Hack The Box: Editor

Description

Editor is an easy Hack The Box machine that features:

- XWiki Remote Command Execution vulnerability
- User Pivoting via a reused credential from a MySQL database
- Privilege Escalation via netdata binary with SUID bit set and PATH manipulation

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.209.7.

    $ ping -c 3 10.129.209.7
    PING 10.129.209.7 (10.129.209.7) 56(84) bytes of data.
    64 bytes from 10.129.209.7: icmp_seq=1 ttl=63 time=46.7 ms
    64 bytes from 10.129.209.7: icmp_seq=2 ttl=63 time=46.6 ms
    64 bytes from 10.129.209.7: icmp_seq=3 ttl=63 time=46.6 ms
    --- 10.129.209.7 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2004ms
    rtt min/avg/max/mdev = 46.625/46.646/46.666/0.016 ms

The machine is active, and since the TTL equals 63 (64 minus 1 hop), we can be confident that it is a Unix machine. Now we are going to run an Nmap TCP SYN port scan to check all open ports. ...

December 6, 2025 · 6 min

Hack The Box: Era

Description

Era is a medium Hack The Box machine that features:

- Subdomain Enumeration to find a web storage application
- User enumeration via a flawed login implementation
- Login bypass via a flawed login implementation
- User pivoting via a flawed security reset implementation
- Download of the source code of the application (Insecure Direct Object Reference) leading to the discovery of a local file inclusion vulnerability by using PHP wrappers and user credentials
- Local File Inclusion vulnerability allows Remote Command Execution
- User pivoting by using previously found credentials
- Privilege Escalation by replacing a signed ELF writable by the user

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.244.58. ...

November 29, 2025 · 15 min

Hack The Box: Outbound

Description

Outbound is an easy Hack The Box machine that features:

- Assumed breach of a mail user's credentials
- Remote Command Execution vulnerability in Roundcube mail client
- Password recovered from the decryption of a Roundcube session
- Decrypted Roundcube password allows access to a mailbox containing the password of a Linux user
- Privilege Escalation via the Below application changing log file permissions to be writable by all users

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.253.19. ...

November 15, 2025 · 9 min

Hack The Box: Voleur

Description

Voleur is a medium Hack The Box machine that features:

- Initial access using an assumed breach scenario that leads to domain discovery. This domain only allows Kerberos authentication
- SMB share discovery leading to the discovery of a file with credentials of service accounts and a removed account
- One of the leaked accounts allows a targeted Kerberoast attack against another service account that is allowed to create remote sessions to the system
- The removed account can be recovered; it contains a backup of credentials encrypted using DPAPI, and the recovered credentials allow user pivoting
- Pivoted user has the private SSH key of the service backup account
- Service backup account holds the backup of the Active Directory user database containing all the credentials
- Privilege Escalation by dumping the secrets of the Active Directory user database (Kerberos keys)

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.250.126. ...

November 1, 2025 · 14 min

Hack The Box: Artificial

Description

Artificial is an easy Hack The Box machine that features:

- AI web platform allowing the upload of TensorFlow models, which leads to remote command execution
- User pivoting by cracking the user hashes of the AI platform and password reuse
- Internal web application Backrest with a backup of its configuration archived with its password hash and the cracking of it
- Privilege Escalation via Command Execution using the Backrest application

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.68.41. ...

October 25, 2025 · 9 min

Hack The Box: TombWatcher

Description

TombWatcher is a medium Hack The Box machine that features:

- Initial access using an assumed breach scenario that leads to domain discovery
- Controlled user has WriteSPN permission over another user, allowing user pivoting with a targeted Kerberoast attack
- User is able to add itself to a group with the ReadGMSAPassword permission over a service account, allowing user pivoting
- Service account has ForceChangePassword permission over a user account, allowing changing the user password and user pivoting
- Next user account has WriteOwner permission over another user, allowing changing the owner, the permissions and the password of the user that is able to remotely access the machine
- Active Directory Certificate Services deleted account recovery via the AD Recycle Bin
- One of the controlled users has GenericAll permission over the ADCS account, allowing full control
- Privilege Escalation via Active Directory Certificate Services ESC15 vulnerability

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.44.254. ...

October 11, 2025 · 13 min

Hack The Box: Puppy

Description

Puppy is a medium Hack The Box machine that features:

- Initial access using an assumed breach scenario that leads to the discovery of an SMB share
- Access to an SMB share by adding the user to a group
- Recovery of a KeePass database from an SMB share and its password for user pivoting
- User has GenericAll permission over a disabled Remote Management user
- Enabling the previously disabled account to have console access to the system
- User Pivoting by using credentials found in a backup file
- Privilege Escalation via saved credentials in a DPAPI-encrypted file

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.152.233. ...

September 27, 2025 · 12 min

Hack The Box: Fluffy

Description

Fluffy is an easy Hack The Box machine that features:

- Initial access using an assumed breach scenario that leads to the discovery of an SMB server that hosts a vulnerabilities report
- Windows File Explorer Spoofing Vulnerability that allows the capture of another user's NTLM hash and the corresponding hash cracking
- User belonging to a group that has GenericAll permission over another group that has GenericWrite permissions over service accounts
- One of the service accounts has remote console access to the system and another is the Certification Authority one
- Privilege Escalation via ESC16 vulnerability in the certification templates allowing authentication as the Administrator user

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.130.70. ...

September 20, 2025 · 12 min

Hack The Box: Planning

Description

Planning is an easy Hack The Box machine that features:

- Subdomain Enumeration
- Grafana authenticated RCE with given credentials
- User Pivoting via leaked credentials in a Docker container's environment variables
- Privilege Escalation via crontab-ui web application and a stored password

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.142.49.

    $ ping -c 3 10.129.142.49
    PING 10.129.142.49 (10.129.142.49) 56(84) bytes of data.
    64 bytes from 10.129.142.49: icmp_seq=1 ttl=63 time=77.4 ms
    64 bytes from 10.129.142.49: icmp_seq=2 ttl=63 time=50.9 ms
    64 bytes from 10.129.142.49: icmp_seq=3 ttl=63 time=82.6 ms
    --- 10.129.142.49 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2003ms
    rtt min/avg/max/mdev = 50.914/70.309/82.646/13.882 ms

The machine is active, and since the TTL equals 63 (64 minus 1 hop), we can be confident that it is a Unix machine. Now we are going to run an Nmap TCP SYN port scan to check all open ports. ...

September 13, 2025 · 5 min

Hack The Box: Environment

Description

Environment is a medium Hack The Box machine that features:

- Laravel web application exposing source code in debug mode
- Changing a Laravel environment variable allows Authentication Bypass
- Insecure File Upload allows Remote Command Execution
- Access to a GPG-encrypted file and keychain by the web-running user reveals credentials of the machine's user
- Privilege Escalation via a misconfigured SUDO policy

Footprinting

First, we are going to use the ping command to check whether the machine is active and to identify its operating system. The target machine IP address is 10.129.26.20. ...

September 6, 2025 · 8 min