Hack the Box

Description Sightless is an easy Hack The Box machine that features: Remote Command Execution in the SQLPad web application Escaping from Docker container by cracking the “shadow” hashes and logging through SSH Discovery of internal Froxlor web application and local port forwarding Password Recovery by using a debugging session of the Chrome browser Recovery of a KeePass database file password located in a FTPS service owned by Froxlor application Privilege Escalation by recovering the SSH login key from the KeePass database Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.172.196. ...

Description Sea is an easy Hack The Box machine that features: Remote Command Execution via a Cross Site Scripting vulnerability in WonderCMS application Crack of a weak password hash that allows the login as a Linux user Privilege Escalation via a Command Injection in an internal HTTP monitoring application Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.214.57. ...

Description Compiled is a medium Hack The Box machine that features: Windows Git vulnerability allowing Remote Command Execution by cloning a repository Cracking the password hash of a Gitea user Password Reuse of the Gitea user password in a Windows Local Account Privilege Escalation via a Visual Studio 2019 vulnerability Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.91.211. ...

Description GreenHorn is an easy Hack The Box machine that features: Leaked CMS password hash in a Gitea server Crack of a weak password Vulnerable pluck web application that allows Arbitrary File Upload that leads in Remote Command Execution Reused CMS password in a Linux user Privilege Escalation via the recovery of the root’s password by depixelizing a pixelized image in a PDF file Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.242.145. ...

Description Unrested is a medium Hack The Box machine that features: Zabbix SQL Injection that leads into Remote Command Execution vulnerability Privilege Escalation via a restricted Nmap command script Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.10.11.50. $ ping -c 3 10.10.11.50 PING 10.10.11.50 (10.10.11.50) 56(84) bytes of data. 64 bytes from 10.10.11.50: icmp_seq=1 ttl=63 time=44.3 ms 64 bytes from 10.10.11.50: icmp_seq=2 ttl=63 time=43.3 ms 64 bytes from 10.10.11.50: icmp_seq=3 ttl=63 time=43.8 ms --- 10.10.11.50 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 43.288/43.796/44.292/0.409 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Description Resource is a hard Hack The Box machine that features: Local File Inclusion in a Dockerized PHP application leading to Remote Command Execution User Pivoting by using a reused password recovered from a HAR file User Pivoting by signing a public key to login over SSH using a Certification Authority Docker escape by signing a public key with an API to login over SSH using a principal User Pivoting by signing a public key with an API to login over SSH using a principal Privilege Escalation via a vulnerable script that allows to retrieve the private key of the Certification Authority and then generating a certificate for root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.81.215. ...

Description Blazorized is a hard Hack The Box machine that features: Reverse Engineering of a Razor WebAssembly web application to obtain the parameters to build a correct JWT token Reverse Engineering of a Razor Server web application by monitoring the HTTP requests to obtain the JWT Local Storage item name Injection of the token in the Razor Server web application to access to an administration panel Error-Based SQL injection in the administration panel that leads to a Remote Command Execution Pivoting to another user using WriteSPN rights and a Kerberoasting attack to obtain the hash of the user and then the hash is cracked Pivoting to another user using the ability of the user to change the Logon Script path and the ability to write in specific directories Privilege Escalation using DCSync rights to obtain the NTLM hash of the Administrator user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.184.48. ...

Description PermX is an easy Hack The Box machine that features: Subdomain Enumeration Chamilo LMS Remote Command Execution Vulnerability Sensitive Data Exposure of Database Credentials Password of a Database Reused for a Linux User Privilege Escalation using ACLs (Access Control Lists) and a misconfigured SUDO script Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.121.154. ...

Description Editorial is an easy Hack The Box machine that features: Server Side Request Forgery (SSRF) in a web application that exposes an internal API Internal API exposing reused SSH user credentials Git Repository exposing reused user credentials Privilege Escalation via a vulnerable GitPython library (Remote Command Execution) Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.202.197. ...

Description Blurry is a medium Hack The Box machine that features: Access to an unauthenticated ClearML server Remote Command Execution in ClearML 1.13.1 application due to Unsafe Deserialization of Untrusted Data Privilege Escalation by using a Pickle file inside a machine learning model and the ability to run a command that can load models as the root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.127.228. ...