<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Zumpyx Blog</title><description>Notes from the terminal — blog, HTB writeups, and projects</description><link>https://blog.zumpyx.com/</link><language>zh-CN</language><item><title>[Blog] SysWhispers4 解析</title><link>https://blog.zumpyx.com/blog/syswhispers4-notes/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/syswhispers4-notes/</guid><description>SysWhispers4 的 SSN 解析方法、系统调用执行方式与常用混淆/绕过选项对照速查。</description><pubDate>Fri, 17 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>maldev</category><category>SysWhispers</category><category>Windows</category><category>notes</category></item><item><title>[HTB · Fortresses] Corporate</title><link>https://blog.zumpyx.com/hackthebox/fortresses/corporate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/fortresses/corporate/</guid><description>root:$y$j9T$4gVb2bPTl.mH8rioTPjdS1$D0c0Qeihkk/P3hMBbkAQYfd/pT8sCWeA5Hd6QSLVGh8:19745:0:99999:7:::</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>fortresses</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Active</title><link>https://blog.zumpyx.com/hackthebox/machines/0148-active/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0148-active/</guid><description>发现了4个文件，并在其中发现了账户 active.htb\\\\SVCTGS 和被加密的密码： edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Forest</title><link>https://blog.zumpyx.com/hackthebox/machines/0212-forest/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0212-forest/</guid><description>因此可以通过 svc-alfresco 用户创建新用户，并将其添加到 Exchange Windows Permissions 组，然后利用</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Sauna</title><link>https://blog.zumpyx.com/hackthebox/machines/0229-sauna/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0229-sauna/</guid><description>没有枚举到用户，再看看 Web 服务</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Trickster</title><link>https://blog.zumpyx.com/hackthebox/machines/0626-trickster/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0626-trickster/</guid><description>发现 Prestashop 后台登录界面 admin634ewutrx1jgitlooaj，搜索 Prestashop 漏洞 CVE-2024-34716</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Cicada</title><link>https://blog.zumpyx.com/hackthebox/machines/0627-cicada/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0627-cicada/</guid><description>发现第二个凭据 aRt$Lp#7tVQ!3</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Sherlocks] OPTinselTrace24-2: Cookie Consumption</title><link>https://blog.zumpyx.com/hackthebox/sherlocks/optinseltrace24-2-cookie-consumption/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/sherlocks/optinseltrace24-2-cookie-consumption/</guid><description>Santa&apos;s North Pole Operations have implemented the &quot;Cookie Consumption Scheduler&quot; (CCS), a crucial service running on a Kubernetes cluster. This service ensures…</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>sherlocks</category></item><item><title>[HTB · Sherlocks] OPTinselTrace24-3: Blizzard Breakdown</title><link>https://blog.zumpyx.com/hackthebox/sherlocks/optinseltrace24-3-blizzard-breakdown/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/sherlocks/optinseltrace24-3-blizzard-breakdown/</guid><description>Furious after discovering he&apos;s been left off the Nice List this holiday season, one particular elf - heavily influenced by Krampus - goes rogue, determined to t…</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>sherlocks</category></item><item><title>[HTB · Sherlocks] UFO-1</title><link>https://blog.zumpyx.com/hackthebox/sherlocks/ufo-1/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/sherlocks/ufo-1/</guid><description>Sherlock Scenario：研究 Sandworm Team（BlackEnergy / APT44），利用 MITRE ATT&amp;CK 映射对手行为与战术。</description><pubDate>Thu, 16 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>sherlocks</category></item><item><title>[Project] Port Scanner</title><link>https://blog.zumpyx.com/projects/port-scanner/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/port-scanner/</guid><description>轻量异步端口扫描小工具，支持常用端口模板与简单服务指纹。</description><pubDate>Sun, 12 Jul 2026 00:00:00 GMT</pubDate><category>project</category><category>active</category><category>Rust</category><category>Tokio</category><category>CLI</category></item><item><title>[HTB · Machines] Paperwork</title><link>https://blog.zumpyx.com/hackthebox/machines/0921-paperwork/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0921-paperwork/</guid><description>HTB machine: Paperwork</description><pubDate>Sat, 11 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[Blog] Recon Cheatsheet</title><link>https://blog.zumpyx.com/blog/recon-cheatsheet/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/recon-cheatsheet/</guid><description>常用信息收集命令速查：子域、端口、目录与指纹。</description><pubDate>Fri, 10 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>recon</category><category>notes</category></item><item><title>[Blog] Linux PrivEsc Notes</title><link>https://blog.zumpyx.com/blog/linux-privesc-notes/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/linux-privesc-notes/</guid><description>Linux 提权检查清单：SUID、capabilities、sudo、cron 与内核。</description><pubDate>Thu, 09 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>linux</category><category>privesc</category></item><item><title>[Project] CTF Toolkit</title><link>https://blog.zumpyx.com/projects/ctf-toolkit/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/ctf-toolkit/</guid><description>个人 CTF 脚本合集：编码、密文识别、流量与取证辅助。</description><pubDate>Wed, 08 Jul 2026 00:00:00 GMT</pubDate><category>project</category><category>active</category><category>Python</category><category>pwntools</category></item><item><title>[Blog] AD Attack Path 备忘</title><link>https://blog.zumpyx.com/blog/ad-attack-path/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ad-attack-path/</guid><description>域环境常见攻击路径：Kerberoast、AS-REP、ACL 滥用与横向。</description><pubDate>Tue, 07 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>ad</category><category>windows</category></item><item><title>[Blog] Web Fuzzing Workflow</title><link>https://blog.zumpyx.com/blog/web-fuzzing-workflow/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/web-fuzzing-workflow/</guid><description>目录、参数、vhost 与 API 的 fuzz 顺序和字典选择。</description><pubDate>Sun, 05 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>web</category><category>fuzzing</category></item><item><title>[Project] Homelab Dashboard</title><link>https://blog.zumpyx.com/projects/homelab-dashboard/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/homelab-dashboard/</guid><description>家里实验室状态面板：服务探活、证书到期与简单告警。</description><pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate><category>project</category><category>active</category><category>Astro</category><category>Go</category><category>Docker</category></item><item><title>[HTB · Machines] MakeSense</title><link>https://blog.zumpyx.com/hackthebox/machines/0918-makesense/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0918-makesense/</guid><description>HTB machine: MakeSense</description><pubDate>Sat, 04 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Docker Escape Basics</title><link>https://blog.zumpyx.com/blog/docker-escape-basics/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/docker-escape-basics/</guid><description>容器逃逸基础：挂载、capabilities、socket 与 privileged。</description><pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>docker</category><category>cloud</category></item><item><title>[HTB · Tracks] Starting Point（example Track）</title><link>https://blog.zumpyx.com/hackthebox/tracks/0001-starting-point/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/tracks/0001-starting-point/</guid><description>Example Track linking several machine writeups via the machines field.</description><pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>tracks</category><category>beginner</category></item><item><title>[Blog] Burp 工作流整理</title><link>https://blog.zumpyx.com/blog/burp-workflow/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/burp-workflow/</guid><description>Proxy → Logger → Repeater → Intruder 的日常节奏与插件。</description><pubDate>Thu, 02 Jul 2026 00:00:00 GMT</pubDate><category>blog</category><category>web</category><category>tools</category></item><item><title>[Project] 我的第一个项目</title><link>https://blog.zumpyx.com/projects/my-first-project/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/my-first-project/</guid><description>示例项目简介：展示封面图、技术栈与状态标签。把本文件改成你的真实项目即可。</description><pubDate>Wed, 01 Jul 2026 00:00:00 GMT</pubDate><category>project</category><category>active</category><category>Astro</category><category>TypeScript</category></item><item><title>[Project] Writeup Exporter</title><link>https://blog.zumpyx.com/projects/writeup-exporter/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/writeup-exporter/</guid><description>把笔记导出为博客内容集合：frontmatter、图片路径与分类整理。</description><pubDate>Tue, 30 Jun 2026 00:00:00 GMT</pubDate><category>project</category><category>completed</category><category>Python</category><category>Markdown</category></item><item><title>[Blog] 写报告时的几个原则</title><link>https://blog.zumpyx.com/blog/notes-on-reporting/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/notes-on-reporting/</guid><description>漏洞描述、复现步骤、影响与修复建议怎么写才清晰。</description><pubDate>Sun, 28 Jun 2026 00:00:00 GMT</pubDate><category>blog</category><category>report</category><category>soft-skill</category></item><item><title>[HTB · Machines] Enigma</title><link>https://blog.zumpyx.com/hackthebox/machines/0915-enigma/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0915-enigma/</guid><description>HTB machine: Enigma</description><pubDate>Sat, 27 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Orion</title><link>https://blog.zumpyx.com/hackthebox/machines/0945-orion/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0945-orion/</guid><description>`Orion` is a very easy Linux machine that features CSRF Validation Bypass and exploration of CraftCMS and Telnetd. The foothold includes achieving remote code execution by exploiting CVE-2025-32432 in a vulnerable version of CraftCMS. Then the default Craft environment variable file exposes the credentials for its MySQL database, which contains a crackable password. The password has been reused and leads to SSH access to the user on the machine. Finally, privilege escalation is achieved by finding and exploiting a vulnerable version of telnetd (CVE-2026-24061), allowing authentication bypass to root.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Nexus</title><link>https://blog.zumpyx.com/hackthebox/machines/0948-nexus/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0948-nexus/</guid><description>`Nexus` is an easy-difficulty Linux machine that features an exposed Gitea repository leaking credentials and a job posting that reveals valid usernames. The leaked credentials provide access to `Krayin CRM`, which is vulnerable to `CVE-2026-38526`, leading to a shell as `www-data`.换行Further enumeration of the `Krayin CRM` configuration files reveals additional credentials that allow `SSH` access. Service enumeration reveals a `Gitea` template sync service vulnerable to directory traversal, which is leveraged to gain a shell as `root`.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Ghostlink</title><link>https://blog.zumpyx.com/hackthebox/machines/0951-ghostlink/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0951-ghostlink/</guid><description>`Ghostlink` is a Hard difficulty Windows machine featuring an Active Directory domain controller and a web server. Enumeration reveals a critical `MQTT` service used for node tracking, which exposes two internal hosts: a secure file sharing app and a `Gogs` code host. The attacker modifies the MQTT health check to trigger NTLM authentication, relaying credentials to authenticate as the `svc_canary` service account. Using this authentication, the attacker exploits a double URL-encoded path traversal vulnerability to exfiltrate the service account&apos;s `ntuser.dat` file. Analysis of the registry hive reveals a recent document for `db.zip`, containing KeePass credentials for the Gogs application. These credentials are then leveraged to exploit an RCE vulnerability CVE-2025-8110 in Gogs to obtain a foothold. Once on the system, the attacker cracks a Gogs hash to log in as the local user `nvirelli`. Finally, the ESC11 vulnerability in ADCS allows the attacker to request a Domain Controller certificate and compromise the domain.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Odyssey</title><link>https://blog.zumpyx.com/hackthebox/machines/0954-odyssey/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0954-odyssey/</guid><description>`Odyssey` is an Insane Windows machine that starts with a web application gated behind `WebAuthn` authentication. An endpoint vulnerable to `NoSQL Pipeline Aggregation Injection` provides access to unclaimed onboarding tokens, which can then be used to register a custom-made authenticator to log in to the application. A `userHandle` confusion vulnerability provides admin access to the application. Administrators have access to a template drafting and render preview panel, where a `merge` sink allows `prototype pollution`. Polluting the `allowRawBlocks` prototype enables raw LaTeX blocks to be passed through pandoc, which allows local file contents to be retrieved via special LaTeX primitives that escape catcode encoding. Then, an endpoint vulnerable to CVE-2025-1302 is identified in the application&apos;s source code, which provides access to the Linux web server as `webadmin`. Password reuse grants privileged access to the Linux server via `webadmin&apos;s` `sudo` group membership. `bulkadmin` privileges on an MSSQL account enable coercion via the BULK INSERT statement. The retrieved NTLMv2 hash can be cracked, providing access to the `MSSQL` server as a sysadmin. 换行换行Then, enabling `xp_cmdshell` allows command execution on `Odyssey-DB`, where the `SeImpersonatePrivilege` privilege of the account enables privilege escalation. Through local hive extraction, the machine account of `Odyssey-DB` is retrieved, which has `addKeyCredentialLink` rights on `svc-aegis-build` through multiple group membership inheritance. Next, a `dMSA Ouroboros` attack chain provides access to the `svc-aegis-deploy` user, who can access the domain controller via `WinRM`. Finally, a `.NET` pipe application is exploited through unsafe `YAML` deserialization and weak credential management.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Fireflow</title><link>https://blog.zumpyx.com/hackthebox/machines/0957-fireflow/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0957-fireflow/</guid><description>`Fireflow` is a medium difficulty Linux machine that starts off with a leaked Langflow `flow_id`. With this, an attacker is able to exploit the unauthenticated CVE-2026-33017 and get a shell as `www-data` on the remote machine. There, he will find that a password in Langflow&apos;s `.env` file is reused by the user `nightfall`, who is able to SSH into the machine. In the home directory of `nightfall`, a configuration file leaks sensitive information on how to connect to a custom MCP server. From there, it is discovered that an attacker can craft a malicious JWT token and impersonate an administrative user since the signing algorithms on the token also have the option `None`. Then, they are able to register a custom malicious tool and get a shell on the MCP pod. Enumerating the Kubernetes environment reveals that the `nodes/proxy` permission is set. This allows the attacker to execute arbitrary commands on privileged pods and eventually gain root on the host file system.</description><pubDate>Tue, 23 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Project] Payload Lab</title><link>https://blog.zumpyx.com/projects/payload-lab/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/payload-lab/</guid><description>本地 payload 演练环境：XSS / SSTI / 反序列化样本与防护对照。</description><pubDate>Mon, 22 Jun 2026 00:00:00 GMT</pubDate><category>project</category><category>active</category><category>PHP</category><category>Node</category><category>Docker</category></item><item><title>[HTB · Machines] Nimbus</title><link>https://blog.zumpyx.com/hackthebox/machines/0912-nimbus/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0912-nimbus/</guid><description>HTB machine: Nimbus</description><pubDate>Sat, 20 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[Project] RedTeam Notes App</title><link>https://blog.zumpyx.com/projects/redteam-notes-app/</link><guid isPermaLink="true">https://blog.zumpyx.com/projects/redteam-notes-app/</guid><description>离线优先的作战笔记：目标树、凭证箱与命令片段。</description><pubDate>Mon, 15 Jun 2026 00:00:00 GMT</pubDate><category>project</category><category>archived</category><category>TypeScript</category><category>SQLite</category><category>Tauri</category></item><item><title>[HTB · Machines] Checkpoint</title><link>https://blog.zumpyx.com/hackthebox/machines/0909-checkpoint/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0909-checkpoint/</guid><description>HTB machine: Checkpoint</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[Blog] 安全高效的SSH最佳实践</title><link>https://blog.zumpyx.com/blog/ssh-best-practices/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ssh-best-practices/</guid><description>利用 FIDO2 硬件密钥、conf.d 模块化配置与 ControlMaster 连接复用，搭建兼顾安全与效率的 SSH 客户端工作流。</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><category>blog</category><category>SSH</category><category>基础设施</category></item><item><title>[HTB · Machines] Connected</title><link>https://blog.zumpyx.com/hackthebox/machines/0906-connected/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0906-connected/</guid><description>HTB machine: Connected</description><pubDate>Sat, 06 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Abducted</title><link>https://blog.zumpyx.com/hackthebox/machines/0924-abducted/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0924-abducted/</guid><description>`Abducted` is a medium-difficulty Linux machine built around the on-premise file and print server of a professional-services firm. The Samba installation is vulnerable to a print-subsystem command injection (CVE-2026-4480): the client-supplied print job name is passed to the configured `print command` without escaping, and a crafted job submitted over the spooler protocol yields code execution as the print service account. An offsite-backup configuration is then recovered and its password decoded with `rclone`&apos;s own tooling, which has been reused for a system account. A second Samba share configured with `force user` and `wide links` is abused to write an SSH key into a second user&apos;s home directory. That user belongs to a group that has been delegated management of the Samba service through `polkit`, and a service drop-in is used to execute a command as `root`.</description><pubDate>Fri, 05 Jun 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] DevHub</title><link>https://blog.zumpyx.com/hackthebox/machines/0903-devhub/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0903-devhub/</guid><description>HTB machine: DevHub</description><pubDate>Sat, 30 May 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Reactor</title><link>https://blog.zumpyx.com/hackthebox/machines/0900-reactor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0900-reactor/</guid><description>HTB machine: Reactor</description><pubDate>Sat, 23 May 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] SmartHire</title><link>https://blog.zumpyx.com/hackthebox/machines/0897-smarthire/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0897-smarthire/</guid><description>HTB machine: SmartHire</description><pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Ex. Nmap Timing Templates</title><link>https://blog.zumpyx.com/blog/ex-nmap-timing/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-nmap-timing/</guid><description>示例文：-T0 到 -T5 的适用场景与在 CTF / 内网中的折中。</description><pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate><category>blog</category><category>recon</category><category>nmap</category><category>example</category></item><item><title>[HTB · Machines] Helix</title><link>https://blog.zumpyx.com/hackthebox/machines/0894-helix/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0894-helix/</guid><description>HTB machine: Helix</description><pubDate>Sat, 09 May 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] PingPong</title><link>https://blog.zumpyx.com/hackthebox/machines/0891-pingpong/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0891-pingpong/</guid><description>HTB machine: PingPong</description><pubDate>Sat, 25 Apr 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[Blog] C2监听器重定向架构设计</title><link>https://blog.zumpyx.com/blog/c2-listener-redirector-architecture/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/c2-listener-redirector-architecture/</guid><description>利用 WireGuard 星型隧道与 Caddy + Socat 双路径转发，实现多前置节点到隐藏 C2 核心监听器的高弹性红队基础设施。</description><pubDate>Sat, 18 Apr 2026 00:00:00 GMT</pubDate><category>blog</category><category>Wireguard</category><category>基础设施</category><category>红队战术</category><category>C2</category><category>Caddy</category></item><item><title>[HTB · Machines] Logging</title><link>https://blog.zumpyx.com/hackthebox/machines/0888-logging/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0888-logging/</guid><description>HTB machine: Logging</description><pubDate>Sat, 18 Apr 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Silentium</title><link>https://blog.zumpyx.com/hackthebox/machines/0867-silentium/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0867-silentium/</guid><description>HTB machine: Silentium</description><pubDate>Sat, 11 Apr 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Garfield</title><link>https://blog.zumpyx.com/hackthebox/machines/0862-garfield/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0862-garfield/</guid><description>HTB machine: Garfield</description><pubDate>Sat, 04 Apr 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[Blog] Ex. Wordlist Hygiene</title><link>https://blog.zumpyx.com/blog/ex-wordlist-hygiene/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-wordlist-hygiene/</guid><description>示例文：字典去重、编码变体与按目标裁剪 wordlist。</description><pubDate>Fri, 03 Apr 2026 00:00:00 GMT</pubDate><category>blog</category><category>fuzzing</category><category>web</category><category>example</category></item><item><title>[HTB · Machines] DevArea</title><link>https://blog.zumpyx.com/hackthebox/machines/0859-devarea/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0859-devarea/</guid><description>`DevArea` is a medium-difficulty Linux machine that chains together several service misconfigurations. Anonymous FTP exposes a Java SOAP application built on `Apache CXF` with the Aegis databinding module, which is vulnerable to an SSRF flaw, CVE-2024-28752. We abuse this to read `/proc/&amp;lt;PID&amp;gt;/cmdline` entries and recover the `Hoverfly` admin credentials from the arguments of a running process. The `Hoverfly` Admin UI is affected by CVE-2025-54123, whose middleware endpoint permits remote code execution and grants a foothold as `dev_ryan`. We then analyze the source of an internal monitoring app, `SysWatch`, whose installation script leaves its environment file world-readable. The leaked secret key lets us forge an admin `Flask` session, and a weak blacklist regex in the service-status feature is bypassed to gain command injection as the `syswatch` user. Finally, we abuse a root-executed log-reading CLI whose symlink validation fails to resolve chained symlinks, leaking the root SSH private key for a full compromise.</description><pubDate>Sat, 28 Mar 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Snapped</title><link>https://blog.zumpyx.com/hackthebox/machines/0864-snapped/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0864-snapped/</guid><description>Snapped is a hard-difficulty machine that features two recent CVEs. The foothold showcases [CVE-2026-27944](https://nvd.nist.gov/vuln/detail/CVE-2026-27944) in Nginx-UI, which exposes the /api/backup endpoint without authentication. The endpoint will produce a full backup of the nginx and nginx-UI configuration files, and includes the key to decrypt the backup in the response headers. This leads to finding and decrypting a weak user password from the Nginx-UI database file. Root exploits [CVE-2026-3888](https://nvd.nist.gov/vuln/detail/CVE-2026-3888), a TOCTOU race condition between snap-confine and systemd-tmpfiles. After the system&apos;s cleanup daemon deletes a stale mimic directory under /tmp, the attacker recreates it with controlled content and single-steps snap-confine&apos;s execution via AF_UNIX socket backpressure to win the race during the mimic bind-mount sequence reliably. This poisons the sandbox&apos;s shared libraries, enabling dynamic linker hijacking on the SUID-root snap-confine binary to compromise the system.</description><pubDate>Mon, 23 Mar 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Kobold</title><link>https://blog.zumpyx.com/hackthebox/machines/0856-kobold/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0856-kobold/</guid><description>HTB machine: Kobold</description><pubDate>Sat, 21 Mar 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[Blog] Ex. SSH Tunnel Cheatsheet</title><link>https://blog.zumpyx.com/blog/ex-ssh-tunnel-cheatsheet/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-ssh-tunnel-cheatsheet/</guid><description>示例文：本地转发、远程转发与动态 SOCKS 的常见写法。</description><pubDate>Wed, 18 Mar 2026 00:00:00 GMT</pubDate><category>blog</category><category>linux</category><category>tools</category><category>example</category></item><item><title>[HTB · Machines] VariaType</title><link>https://blog.zumpyx.com/hackthebox/machines/0850-variatype/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0850-variatype/</guid><description>`VariaType` is a medium-difficulty Linux machine that begins with web enumeration of a font-generation platform and an associated portal subdomain hosting a login page with an exposed `.git` directory. Dumping the repository and inspecting the commit history exposes hardcoded credentials, granting access to the portal dashboard. A path traversal vulnerability in the portal&apos;s download functionality allows reading arbitrary files from the server, including the Nginx configuration, which reveals the web root. Combined with a fonttools CVE-2025-66034 affecting the `.designspace` parser, a webshell is written to the `files` directory to obtain a foothold as `www-data`. Process monitoring reveals a cron job run by `steve` that processes uploaded font archives using `fontforge`. A command injection vulnerability in `fontforge`&apos;s handling of malformed tar archives (CVE-2024-25082), is leveraged to pivot to `steve`. Privilege escalation is achieved by exploiting a path traversal vulnerability in `setuptools` (CVE-2025-47273), which is invoked by a script `steve` can run as root via `sudo`, allowing an attacker-controlled public SSH key to be written to `/root/.ssh/authorized_keys`.</description><pubDate>Sat, 14 Mar 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Principal</title><link>https://blog.zumpyx.com/hackthebox/machines/0853-principal/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0853-principal/</guid><description>Principal is a medium difficulty machine that is themed around misplaced cryptographic trust. The foothold exploits [CVE-2026-29000](https://nvd.nist.gov/vuln/detail/CVE-2026-29000), an authentication bypass in pac4j-jwt&amp;amp;amp;#039;s JwtAuthenticator where a PlainJWT wrapped inside a valid JWE envelope bypasses signature verification entirely. After forging an admin token and extracting SSH credentials from the corporate dashboard, privilege escalation abuses an SSH CA configuration that trusts any certificate signed by the CA without validating the principal (username) claim, allowing us to forge a certificate for root. Both attack stages exploit the same class of flaw: a system that verifies the cryptographic envelope but never validates the identity claim inside it.</description><pubDate>Thu, 12 Mar 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] CCTV</title><link>https://blog.zumpyx.com/hackthebox/machines/0847-cctv/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0847-cctv/</guid><description>`CCTV` is an easy difficulty machine that features various CCTV monitoring software. Initial access is obtained by exploiting a boolean-based SQL injection in `Zoneminder` (CVE-2024-51482). After dumping the application&apos;s database, cracked user credentials are found to be reused, providing a terminal on the machine. Next, sniffing the traffic between running Docker containers reveals unencrypted credentials for another user. Finally, privilege escalation is achieved by bypassing a client-side JavaScript validation check and achieving remote code execution in `MotionEye` (CVE-2025-60787), resulting in root access.</description><pubDate>Sat, 07 Mar 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Pirate</title><link>https://blog.zumpyx.com/hackthebox/machines/0844-pirate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0844-pirate/</guid><description>HTB machine: Pirate</description><pubDate>Sat, 28 Feb 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Interpreter</title><link>https://blog.zumpyx.com/hackthebox/machines/0841-interpreter/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0841-interpreter/</guid><description>`Interpreter` is a medium-difficulty Linux machine running Mirth Connect, an open-source healthcare integration engine developed by NextGen Healthcare. Enumerating the web interface reveals that the deployed version, `4.4.0`, is vulnerable to CVE-2023-43208. This is a pre-authentication insecure deserialization flaw that grants remote code execution and an initial foothold as the `mirth` service account. From there, database credentials stored in the Mirth configuration provide access to the local MariaDB instance, where a `PBKDF2-HMAC-SHA256` password hash belonging to the user `sedric` is recovered and cracked offline to obtain SSH access. For privilege escalation, a root-owned Flask notification service listening on localhost builds a template string and evaluates it with `eval()`.  A permissive character whitelist still allows curly braces, enabling Python f-string injection which, combined with Base64 encoding to bypass the space restriction, drops a SUID `bash` binary and yields a root shell.</description><pubDate>Sat, 21 Feb 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] WingData</title><link>https://blog.zumpyx.com/hackthebox/machines/0835-wingdata/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0835-wingdata/</guid><description>`WingData` is an easy-difficulty Linux machine featuring a Wing FTP Server web client exposed on port `80` via an Apache reverse proxy. The instance is running version `7.4.3`, which is vulnerable to CVE-2025-47812, allowing unauthenticated remote code execution through the anonymous user account to gain a foothold as `wingftp`. Enumerating the server&apos;s configuration directory reveals salted SHA-256 password hashes. The hash for `wacky` is successfully cracked, and the recovered credentials are reused for SSH access. Privilege escalation is achieved via a `sudo` rule allowing `wacky` to run a Python backup restoration script as `root`. The script invokes Python&apos;s `tarfile` module, which is vulnerable to CVE-2025-4517, and is leveraged to get a root shell.</description><pubDate>Sat, 14 Feb 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Barrier</title><link>https://blog.zumpyx.com/hackthebox/machines/0838-barrier/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0838-barrier/</guid><description>Barrier is a medium difficulty machine that features exposed credentials and exploiting SSO authentication, privileged API access and CI/CD runners. Initial access is gained by discovering credentials in a public repository and then exploiting a SAML authentication bypass in GitLab to obtain administrative access. From there, a CI/CD runner is abused to execute code and extract sensitive information from environment variables. With the authorization token, the Authentik API can be exploited to obtain administrative control of the identity platform. Access to the Authentik admin panel allows user impersonation and access to Apache Guacamole. Then an existing connection within Guacamole provides remote access to the host. Finally, a private SSH key is recovered from MySQL and privilege escalation is achieved through credential disclosure in shell history.</description><pubDate>Thu, 12 Feb 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Ex. JWT Common Pitfalls</title><link>https://blog.zumpyx.com/blog/ex-jwt-pitfalls/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-jwt-pitfalls/</guid><description>示例文：alg none、弱密钥与 kid 注入等经典问题。</description><pubDate>Mon, 09 Feb 2026 00:00:00 GMT</pubDate><category>blog</category><category>web</category><category>crypto</category><category>example</category></item><item><title>[HTB · Machines] Pterodactyl</title><link>https://blog.zumpyx.com/hackthebox/machines/0832-pterodactyl/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0832-pterodactyl/</guid><description>`Pterodactyl` is a medium-difficulty Linux machine that runs Pterodactyl Panel on the `panel` virtual host. The Panel is vulnerable to [CVE-2025-49132](https://nvd.nist.gov/vuln/detail/CVE-2025-49132), an unauthenticated Remote Code Execution vulnerability in the `locales/locale.json` endpoint. This endpoint accepts user-controlled `locale` and `namespace` parameters and uses them to dynamically `require` the resulting PHP file. The attacker can chain this with PHP’s bundled `pearcmd.php` to write an arbitrary PHP file and gain command execution as the `wwwrun` user. The same bug also leaks the Panel’s database credentials from `config/database.php`. Although a public PoC exists, it requires a small tweak to match the target’s `PEAR` installation path for successful exploitation. The leaked database credentials are reused against the local MariaDB instance to dump the `users` table, exposing a bcrypt hash for `phileasfogg3`. The hash is cracked offline with John the Ripper, and the recovered password is reused for SSH access. For privilege escalation, the attacker abuses the chained OpenSUSE 15 LPE published by Qualys ([CVE-2025-6018](https://nvd.nist.gov/vuln/detail/CVE-2025-6018) and CVE-2025-6019). By forging `XDG_SEAT` and `XDG_VTNR` environment variable overrides within `.pam_environment`, the attacker gains `allow_active` polkit rights. These privileges allow triggering a `udisks` XFS resize on an attacker-controlled image, resulting in a root-owned SUID bash binary being written to the disk.</description><pubDate>Sat, 07 Feb 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Facts</title><link>https://blog.zumpyx.com/hackthebox/machines/0829-facts/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0829-facts/</guid><description>`Facts` is an easy-difficulty Linux machine that begins with the discovery of a Camaleon CMS instance. By identifying the CMS version and exploiting a mass-assignment vulnerability (CVE-2025-2304), it is possible to escalate privileges within the application and obtain access to sensitive MinIO S3 credentials. These credentials provide access to an internal bucket containing an encrypted SSH private key. After recovering the key&apos;s passphrase and identifying the associated user account, SSH access is obtained as `trivia`. Enumeration of sudo privileges reveals that the user can execute `facter` as root, which can be abused through custom Ruby facts to achieve arbitrary code execution and obtain root access.</description><pubDate>Sat, 31 Jan 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Overwatch</title><link>https://blog.zumpyx.com/hackthebox/machines/0826-overwatch/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0826-overwatch/</guid><description>`Overwatch` is a medium-difficulty Windows machine focused on Active Directory enumeration, MSSQL abuse, and insecure .NET application development. Initial access is obtained through an anonymously accessible SMB share containing a custom .NET monitoring application, from which hardcoded MSSQL credentials are recovered. Further enumeration reveals a linked server configuration that can be abused through malicious DNS record injection to coerce MSSQL authentication and capture additional credentials using Responder, ultimately leading to WinRM access. For privilege escalation, the monitoring application is reverse-engineered, revealing a SOAP-based service vulnerable to PowerShell command injection, allowing arbitrary command execution as `NT AUTHORITY\\SYSTEM`.</description><pubDate>Sat, 24 Jan 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] AirTouch</title><link>https://blog.zumpyx.com/hackthebox/machines/0823-airtouch/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0823-airtouch/</guid><description>`AirTouch` is a medium-difficulty Linux machine built around a wireless attack path initiated from a consultant workstation. Starting with SNMP enumeration, valid credentials for the consultant account can be recovered, granting access to a workstation that contains multiple wireless interfaces. From there, two relevant wireless networks are identified: `AirTouch-Internet` (protected with WPA-PSK) and `AirTouch-Office` (protected with WPA-EAP). The first objective is to compromise the PSK network by capturing and cracking a handshake. After decrypting the captured traffic, the attacker extracts an HTTP session cookie that grants access to an internal router interface. By tampering with the role information in the cookie, the attacker gains administrative access to the web panel and abuses an insecure upload mechanism to achieve remote code execution. This leads to SSH access on the PSK access point and the recovery of certificates needed for the second phase of the attack. With valid certificates, the attacker creates a rogue enterprise access point for `AirTouch-Office` and forces clients to connect to it by repeatedly deauthenticating them from both legitimate APs. Through this process, MSCHAPv2 material is captured and can be cracked. After joining the management network, the attacker accesses the remote host and discovers additional credentials in the `hostapd` configuration. These credentials enable pivoting into a privileged administrative account capable of using `sudo`, leading to full compromise.</description><pubDate>Sat, 17 Jan 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Browsed</title><link>https://blog.zumpyx.com/hackthebox/machines/0820-browsed/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0820-browsed/</guid><description>`Browsed` is a medium-difficulty Linux machine centred around abusing browser extension functionality to access internal services. By uploading a malicious Chrome extension, we intercept a developer’s browsing activity and uncover an internal Gitea instance hosting a Flask application. Source code analysis reveals a command injection vulnerability in a bash script exposed via a localhost-only endpoint, which we exploit by delivering a second extension to trigger the payload through the developer’s browser and obtain a reverse shell as user `larry`. For privilege escalation, the machine demonstrates insecure handling of Python bytecode: writable access to the `__pycache__` directory allows replacing a trusted `.pyc` file, resulting in arbitrary code execution as root.</description><pubDate>Sat, 10 Jan 2026 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Ex. BloodHound CE Notes</title><link>https://blog.zumpyx.com/blog/ex-bloodhound-ce-notes/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-bloodhound-ce-notes/</guid><description>示例文：采集、导入与最短路径阅读习惯。</description><pubDate>Sat, 20 Dec 2025 00:00:00 GMT</pubDate><category>blog</category><category>ad</category><category>windows</category><category>example</category></item><item><title>[HTB · Machines] Eloquia</title><link>https://blog.zumpyx.com/hackthebox/machines/0817-eloquia/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0817-eloquia/</guid><description>HTB machine: Eloquia</description><pubDate>Sat, 13 Dec 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] MonitorsFour</title><link>https://blog.zumpyx.com/hackthebox/machines/0814-monitorsfour/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0814-monitorsfour/</guid><description>`MonitorsFour` is an easy-difficulty Windows machine that begins by exploiting an `IDOR` vulnerability to get access to admin credentials through an API. Then, Cacti is found vulnerable to CVE-2025-24367 which upon exploitation allows access to a docker container. For privilege escalation, CVE-2025-9074 can be leveraged to escape the container by using the exposed Docker API to create a new container with the host file system mounted.</description><pubDate>Sat, 06 Dec 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Gavel</title><link>https://blog.zumpyx.com/hackthebox/machines/0811-gavel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0811-gavel/</guid><description>`Gavel` is a medium-difficulty Linux machine that demonstrates the exploitation of a misused SQL PDO statement to achieve SQL injection and extract data from an internal database. The scenario further highlights a PHP code-injection flaw that is exploited to execute remote commands, thereby enabling initial access to the target. Privilege escalation is achieved by targeting a root-owned daemon that processes user-supplied YAML files; by submitting a crafted YAML payload, PHP code is executed within a sandboxed environment with root privileges.</description><pubDate>Sat, 29 Nov 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Fries</title><link>https://blog.zumpyx.com/hackthebox/machines/0808-fries/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0808-fries/</guid><description>HTB machine: Fries</description><pubDate>Sat, 22 Nov 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Eighteen</title><link>https://blog.zumpyx.com/hackthebox/machines/0805-eighteen/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0805-eighteen/</guid><description>`Eighteen` is an easy difficulty Windows machine that demonstrates common weaknesses in database access control and Active Directory misconfigurations. Initial access is obtained by identifying valid MSSQL credentials and abusing impersonation privileges to access backend application data. Extracted password hashes are cracked offline and used for password spraying, leading to WinRM access as a domain user. Privilege escalation is achieved by abusing delegated permissions in Active Directory. Specifically, membership in a group with CreateChild rights over an Organisational Unit allows exploitation of the BadSuccessor technique to create a delegated Managed Service Account (dMSA) linked to the Administrator account, ultimately leading to full domain compromise.</description><pubDate>Sat, 15 Nov 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[Blog] Ex. Linux SUID Triage</title><link>https://blog.zumpyx.com/blog/ex-linux-suid-triage/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-linux-suid-triage/</guid><description>示例文：如何快速筛有价值的 SUID 二进制。</description><pubDate>Sat, 08 Nov 2025 00:00:00 GMT</pubDate><category>blog</category><category>linux</category><category>privesc</category><category>example</category></item><item><title>[HTB · Machines] JobTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0799-jobtwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0799-jobtwo/</guid><description>JobTwo is a hard-diffculty Windows machine that involves a macro phishing attack for initial foothold. The box has hMailServer installed, which includes a configuration file containing encrypted credentials for the database connection. After extracting the password database, we decrypt the SQL Server Compact database file (SDF), allowing a compromised user who can use WinRM to the machine. The machine has a vulnerable version of Veeam Backup &amp;amp; Replication; the attacker executes a malicious executable under `sqlserver.exe`, which is running as SYSTEM to gain full access.</description><pubDate>Thu, 06 Nov 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Giveback</title><link>https://blog.zumpyx.com/hackthebox/machines/0796-giveback/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0796-giveback/</guid><description>`Giveback` is a medium-difficulty Linux box featuring a `WordPress` site vulnerable to an insecure deserialization flaw in the Give plugin, known as [CVE-2024-5932](https://nvd.nist.gov/vuln/detail/CVE-2024-5932), which allows unauthenticated remote code execution and provides an initial foothold in a containerized environment. Further enumeration reveals an internal service exposed via environment variables, accessible via port forwarding. Lateral movement is achieved by exploiting a `PHP-CGI` argument injection vulnerability [CVE-2024-4577](https://nvd.nist.gov/vuln/detail/CVE-2024-4577), resulting in command execution as the root user within the container. Enumeration of `Kubernetes` service account secrets allows the extraction of credentials, leading to SSH access to the host. Privilege escalation is achieved by exploiting a `runc` debug wrapper vulnerable to [CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626), resulting in full root access on the host system.