Hack The Box: VariaType

Description

VariaType is a medium Hack The Box machine that features:

- Arbitrary File Write in a web application using the Python fontTools library
- Subdomain Enumeration to find a management dashboard
- Upload of a malicious PHP file leads to Remote Command Execution
- User Pivoting by leveraging a Command Injection vulnerability in the Python FontForge library
- Privilege Escalation via a vulnerable Python script executable by root allowing Arbitrary File Write

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.10.139. ...

June 13, 2026 · 16 min

Hack The Box: Facts

Description

Facts is an easy Hack The Box machine that features:

- Web Path Enumeration to find an administration login dashboard
- Camaleon CMS Privilege Escalation vulnerability leads to access to the administrator dashboard with access to credentials of an internal S3 MinIO bucket
- Enumeration of the S3 MinIO bucket leads to the discovery of a private SSH key
- Privilege Escalation via a vulnerable Ruby script allowing execution with the --custom-dir parameter

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.18.175. ...

June 6, 2026 · 8 min

Hack The Box: Interpreter

Description

Interpreter is a medium Hack The Box machine that features:

- Mirth Connect Remote Command Execution
- Mirth Connect database enumeration to find available channels
- Enumeration of internal open ports to find a Mirth Connect channel and an unknown application
- Privilege Escalation via Python Command Injection in an internal application

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.2.28. ...

May 30, 2026 · 8 min

Hack The Box: MonitorsFour

Description

MonitorsFour is an easy Hack The Box machine that features:

- Web enumeration to discover an API with an Insecure Direct Object Reference vulnerability, leading to the discovery of database users
- Subdomain Enumeration to discover a Cacti instance with reused credentials from the previous service
- Cacti instance vulnerable to Authenticated Remote Command Execution leads to a user shell in a Docker container
- Privilege Escalation via a vulnerable Docker Desktop installation exposing the Docker socket to the containers without authentication

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.126.11. ...

May 23, 2026 · 8 min

Hack The Box: Pterodactyl

Description

Pterodactyl is a medium Hack The Box machine that features:

- Pterodactyl Server Management Panel allows PHP Code Injection into a file
- PHP Code Injection leads to Remote Command Execution by using PHP-PEAR
- User Pivoting by reading credentials saved in a MySQL database
- Privilege Escalation via an Incorrect Authorization vulnerability in Linux Pluggable Authentication Modules (PAM) and the allow_active setting in Polkit and libblockdev, leading to execution of a SUID-root shell

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.1.99. ...

May 16, 2026 · 11 min

Hack The Box: Overwatch

Description

Overwatch is a medium Hack The Box machine that features:

- SMB Enumeration allows access to a public share containing a C# desktop application
- C# application reverse engineering to find credentials and an exposed service
- Linked SQL server exploitation by adding a DNS entry pointing to the attacker machine to obtain the MSSQL credentials via the Responder application
- Reused credentials allow access to the machine via the WinRM protocol
- Port Forwarding of the internal port exposed by the C# application
- Privilege Escalation via Command Injection to the SOAP API exposed by the C# application

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.15.185. ...

May 9, 2026 · 11 min

Hack The Box: AirTouch

Description

AirTouch is a medium Hack The Box machine that features:

- SNMP Enumeration to discover a default password used by an SSH user
- Access to a machine connected to an internal network with Wi-Fi interfaces
- WPA2 Pre-Shared Key recovery for connecting to a wireless network
- Wi-Fi sniffing to recover the cookie of a user of the router web interface
- Cookie manipulation allows pivoting from user permissions to administrator permissions
- Web application vulnerable to Insecure File Upload leads to Remote Command Execution in the WPA2-PSK router machine
- Privilege Escalation in the WPA2-PSK machine by reused credentials leads to the discovery of WPA-EAP (Enterprise) certificates, private keys, and a credential of the WPA-EAP router machine
- Spoofing of the WPA-EAP access point with the discovered certificate leads to the discovery of the credentials of the user that connected to the network, allowing the connection
- Access to the WPA-EAP by using the previously discovered credentials
- Privilege Escalation in the WPA-EAP machine by using a credential found in the Hostapd configuration

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.9.3. ...

April 18, 2026 · 18 min

Hack The Box: Eighteen

Description

Eighteen is an easy Hack The Box machine that features:

- Active Directory assumed breach scenario and service enumeration
- Microsoft SQL server user impersonation to read the web service database
- Password recovery via cracking a hash found in the MSSQL database
- User pivoting by password reuse and user enumeration by RID cycling attack
- Privilege Escalation via the ability of the user's group to write to an OU, exploiting dMSA with the BadSuccessor attack

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.71.55. ...

April 11, 2026 · 12 min

Hack The Box: Browsed

Description

Browsed is a medium Hack The Box machine that features:

- Upload of a malicious Chrome extension to discover internal web pages
- Use of the Chrome extension to gain access to a local web application with Server Side Request Forgery
- SSRF of the internal application leads to Command Injection and Remote Command Execution
- Privilege Escalation by a writable Python cache directory and a Python program executable as root user

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.4.136. ...

March 28, 2026 · 9 min

Hack The Box: Conversor

Description

Conversor is an easy Hack The Box machine that features:

- XSLT Injection in a Python Flask web application leading to file writing on the machine
- File Writing in the scripts directory leads to Remote Command Execution
- User Pivoting by recovering the password of the user from a SQLite database
- Privilege Escalation via needrestart Arbitrary Code Execution

Footprinting

First, we use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.21.73. ...

March 21, 2026 · 8 min