Posts

2023

In this easy Linux machine we will face the classic HackTheBox invite challenge, which users are required to solve before registering a new account. We will generate the invite code and create a new account, then escalate to the admin role by abusing API misconfigurations that grant access to a new API endpoint with an RCE vulnerability. We will exploit the RCE to gain access to the system and read the admin user's credentials from the .env file. We then privesc to root by exploiting CVE-2022-0386 and read the final root flag.
In this easy machine we will exploit a critical RCE vulnerability in a PDF document generation library for Ruby to gain initial access to the machine as the ruby user. From there we will move laterally to another user by using an exposed plaintext password. After that we will escalate privileges to root by exploiting another Ruby vulnerability: a deserialization RCE in the YAML.load() function.
In this easy machine we will use a plaintext password found in a JS file to log in to the server on port 80. Then, by exploiting an RCE on a vulnerable endpoint, we will gain initial access to the machine. From there we will privesc to root by abusing the setenv directive.
In this medium machine we will exploit a directory traversal vulnerability in an outdated Grafana instance to read its config and database files. From those we will obtain passwords for the Grafana admin panel and the MySQL instance. Logging into the MySQL instance leaks the SSH password of the user developer, who has access to a git repo. The git commit history leaks a token used for Consul, and we will use that token to execute commands as root.
In this easy box we will exploit an unauthenticated blind SQL injection in a vulnerable instance of CMS Made Simple and obtain credentials for an SSH user. From there we will read the root flag after escalating privileges using vim.

2022

In this easy box we have to use a technique called port knocking to open an anonymous FTP service. Using the credentials obtained from the FTP server, we will gain access to a very limited shell, which we will upgrade with mkfifo. After that we have to reverse a simple binary to recover the password needed to run it, which gives us an SSH private key. We will use that key to SSH into a Docker instance running on the box. To read the final root flag we will modify a script called by a cronjob so that it runs a reverse shell.