</description><pubDate>Sat, 01 Nov 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Dump</title><link>https://blog.zumpyx.com/hackthebox/machines/0793-dump/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0793-dump/</guid><description>Dump is a Hard difficulty Linux machine featuring a custom PHP web application that allows the creation of packet captures as well as upload and download functionality of `pcap` files. The machine demonstrates command argument injection through file naming to obtain initial remote code execution as `www-data`. Enumeration of the system reveals a `sudo` rule with `tcpdump` that can be abused for arbitrary file writes to the system and bypassing AppArmor security policy restrictions. With arbitrary file writes players can write malicious Message of The Day configurations that execute as root during system login.</description><pubDate>Thu, 30 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Store</title><link>https://blog.zumpyx.com/hackthebox/machines/0790-store/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0790-store/</guid><description>Store is a Hard difficulty box that hosts a Node.js web application, allowing file uploads and storage. The app is vulnerable to Arbitrary File Read, which lets us read configuration files and recover SFTP credentials. We can also dump the host’s environment variables and discover the app was started with `--inspect`, with the Node inspector listening on port `9229`. By abusing SFTP for port forwarding, we can tunnel that internal inspector port to our machine, attach and run JavaScript to spawn a reverse shell as user `dev`. For privilege escalation, the ChromeDriver service on port `9515` can be abused via its WebDriver API to execute a malicious script and gain a root shell.</description><pubDate>Tue, 28 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Conversor</title><link>https://blog.zumpyx.com/hackthebox/machines/0787-conversor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0787-conversor/</guid><description>`Conversor` is an easy-difficulty Linux machine featuring a web application that converts XML documents into visually formatted HTML documents using XSLT stylesheets. By registering an account and reviewing the downloadable source code, we discover that the application processes user-supplied XSLT files without proper sanitisation, leading to an XSLT injection vulnerability. This allows us to write a malicious Python script to a server-side directory that is periodically executed by a cron job, granting an initial shell as `www-data`. Enumerating the application directory reveals a SQLite database file containing user credentials, from which we extract and crack an MD5 password hash to obtain valid SSH access as the user `fismathack`. For privilege escalation, the machine highlights a misconfigured sudo rule allowing execution of `needrestart`, which is vulnerable to [CVE-2024-48990](https://nvd.nist.gov/vuln/detail/CVE-2024-48990), enabling code execution via a controlled `PYTHONPATH` and ultimately allowing us to gain root privileges.</description><pubDate>Sat, 25 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Atlas</title><link>https://blog.zumpyx.com/hackthebox/machines/0784-atlas/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0784-atlas/</guid><description>Atlas is a Hard difficulty machine that demonstrates advanced exploitation techniques through Java deserialization vulnerabilities and .NET cryptographic analysis. The machine features a Spring Boot web application using the vulnerable Castor XML library for marshalling / un-marshalling operations, leading to remote code execution via Java RMI exploitation. Privilege escalation involves reverse engineering a .NET `WinSSHTerm` application, performing cryptographic analysis of AES-256-CBC encryption with PBKDF2-SHA1 key derivation, and recovering administrator credentials through password brute-forcing and dynamic debugging techniques.</description><pubDate>Thu, 23 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Bruno</title><link>https://blog.zumpyx.com/hackthebox/machines/0781-bruno/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0781-bruno/</guid><description>`Bruno` is a medium-difficulty Windows domain box that chains insecure application configuration and weak Active Directory hygiene to go from no access to domain admin. The service-facing component is a custom .NET application that extracts ZIP entries unsafely using `Path.Combine`, allowing crafted archives to perform a zip-slip and place files under `C:\samples\app`. That capability enables a DLL-search-path hijack - an attacker who can write to the queue share can drop a malicious `dll` and achieve code execution as the service user. On the network/AD side, an account svc_scan is discoverable and `kerberoastable/AS-REP crackable`; its recovered credentials grant write access to the queue share, which is used to trigger the DLL payload and get a low-privilege shell. From there the default `machine account quota` of authenticated users and `RBCD` are abused to perform a `Kerberos relay/RBCD` attack that resets the Administrator password and yields full domain compromise.</description><pubDate>Tue, 21 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Hercules</title><link>https://blog.zumpyx.com/hackthebox/machines/0778-hercules/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0778-hercules/</guid><description>HTB machine: Hercules</description><pubDate>Sat, 18 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] ReaperTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0772-reapertwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0772-reapertwo/</guid><description>ReaperTwo is an Insane Windows machine that involves both browser and kernel exploitation. The attack chain begins with enumeration of exposed services and access to an SMB share containing development artifacts. A vulnerable web application leveraging the V8 JavaScript engine allows for arbitrary JavaScript execution, which is escalated to remote code execution through a type confusion vulnerability in Harmony Set methods, combined with WebAssembly-based shellcode execution. After gaining an initial foothold as a low-privileged user, privilege escalation is achieved by exploiting a vulnerable kernel driver that exposes a function pointer execution primitive. The exploit bypasses modern protections such as kASLR, DEP, and SMEP by leaking kernel addresses via MSRs, performing a stack pivot, and constructing a ROP chain to modify Page Table Entries (PTEs). Finally, custom kernel shellcode is executed to steal a SYSTEM token, resulting in full system compromise.</description><pubDate>Thu, 16 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Slonik</title><link>https://blog.zumpyx.com/hackthebox/machines/0769-slonik/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0769-slonik/</guid><description>Slonik is a Medium-difficulty Linux machine that focuses on NFS, PostgreSQL abuse, and privilege escalation through insecure backup automation. Initial access is obtained by enumerating exposed NFS shares and leveraging UID/GID trust relationships to access a home directory. History files within the share reveal database credentials and reference a locally bound PostgreSQL socket. Although direct SSH access is restricted, the socket is tunneled over SSH to interact with the database, where built-in PostgreSQL functionality is leveraged to achieve remote code execution. Privilege escalation is accomplished by monitoring system processes and identifying a root-executed backup script, ultimately leveraging `pg_basebackup` behavior and SUID permissions to obtain a root shell.</description><pubDate>Tue, 14 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Signed</title><link>https://blog.zumpyx.com/hackthebox/machines/0775-signed/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0775-signed/</guid><description>`Signed` is a medium-difficulty Windows machine that demonstrates the exploitation of an MSSQL server by extracting the NTLMv2 hash of the service account running the instance and cracking the hash to obtain its password. This enables the issuance of silver tickets for user impersonation and service access. The domain is then enumerated via the MSSQL instance to gather the necessary information to impersonate the Administrator account and grant command execution through the MSSQL service. For privilege escalation, the recently discovered [CVE-2025-33073](https://nvd.nist.gov/vuln/detail/CVE-2025-33073), an NTLM reflection attack, is leveraged to perform self-relaying even with signing enforced, providing access to the `WinRMS` interface.</description><pubDate>Sat, 11 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Breach</title><link>https://blog.zumpyx.com/hackthebox/machines/0766-breach/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0766-breach/</guid><description>`Breach` is a medium difficulty Windows machine, where guest access to an SMB share is available. By leveraging write permissions on that SMB share, `NTLMv2` hashes of a domain user are captured to obtain valid credentials. With access as a low-privileged domain user, a kerberoastable service account (`svc_mssql`) is revealed. After getting access to the service account, a Silver Ticket attack is performed to impersonate the `Administrator` user and gain access to Microsoft SQL Server. Through the `xp_cmdshell` feature, remote code execution is achieved as the `svc_mssql` service account. Finally, privilege escalation is performed by abusing the `SeImpersonatePrivilege` privilege.</description><pubDate>Thu, 09 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Bamboo</title><link>https://blog.zumpyx.com/hackthebox/machines/0763-bamboo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0763-bamboo/</guid><description>`Bamboo` is an medium-difficulty Linux machine that begins with discovering a `Squid` proxy. The proxy is used to scan internal ports and reveals a `PaperCut NG` instance. A known PaperCut vulnerability `[CVE-2023-27350](https://nvd.nist.gov/vuln/detail/CVE-2023-27350)` is exploited to gain a foothold. Local enumeration reveals a writable directory containing a script that runs with root privileges. By modifying the script, we obtain a shell as `root`.</description><pubDate>Tue, 07 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] DarkZero</title><link>https://blog.zumpyx.com/hackthebox/machines/0754-darkzero/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0754-darkzero/</guid><description>`DarkZero` is a hard-difficulty Windows machine designed around an assumed breach scenario in which the attacker is provided with low-privileged user credentials. The machine features an Active Directory environment with Bidirectional trust, Cross-domain MSSQL Trusted Link, and TGT Delegation. The attacker discovers a misconfigured MSSQL trusted link that points to a different domain (`darkzero.htb` -&amp;gt; `darkzero.ext`), and the remote login has sysadmin privileges. The attacker enables the `xp_cmdshell` procedure as a sysadmin and executes commands. The spawned session under MSSQLSERVICE doesn&apos;t have the `SeImpersonatePrivilege`; however, the user account running the service has the `SeServiceLogonRight`. The attacker is forced to change the password and get a new session with Logon Type 5 (Service Logon) to regain those privileges and gain system privileges on the DC02 (`darkzero.ext`). To compromise the `darkzero.htb` domain: the attacker abuses TGT delegation by forcing DC01 to authenticate to DC02, with Unconstrained Delegation enabled.</description><pubDate>Sat, 04 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Watcher</title><link>https://blog.zumpyx.com/hackthebox/machines/0760-watcher/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0760-watcher/</guid><description>Watcher is a medium difficulty Linux box that involves Zabbix and is vulnerable to [CVE-2024-22120](https://nvd.nist.gov/vuln/detail/CVE-2024-22120), which allows an attacker to gain Remote Code Execution. After getting RCE, the attacker discovers that a web app can be backdoored, allowing them to gain credentials for a user account. The user is allowed to access TeamCity, which is running as root, and an agent terminal is active, allowing an attacker to gain a reverse shell as the root user.</description><pubDate>Thu, 02 Oct 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Job</title><link>https://blog.zumpyx.com/hackthebox/machines/0757-job/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0757-job/</guid><description>Job is a Medium difficulty Windows box. It runs an SMTP server and its website accepts LibreOffice-compatible documents, providing a vector to deliver a document with embedded macros that leads to remote code execution as user `jack.black`. `jack.black` is a member of the `DEVELOPERS` group, which has write access to `C:\inetpub\wwwroot` (the IIS web root), allowing files to be placed in the webroot and achieve code execution as the IIS AppPool service account. The IIS AppPool account has the SeImpersonate privilege, creating conditions that allow token-impersonation techniques to be used to escalate privileges to Administrator.</description><pubDate>Tue, 30 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Imagery</title><link>https://blog.zumpyx.com/hackthebox/machines/0751-imagery/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0751-imagery/</guid><description>`Imagery` is a medium-difficulty Linux machine that involves gaining admin access via exploiting a blind XSS. With admin privileges, the attacker exploits arbitrary file read to read sensitive files and source code. By reading the web app’s source code, the attacker discovers a feature that allows them to modify/transform an image, thereby making it vulnerable to remote code execution. After gaining an initial foothold, the attacker finds a backup file encrypted with `pyAesCrypt`, which leaks credentials for the `mark` user account. The `mark` user account is allowed to execute a custom Python-written `Charcol` app as root. The attacker manages to reset the master password, create a cron job via the `Charcol` app, and obtain command execution as the `root` user.</description><pubDate>Sat, 27 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] BabyTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0746-babytwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0746-babytwo/</guid><description>`BabyTwo` is a medium-difficulty Windows machine set in an Active Directory environment. The initial foothold is gained through password guessing and the abuse of Windows logon scripts. Privilege escalation is achieved by exploiting misconfigured Access Control Lists (`ACLs`) and Group Policy Objects (`GPOs`).</description><pubDate>Thu, 25 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] RainbowTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0743-rainbowtwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0743-rainbowtwo/</guid><description>RainbowTwo is a Hard Windows machine centered around exploit development for a custom network file-sharing service. Initial enumeration reveals anonymous FTP access and an unknown service listening on TCP port `2121`. The FTP share exposes the vulnerable service binary, a developer README, and a copy of `SysWOW64\kernel32.dll`. The README confirms that the service was rebuilt with `ASLR`, `DEP`, and `GS` enabled. Static and dynamic analysis then shows that the service is still vulnerable to a format string issue and a stack-based overflow that overwrites the SEH chain. The format string leak provides a reliable ASLR bypass by disclosing a pointer inside `filesrv.exe`; the SEH overwrite provides control of the exception handler; and a ROP chain calls `VirtualAlloc` to bypass DEP. Privilege escalation is achieved by abusing `SeDebugPrivilege` to migrate into a SYSTEM process.</description><pubDate>Tue, 23 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Expressway</title><link>https://blog.zumpyx.com/hackthebox/machines/0736-expressway/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0736-expressway/</guid><description>`Expressway` is an easy-difficulty Linux machine that demonstrates enumeration and exploits the IKE service, a component of the `IPsec` framework. Upon leaking the Pre-Shared key of the service and cracking it, the retrieved clear-text credentials are used to access the target via SSH. For privilege escalation, [CVE-2025-32462](https://nvd.nist.gov/vuln/detail/CVE-2025-32462) is exploited to get a privileged shell as the `root` user.</description><pubDate>Sat, 20 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Baby</title><link>https://blog.zumpyx.com/hackthebox/machines/0739-baby/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0739-baby/</guid><description>`Baby` is an easy difficulty Windows machine that features `LDAP` enumeration, password spraying and exposed credentials. For privilege escalation, the `SeBackupPrivilege` is exploited to extract registry hives and the `NTDS.dit` file. A `Pass-the-Hash` attack can be performed using the uncovered domain hashes ultimately achieving `Administrator` access.</description><pubDate>Thu, 18 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Forgotten</title><link>https://blog.zumpyx.com/hackthebox/machines/0733-forgotten/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0733-forgotten/</guid><description>Forgotten is a Easy difficulty Linux machine from VulnLab that showcases several real-world techniques.  By discovering an unfinished LimeSurvey installation the player will deploy a controlled MariaDB instance to complete the web application installation with, thereby gaining administrative access to the application.  Players will then upload a malicious LimeSurvey plugin to achieve remote code execution inside of a Docker container. After enumerating the container players will discover an environment variable that will grant access to the host as well as the ability to enumerate `sudo` privileges within the docker container. With low privilege access to the host and root privilege to the container, players can then expect to chain the two together in order to escalate privileges by leveraging a `setuid` binary.</description><pubDate>Tue, 16 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[Blog] Ex. Proxychains Setup</title><link>https://blog.zumpyx.com/blog/ex-proxy-chains-setup/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-proxy-chains-setup/</guid><description>示例文：proxychains4 与动态转发的组合用法。</description><pubDate>Mon, 15 Sep 2025 00:00:00 GMT</pubDate><category>blog</category><category>tools</category><category>network</category><category>example</category></item><item><title>[HTB · Machines] HackNet</title><link>https://blog.zumpyx.com/hackthebox/machines/0727-hacknet/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0727-hacknet/</guid><description>`HackNet` is a medium-difficulty Linux machine that features a hacker-themed social networking site built with Django. By registering an account and enumerating site functionality, we can identify a Server-Side Template Injection (SSTI) flaw in the likes widget and abuse it to enumerate template context variables. Using a small script to automate payload testing, we leak sensitive user data (emails and passwords) from the users who liked a post, allowing us to obtain valid SSH credentials and gain an initial foothold. For privilege escalation, the box highlights a weakness in Django’s FileBasedCache mechanism that allows cache poisoning via Pickle deserialization, then pivots to GPG key/passphrase recovery to decrypt database backups and ultimately obtain root access.</description><pubDate>Sat, 13 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Delegate</title><link>https://blog.zumpyx.com/hackthebox/machines/0724-delegate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0724-delegate/</guid><description>Delegate is a medium-difficulty Windows machine that involves Active Directory attacks. The machine has the guest account enabled, allowing the attacker to read files that contain hard-coded credentials. The credentials allow us to WriteProperty of a user account that is allowed to have WinRM sessions on the Domain Controller. The compromised user has the `SeEnableDelegationPrivilege` privilege assigned, which allows us to modify the `TRUSTED_FOR_DELEGATION` flag for AD objects, enabling us to perform Unconstrained Delegation.</description><pubDate>Thu, 11 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Soulmate</title><link>https://blog.zumpyx.com/hackthebox/machines/0721-soulmate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0721-soulmate/</guid><description>`Soulmate` is an easy difficulty Linux machine that showcases exploitation of [CVE-2025-31161](https://nvd.nist.gov/vuln/detail/CVE-2025-31161), an authentication bypass vulnerability in CrushFTP, allowing players to access an admin user account. By uploading a malicious PHP file to the application&apos;s web root, remote command execution is achieved. For privilege escalation, [CVE-2025-32433](https://nvd.nist.gov/vuln/detail/CVE-2025-32433), another remote command execution vulnerability in the Erlang/OTP SSH server is being exploited to gain `root` access.</description><pubDate>Sat, 06 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Media</title><link>https://blog.zumpyx.com/hackthebox/machines/0718-media/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0718-media/</guid><description>Media is a Medium difficulty machine that features an Apache XAMPP stack on Windows hosting a custom PHP web application.  The web application allows the upload of a Windows Media Player compatible file that can be leveraged to leak the NTLMv2 hash of the user account that opens it.  This hash can be cracked to obtain user credentials that can be used to authenticate to the target via SSH. Upon gaining initial access the source code of the application can be analyzed to determine the generate storage path of uploaded files on the web application which can lead to an NTFS Junction (directory symbolic link) attack to upload a malicious PHP web shell for RCE. Once a shell under the context of the web server&amp;amp;#039;s service account, players can abuse the `SeTcbPrivilege - Act as part of the operating system`, a Windows privilege that lets code impersonate any user and achieve administrative privileges. Alternative methods for privilege escalation involve regaining the `SeImpersonate` privilege to elevate to `NT Authority\SYSTEM`.</description><pubDate>Thu, 04 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Race</title><link>https://blog.zumpyx.com/hackthebox/machines/0715-race/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0715-race/</guid><description>Race is a hard-difficulty Linux machine with a web application running Grav CMS and `phpsysinfo`. The `phpsysinfo` endpoint is protected with basic authentication, but its password is weak. The endpoint leaks credentials for the Grav CMS admin panel, which is accessible to a low-privilege user with permission to create web server backups. The attacker exploits the backup functionality to retrieve the rest token for a user with privileges to add a proxy and install themes. The attacker adds a proxy to intercept the response, uploads a custom theme, and gets a reverse shell. After gaining a reverse shell, the attacker is able to read sensitive files using a hardcoded password for the `max` user account. The `max` user account is a `racers` group member, which has write permission over a file vulnerable to a time-of-check / time-of-use vulnerability in a cron script. As an attacker, we will create named pipes to suspend execution and replace the file, thereby gaining command execution as root.</description><pubDate>Tue, 02 Sep 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Guardian</title><link>https://blog.zumpyx.com/hackthebox/machines/0703-guardian/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0703-guardian/</guid><description>`Guardian` is a hard difficulty Linux machine that starts with a web service redirecting to a university-themed site containing multiple subdomains, including a Gitea instance. Using default student credentials, accessing the student portal reveals an IDOR vulnerability in the chat feature, exposing admin messages and Jamil’s Gitea password. After accessing Jamil’s Gitea, the source code discloses a vulnerable PHPSpreadsheet version exploitable via XSS. A crafted Excel file is used to hijack a lecturer’s (Sammy Treat) session, leading to the discovery of a CSRF vulnerability in the admin panel that allows the creation of a new admin account. With admin access, a restricted PHP filter-based LFI is exploited via a modified filter-chain technique to achieve remote code execution. Post-exploitation shows that Jamil can run a Python script as the user Mark. That script can be modified to inject and execute a reverse shell payload, granting access as Mark. Mark can run `safeapache2ctl` as `root`, a restricted wrapper for `apache2ctl` that only permits configuration files from `/home/mark/confs`. Although symlinks are blocked via a realpath check, this restriction is bypassed by using Apache’s Include directive to reference a symlink within the allowed directory pointing to sensitive files. When executed, this leak protected data such as the root hash or root flag, ultimately enabling full root privilege escalation.</description><pubDate>Sat, 30 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Sendai</title><link>https://blog.zumpyx.com/hackthebox/machines/0712-sendai/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0712-sendai/</guid><description>`Sendai` is a medium-difficulty Windows `Active Directory` machine focused on weak account hygiene, `GMSA` abuse, and `ADCS` misconfigurations. Initial access is gained through `anonymous SMB` enumeration, revealing files that hint at expired accounts with weak passwords. RID brute-forcing identifies users, and login attempts highlight accounts in a forced password reset state. By resetting `thomas.powell`’s password, the attacker obtains a domain foothold. `BloodHound` analysis shows that Powell’s group membership can be leveraged to compromise the `MGTSVC$ GMSA` account, enabling remote code execution on the domain controller. Further local enumeration uncovers inline credentials for `clifford.davey`, whose `CA-OPERATORS` group membership grants `GenericAll` rights over a certificate template. Abusing `ESC4/ESC1` conditions with Certipy, the attacker forges a certificate for the administrator account, retrieves its NT hash, and authenticates via `WinRM`, achieving full domain compromise.</description><pubDate>Thu, 28 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Reaper</title><link>https://blog.zumpyx.com/hackthebox/machines/0706-reaper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0706-reaper/</guid><description>Reaper is an Insane Windows machine that begins with an exposed FTP service. Within the FTP share resides a Windows binary vulnerable to both format-string and buffer-overflow attacks. By exploiting these flaws, an attacker can leak sensitive memory regions, hijack the program’s execution flow, and ultimately obtain a reverse shell on the target as the user `keysvc`. After gaining initial access, the attacker discovers a file containing a DPAPI blob. Once decrypted, this blob provides valid credentials for RDP access as `keysvc`. Continued enumeration reveals a custom kernel driver present and actively running on the system. Through reverse-engineering the driver, the attacker determines that it permits arbitrary kernel-level writes. Leveraging this capability, the attacker is able to steal a privileged token and escalate to a full SYSTEM shell (`NT AUTHORITY\SYSTEM`).</description><pubDate>Tue, 26 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Previous</title><link>https://blog.zumpyx.com/hackthebox/machines/0701-previous/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0701-previous/</guid><description>`Previous` is a medium-difficulty Linux machine that features a web application vulnerable to [CVE-2025-29927](https://nvd.nist.gov/vuln/detail/CVE-2025-29927), an authorization bypass vulnerability in the `Next.js` authentication middleware, allowing access to restricted documentation pages. Further enumeration uncovers a Local File Inclusion (LFI) vulnerability, which is leveraged to extract the compiled `Next.js` server files and retrieve user credentials. With SSH access as a standard user, privilege escalation is achieved through `Terraform` by exploiting the ability to run the `apply` command with root privileges.</description><pubDate>Sat, 23 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Lock</title><link>https://blog.zumpyx.com/hackthebox/machines/0699-lock/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0699-lock/</guid><description>Lock is an easy-difficulty Windows machine that involves enumerating a `Gitea` repository to find a `Personal Access Token`. This token is then used to deploy an `ASPX` web shell on the server, which provides an initial foothold. A password is then decrypted from an `mRemoteNG` configuration file, providing access to a new user account. Finally, a local privilege escalation vulnerability in the `PDF24` application is exploited to obtain a shell with `SYSTEM` privileges.</description><pubDate>Thu, 21 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Phantom</title><link>https://blog.zumpyx.com/hackthebox/machines/0697-phantom/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0697-phantom/</guid><description>Phantom is a medium difficulty `Windows` machine which highlights AD exploitation. Initial enumeration reveals a publicly accessible `SMB Share` containing an `email file` with a base64 encoded `PDF` attachment that leaks a domain password. After enumerating domain users and performing a `password spray`, valid credentials are discovered for the `ibryant` account. Further enumeration of network shares uncovers a `VeraCrypt` container, which, after cracking, discloses a `VyOS router backup` holding credentials. These credentials provide access to the `lstanley` account, which has sufficient rights to configure `Resource-Based Constrained Delegation (RBCD)`. By abusing RBCD and leveraging `S4U2Self/S4U2Proxy` Kerberos delegation, we impersonate a `Domain Admin` and achieve full domain compromise.</description><pubDate>Tue, 19 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Sweep</title><link>https://blog.zumpyx.com/hackthebox/machines/0695-sweep/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0695-sweep/</guid><description>Sweep is a medium difficulty Windows box that involves Active Directory and `Lansweeper`, a technology asset intelligence tool. The attacker abuses an enabled guest account to gain access to Lansweeper, which has Map Credentials configured, which are login/password combinations for accessing and scanning network assets remotely. The attacker deploys a honeypot SSH server to read the configured credentials. The compromised account is a member of the `Lansweeper Discovery` group, which has `GenericAll` ACL over the `Lansweeper Admins` group. Any account member of the `Lansweeper Admins` group has administrator privileges on the Lansweeper dashboard. The attacker creates and deploys a package on the Domain Controller to gain complete control.</description><pubDate>Thu, 14 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Zero</title><link>https://blog.zumpyx.com/hackthebox/machines/0693-zero/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0693-zero/</guid><description>Zero is an Insane difficulty Linux machine that features a web application that allows for the creation of credentials to be used on an SFTP server where users can create their own HTML pages. This service is exploitable by uploading a malicious `.htaccess` file to gain arbitrary file read access to the web servers&apos; asset files.  By viewing the source code of these files players will find hard coded credentials that allow for access to the target over SSH.  The Apache server configuration is periodically managed by a cronjob that checks the integrity of the Apache configurations and can be abused by satisfying the conditions of the cronjob task to include a malicious line into the restored configuration to leak the contents of files owned by root.</description><pubDate>Tue, 12 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Cobblestone</title><link>https://blog.zumpyx.com/hackthebox/machines/0691-cobblestone/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0691-cobblestone/</guid><description>HTB machine: Cobblestone</description><pubDate>Sat, 09 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Build</title><link>https://blog.zumpyx.com/hackthebox/machines/0689-build/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0689-build/</guid><description>Build is an easy-rated Linux machine which involves reading sensitive files from unauthenticated rsync shares, leading to exposing an encrypted Jenkins password. The attacker manages to decrypt the password, which allows them to access GitLab. The repository owned by the admin on GitLab has a webhook configured, allowing attackers to gain arbitrary code execution and a shell in the Docker container. The Docker container has access to MySQL and PowerDNS, both of which run on another container on the same Docker network. The container also has a mounted file called `.rhosts`, which is also mounted in the host machine&amp;amp;#039;s root directory. MySQL is misconfigured not to have the root&amp;amp;#039;s password, allowing an attacker to gain complete control over the database. The attacker can now either crack the admin&amp;amp;#039;s hash or directly modify the `intern`/`admin` DNS record pointing towards the attacking machine, assuming the same `.rhosts` file is mounted on the host machine too, allowing them to get a root session over Remote Shell Protocol (RSH).</description><pubDate>Tue, 05 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Editor</title><link>https://blog.zumpyx.com/hackthebox/machines/0684-editor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0684-editor/</guid><description>`Editor` is an easy-difficulty Linux machine that focuses on web application exploitation followed by local privilege escalation. Initial enumeration reveals a web application exposing an `XWiki` instance, which is identified as vulnerable to `[CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)`, a remote code execution flaw in the `SolrSearch` endpoint. By adapting a public proof-of-concept, Groovy code injection is achieved, allowing arbitrary command execution and providing a shell as the xwiki user. Post-exploitation enumeration of the system reveals additional local users and misconfigurations that allow lateral movement to the user oliver. Further analysis of the system uncovers a privilege escalation vector involving a misconfigured `SUID binary` that relies on environment-controlled execution. By abusing `PATH` manipulation, a malicious binary is executed in place of a trusted system binary, resulting in execution with elevated privileges and ultimately granting root access.</description><pubDate>Sat, 02 Aug 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] LustrousTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0688-lustroustwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0688-lustroustwo/</guid><description>LustrousTwo is a hard-rated Windows box that deals with LDAP signing, channel binding, and disabled NTLM authentication. The box has a web server vulnerable to arbitrary file read, which helps attackers capture a `Net-NTLMv2` hash for the service account, using it to request Service Tickets via `s4u2self`, a stealthier alternative to Silver Ticket, to bypass protective measures like `Account is sensitive and cannot be delegated`. After reversing and auditing the source code, the attacker achieves Remote Code Execution. For privilege escalation, the attacker exploits a misconfigured, insecure [Velociraptor](https://github.com/Velocidex/velociraptor) installation.</description><pubDate>Thu, 31 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Manage</title><link>https://blog.zumpyx.com/hackthebox/machines/0687-manage/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0687-manage/</guid><description>Manage is an easy Linux machine that features an exposed `Java RMI` service. Exploiting the underlying vulnerable `JMX` service leads to remote code execution and gaining a remote shell as the `tomcat` user. Lateral movement to the `useradmin` account can be achieved by discovering a misconfigured backup archive which leaks sensitive files, including `SSH` keys and `OTP` codes. Finally, a `sudo` misconfiguration allows for creating a privileged user and achieving full privilege escalation.</description><pubDate>Tue, 29 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Era</title><link>https://blog.zumpyx.com/hackthebox/machines/0683-era/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0683-era/</guid><description>`Era` is a medium difficulty Linux machine that features an insecure `PHP` web application alongside a weakly protected system service. First, web enumeration reveals insecure file handling and authentication logic, which can be leveraged to obtain an administrator session. Further inspection of the application&amp;amp;#039;s source code reveals a vulnerable file-preview mechanism that enables remote code execution through `PHP` stream wrappers. Finally, upon gaining remote access, a root-executed scheduled task reveals a monitoring binary with an easily bypassed `ELF` signature check that can be overwritten to achieve full system compromise.</description><pubDate>Sat, 26 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Ten</title><link>https://blog.zumpyx.com/hackthebox/machines/0686-ten/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0686-ten/</guid><description>Ten is a Hard difficulty Linux machine that simulates a misconfigured shared-hosting environment.  Players enumerate a public sign-up portal that provisions FTP accounts, abuse weak MySQL/FTP integration to pivot into a real local user, and finally achieve root by poisoning an etcd-driven Apache configuration reload.</description><pubDate>Thu, 24 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[Blog] Ex. Note-taking for Pentest</title><link>https://blog.zumpyx.com/blog/ex-note-taking-for-pentest/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-note-taking-for-pentest/</guid><description>示例文：命令、截图与假设如何组织才方便写报告。</description><pubDate>Tue, 22 Jul 2025 00:00:00 GMT</pubDate><category>blog</category><category>report</category><category>notes</category><category>example</category></item><item><title>[HTB · Machines] Mirage</title><link>https://blog.zumpyx.com/hackthebox/machines/0682-mirage/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0682-mirage/</guid><description>`Mirage` is a hard difficulty Windows machine that starts with an unauthenticated NFS share, enabling the attacker to download sensitive penetration test reports. The attacker then discovers that the domain&amp;amp;#039;s NATS server&amp;amp;#039;s DNS record has been automatically removed from the DNS Server, and the DNS Server is configured to allow insecure DNS updates, enabling the attacker to add a DNS A record and capture all NATS server-client communication on its rogue NATS server. The attacker then discovers streams on the NATS server, which is running on the Domain Controller, leaking credentials for the `DAVID.JJACKSON` user account. The newly compromised user is used to request a Service Ticket for the `NATHAN.AADAM` Kerberoastable user and to crack the hashes locally. After establishing a WinRM session on the Domain Controller, the attacker discovers that the `MARK.BBOND` user is also logged in to the Domain Controller at the same time and performs a cross-session NET-NTLMV2 hash leak. The user being a member of the `IT SUPPORT` group enables, modifies logon hours, and changes the password for the `JAVIER.The MMARSHALL` user account was compromised to read the gMSA password for the `MIRAGE-SERVICES$` service account. The service account has privileges to write the Public-Information property set for the `MARK.BBOND`. The Certificate Authority is configured to allow UPN mapping, and Certificate Binding is set to Compatibility (not Full Enforcement), allowing Attackers to perform the `ESC10` attack and gain privileges to perform a DCSync attack, thereby obtaining Domain Admins.</description><pubDate>Sat, 19 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Redelegate</title><link>https://blog.zumpyx.com/hackthebox/machines/0681-redelegate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0681-redelegate/</guid><description>Redelegate is a hard-difficultly Windows machine that starts with Anonymous FTP access, which allows the attacker to download sensitive Keepass Database files. The attacker then discovers that the credentials in the database are valid for MSSQL local login, which leads to enumerate SIDs and performs a password spray attack. Being a member of the `HelpDesk` group, the newly compromised user account `Marie.Curie` has a `User-Force-Change-Password` Access Control setup over the `Helen.Frost` user account; that user account has privileges to get a PS remoting session onto the Domain Controller. The `Helen.Frost` user account also has the `SeEnableDelegationPrivilege` assigned and has full control over the `FS01$` machine account, essentially allowing the attacker account to modify the `msDS-AllowedToDelegateTo` LDAP attribute and change the password of a computer object and perform a Constrained Delegation attack.</description><pubDate>Thu, 17 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Voleur</title><link>https://blog.zumpyx.com/hackthebox/machines/0670-voleur/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0670-voleur/</guid><description>`Voleur` is a medium-difficulty Windows machine designed around an assumed breach scenario, where the attacker is provided with low-privileged user credentials. The machine features an Active Directory environment, and `NTLM` authentication is disabled.  After Kerberos configuration and network enumeration, a password-protected Excel file is found on an exposed `SMB` share. We extract its password hash, crack it to recover the password, and use that password to access the spreadsheet. Enumeration reveals a service account with `WriteSPN` rights, which enables a targeted Kerberoasting attack that recovers credentials and grants remote access to the host. A previously deleted domain user is restored using group privileges, and a DPAPI-protected credential blob is recovered, which is decrypted with the user’s password to reveal a higher-privilege account. These credentials lead to discovering an `SSH` private key for a backup service account, allowing access to a Linux subsystem over a nonstandard port. From this, the `NTDS.dit`, `SYSTEM`, and `SECURITY` backup files are extracted and used to recover the `Administrator`&amp;amp;#039;s NT hash, ultimately allowing access as the `Administrator`.</description><pubDate>Sat, 05 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Data</title><link>https://blog.zumpyx.com/hackthebox/machines/0673-data/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0673-data/</guid><description>Data is an Easy Linux machine that involves exploiting `[CVE-2021-43798](https://nvd.nist.gov/vuln/detail/CVE-2021-43798)`, an arbitrary file read via path traversal in `Grafana`. By exploiting this vulnerability, the database file for Grafana is extracted, and the hashes in the database are converted to a format readable by `Hashcat`. The hash is then cracked and can be used for SSH access to the target as user `boris`. The compromised user has the privileges to execute `docker exec` as root on the system, allowing the user to escalate and obtain root access by adding the privileged flag to running containers and mounting the host filesystem.</description><pubDate>Tue, 01 Jul 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] RustyKey</title><link>https://blog.zumpyx.com/hackthebox/machines/0669-rustykey/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0669-rustykey/</guid><description>`RustyKey` is a hard difficulty Windows Machine which showcases a Timeroasting Attack, Active Directory ACL abuse following Windows Group Policy Enumeration to abuse the 7-Zip Shell Extension. For Privilege escalation, Active Directory Delegations are abused using a SPN-less Resource-Based Constrained Delegation attack.