A few weeks ago, someone shared a shady message containing Android malware in the WhatsApp group of a cybersecurity community I’m part of. I’ve always wanted to do some malware analysis and Android security, and since the message or app didn’t even attempt to look legitimate, I figured it wasn’t created by someone particularly competent, so I decided to take this as an opportunity to start learning. I quickly downloaded the APK file onto my system before the admin noticed and deleted it. In this blog, I’ll share my experience analyzing the malware, what I discovered, and the steps I took to begin understanding this field.
Resource is a hard difficulty Linux machine that covers various ways to use OpenSSH private and public keys. It centers around the SSG IT Resource Center, which offers a ticketing service to address the IT issues (SSH access, website and security issues, etc.) of its customers. Upon creating a ticket through the website we can exploit a Local File Inclusion vulnerability, trigger a reverse shell and gain access to what appears to be a Docker container hosting the ticketing website. From this point, there are various clues in past tickets and leftover SSH artifacts, as well as a key-signing API service, that lead to pivoting through other users and escaping the Docker container. Finally, the machine includes various scripts detailing the functions of its ticketing service and key-signing API, one of which contains a vulnerable line of code that allows brute-forcing the final SSH key and achieving full privilege escalation.
PermX is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via CVE-2023-4220. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A sudo misconfiguration is then exploited to gain a root shell.
Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold consists of a series of recently disclosed CVEs in the ClearML suite. The service provides a web platform, a fileserver, and an API, all of which contain vulnerabilities (CVE-2024-24590 through CVE-2024-24595) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with sudo is discovered. The program loads arbitrary PyTorch models to evaluate them against a protected dataset. Since such models are known to be susceptible to insecure deserialisation, fickling is used to scan for insecure pickle files prior to loading the model. Malicious code can nevertheless be injected into a model using runpy to bypass the fickling checks.
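The Blurry summary above turns on one fact: a saved PyTorch model is a pickle stream, and unpickling can import and call any global the stream names. The following is an added example written for this page, not code from the machine, its write-up, or the fickling project. It builds a constructed malicious payload, lists the globals a stream references without executing it (the static check a scanner such as fickling performs), and gates the load behind an allow-list with a restricted unpickler. The allow-list, the payload and the benign "model" are assumptions for the example; a real checkpoint would need the torch rebuild helpers added to the allow-list.

```python
"""Insecure deserialisation in pickled models: static scan plus restricted load.

Added example for this page (not from the Blurry machine or fickling).
All payloads, allow-list entries and sample data are constructed here.
"""
import io
import os
import pickle
import pickletools

# Constructed allow-list. A real one for PyTorch checkpoints would also carry the
# torch rebuild helpers a checkpoint references; anything else is refused.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
}


class MaliciousModel:
    """Stand-in for a tampered model file: __reduce__ tells pickle to call
    os.system('echo ...') at load time. The stream records the function under
    its real module (posix on Linux, nt on Windows), not as 'os'."""

    def __reduce__(self):
        return (os.system, ("echo pwned by model load",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(MaliciousModel(), protocol=4)


def benign_payload() -> bytes:
    # A plain dict of "weights": no globals are referenced at all.
    return pickle.dumps({"weights": [0.1, 0.2], "epochs": 3}, protocol=4)


def unsafe_load(data: bytes):
    """What a naive loader does: whatever the stream asks for gets executed."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the stream imports, by walking opcodes only.

    Handles GLOBAL (protocol <= 3) and STACK_GLOBAL (protocol 4+) with the
    module/name pushed as the two preceding string opcodes. Strings fetched
    back from the memo (BINGET) are not resolved here; a full scanner tracks
    the memo as well.
    """
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                       "STRING", "SHORT_BINSTRING", "BINSTRING"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            name = strings.pop()
            module = strings.pop()
            found.append((module, name))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse every global outside the allow-list even
    if the static scan missed it (e.g. a memo-fetched module name)."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def check_then_load(data: bytes):
    """Scan first, then load with the restricted unpickler."""
    bad = [g for g in referenced_globals(data) if g not in SAFE_GLOBALS]
    if bad:
        raise pickle.UnpicklingError(f"refusing to load, disallowed globals: {bad}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_to_load(data: bytes) -> bool:
    try:
        check_then_load(data)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("globals referenced:", referenced_globals(evil))
    print("restricted load accepts malicious payload:", is_safe_to_load(evil))
    print("restricted load accepts benign payload:", is_safe_to_load(benign_payload()))
```

The static scan is cheap and never executes the stream, which is why it is the right first gate; the restricted unpickler catches what a scanner's opcode model does not cover. The same idea is what `torch.load(path, weights_only=True)` applies with PyTorch's own allow-list. Note that the scan only sees what the stream declares; code that reaches an allowed global and abuses it at run time, which is the shape of the runpy bypass mentioned above, needs the allow-list itself to be tight.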
BoardLight is an easy difficulty Linux machine that features a Dolibarr instance vulnerable to CVE-2023-30253. This vulnerability is leveraged to gain access as www-data. After enumerating and dumping the web configuration file contents, plaintext credentials lead to SSH access to the machine. Enumerating the system, a SUID binary related to Enlightenment is identified which is vulnerable to privilege escalation via CVE-2022-37706 and can be abused to obtain a root shell.
Airplane is a medium-level Linux box. In this box we use a path traversal bug to collect information from the /proc directory about a running gdbserver. We gain initial access as the user hudson by exploiting the GDB remote debugging server. From there it is a relatively easy privilege escalation: a SUID bit on the find binary lets us escalate to the user carlos, and from there we exploit a wildcard entry in sudoers.
Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via a regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the sudo group. Further enumeration uncovers a database with password hashes, and the user’s mail reveals a possible password format. Using a mask attack on the hash, the user’s password is obtained, which is leveraged to gain root access.
In this easy Linux machine we face the classic Hack The Box invite challenge, which users are required to solve to register a new account. We generate the invite code and create a new account, then escalate to the admin role by abusing some API misconfigurations, which gives access to a new API endpoint with an RCE vulnerability. We exploit the RCE to gain access to the system and read the admin user's credentials from the .env file. We then escalate to root by exploiting CVE-2022-0386 and read the final root flag.
In this easy machine we exploit a critical RCE vulnerability in a PDF document generation library for Ruby to gain initial access on the machine as the ruby user. From there we move laterally to another user using an exposed plaintext password. After that we escalate privileges to root by exploiting another vulnerability, a deserialization RCE in Ruby's YAML.load() function.
In this easy machine we use a plaintext password found in a JS file to log in to the web server on port 80. Then, by exploiting an RCE on a vulnerable endpoint, we gain initial access to the machine. From there we escalate to root by abusing the setenv directive.
In this medium machine we exploit a directory traversal vulnerability in an outdated Grafana instance to read its config and database files. From these we obtain passwords for the Grafana admin panel and a MySQL instance. Logging into the MySQL instance leaks the SSH password for the user developer, who has access to a git repository. The git commit history leaks a token used for Consul. We use that token to execute commands as root.
In this easy box we exploit an unauthenticated blind SQL injection in a vulnerable instance of CMS Made Simple to obtain the credentials of an SSH user. From there we read the root flag after privilege escalation using vim.
In this easy box we have to use a technique called port knocking to open an anonymous FTP service. Using credentials obtained from the FTP server, we get access to a very limited shell, which we upgrade using mkfifo. After that we have to reverse a simple binary to get the password required to run it, which yields an SSH private key. We use that key to SSH into a Docker instance running on the box. To read the final root flag we modify a script, called by a cron job, to run a reverse shell.