Posts

Description Unrested is a medium Hack The Box machine that features: Zabbix SQL Injection that leads into Remote Command Execution vulnerability Privilege Escalation via a restricted Nmap command script Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.10.11.50. $ ping -c 3 10.10.11.50 PING 10.10.11.50 (10.10.11.50) 56(84) bytes of data. 64 bytes from 10.10.11.50: icmp_seq=1 ttl=63 time=44.3 ms 64 bytes from 10.10.11.50: icmp_seq=2 ttl=63 time=43.3 ms 64 bytes from 10.10.11.50: icmp_seq=3 ttl=63 time=43.8 ms --- 10.10.11.50 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2003ms rtt min/avg/max/mdev = 43.288/43.796/44.292/0.409 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Introduction️ KeeLoq is a security protocol based on a symmetric key cryptographic algorithm that is mainly used in remote control systems, such as garage door remotes and remote access systems for cars. It was developed by Microchip Technology and is widely used due to its low cost and relatively simple implementation.️ KeeLoq implements a “rolling code” system to prevent replay attacks. This means that every time the remote control button is pressed, a unique code is generated that never repeats. The receiver (such as a garage door opener) recognizes this code and validates it against an expected sequence, ignoring any duplicate codes.️ ...

Description Resource is a hard Hack The Box machine that features: Local File Inclusion in a Dockerized PHP application leading to Remote Command Execution User Pivoting by using a reused password recovered from a HAR file User Pivoting by signing a public key to login over SSH using a Certification Authority Docker escape by signing a public key with an API to login over SSH using a principal User Pivoting by signing a public key with an API to login over SSH using a principal Privilege Escalation via a vulnerable script that allows to retrieve the private key of the Certification Authority and then generating a certificate for root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.81.215. ...

Description Blazorized is a hard Hack The Box machine that features: Reverse Engineering of a Razor WebAssembly web application to obtain the parameters to build a correct JWT token Reverse Engineering of a Razor Server web application by monitoring the HTTP requests to obtain the JWT Local Storage item name Injection of the token in the Razor Server web application to access to an administration panel Error-Based SQL injection in the administration panel that leads to a Remote Command Execution Pivoting to another user using WriteSPN rights and a Kerberoasting attack to obtain the hash of the user and then the hash is cracked Pivoting to another user using the ability of the user to change the Logon Script path and the ability to write in specific directories Privilege Escalation using DCSync rights to obtain the NTLM hash of the Administrator user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.184.48. ...

Description PermX is an easy Hack The Box machine that features: Subdomain Enumeration Chamilo LMS Remote Command Execution Vulnerability Sensitive Data Exposure of Database Credentials Password of a Database Reused for a Linux User Privilege Escalation using ACLs (Access Control Lists) and a misconfigured SUDO script Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.121.154. ...

Introduction️ Having access to a device with a GNU/Linux operating system and MIPS architecture as a router or embedded system will require generating executable binary files using tools such as the complete busybox suite or the tcpdump tool to intercept network packets. These systems often lack these tools or include them with reduced features. To do this, it is necessary to install a cross-compiler and the source code of the application, which depending on the versions used, can result in errors.️ ...

Description Editorial is an easy Hack The Box machine that features: Server Side Request Forgery (SSRF) in a web application that exposes an internal API Internal API exposing reused SSH user credentials Git Repository exposing reused user credentials Privilege Escalation via a vulnerable GitPython library (Remote Command Execution) Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.202.197. ...

Description Blurry is a medium Hack The Box machine that features: Access to an unauthenticated ClearML server Remote Command Execution in ClearML 1.13.1 application due to Unsafe Deserialization of Untrusted Data Privilege Escalation by using a Pickle file inside a machine learning model and the ability to run a command that can load models as the root user Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.129.127.228. ...

Description EvilCUPS is a medium Hack The Box machine that features: CUPS Remote Command Execution Privilege Escalation via leaked credential in past print job Footprinting First, we are going to check with ping command if the machine is active and the system operating system. The target machine IP address is 10.10.11.40. $ ping -c 3 10.10.11.40 PING 10.10.11.40 (10.10.11.40) 56(84) bytes of data. 64 bytes from 10.10.11.40: icmp_seq=1 ttl=63 time=118 ms 64 bytes from 10.10.11.40: icmp_seq=2 ttl=63 time=117 ms 64 bytes from 10.10.11.40: icmp_seq=3 ttl=63 time=117 ms --- 10.10.11.40 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2004ms rtt min/avg/max/mdev = 116.944/117.494/118.123/0.484 ms The machine is active and with the TTL that equals 63 (64 minus 1 jump) we can assure that it is an Unix machine. Now we are going to do a Nmap TCP SYN port scan to check all opened ports. ...

Introduction️ Various devices marketed in the market both for acquisition by consumers and for rental by Internet service providers’ clients allow their administration through a web portal. This portal may be limited in features and if more advanced configurations are needed, such as configuring the firewall, with the iptables tool, access via console is necessary. The operating system of routers usually is GNU/Linux.️ The console access is usually blocked to prevent problems with incorrect configurations made by inexperienced users, which makes it necessary, for example, to access the serial port by removing the device casing. In other cases, access to the console is allowed through the SSH (Secure Shell) protocol, but access is limited to a restricted console, with pre-defined commands from the manufacturer. These devices usually have a backdoor that allows deploying a command terminal sh or bash with the introduction of specific commands.️ ...