</description><pubDate>Sat, 28 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Retro</title><link>https://blog.zumpyx.com/hackthebox/machines/0671-retro/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0671-retro/</guid><description>`Retro` is an Easy Windows machine that showcases an Active Directory Domain Controller. Through SMB enumeration and pre-created machine account exploitation, we gain access to the system. Through the exploitation of the Active Directory Certificate Service and specifically by using the `ESC1` attack, which involves exploiting certificate templates to impersonate the Administrative user, privilege escalation is achieved.</description><pubDate>Tue, 24 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Artificial</title><link>https://blog.zumpyx.com/hackthebox/machines/0668-artificial/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0668-artificial/</guid><description>`Artificial` is an easy-difficulty Linux machine that showcases exploiting a web application used to run AI models with `Tensorflow` and the `Backrest` web UI by abusing the backup and restore functionalities and the `restic` utility used by the application.</description><pubDate>Sat, 21 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Shibuya</title><link>https://blog.zumpyx.com/hackthebox/machines/0667-shibuya/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0667-shibuya/</guid><description>Shibuya is a Medium Windows machine that starts of with the SMB port exposed. Enumerating possible usernames through Kerberos an attacker is able to find the valid machine account `red:red`. With these credentials, he can further enumerate the remote users and discover that the user `svc_autojoin` has a password in its description. With this account in hand, he is able to discover some  `Windows Imaging Format (.wmi)` files that contain hashes for the user `simon.watson`. Now, the attacker has command execution through SSH on the remote machine and is able to enumerate that another user has an active interactive session. By performing a cross-session relay attack he is able to steal the hash and crack the password for the user `nigel.mills`. The new user is member of the `t1_admin` groups which has enrolment rights on a certificate template that&apos;s vulnerable to `ESC1` and by exploiting it we are able to gain `SYSTEM` privileges on the machine.</description><pubDate>Thu, 19 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Down</title><link>https://blog.zumpyx.com/hackthebox/machines/0666-down/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0666-down/</guid><description>Down is an easy-rated Linux machine that involves exploiting an arbitrary file read by bypassing a protocol-based filter to discover the source code of the running PHP web app, eventually, a remote code execution to gain an initial foothold. The attacker finds a readable `pswm` encrypted file in the user&apos;s home directory. The `pwsm` uses Python&apos;s `cryptocode` module and a master password to encrypt and decrypt the data. The attacker is supposed to write a small script to decrypt the blob and compromise the user. The compromised user is a member of the `sudo` group, allowing the user to escalate and obtain root access.</description><pubDate>Tue, 17 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Sorcery</title><link>https://blog.zumpyx.com/hackthebox/machines/0665-sorcery/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0665-sorcery/</guid><description>`Sorcery` is a Linux machine that starts with an HTTPS web application. The web application is open source and gives an attacker full access to the application&apos;s code, including the authentication flow, passkey enrollment, and internal debug functionality. After registering, source code review reveals a custom Rust `Model` derive macro that builds `Neo4j` Cypher queries using string formatting. However, it does not use proper validation, leading to Cypher injection that allows an attacker to register a `seller` account. With a seller account, the attacker can create a product that is automatically visited by an administrator. The product description is rendered with `dangerouslySetInnerHTML`, resulting in stored XSS. By abusing this attack vector, the attacker can register a passkey and log in as the `admin` user. As an administrator, additional features become available. Some blog posts reveal that the user `tom_summers` is susceptible to phishing attacks. The attacker needs to craft a highly intricate phishing chain to trick  `tom_summers` into logging in so as to capture his credentials. To achieve this, the attacker exploits an SSRF primitive through the debug page to leak CA certificates from an `ftp` server, register a `.sorcery.htb` subdomain through Kafka, and send the final email. Privilege escalation begins by discovering an `Xvfb` display and a `mousepad` process running as `tom_summers_admin`. By capturing an image of that buffer, the attacker exfiltrates the password for `tom_summers_admin`. From there, Docker is configured to use a custom credential helper, and `sudo -l` permits running `docker login` and `strace` as `rebecca_smith`. By leveraging this combination, the attacker finds the password of the user `rebecca_smith` however, she is configured to use One Time Passwords (OTPs) as an added layer of security. By reversing the binary and extracting the OTP generation logic, the attacker is able to dump the Docker registry and find credentials for the user `donna_adams`. This user is a member on the `main` FreeIPA realm. Finally, the attacker can change the password of `ash_winter` over LDAP and grant the user extremely permissive `sudo` rules, thus allowing escalation to `root`.</description><pubDate>Sat, 14 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] TombWatcher</title><link>https://blog.zumpyx.com/hackthebox/machines/0664-tombwatcher/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0664-tombwatcher/</guid><description>`TombWatcher` is a medium-difficulty Windows machine that focuses on `Active Directory privilege escalation` through a chained abuse of domain object permissions. The attack starts with the provided credentials for the user `henry`, who possesses `WriteSPN` rights over the account alfred. This access is leveraged to carry out a `targeted Kerberoasting attack`, allowing the `alfred` user’s password to be cracked and yielding control over an account that can add itself to the `INFRASTRUCTURE` group. Being a member of this group allows you to retrieve the `gMSA password` for the `ansible_dev$` managed service account. This account has the privilege to reset the password for the user `sam`, which becomes the next pivot point. Through the `sam` user, `WriteOwner` permissions over the user `john` are abused to obtain a GenericAll ACE, enabling a password reset and full access to the john user, who is a member of the `Remote Management Users` group. This provides an interactive shell and access to the user flag. Privilege escalation to Administrator is then achieved by abusing `john` user’s `GenericAll` rights over the `ADCS` organizational unit. A previously deleted account, `cert_admin`, is restored using the `Active Directory Recycle Bin`, its password is reset, and it is leveraged to exploit `ESC15`  against a misconfigured WebServer certificate template. This ultimately allows the issuance of a certificate for Administrator, resulting in full domain compromise.</description><pubDate>Sat, 07 Jun 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Certificate</title><link>https://blog.zumpyx.com/hackthebox/machines/0663-certificate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0663-certificate/</guid><description>`Certificate` is a hard Windows Active Directory machine that starts with an E-learning platform. The web application is vulnerable to `Null-Byte Injection` in its file upload feature, allowing a `PHP` reverse shell to be executed for initial access as `xamppuser`. Database credentials are retrieved, enabling lateral movement to the  `Sara.B` user. Further enumeration uncovers a network capture file that leaks `Lion.SK’s` credentials. Using these, Active Directory Certificate Services (`ADCS`) is enumerated, and a vulnerable template is exploited to request certificates on behalf of other users. A certificate for the `Ryan.K` user is then obtained, whose `SeManageVolumePrivilege` is leveraged to gain a shell as `NT AUTHORITY\NETWORK SERVICE`. Finally, `SeImpersonatePrivilege` is used to escalate to `NT AUTHORITY\SYSTEM`, dump `ntds.dit` and `registry` hives, and extract the Administrator’s `NTLM` hash, ultimately allowing access as the `Administrator`.</description><pubDate>Sat, 31 May 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Fluffy</title><link>https://blog.zumpyx.com/hackthebox/machines/0662-fluffy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0662-fluffy/</guid><description>`Fluffy` is an easy-difficulty Windows machine designed around an assumed breach scenario, where credentials for a low-privileged user are provided. By exploiting [CVE-2025-24071](https://nvd.nist.gov/vuln/detail/CVE-2025-24071), the credentials of another low-privileged user can be obtained. Further enumeration reveals the existence of ACLs over the `winrm_svc` and `ca_svc` accounts. `WinRM` can then be used to log in to the target using the `winrc_svc` account. Exploitation of an Active Directory Certificate service (`ESC16`) using the `ca_svc` account is required to obtain access to the `Administrator` account.</description><pubDate>Sat, 24 May 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Puppy</title><link>https://blog.zumpyx.com/hackthebox/machines/0661-puppy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0661-puppy/</guid><description>Puppy is a Medium Difficulty machine that features a non-default SMB share called `DEV`. With the provided credentials for user `levi.james`, enumeration of the domain is possible. The enumeration reveals that this user has `GenericWrite` privileges over the `Developers` group. After adding Levi to this group, we can access the previously inaccessible `DEV` share. This share contains the backup of a `KeePass` database, which we can download, export the hash of and crack. The database reveals a plethora of username and password combinations. A password spray attack shows that one of the passwords is valid for user `Ant.Edwards`. Furthermore, this new user has `GenericAll` privileges over the user `Adam.Silver`, which allow us to change their password to a password of our choice. After the password is changed, we must re-enable Adam&apos;s account, as it has been disabled, which then allows us to connect to the remote system over WinRM. Lateral movement is achieved by finding the backup of a website, which contains credentials for user `Steph.cooper`. Finally, privileges are escalated through `DPAPI` credentials that are decrypted using Steph&apos;s password. The credentials revealed belong to `Steph.cooper_adm`, presumably the Administrative account of Steph, and a connection can be made over WinRM.</description><pubDate>Sat, 17 May 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Planning</title><link>https://blog.zumpyx.com/hackthebox/machines/0660-planning/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0660-planning/</guid><description>`Planning` is an easy difficulty Linux machine that features web enumeration, subdomain fuzzing, and exploitation of a vulnerable `Grafana` instance to [CVE-2024-9264](https://nvd.nist.gov/vuln/detail/CVE-2024-9264). After gaining initial access to a Docker container, an exposed password enables lateral movement to the host system due to password reuse. Finally, a custom cron management application with `root` privileges can be leveraged to achieve full system compromise.</description><pubDate>Sat, 10 May 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[Blog] Ex. Container Escape Checklist</title><link>https://blog.zumpyx.com/blog/ex-container-escape-checklist/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-container-escape-checklist/</guid><description>示例文：privileged、sock 挂载与 capabilities 检查顺序。</description><pubDate>Sun, 04 May 2025 00:00:00 GMT</pubDate><category>blog</category><category>docker</category><category>cloud</category><category>example</category></item><item><title>[HTB · Machines] Scepter</title><link>https://blog.zumpyx.com/hackthebox/machines/0657-scepter/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0657-scepter/</guid><description>Scepter is a hard difficulty Windows machine that starts with an unauthenticated NFS share, allowing the attacker to download a sensitive PFX certificate file. The attacker then discovers that the compromised user has the `User-Force-Change-Password` ACL, allowing the password for the `A.CARTER` user account to be changed. The user account is a member of `IT SUPPORT,` enabling group members to have `GenericAll` ACL to the `STAFF ACCESS CERTIFICATE` Organisational Unit (OU). The attacker can then fully control all user accounts under the OU. Besides, the attacker discovers that the Certificate Authority is vulnerable to ESC14, explicit weak mapping. The attacker manages to compromise `H.BROWN` by modifying the `mail` LDAP attribute and requesting the StaffAccessCertificate certificate template. The `H.BROWN` user account is a member of the `CMS` group, having privileges to alter the `altSecurityIdentities` LDAP Attribute of any AD object under the `Helpdesk Enrollment Certificate` OU. As the CA is vulnerable to ESC14, the attacker can modify the LDAP attribute (Strong mapping, i.e., `X509IssuerSerialNumber`) and request a certificate as Domain Computer to compromise the `P.ADAMS` user account, who has DCSync privileges, allowing the attacker to compromise the domain. An alternate approach is to exploit the weak mapping  `X509RFC822`, then enrolling the certificate template as the `D.BAKER` user account and compromising the `P.ADAMS` user account.</description><pubDate>Sat, 19 Apr 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Nocturnal</title><link>https://blog.zumpyx.com/hackthebox/machines/0656-nocturnal/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0656-nocturnal/</guid><description>`Nocturnal` is a medium-difficulty Linux machine demonstrating an IDOR vulnerability in a PHP web application, allowing access to other users&amp;amp;amp;#039; uploaded files. Credentials are retrieved to log in to the admin panel, where the application&amp;amp;amp;#039;s source code is accessed. A command injection vulnerability is identified, providing a reverse shell as the `www-data` user. Password hashes are extracted from a SQLite database and cracked to obtain SSH access as the `tobias` user. Exploiting [CVE-2023-46818](https://nvd.nist.gov/vuln/detail/CVE-2023-46818) in the `ISPConfig` application grants remote command execution, leading to privilege escalation to the `root` user.</description><pubDate>Sat, 12 Apr 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] WhiteRabbit</title><link>https://blog.zumpyx.com/hackthebox/machines/0655-whiterabbit/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0655-whiterabbit/</guid><description>HTB machine: WhiteRabbit</description><pubDate>Sat, 05 Apr 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Haze</title><link>https://blog.zumpyx.com/hackthebox/machines/0654-haze/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0654-haze/</guid><description>Haze is a hard difficulty Windows machine focused on web exploitation, domain abuse, and Windows privilege escalation. Initial access is gained by exploiting a `Splunk Arbitrary File Read (CVE-2024-36991)` to extract an LDAP bind password, which is then decrypted using `splunk.secret`. With valid credentials, a BloodHound scan reveals further accounts, and password spraying provides access to a user with `GMSA` management rights. This allows abuse of the `PrincipalsAllowedToRetrieveManagedPassword` property to dump hashes and pivot into a privileged service account. Using Shadow Credentials, access is escalated to another user. Backup files expose more credentials, eventually giving admin access to `Splunk`. Finally, a custom app upload enables a reverse shell, and `SeImpersonatePrivilege` is abused to impersonate SYSTEM, completing the escalation chain.</description><pubDate>Sat, 29 Mar 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Code</title><link>https://blog.zumpyx.com/hackthebox/machines/0653-code/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0653-code/</guid><description>Code is an easy Linux machine featuring a Python Code Editor web application that is vulnerable to remote code execution by achieving a Python  Jail Bypass. After gaining access as the `app-production` user, crackable credentials can be found in an `sqlite3` database file. Using these credentials, access is granted to another user, `martin`, who has `sudo` permissions to a backup utility script, `backy.sh`. This script includes a section of vulnerable code, which, when exploited, allows us to escalate our privileges by creating a copy of the `root` folder.</description><pubDate>Sat, 22 Mar 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] TheFrizz</title><link>https://blog.zumpyx.com/hackthebox/machines/0652-thefrizz/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0652-thefrizz/</guid><description>`TheFrizz` is a medium-difficulty Windows machine featuring a web application showcasing Walkerville Elementary School and a Gibbon CMS instance. The Gibbon-LMS instance is susceptible to unauthenticated arbitrary file write (CVE-2023-45878), which is used to write a PHP shell to the web application and gain access to the target. After gaining access to the system, a database settings file containing credentials to access MySQL includes a hash and salt for the user f.frizzle that can be cracked. After cracking the password, we authenticate to the target using SSH with GSSAPI/Kerberos. We request a TGT, which is then used to authenticate via Kerberos authentication. A deleted 7Zip archive is discovered in the `fiona` user&amp;amp;#039;s recycling bin which is extracted revealing a WAPT setup and includes a configuration file with base64-encoded credentials used to authenticate as the `M.Schoolbus` user. `M.Schoolbus` is a member of the `Group Policy Creator Owners`, which allows them to create GPOs within the domain, which is leveraged to escalate privileges to `NT Authority\System`.</description><pubDate>Sat, 15 Mar 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Dog</title><link>https://blog.zumpyx.com/hackthebox/machines/0651-dog/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0651-dog/</guid><description>Dog is an easy-rated Linux machine that involves reading sensitive information through an exposed git repository and exposing credentials to get administrator access to `BackdropCMS`. The admin privileges allow an attacker to exploit Remote Code Execution by uploading a malicious archive containing a `PHP` backdoor to gain an initial foothold. The `johncusack` user account also reuses the `BackdropCMS` password. After compromising the `johncusack` account, the attacker finds that the user can run the `bee` executable with `sudo` privileges, which allows the attacker to gain root privileges.</description><pubDate>Sat, 08 Mar 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Cypher</title><link>https://blog.zumpyx.com/hackthebox/machines/0650-cypher/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0650-cypher/</guid><description>Cypher is a medium-difficulty Linux machine that requires exploiting a cypher injection vulnerability to bypass authentication on a login page. This grants users access to a custom web application to execute custom queries. A Java file is discovered by fuzzing the web application, revealing a command injection vulnerability that provides access to the machine as the `neo4j` user. A history file contains the credentials for the `graphasm` user, who has permission to execute `bbot` as `root` user. This privilege escalation is exploited by creating a custom module that allows executing commands.</description><pubDate>Sat, 01 Mar 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Checker</title><link>https://blog.zumpyx.com/hackthebox/machines/0649-checker/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0649-checker/</guid><description>Checker is a hard-level Linux machine running Teampass and Bookstack on separate ports. The Teampass version has a SQL injection vulnerability [CVE-2023-1545](https://nvd.nist.gov/vuln/detail/CVE-2023-1545) that can be exploited to obtain user password hashes. By cracking these hashes, we get the password for the Teampass user `bob`. Logging into Teampass reveals credentials for both Bookstack user `bob` and the SSH user `reader`. Attempting SSH login as `reader` user shows that two-factor authentication is enabled. Meanwhile, the Bookstack version is vulnerable to [CVE-2023-6199](https://nvd.nist.gov/vuln/detail/CVE-2023-6199), a local file read flaw via Blind SSRF, which can be exploited to retrieve the 2FA secret key for the `reader` user’s SSH account, enabling successful SSH login. We reverse engineer a binary for privilege escalation to root to discover a command injection vulnerability, which we then exploit using a custom script.</description><pubDate>Sat, 22 Feb 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Titanic</title><link>https://blog.zumpyx.com/hackthebox/machines/0648-titanic/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0648-titanic/</guid><description>Titanic is an easy difficulty Linux machine that features an Apache server listening on port 80. The website on port 80 advertises the amenities of the legendary Titanic ship and allows users to book trips. A second vHost is also identified after fuzzing, which points to a `Gitea` server. The Gitea server allows registrations, and exploration of the available repositories reveals some interesting information including the location of a mounted `Gitea` data folder, which is running via a Docker container. Back to the original website, the booking functionality is found to be vulnerable to an Arbitrary File Read exploit, and combining the directory identified from Gitea, it is possible to download the Gitea SQLite database locally. Said database contains hashed credentials for the `developer` user, which can be cracked. The credentials can then be used to login to the remote system over SSH. Enumeration of the file system reveals that a script in the `/opt/scripts` directory is being executed every minute. This script is running the `magick` binary in order to gather information about specific images. This version of `magick` is found to be vulnerable to an arbitrary code execution exploit assigned [CVE-2024-41817](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41817). Successful exploitation of this vulnerability results in elevation of privileges to the `root` user.</description><pubDate>Sat, 15 Feb 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] DarkCorp</title><link>https://blog.zumpyx.com/hackthebox/machines/0647-darkcorp/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0647-darkcorp/</guid><description>`DarkCorp` is an Insane-difficulty Windows machine with several computers joined. The initial foothold involves exploiting [CVE-2024-42009](https://nvd.nist.gov/vuln/detail/CVE-2024-42009), an XXS vulnerability and IDOR in `RoundCube`, via the Contact Page to read emails from a developer and leak a hidden, password-protected Analytics dashboard. By leveraging the XXS vulnerability, a separate vhost is accessed, which is vulnerable to a command injection vulnerability using `Postgres`, allowing us to gain an initial foothold on the machine. Then, an internal web application monitoring service is abused by relaying the authentication request to the domain controller. Furthermore, `PrinterBug` is used to coerce the web server within DarkCorp&apos;s internal network following a Kerberos relay attack to compromise the host. After enumerating `Credential Manager` installed in the web server, abusing ACLs using the credentials found, and exploiting [&amp;quot;A broken marriage, Abusing mixed vendor Kerberos stacks&amp;quot;](https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mixed-vendor-kerberos-stacks/) to get an SSH session on the Drip machine, finally the cached credentials inside the host is extracted which can be leveraged to manage Group Policy Objects allowing us to add a local administrator account to get adminitrative access to the domain controller.</description><pubDate>Sat, 08 Feb 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Cat</title><link>https://blog.zumpyx.com/hackthebox/machines/0646-cat/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0646-cat/</guid><description>Cat is a medium-difficulty Linux machine that features a custom PHP web application vulnerable to cross-site scripting (XSS), which can trigger an `onerror` event to bypass the application&amp;amp;#039;s security filters. Leveraging this XSS vulnerability, we can perform cookie hijacking to steal an administrator&amp;amp;#039;s cookie and elevate our privileges in the application. We can then perform a SQL Injection on a SQLite database to get remote code execution by storing a malicious web shell in the database. With access to the internal application database, we can recover a password from the database by cracking its hash to gain access as a user who has group membership to read server logs.  These logs leak a clear-text password to a user accessing an internally hosted Gitea instance on version 1.22.0, vulnerable to an XSS attack via `[CVE-2024-6886](https://nvd.nist.gov/vuln/detail/CVE-2024-6886)` due to improper input sanitization.  By exploiting `[CVE-2024-6886](https://nvd.nist.gov/vuln/detail/CVE-2024-6886)`, we can read a private Gitea repository containing a credential for the root user.</description><pubDate>Sat, 01 Feb 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Ex. HTTP Smuggling Primer</title><link>https://blog.zumpyx.com/blog/ex-http-smuggling-primer/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-http-smuggling-primer/</guid><description>示例文：CL.TE / TE.CL 的直觉理解与测试边界。</description><pubDate>Tue, 28 Jan 2025 00:00:00 GMT</pubDate><category>blog</category><category>web</category><category>http</category><category>example</category></item><item><title>[HTB · Machines] BigBang</title><link>https://blog.zumpyx.com/hackthebox/machines/0645-bigbang/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0645-bigbang/</guid><description>BigBang is a hard difficulty Linux machine involving a WordPress site with the BuddyForms plugin, starting by investigating the [CVE-2023-26326](https://nvd.nist.gov/vuln/detail/CVE-2023-26326) that lets us upload a polyglot file (PHAR/GIF). While this doesn’t immediately work, it provides insight into reading GIF files, which we can repurpose to access local files. By leveraging a tool based on PHP filters, we’ll exploit this to read arbitrary files and use the information to trigger [CVE-2024-2961](https://nvd.nist.gov/vuln/detail/CVE-2024-2961), a vulnerability in Glibc, enabling remote code execution. After gaining access, we locate the WordPress database credentials in the configuration files. The database holds password hashes, which we can crack to retrieve the password for the `shawking` user. Further file enumeration reveals the Grafana database, containing user password hashes, which we can crack to obtain the password for the `developer` user. For privilege escalation, we analyse an Android application present on the user `developer`&apos;s home directory, analyse its API, and exploit a command injection in one of the features to achieve root-level access.</description><pubDate>Sat, 25 Jan 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Strutted</title><link>https://blog.zumpyx.com/hackthebox/machines/0644-strutted/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0644-strutted/</guid><description>`Strutted` is an medium-difficulty Linux machine featuring a website for a company offering image hosting solutions. The website provides a Docker container with the version of Apache Struts that is vulnerable to `[CVE-2024-53677](https://nvd.nist.gov/vuln/detail/CVE-2024-53677)`, which is leveraged to gain a foothold on the system. Further enumeration reveals the `tomcat-users.xml` file with a plaintext password used to authenticate as `james`. For privilege escalation, we abuse `tcpdump` while being used with `sudo` to create a copy of the `bash` binary with the `SUID` bit set, allowing us to gain a `root` shell.</description><pubDate>Thu, 23 Jan 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Backfire</title><link>https://blog.zumpyx.com/hackthebox/machines/0643-backfire/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0643-backfire/</guid><description>Backfire is a medium-difficulty box that starts with an exposed Havoc command and control server, where the attacker exploits Server Side Request Forgery to ultimately establish a communication stream to Havoc&amp;amp;amp;#039;s WebSocket API and inject malicious commands to get remote code execution in Havoc&amp;amp;amp;#039;s payload compile process. Once the attacker gains the initial foothold, another C&amp;amp;amp;amp;C is running locally named Hardhat. The Hardhat C&amp;amp;amp;amp;C is open source, so the attacker crafts a JWT token with the default hardcoded JWT secret key. The user account can execute iptables &amp;amp;amp;amp; iptables-save for privilege escalation, allowing the attacker to achieve arbitrary file write.</description><pubDate>Sat, 18 Jan 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] EscapeTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0642-escapetwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0642-escapetwo/</guid><description>`EscapeTwo` is an easy difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided. We leverage these credentials to access a file share containing a corrupted Excel document. By modifying its byte structure, we extract credentials. These are then sprayed across the domain, revealing valid credentials for a user with access to `MSSQL`, granting us initial access. System enumeration reveals `SQL` credentials, which are sprayed to obtain `WinRM` access. Further domain analysis shows the user has write owner rights over an account managing `ADCS`. This is used to enumerate `ADCS`, revealing a misconfiguration in `Active Directory Certificate Services`. Exploiting this misconfiguration allows us to retrieve the `Administrator` account hash, ultimately leading to complete domain compromise.</description><pubDate>Sat, 11 Jan 2025 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] UnderPass</title><link>https://blog.zumpyx.com/hackthebox/machines/0641-underpass/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0641-underpass/</guid><description>Underpass is an Easy Linux machine starting with a default Apache Ubuntu page. This leads the attacker to enumerate the machine&amp;amp;#039;s UDP ports for alternative attack vectors. The attacker can enumerate SNMP and discover that `Daloradius` is running on the remote machine, and the operators panel can be accessed using the default credentials. Inside the panel, the password hash for the user `svcMosh` is stored, and it&amp;amp;#039;s crackable. Then, the attacker can log in to the remote machine using SSH with the credentials they have obtained. The user `svcMosh` is configured to run `mosdh-server` as `root`, which allows the attacker to connect to the server from their local machine and interact with the remote machine as the `root` user.</description><pubDate>Sat, 21 Dec 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Heal</title><link>https://blog.zumpyx.com/hackthebox/machines/0640-heal/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0640-heal/</guid><description>Heal is a medium-difficult Linux machine that features a website vulnerable to arbitrary file read, allowing us to extract sensitive credentials. The server also hosts a LimeSurvey instance, where the leaked credentials can be used to log in as an administrator. Since administrators can upload plugins, we can exploit this to upload a malicious plugin and gain a reverse shell as the `www-data` user. Further enumeration reveals the database password for LimeSurvey, which is reused by the system user `ron`, allowing us to escalate access. The server also runs a local instance of the Consul Agent as `root`. By registering a malicious service via the Consul API, we can escalate privileges and gain root access.</description><pubDate>Sat, 14 Dec 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] LinkVortex</title><link>https://blog.zumpyx.com/hackthebox/machines/0638-linkvortex/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0638-linkvortex/</guid><description>LinkVortex is an easy-difficulty Linux machine with various ways to leverage symbolic link files (symlinks). The initial foothold involves discovering an exposed `.git` directory that can be dumped to retrieve credentials. These credentials allow access to the Ghost content management system vulnerable to [CVE-2023-40028](https://nvd.nist.gov/vuln/detail/CVE-2023-40028). This vulnerability allows authenticated users to upload symlinks, enabling arbitrary file read within the Ghost container. The exposed credentials in the Ghost configuration file can then be leveraged to gain a shell as the user on the host system. Finally, the user can execute a script with sudo permissions that are vulnerable to a symlink race condition attack (TOCTOU). This presents an opportunity to escalate privileges by creating links to sensitive files on the system and ultimately gaining root access.</description><pubDate>Sat, 07 Dec 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Unrested</title><link>https://blog.zumpyx.com/hackthebox/machines/0639-unrested/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0639-unrested/</guid><description>Unrested is a medium difficulty `Linux` machine hosting a version of `Zabbix`. Enumerating the version of `Zabbix` shows that it is vulnerable to both [CVE-2024-36467](https://nvd.nist.gov/vuln/detail/CVE-2024-36467) (missing access controls on the `user.update` function within the `CUser` class) and [CVE-2024-42327](https://nvd.nist.gov/vuln/detail/CVE-2024-42327) (SQL injection in `user.get` function in `CUser` class) which is leveraged to gain user access on the target. Post-exploitation enumeration reveals that the system has a `sudo` misconfiguration allowing the `zabbix` user to execute `sudo /usr/bin/nmap`, an optional dependency in `Zabbix` servers that is leveraged to gain `root` access.</description><pubDate>Thu, 05 Dec 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Vintage</title><link>https://blog.zumpyx.com/hackthebox/machines/0637-vintage/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0637-vintage/</guid><description>Vintage is a hard difficulty Windows machine designed around an assumed breach scenario, where the attacker is provided with low-privileged user credentials. The machine features an Active Directory environment without ADCS installed, and NTLM authentication is disabled. There is a &amp;amp;quot;Pre-Created computer account,&amp;amp;quot; meaning the password is the same as the sAMAccountName of the machine account. The &amp;amp;quot;Domain Computer&amp;amp;quot; organisational unit (OU) has a configuration allowing attackers to read the service account password, which has gMSA configured. After obtaining the password, the service account can add itself to a privileged group. The group has complete control over a disabled user. The attacker is supposed to restore the disabled user and set a Service Principal Name (SPN) to perform Kerberoasting. After recovering the password, the user account has reused the same password. The newly compromised user has a password stored in the Credential Manager. The user can add itself to another privileged group configured for Resource-Based Constrained Delegation (RBCD) on the Domain Controller, allowing the attacker to compromise it.</description><pubDate>Sat, 30 Nov 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Alert</title><link>https://blog.zumpyx.com/hackthebox/machines/0636-alert/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0636-alert/</guid><description>Alert is an easy-difficulty Linux machine with a website to upload, view, and share markdown files. The site is vulnerable to cross-site scripting (XSS), which is exploited to access an internal page vulnerable to Arbitrary File Read and leveraged to gain access to a password hash. The hash is then cracked to reveal the credentials leveraged to gain `SSH` access to the target. Enumeration of processes running on the system shows a `PHP` file that is being executed regularly, which has excessive privileges for the management group our user is a member of and allows us to overwrite the file for code execution as root.</description><pubDate>Sat, 23 Nov 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category><category>alert</category></item><item><title>[HTB · Machines] BlockBlock</title><link>https://blog.zumpyx.com/hackthebox/machines/0635-blockblock/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0635-blockblock/</guid><description>BlockBlock is a hard-difficulty Linux machine hosting a decentralized chat application built on a blockchain with two primary smart contracts: `Users.sol` and `Database.sol`. The application includes a &amp;quot;Report User&amp;quot; functionality vulnerable to XSS, which can be exploited to steal the admin&apos;s token via an exposed API endpoint. Gaining admin access allows us to retrieve the authorization token needed to interact with the blockchain&apos;s `/api/json-rpc` endpoint. By enumerating transaction blocks, we extract credentials for user `keira`. Privilege escalation to user `paul` is achieved by leveraging `keira`&apos;s `sudo` permissions to execute the Forge CLI tool as `paul`. Finally, `paul` has root access to the `pacman` package manager, which can be exploited via the post-install hook feature to execute arbitrary commands as root.</description><pubDate>Sat, 16 Nov 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category><category>blockblock</category></item><item><title>[Blog] Ex. Kerberoast Review</title><link>https://blog.zumpyx.com/blog/ex-kerberoast-review/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-kerberoast-review/</guid><description>示例文：SPN 收集、请求票据与离线爆破流程回顾。</description><pubDate>Mon, 11 Nov 2024 00:00:00 GMT</pubDate><category>blog</category><category>ad</category><category>windows</category><category>example</category></item><item><title>[HTB · Machines] Administrator</title><link>https://blog.zumpyx.com/hackthebox/machines/0634-administrator/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0634-administrator/</guid><description>`Administrator` is a medium-difficulty Windows machine designed around a complete domain compromise scenario, where credentials for a low-privileged user are provided. To gain access to the `michael` account, ACLs (Access Control Lists) over privileged objects are enumerated, leading us to discover that the user `olivia` has `GenericAll` permissions over `michael`, allowing us to reset his password. With access as `michael`, it is revealed that he can force a password change on the user `benjamin`, whose password is reset. This grants access to `FTP`  where a `backup.psafe3` file is discovered, cracked, and reveals credentials for several users. These credentials are sprayed across the domain, revealing valid credentials for the user `emily`. Further enumeration shows that `emily` has `GenericWrite` permissions over the user `ethan`, allowing us to perform a targeted Kerberoasting attack. The recovered hash is cracked and reveals valid credentials for `ethan`, who is found to have `DCSync` rights ultimately allowing retrieval of the `Administrator` account hash and full domain compromise.</description><pubDate>Sat, 09 Nov 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Certified</title><link>https://blog.zumpyx.com/hackthebox/machines/0633-certified/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0633-certified/</guid><description>`Certified` is a medium-difficulty Windows machine designed around an assumed breach scenario, where credentials for a low-privileged user are provided. To gain access to the `management_svc` account, ACLs (Access Control Lists) over privileged objects are enumerated leading us to discover that `judith.mader` which has the `write owner` ACL over `management` group, management group has `GenericWrite` over the `management_svc` account where we can finally authenticate to the target using `WinRM` obtaining the user flag. Exploitation of the Active Directory Certificate Service (ADCS) is required to get access to the `Administrator` account by abusing shadow credentials and  `ESC9`.</description><pubDate>Sat, 02 Nov 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Chemistry</title><link>https://blog.zumpyx.com/hackthebox/machines/0631-chemistry/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0631-chemistry/</guid><description>Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the `pymatgen` (CVE-2024-23346) Python library by uploading a malicious `CIF` file to the hosted `CIF Analyzer` website on the target. After discovering and cracking hashes, we authenticate to the target via SSH as `rosa` user. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in a Python library called `AioHTTP` (CVE-2024-23334) which is used on the web application running internally to read the root flag.</description><pubDate>Sat, 19 Oct 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Instant</title><link>https://blog.zumpyx.com/hackthebox/machines/0630-instant/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0630-instant/</guid><description>Instant is a medium difficulty machine that includes reverse engineering a mobile application, exploiting API endpoints, and cracking encrypted hashes and files. Players will analyze an APK to extract sensitive information and a hardcoded authorization token, then they will exploit an API endpoint vulnerable to Arbitrary File Read. Finally, they will achieve full system compromise by decrypting and analyzing encrypted session data from Solar-PuTTY.</description><pubDate>Sat, 12 Oct 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Yummy</title><link>https://blog.zumpyx.com/hackthebox/machines/0628-yummy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0628-yummy/</guid><description>Yummy is a hard box that starts with a Restaurant web app using Caddy web service, on port 80, where an attacker finds an arbitrary file read HTTP Location header, which is not handled and sanitized properly by default Caddy default configuration. Reading the source code, the web app uses JWT RSA keypairs to forge an admin token and escalate privileges on the web app. The admin panel has an SQL injection, allowing arbitrary file write, the attacker now overwrites a file running periodically (`cronjob`). Improper directory permissions allow the attacker to move laterally to `www-data` and eventually `dev` user. The `dev` user can execute `rsync` binary as root, which helps escalate privileges to root.</description><pubDate>Sat, 05 Oct 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] EvilCUPS</title><link>https://blog.zumpyx.com/hackthebox/machines/0629-evilcups/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0629-evilcups/</guid><description>EvilCUPS is a Medium difficulty Linux machine that features a CUPS Command Injection Vulnerability [CVE-2024-47176](https://nvd.nist.gov/vuln/detail/CVE-2024-47176). This CVE allows remote unauthenticated users the ability to install a malicious printer on the vulnerable machine over `UDP/631`. This printer is configured to utilize [Foomatic-RIP](https://linux.die.net/man/1/foomatic-rip) which is used to process documents and where the command injection happens. In order to trigger the command execution, a document needs to be printed. The CUPS Webserver is configured to allow anonymous users access to `TCP/631`. Navigating here makes it possible to print a test page on the malicious printer and gain access as the &amp;quot;lp&amp;quot; user. This user the ability to retrieve past print jobs, one of which contains the root password to the box.