Posts

Description Imagery is a medium Hack The Box machine that features: Cross Site Scripting in gallery web application allowing the capture of administrator session Path Traversal in web application allowing reading the source code Command Injection in functionality unlocked by a pivoted testing user Linux user pivoting by the decryption an old backup of the website source code Privilege Escalation via a vulnerable backup application allowing command execution Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.17.177. ...

Description HackNet is a medium Hack The Box machine that features: Server Side Template Injection in Python Django web application Credentials obtained from SSTI leads to password reuse in Linux user User pivoting to web server user via Django cache deserialization Privilege Escalation via decryption of GPG encrypted SQL dump backups Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.208.8. ...

Description Previous is a medium Hack The Box machine that features: Next.js Middleware Authorization Bypass Vulnerability Next.js Path Traversal that leads into reading compiled source code Compiled source code contains user credentials User credentials reused for Linux user Privilege Escalation via a malicious Terraform provider Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.235.175. ...

Introduction The Bluetooth Low Energy (BLE) protocol has become a fundamental standard within the IoT ecosystem, used in wearables, sensors, peripherals, and a wide variety of connected devices. It is possible to capture and analyze its traffic in real time using dedicated hardware. For this purpose, the nRF52840 Dongle from Nordic Semiconductor, together with the tool nRF Sniffer for Bluetooth LE, constitutes an accessible and powerful solution. The necessary firmware will be installed on the dongle, the sniffer will be integrated into a Linux environment, and BLE traffic will be captured in Wireshark. Three analysis scenarios are also addressed with different levels of security: connections without pairing, vulnerable classic pairing (Legacy Pairing), and modern and robust pairing based on elliptic curves (LE Secure Connections). ...

Description Editor is an easy Hack The Box machine that features: XWiki Remote Command Execution vulnerability User Pivoting via a reused credential from a MySQL database Privilege Escalation via netdata binary with SUID bit set and PATH manipulation Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.209.7. $ ping -c 3 10.129.209.7 PING 10.129.209.7 (10.129.209.7) 56(84) bytes of data. 64 bytes from 10.129.209.7: icmp_seq=1 ttl=63 time=46.7 ms 64 bytes from 10.129.209.7: icmp_seq=2 ttl=63 time=46.6 ms 64 bytes from 10.129.209.7: icmp_seq=3 ttl=63 time=46.6 ms --- 10.129.209.7 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 46.625/46.646/46.666/0.016 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Introduction Dynamic analysis of Android applications has become an essential discipline for those who develop or audit their own mobile projects. Instrumenting an app in real time allows us to fully understand how it behaves, which code paths are involved in each operation, and how our defensive mechanisms respond to different scenarios. Among the tools that facilitate this process stand out Frida and Objection. To explore these concepts in a controlled way, we will use the application Android SSL Pinning Demo by httptoolkit, an open-source project designed to experiment with various methods of certificate pinning. We will also make use of the scripts published by the same team to analyze the internal workings of TLS verification. This lab is ideal because it offers a secure environment in which it is possible to test instrumentation techniques without impacting third-party software. ...

Description Era is a medium Hack The Box machine that features: Subdomain Enumeration to find a web storage application User enumeration via a flawed login implementation Login bypass via a flawed login implementation User pivoting via a flawed security reset implementation Download of the source code of the application (Insecure Direct Object Reference) leading to the discovery of a local file inclusion vulnerability by using PHP wrappers and user credentials Local File Inclusion vulnerability allows Remote Command Execution User pivoting by using previously found credentials Privilege Escalation by replacing a signed ELF writable by the user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.244.58. ...

Description Outbound is an easy Hack The Box machine that features: Assumed breach of a mail user credentials Remote Command Execution vulnerability in Roundcube mail client Password from a Roundcube session decryption Roundcube decrypted password allow access to a mailbox with a password of a Linux user Privilege Escalation via Below application changing log files permissions to be writable to all users Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.253.19. ...

Description Voleur is a medium Hack The Box machine that features: Initial access using an assumed breach scenario that leads in domain discovery. This domain only allows Kerberos authentication SMB share discovery leading to the discover of a file with credentials of service accounts and a removed account One of the leaked accounts allows a targeted Kerberoast attack to another service account allowed to create remote sessions to the system Removed account can be recovered containing a backup of credentials encrypted using DPAPI and recovered credentials allow user pivoting Pivoted user has the private SSH key of the service backup account Service backup account holds the backup of Active Directory user database containing all the credentials Privilege Escalation by dumping the secrets of the Active Directory user database (Kerberos keys) Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.250.126. ...

Introduction After the configuration in previous articles of the lab, we will proceed to its step-by-step resolution. Solution of the environment Now, in order to participate in the resolution of the environment, it will be necessary to deploy a virtual machine with an operating system such as Kali Linux with a network interface connected to the NatNetwork network created earlier with the OpenVPN .ovpn file to connect to the lab network. We connect to the VPN. ...