascade was a medium difficulty machine on Hack the Box. Here’s my take on solving the machine.
TL;DR: There’s a publicly accessible LDAP endpoint. One of the users has a custom attribute that reveals their password. Using this access it’s possible to read an SMB share that contains a VNC registry entry holding another user’s password, this time encrypted. There is a publicly available tool capable of decrypting it. The newly acquired credentials allow access to a WinRM shell and the user flag. On top of that they give access to another SMB share, this time containing a SQLite database…
Magic was a medium difficulty machine on Hack the Box. Here’s my take on solving the machine.
TL;DR: SQL injection in the login form allows an authentication bypass and grants access to an image upload feature. The feature’s filter can be bypassed by sending a PHP file prepended with a PNG file header, granting code execution and a reverse shell. Locally it’s possible to dump the database using credentials found in a PHP file. In the database there’s a password that allows logging in as the Theseus user and grabbing the user flag. Privilege escalation is possible through a vulnerable SysInfo program. It calls fdisk with root…