</description><pubDate>Wed, 02 Oct 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Caption</title><link>https://blog.zumpyx.com/hackthebox/machines/0625-caption/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0625-caption/</guid><description>Caption is a Hard-difficulty Linux box, showcasing the chaining of niche vulnerabilities arising from different technologies such as HAProxy and Varnish. It begins with default credentials granting access to GitBucket, which exposes credentials for a web portal login through commits. The application caches a frequently visited page by an admin user, whose session can be hijacked by exploiting Web Cache Deception (WCD) via response poisoning exploited through a Cross-Site Scripting (XSS) payload. HAProxy controls can be bypassed by establishing an HTTP/2 cleartext tunnel, also known as an H2C Smuggling Attack, enabling the exploitation of a locally running service vulnerable to path traversal ([CVE-2023-37474](https://security.snyk.io/vuln/SNYK-PYTHON-COPYPARTY-5777718)). A foothold is gained by reading the SSH ECDSA private key. Root privileges are obtained by exploiting a command injection vulnerability in the Apache Thrift service running as root.</description><pubDate>Sat, 14 Sep 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Sightless</title><link>https://blog.zumpyx.com/hackthebox/machines/0624-sightless/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0624-sightless/</guid><description>`Sightless` is an easy-difficulty Linux machine featuring a website for a company offering various services. Enumeration of the website reveals an `SQLPad` instance vulnerable to template injection `[CVE-2022-0944](https://nvd.nist.gov/vuln/detail/CVE-2022-0944)`, which is leveraged to gain a foothold inside a Docker container. Further enumeration reveals the `/etc/shadow` file with a password hash, which is cracked to reveal the password, granting `SSH` access to the host. Post-exploitation enumeration reveals a `Froxlor` instance vulnerable to Blind `XSS` `[CVE-2024-34070](https://nvd.nist.gov/vuln/detail/CVE-2024-34070)`. This is leveraged to gain access to the `FTP` service, which contains a `KeePass` database. Accessing the database reveals the root `SSH` keys, leading to a privileged shell on the host.</description><pubDate>Sat, 07 Sep 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category><category>sightless</category></item><item><title>[HTB · Machines] Infiltrator</title><link>https://blog.zumpyx.com/hackthebox/machines/0623-infiltrator/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0623-infiltrator/</guid><description>Infiltrator is an Insane Windows Active Directory machine that starts with a website that an attacker can scrape for possible usernames on the machine. One user doesn&amp;amp;#039;t have Kerberos pre-authentication enabled, and his password can be cracked. Afterwards, an intricate attack chain focused on Active Directory permissions allows the attacker to get access to the machine over WinRM as the user `M.harris`. Once on the machine, the attacker can identify that the whole company communicates through the `Output Messenger` application. Infiltrating the application, switching users, reverse engineering a binary, and using the application&amp;amp;#039;s API, he can eventually land a shell as the user `O.martinez` on the remote machine. Afterwards, he discovers a network capture file with a backup archive and a BitLocker volume recovery key. Unlocking the volume, another backup folder contains an `ntds.dit` file from which he can read sensitive user information and find a valid password for the user `lan_managment`. This new user can read the GMSA password of the user `infiltrator_svc$`. This last user can exploit a vulnerable ESC4 certificate template. Finally, he can get the Administrator&amp;amp;#039;s hash and compromise the whole domain through the certificate exploitation.</description><pubDate>Sat, 31 Aug 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] MonitorsThree</title><link>https://blog.zumpyx.com/hackthebox/machines/0622-monitorsthree/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0622-monitorsthree/</guid><description>`MonitorsThree` is a Medium Difficulty Linux machine that features a website for a company offering networking solutions. The website has a forgotten password page vulnerable to `SQL injection`, which is leveraged to gain access to credentials. Further enumeration of the website reveals a subdomain featuring a `Cacti` instance that can be accessed with the credentials obtained from the `SQL injection`. The `Cacti` instance is vulnerable to `[CVE-2024-25641](https://nvd.nist.gov/vuln/detail/CVE-2024-25641)`, which is leveraged to gain a foothold on the system. Further enumeration of the system reveals credentials used to access the database, where hashes are found and cracked to obtain the user password. This is then used to gain access to `SSH` private keys, leading to `SSH` access to the system. Enumeration of open ports on the system reveals a vulnerable `Duplicati`instance, which is leveraged to gain a shell as root.</description><pubDate>Sat, 24 Aug 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category><category>monitorsthree</category></item><item><title>[HTB · Machines] Lantern</title><link>https://blog.zumpyx.com/hackthebox/machines/0621-lantern/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0621-lantern/</guid><description>Lantern is a Hard Linux machine that showcases a misconfiguration in the **Skipper Proxy** and a **Blazor-based** web application. To successfully complete this challenge, an attacker must first exploit a [Server-Side Request Forgery](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/) (**SSRF**) vulnerability to pivot into an internal service running locally. This will allow them to read files and upload new ones where the ultimate goal is to obtain a keypair that can be used to gain SSH access to the system. Privilege escalation is achieved by leveraging the misuse of the `procmon` utility, which allows for monitoring sensitive syscalls.  To succeed in this challenge, they player must conduct careful reconnaissance, exploit .NET binaries, and leverage privilege escalation techniques.</description><pubDate>Sat, 17 Aug 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category><category>lantern</category></item><item><title>[HTB · Machines] Sea</title><link>https://blog.zumpyx.com/hackthebox/machines/0620-sea/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0620-sea/</guid><description>`Sea` is an Easy Difficulty Linux machine that features [CVE-2023-41425](https://nvd.nist.gov/vuln/detail/CVE-2023-41425) in WonderCMS, a cross-site scripting (XSS) vulnerability that can be used to upload a malicious module, allowing access to the system. The privilege escalation features extracting and cracking a password from WonderCMS&apos;s database file, then exploiting a command injection in custom-built system monitoring software, giving us root access.</description><pubDate>Sat, 10 Aug 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Resource</title><link>https://blog.zumpyx.com/hackthebox/machines/0619-resource/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0619-resource/</guid><description>Resource is a hard difficulty Linux machine that intricately covers various ways to use `OpenSSH` private and public keys. It centers around the `SSG IT Resource Center` which offers a ticketing service to address the IT issues (`SSH` access, website and security issues, etc. ) of its customers. Upon creating a ticket through the website we can execute Local File Inclusion, trigger a reverse shell, and get access to what appears to be a docker container that hosts the ticketing website. From this point, there are various clues in past tickets and leftover `SSH` artifacts as well as a key signing API service that will lead to pivoting through other users and escaping the docker. Finally, the machine includes various scripts detailing the functions of its ticketing service and key signing API, one of which includes a vulnerable line of code allowing for brute forcing the final `SSH` key and achieving full privilege escalation.</description><pubDate>Sat, 03 Aug 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[Blog] Ex. Writing Repro Steps</title><link>https://blog.zumpyx.com/blog/ex-writing-repro-steps/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/ex-writing-repro-steps/</guid><description>示例文：复现步骤怎样写才让修复同学一次跑通。</description><pubDate>Fri, 02 Aug 2024 00:00:00 GMT</pubDate><category>blog</category><category>report</category><category>soft-skill</category><category>example</category></item><item><title>[HTB · Machines] Compiled</title><link>https://blog.zumpyx.com/hackthebox/machines/0618-compiled/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0618-compiled/</guid><description>Compiled is a medium-difficulty Windows machine featuring a Gitea instance and a web application that clones Git repository URLs on the backend. The server&apos;s Git version is vulnerable to [CVE-2024-32002](https://nvd.nist.gov/vuln/detail/CVE-2024-32002), which can be exploited to gain initial access with a Git Bash shell as Richard. By cracking the password hash retrieved from the Gitea database file, the password for user Emily can be obtained. Privilege escalation to Administrator is achieved by exploiting [CVE-2024-20656](https://nvd.nist.gov/vuln/detail/CVE-2024-20656), a vulnerability in the Visual Studio Code version installed on the server.</description><pubDate>Sat, 27 Jul 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] GreenHorn</title><link>https://blog.zumpyx.com/hackthebox/machines/0617-greenhorn/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0617-greenhorn/</guid><description>GreenHorn is an easy difficulty machine that takes advantage of an exploit in Pluck to achieve Remote Code Execution and then demonstrates the dangers of pixelated credentials. The machine also showcases that we must be careful when sharing open-source configurations to ensure that we do not reveal files containing passwords or other information that should be kept confidential.</description><pubDate>Sat, 20 Jul 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Ghost</title><link>https://blog.zumpyx.com/hackthebox/machines/0616-ghost/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0616-ghost/</guid><description>Ghost is an Insane Windows Active Directory machine that starts with an LDAP injection that an attacker can exploit to leak the credentials for a `Gitea` instance. Looking through the source code on the repositories, the attacker can combine an arbitrary file read attack with a remote code execution vulnerability to gain access to a Linux host connected to Active Directory. Enumerating the Linux host, the attacker can extract a Kerberos ticket for a domain user and use it to get access to the Active Directory environment. Then, the attacker can add a DNS entry and steal the hash of another domain user. The newly compromised user can read the GMSA password of a service account tied to ADFS services. With the service account compromised, the attacker can craft a Golden SAML response and get access to a database management panel. Exploiting a linked MSSQL database on a different domain, the attacker can get code execution on a machine that lies on a different domain. Elevating the privileges and exploiting the Bidirectional trust between the two domains, the attacker can craft a valid Golden Kerberos ticket across both domains, thus fully compromising the entire forest.</description><pubDate>Sat, 13 Jul 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] PermX</title><link>https://blog.zumpyx.com/hackthebox/machines/0613-permx/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0613-permx/</guid><description>`PermX` is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via [CVE-2023-4220](https://nvd.nist.gov/vuln/detail/CVE-2023-4220). This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A `sudo` misconfiguration is then exploited to gain a `root` shell.</description><pubDate>Sat, 06 Jul 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Blazorized</title><link>https://blog.zumpyx.com/hackthebox/machines/0614-blazorized/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0614-blazorized/</guid><description>HTB machine: Blazorized</description><pubDate>Sat, 29 Jun 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Axlle</title><link>https://blog.zumpyx.com/hackthebox/machines/0611-axlle/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0611-axlle/</guid><description>Axlle is a hard Windows machine that starts with a website on port `80`. The site, informs potential users that it&amp;amp;#039;s down for maintenance but Excel invoices that need processing can be sent over through email and they will get reviewed. An attacker is able to craft a malicious `XLL` file to bypass security checks that are in place and perform a phising attack. Once the attacker has code execution on the machine, he is able to create a malicious `.url` file that the user `dallon.matrix` will execute and will get comprised. This user, is member of a group that can change the password of the user `jacob.greeny` and use WinRM afterwards to authenticate as `jacob.greeny`. Finally, that user is a member of the `App Devs` group and the `StandaloneRunner` binary has been automated and it&amp;amp;#039;s running as `SYSTEM`. The attacker is able to exploit that automation and get a shell as the `Administrator` user.</description><pubDate>Sat, 22 Jun 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[Blog] Markdown Style Guide</title><link>https://blog.zumpyx.com/blog/markdown-style-guide/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/markdown-style-guide/</guid><description>Here is a sample of some basic Markdown syntax that can be used when writing Markdown content in Astro.</description><pubDate>Wed, 19 Jun 2024 00:00:00 GMT</pubDate><category>blog</category></item><item><title>[HTB · Machines] Editorial</title><link>https://blog.zumpyx.com/hackthebox/machines/0608-editorial/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0608-editorial/</guid><description>`Editorial` is an easy difficulty Linux machine that features a publishing web application vulnerable to `Server-Side Request Forgery (SSRF)`. This vulnerability is leveraged to gain access to an internal running API, which is then leveraged to obtain credentials that lead to `SSH` access to the machine. Enumerating the system further reveals a Git repository that is leveraged to reveal credentials for a new user. The `root` user can be obtained by exploiting [CVE-2022-24439](https://nvd.nist.gov/vuln/detail/CVE-2022-24439) and the sudo configuration.</description><pubDate>Sat, 15 Jun 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Blurry</title><link>https://blog.zumpyx.com/hackthebox/machines/0605-blurry/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0605-blurry/</guid><description>Blurry is a medium-difficulty Linux machine that features DevOps-related vectors surrounding machine learning. The foothold is comprised of a series of CVEs recently disclosed about the ClearML suite. The service provides a web platform, a fileserver, and an API; all of which contain vulnerabilities (`[CVE-2024-24590](https://nvd.nist.gov/vuln/detail/CVE-2024-24590)` - `[CVE-2024-24595](https://nvd.nist.gov/vuln/detail/CVE-2024-24595)`) that can be chained together for remote code execution. Once a shell on the target is obtained, a program that can be run with `sudo` is discovered. The program loads arbitrary `PyTorch` models to evaluate them against a protected dataset. While it is known that such models are susceptible to insecure deserialisation, `fickling` is used to scan the dataset for insecure `pickle` files , prior to loading the model. Malicious code can be injected into a model, using `runpy` to bypass the `fickling` checks.</description><pubDate>Sat, 08 Jun 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Using MDX</title><link>https://blog.zumpyx.com/blog/using-mdx/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/using-mdx/</guid><description>Lorem ipsum dolor sit amet</description><pubDate>Sat, 01 Jun 2024 00:00:00 GMT</pubDate><category>blog</category></item><item><title>[HTB · Machines] Freelancer</title><link>https://blog.zumpyx.com/hackthebox/machines/0604-freelancer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0604-freelancer/</guid><description>Freelancer is a Hard Difficulty machine is designed to challenge players with a series of vulnerabilities that are frequently encountered in real-world penetration testing scenarios. It covers a broad range of skills, including identifying business logic flaws in web applications, exploiting common vulnerabilities like insecure direct object reference (IDOR) and authorization bypass, and engaging with SQL impersonation attacks, which may not be common but are still critical to understand. Players will work through various scenarios, such as exposing sensitive information through directory enumeration and manually building SQL queries, which mimic the tasks typically required in real-life assessments. Advanced exploitation techniques are introduced, including remote code execution via SQL features and Windows memory forensics, which add depth to the challenges. Active Directory attacks are featured heavily, focusing on exploiting the AD Recycle Bin and the &amp;quot;Backup Operators&amp;quot; group, both of which have practical implications in modern environments. Password spraying, hash cracking, and bypassing antivirus tools also form part of the lab, ensuring a comprehensive experience that tests basic and advanced penetration testing techniques. Expect a blend of logical reasoning, technical exploitation, and real-world problem-solving throughout this lab.</description><pubDate>Sat, 01 Jun 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] BoardLight</title><link>https://blog.zumpyx.com/hackthebox/machines/0603-boardlight/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0603-boardlight/</guid><description>BoardLight is an easy difficulty Linux machine that features a `Dolibarr` instance vulnerable to [CVE-2023-30253](https://nvd.nist.gov/vuln/detail/CVE-2023-30253). This vulnerability is leveraged to gain access as `www-data`. After enumerating and dumping the web configuration file contents, plaintext credentials lead to `SSH` access to the machine. Enumerating the system, a `SUID` binary related to `enlightenment` is identified which is vulnerable to privilege escalation via [CVE-2022-37706]( https://nvd.nist.gov/vuln/detail/CVE-2022-37706) and can be abused to leverage a root shell.</description><pubDate>Sat, 25 May 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] MagicGardens</title><link>https://blog.zumpyx.com/hackthebox/machines/0602-magicgardens/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0602-magicgardens/</guid><description>MagicGardens is an insane box that starts with an e-commerce store on port 80, where an attacker sets up a rouge HTTP server and exploits an SSRF to escalate privileges on their user account. Followed by the SSRF, the attacker eventually abuses an XSS vulnerability in the form of a QR code, which subsequently leads to the Django Administrator panel, which allows reading of the encrypted hashes and ultimately gives SSH access. Furthermore, the attack path involves reversing and exploiting a traffic analyzer program to move to another user laterally. For privilege escalation, an image is downloaded from the docker registry, which helps abuse insecure deserialization in the Django application, giving us a reverse shell in a container. The attacker creates and loads a kernel module to break out of the docker container and obtain a root shell.</description><pubDate>Sat, 18 May 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] SolarLab</title><link>https://blog.zumpyx.com/hackthebox/machines/0601-solarlab/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0601-solarlab/</guid><description>SolarLab is a medium Windows machine that starts with a webpage featuring a business site. Moreover, an SMB share is accessible using a guest session that holds files with sensitive information for users on the remote machine. An attacker can extract valid credentials from this file and log in to a page allowing employees to fill out forms for company purposes. These forms are turned into PDFs using the `ReportLab` library, which is vulnerable to [CVE-2023-33733](https://nvd.nist.gov/vuln/detail/CVE-2023-33733). After some exploit development/modification, the attacker can get code execution as the user `blake` on the remote machine. Further enumeration of the remote machine, reveals that `Openfire` is installed and running locally. By using a SOCKS tunnel, the attacker can access the Administrator Console for Openfire. It turns out, that the version installed, is vulnerable to [CVE-2023-32315](https://nvd.nist.gov/vuln/detail/CVE-2023-32315) which allows the attacker to bypass the authentication screen, upload a malicious plugin, and get code execution as the `openfire` user. The `openfire` user can read the logs from when the server was installed and extract all the necessary information to crack the Administrator&amp;amp;amp;#039;s password and it turns out that this password is re-used for the local `Administrator` account.</description><pubDate>Sat, 11 May 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Mailing</title><link>https://blog.zumpyx.com/hackthebox/machines/0600-mailing/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0600-mailing/</guid><description>Mailing is an easy Windows machine that runs `hMailServer` and hosts a website vulnerable to `Path Traversal`. This vulnerability can be exploited to access the `hMailServer` configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage [CVE-2024-21413](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21413) in the Windows Mail application on the remote host to capture the NTLM hash for user `maya`. We can then crack this hash to obtain the password and log in as user `maya` via WinRM. For privilege escalation, we exploit [CVE-2023-2255](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2255) in `LibreOffice`.</description><pubDate>Sat, 04 May 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Intuition</title><link>https://blog.zumpyx.com/hackthebox/machines/0599-intuition/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0599-intuition/</guid><description>Intuition is a Hard Linux machine highlighting a CSRF (Cross-Site Request Forgery) attack during the initial foothold, along with several other intriguing attack vectors. To gain a foothold, you must first exploit a CSRF vulnerability, followed by exploiting [CVE-2023-24329](https://github.com/python/cpython/issues/102153) in the Python `urllib` module to access files on the server. This allows you to disclose the application&amp;amp;#039;s source code, leading to the discovery of credentials needed to access the FTP server via an LFI (Local File Inclusion) vulnerability. Once inside the box, you must perform log analysis to progress to the next user and code review combined with a small amount of scripting. To achieve root access, you need to reverse engineer and exploit a custom binary, which is then leveraged to exploit [CVE-2023-5115](https://nvd.nist.gov/vuln/detail/CVE-2023-5115), a path traversal attack in the Ansible automation platform.</description><pubDate>Sat, 27 Apr 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Runner</title><link>https://blog.zumpyx.com/hackthebox/machines/0598-runner/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0598-runner/</guid><description>Runner is a medium difficulty Linux box that contains a vulnerability ([CVE-2023-42793](https://nvd.nist.gov/vuln/detail/CVE-2023-42793)) in `TeamCity`. This vulnerability allows users to bypass authentication and extract an API token, which can be used to enable debug features for executing system commands. By gaining access to a `TeamCity` docker container and compressing the `HSQLDB` database files, we can extract credentials for the user `matthew` and find an `SSH` key for `john`. After cracking the password, we can authenticate on the host filesystem. Upon inspecting the `/etc/hosts` file, we discover a running `Portainer` instance. Using `matthew&amp;amp;amp;#039;s` credentials, we access the subdomain externally. While authenticated, we find that we can create images, but our privileges are limited. After checking the version of `runc` on the host, we exploit a vulnerability ([CVE-2024-21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626)) through the image build function of `Portainer`, which allows us to create a SUID bash file on the host.</description><pubDate>Sat, 20 Apr 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Usage</title><link>https://blog.zumpyx.com/hackthebox/machines/0597-usage/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0597-usage/</guid><description>Usage is an easy Linux machine that features a blog site vulnerable to SQL injection, which allows the administrator&amp;amp;amp;amp;#039;s hashed password to be dumped and cracked. This leads to access to the admin panel, where an outdated `Laravel` module is abused to upload a PHP web shell and obtain remote code execution. On the machine, plaintext credentials stored in a file allow SSH access as another user, who can run a custom binary as `root`. The tool makes an insecure call to `7zip`, which is leveraged to read the `root` user&amp;amp;amp;amp;#039;s private SSH key and fully compromise the system.</description><pubDate>Sat, 13 Apr 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] IClean</title><link>https://blog.zumpyx.com/hackthebox/machines/0596-iclean/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0596-iclean/</guid><description>IClean is a medium-difficulty Linux machine featuring a website for a cleaning services company. The website contains a form where users can request a quote, which is found to be vulnerable to Cross-Site Scripting (XSS). This vulnerability is exploited to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to Server-Side Template Injection (SSTI), allowing us to obtain a reverse shell on the box. Enumeration reveals database credentials, which are leveraged to gain access to the database, leading to the discovery of a user hash. Cracking this hash provides `SSH` access to the machine. The user’s mail mentions working with PDFs. By examining the `sudo` configuration, it is found that the user can run `qpdf` as `root`. This is leveraged to attach the `root` private key to a PDF, which is then used to gain privileged access to the machine.</description><pubDate>Sat, 06 Apr 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Mist</title><link>https://blog.zumpyx.com/hackthebox/machines/0595-mist/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0595-mist/</guid><description>Mist is an Insane-difficulty machine that provides a comprehensive scenario for exploiting various misconfigurations and vulnerabilities in an Active Directory (AD) environment. The machine has multiple layers, starting with a public-facing CMS running on Apache with a path traversal vulnerability, allowing us to retrieve a backup file containing hashed credentials. Cracking this hash grants initial access as a low-privileged web user. Exploiting file-write permissions on a shared directory further elevates our access by allowing a reverse shell connection as another domain user. From there, enumeration reveals several AD misconfigurations, including LDAP signing disabled, WebDAV exploitation, and misconfigurations in ADCS templates, each step designed to escalate privileges through different AD entities. The final exploit involves creating shadow credentials to acquire the machine account’s NTLM hash, enabling a `DCSync` attack to obtain the Domain Administrator hash.</description><pubDate>Sat, 30 Mar 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Headless</title><link>https://blog.zumpyx.com/hackthebox/machines/0594-headless/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0594-headless/</guid><description>Headless is an easy-difficulty Linux machine that features a `Python Werkzeug` server hosting a website. The website has a customer support form, which is found to be vulnerable to blind Cross-Site Scripting (XSS) via the `User-Agent` header. This vulnerability is leveraged to steal an admin cookie, which is then used to access the administrator dashboard. The page is vulnerable to command injection, leading to a reverse shell on the box. Enumerating the user’s mail reveals a script that does not use absolute paths, which is leveraged to get a shell as root.</description><pubDate>Sat, 23 Mar 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] WifineticTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0593-wifinetictwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0593-wifinetictwo/</guid><description>WifineticTwo is a medium-difficulty Linux machine that features OpenPLC running on port 8080, vulnerable to Remote Code Execution through the manual exploitation of `[CVE-2021-31630](https://nvd.nist.gov/vuln/detail/CVE-2021-31630)`. After obtaining an initial foothold on the machine, a WPS attack is performed to acquire the Wi-Fi password for an Access Point (AP). This access allows the attacker to target the router running `OpenWRT` and gain a root shell via its web interface.</description><pubDate>Sat, 16 Mar 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] FormulaX</title><link>https://blog.zumpyx.com/hackthebox/machines/0592-formulax/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0592-formulax/</guid><description>FormulaX is a hard difficulty Linux machine featuring a chat application vulnerable to Cross-Site Scripting (XSS), which can be exploited to uncover a hidden subdomain. This subdomain runs simple-git version 3.14, susceptible to [CVE-2022-25912](https://www.cve.org/CVERecord?id=CVE-2022-25912), allowing access as user `www-data`. We then crack the MongoDB password hash to escalate to user `frank_dorky`. Next, we exploit an SNMP trap vulnerability in the internal LibreNMS instance to gain a shell as user `librenms`. Credentials found in files provide the password for user `kai_relay`. Finally, privilege escalation to `root` is achieved by exploiting a formula injection vulnerability in a LibreOffice Calc instance to access the root private SSH key.</description><pubDate>Sat, 09 Mar 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Perfection</title><link>https://blog.zumpyx.com/hackthebox/machines/0590-perfection/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0590-perfection/</guid><description>Perfection is an easy Linux machine that features a web application with functionality to calculate student scores. This application is vulnerable to Server-Side Template Injection (SSTI) via regex filter bypass. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the user reveals they are part of the `sudo` group. Further enumeration uncovers a database with password hashes, and the user&amp;amp;amp;amp;#039;s mail reveals a possible password format. Using a mask attack on the hash, the user&amp;amp;amp;amp;#039;s password is obtained, which is leveraged to gain `root` access.</description><pubDate>Sat, 02 Mar 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Jab</title><link>https://blog.zumpyx.com/hackthebox/machines/0589-jab/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0589-jab/</guid><description>Jab is a medium-difficulty Windows machine that features an Openfire XMPP server, hosted on a Domain Controller (DC). Public registration on the XMPP server allows the user to register an account. Then, by retrieving a list of all the users on the domain, a kerberoastable account is found, which allows the attacker to crack the retrieved hash for the user&amp;amp;#039;s password. By visiting the account&amp;amp;#039;s XMPP chat rooms, another account&amp;amp;#039;s password is retrieved. This new account has DCOM privileges over the DC, thus granting the attacker local access on the machine. Finally, a malicious plugin uploaded through the locally-hosted Openfire Administration Panel gives the user SYSTEM access.</description><pubDate>Sat, 24 Feb 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Office</title><link>https://blog.zumpyx.com/hackthebox/machines/0588-office/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0588-office/</guid><description>Office is a hard-difficulty Windows machine featuring various vulnerabilities including Joomla web application abuse, PCAP analysis to identify Kerberos credentials, abusing LibreOffice macros after disabling the `MacroSecurityLevel` registry value, abusing MSKRP to dump DPAPI credentials and abusing Group Policies due to excessive Active Directory privileges.</description><pubDate>Sat, 17 Feb 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Builder</title><link>https://blog.zumpyx.com/hackthebox/machines/0591-builder/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0591-builder/</guid><description>Builder is a medium-difficulty Linux machine that features a Jenkins instance. The Jenkins instance is found to be vulnerable to the [CVE-2024-23897](https://www.cvedetails.com/cve/[CVE-2024-23897](https://nvd.nist.gov/vuln/detail/CVE-2024-23897)/) vulnerability that allows unauthenticated users to read arbitrary files on the Jenkins controller file system. An attacker is able to extract the username and password hash of the Jenkins user `jennifer`. Using the credentials to login into the remote Jenkins instance, an encrypted SSH key is exploited to obtain root access on the host machine.</description><pubDate>Mon, 12 Feb 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Crafty</title><link>https://blog.zumpyx.com/hackthebox/machines/0587-crafty/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0587-crafty/</guid><description>Crafty is an easy-difficulty Windows machine featuring the exploitation of a `Minecraft` server. Enumerating the version of the server reveals that it is vulnerable to pre-authentication Remote Code Execution (RCE), by abusing `Log4j Injection`. After obtaining a reverse shell on the target, enumerating the filesystem reveals that the administrator composed a Java-based `Minecraft` plugin, which when reverse engineered reveals `rcon` credentials. Those credentials are leveraged with the `RunAs` utility to gain Administrative access, compromising the system.</description><pubDate>Sat, 10 Feb 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Skyfall</title><link>https://blog.zumpyx.com/hackthebox/machines/0586-skyfall/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0586-skyfall/</guid><description>Skyfall is an Insane Linux machine that features a company launching their new beta cloud storage application that `MinIO`, an S3 object storage service, backs. The web application is written in Python with Flask. It has a restricted section of the site that is vulnerable to a `Nginx` ACL and Flask-specific bypass which is specific to its configuration. The restricted section contains Prometheus metrics for a `MinIO` cluster that exposes internal host names and the `MinIO` version which has a known security vulnerability for information disclosure `[CVE-2023-28432](https://nvd.nist.gov/vuln/detail/CVE-2023-28432)`. This information disclosure leaks the `MinIO` root credentials which allows access to the S3 buckets it&amp;amp;#039;s hosting. Using the `MinIO client` with these credentials, a file in a user&amp;amp;#039;s bucket contains a home directory backup with version history. One of these versions contains a `Vault` token for an internal `Hashicorp Vault` instance and by enumerating the `Vault` policies with this token it is noted that it is configured for SSH OTP. The player needs to request an OTP from Vault to gain SSH access. The user has a `sudo` rule that allows the execution of binary that will unseal the `Hashicorp Vault` so that the user may gain access to their specific tokens and secrets. The `sudo` rule allows us to run this binary with a flag that generates a `debug.log` file owned by `root`. The player needs to exfil these files to bypass Linux permissions by leveraging a `Fuse` mount using ``sshfs``. This file reveals a root token for the `Hashicorp Vault` instance and can be used to generate an OTP to login as `root` via SSH.</description><pubDate>Sat, 03 Feb 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Pov</title><link>https://blog.zumpyx.com/hackthebox/machines/0585-pov/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0585-pov/</guid><description>Pov is a medium Windows machine that starts with a webpage featuring a business site. Enumerating the initial webpage, an attacker is able to find the subdomain `dev.pov.htb`. Navigating to the newly discovered subdomain, a `download` option is vulnerable to remote file read, giving an attacker the means to get valuable information from the `web.config` file. The subdomain uses the `ViewState` mechanism, which, in combination with the secrets leaked from the `web.config` file, is vulnerable to insecure deserialization, leading to remote code execution as the user `sfitz`. Looking at the remote filesystem, an attacker can discover and manipulate a file that reveals the credentials for the user `alaading`. Once the attacker has code execution as the user `alaading` the `SeDebugPrivilege` is abused to gain code execution in the context of a privileged application, ultimately resulting in code execution as `nt authority\system`.</description><pubDate>Sat, 27 Jan 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Analysis</title><link>https://blog.zumpyx.com/hackthebox/machines/0584-analysis/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0584-analysis/</guid><description>Analysis is a hard-difficulty Windows machine, featuring various vulnerabilities, focused on web applications, Active Directory (AD) privileges and process manipulation. Initially, an LDAP Injection vulnerability provides us with credentials to authenticate on a protected web application. Through this application, access to the local system is obtained by gaining command execution through an HTA file upload. On the target system, credentials for another user are found in the web application&amp;amp;amp;#039;s log files. Subsequently, by implementing an API Hook on `BCTextEncoder`, an encrypted password is decrypted and used to pivot to another user. Finally, by changing the password of an account that has `DCSync` rights against the domain, administrative access to the domain controller is obtained.</description><pubDate>Sat, 20 Jan 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Monitored</title><link>https://blog.zumpyx.com/hackthebox/machines/0583-monitored/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0583-monitored/</guid><description>Monitored is a medium-difficulty Linux machine that features a Nagios instance. Credentials for the service are obtained via the SNMP protocol, which reveals a username and password combination provided as command-line parameters. Using the Nagios API, an authentication token for a disabled account is obtained, which leads to access to the application&amp;amp;amp;#039;s dashboard. From there, a SQL injection (`[CVE-2023-40931](https://nvd.nist.gov/vuln/detail/CVE-2023-40931)`) is abused to obtain an administrator API key, with which a new admin account is created and used to run arbitrary commands on the instance, leading to a reverse shell. Finally, `sudo` access to a bash script is abused to read the `root` user&amp;amp;amp;#039;s SSH key and authenticate as `root`.</description><pubDate>Sat, 13 Jan 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Bizness</title><link>https://blog.zumpyx.com/hackthebox/machines/0582-bizness/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0582-bizness/</guid><description>Bizness is an easy Linux machine showcasing an Apache OFBiz pre-authentication, remote code execution (RCE) foothold, classified as `[CVE-2023-49070](https://nvd.nist.gov/vuln/detail/CVE-2023-49070)`. The exploit is leveraged to obtain a shell on the box, where enumeration of the OFBiz configuration reveals a hashed password in the service&amp;amp;#039;s Derby database. Through research and little code review, the hash is transformed into a more common format that can be cracked by industry-standard tools. The obtained password is used to log into the box as the root user.</description><pubDate>Sat, 06 Jan 2024 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Corporate</title><link>https://blog.zumpyx.com/hackthebox/machines/0581-corporate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0581-corporate/</guid><description>Corporate is an insane-difficulty Linux machine featuring a feature-rich web attack surface that requires chaining various vulnerabilities to bypass strict Content Security Policies (CSP) and steal an authentication cookie via Cross-Site Scripting (XSS). This results in staff-level access to internal web applications, from where a file-sharing service&amp;amp;amp;#039;s access controls can be bypassed to access other users&amp;amp;amp;#039; files. This leads to an onboarding document revealing the default password template. Password spraying the SSO endpoint returns valid credentials, which can be used to SSH into a workstation that authenticates via LDAP. Data in the user&amp;amp;amp;#039;s home directory can be used to brute force the pin to a Bitwarden vault, enabling the attacker to pass multi-factor authentication (MFA) on Gitea and enumerate private repositories, discovering a private key used to sign JWT tokens. Forging a token and authenticating as a user in the engineering group, the LDAP password is changed to obtain system access to the group and a docker socket, which is leveraged to obtain `root` privileges inside a `Proxmox` environment. The container is escaped using a private SSH key belonging to the sysadmin group. Finally, [CVE-2022-35508](https://nvd.nist.gov/vuln/detail/CVE-2022-35508) is used to exploit PVE and obtain access to the `root` account on the host machine.</description><pubDate>Sat, 16 Dec 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Surveillance</title><link>https://blog.zumpyx.com/hackthebox/machines/0580-surveillance/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0580-surveillance/</guid><description>Surveillance is a medium-difficulty Linux machine that showcases a vulnerability (`[CVE-2023-41892](https://nvd.nist.gov/vuln/detail/CVE-2023-41892)`) in Craft CMS, which abuses PHP object injection to inject PHP content into the Craft CMS web log files to gain Remote Code Execution (RCE). The privilege escalation abuses ZoneMinder with an authenticated remote code injection in the `HostController.php` API endpoint to gain a shell as the `zoneminder` user. As this user, a `sudo` entry is abused by adding a configuration environment variable `LD_PRELOAD` via the admin panel and loading the malicious library file through `zmdc.dl` on the target, compromising the system.</description><pubDate>Sat, 09 Dec 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Ouija</title><link>https://blog.zumpyx.com/hackthebox/machines/0579-ouija/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0579-ouija/</guid><description>Ouija is an Insane difficulty Linux machine, featuring a small number of vulnerabilities but with lengthy and complicated steps needed to exploit them. Initially, a web application that is protected behind `HAProxy` is encountered, where exploiting `[CVE-2021-40346](https://nvd.nist.gov/vuln/detail/CVE-2021-40346)` leads to access to a protected subdomain. Through this subdomain, the source code of the API hosted on port `3000` and its initialisation script are found, leading to the discovery of a hash length extension attack which when exploited, grants access to a file-reading endpoint of the API, through which SSH private keys can be retrieved. After gaining access to the local system, an internal `PHP` web application will be discovered, which uses a C-shared-object function vulnerable to an integer overflow. Exploiting it leads to root access to the system.</description><pubDate>Sat, 02 Dec 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Devvortex</title><link>https://blog.zumpyx.com/hackthebox/machines/0577-devvortex/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0577-devvortex/</guid><description>Devvortex is an easy-difficulty Linux machine that features a Joomla CMS that is vulnerable to information disclosure. Accessing the service&amp;amp;amp;#039;s configuration file reveals plaintext credentials that lead to Administrative access to the Joomla instance. With administrative access, the Joomla template is modified to include malicious PHP code and gain a shell.  After gaining a shell and enumerating the database contents, hashed credentials are obtained, which are cracked and lead to SSH access to the machine. Post-exploitation enumeration reveals that the user is allowed to run apport-cli as root, which is leveraged to obtain a root shell.