Hack The Box: SolarLab

Description: SolarLab is a medium Hack The Box machine that features: SMB share enumeration and download of a file containing credentials; SMB user enumeration; password reuse in a web application; a remote command execution vulnerability in the ReportLab library; sensitive data exposure in a database and password reuse by the user running an Openfire service; privilege escalation by cracking a Blowfish password hash of the Openfire service. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.52.107. ...

September 21, 2024 · 9 min

Hack The Box: Mailing

Description: Mailing is an easy Hack The Box machine that features: directory traversal and local file inclusion in a web server; recovery of a user's email password using a hash obtained from a configuration file; the Microsoft Outlook CVE-2024-21413 remote command execution vulnerability, used to obtain a user's credentials; privilege escalation via the LibreOffice CVE-2023-2255 local command execution vulnerability. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.51.252. ...

September 7, 2024 · 9 min

Dynamic Analysis in Android - IV - Analysis of symmetric encrypted traffic

Introduction: Beyond requiring a specific TLS certificate (pinning), an application can add a further protection by encrypting the payload of its network communications on top of the HTTP protocol. In the case of symmetric encryption, the application obtains the key either from the server or from its own source code, statically (stored in a variable) or dynamically, where several obfuscated methods are executed to derive the key to use. ...

September 1, 2024 · 4 min

Hack The Box: Runner

Description: Runner is a medium Hack The Box machine that features: subdomain enumeration to find a TeamCity instance; TeamCity vulnerability CVE-2024-27198, which allows unauthenticated creation of an administrative account; recovery of a Linux user's id_rsa SSH private key by exporting a TeamCity project; enumeration of the Linux system to find a Portainer instance; remote command execution in TeamCity using a malicious plugin to gain access to the database; cracking of a TeamCity password hash to gain access to the Portainer instance; privilege escalation by mounting a block device as a volume in a container through Portainer. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.81.22. ...

August 24, 2024 · 11 min

Hack The Box: Usage

Description: Usage is an easy Hack The Box machine that features: SQL injection in a Laravel application's database to obtain credentials for the administrator dashboard; insecure file upload of PHP files in the administrator dashboard (bypassing a client-side filter); user pivoting using a hardcoded password in a configuration file; privilege escalation via a 7z archive application executed as the root user. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.104.234. ...

August 10, 2024 · 9 min

Hack The Box: IClean

Description: IClean is a medium Hack The Box machine that features: Cross-Site Scripting in a contact form (obtains the administrator's cookie); Python Server-Side Template Injection leading to command execution; a weak, reused user password recovered from a database holding credentials in hash format; access to privileged files using the qpdf tool and its attachments feature. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.235.68. ...

August 3, 2024 · 8 min

Dynamic Analysis in Android - III - Removal of application restrictions

Introduction: Various applications in banking or public-administration environments contain restrictions that prevent them from running on Android devices that have been altered, for example after installing Magisk and obtaining superuser permissions, after unlocking the bootloader, or when they run in emulators rather than on real devices, all of this to hinder analysis. In an example application, we will have to remove those restrictions from the application's code. One option is to unpack the application and modify the .smali code, a readable, low-level textual representation of Dalvik bytecode. For this, we first extract the APK file of the application and decompile its source code using the tool JADX. ...

August 1, 2024 · 6 min

Hack The Box: WifineticTwo

Description: WifineticTwo is a medium Hack The Box machine that features: remote command execution in the OpenPLC 3 application; Wi-Fi password recovery using the WPS protocol and the Reaver tool. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.107.4.
$ ping -c 3 10.129.107.4
PING 10.129.107.4 (10.129.107.4) 56(84) bytes of data.
64 bytes from 10.129.107.4: icmp_seq=1 ttl=63 time=47.2 ms
64 bytes from 10.129.107.4: icmp_seq=2 ttl=63 time=46.7 ms
64 bytes from 10.129.107.4: icmp_seq=3 ttl=63 time=59.1 ms
--- 10.129.107.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 46.694/50.990/59.085/5.727 ms
The machine is active, and since the TTL is 63 (a default initial TTL of 64 minus one hop), we can infer that it is a Unix-like machine. Next we run an Nmap TCP SYN port scan to find all open ports. ...

July 27, 2024 · 10 min

Hack The Box: Headless

Description: Headless is an easy Hack The Box machine that features: Cross-Site Scripting (XSS) in a User-Agent field to steal cookies; command injection in a form; privilege escalation via a vulnerable script executed with the sudo command. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.248.249.
$ ping -c 3 10.129.248.249
PING 10.129.248.249 (10.129.248.249) 56(84) bytes of data.
64 bytes from 10.129.248.249: icmp_seq=1 ttl=63 time=48.2 ms
64 bytes from 10.129.248.249: icmp_seq=2 ttl=63 time=48.7 ms
64 bytes from 10.129.248.249: icmp_seq=3 ttl=63 time=48.4 ms
--- 10.129.248.249 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 48.160/48.421/48.714/0.227 ms
The machine is active, and since the TTL is 63 (a default initial TTL of 64 minus one hop), we can infer that it is a Unix-like machine. Next we run an Nmap TCP SYN port scan to find all open ports. ...

July 20, 2024 · 7 min

Hack The Box: Perfection

Description: Perfection is an easy Hack The Box machine that features: Server-Side Template Injection (SSTI) in a Ruby web application; sensitive data exposure in a SQLite database; hash cracking using a custom mask; privilege escalation via the recovered password and weak permissions. Footprinting: First, we check with the ping command whether the machine is active and infer its operating system. The target machine IP address is 10.129.144.202.
$ ping -c 3 10.129.144.202
PING 10.129.144.202 (10.129.144.202) 56(84) bytes of data.
64 bytes from 10.129.144.202: icmp_seq=1 ttl=63 time=52.2 ms
64 bytes from 10.129.144.202: icmp_seq=2 ttl=63 time=51.6 ms
64 bytes from 10.129.144.202: icmp_seq=3 ttl=63 time=52.1 ms
--- 10.129.144.202 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 51.565/51.967/52.210/0.286 ms
The machine is active, and since the TTL is 63 (a default initial TTL of 64 minus one hop), we can infer that it is a Unix-like machine. Next we run an Nmap TCP SYN port scan to find all open ports. ...
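The Footprinting steps of the WifineticTwo, Headless and Perfection writeups above all apply the same TTL heuristic by hand: read the ttl= value from the echo replies, round it up to the nearest common default initial TTL, and attribute the difference to hops. The following Python helper is an added example, not code from any of the writeups: it parses ping output, performs that inference, and flags the cases where the guess is weak (many hops, or an unknown default). The table of default TTLs and the Windows-style sample output are assumptions constructed for the example; the first sample is the WifineticTwo output quoted above.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Typical default initial TTLs by OS family. Assumption for this example:
# a small reference table, not an exhaustive fingerprint database.
DEFAULT_TTLS: Dict[int, str] = {
    64: "Linux/Unix/macOS (default TTL 64)",
    128: "Windows (default TTL 128)",
    255: "Network device / Solaris / AIX (default TTL 255)",
}

# More hops than this and a higher default could just as well explain the
# observed value, so the OS guess is reported with low confidence.
MAX_PLAUSIBLE_HOPS = 30

# Matches "ttl=63" (Linux ping) and "TTL=127" (Windows ping).
TTL_RE = re.compile(r"\bttl=(\d+)\b", re.IGNORECASE)

# Sample 1: output quoted from the WifineticTwo writeup above.
SAMPLE_LINUX = """PING 10.129.107.4 (10.129.107.4) 56(84) bytes of data.
64 bytes from 10.129.107.4: icmp_seq=1 ttl=63 time=47.2 ms
64 bytes from 10.129.107.4: icmp_seq=2 ttl=63 time=46.7 ms
64 bytes from 10.129.107.4: icmp_seq=3 ttl=63 time=59.1 ms
--- 10.129.107.4 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms"""

# Sample 2: constructed output for a host one hop away with default TTL 128.
SAMPLE_WINDOWS = """PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=127 time=1.2 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=127 time=1.1 ms
--- 10.0.0.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms"""


def observed_ttls(ping_output: str) -> List[int]:
    """Extract the ttl= value from every echo-reply line in ping output."""
    return [int(m.group(1)) for m in TTL_RE.finditer(ping_output)]


def infer_os(ttl: int) -> Tuple[int, int, str]:
    """Map an observed TTL to (initial_ttl, hops, os_guess).

    The initial TTL is the smallest common default that is >= the observed
    value; the hop count is how many routers decremented it along the way.
    """
    for initial in sorted(DEFAULT_TTLS):
        if ttl <= initial:
            return initial, initial - ttl, DEFAULT_TTLS[initial]
    raise ValueError(f"TTL {ttl} exceeds every known default initial TTL")


def fingerprint(ping_output: str) -> dict:
    """Summarise reachability and the TTL-based OS guess for one ping run."""
    ttls = observed_ttls(ping_output)
    if not ttls:
        return {"reachable": False}
    # Use the most frequent TTL: a single odd reply should not drive the guess.
    ttl = Counter(ttls).most_common(1)[0][0]
    initial, hops, guess = infer_os(ttl)
    return {
        "reachable": True,
        "replies": len(ttls),
        "ttl": ttl,
        "initial_ttl": initial,
        "hops": hops,
        "os_guess": guess,
        "confidence": "low" if hops > MAX_PLAUSIBLE_HOPS else "high",
    }


if __name__ == "__main__":
    for name, sample in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        print(name, fingerprint(sample))
```

The heuristic is only a first hint: a host behind NAT or a load balancer answers with the TTL of the device in front of it, and some systems allow the default to be changed, so the Nmap scan that follows in each writeup is what actually confirms the operating system.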

July 6, 2024 · 6 min