Hack The Box: UnderPass

Description: UnderPass is an easy Hack The Box machine that features: SNMP enumeration to find an installed web application; use of default credentials in the RADIUS management web application; user and password enumeration of the RADIUS web application; password reuse of a RADIUS user on the Linux server; and privilege escalation via a Mosh (Mobile Shell) command executed with root permissions. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.145.216. ...

May 10, 2025 · 6 min

Hack The Box: Administrator

Description: Administrator is a medium Hack The Box machine that features: Active Directory enumeration using given domain user credentials; the given domain user with the GenericAll access right over a user, allowing a password change; a domain user with the ForceChangePassword access right over a user, allowing a password change; a user with access to an FTP server that allows the recovery of a password manager backup; recovery of the master password of a password manager and its credentials; a domain user with the GenericWrite access right over a user, allowing recovery of the Kerberos hash and the password; and privilege escalation with a domain user that has the DCSync permissions, dumping the credentials. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.144.56. ...

April 19, 2025 · 9 min

Hack The Box: LinkVortex

Description: LinkVortex is an easy Hack The Box machine that features: subdomain enumeration to find a hidden Git repository; credential leakage in a Git repository; arbitrary file read in Ghost CMS; password reuse for a Linux account, found in the Ghost configuration file; and privilege escalation via bypassing the restriction of a Bash script. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.39.160. ...

April 12, 2025 · 9 min

Hack The Box: Alert

Description: Alert is an easy Hack The Box machine that features: a PHP web application vulnerable to Cross-Site Scripting (XSS); a PHP web application vulnerable to Server-Side Request Forgery (SSRF); a PHP web application vulnerable to Path Traversal that leaks the credentials of a web server; web server credentials reused for the Linux system; and privilege escalation via a writable web server folder hosted by a service running as the root user. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.121.113. ...

March 22, 2025 · 10 min

Hack The Box: Certified

Description: Certified is a medium Hack The Box machine that features: Active Directory enumeration using given domain user credentials; the given domain user with the WriteOwner access right over a group, allowing the user to add itself to the group; group members with the GenericWrite access right over a domain user with permissions to log into the machine, allowing a password change; the logged-in user with the GenericAll permission over a Certificate Authority user, allowing a change of its password and other user fields; and privilege escalation via impersonating the Administrator user using the ESC9 vulnerability in certificate templates used in Active Directory Certificate Services. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.24.237. ...

March 15, 2025 · 12 min

Hack The Box: Chemistry

Description: Chemistry is an easy Hack The Box machine that features: arbitrary code execution in the pymatgen Python library and CIF files; user pivoting by cracking a hashed password in a database file; local port forwarding of an internal web application using the aiohttp Python library; and privilege escalation via a file traversal vulnerability in the aiohttp Python library that allows retrieving the private SSH key of the root user. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.79.219. ...

March 8, 2025 · 8 min

Hack The Box: Instant

Description: Instant is a medium Hack The Box machine that features: a leaked Administrator JWT token in the source code of an Android application package; subdomain enumeration in the XML network configuration of an Android application package; API enumeration using one subdomain that provides the application documentation; brute force against the login endpoint to recover the weak password of an API user; a Path Traversal vulnerability in an API endpoint that allows reading a user's SSH private key; and privilege escalation by decrypting a backup from the Solar-Putty application using a previously obtained password. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.132.27. ...

March 1, 2025 · 7 min

Hack The Box: Cicada

Description: Cicada is an easy Hack The Box machine that features: Domain Controller enumeration using a NULL session; user credentials recovered from a share accessible with a NULL session; Domain Controller enumeration using a domain account; user credentials recovered from the description of a domain user; user credentials recovered from a share accessible with a domain account; initial access to the machine with a domain account that belongs to the Remote Management Users group; and privilege escalation via a dump of the SAM database using a domain account with the SeBackupPrivilege privilege. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.209.245. ...

February 15, 2025 · 11 min

Hack The Box: Trickster

Description: Trickster is a medium Hack The Box machine that features: Cross-Site Scripting in a PrestaShop application that leads to Remote Code Execution; user pivoting by recovering the password of the user from the PrestaShop MySQL database; discovery of the internal Docker application changedetection.io and local port forwarding; Remote Code Execution in the changedetection.io Docker application; and privilege escalation via a password leak in the Bash history of the container. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.129.80.146. ...

February 1, 2025 · 9 min

Hack The Box: Strutted

Description: Strutted is a medium Hack The Box machine that features: an image upload web application with Apache Struts vulnerable to Remote Command Execution; user pivoting via a leaked credential in a configuration file; and privilege escalation by using the tcpdump tool run as the root user. Footprinting: First, we are going to check with the ping command whether the machine is active and which operating system it runs. The target machine IP address is 10.10.11.59.

$ ping -c 3 10.10.11.59
PING 10.10.11.59 (10.10.11.59) 56(84) bytes of data.
64 bytes from 10.10.11.59: icmp_seq=1 ttl=63 time=44.1 ms
64 bytes from 10.10.11.59: icmp_seq=2 ttl=63 time=43.3 ms
64 bytes from 10.10.11.59: icmp_seq=3 ttl=63 time=43.5 ms
--- 10.10.11.59 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 43.274/43.637/44.093/0.340 ms

The machine is active, and with a TTL that equals 63 (64 minus 1 hop) we can be sure that it is a Unix machine. Now we are going to run an Nmap TCP SYN port scan to check all open ports. ...

January 23, 2025 · 9 min