</description><pubDate>Sat, 25 Nov 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Hospital</title><link>https://blog.zumpyx.com/hackthebox/machines/0576-hospital/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0576-hospital/</guid><description>Hospital is a medium-difficulty Windows machine that hosts an Active Directory environment, a web server, and a `RoundCube` instance. The web application has a file upload vulnerability that allows the execution of arbitrary PHP code, leading to a reverse shell on the Linux virtual machine hosting the service. Enumerating the system reveals an outdated Linux kernel that can be exploited to gain root privileges, via `[CVE-2023-35001](https://nvd.nist.gov/vuln/detail/CVE-2023-35001)`. Privileged access allows `/etc/shadow` hashes to be read and subsequently cracked, yielding credentials for the `RoundCube` instance. Emails on the service hint towards the use of `GhostScript`, which opens up the target to exploitation via `[CVE-2023-36664](https://nvd.nist.gov/vuln/detail/CVE-2023-36664)`, a vulnerability exploited by crafting a malicious Embedded PostScript (EPS) file to achieve remote code execution on the Windows host. System access is then obtained by either of two ways: using a keylogger to capture `administrator` credentials, or by abusing misconfigured `XAMPP` permissions.</description><pubDate>Sat, 18 Nov 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Napper</title><link>https://blog.zumpyx.com/hackthebox/machines/0575-napper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0575-napper/</guid><description>Napper is a hard difficulty Windows machine which hosts a static blog website that is backdoored with the NAPLISTENER malware, which can be exploited to gain a foothold on the machine. Privilege escalation involves reversing a Golang binary and decrypting the password for a privileged user by utilizing the seed value and password hash stored in an Elasticsearch database. Being a member of the `administrators`  group, the user can obtain a system token and escalate to the `Administrator` user.</description><pubDate>Sat, 11 Nov 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Broker</title><link>https://blog.zumpyx.com/hackthebox/machines/0578-broker/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0578-broker/</guid><description>Broker is an easy difficulty `Linux` machine hosting a version of `Apache ActiveMQ`. Enumerating the version of `Apache ActiveMQ` shows that it is vulnerable to `Unauthenticated Remote Code Execution`, which is leveraged to gain user access on the target. Post-exploitation enumeration reveals that the system has a `sudo` misconfiguration allowing the `activemq` user to execute `sudo /usr/sbin/nginx`, which is similar to the recent `Zimbra` disclosure and is leveraged to gain `root` access.</description><pubDate>Thu, 09 Nov 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Codify</title><link>https://blog.zumpyx.com/hackthebox/machines/0574-codify/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0574-codify/</guid><description>Codify is an easy Linux machine that features a web application that allows users to test `Node.js` code. The application uses a vulnerable `vm2` library, which is leveraged to gain remote code execution. Enumerating the target reveals a `SQLite` database containing a hash which, once cracked, yields `SSH` access to the box. Finally, a vulnerable `Bash` script can be run with elevated privileges to reveal the `root` user&amp;amp;amp;#039;s password, leading to privileged access to the machine.</description><pubDate>Sat, 04 Nov 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Appsanity</title><link>https://blog.zumpyx.com/hackthebox/machines/0573-appsanity/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0573-appsanity/</guid><description>Appsanity is a hard-difficulty Windows machine focused on application misconfigurations both on the web and locally. The web applications showcase several vulnerabilities, including an Access Control issue during sign-up, enabling unauthorized access to a higher-privileged account. Additionally, flawed session management permits attackers to use a `JWT token` from one domain to access a subdomain. This secondary domain has a file upload vulnerability, which, coupled with Server-Side Request Forgery (SSRF), allows the uploading and execution of an `.aspx` file to establish a reverse shell. Locally, two attack vectors are present: one involves decompiling a `C#` binary to uncover a registry key holding a user password, and the other entails analyzing a `C++` binary to spot a DLL Hijacking opportunity, granting the attacker administrative code execution.</description><pubDate>Sat, 28 Oct 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Manager</title><link>https://blog.zumpyx.com/hackthebox/machines/0572-manager/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0572-manager/</guid><description>Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The `xp_dirtree` procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.</description><pubDate>Sat, 21 Oct 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Drive</title><link>https://blog.zumpyx.com/hackthebox/machines/0570-drive/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0570-drive/</guid><description>Drive is a hard Linux machine featuring a file-sharing service susceptible to Insecure Direct Object Reference (IDOR), through which a plaintext password is obtained, leading to SSH access to the box. Encrypted database backups are discovered, which are unlocked using a hardcoded password exposed in a Gitea repository. Hashes within the backups are cracked, leading to access to another user on the system whom has access to a root-owned binary with the SUID bit set. The program is reverse engineered, revealing the misuse of a printf function, which is used to read and subsequently bypass the canary on the stack. Finally, a sequence of ROP gadgets is used to obtain a shell on the target.</description><pubDate>Sat, 14 Oct 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Analytics</title><link>https://blog.zumpyx.com/hackthebox/machines/0569-analytics/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0569-analytics/</guid><description>Analytics is an easy difficulty Linux machine with exposed HTTP and SSH services. Enumeration of the website reveals a `Metabase` instance, which is vulnerable to Pre-Authentication Remote Code Execution (`[CVE-2023-38646](https://nvd.nist.gov/vuln/detail/CVE-2023-38646)`), which is leveraged to gain a foothold inside a Docker container. Enumerating the Docker container we see that the environment variables set contain credentials that can be used to SSH into the host. Post-exploitation enumeration reveals that the kernel version that is running on the host is vulnerable to `GameOverlay`, which is leveraged to obtain root privileges.</description><pubDate>Sat, 07 Oct 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Visual</title><link>https://blog.zumpyx.com/hackthebox/machines/0568-visual/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0568-visual/</guid><description>Visual is a Medium Windows machine featuring a web service that accepts user-submitted `.NET 6.0` project repositories, building and returning the executables. By setting up a local Git repository containing a project with the `PreBuild` option set, a payload can be executed, leading to a reverse shell on the machine as the user `enox`. The user is able to write files on the web root directory and thus an attacker can get a reverse shell as the `nt authority\local service` account. Looking at the privileges of the service account, one is able to deduce that the basic privileges have been stripped off of the account. Nonetheless, there is a way to recover the privileges of the `local service` account, including the `SeImpersonate` privilege. Once this privilege is restored, the attacker is able to use a Potato exploit and get a shell as `nt authority\system`.</description><pubDate>Sat, 30 Sep 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category><category>visual</category></item><item><title>[HTB · Machines] Aero</title><link>https://blog.zumpyx.com/hackthebox/machines/0571-aero/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0571-aero/</guid><description>Aero is a medium-difficulty Windows machine featuring two recent CVEs: CVE-2023-38146 , affecting Windows 11 themes, and CVE-2023-28252 , targeting the Common Log File System (CLFS). Initial access is achieved through the crafting of a malicious payload using the ThemeBleed proof-of-concept, resulting in a reverse shell. Upon gaining a foothold, a CVE disclosure notice is found in the user&amp;amp;amp;amp;#039;s home directory, indicating vulnerability to CVE-2023-28252 . Modification of an existing proof-of-concept is required to facilitate privilege escalation to administrator level or code execution as NT Authority\SYSTEM.</description><pubDate>Thu, 28 Sep 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Clicker</title><link>https://blog.zumpyx.com/hackthebox/machines/0564-clicker/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0564-clicker/</guid><description>Clicker is a Medium Linux box featuring a Web Application hosting a clicking game. Enumerating the box, an attacker is able to mount a public NFS share and retrieve the source code of the application, revealing an endpoint susceptible to SQL Injection. Exploiting this vulnerability, an attacker can elevate the privileges of their account and change the username to include malicious PHP code. Accessing the admin panel, an export feature is abused to create a PHP file including the modified username, leading to arbitrary code execution on the machine as `www-data`. Enumeration reveals an `SUID` binary that can access files under the home folder of the user `jack`. By performing a path traversal attack on the binary, the attacker is able to get the SSH key of `jack`, who is allowed to run a monitoring script with arbitrary environment variables with `sudo`. The monitoring script expects a response to a `curl` request in XML format. The attacker, by setting the `http_proxy` variable, is able to intercept and alter the response to the script, in order to include an XXE payload to read the SSH key of the `root` user. Finally, the attacker is able to use the SSH key and get access as the `root` user on the remote machine.</description><pubDate>Sat, 23 Sep 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Wifinetic</title><link>https://blog.zumpyx.com/hackthebox/machines/0563-wifinetic/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0563-wifinetic/</guid><description>Wifinetic is an easy difficulty Linux machine which presents an intriguing network challenge, focusing on wireless security and network monitoring. An exposed FTP service has anonymous authentication enabled which allows us to download available files. One of the file being an OpenWRT backup which contains Wireless Network configuration that discloses an Access Point password. The contents of shadow or passwd files further disclose usernames on the server. With this information, a password reuse attack can be carried out on the SSH service, allowing us to gain a foothold as the netadmin user. Using standard tools and with the provided wireless interface in monitoring mode, we can brute force the WPS PIN for the Access Point to obtain the pre-shared key ( PSK ). The pass phrase can be reused on SSH service to obtain root access on the server.</description><pubDate>Wed, 13 Sep 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Rebound</title><link>https://blog.zumpyx.com/hackthebox/machines/0560-rebound/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0560-rebound/</guid><description>Rebound is an Insane Windows machine featuring a tricky Active Directory environment. User enumeration via RID cycling reveals an AS-REP-roastable user, whose TGT is used to Kerberoast another user with a crackable password. Weak ACLs are abused to obtain access to a group with FullControl over an OU, performing a Descendant Object Takeover (DOT), followed by a ShadowCredentials attack on a user with winrm access. On the target system, cross-session relay is leveraged to obtain the NetNTLMv2 hash of a logged-in user, which, once cracked, leads to a gMSA password read. Finally, the gMSA account allows delegation, but without protocol transition. Resource-Based Constrained Delegation (RBCD) is used to impersonate the Domain Controller, enabling a DCSync attack, leading to fully elevated privileges.</description><pubDate>Sat, 09 Sep 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] CozyHosting</title><link>https://blog.zumpyx.com/hackthebox/machines/0559-cozyhosting/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0559-cozyhosting/</guid><description>CozyHosting is an easy-difficulty Linux machine that features a  `Spring Boot` application. The application has the `Actuator` endpoint enabled. Enumerating the endpoint leads to the discovery of a user&amp;amp;amp;#039;s session cookie, leading to authenticated access to the main dashboard. The application is vulnerable to command injection, which is leveraged to gain a reverse shell on the remote machine. Enumerating the application&amp;amp;amp;#039;s `JAR` file, hardcoded credentials are discovered and used to log into the local database. The database contains a hashed password, which once cracked is used to log into the machine as the user `josh`. The user is allowed to run `ssh` as `root`, which is leveraged to fully escalate privileges.</description><pubDate>Sat, 02 Sep 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Zipping</title><link>https://blog.zumpyx.com/hackthebox/machines/0558-zipping/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0558-zipping/</guid><description>Zipping is a medium-difficulty Linux machine that features a variety of attack vectors. This machine starts off by identifying a file upload capability within the web application that is vulnerable to a zip-file symlink attack, leading to arbitrary file-reads on the target. Leveraging this attack we can identify key pieces of information about the underlying web application to exploit an SQL injection to write a PHP webshell to the filesystem and leverage an LFI vulnerability to load the webshell to gain code execution. Once initial access is gained a binary is available with `sudo` privileges that requires basic reverse engineering to recover the binary password. Further analysis of the binary shows that it is vulnerable to a library injection, where we can create a malicious library to be loaded with the binary and gain root access when it is executed with `sudo` privileges.</description><pubDate>Sat, 26 Aug 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Cybermonday</title><link>https://blog.zumpyx.com/hackthebox/machines/0557-cybermonday/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0557-cybermonday/</guid><description>Cybermonday is a hard difficulty Linux machine that showcases vulnerabilities such as off-by-slash, mass assignment, and Server-Side Request Forgery (SSRF). The initial foothold involves exploiting a mass assignment vulnerability in the web application and executing Redis commands through SSRF using CRLF injection. For lateral movement, the source code of the API is analyzed, followed by exploiting an LFI vulnerability to retrieve the password for the user `john`. The privilege escalation to `root` is achieved by leveraging SUDO privileges, allowing user `john` to build and run a docker container from any Docker Compose file.</description><pubDate>Sat, 19 Aug 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Keeper</title><link>https://blog.zumpyx.com/hackthebox/machines/0556-keeper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0556-keeper/</guid><description>Keeper is an easy-difficulty Linux machine that features a support ticketing system that uses default credentials. Enumerating the service, we are able to see clear text credentials that lead to SSH access.  With `SSH` access, we can gain access to a KeePass database dump file, which we can leverage to retrieve the master password. With access to the `Keepass` database, we can access the root `SSH` keys, which are used to gain a privileged shell on the host.</description><pubDate>Sat, 12 Aug 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Download</title><link>https://blog.zumpyx.com/hackthebox/machines/0555-download/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0555-download/</guid><description>Download is a hard difficulty Linux machine that highlights the exploitation of Object-Relational Mapping (ORM) injection. The initial step is to identify a Local File Inclusion (LFI ) vulnerability in the web application. Through this vulnerability, we gain access to the source code and obtain the cookie secret, enabling us to create and sign our own cookies. Additionally, the source code exposes an ORM injection vulnerability, which allows us to extract the hashed password of a user. By cracking the hash we obtain SSH access to the box. To escalate privileges, we exploit a bug in TIOCSTI to push arbitrary commands character-by-character into the STDIN stream of a higher-privileged terminal, ultimately achieving `root` access.</description><pubDate>Sat, 05 Aug 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Gofer</title><link>https://blog.zumpyx.com/hackthebox/machines/0554-gofer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0554-gofer/</guid><description>Gofer is a Hard Difficulty Linux machine featuring a web proxy secured by Basic HTTP authentication, which can be circumvented through an unfiltered method. The web proxy permits select protocols, including HTTP/HTTPS and gopher—a vintage rival of HTTP that some tools like `cURL` still support. Its key advantage lies in facilitating interaction with internal services such as FTP, SSH, and SMTP. With the presence of an SSRF vulnerability and the utility of gopher, the machine allows us to engage with these internal services as though we were part of the network. The aim is to exploit this by sending a malicious `OpenDocument` via email to an employee known for opening all received documents, capitalizing on the SSRF flaw. After gaining our initial shell, further network sniffing reveals a developer testing the proxy without encryption, exposing clear-text credentials. The final step involves exploiting a binary through a &amp;amp;amp;quot;Use after free&amp;amp;amp;quot; vulnerability to escalate privileges.</description><pubDate>Sat, 29 Jul 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] RegistryTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0552-registrytwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0552-registrytwo/</guid><description>RegistryTwo is an Insane Linux machine that starts with a webpage that presents a web hosting service. Moreover, the Docker registry is exposed and allows anonymous authentication. From the Docker registry, an attacker is able to download an exact replica of the container that hosts the web application. Inside the container resides the `WAR` file that is hosted using Tomcat, and Nginx is acting as a reverse proxy to the service. Reading through the source code of the `WAR` file an attacker is able to chain a Tomcat path traversal exploit, a leftover `SessionExample` snippet and an RCE vulnerability on `jdbc` in order to get a shell inside the container on the remote machine. Once inside the container, the attacker is able to exploit Java Remote Method Invocation (RMI) to get a pseudo-shell and read the password for the user `developer`. Now, logged into the main host using SSH, one can notice that `Clam-AV` is present. Manipulating RMI once again, the attacker is able to extract files from the `/root` directory and find another pair of credentials that are re-used by the `root` user.</description><pubDate>Sat, 22 Jul 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Authority</title><link>https://blog.zumpyx.com/hackthebox/machines/0553-authority/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0553-authority/</guid><description>Authority is a medium-difficulty Windows machine that highlights the dangers of misconfigurations, password reuse, storing credentials on shares, and demonstrates how default settings in Active Directory (such as the ability for all domain users to add up to 10 computers to the domain)  can be combined with other issues (vulnerable AD CS certificate templates) to take over a domain.</description><pubDate>Sat, 15 Jul 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Sau</title><link>https://blog.zumpyx.com/hackthebox/machines/0551-sau/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0551-sau/</guid><description>`Sau` is an Easy Difficulty Linux machine that features a  `Request Baskets` instance that is vulnerable to Server-Side Request Forgery (SSRF) via  `[CVE-2023-27163](https://nvd.nist.gov/vuln/detail/CVE-2023-27163)`. Leveraging the vulnerability we are to gain access to a `Maltrail` instance that is vulnerable to Unauthenticated OS Command Injection, which allows us to gain a reverse shell on the machine as `puma`. A `sudo` misconfiguration is then exploited to gain a `root` shell.</description><pubDate>Sat, 08 Jul 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Intentions</title><link>https://blog.zumpyx.com/hackthebox/machines/0550-intentions/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0550-intentions/</guid><description>Intentions is a hard Linux machine that starts off with an image gallery website which is prone to a second-order SQL injection leading to the discovery of BCrypt hashes. Further enumeration reveals a v2 API endpoint that allows authentication via hashes instead of passwords, leading to admin access to the site. Within the admin panel the attacker will find a page that allows them to edit the images within the gallery with the help of Imagick. The attacker is able to exploit the Imagick object instantiation and gain code execution. Once the attacker has a shell as www-data they will need to examine the Git history for the current project, where they will find credentials for the user greg. Once logged in as greg the user will enumerate and find that they have access to the /opt/scanner/scanner binary with extended capabilities, specifically CAP_DAC_READ_SEARCH. This capability allows the attacker to exfiltrate sensitive files such as the private SSH key of the root user, byte-by-byte. With the key the attacker is able to authenticate through SSH as the root user.</description><pubDate>Sat, 01 Jul 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Pilgrimage</title><link>https://blog.zumpyx.com/hackthebox/machines/0549-pilgrimage/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0549-pilgrimage/</guid><description>Pilgrimage is an easy-difficulty Linux machine featuring a web application with an exposed `Git` repository. Analysing the underlying filesystem and source code reveals the use of a vulnerable version of `ImageMagick`, which can be used to read arbitrary files on the target by embedding a malicious `tEXT` chunk into a PNG image. The vulnerability is leveraged to obtain a `SQLite` database file containing a plaintext password that can be used to SSH into the machine. Enumeration of the running processes reveals a `Bash` script executed by `root` that calls a vulnerable version of the `Binwalk` binary. By creating another malicious PNG, `CVE-2022-4510` is leveraged to obtain Remote Code Execution (RCE) as `root`.</description><pubDate>Sat, 24 Jun 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Sandworm</title><link>https://blog.zumpyx.com/hackthebox/machines/0548-sandworm/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0548-sandworm/</guid><description>Sandworm is a Medium Difficulty Linux machine that hosts a web application featuring a `PGP` verification service which is vulnerable to a Server-Side Template Injection (`SSTI`), leading to Remote Code Execution (`RCE`) inside a `Firejail` jail. Plaintext credentials can be discovered within the jail, which lead to `SSH` access to the machine as one of its users. From there, a cronjob is discovered, which compiles and runs a `Rust` binary. The program relies on a custom, external logging crate to which the user has write access, which is then used to obtain a shell as the `atlas` user running the cronjob. Finally, a recent `Firejail` exploit (`CVE-2022-31214`) is used to create a sandbox where the attacker can run the `su` command and obtain a `root` shell on the target system.</description><pubDate>Sat, 17 Jun 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Topology</title><link>https://blog.zumpyx.com/hackthebox/machines/0546-topology/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0546-topology/</guid><description>Topology is an Easy Difficulty Linux machine that showcases a `LaTeX` web application susceptible to a Local File Inclusion (LFI) vulnerability. Exploiting the LFI flaw allows for the retrieval of an `.htpasswd` file that contains a hashed password. By cracking the password hash, `SSH` access to the machine is obtained, revealing a `root` cronjob that executes `gnuplot` files. Crafting a malicious `.plt` file enables privilege escalation.</description><pubDate>Sat, 10 Jun 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] TwoMillion</title><link>https://blog.zumpyx.com/hackthebox/machines/0547-twomillion/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0547-twomillion/</guid><description>TwoMillion is an Easy difficulty Linux box that was released to celebrate reaching 2 million users on HackTheBox. The box features an old version of the HackTheBox platform that includes the old hackable invite code. After hacking the invite code an account can be created on the platform. The account can be used to enumerate various API endpoints, one of which can be used to elevate the user to an Administrator. With administrative access the user can perform a command injection in the admin VPN generation endpoint thus gaining a system shell. An .env file is found to contain database credentials and owed to password re-use the attackers can login as user admin on the box. The system kernel is found to be outdated and CVE-2023-0386 can be used to gain a root shell.</description><pubDate>Wed, 07 Jun 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] PC</title><link>https://blog.zumpyx.com/hackthebox/machines/0543-pc/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0543-pc/</guid><description>PC is an Easy Difficulty Linux machine that features a `gRPC` endpoint that is vulnerable to SQL Injection. After enumerating and dumping the database&amp;amp;amp;amp;#039;s contents, plaintext credentials lead to `SSH` access to the machine. Listing locally running ports reveals an outdated version of the `pyLoad` service, which is susceptible to pre-authentication Remote Code Execution (RCE) via `CVE-2023-0297`. As the service is run by `root`, exploiting this vulnerability leads to fully elevated privileges.</description><pubDate>Sat, 20 May 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Format</title><link>https://blog.zumpyx.com/hackthebox/machines/0542-format/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0542-format/</guid><description>Format is a medium-difficulty Linux machine that highlights security problems caused by how a solution is structured. The foothold involves PHP source code review, uncovering and exploiting a local file read/write vulnerability and capitalising on a misconfiguration in Nginx to execute commands on a Redis Unix socket. Lateral movement includes exploring the Redis database to uncover user passwords, while privilege escalation revolves around a Python script running with root privileges, which is susceptible to code injection.</description><pubDate>Sat, 13 May 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Snoopy</title><link>https://blog.zumpyx.com/hackthebox/machines/0541-snoopy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0541-snoopy/</guid><description>Snoopy is a Hard Difficulty Linux machine that involves the exploitation of an LFI vulnerability to extract the configuration secret of `Bind9`. The obtained secret allows the redirection of the `mail` subdomain to the attacker&amp;amp;amp;amp;#039;s IP address, facilitating the interception of password reset requests within the `Mattermost` chat client. Within that service, a custom plugin designed for web admins to log into remote servers is manipulated to direct them to a server set up as an `SSH honeypot`, leading to the interception of `cbrown`&amp;amp;amp;amp;#039;s credentials. Exploiting the privileges of `cbrown`, the attacker utilizes the ability to execute `git apply` as `sbrown`, resulting in a unique symlinking attack for privilege escalation. The final stage involves the abuse of `CVE-2023-20052` to include the `root` user&amp;amp;amp;amp;#039;s `SSH` key into a file via `XXE`, with the payload scanned by `clamscan` to trigger the `XXE` output in the debug response.</description><pubDate>Sat, 06 May 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] MonitorsTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0539-monitorstwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0539-monitorstwo/</guid><description>MonitorsTwo is an Easy Difficulty Linux machine showcasing a variety of vulnerabilities and misconfigurations. Initial enumeration exposes a web application prone to pre-authentication Remote Code Execution (RCE) through a malicious X-Forwarded-For header. Exploiting this vulnerability grants a shell within a Docker container. A misconfigured capsh binary with the SUID bit set allows for root access inside the container. Uncovering MySQL credentials enables the dumping of a hash, which, once cracked, provides SSH access to the machine. Further enumeration reveals a vulnerable Docker version ( CVE- 2021-41091 ) that permits a low-privileged user to access mounted container filesystems. Leveraging root access within the container, a bash binary with the SUID bit set is copied, resulting in privilege escalation on the host.</description><pubDate>Sat, 29 Apr 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] OnlyForYou</title><link>https://blog.zumpyx.com/hackthebox/machines/0540-onlyforyou/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0540-onlyforyou/</guid><description>OnlyForYou is a Medium Difficulty Linux machine that features a web application susceptible to a Local File Inclusion (LFI), which is used to access source code that reveals a Blind Command Injection vulnerability, leading to a shell on the target system. The machine runs several local services, one of which uses default credentials and exposes an endpoint vulnerable to a `Cypher` injection. Exploiting this vulnerability leaks hashes from the `Neo4j` database, granting `SSH` access to the machine. Finally, a misconfigured `sudoers` file allows the `pip3 download` command to be run with `root` privileges. Privilege escalation is achieved by creating and hosting a malicious `Python` package on the local `Gogs` service and downloading it.</description><pubDate>Sat, 22 Apr 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Socket</title><link>https://blog.zumpyx.com/hackthebox/machines/0535-socket/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0535-socket/</guid><description>Socket is a Medium Difficulty Linux machine that features reversing a Linux/Windows desktop application to get its source code, from where an `SQL` injection in its web socket service is discovered. Dumping the database reveals a hash that once cracked yields `SSH` access to the box. Finally, a `PyInstaller` script that can be ran with elevated privileges is used to read the `root` user&amp;amp;amp;amp;amp;#039;s private `SSH` key, leading to `root` access to the machine.</description><pubDate>Sat, 25 Mar 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Agile</title><link>https://blog.zumpyx.com/hackthebox/machines/0532-agile/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0532-agile/</guid><description>Agile is a medium difficulty Linux box that features a password management website on port 80. Upon creating an account and adding a couple of passwords, the export to CSV functionality of the website is found to be vulnerable to Arbitrary File Read. Enumeration of the other endpoints shows that `/download` throws an error when accessed and brings up the `Werkzeug` debug console. This console is protected via a PIN, however a combination of this console with the ability to read files through the previously mentioned vulnerability allows users to reverse engineer this PIN and execute system commands as `www-data`. Database credentials can then be identified in order to connect to the password manager website&amp;amp;amp;#039;s SQL database, which holds credentials for the `corum` user on the system. A second version of the website is found to be running and an automated system performs tests on it through the `Selenium` web driver. The debug port for `Selenium` is open and through SSH tunnelling, attackers can access the test environment of the website and acquire credentials for user `edwards`. Finally, a combination of `CVE-2023-22809`, a custom entry in the global `bashrc` file, and incorrect permissions on a Python virtual environment activation script, lead to privilege escalation.</description><pubDate>Sat, 04 Mar 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Escape</title><link>https://blog.zumpyx.com/hackthebox/machines/0531-escape/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0531-escape/</guid><description>Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share that guest authenticated users can download a sensitive PDF file. Inside the PDF file temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials an attacker is able to get command execution on the machine using WinRM. Enumerating the machine, a log file reveals the credentials for the user `ryan.cooper`. Further enumeration of the machine, reveals that a Certificate Authority is present and one certificate template is vulnerable to the ESC1 attack, meaning that users who are legible to use this template can request certificates for any other user on the domain including Domain Administrators. Thus, by exploiting the ESC1 vulnerability, an attacker is able to obtain a valid certificate for the Administrator account and then use it to get the hash of the administrator user.</description><pubDate>Sat, 25 Feb 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Bagel</title><link>https://blog.zumpyx.com/hackthebox/machines/0530-bagel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0530-bagel/</guid><description>Bagel is a Medium Difficulty Linux machine that features an e-shop that is vulnerable to a path traversal attack, through which the source code of the application is obtained. The vulnerability is then used to download a `.NET` WebSocket server, which once disassembled reveals plaintext credentials. Further analysis reveals an insecure deserialization vulnerability which is leveraged to read arbitrary files, including a user&amp;amp;amp;amp;amp;#039;s private `SSH` key. Using the key to obtain a foothold on the machine, the previously discovered password is used to pivot to another user, who can use the `dotnet` tool with `root` permissions. This misconfiguration is used to execute a malicious `.NET` application, leading to fully escalated privileges.</description><pubDate>Sat, 18 Feb 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Interface</title><link>https://blog.zumpyx.com/hackthebox/machines/0527-interface/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0527-interface/</guid><description>Interface is a medium difficulty Linux machine that features a `DomPDF` API endpoint that is vulnerable to remote command execution by injecting `CSS` into the processed data. `DomPDF` can be tricked into storing a malicious font with a `PHP` file extension in its font cache, which can then be executed by accessing it from its exposed directories. Privilege escalation involves abusing a quoted expression injection inside a bash script.</description><pubDate>Sat, 11 Feb 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Encoding</title><link>https://blog.zumpyx.com/hackthebox/machines/0526-encoding/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0526-encoding/</guid><description>Encoding is a Medium difficulty Linux machine that features a web application vulnerable to Local File Read. Through the ability to read arbitrary files on the target, the attacker can first exploit a PHP LFI vulnerability in the web application to gain access to the server as the `www-data` user. They can then discover a script on the server, called `git-commit.sh`, which allows them to commit code as the James user. By inspecting the `utils.php` file, the attacker can discover that the script is run as the `svc` user with sudo privileges. Through a malicious Git hook, the attacker can grab the SSH key for the `svc` user. This user can restart services as the root user through sudo. The attacker could abuse this privilege to execute arbitrary code as root by modifying an existing service file or creating a new one.</description><pubDate>Sat, 28 Jan 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Investigation</title><link>https://blog.zumpyx.com/hackthebox/machines/0525-investigation/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0525-investigation/</guid><description>Investigation is a Linux box rated as medium difficulty, which features a web application that provides a service for digital forensic analysis of image files. The server utilizes the ExifTool utility to analyze the image, however, the version being used has a command injection vulnerability that can be exploited to gain an initial foothold on the box as the user `www-data`. By analyzing logs found in a Windows Event logs file, it is possible to escalate privileges to the user `smorton`. To achieve the final goal of gaining root access, the user must reverse engineer a binary that can be run by the user `smorton` with sudo access and then exploit it to elevate privileges to root.</description><pubDate>Sat, 21 Jan 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Stocker</title><link>https://blog.zumpyx.com/hackthebox/machines/0523-stocker/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0523-stocker/</guid><description>Stocker is a medium difficulty Linux machine that features a website running on port 80 that advertises various house furniture. Through vHost enumeration the hostname `dev.stocker.htb` is identified and upon accessing it a login page is loaded that seems to be built with `NodeJS`. By sending JSON data and performing a `NoSQL` injection, the login page is bypassed and access to an e-shop is granted. Enumeration of this e-shop reveals that upon submitting a purchase order, a PDF is crafted that contains details about the items purchased. This functionality is vulnerable to HTML injection and can be abused to read system files through the usage of iframes. The `index.js` file is then read to acquire database credentials and owed to password re-use users can log into the system over `SSH`. Privileges can then be escalated by performing a path traversal attack on a command defined in the sudoers file, which contains a wildcard for executing `JavaScript` files.</description><pubDate>Sat, 14 Jan 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] BroScience</title><link>https://blog.zumpyx.com/hackthebox/machines/0521-broscience/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0521-broscience/</guid><description>BroScience is a Medium Difficulty Linux machine that features a web application vulnerable to `LFI`. Through the ability to read arbitrary files on the target, the attacker gains an insight into how account activation codes are generated, and is thus able to create a set of potentially valid tokens to activate a newly created account. Once logged in, further enumeration reveals that the site&amp;amp;amp;amp;amp;amp;#039;s theme-picker functionality is vulnerable to PHP deserialisation using a custom gadget chain, allowing an attacker to copy files on the target system, eventually leading to remote code execution. Once a foothold has been established, a handful of hashes are recovered from a database, which once cracked prove to contain a valid `SSH` password for the machine&amp;amp;amp;amp;amp;amp;#039;s main user `bill`. Finally, the privilege escalation is based on a cronjob executing a Bash script that is vulnerable to command injection through a certificate generated by `openssl`, forfeiting `root` access to the attacker.</description><pubDate>Sat, 07 Jan 2023 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Soccer</title><link>https://blog.zumpyx.com/hackthebox/machines/0519-soccer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0519-soccer/</guid><description>Soccer is an easy difficulty Linux machine that features a foothold based on default credentials, forfeiting access to a vulnerable version of the `Tiny File Manager`, which in turn leads to a reverse shell on the target system (`CVE-2021-45010`). Enumerating the target reveals a subdomain which is vulnerable to a blind SQL injection through websockets. Leveraging the SQLi leads to dumped `SSH` credentials for the `player` user, who can run `dstat` using `doas`- an alternative to `sudo`. By creating a custom `Python` plugin for `doas`, a shell as `root` is then spawned through the `SUID` bit of the `doas` binary, leading to fully escalated privileges.</description><pubDate>Sat, 17 Dec 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Funnel</title><link>https://blog.zumpyx.com/hackthebox/machines/0520-funnel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0520-funnel/</guid><description>Funnel is a very easy Linux machine that explores SSH tunneling techniques. The machine features a misconfigured FTP server that allows anonymous authentication, in which a file containing cleartext credentials can be found. Hydra is then used to perform a password spray and get remote access. Upon enumerating the services running locally on the machine, PostgreSQL can be exploited by leveraging port-forwarding.</description><pubDate>Mon, 12 Dec 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Mentor</title><link>https://blog.zumpyx.com/hackthebox/machines/0518-mentor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0518-mentor/</guid><description>Mentor is a medium difficulty Linux machine whose path includes pivoting through four different users before arriving at root. After scanning an `SNMP` service with a community string that can be brute forced, plaintext credentials are discovered which are used for an `API` endpoint, which proves to be vulnerable to blind remote code execution and leads to a foothold on a docker container. Enumerating the container&amp;amp;amp;amp;amp;amp;#039;s network reveals a `PostgreSQL` service on another container, which can be leveraged into RCE by authenticating using default credentials. Examining an old database backup on the `PostgreSQL` container reveals a hash, which once cracked is used to `SSH` into the machine. Finally, by examining the configuration files on the host, the attacker is able to retrieve a password for user `james`, who is able run the `/bin/sh` command with sudo privileges, thereby instantly forfeiting `root` privileges.</description><pubDate>Sat, 10 Dec 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Precious</title><link>https://blog.zumpyx.com/hackthebox/machines/0513-precious/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0513-precious/</guid><description>Precious is an Easy Difficulty Linux machine, that focuses on the `Ruby` language. It hosts a custom `Ruby` web application, using an outdated library, namely pdfkit, which is vulnerable to `CVE-2022-25765`, leading to an initial shell on the target machine. After a pivot using plaintext credentials that are found in a Gem repository `config` file, the box concludes with an insecure deserialization attack on a  custom, outdated,  `Ruby`  script.</description><pubDate>Sat, 26 Nov 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Derailed</title><link>https://blog.zumpyx.com/hackthebox/machines/0512-derailed/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0512-derailed/</guid><description>Derailed is an insane difficulty Linux machine that focuses on chaining web vulnerabilities such as Stored Cross-Site Scripting, Session Riding, Arbitrary File Inclusion and command injection in a `Rails` application. A buffer overflow vulnerability in a `WebAssembly` function is exploited in order to write an XSS payload into a secondary parameter, leading to a vulnerable administrative page that allows attackers to retrieve arbitrary system files; this can be leveraged to read the application source code from the `/proc` pseudo-filesystem and discover a command injection vulnerability, resulting in Remote Command Execution. Password re-use then gives access to an `openmediavault` user who has the rights to install `.deb` packages by calling a specific function from an `RPC` endpoint, ultimately resulting in the escalation of privileges through the execution of arbitrary code during the post-installation step.