Hack the Box

Description Expressway is an easy Hack The Box machine that features: IKE IPSec server enumeration and PSK recovery Password Reuse for Linux user Privilege Escalation via a vulnerable SUDO application Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.62.220. $ ping -c 3 10.129.62.220 PING 10.129.62.220 (10.129.62.220) 56(84) bytes of data. 64 bytes from 10.129.62.220: icmp_seq=1 ttl=63 time=48.0 ms 64 bytes from 10.129.62.220: icmp_seq=2 ttl=63 time=48.7 ms 64 bytes from 10.129.62.220: icmp_seq=3 ttl=63 time=47.5 ms --- 10.129.62.220 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 47.508/48.072/48.719/0.497 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Description Giveback is a medium Hack The Box machine that features: WordPress plugin blog vulnerable to PHP Object Injection leading to Remote Command Execution in a Kubernetes container Kubernetes Network Enumeration to find another containers Container Pivoting via PHP-CGI Remote Command Execution vulnerability Use of a Kubernetes service account to read secrets containing passwords Password reuse for Linux user allows creating a shell in the host Linux machine Custom Executable password recovery via enumeration Privilege Escalation via a runc command protected with a password found previously Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.188.129. ...

Description Soulmate is an easy Hack The Box machine that features: Subdomain discovery to find a CrushFTP instance CrushFTP Authentication Bypass CrushFTP allows file upload in web server which leads in Remote Command Execution Erlang configuration script leads to user pivoting due to leaked credentials Privilege Escalation via a Erlang (EPMD) daemon running as root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.94.109. ...

Description Signed is a medium Hack The Box machine that features: Assumed breach scenario with credentials that leads in MSSQL service enumeration MSSQL service account NTLM hash capture and crack to elevate the privileges Privilege Escalation via the ability of creating silver tickets and the use of OPENROWSET(BULK) T-SQL query to read privileged files Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.186.204. ...

Description CodePartTwo is an easy Hack The Box machine that features: Remote Command Execution in Python application interfacing with Javascript code using js2py Recovery of a credential found in web application database and password reuse Privilege Escalation via npbackup backup application ran as root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.119.51. ...

Description Imagery is a medium Hack The Box machine that features: Cross Site Scripting in gallery web application allowing the capture of administrator session Path Traversal in web application allowing reading the source code Command Injection in functionality unlocked by a pivoted testing user Linux user pivoting by the decryption an old backup of the website source code Privilege Escalation via a vulnerable backup application allowing command execution Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.17.177. ...

Description HackNet is a medium Hack The Box machine that features: Server Side Template Injection in Python Django web application Credentials obtained from SSTI leads to password reuse in Linux user User pivoting to web server user via Django cache deserialization Privilege Escalation via decryption of GPG encrypted SQL dump backups Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.208.8. ...

Description Previous is a medium Hack The Box machine that features: Next.js Middleware Authorization Bypass Vulnerability Next.js Path Traversal that leads into reading compiled source code Compiled source code contains user credentials User credentials reused for Linux user Privilege Escalation via a malicious Terraform provider Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.235.175. ...

Description Editor is an easy Hack The Box machine that features: XWiki Remote Command Execution vulnerability User Pivoting via a reused credential from a MySQL database Privilege Escalation via netdata binary with SUID bit set and PATH manipulation Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.209.7. $ ping -c 3 10.129.209.7 PING 10.129.209.7 (10.129.209.7) 56(84) bytes of data. 64 bytes from 10.129.209.7: icmp_seq=1 ttl=63 time=46.7 ms 64 bytes from 10.129.209.7: icmp_seq=2 ttl=63 time=46.6 ms 64 bytes from 10.129.209.7: icmp_seq=3 ttl=63 time=46.6 ms --- 10.129.209.7 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 46.625/46.646/46.666/0.016 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Description Era is a medium Hack The Box machine that features: Subdomain Enumeration to find a web storage application User enumeration via a flawed login implementation Login bypass via a flawed login implementation User pivoting via a flawed security reset implementation Download of the source code of the application (Insecure Direct Object Reference) leading to the discovery of a local file inclusion vulnerability by using PHP wrappers and user credentials Local File Inclusion vulnerability allows Remote Command Execution User pivoting by using previously found credentials Privilege Escalation by replacing a signed ELF writable by the user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.244.58. ...