Delivery was an easy difficulty machine on Hack the Box. — Delivery was an easy difficulty machine on Hack the Box. TL;DR I’ll identify a helpdesk virtual subdomain which will allow me to create a ticket with a temporary email address. Using that address I’ll create an account on Mattermost instance on port 8065 where I’ll find credentials to SSH. Using…

Laboratory was an easy machine on Hack the Box. — Laboratory was an easy machine on Hack the Box. TL;DR: I’ll find a virtual domain with a vulnerable instance of Gitlab. It can be exploited to gain a shell on Docker instance. I’ll use this access to change Dexter’s password and gain access to his private repository. The repository contains…

Academy was an easy machine on Hack the Box. — Academy was an easy machine on Hack the Box. I’ll exploit a simple pivilege escalation in registration form gain access to administrator panel. Admin panel will reveal a virtual subdomain where I’ll exploit a RCE in Laravel framework. Using that access I’ll find a database password that’s been reused by…

Cache was medium diffculty machine on Hack the Box. Here’s my take on solving the challenge. — Cache was medium diffculty machine on Hack the Box. Here’s my take on solving the challenge. TL;DR: There’s a virtual host on webserver with an instance of a vulnerable version of OpenEMR. It’s vulnerabilities can be chained up, first to gain patient access, then use it to exploit authenticated sql…

Travel was a hard difficulty mahcine of Hack the Box. Here’s my take on solving the challenge. — Travel was a hard difficulty mahcine of Hack the Box. Here’s my take on solving the challenge. TL;DR: Travel was really great box with some advanced web exploitation. I’ll find a virtual subodmain in SSL certificate that contains a stray .git folder. It’ll allow me to reconstruct php files, where…

Buff was an easy machine on Hack the Box. Here’s my take on solving the challenge — Buff was an easy machine on Hack the Box. Here’s my take on solving the challenge TL;DR: There’s a Gym Management Software running on HTTP port 8080. It’s vulnerable to a unauthenticated PHP file upload and therefore RCE. …

Blunder was an easy machine on Hack the Box. Here’s my take on solving the challenge — Blunder was an easy machine on Hack the Box. Here’s my take on solving the challenge User According to nmap, the webserver should be the only attack surface: There seems to be some kind of blog on the site

Admirer was an easy difficulty machine on Hack the Box. Here’s my take on solving the challenge. — Admirer was an easy difficulty machine on Hack the Box. Here’s my take on solving the challenge. User Nmap reveals three running services:

Cascade was a medium difficulty machine on Hack the box. Here’s my take on solving the machine — Cascade was a medium difficulty machine on Hack the box. Here’s my take on solving the machine TL;DR: There’s a public LDAP database endpoint available. One of users has a custom field that reveals it’s password. Using this access it’s possible to access a SMB share that contains a VNC…