</description><pubDate>Sat, 19 Nov 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Forgot</title><link>https://blog.zumpyx.com/hackthebox/machines/0511-forgot/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0511-forgot/</guid><description>Forgot is a Medium Difficulty Linux machine that features an often neglected part of web exploitation, namely Web Cache Deception (`WCD`). The box&amp;amp;amp;amp;amp;amp;#039;s foothold consists of a Host Header Injection, enabling an initial bypass of authentication, which is then coupled with careful enumeration of the underlying services and behaviors to leverage WCD into leaking SSH credentials on an admin panel. Moreover, the machine then pivots into the territory of Code Injection, where after careful enumeration of a `Python` script, `CVE-2022-29216` is discovered, leading to privilege escalation using a vulnerable  `Tensorflow` function.</description><pubDate>Sat, 12 Nov 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Squashed</title><link>https://blog.zumpyx.com/hackthebox/machines/0514-squashed/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0514-squashed/</guid><description>Squashed is an Easy Difficulty Linux machine that features a combination of both identifying and leveraging misconfigurations in NFS shares through impersonating users. Additionally, the box incorporates the enumeration of an X11 display into the privilege escalation by having the attacker take a screenshot of the current Desktop.</description><pubDate>Thu, 10 Nov 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Synced</title><link>https://blog.zumpyx.com/hackthebox/machines/0515-synced/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0515-synced/</guid><description>Synced is a very easy Linux machine that explores the Rsync protocol, how to interact with it and the dangers of improper configuration allowing anonymous authentication.</description><pubDate>Wed, 09 Nov 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Flight</title><link>https://blog.zumpyx.com/hackthebox/machines/0510-flight/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0510-flight/</guid><description>Flight is a hard Windows machine that starts with a website with two different virtual hosts. One of them is vulnerable to LFI and allows an attacker to retrieve an NTLM hash. Once cracked, the obtained clear text password will be sprayed across a list of valid usernames to discover a password re-use scenario. Once the attacker has SMB access as the user `s.moon` he is able to write to a share that gets accessed by other users. Certain files can be used to steal the NTLMv2 hash of the users that access the share. Once the second hash is cracked the attacker will be able to write a reverse shell in a share that hosts the web files and gain a shell on the box as low privileged user. Having credentials for the user `c.bum`, it will be possible to gain a shell as this user, which will allow the attacker to write an `aspx` web shell on a web site that&amp;amp;amp;amp;amp;#039;s configured to listen only on localhost. Once the attacker has command execution as the Microsoft Virtual Account he is able to run Rubeus to get a ticket for the machine account that can be used to  perform a DCSync attack ultimately obtaining the hashes for the Administrator user.</description><pubDate>Sat, 05 Nov 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] MetaTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0504-metatwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0504-metatwo/</guid><description>MetaTwo is an easy Linux machine that features a website running Wordpress, which is using a plugin vulnerable to unauthenticated SQL injection ([CVE-2022-0739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0739)). It can be exploited to reveal the password hash of the Wordpress users which can be cracked to obtain the password for the Wordpress user `manager`. The Wordpress version in use is vulnerable to an XXE Vulnerability in the Media Library ([CVE-2021-29447](https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/)), which can be exploited to obtain credentials for the FTP server. A file on the FTP server reveals the SSH credentials for user `jnelson`. For privilege escalation, the `passpie` utility on the remote host can be exploited to obtain the password for the `root` user.</description><pubDate>Sat, 29 Oct 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Awkward</title><link>https://blog.zumpyx.com/hackthebox/machines/0503-awkward/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0503-awkward/</guid><description>Awkward is a Medium difficulty machine that highlights code injection vulnerabilities that do not result in RCE, but rather SSRF, LFI, and Arbitrary File Write/Append. Additionally, the box involves authentication bypass through poor password practices, such as password re-use, as well as storing passwords in plain text.</description><pubDate>Sat, 22 Oct 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] RainyDay</title><link>https://blog.zumpyx.com/hackthebox/machines/0502-rainyday/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0502-rainyday/</guid><description>RainyDay is a hard Linux machine that starts with a web application that allows registered users to create and run containers on the remote machine. Enumerating the application it is discovered that registrations are closed. Further enumeration, reveals a REST API endpoint that suffers from an IDOR vulnerability, which leaks sensitive information such as usernames and password hashes. One of these hashes belonging to user `gary` can be cracked, which allows a potential attacker access to the web application. Once logged in, an attacker is able to create Docker containers and execute any command he wants on them. It turns out that the network that the containers are connected to is treated as an `internal` network and can be used to tunnel traffic to the `dev` vhost and the `/api/healthcheck` endpoint. The `healthcheck` endpoint can be used to read the secret token that&amp;amp;amp;amp;amp;#039;s used to sign Flask session cookies. With this token, an attacker is able to forge a cookie for the user `jack` and access the container `secrets`. Once inside the container a very peculiar running process is discovered to be sharing its PID with the host system. The `cwd` of the process is linked to the `/home/jack` folder on the host machine. With the SSH key of `jack` in hand, the attacker is able to authenticate to the host machine. There, they discover that they are able to execute Python scripts as the user `jack_adm` but with heavy safety restrictions. These restrictions can be bypassed using a Use-After-Free vulnerability and execute arbitrary commands.  The user `jack_adm` is able to execute a hashing script as the user `root`. The script uses the algorithm `bcrypt` which has a maximum length restriction. Due to bad design, an attacker is able to bruteforce the secret `salt` and crack the `root` password that was acquired from the web application. Finally, a password re-use scenario comes in to play and the cracked password works for the `root` user on the remote machine.</description><pubDate>Sat, 15 Oct 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Photobomb</title><link>https://blog.zumpyx.com/hackthebox/machines/0500-photobomb/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0500-photobomb/</guid><description>Photobomb is an easy Linux machine where plaintext credentials are used to access an internal web application with a `Download` functionality that is vulnerable to a blind command injection. Once a foothold as the machine&apos;s main user is established, a poorly configured shell script that references binaries without their full paths is leveraged to obtain escalated privileges, as it can be ran with `sudo`.</description><pubDate>Sat, 08 Oct 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Ambassador</title><link>https://blog.zumpyx.com/hackthebox/machines/0499-ambassador/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0499-ambassador/</guid><description>Ambassador is a medium difficulty Linux machine addressing the issue of hard-coded plaintext credentials being left in old versions of code. Firstly, a `Grafana` CVE ( `CVE-2021-43798`) is used to read arbitrary files on the target. After researching how the service is commonly configured, credentials for the web portal are discovered in one of the default locations. Once logged in, further enumeration reveals another configuration file containing `MySQL` credentials, which are used to retrieve a password to a user account and gain a foothold on the machine. Lastly, a misconfigured `Consul` service is used to obtain escalated privileges, by retrieving an authentication token from a prior commit of a `Git` repository.</description><pubDate>Sat, 01 Oct 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Mongod</title><link>https://blog.zumpyx.com/hackthebox/machines/0501-mongod/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0501-mongod/</guid><description>Mongod is a very easy Linux machine which introduces the MongoDB database and how to use the MongoDB shell utility to interact with it. Misconfiguring the database by leaving the anonymous user enabled, allows exploitation and full enumeration of the database.</description><pubDate>Thu, 29 Sep 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Absolute</title><link>https://blog.zumpyx.com/hackthebox/machines/0498-absolute/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0498-absolute/</guid><description>Absolute is an Insane Windows Active Directory machine that starts with a webpage displaying some images, whose metadata is used to create a wordlist of possible usernames that may exist on the machine. It turns out that one of these users doesn&amp;amp;amp;amp;amp;#039;t require Pre-authentication, therefore posing a valuable target for an `ASREP` roast attack. The discovered credentials are then used to enumerate `LDAP` and discover credentials for the user `svc_smb`, who has access to an `SMB` share containing a Windows binary. Performing dynamic analysis on the binary reveals that it tries to perform an `LDAP` connection to the Domain Controller with clear text credentials for the `m.lovegod` user, who owns the `Network Audit` group, which in turn has `Generic Write` over the `winrm_user`. Following this attack path and performing a shadow credential attack on the `winrm_user`, one can then `WinRM` and access the machine. Finally, the `KrbRelay` tool is used to add the `winrm_user` user to the Administrators group, leading to fully elevated privileges.</description><pubDate>Sat, 24 Sep 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Shoppy</title><link>https://blog.zumpyx.com/hackthebox/machines/0496-shoppy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0496-shoppy/</guid><description>Shoppy is an easy Linux machine that features a website with a login panel and a user search functionality, which is vulnerable to NoSQL injection. It can be exploited to obtain the password hashes of all the users. Upon cracking the password hash for one of the users we can authenticate into the Mattermost chat running on the server where we obtain the SSH credentials for user `jaeger`. The lateral movement to user `deploy` is performed by reverse engineering a password manager binary, which reveals the password for the user. We discover that the user `deploy` is a member of the group `docker`. Its privileges can be exploited to read the root flag.</description><pubDate>Sat, 17 Sep 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Sekhmet</title><link>https://blog.zumpyx.com/hackthebox/machines/0495-sekhmet/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0495-sekhmet/</guid><description>Sekhmet is an insane difficulty Windows machine that focuses on web exploitation, pivoting and bypassing Windows restrictions such as PowerShell Constrained Language Mode and AppLocker policies. Initial access is gained through an insecure deserialization vulnerability in a public facing NodeJS web application, which is hosted on a Linux virtual machine running on top of the target Windows system. In order to trigger RCE, the payload has to be adjusted to bypass a Web Application Firewall, which can be accomplished with the use of unicode characters. Once an interactive shell is obtained on the system, a ZipCrypto encrypted archive is found in the user&amp;amp;amp;amp;amp;#039;s home directory; encryption can be broken by mounting a known plaintext attack, allowing to retrieve Kerberos credentials from an SSSD cache file contained in the Zip archive and ultimately resulting in `root` access to the Linux machine. To pivot from the VM to the host, a command injection vulnerability is discovered in a scheduled script that processes data from LDAP attributes; this allows to sniff NTLM hashes and obtain a password that grants access to the Windows machine as a low-privileged user. Constrained Language Mode is enforced on the user together with strict AppLocker policies, but it can be bypassed with the aid of `InstallUtil.exe`. Once a Full Language Mode session is gained, Microsoft Edge stored passwords, including those of an administrative user that are also valid for Kerberos authentication, can be retrieved by running `Invoke-Mimikatz`.</description><pubDate>Sat, 10 Sep 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] UpDown</title><link>https://blog.zumpyx.com/hackthebox/machines/0493-updown/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0493-updown/</guid><description>UpDown is a medium difficulty Linux machine with SSH and Apache servers exposed. On the Apache server a web application is featured that allows users to check if a webpage is up. A directory named `.git` is identified on the server and can be downloaded to reveal the source code of the `dev` subdomain running on the target, which can only be accessed with a special `HTTP` header. Furthermore, the subdomain allows files to be uploaded, leading to remote code execution using the `phar://` PHP wrapper. The Pivot consists of injecting code into a `SUID` `Python` script and obtaining a shell as the `developer` user, who may run `easy_install` with `Sudo`, without a password. This can be leveraged by creating a malicious python script and running `easy_install` on it, as the elevated privileges are not dropped, allowing us to maintain access as `root`.</description><pubDate>Sat, 03 Sep 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Vessel</title><link>https://blog.zumpyx.com/hackthebox/machines/0492-vessel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0492-vessel/</guid><description>Vessel is a hard Linux machine that begins with directory enumeration which reveals a `.git` source for a web application running on port 80. After extracting the contents of the web application using a tool called `git-dumper` , we find out that the application is using the `MySQLJs` NPM library which is vulnerable to SQL injection. Using SQL injection, an attacker can bypass authentication and get admin access on `vessel.htb`. In the admin dashboard of `vessel.htb` we discover a subdomain called `openwebanalytics`. The `openwebanalytics.vessel.htb` is hosting `Open Web Analytics` version 1.7.3 which is vulnerable to [CVE-2022-24637](https://devel0pment.de/?p=2494) which allows the attacker to reset the admin&amp;amp;amp;amp;amp;#039;s password and alter configurations to inject PHP code into a log file leading to remote code execution. After getting RCE there is a binary file named `passwordGenerator` and a password-protected PDF file in the `steven` user&amp;amp;amp;amp;amp;#039;s home directory. Reverse engineering `PasswordGenerator` with `Uncompyle6` reveals a hashing algorithm that is used to compose our brute force to crack the previously found PDF which contains the password for the  `Ethan` user. Running `LinPEAS` on the machine shows that there is an unknown SUID binary named `pinns` that it&amp;amp;amp;amp;amp;#039;s related to CRI-O engine. Additional investigation reveals a [recent vulnerability in CRI-O](https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/), which leads the attacker to gain code execution as the `root` user.</description><pubDate>Sat, 27 Aug 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Health</title><link>https://blog.zumpyx.com/hackthebox/machines/0491-health/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0491-health/</guid><description>Health is a medium Linux machine that features an SSRF vulnerability on the main webpage that can be exploited to access services that are available only on localhost. More specifically, a Gogs instance is accessible only through localhost and this specific version is vulnerable to an SQL injection attack. Due to the way that an attacker can interact with the Gogs instance the best approach in this scenario is to replicate the remote environment by installing the same Gogs version on a local machine and then using automated tools to produce a valid payload. After retrieving the hashed password of the user `susanne` an attacker is able to crack the hash and reveal the plain text password of that user. The same credentials can be used to authenticate to the remote machine using SSH. Privilege escalation relies on cron jobs that are running under the user `root`. These cron jobs are related to the functionality of the main web application and process unfiltered data from a database. Thus, an attacker is able to inject a malicious task inside the database and exfiltrate the SSH key file of the user `root`, thus, allowing him to gain a root session on the remote machine.</description><pubDate>Sat, 20 Aug 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Outdated</title><link>https://blog.zumpyx.com/hackthebox/machines/0490-outdated/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0490-outdated/</guid><description>Outdated is a Medium Difficulty Linux machine that features a foothold based on the `Follina` CVE of 2022. The box further encompasses an Active Directory scenario, where we must pivot from domain user to domain controller, using an array of tools to leverage the `AD`&amp;amp;amp;amp;amp;amp;#039;s configuration and adjacent edges to our advantage. The final step includes taking advantage of Windows Server Update Services- WSUS and using its poor configuration to compromise the domain controller.</description><pubDate>Sat, 13 Aug 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Moderators</title><link>https://blog.zumpyx.com/hackthebox/machines/0485-moderators/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0485-moderators/</guid><description>Moderators is a hard Linux machine that features a blog, which holds security reports. Through Insecure Direct Object Reference (IDOR) undisclosed reports can be found, which lead to a log page where it is possible to upload PDF files. Using basic filter bypasses it&amp;amp;amp;amp;#039;s possible to upload a PHP shell and gain access as `www-data`. A WordPress site can then be found running internally on port 8080. The site contains two plugins, `brandfolder` and `password-manager`, the former of which has a Local File Inclusion vulnerability, exploitation of which leads to a shell as the `lexi` user. An SSH key can be found in the WordPress database, which needs to be cracked from the `password-manager` plugin. Modifying said plugin allows for the SSH key to be decrypted, yielding access to a second user called `john`. In the second user&amp;amp;amp;amp;#039;s home folder there is a Virtual Disk Image (.vdi) file, which is encrypted. Using a `.vbox` password cracker the password can be recovered. On the disk there is a LUKS encrypted file system which can also be brute forced by using a bash script. Once decrypted, the file system contains scripts, one of which holds the password to the second user. The password can be used to run any command with sudo.</description><pubDate>Sat, 06 Aug 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Three</title><link>https://blog.zumpyx.com/hackthebox/machines/0489-three/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0489-three/</guid><description>Three is a very easy Linux machine featuring a website using a misconfigured AWS S3 bucket as its cloud-storage device. The machine explores web application enumeration and subdomain fuzzing to detect the hidden domain corresponding to the S3 bucket. Then it showcases using the AWS command line interface to access the vulnerable S3 bucket as well as how to exploit it by uploading and triggering a reverse shell.</description><pubDate>Wed, 03 Aug 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Support</title><link>https://blog.zumpyx.com/hackthebox/machines/0484-support/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0484-support/</guid><description>Support is an Easy difficulty Windows machine that features an SMB share that allows anonymous authentication. After connecting to the share, an executable file is discovered that is used to query the machine&amp;amp;amp;amp;amp;amp;#039;s LDAP server for available users. Through reverse engineering, network analysis or emulation, the password that the binary uses to bind the LDAP server is identified and can be used to make further LDAP queries. A user called `support` is identified in the users list, and the `info` field is   found to contain his password, thus allowing for a WinRM connection to the machine. Once on the machine, domain information can be gathered through `SharpHound`, and `BloodHound` reveals that the `Shared Support Accounts` group that the `support` user is a member of, has `GenericAll` privileges on the Domain Controller. A Resource Based Constrained Delegation attack is performed, and a shell as `NT Authority\System` is received.</description><pubDate>Sat, 30 Jul 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Shared</title><link>https://blog.zumpyx.com/hackthebox/machines/0483-shared/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0483-shared/</guid><description>Shared is a Medium Difficulty Linux machine that features a Cookie SQL Injection leading to a foothold, which is then used to escalate privileges by reverse engineering a Golang binary and leveraging two CVEs to gain a root shell.</description><pubDate>Sat, 23 Jul 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[Blog] Third post</title><link>https://blog.zumpyx.com/blog/third-post/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/third-post/</guid><description>Lorem ipsum dolor sit amet</description><pubDate>Fri, 22 Jul 2022 00:00:00 GMT</pubDate><category>blog</category></item><item><title>[HTB · Machines] Extension</title><link>https://blog.zumpyx.com/hackthebox/machines/0482-extension/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0482-extension/</guid><description>Extension is a hard difficulty Linux machine with only `SSH` and `Nginx` exposed. Enumeration reveals a multitude of domains and sub-domains. An exposed API endpoint reveals a handful of hashed passwords, which can be cracked and used to log into a mail server, where password reset requests can be read. The application&amp;amp;amp;amp;amp;#039;s underlying logic allows the attacker to brute-force the reset tokens, forfeiting access to an admin account and by *extension* API credentials for another vHost running `Gitea`. A repository hosted there is vulnerable to Cross-Site Scripting (XSS) and can be leveraged to make API calls to download a private repository, containing an SSH key for a user account on the target system. Moving laterally using re-used credentials reveals another Git repository, where we find source code that is vulnerable to Remote Code Execution by command injection. Exploitation of the vulnerability requires a hash length extension attack to deliver the payload. Obtaining a reverse shell makes it clear that the shell is in a docker container, which features a Unix socket that the user can access. This misconfiguration means that the host&amp;amp;amp;amp;amp;#039;s file system can be mounted to a new docker container, from where a root SSH key can be acquired.</description><pubDate>Sat, 16 Jul 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[Blog] Second post</title><link>https://blog.zumpyx.com/blog/second-post/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/second-post/</guid><description>Lorem ipsum dolor sit amet</description><pubDate>Fri, 15 Jul 2022 00:00:00 GMT</pubDate><category>blog</category></item><item><title>[HTB · Machines] RedPanda</title><link>https://blog.zumpyx.com/hackthebox/machines/0481-redpanda/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0481-redpanda/</guid><description>RedPanda is an easy Linux machine that features a website with a search engine made using the Java Spring Boot framework. This search engine is vulnerable to Server-Side Template Injection and can be exploited to gain a shell on the box as user `woodenk`. Enumerating the processes running on the system reveals a `Java` program that is being run as a cron job as user `root`. Upon reviewing the source code of this program, we can determine that it is vulnerable to XXE. Elevation of privileges is achieved by exploiting the XXE vulnerability in the cron job to obtain the SSH private key for the `root` user. We can then log in as user `root` over SSH and obtain the root flag.</description><pubDate>Sat, 09 Jul 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[Blog] First post</title><link>https://blog.zumpyx.com/blog/first-post/</link><guid isPermaLink="true">https://blog.zumpyx.com/blog/first-post/</guid><description>Lorem ipsum dolor sit amet</description><pubDate>Fri, 08 Jul 2022 00:00:00 GMT</pubDate><category>blog</category></item><item><title>[HTB · Machines] Faculty</title><link>https://blog.zumpyx.com/hackthebox/machines/0480-faculty/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0480-faculty/</guid><description>Faculty is a medium Linux machine that features a PHP web application that uses a library which is vulnerable to local file inclusion. Exploiting the LFi in this library reveals a password which can be used to log in as a low-level user called `gbyolo` over SSH. The user `gbyolo` has permission to run an `npm` package called `meta-git` as the `developer` user. The version of the `meta-git` installed on this box is vulnerable to code injection, whi换行ch can be exploited to escalate the privileges to the user `developer`. The privilege escalation to `root` can be performed by exploiting the `CAP_SYS_PTRACE` capability to inject shellcode into a process running as `root`.</description><pubDate>Sat, 02 Jul 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Carpediem</title><link>https://blog.zumpyx.com/hackthebox/machines/0478-carpediem/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0478-carpediem/</guid><description>Carpediem is a hard difficulty Linux machine that focuses on enumeration, web exploitation, VoIP, network sniffing and container breakout. Initial foothold is obtained by abusing some still-in-development functions in a custom built web application, gaining access to an administrative dashboard where a web shell can be uploaded by modifying a POST request, resulting in arbitrary code execution inside a Docker container. Enumeration of Trudesk tickets leads to VoIP credentials, which in turn allow to retrieve a user password by listening to a voicemail message, resulting in low-privileged SSH access to the system. Sniffing TLS-encrypted traffic, which can be decrypted using a world-readable private key file, reveals credentials to access an internal instance of Backdrop CMS, where remote command execution on a second container can be obtained by uploading a custom module. A cron job running with `root` privileges can be exploited to escalate privileges inside the container, and finally escape the container by exploiting CVE-2022-0492, obtaining `root` access to the host.</description><pubDate>Sat, 25 Jun 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Trick</title><link>https://blog.zumpyx.com/hackthebox/machines/0477-trick/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0477-trick/</guid><description>Trick is an Easy Linux machine that features a DNS server and multiple vHost&amp;amp;amp;amp;amp;amp;amp;#039;s that all require various steps to gain a foothold. It requires basic knowledge of DNS in order to get a domain name and then subdomain that can be used to access the first vHost. On the first vHost we are greeted with a Payroll Management System that is vulnerable to SQL Injection. Using `sqlmap` we find we have file privileges and can read system files. Reading an Nginx configuration file reveals another vHost. This vHost contains a Local File Inclusion (LFI) vulnerability that can be exploited. Sending a mail to one of the users with PHP code embedded and then including that mail with the LFI allows for Remote Code Execution (RCE). After the initial foothold we find a Sudo command that can be executed without a password. The command restarts the `fail2ban` service. The configuration directory of fail2ban contains a directory that is owned by a group that the current user is part of. The user has write access to the directory and can rename a configuration file and replace it with their own, which leads to Remote Code Execution  as root once a ban is triggered.</description><pubDate>Sat, 18 Jun 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Base</title><link>https://blog.zumpyx.com/hackthebox/machines/0479-base/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0479-base/</guid><description>Base is a very easy Linux machine that focuses on exploiting PHP misconfigurations and insecure coding practices. A vulnerable web application with a listable login folder reveals a swap file containing the PHP code for the web-app. A brief analysis of the code reveals a comparison vulnerability in the login function which allows authentication bypass. With authorized access to the web-app, a reverse shell can be uploaded to grant initial access to the host machine. Then, the web application configuration files can be examined to find a plaintext password allowing SSH access to a more privileged user. Finally, privilege escalation can be achieved abusing misconfigured sudo permissions on the find binary.</description><pubDate>Thu, 16 Jun 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Scrambled</title><link>https://blog.zumpyx.com/hackthebox/machines/0476-scrambled/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0476-scrambled/</guid><description>Scrambled is a medium Windows Active Directory machine. Enumerating the website hosted on the remote machine a potential attacker is able to deduce the credentials for the user `ksimpson`. On the website, it is also stated that NTLM authentication is disabled meaning that Kerberos authentication is to be used. Accessing the `Public` share with the credentials of `ksimpson`, a PDF file states that an attacker retrieved the credentials of an SQL database. This is a hint that there is an SQL service running on the remote machine. Enumerating the normal user accounts, it is found that the account `SqlSvc` has a `Service Principal Name` (SPN) associated with it. An attacker can use this information to perform an attack that is knows as `kerberoasting` and get the hash of `SqlSvc`. After cracking the hash and acquiring the credentials for the `SqlSvc` account an attacker can perform a `silver ticket` attack to forge a ticket and impersonate the user `Administrator` on the remote MSSQL service. Enumeration of the database reveals the credentials for user `MiscSvc`, which can be used to execute code on the remote machine using PowerShell remoting. System enumeration as the new user reveals a `.NET` application, which is listening on port `4411`.  Reverse engineering the application reveals that it is using the insecure `Binary Formatter` class to transmit data, allowing the attacker to upload their own payload and get code execution as `nt authority\system`.</description><pubDate>Sat, 11 Jun 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Seventeen</title><link>https://blog.zumpyx.com/hackthebox/machines/0473-seventeen/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0473-seventeen/</guid><description>Seventeen is a hard Linux machine that features an SQL injection vulnerability in an `exam management system` web application, which allows dumping the available databases from the remote machine. From there, a new vhost can be discovered which is an old file management system. Enumerating the available files, another vhost that runs a Roundcube instance can be found. Combining some clues, like the date that the files were uploaded to the management system and the contents of the files, it turns out that the version of the installed Roundcube instance is vulnerable to a PHP file inclusion vulnerability, enabling an attacker to get a reverse shell. Then, enumerating the remote system as `www-data` some hard coded credentials can be found. It turns out that these credentials are valid for the user `mark` over SSH. Afterwards, it is discovered that on the remote machine a local `npm` registry is running. Installing a private npm module reveales another set of hard-coded credentials, this time for the user `kavi`.  For the root part, `kavi` is able to run a package dependency resolve script  as `root`. The script uses `npm` again to install the packages, so an attacker can create a private registry to his machine, host a malicious npm package and point the script to that registry. Then after the malicious package is executed a reverse shell as `root` can be obtained.</description><pubDate>Sat, 28 May 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] OpenSource</title><link>https://blog.zumpyx.com/hackthebox/machines/0471-opensource/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0471-opensource/</guid><description>OpenSource is an easy difficulty linux machine that features a Python HTTP server listening on port 80. After downloading the web application&amp;amp;amp;amp;amp;#039;s source code, a Git repository is identified. Viewing the previous commits on the repository reveals a Virtual Studio Code settings file that contains a set of credentials for user `dev01`. Analysis of the application source code reveals that it is vulnerable to unrestricted file uploading and Directory traversal attacks, which can be abused in order to overwrite `views.py` and obtain Remote Command Execution. Users can leverage the RCE to obtain a reverse shell inside a Docker container. The container network can be used to enumerate the host machine internally and identify a `Gitea` instance running on port 3000. The credentials that were identified earlier can be used to login to the `Gitea` instance and download a backup of `dev01` user&amp;amp;amp;amp;amp;#039;s SSH keys. After connecting to the host system with SSH, `Pspy` can be used to identify a cron job that is running as `root` and searches for changes in a repository found in the home directory of user `dev01`. The Git configuration file can be edited by the low level user and the `fsmonitor` parameter can be leveraged to obtain a root shell.</description><pubDate>Sat, 21 May 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Response</title><link>https://blog.zumpyx.com/hackthebox/machines/0468-response/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0468-response/</guid><description>Response is an Insane Linux machine that simulates an Internet facing server of a company, which provides automated scanning services to their customers. An `SSRF` vulnerability in the public website allows a potential attacker to query websites on the internal network. One of those internal websites is a chat application, which uses the `socket.io` library. Using some advanced SSRF techniques the attacker can access the internal chat application and retrieve the source code. The source code of the internal chat application reveals that the authentication is performed through an `LDAP` server. The attacker can change the `LDAP` server used by the application to one that he controls thus, performing an authentication bypass. Now, the attacker is logged in as the `admin` user on the internal chat application. The employee `bob` is willing to share sensitive information with the `admin` user including the credentials for an internal `FTP` server. The employee, also asks `admin` to send him a link, which he will open in his browser. This allows the attacker to craft and host a malicious Javascript payload, which queries the internal `FTP` server with the provided credentials by leveraging `Cross-Protocol Request Forgery`. Since the `FTP` server uses the `active mode` by default, data can be exfiltrated from the server to the attackers local machine. This data includes credentials for the user `bob`, which now can be used to access the box via `SSH`. Once on the box the attacker can inspect the automated scanning engine of the company, which is basically a `bash` script using `nmap`. This script retrieves the IP address of the servers supposed to be scanned as well as the email address of the corresponding customer via `LDAP`. The scan result is converted to a `PDF` file, which is sent to the customer&amp;amp;amp;amp;amp;amp;amp;#039;s email address. One of the used `nmap` `nse` scripts (`ssl-cert`) is slightly modified introducing a directory traversal vulnerability. This vulnerability can be used to read arbitrary files by creating a malicious `TLS` certificate with a directory traversal payload on the `State or Province Name` field, running an `HTTPS` server using this certificate and adding an `LDAP` entry for this server, so that it is scanned and the payload gets triggered. To receive the results of the scanning process an email address must be placed on the LDAP info for this server while setting up both a `DNS` and an `SMTP` server locally to resolve the DNS requests. With this setup, an attacker can leverage this vulnerability to acquire the `SSH` private key of the user `scryh`. The user `scryh` has access to a recent incident report as well as to all the related files. The report describes an attack where the attacker was able to trick the server `admin` into executing a meterpreter binary. The files attached to the report are a core dump of the running process as well as the related network capture. The attacker is able to combine all the clues to decrypt the meterpreter traffic and retrieve a `zip` archive. The archive contains the `authorized_keys` file of the `root` user as well as a screenshot, which shows the last few lines of the `root` private SSH key. By extracting the `RSA` values `N` and `e` from the `authorized_keys` file and the `q` value from the partial private key, the attacker can re-create the private key of `root` and use it to login as `root` through SSH.</description><pubDate>Sat, 14 May 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Redeemer</title><link>https://blog.zumpyx.com/hackthebox/machines/0472-redeemer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0472-redeemer/</guid><description>Redeemer is a very easy Linux machine which explores the enumeration and exploitation of a Redis database server while showcasing the redis-cli command line utility and basic commands to interact with the Redis service.</description><pubDate>Wed, 11 May 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] BackendTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0469-backendtwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0469-backendtwo/</guid><description>BackendTwo is a medium-difficulty Linux machine that extends the initial Backend UHC box, incorporating some fresh vulnerabilities alongside a few minor repetitions of steps that remained unexploited in UHC competitions. The process begins with an API whose functions are revealed through fuzzing to identify a registration endpoint. Following this, a mass assignment vulnerability is exploited to assign administrative privileges to a user. Subsequently, access is obtained to a file-read endpoint, allowing for the reading of /proc to uncover the page source, and ultimately, the JWT&amp;amp;amp;#039;s signing secret. This knowledge enables the forging of a new token, granting access to the file-write API. Here, a backdoor is discreetly inserted into an endpoint, which facilitates shell access (the method for forcefully gaining entry is also demonstrated). Escalation involves leveraging password reuse and exploiting weaknesses in pam-wordle.</description><pubDate>Mon, 02 May 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] OverGraph</title><link>https://blog.zumpyx.com/hackthebox/machines/0464-overgraph/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0464-overgraph/</guid><description>Overgraph is a hard Linux machine that starts of with a static webpage on port 80. Enumerating for possible vhosts an attacker is able to identify `graph.htb`, `internal.graph.htb` and `internal-api.graph.htb` as valid vhosts. The `internal` vhost is protected by a login screen. An attacker, is able to register a new account and using a NoSQL injection he can bypass the OTP mail validation step. After logging in to the web application and enumerating the new environment it is discovered that two cookies define if the user is an administrator or not. One of the cookies is set to the simple value `false` so the attacker can simply change that to `true`. The other cookie is a token and it is uncertain if the attacker can generate a valid administrator token. Further enumeration of the web application reveals that there is a chat application implemented and another user is asking for a link. Using an intricate combination of Cross Site Scripting and Cross Server Request Forgery an attacker is able to steal the administrator token from the other user and get administrative privileges. At this point, a new functionality is available, which allows the upload of video files. These files seem to undergo some kind of processing after they are uploaded. By exploiting a bug in `FFmpeg`, the SSH key of the user `user` can be exfiltrated. Enumerating the remote machine as the user `user` reveals that `root` is executing a binary that listens only on localhost. The binary is vulnerable to a `Use After Free` attack. By exploiting this vulnerability the attacker is able to gain code execution as `root`.</description><pubDate>Sat, 30 Apr 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Late</title><link>https://blog.zumpyx.com/hackthebox/machines/0463-late/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0463-late/</guid><description>Late is an Easy Linux machine that features a Server Side Template Injection (SSTI) vulnerability in a text reading application, which leads to Remote Code Execution as user `svc_acc`. Enumeration for files owned by this user reveals a script that is executed whenever an SSH connection to the system is initiated or dropped. This script runs as the `root` user, however, enumeration of the file attributes show that it cannot be directly edited, but data can be appended. A reverse shell can be added at the end of this script in order to gain a shell as `root`.</description><pubDate>Sat, 23 Apr 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Backend</title><link>https://blog.zumpyx.com/hackthebox/machines/0462-backend/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0462-backend/</guid><description>Backend is a medium-difficulty Linux machine that features a backend API without a frontend. By fuzzing the API using the HTTP `POST` request method, additional endpoints can be discovered, enabling user registration and authentication. By referring to the `FastAPI` documentation, an endpoint can be identified that allows updating the admin user&apos;s password. Gaining administrative access grants the ability to read files from the server. Analyzing the application&apos;s source code reveals the JWT cookie, which can be modified to edit the JWT token. Utilizing the `debug` parameter, a specific endpoint can be accessed that permits command execution on the server. With an initial shell as a low-privileged user, a log file containing the root user&apos;s password can be found, allowing escalation to root access.</description><pubDate>Tue, 12 Apr 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Talkative</title><link>https://blog.zumpyx.com/hackthebox/machines/0458-talkative/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0458-talkative/</guid><description>Talkative is a hard Linux machine that starts off with a command injection in the `Jamovi` web application, which leads us into the `Jamovi` docker in which we find an `omv` file. Decompressing this `omv` file gives us the credentials for the `admin` user in Bolt CMS. This leads us to get a shell as user `www-data` by exploiting a Server Side Template Injection in `twig`. Further network enumeration gives us a shell as user `saul` on the host.  