Hack the Box

Description Resource is a hard Hack The Box machine that features: Local File Inclusion in a Dockerized PHP application leading to Remote Command Execution User Pivoting by using a reused password recovered from a HAR file User Pivoting by signing a public key to login over SSH using a Certification Authority Docker escape by signing a public key with an API to login over SSH using a principal User Pivoting by signing a public key with an API to login over SSH using a principal Privilege Escalation via a vulnerable script that allows to retrieve the private key of the Certification Authority and then generating a certificate for root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.81.215. ...

Description Blazorized is a hard Hack The Box machine that features: Reverse Engineering of a Razor WebAssembly web application to obtain the parameters to build a correct JWT token Reverse Engineering of a Razor Server web application by monitoring the HTTP requests to obtain the JWT Local Storage item name Injection of the token in the Razor Server web application to access to an administration panel Error-Based SQL injection in the administration panel that leads to a Remote Command Execution Pivoting to another user using WriteSPN rights and a Kerberoasting attack to obtain the hash of the user and then the hash is cracked Pivoting to another user using the ability of the user to change the Logon Script path and the ability to write in specific directories Privilege Escalation using DCSync rights to obtain the NTLM hash of the Administrator user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.184.48. ...

Description PermX is an easy Hack The Box machine that features: Subdomain Enumeration Chamilo LMS Remote Command Execution Vulnerability Sensitive Data Exposure of Database Credentials Password of a Database Reused for a Linux User Privilege Escalation using ACLs (Access Control Lists) and a misconfigured SUDO script Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.121.154. ...

Description Editorial is an easy Hack The Box machine that features: Server Side Request Forgery (SSRF) in a web application that exposes an internal API Internal API exposing reused SSH user credentials Git Repository exposing reused user credentials Privilege Escalation via a vulnerable GitPython library (Remote Command Execution) Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.202.197. ...

Description Blurry is a medium Hack The Box machine that features: Access to an unauthenticated ClearML server Remote Command Execution in ClearML 1.13.1 application due to Unsafe Deserialization of Untrusted Data Privilege Escalation by using a Pickle file inside a machine learning model and the ability to run a command that can load models as the root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.127.228. ...

Description EvilCUPS is a medium Hack The Box machine that features: CUPS Remote Command Execution Privilege Escalation via leaked credential in past print job Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.10.11.40. $ ping -c 3 10.10.11.40 PING 10.10.11.40 (10.10.11.40) 56(84) bytes of data. 64 bytes from 10.10.11.40: icmp_seq=1 ttl=63 time=118 ms 64 bytes from 10.10.11.40: icmp_seq=2 ttl=63 time=117 ms 64 bytes from 10.10.11.40: icmp_seq=3 ttl=63 time=117 ms --- 10.10.11.40 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 116.944/117.494/118.123/0.484 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Description BoardLight is an easy Hack The Box machine that features: Subdomain Enumeration Dolibarr vulnerability that allows remote command execution Password reuse that allows user pivoting Privilege Escalation via a vulnerable SUID Enlightement window manager binary Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.62.232. $ ping -c 3 10.129.62.232 PING 10.129.62.232 (10.129.62.232) 56(84) bytes of data. 64 bytes from 10.129.62.232: icmp_seq=1 ttl=63 time=55.3 ms 64 bytes from 10.129.62.232: icmp_seq=2 ttl=63 time=57.4 ms 64 bytes from 10.129.62.232: icmp_seq=3 ttl=63 time=56.5 ms --- 10.129.62.232 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 55.290/56.404/57.401/0.865 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Description SolarLab is a medium Hack The Box machine that features: SMB share enumeration and the download of a file with credentials / SMB user enumeration Password Reuse in a web application ReportLab Library Remote Command Execution vulnerability Sensitive Data Exposure in a database and Password Reuse of an user running an Openfire service Privilege Escalation via a password Blowfish hash cracking of an Openfire service Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.52.107. ...

Description Mailing is an easy Hack The Box machine that features: Directory Traversal and Local File Inclusion in a web server Recovery of an user email password using a hash obtained from a configuration file Microsoft Outlook CVE-2024-21413 Remote Command Execution vulnerability to gain an user credential Privilege Escalation via LibreOffice CVE-2023-2255 Local Command Execution vulnerability Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.51.252. ...

Description Runner is an medium Hack The Box machine that features: Subdomain Enumeration to find a TeamCity instance TeamCity vulnerability CVE-2024-27198 that allows unauthenticated administrative account creation Export of a id_rsa SSH private key from a Linux user by exporting a TeamCity project Enumeration of Linux system to find a Portainer instance Remote Command Execution in TeamCity using a malicious plugin to get access to the database Cracking of a TeamCity password hash to obtain the access to Portainer instance Privilege Escalation via mounting a block device as a volume in a container with Portainer Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.81.22. ...