For `root` we need to leverage port forwarding for connecting to a `MongoDB` server running in a separate container and through that we need to modify RocketChat&amp;amp;amp;amp;amp;#039;s registered user role in order to access the admin&amp;amp;amp;amp;amp;#039;s dashboard in the RocketChat web GUI. Further exploitation of the RocketChat&amp;amp;amp;amp;amp;#039;s webhook functionality gives us a `root` shell in the RocketChat docker container. Since we are `root` in the docker container, we can install `libcap2` and view the system capabilities, which lead to abusing the `CAP_DAC_READ_SEARCH` capability to run the `shocker` exploit and read the root flag.</description><pubDate>Sat, 09 Apr 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Responder</title><link>https://blog.zumpyx.com/hackthebox/machines/0461-responder/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0461-responder/</guid><description>Responder is a very easy Windows machine that focuses on exploring the File Inclusion vulnerability on a web application and how this can be leveraged to collect the NetNTLMv2 challenge of the user that is running the web server. The machine showcases the Responder utility and the hash cracking tool John The Ripper to obtain a cleartext password from an NTLM hash. Finally, the Evil-WinRM tool can be used to get a terminal on the machine using the acquired credentials.</description><pubDate>Wed, 06 Apr 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>windows</category></item><item><title>[HTB · Machines] Retired</title><link>https://blog.zumpyx.com/hackthebox/machines/0456-retired/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0456-retired/</guid><description>Retired is a medium difficulty Linux machine that focuses on simple web attacks, stack-based binary exploitation and insecure kernel features. Initial foothold is gained by exploiting a path traversal vulnerability in a web application, which leads to the discovery of an internal service that is handling uploaded data. The corresponding binary file, its dependencies and memory map can be downloaded via the same path traversal vector, and analysed to identify a buffer overflow vulnerability and obtain the necessary memory addresses and ROP gadgets to develop a working exploit, resulting in an interactive shell on the system. Lateral movement to a second low-privileged user is possible by performing a symlink attack on a scheduled backup script, gaining access to the user&amp;amp;amp;amp;amp;amp;#039;s home directory and their private SSH key file. Finally, a helper program that allows the user to write data to `/proc/sys/fs/binfmt_misc/register` is found, allowing for privilege escalation by leveraging the `credentials` flag when registering a custom handler for `root`-owned setuid files.</description><pubDate>Sat, 02 Apr 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Timelapse</title><link>https://blog.zumpyx.com/hackthebox/machines/0452-timelapse/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0452-timelapse/</guid><description>Timelapse is an Easy Windows machine, which involves accessing a publicly accessible SMB share that contains a zip file. This zip file requires a password which can be cracked by using John. Extracting the zip file outputs a password encrypted PFX file, which can be cracked with John as well, by converting the PFX file to a hash format readable by John. From the PFX file an SSL certificate and a private key can be extracted, which is used to login to the system over WinRM. After authentication we discover a PowerShell history file containing login credentials for the `svc_deploy` user. User enumeration shows that `svc_deploy` is part of a group named `LAPS_Readers`. The `LAPS_Readers` group has the ability to manage passwords in LAPS and any user in this group can read the local passwords for machines in the domain. By abusing this trust we retrieve the password for the Administrator and gain a WinRM session.</description><pubDate>Sat, 26 Mar 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Ransom</title><link>https://blog.zumpyx.com/hackthebox/machines/0457-ransom/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0457-ransom/</guid><description>Ransom is a medium-difficulty Linux machine that starts with a password-protected web application, hosting some files. An attacker is able to bypass the authentication process by modifying the request type and type juggling the arguments. Once access to the files is obtained, a Zip archive of a home directory is downloaded. The archive is encrypted using a legacy method that is vulnerable to a known-plaintext attack. Upon decrypting the archive, the attacker can access the box via SSH, using the uncovered private key. Enumerating the remote machine, the hardcoded password that was required by the webpage is found and reused to authenticate as the root user.</description><pubDate>Tue, 15 Mar 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Catch</title><link>https://blog.zumpyx.com/hackthebox/machines/0450-catch/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0450-catch/</guid><description>Catch is a medium difficulty Linux machine that features several web applications listening on different ports. Port `80` provides a potential attacker with an `APK` file. Inside the `APK` file are leftover tokens for various other services/applications. On port `3000` there is an instance of `Gitea` running. Unfortunately, the token for `Gitea` that was found inside the `APK` is no longer valid and there is no way to progress further on this port. Next, on port `5000` there is a `Let&amp;amp;amp;amp;amp;amp;#039;s chat` application present. The token that was inside the `APK` for this application works and an attacker is able to dump clear text credentials for the user `john`. Finally, on port `8000` there is an instance of the `Cachet` application. It is found that the credentials for the user `john` are valid for this application and that the version present on the system suffers from a remote command execution vulnerability. Leveraging this vulnerability, an attacker is able to get a reverse shell inside a Docker container on the remote machine. Enumerating the container an attacker will find clear text credentials for the user `will`. Trying to SSH to the host machine using the credentials for the user `will` is a success. Enumerating the remote machine an attacker is able to find that a script that validates `APK` files is executed every minute by the user `root`. Analyzing the script it is found that it&amp;amp;amp;amp;amp;amp;#039;s vulnerable to command injection. Thus, an attacker is able to craft a malicious `APK` file, wait for `root` to execute the script and ultimately get a shell as the user `root`.</description><pubDate>Sat, 12 Mar 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Phoenix</title><link>https://blog.zumpyx.com/hackthebox/machines/0448-phoenix/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0448-phoenix/</guid><description>Phoenix is a hard Linux machine that features with a `WordPress` site. Enumerating the website an attacker is able to find that a plugin vulnerable to SQL injection is installed. Unfortunately, the SQL injection is a `blind time-based` attack, which takes a long time to complete. To avoid spending a lot of time the attacker has to make very specific queries to dump only the data he needs to progress further. Dumping the credentials for the `Phoenix` user, which is an administrator, allows the attacker to authenticate but there is a two factor authentication plugin in place which prevents further access. Since the attacker has access to the WordPress database, the secret key to generate valid `One Time Password` can be retrieved and decrypted, thus allowing him to bypass the two factor authentication mechanism. Having access to the Administrator&amp;amp;amp;amp;#039;s panel another vulnerbale plugin is discovered. This time, an attacker is able to upload and execute `.phtml` malicious files in order to get a reverse shell on the remote machine as the `wp_user`. Once on the machine, the attacker is able to enumerate the database further without any constraints on the queries. This enumeration step reveals that the credentials for the WordPress user `Jsmith` are the same for the machine user `editor`. Trying to establish an SSH connection as the user `editor` reveals that there is another two factor authentication mechanism in place. To bypass it this time the attacker needs to investigate the SSH pam authentication mechanism. It is discovered that connections from a specific local subnet are allowed to authenticate without providing a verification password. So, if the attacker makes an SSH connection to the remote machine on the specific subnet he is able to authenticate as the `editor` user. Enumerating the remote machine as the `editor` user reveals a peculiar file with the `.sh.x` extension inside the `PATH`. It turns out that this file is an encrypted compiled shell script. Using `pspy` the clear text source code of this script can be extracted. It turns out it&amp;amp;amp;amp;#039;s a backup script that&amp;amp;amp;amp;#039;s executed every three minutes by the user `root` and it&amp;amp;amp;amp;#039;s vulnerable to wildcard injection attacks. Leveraging this vulnerability the attacker is able to get a reverse shell as the user `root`.</description><pubDate>Sat, 05 Mar 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Bike</title><link>https://blog.zumpyx.com/hackthebox/machines/0449-bike/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0449-bike/</guid><description>Bike is a very easy Linux machine that introduces Server-Side Template Injection (SSTI) in a Node.js application using the Handlebars template engine. The SSTI in the web application can be leveraged to escape the sandbox environment and achieve command execution via Node.js global objects.</description><pubDate>Tue, 01 Mar 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] RouterSpace</title><link>https://blog.zumpyx.com/hackthebox/machines/0444-routerspace/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0444-routerspace/</guid><description>RouterSpace is an Easy Linux machine that features a web page on port 80. The webpage allows the download of an APK package, which is an Android application. Attempts to reverse engineer the APK are unsuccessful as the code is heavily obfuscated. Instead an Android emulator is used to check the functionality of the Android application and a proxy is set up in order to capture the network requests that the application is making. The request captured leads to a hidden API endpoint on the main web application, which is found to be vulnerable to command injection. Through the injection, SSH keys are written to the users home directory and an SSH shell on the system is acquired. Privilege escalation can be achieved by enumerating the system with `LinPEAS` and identifying that it is vulnerable to the `Sudo Baron Samedit` exploit assigned `CVE-2021-3156`. Running the Python exploit produces a root shell.</description><pubDate>Sat, 26 Feb 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] GoodGames</title><link>https://blog.zumpyx.com/hackthebox/machines/0446-goodgames/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0446-goodgames/</guid><description>GoodGames is an Easy linux machine that showcases the importance of sanitising user inputs in web applications to prevent SQL injection attacks, using strong hashing algorithms in database structures to prevent the extraction and cracking of passwords from a compromised database, along with the dangers of password re-use. It also highlights the dangers of using `render_template_string` in a Python web application where user input is reflected, allowing Server Side Template Injection (SSTI) attacks. Privilege escalation involves docker hosts enumeration and shows how having admin privileges in a container and a low privilege user on the host machine can be dangerous, allowing attackers to escalate privileges to compromise the system.</description><pubDate>Mon, 21 Feb 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Epsilon</title><link>https://blog.zumpyx.com/hackthebox/machines/0442-epsilon/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0442-epsilon/</guid><description>Epsilon is a medium difficulty Linux machine which exposes a Git repository on the webserver. AWS credentials are leaked in Git commits, which allows downloading the AWS Lambda function code. Secret key found in the source code can be used to forge a cookie to gain access to the web application. Foothold is obtained by exploiting the Server Side Template Injection vulnerability in the application feature. Abusing the tar symlink in a cronjob gives root access.</description><pubDate>Mon, 07 Feb 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Paper</title><link>https://blog.zumpyx.com/hackthebox/machines/0432-paper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0432-paper/</guid><description>Paper is an easy Linux machine that features an Apache server on ports 80 and 443, which are serving the HTTP and HTTPS versions of a website respectively. The website on port 80 returns a default server webpage but the HTTP response header reveals a hidden domain. This hidden domain is running a WordPress blog, whose version is vulnerable to [CVE-2019-17671](https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2). This vulnerability allows us to view the confidential information stored in the draft posts of the blog, which reveal another URL leading to an employee chat system. This chat system is based on Rocketchat. Reading through the chats we find that there is a bot running which can be queried for specific information. We can exploit the bot functionality to obtain the password of a user on the system. Further host enumeration reveals that the sudo version is vulnerable to [CVE-2021-3560](https://www.exploit-db.com/exploits/50011) and can be exploited to elevate to root privileges.</description><pubDate>Sat, 05 Feb 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Pressed</title><link>https://blog.zumpyx.com/hackthebox/machines/0440-pressed/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0440-pressed/</guid><description>HTB machine: Pressed</description><pubDate>Thu, 03 Feb 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Unified</title><link>https://blog.zumpyx.com/hackthebox/machines/0441-unified/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0441-unified/</guid><description>Unified is a very easy Linux machine that demonstrates the exploitation of the Log4Shell (CVE-2021-44228) vulnerability in the UniFi Network application. Enumeration reveals a vulnerable UniFi instance where a remote execution can be achieved by crafting and injecting a JNDI payload into a POST request. Then a local MongoDB database can be leveraged to reset the administrator password and gain access to the UniFi admin panel. Plaintext SSH credentials can be discovered in the application settings leading to final privilege escalation.</description><pubDate>Wed, 02 Feb 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Scanned</title><link>https://blog.zumpyx.com/hackthebox/machines/0431-scanned/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0431-scanned/</guid><description>Scanned is an Insane Linux machine that starts with a webpage of a malware scanning application. The source code for both the web application and a sandboxing application is available for review through the webpage. A potential attacker will have to review the source code and trace some minor coding mistakes that combined could lead to a full system compromise. An attacker can exploit these mistakes and craft a binary that can bypass the sandbox and leak sensitive information from the remote machine. The attacker can retrieve a password hash that once cracked, reveals a valid password for the user `clarence` through SSH. Once the attacker has proper access to the remote machine, enumerating for possible privilege escalation paths yields no fruitful results. So, they have to re-use the context of the original foothold to exploit the `chroot` mechanism of the sandbox by hijacking a library used by a SUID binary. Through this exploitation process, an attacker can create a backdoor on the system and gain `root` privileges.</description><pubDate>Sat, 29 Jan 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] AdmirerToo</title><link>https://blog.zumpyx.com/hackthebox/machines/0427-admirertoo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0427-admirertoo/</guid><description>AdmirerToo is a hard rated Linux machine. The initial port scan reveals a few filtered/internal ports along with port 22 running SSH &amp;amp;amp;amp;amp;amp; port 80, which is serving a photo gallery webpage. Enumerating the website leads us to the Adminer service running on one of the sub-domains. The installed version of the Adminer service is vulnerable to an SSRF vulnerability, [CVE-2021-21311](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21311) which can be exploited to enumerate the service running on the internal port 4242. The internal port 4242 is running the OpenTSDB service which is vulnerable to [CVE-2020-35476](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35476), allowing command injection via HTTP requests, through which we eventually get a shell as user `opentsdb`. System enumeration reveals credentials that can be used to move laterally and SSH into the remote host as user `jennifer`. Further host enumeration reveals that OpenCATS service is running on the internal port 8080 which is vulnerable to [PHP Object Injection vulnerability](https://snoopysecurity.github.io/web-application-security/2021/01/16/09_opencats_php_object_injection.html) that results in arbitrary file write ([CVE-2021-25294](https://www.cvedetails.com/cve/CVE-2021-25294/)). The remote host is also running `fail2ban` with mailing configuration that can be exploited by chaining together with the vulnerability present in OpenCATS to override the `whois` configuration file and obtain a `root` user shell.</description><pubDate>Sat, 15 Jan 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] NodeBlog</title><link>https://blog.zumpyx.com/hackthebox/machines/0430-nodeblog/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0430-nodeblog/</guid><description>HTB machine: NodeBlog</description><pubDate>Mon, 10 Jan 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Pandora</title><link>https://blog.zumpyx.com/hackthebox/machines/0423-pandora/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0423-pandora/</guid><description>Pandora is an easy rated Linux machine. The port scan reveals a SSH, web-server and SNMP service running on the box. Initial foothold is obtained by enumerating the SNMP service, which reveals cleartext credentials for user `daniel`. Host enumeration reveals Pandora FMS running on an internal port, which can be accessed through port forwarding. Lateral movement to another user called `matt` is achieved by chaining SQL injection &amp;amp;amp;amp;amp;amp; RCE vulnerabilities in the PandoraFMS service. Privilege escalation to user `root` is performed by exploiting a SUID binary for PATH variable injection.</description><pubDate>Sat, 08 Jan 2022 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] LogForge</title><link>https://blog.zumpyx.com/hackthebox/machines/0428-logforge/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0428-logforge/</guid><description>LogForge was is box that developed for the Ultimate Hacking Championship event which focused on the Log4j / Log4Shell exploit. To start, there’s an Orange Tsai attack against how Apache is hosting Tomcat, allowing the bypass of restrictions to get access to the manager page. From there, I’ll exploit Log4j to get a shell as the tomcat user. With a foothold on the machine, there’s an FTP server running as root listening only on localhost. This FTP server is Java based, and reversing it shows it’s using Log4j to log usernames. I’ll exploit this to leak the environment variables used to store the username and password needed to access the FTP server, and use that to get access to the root flag. The password also works to get a root shell. In Beyond Root I’ll look at using netcat to read the LDAP requests and do some binary reverse engineering of LDAP on the wire.</description><pubDate>Thu, 23 Dec 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Search</title><link>https://blog.zumpyx.com/hackthebox/machines/0422-search/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0422-search/</guid><description>Search is a hard difficulty Windows machine that focuses on Active Directory enumeration and exploitation techniques. Foothold is obtained by finding exposed credentials in a web page, enumerating AD users, running a Kerberoast attack to obtain a crackable hash for a service account and spraying the password against a subset of the discovered accounts, obtaining access to a SMB share where a protected XLSX file containing user data is found. Unprotecting the file leads to a second set of credentials, which gives access to another share where PKCS#12 certificates can be downloaded. After importing the certificates into a web browser, Windows PowerShell Web Access can be used to obtain an interactive shell on the system. Due to misconfigured ACLs, the user can retrieve the password of a group managed service account which can change the password of an administrative user, resulting in high-privileged access to the system via `wmiexec` or `psexec`.</description><pubDate>Sat, 18 Dec 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Timing</title><link>https://blog.zumpyx.com/hackthebox/machines/0421-timing/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0421-timing/</guid><description>Timing is a Medium difficulty Linux machine that features an Apache web server running on port 80. A login page on the server is found to be vulnerable to a Side Channel Enumeration attack that allows us to identify valid users. The username `aaron` is identified through the enumeration attack, as well as their password. Upon successful login a profile settings page can be used to increase the privileges of user Aaron by setting the initially hidden `role` parameter. The administrative panel allows users to upload avatars for their account. A JavaScript file found in the HTML source code is used to identify a Local File Inclusion vulnerability that is present in the `images.php` file. This vulnerability can be used to read the source code of the web application files and specifically the mechanism that handles the avatar uploads. This mechanism uses a pseudo random calculation that takes into account the current time in order to randomise the names of the files that are uploaded so that users cannot find them. By brute forcing this mechanism a JPG file that contains PHP code can be uploaded and identified on the server. This combined with the LFI is used to get Remote Code Execution on the remote system. Lateral Movement is achieved by identifying a backup of the web files that contain a Git repository, in a previous commit of which valid SSH credentials are found. Finally, privileges are escalated by abusing a script that the user can run as root via Sudo, that uses the Axel command line utility to download files from the internet. An Axel configuration file is placed in the user&amp;amp;amp;amp;amp;#039;s home directory that instructs the utility to place a downloaded file in the SSH directory of the root user thus granting SSH access as root.</description><pubDate>Sat, 11 Dec 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Fingerprint</title><link>https://blog.zumpyx.com/hackthebox/machines/0417-fingerprint/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0417-fingerprint/</guid><description>Fingerprint is an insane difficulty Linux machine which mainly focuses on web-based vulnerabilities such as HQL injection, Cross-Site Scripting and Java deserialization (with a custom gadget chain), with some additional focus on cryptography. Initial foothold requires the concatenation of multiple steps, involving two separate web applications: HQL injection and XSS are exploited to bypass multi-factor authentication and gain access to a page where serialized Java data can be uploaded; path traversal is used to read Flask source code and obtain the application secret, which can be used to forge malicious JWT tokens and trigger deserialization of the uploaded data, leading to remote code execution. Lateral movement is possible due to a setuid binary that matches regular expressions on files, allowing to brute force the private SSH key of the user. Finally, privileges are escalated by accessing a local development version of the initial web application (still vulnerable to arbitrary file read via directory traversal) with added cookie cryptography. The insecure ECB mode is used, which allows attackers to forge an administrative cookie, gaining access to the vulnerable page where `root`&amp;amp;amp;#039;s private key file can be read, and ultimately resulting in an interactive shell with `root` privileges.</description><pubDate>Sat, 04 Dec 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Unicode</title><link>https://blog.zumpyx.com/hackthebox/machines/0415-unicode/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0415-unicode/</guid><description>Unicode is a medium difficulty Linux machine. The machine begins with the enumeration of a webserver. Upon registering a new account on the webserver a JWT cookie is used to authenticate the current session. Inspecting the JWT cookie reveals that it is signed through a `jwks.json` file stored on the server. Further enumeration reveals a `/redirect?url=` endpoint. Combining the findings so far an attacker could use the `jwt_tool` to craft a cookie that authenticates the Administrator user. Replacing the authentication cookie with the newly crafted one, the attacker is able to access a new dashboard. Searching around the dashboard an heavily filtered LFI endpoint is discovered. To bypass the filtration a `HostSplit` attack can be used since the webserver converts Unicode characters back to ASCII. Enumerating the local file system a YAML file can be found inside the `code` user&amp;amp;amp;amp;amp;#039;s home directory. The YAML file contains credential that allows SSH authentication on the remote machine as the user `code`. The user `code` is able to execute a binary as the `root` user. Inspecting the binary it is revealed that it is a Python compiled binary. The attacker is able to transfer the binary to a local machine and extract the source code using `pyinstxtractor` and `uncompyle6`. Reviewing the source code the attacker is able to spot a filtering bypass to inject command arguments to a `curl` call, thus allowing him to place an SSH key inside root&amp;amp;amp;amp;amp;#039;s directory and ultimately authenticate as `root` on the remote machine using SSH.</description><pubDate>Sat, 27 Nov 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Union</title><link>https://blog.zumpyx.com/hackthebox/machines/0418-union/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0418-union/</guid><description>Union is an medium difficulty linux machine featuring a web application that is vulnerable to SQL Injection. There are filters in place which prevent SQLMap from dumping the database. Users are intended to manually craft union statements to extract information from the database and website source code. The database contains a flag that can be used to authenticate against the machine and upon authentication the webserver runs an iptables command to enable port 22. The credentials for SSH are in the PHP Configuration file used to authenticate against MySQL. Once on the machine, users can examine the source code of the web application and find out by setting the X-FORWARDED-FOR header, they can perform command injection on the system command used by the webserver to whitelist IP Addresses.</description><pubDate>Mon, 22 Nov 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Backdoor</title><link>https://blog.zumpyx.com/hackthebox/machines/0416-backdoor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0416-backdoor/</guid><description>Backdoor is an easy difficulty Linux machine which is hosting a Wordpress blog with an installed plugin that is vulnerable to a directory traversal exploit. This allows us to read the files in the /proc directory and identify the gdbserver running on one of the ports of the server. An RCE exploit for gdbserver can be used to gain foothold. Further, on analyzing the processes running on the system, it is discovered that a screen session is running with root privileges. Attaching to this screen session leads to root access.</description><pubDate>Sat, 20 Nov 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Toby</title><link>https://blog.zumpyx.com/hackthebox/machines/0409-toby/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0409-toby/</guid><description>Toby, is a linux box categorized as Insane. The initial foothold on this box is about enumeration and exploiting a leftover backdoor in a Wordpress blog that was previously compormised. Eventually, a shell can be retrivied to a docker container. Enumerating the Docker environment, we can identify more Docker containers on the same internal network. Having access to the internal network a pivot can be made on an exposed MySQL server to extract some password hashes. Upon cracking the password hashes and testing for password re-use on previously exposed services the source code for a web application running on the internal Docker network can be found. The source code exposes a way to make the MySQL server connect back to a local machine. Using a rogue MySQL server and monitoring the inbound traffic a MySQL network authentication hash can be constructed and then cracked to reveal a plain text password. Testing for password re-use on the internal network containers, with SSH enabled, results in a valid authentication. Then, monitoring for interesting process shows a way to read a private SSH key for the user `jack` on the host machine. For the privilige escalation step, a malicious PAM module should be identified. Upon reversing it, it becomes clear that a time based bruteforce can be implemented to extract a hardcoded password character-by-character and then use this password to get `root`.</description><pubDate>Sat, 06 Nov 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Nunchucks</title><link>https://blog.zumpyx.com/hackthebox/machines/0414-nunchucks/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0414-nunchucks/</guid><description>Nunchucks is a easy machine that explores a NodeJS-based Server Side Template Injection (SSTI) leading to an AppArmor bug which disregards the binary&amp;amp;amp;#039;s AppArmor profile while executing scripts that include the shebang of the profiled application.</description><pubDate>Tue, 02 Nov 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Secret</title><link>https://blog.zumpyx.com/hackthebox/machines/0408-secret/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0408-secret/</guid><description>Secret is an easy Linux machine that features a website that provides the source code for a custom authentication API. Enumeration of the provided source code reveals that it is in fact a `git` repository. Reviewing previous commits reveals the secret required to sign the JWT tokens that are used by the API to authenticate users. Reviewing  the source code the endpoint `/logs` is found to be vulnerable to command injection attacks provided that the user accessing it has a token to verify his identity as `theadmin`. Having the secret to sign a JWT token we can forge a malicious token to spoof our identity as `theadmin` and exploit the vulnerable endpoint in order to get a reverse shell on the remote machine as the user `dasith`.  Enumerating the remote file system, a SUID binary is found along with it&amp;amp;amp;amp;amp;#039;s source code. The SUID binary runs as `root` and reads any file on the remote system. Furthermore, core dumps are enabled meaning that if a crash occurs during the operation of the binary and a sensitive file is loaded, the core dump will have the file&amp;amp;amp;amp;amp;#039;s contents. Exploiting this path we can get the contents of root&amp;amp;amp;amp;amp;#039;s SSH key and get a shell as`root` on the remote machine.</description><pubDate>Sat, 30 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Spooktrol</title><link>https://blog.zumpyx.com/hackthebox/machines/0413-spooktrol/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0413-spooktrol/</guid><description>Spooktrol is a hard-difficulty Linux machine that demonstrates exploitation of a malware C2 server. The tasking message is hijacked to upload a file using a directory traversal vulnerability. This vulnerability allows the SSH key to be written to the root user&apos;s `authorized_keys` file within the container. By exploiting the C2 framework&apos;s database, a task is written to another agent, granting access to a shell on the system.</description><pubDate>Tue, 26 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Archetype</title><link>https://blog.zumpyx.com/hackthebox/machines/0287-archetype/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0287-archetype/</guid><description>Archetype is a very easy Windows machine that features a misconfigured Microsoft SQL server, exposed SMB shares and sensitive data exposure. An exposed SMB share can be accessed without authentication in which sensitive files can be found containing plaintext credentials. These credentials can be used to authenticate to MSSQL as the service account user through Impacket&apos;s mssqlclient tool. Command execution can then be achieved by enabling xp_cmdshell after which a reverse shell can be uploaded and triggered to get access to the host. Finally, WinPeas can be used to search for vulnerabilities which reveals a Powershell history file containing the password needed to achieve full privilege escalation.</description><pubDate>Mon, 25 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>windows</category></item><item><title>[HTB · Machines] Oopsie</title><link>https://blog.zumpyx.com/hackthebox/machines/0288-oopsie/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0288-oopsie/</guid><description>Oopsie is a very easy Linux machine that highlights the impact of information disclosure and broken access control in web applications. Website enumeration reveals a guest login with manipulatable cookies and user IDs allowing escalation to an admin role and access to a file upload feature. A PHP reverse shell is then uploaded to gain an initial foothold. Further enumeration exposes hardcoded credentials enabling lateral movement to another user. Finally, privilege escalation is achieved by abusing a misconfigured SUID binary through PATH hijacking.</description><pubDate>Mon, 25 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Vaccine</title><link>https://blog.zumpyx.com/hackthebox/machines/0289-vaccine/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0289-vaccine/</guid><description>Vaccine is a very easy Linux machine that emphasizes enumeration and password cracking. Anonymous FTP access exposes a password-protected backup archive which can be cracked to recover web application credentials. These credentials grant access to a PHP application vulnerable to SQL injection which leads to command execution and an initial shell as the postgres user. Finally, privilege escalation can be achieved by abusing misconfigured sudo permissions on vi.</description><pubDate>Mon, 25 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Markup</title><link>https://blog.zumpyx.com/hackthebox/machines/0293-markup/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0293-markup/</guid><description>Markup is a very easy Windows machine that explores XML External Entity (XXE) vulnerabilities, insecure file permissions and misconfigured scheduled tasks. A vulnerable web application allows for user-supplied XML input to be parsed allowing the retrieval of sensitive files on the host machine, including the user&apos;s private SSH key. Privilege escalation can be achieved by identifying and overwriting a scheduled batch script with insecure permissions to execute a reverse shell.</description><pubDate>Mon, 25 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>windows</category></item><item><title>[HTB · Machines] Overflow</title><link>https://blog.zumpyx.com/hackthebox/machines/0399-overflow/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0399-overflow/</guid><description>Overflow is a hard difficulty Linux machine that showcases different vulnerabilities and exploitation techniques such as Padding Oracle attacks, SQL Injection, Remote Code Execution in ExifTool (CVE-2021-22204) and binary exploitation. Foothold is obtained by running a Padding Oracle attack on a session cookie, obtaining administrator access to a web application. Next, an SQL Injection vulnerability is exploited to retrieve credentials that allow access to a second web application, which in turn contains information for accessing a third application, where image files can be uploaded resulting in Remote Command Execution through ExifTool. Lateral movement to a second user is possible due to password reuse. Having the ability to overwrite the `/etc/hosts` file, a scheduled job can be hijacked to execute an attacker-hosted payload, granting access to a third unprivileged user. Finally, exploiting a buffer overflow in a `setuid` binary results in the escalation of privileges to `root`.</description><pubDate>Sat, 23 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Devzat</title><link>https://blog.zumpyx.com/hackthebox/machines/0398-devzat/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0398-devzat/</guid><description>Devzat is a medium Linux machine that features a web server and the `Devzat` chat application. Upon enumerating the web server, a new vhost called `pets` can be discovered. The `pets` vhost has a  `.git` directory with listing enabled, providing access to the source code of `pets`. Reviewing the source code, a command injection vulnerability is discovered allowing an attacker to gain a reverse shell as the user `patrick`. Logging to the `Devzat` chat application as `patrick` on the remote machine the chat history between `patrick` and `admin` reveals that `InfluxDB` is installed on the remote system. Enumerating `InfluxDB` it is discovered that the version installed is vulnerable to [CVE-2019-20933](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20933), an authentication bypass vulnerability. Exploiting the aforementioned vulnerability an attacker is able to dump the contents of `InfluxDB` revealing the password of the user `catherine`. Switching from `patrick` to `catherine` and logging in to the Devzat chat application as `catherine` the chat history between the two reveals that a `dev` application is running on the remote machine and it&amp;amp;amp;amp;#039;s source code is located on the `backups` of `catherine`. Reviewing the source code of the `dev` service, it is revealed that it&amp;amp;amp;amp;#039;s the same Devzat chat application with an extra authenticated command to include files on the chat.  The credentials to perform this action are hard-coded on the source code and the command is vulnerable to LFI. Meaning that `catherine` can login to the `dev` chat, dump the contents of the SSH key of `root` and ultimately gain a shell as `root` on the remote machine using the SSH key.</description><pubDate>Sat, 16 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Appointment</title><link>https://blog.zumpyx.com/hackthebox/machines/0402-appointment/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0402-appointment/</guid><description>Appointment is a very easy Linux machine which showcases beginner SQL Injection techniques against an SQL database enabled web application.</description><pubDate>Wed, 06 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Sequel</title><link>https://blog.zumpyx.com/hackthebox/machines/0403-sequel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0403-sequel/</guid><description>Sequel is a very easy Linux machine that introduces a vulnerable MySQL service misconfigured to allow access without a password. The machine showcases how to enumerate and interact with the database through SQL queries to extract critical information.</description><pubDate>Wed, 06 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Crocodile</title><link>https://blog.zumpyx.com/hackthebox/machines/0404-crocodile/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0404-crocodile/</guid><description>Crocodile is a very easy Linux machine which showcases the dangers of misconfigured authentication and sensitive data exposure. A vulnerable FTP server instance is misconfigured to allow anonymous authentication and upon enumerating the server, sensitive files can be found containing cleartext credentials. Enumerating and fuzzing the website will reveal a hidden login endpoint where the previously acquired credentials can be used to gain access to the admin panel.</description><pubDate>Wed, 06 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Ignition</title><link>https://blog.zumpyx.com/hackthebox/machines/0405-ignition/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0405-ignition/</guid><description>Ignition is a very easy Linux machine that features basic enumeration of web applications and virtual host resolution. Upon enumerating open services, an Nginx web server is discovered which requires local domain name resolution to be accessed properly. After enumerating the website and conducting directory fuzzing, a Magento admin panel can be found with weak credentials.</description><pubDate>Wed, 06 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Pennyworth</title><link>https://blog.zumpyx.com/hackthebox/machines/0406-pennyworth/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0406-pennyworth/</guid><description>Pennyworth is a very easy Linux machine that focuses on exploiting weak credentials and remote command execution in Jenkins. Default credentials can be used to get administrative access into Jenkins with which the Script Console can be leveraged to execute Groovy code and obtain a reverse shell.</description><pubDate>Wed, 06 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Tactics</title><link>https://blog.zumpyx.com/hackthebox/machines/0407-tactics/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0407-tactics/</guid><description>Tactics is a very easy Windows machine that features misconfigured SMB shares where an Administrator account without a password allows access to administrative shares. This misconfiguration can be abused manually with the SMB command line interface to retrieve sensitive files, or Impacket&apos;s psexec can be used to obtain a SYSTEM-level shell.</description><pubDate>Wed, 06 Oct 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>windows</category></item><item><title>[HTB · Machines] Fawn</title><link>https://blog.zumpyx.com/hackthebox/machines/0393-fawn/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0393-fawn/</guid><description>Fawn is a very easy Linux machine which explores the File Transfer Protocol (FTP) and its exploitation when misconfigured to allow anonymous access.</description><pubDate>Thu, 30 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Meow</title><link>https://blog.zumpyx.com/hackthebox/machines/0394-meow/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0394-meow/</guid><description>Meow is a very easy Linux machine which guides players on setting up their attacking machines, connecting to HTB labs via VPN and demonstrates the strategy of how to complete them. The machine focuses on beginner enumeration techniques and showcases the exploitation of a vulnerable Telnet service through default credentials.</description><pubDate>Thu, 30 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Dancing</title><link>https://blog.zumpyx.com/hackthebox/machines/0395-dancing/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0395-dancing/</guid><description>Dancing is a very easy Windows machine which introduces the Server Message Block (SMB) protocol, its enumeration and its exploitation when misconfigured to allow access without a password.</description><pubDate>Thu, 30 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>windows</category></item><item><title>[HTB · Machines] Explosion</title><link>https://blog.zumpyx.com/hackthebox/machines/0396-explosion/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0396-explosion/</guid><description>Explosion is a very easy Windows machine that showcases the Remote Desktop Protocol (RDP), how to interact with it using the xfreerdp client and how improper configurations can allow unauthenticated access.</description><pubDate>Thu, 30 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>windows</category></item><item><title>[HTB · Machines] Preignition</title><link>https://blog.zumpyx.com/hackthebox/machines/0397-preignition/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0397-preignition/</guid><description>Preignition is a very easy Linux machine which explores beginner enumeration and directory fuzzing of web applications. Upon finding a vulnerable Admin login endpoint, the web app showcases the dangers of improper configuration and default credentials.</description><pubDate>Thu, 30 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>very-easy</category><category>linux</category></item><item><title>[HTB · Machines] Antique</title><link>https://blog.zumpyx.com/hackthebox/machines/0400-antique/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0400-antique/</guid><description>Antique is an easy Linux machine featuring a network printer disclosing credentials through SNMP string which allows logging into telnet service. Foothold can be obtained by exploiting a feature in printer. CUPS administration service running locally. This service can be exploited further to gain root access on the server.</description><pubDate>Mon, 27 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Return</title><link>https://blog.zumpyx.com/hackthebox/machines/0401-return/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0401-return/</guid><description>Return is an easy difficulty Windows machine featuring a network printer administration panel that stores LDAP credentials. These credentials can be captured by inputting a malicious LDAP server which allows obtaining foothold on the server through the WinRM service. User found to be part of a privilege group which further exploited to gain system access.</description><pubDate>Mon, 27 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Stacked</title><link>https://blog.zumpyx.com/hackthebox/machines/0379-stacked/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0379-stacked/</guid><description>Stacked is an insane difficulty Linux machine that focuses on LocalStack / AWS exploitation. Initial access is obtained by exploiting a Cross-Site Scripting vulnerability in a web form, redirecting the client to an internal mail system where details about a LocalStack implementation are disclosed. An interactive shell on the LocalStack container is gained by exploiting [CVE-2021-32090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32090). After escalating privileges in the container via a command injection vulnerability in the `docker create` command that is automatically triggered whenever a lambda function is executed, a new container with a mapping to the host file system can be created, resulting in `root` access to the host.</description><pubDate>Sat, 18 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Forge</title><link>https://blog.zumpyx.com/hackthebox/machines/0376-forge/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0376-forge/</guid><description>Forge is a medium linux machine that features an SSRF vulnerability on the main webpage that can be exploited to access services that are available only on localhost. Specifically, an FTP server is running but it&amp;amp;amp;amp;#039;s behind a firewall that prevents any connection except from localhost. Virtual host brute forcing reveals a new admin virtual host that is also blocked from external connections. The main webpage provides the ability to upload image files from URLs, but there are no checks in place to validate if the file is a real image or not. Thus allowing an attacker to specify a URL to a machine he controls in order to redirect the traffic to the internal services running on the box. Data exfiltration from the internal admin virtual host reveals credentials that can be used to access the FTP server, exploiting the same SSRF vulnerability. Through the FTP, the SSH key for `user` can be extracted. Privilege escalation relies on a Python script that `user` is able to execute using sudo. Triggering an error on the script will cause it to execute `Pdb`, an interactive Python debugger that can interpret Python commands. Since `Pdb` is running as `root`, because the main script was executed using `sudo`, a root shell can be spawned.</description><pubDate>Sat, 11 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] EarlyAccess</title><link>https://blog.zumpyx.com/hackthebox/machines/0375-earlyaccess/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0375-earlyaccess/</guid><description>EarlyAccess is a Hard Linux machine featuring a web server that is vulnerable to XSS. Exploiting the XSS vulnerability allows the users to get administrative access to the web page. Upon accessing the administrator&amp;amp;amp;#039;s panel two more endpoints are discovered and an offline validation script can be downloaded. Upon reverse engineering the offline validation script, a `game-key` can be generated, which allows the user to access the `game` virtual host. The `game` vhost is vulnerable to an SQL injection that allows the user to retrieve and crack the password hash of the `admin` account. Using the administrator&amp;amp;amp;#039;s credentials the `dev` vhost can be accessed and two new menu entries are revealed. One entry features an LFI vulnerability that can be used to disclose the source code of the second entry. After reviewing the source code of the second entry, a command injection vulnerability can lead to RCE as `www-data` on the box, which upon enumerating the file system is revealed to be a docker container. A password reuse scenario allows a privilege escalation from `www-data` to `www-adm`. An unencrypted file with plain text credentials allows the access of a database endpoint that reveals plain text credentials for `drew` user. The user `drew` can use SSH to login on the host machine. An SSH key inside the home folder of `drew` can be used to access another docker container. The container hosts a Node JS game and whenever the server hangs and restarts, a script executes all Bash scripts that exist inside a directory mounted from the host machine as `root`. After planting a malicious Bash script on the mounted directory and crashing the web server,  `root` access can be obtained on the docker container and a password hash for the user `game-adm`  can be retrieved and cracked. Back on the host machine, the user `game-adm` uses the same password, so `drew` can switch to `game-adm`. Enumerating the host machine as `game-adm` reveals that `arp` can be essentially executed as a SUID binary, thus leading to arbitrary file read. The SSH key of the `root` user can be read though `arp` and then used to gain a `root` shell on the machine.</description><pubDate>Sat, 04 Sep 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Horizontall</title><link>https://blog.zumpyx.com/hackthebox/machines/0374-horizontall/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0374-horizontall/</guid><description>Horizontall is an easy difficulty Linux machine were only HTTP and SSH services are exposed. Enumeration of the website reveals that it is built using the Vue JS framework. Reviewing the source code of the Javascript file, a new virtual host is discovered. This host contains the `Strapi Headless CMS` which is vulnerable to two CVEs allowing potential attackers to gain remote code execution on the system as the `strapi` user. Then, after enumerating services listening only on localhost on the remote machine, a Laravel instance is discovered. In order to access the port that Laravel is listening on, SSH tunnelling is used. The Laravel framework installed is outdated and running on debug mode. Another CVE can be exploited to gain remote code execution through Laravel as `root`.</description><pubDate>Sat, 28 Aug 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Gobox</title><link>https://blog.zumpyx.com/hackthebox/machines/0378-gobox/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0378-gobox/</guid><description>HTB machine: Gobox</description><pubDate>Mon, 23 Aug 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Developer</title><link>https://blog.zumpyx.com/hackthebox/machines/0372-developer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0372-developer/</guid><description>Developer is a hard machine that outlines the severity of tabnabbing vulnerability in web applications where attackers can control the input of an input field with  `target=&amp;amp;amp;amp;quot;_blank&amp;amp;amp;amp;quot;` allowing attackers to open a new tab to access their malicious page and redirect the previous tab to an attacker controlled location if mixed with an XSS injection. This attack leads to fooling site users and administrators into entering their credentials into a phishing template of the original site&amp;amp;amp;amp;#039;s login. Subdomain enumeration via the administration panel in Django leads to abusing the debug mode in Sentry&amp;amp;amp;amp;#039;s monitoring application which reveals a secret key which can then be used to perform django de-serialization attacks through cookie deserialization. Privelege escalation involves reversing a Rust application which contains a hardcoded nonce, key and ciphertext which users can retieve and decoded through AES-CTR algorithm to gain the application&amp;amp;amp;amp;#039;s password to gain a system shell on the target.</description><pubDate>Sat, 21 Aug 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Anubis</title><link>https://blog.zumpyx.com/hackthebox/machines/0371-anubis/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0371-anubis/</guid><description>Anubis is an insane difficulty Windows machine that showcases how a writable certificate template in the Windows Public Key Infrastructure can lead to the escalation of privileges to Domain Administrator in an Active Directory environment. An interactive shell on a Windows container can be obtained by exploiting a simple ASP code injection vulnerability in a public-facing web application. Pivoting from the initial shell, further access is gained to an internal web application that can be tricked into sending requests to an attacker-controlled Responder server, allowing to steal valid domain credentials that can be used to access an internal SMB share where malicious Jamovi files can be uploaded, resulting in a shell on the Windows host. After adding the smart card logon extended usage attribute to an available certificate template and requesting a new client certificate, PKINIT can be configured on an attacking Linux machine to request a Kerberos ticket and login to the system as Administrator.</description><pubDate>Sat, 14 Aug 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Previse</title><link>https://blog.zumpyx.com/hackthebox/machines/0373-previse/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0373-previse/</guid><description>Previse is a easy machine that showcases Execution After Redirect (EAR) which allows users to retrieve the contents and make requests to `accounts.php` whilst unauthenticated which leads to abusing PHP&amp;amp;amp;amp;amp;amp;#039;s `exec()` function since user inputs are not sanitized allowing remote code execution against the target, after gaining a www-data shell privilege escalation starts with the retrieval and cracking of a custom MD5Crypt hash which consists of a unicode salt and once cracked allows users to gain SSH access to the target then abusing a sudo executable script which does not include absolute paths of the functions it utilises which allows users to perform PATH hijacking on the target to compromise the machine.</description><pubDate>Sat, 07 Aug 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Writer</title><link>https://blog.zumpyx.com/hackthebox/machines/0361-writer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0361-writer/</guid><description>Writer is a medium Linux machine that outlines poor coding practices and presents how a file read vulnerability through SQL injection can lead to disclosure of source code files which include credentials. The combination of password reuse on the SMB service with a blind SSRF exploitation via an image upload function can lead to a foothold on the system. By abusing Django features it is possible to extract and crack user credentials. Further abusing multiple misconfigurations in Postfix service leads to exploit privileges in the apt service folders allowing those users to execute commands as root through a script that updates the machine every minute.</description><pubDate>Sat, 31 Jul 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] BountyHunter</title><link>https://blog.zumpyx.com/hackthebox/machines/0359-bountyhunter/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0359-bountyhunter/</guid><description>BountyHunter is an easy Linux machine that uses XML external entity injection to read system files. Being able to read a PHP file where credentials are leaked gives the opportunity to get a foothold on system as development user. A message from John mentions a contract with Skytrain Inc and states about a script that validates tickets. Auditing the source code of the python script reveals that it uses the eval function on ticket code, which can be injected, and as the python script can be run as root with sudo by the development user it is possible to get a root shell.</description><pubDate>Sat, 24 Jul 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Pikaboo</title><link>https://blog.zumpyx.com/hackthebox/machines/0360-pikaboo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0360-pikaboo/</guid><description>Pikaboo is a Hard Linux machine where only FTP, SSH, and Web services are exposed. The website is hosting on Apache a pokatmon collection page. Common misconfigurations in the NGINX proxy server allow performing a path traversal attack. Exploiting this, it is possible to get access in the administration panel where a vulnerable to LFI page gives the opportunity to perform FTP Log poisoning and gain a foothold to the system. Performing basic enumeration it is possible to locate a cron job where a Perl script with root privileges is running periodically. By further enumerating the system it is also possible to get valid LDAP credentials. Using them to enumerate local LDAP service reveals the credentials for user pwnmeow. These can be used to log in to the FTP server where it is possible to create and upload malicious files that can exploit a Perl function vulnerability in the script in order to execute code and get a reverse shell as root.</description><pubDate>Sat, 17 Jul 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Seal</title><link>https://blog.zumpyx.com/hackthebox/machines/0358-seal/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0358-seal/</guid><description>Seal is a medium difficulty Linux machine that features an admin dashboard protected by mutual authentication. Enumeration of git logs from Gitbucket reveals tomcat manager credentials. Exploitation of Nginx path normalization leads to mutual authentication bypass which allows tomcat manager access. Foothold is obtained by deploying a shell on tomcat manager. An ansible playbook found to be running at intervals and vulnerable to arbitrary file read thus allows us moving laterally. Root shell is gained by exploiting a sudo entry.</description><pubDate>Sat, 10 Jul 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Intelligence</title><link>https://blog.zumpyx.com/hackthebox/machines/0357-intelligence/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0357-intelligence/</guid><description>Intelligence is a medium difficulty Windows machine that showcases a number of common attacks in an Active Directory environment. After retrieving internal PDF documents stored on the web server (by brute-forcing a common naming scheme) and inspecting their contents and metadata, which reveal a default password and a list of potential AD users, password spraying leads to the discovery of a valid user account, granting initial foothold on the system. A scheduled PowerShell script that sends authenticated requests to web servers based on their hostname is discovered; by adding a custom DNS record, it is possible to force a request that can be intercepted to capture the hash of a second user, which is easily crackable. This user is allowed to read the password of a group managed service account, which in turn has constrained delegation access to the domain controller, resulting in a shell with administrative privileges.</description><pubDate>Sat, 03 Jul 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Explore</title><link>https://blog.zumpyx.com/hackthebox/machines/0356-explore/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0356-explore/</guid><description>Explore is an easy difficulty Android machine. Network enumeration reveals a vulnerable service that is exploitable via a Metasploit module, and gives restricted read access to the machine. Further enumeration of the files, reveals the SSH credentials of a system user, allowing this way remote access to the machine. Finally, the attacker is able to forward a filtered port locally using SSH tunneling, in order to access the Android shell over the Android Debug Bridge. This eventuality allows the attacker to execute commands as the root user.</description><pubDate>Sat, 26 Jun 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>android</category></item><item><title>[HTB · Machines] Static</title><link>https://blog.zumpyx.com/hackthebox/machines/0355-static/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0355-static/</guid><description>Static is a hard difficulty machine that features a web server running on port 8080. The website features a login page that can be easily bypassed by using default credentials, however, further access to the administrative panel is obstructed by a 2FA prompt. A corrupt Gzip archive is also identified on the website and after downloading it, its contents can be recovered. The archive holds a database backup that contains the OTP code for the administrative user. Once the OTP code is identified, further enumeration reveals an NTP server also running on the host. With the above information at hand, a script is created to generate a 2FA code and login to the administrative panel. The administrative panel can be used to generate a VPN configuration, which in turn can be used to access the internal networking of the remote host. By altering the routing, a new host is identified, which is also running a web server. This server is running Xdebug with remote mode enabled and can be abused to execute commands. After a shell as `www-data` is acquired another internal network is discovered with two more hosts. One of them is responsible for the generation of the VPN configuration files and does so through the usage of an Nginx installation with PHP-FPM. This installation is found to be vulnerable to a Remote Code Execution exploit, successful exploitation of which leads to a shell on the `pki` system. Privilege escalation can be achieved by exploiting a Format String vulnerability in the binary that is responsible for the VPN file generation.</description><pubDate>Sat, 19 Jun 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Dynstr</title><link>https://blog.zumpyx.com/hackthebox/machines/0352-dynstr/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0352-dynstr/</guid><description>Dynstr is a medium difficulty Linux machine featuring a blog providing Dynamic DNS services. The application API is vulnerable to command injection using which a foothold can be gained. Enumerating one of the users folders leaks SSH private key. Updating DNS zone records allows SSH access which helps in lateral movement. By exploiting a wildcard injection in a bash script root access can be obtained.</description><pubDate>Sat, 12 Jun 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Cap</title><link>https://blog.zumpyx.com/hackthebox/machines/0351-cap/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0351-cap/</guid><description>Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Reference (IDOR) giving access to another user&apos;s capture. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.</description><pubDate>Sat, 05 Jun 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Spider</title><link>https://blog.zumpyx.com/hackthebox/machines/0350-spider/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0350-spider/</guid><description>Spider is a hard difficulty Linux machine which focuses on web-based injection attacks. Server-Side Template Injection (SSTI) is first exploited to read the `config` object of a Flask application and obtain the `SECRET_KEY` string, which can be used to sign and verify session cookies. An SQL injection attack carried through forged cookies allows attackers to retrieve login data from the database and gain administrative access to the web application. A second SSTI vulnerability is found in a support ticket portal. Exploiting this vulnerability, which requires bypassing a Web Application Firewall, results in arbitrary code execution and ultimately in an interactive shell on the system. Privileges can then be escalated by exploiting an XML External Entity (XXE) injection vulnerability in a beta web application running locally.</description><pubDate>Sat, 29 May 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Knife</title><link>https://blog.zumpyx.com/hackthebox/machines/0347-knife/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0347-knife/</guid><description>Knife is an easy difficulty Linux machine that features an application which is running on a backdoored version of PHP. This vulnerability is leveraged to obtain the foothold on the server. A sudo misconfiguration is then exploited to gain a root shell.</description><pubDate>Sat, 22 May 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] PivotAPI</title><link>https://blog.zumpyx.com/hackthebox/machines/0345-pivotapi/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0345-pivotapi/</guid><description>Pivotapi is an insane machine that involves user enumeration through the metadata of PDFs which are downloaded from a FTP file share server. Since the user has not got preauth with Kerberos  it is possible to request a TGT for him which can be cracked with Hashcat. With the provided credentials an SMB enumeration exposes an executable which when reversed engineered reveals credentials to authenticate to MSSQL. After gaining access to the system it is possible to locate a keepass database on the target, leading to further misconfiguration abuse through Active Directory which leads obtaining the Administrator&amp;amp;#039;s password through LAPS and thus get execution on the target through `psexec` as user Administrator.</description><pubDate>Sat, 08 May 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Love</title><link>https://blog.zumpyx.com/hackthebox/machines/0344-love/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0344-love/</guid><description>Love is an easy windows machine where it features a voting system application that suffers from an authenticated remote code execution vulnerability. Our port scan reveals a service running on port 5000 where browsing the page we discover that we are not allowed to access the resource. Furthermore a file scanner application is running on the same server which is though effected by a SSRF vulnerability where it&amp;amp;amp;amp;#039;s exploitation gives access to an internal password manager. We can then gather credentials for the voting system and by executing the remote code execution attack as phoebe user we get the initial foothold on system. Basic windows enumeration reveals that the machine suffers from an elevated misconfiguration. Bypassing the applocker restriction we manage to install a malicious msi file that finally results in a reverse shell as the system account.</description><pubDate>Sat, 01 May 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Monitors</title><link>https://blog.zumpyx.com/hackthebox/machines/0341-monitors/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0341-monitors/</guid><description>Monitors is a hard Linux machine that involves `WordPress plugin` exploitation leading to a `command injection` via `SQL injection` through a well known network management web application in order to get a shell on the system. Then by performing basic service file enumeration one can gain the user password and thus a foothold to the system through SSH. The root stage consists of a `Java based XML RPC deserialization` attack against `Apache OFBiz` to gain a shell in a Docker container. Then it is possible by abusing the `CAP_SYS_MODULE` capability to load a malicious kernel module against the host and escalate privileges to root.</description><pubDate>Sat, 24 Apr 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Unobtainium</title><link>https://blog.zumpyx.com/hackthebox/machines/0338-unobtainium/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0338-unobtainium/</guid><description>Unobtainium is a hard difficulty Linux machine which features kubernetes exploitation and electron application reversing. Frontend web application serve unobtainium chat application created with electron which can be downloaded in three different packages (deb, rpm &amp;amp;amp;amp;amp;amp; snap). Electron application exposes a Node JS API which is affected with prototype pollution. Exploiting prototype pollution and gain reverse shell give us access inside a kubernetes pod. Understanding the Kubernetes RBAC system is critical in order to switch service accounts and create a malicious pod to mount root filesystem and escape the pod.</description><pubDate>Sat, 10 Apr 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Schooled</title><link>https://blog.zumpyx.com/hackthebox/machines/0335-schooled/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0335-schooled/</guid><description>Schooled is a medium difficulty FreeBSD machine that showcases two recently disclosed vulnerabilities affecting the Moodle platform (labeled CVE-2020-25627 and CVE-2020-14321), which have to be chained together in order to gain access as a `teacher` user, escalate privileges to a `manager` user and install a malicious plugin resulting in remote command execution. Cracking a hash obtained from the Moodle database allows SSH access to the system via password reuse. Privileges can then be escalated to `root` by installing a malicious package (which is possible due to `sudo` permissions and write access to the `/etc/hosts` file).</description><pubDate>Sat, 03 Apr 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>freebsd</category></item><item><title>[HTB · Machines] Armageddon</title><link>https://blog.zumpyx.com/hackthebox/machines/0323-armageddon/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0323-armageddon/</guid><description>Armageddon is an easy difficulty machine.  An exploitable Drupal website allows access to the remote host. Enumeration of the Drupal file structure reveals credentials that allows us to connect to the MySQL server, and eventually extract the hash that is reusable for a system user. Using these credentials, we can connect to the remote machine over SSH. This user is allowed to install applications using the `snap` package manager. Privilege escalation is possible by uploading and installing to the host, a malicious application using Snapcraft.</description><pubDate>Sat, 27 Mar 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] CrossFitTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0322-crossfittwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0322-crossfittwo/</guid><description>CrossFit2 is an insane difficulty BSD machine running a web server and an exposed unbound instance. An arbitrary file read is exploited to read relayd configuration. This gives access to vhosts with member applications. A password reset form vulnerable to host header injection can be exploited to register users and then exfiltrate chat via Cross Site Websocket Hijacking. Lateral movement involves exploiting nodejs path preference. Finally, a custom binary vulnerable to privileged file read is used to generate an OTP and get root.</description><pubDate>Sat, 20 Mar 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>openbsd</category></item><item><title>[HTB · Machines] Proper</title><link>https://blog.zumpyx.com/hackthebox/machines/0321-proper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0321-proper/</guid><description>Proper is a hard difficulty Linux machine which features a web application loading products using an Ajax call leaking a secret key which helps in generating token that allows performing SQL Injection. The data obtained allows us to login to License portal having a feature to change the themes of the application. This feature leaks source code and found to be vulnerable to race condition using which foothold can be gained. A service having client server model allowing privileged writes which can be abused to gain system access.</description><pubDate>Sat, 13 Mar 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Toolbox</title><link>https://blog.zumpyx.com/hackthebox/machines/0339-toolbox/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0339-toolbox/</guid><description>Toolbox is an easy difficulty Windows machine that features a Docker Toolbox installation. Docker Toolbox is used to host a Linux container, which serves a site that is found vulnerable to SQL injection. This is leveraged to gain a foothold on the Docker container. Docker Toolbox default credentials and host file system access are leveraged to gain a privileged shell on the host.</description><pubDate>Fri, 12 Mar 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] TheNotebook</title><link>https://blog.zumpyx.com/hackthebox/machines/0320-thenotebook/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0320-thenotebook/</guid><description>TheNotebook is a medium difficulty Linux machine that showcases an insecure JWT implementation, which allows unprivileged users to obtain administrative access by forging and signing tokens with arbitrary attributes. This is possible because the private key used for signing tokens is fetched from an external source, which can be easily modified to point to an attacker-controlled location. Once access to the administration panel is obtained, it is possible to upload and execute PHP files resulting in remote command execution. A private SSH key can then be obtained from a world-readable backup archive, allowing lateral movement to a user that has the privileges to run Docker commands via `sudo`. The Docker version installed to the system is vulnerable to CVE-2019-5736, which allows to escalate privileges on the host system.</description><pubDate>Sat, 06 Mar 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Spectra</title><link>https://blog.zumpyx.com/hackthebox/machines/0317-spectra/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0317-spectra/</guid><description>Spectra is an easy difficulty Linux machine which features an Issue Software Tracker build on Wordpress. The server through directory listing discloses some credentials which can be used to gain access to administration dashboard. Initial foothold is possible by using a custom crafted malicious plugin. By further enumerating the system new credentials can be captured and thus lateral movement can be achieved to another user. Finally wrong permissions to configuration file permits a sudo action to manipulate the init processes in order to gain root.</description><pubDate>Sat, 27 Feb 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>other</category></item><item><title>[HTB · Machines] Breadcrumbs</title><link>https://blog.zumpyx.com/hackthebox/machines/0316-breadcrumbs/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0316-breadcrumbs/</guid><description>Breadcrumbs is a hard difficulty Windows machine running Apache web server with a library application. Directory enumeration and file read is leveraged to forge cookies and login as the administrator. A foothold is gained via unrestricted file upload. Plaintext credentials in a SQLite database assists in lateral movement. Finally, exploitation of SQL injection results in privilege escalation to windows administrator user.</description><pubDate>Sat, 20 Feb 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] ScriptKiddie</title><link>https://blog.zumpyx.com/hackthebox/machines/0314-scriptkiddie/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0314-scriptkiddie/</guid><description>ScriptKiddie is an easy difficulty Linux machine that presents a Metasploit vulnerability ([CVE-2020-7384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-7384)), along with classic attacks such as OS command injection and an insecure passwordless `sudo` configuration. Initial foothold on the machine is gained by uploading a malicious `.apk` file from a web interface that calls a vulnerable version of `msfvenom` to generate downloadable payloads. Once shell is obtained, lateral movement to a second user is performed by injecting commands into a log file which provides unsanitized input to a Bash script that is triggered on file modification. This user is allowed to run `msfconsole` as `root` via `sudo` without supplying a password, resulting in the escalation of privileges.</description><pubDate>Sat, 06 Feb 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Sink</title><link>https://blog.zumpyx.com/hackthebox/machines/0313-sink/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0313-sink/</guid><description>Sink is an insane Linux machine that features an application which is vulnerable to HTTP Desync attack. Exploiting this vulnerability gives access to a high privileged user on the application. This privilege gives access to Gitea service. Enumeration of repositories lead to a private key leak which can be used to gain a foothold on system.  Enumerating SecretsManager service reveals credentials which assists in moving laterally. System access can be obtained by decrypting a file using the KMS service.</description><pubDate>Sat, 30 Jan 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Tentacle</title><link>https://blog.zumpyx.com/hackthebox/machines/0310-tentacle/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0310-tentacle/</guid><description>Tentacle is a Hard linux machine featuring a Squid proxy server. Bypassing Squid proxy authentication reveals a host which is making use of a vulnerable OpenSMTPD service. Initial foothold can be achieved by the exploitation of it. A SMTP client configuration file discloses a password which assists in generating a valid Kerberos ticket. This ticket then can be used to move laterally.  Finally a cronjob can be exploited to escalate to another user who has privileges to add root user to Kerberos principals. This gives us a root shell.</description><pubDate>Sat, 23 Jan 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Delivery</title><link>https://blog.zumpyx.com/hackthebox/machines/0308-delivery/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0308-delivery/</guid><description>Delivery is an easy difficulty Linux machine that features the support ticketing system osTicket where it is possible by using a technique called TicketTrick, a non-authenticated user to be granted with access to a temporary company email. This &amp;amp;amp;quot;feature&amp;amp;amp;quot; permits the registration at MatterMost and the join of internal team channel. It is revealed through that channel that users have been using same password variant &amp;amp;amp;quot;PleaseSubscribe!&amp;amp;amp;quot; for internal access. In channel it is also disclosed the credentials for the mail user which can give the initial foothold to the system. While enumerating the file system we come across the mattermost configuration file which reveals MySQL database credentials. By having access to the database a password hash can be extracted from Users table and crack it using the &amp;amp;amp;quot;PleaseSubscribe!&amp;amp;amp;quot; pattern. After cracking the hash it is possible to login as user root.</description><pubDate>Sat, 09 Jan 2021 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Attended</title><link>https://blog.zumpyx.com/hackthebox/machines/0307-attended/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0307-attended/</guid><description>Attended is an insane difficulty OpenBSD machine that presents a variety of different concepts like phishing, exploiting CVEs, bypassing outbound traffic restrictions, detecting misconfigurations and binary exploitation (with an interesting twist in the way the payload had to be delivered). Foothold is gained by exploiting a Vim modeline vulnerability in a text attachment sent as an email message. This results in remote command execution but since only HTTP outbound traffic is allowed a workaround is featured by using a simple HTTP client/server application. System enumeration leads to a shared directory where `ssh` configuration files can be written to be executed by another user (`freshness`), allowing to run arbitrary commands via the `ProxyCommand` configuration directive. An executable binary vulnerable to a stack-based buffer overflow is then exploited to gain code execution as root (on a different host) by delivering a malicious payload through an SSH private key (the vulnerable program is configured as the `AuthorizedKeysCommand` in the `sshd` configuration).</description><pubDate>Sat, 19 Dec 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>openbsd</category></item><item><title>[HTB · Machines] Ready</title><link>https://blog.zumpyx.com/hackthebox/machines/0304-ready/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0304-ready/</guid><description>Ready is a medium difficulty Linux machine. A vulnerable version of GitLab server leads to a remote command execution, by exploiting a combination of SSRF and CRLF vulnerabilities. Bad permission on a backed up configuration file of the Gitlab server, reveals a password that is found to be reusable for the user `root`, inside a docker container. After root access is acquired, escaping the container is possible since it is running in privileged mode.</description><pubDate>Sat, 12 Dec 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Sharp</title><link>https://blog.zumpyx.com/hackthebox/machines/0303-sharp/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0303-sharp/</guid><description>Sharp is a hard difficulty Windows machine which features `.NET` remoting services. Reversing a software accessible from open SMB share reveals user credentials. These credentials can be used to access a `.NET` remoting services application, which can be later downloaded from a private SMB share. By exploiting this service it is possible to get a foothold on the server. `WCF` service project is accessible and service can be exploited to gain root access on the system.</description><pubDate>Sat, 05 Dec 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Luanne</title><link>https://blog.zumpyx.com/hackthebox/machines/0302-luanne/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0302-luanne/</guid><description>Luanne is an easy difficulty NetBSD Linux machine. Network enumeration reveals a Medusa Supervisor Process Manager that is found to be using the default login credentials. Enumeration of a monitoring script that is accessible from the Supervisor Process Manager reveals a Lua script that is vulnerable to code injection. It is running in a custom weather web application on a `bozohttpd` server. A second misconfigured `bozohttpd` server that is found to be running in development mode, which is leveraged to obtain the private SSH key for the system user `r.michaels`. Using `netpgp`, we can decrypt an encrypted `tar` backup file that contains the password for the user `r.michaels`, who is found to be able to execute commands as root, using the command `doas`.</description><pubDate>Sat, 28 Nov 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>other</category></item><item><title>[HTB · Machines] Laboratory</title><link>https://blog.zumpyx.com/hackthebox/machines/0298-laboratory/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0298-laboratory/</guid><description>Laboratory is an easy difficulty Linux machine that features a GitLab web application in a docker. This application is found to suffer from an arbitrary read file vulnerability, which is leveraged along with a remote command execution to gain a foothold on a docker instance. By giving administration permissions to our GitLab user it is possible to steal private ssh-keys and get a foothold on the box. Post-exploitation enumeration reveals that the system Laboratory has an executable program set as setuid. This is leveraged to gain a root shell on the server.</description><pubDate>Sat, 14 Nov 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Academy</title><link>https://blog.zumpyx.com/hackthebox/machines/0297-academy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0297-academy/</guid><description>Academy is an easy difficulty Linux machine that features an Apache server hosting a PHP website. The website is found to be the HTB Academy learning platform. Capturing the user registration request in Burp reveals that we are able to modify the Role ID, which allows us to access an admin portal. This reveals a vhost, that is found to be running on Laravel. Laravel debug mode is enabled, the exposed API Key and vulnerable version of Laravel allow us carry out a deserialization attack that results in Remote Code Execution. Examination of the Laravel `.env` file for another application reveals a password that is found to work for the `cry0l1t3` user, who is a member of the `adm` group. This allows us to read system logs, and the TTY input audit logs reveals the password for the `mrb3n` user. `mrb3n` has been granted permission to execute composer as root using `sudo`, which we can leverage in order to escalate our privileges.</description><pubDate>Sat, 07 Nov 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] APT</title><link>https://blog.zumpyx.com/hackthebox/machines/0296-apt/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0296-apt/</guid><description>APT is an insane difficulty Windows machine where RPC and HTTP services are only exposed. Enumeration of existing RPC interfaces provides an interesting object that can be used to disclose the IPv6 address. The box is found to be protected by a firewall exemption that over IPv6 can give access to a backup share. User enumeration and bruteforce attacks can give us access to the registry which contains login credentials. The machine is configured to allow authentication via the NTLMv1 protocol, which can be leveraged to gain system access.</description><pubDate>Sat, 31 Oct 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Time</title><link>https://blog.zumpyx.com/hackthebox/machines/0286-time/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0286-time/</guid><description>Time is a medium difficulty Linux machine that features an online JSON parser web application. This application is found to suffer from a Java Deserialization vulnerability, which is leveraged to gain a foothold on the box. Post-exploitation enumeration reveals that a system timer is executing a word-writable bash script. This is leveraged to gain a root shell on the server.</description><pubDate>Sat, 24 Oct 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Bucket</title><link>https://blog.zumpyx.com/hackthebox/machines/0283-bucket/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0283-bucket/</guid><description>Bucket is a medium difficulty Linux machine that features [LocalStack](https://github.com/localstack/localstack) which simulates a local AWS environment. Web application  is running on Apache server and the files are hosted on an open S3 bucket which allows us dropping a malicious PHP file and thus gain a reverse shell. At user&amp;amp;amp;#039;s home directory we can find an unfinished project which utilizes DynamoDB for database. Enumerating DynamoDB reveals credentials which can be reused to move laterally. An internal application found to be running as root, which is exploited to gain root access.</description><pubDate>Sat, 17 Oct 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Jewel</title><link>https://blog.zumpyx.com/hackthebox/machines/0282-jewel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0282-jewel/</guid><description>Jewel is a medium difficulty Linux machine that features source code analysis of a Ruby on Rails web application. This reveals an unsafe use of RedisCacheStore (CVE-2020-8165), which is leveraged to get RCE. After archiving a foothold, we get command execution in the context of the unprivileged user `bill`. This user is allowed to run the `gem` command as root, but requires two-factor authentication to do so. In order to get around 2FA, we search for and find bill&amp;amp;amp;#039;s password, and can then use the Google Authenticator utility to generate an OTP for sudo, in order to execute commands as root.</description><pubDate>Sat, 10 Oct 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Reel2</title><link>https://blog.zumpyx.com/hackthebox/machines/0281-reel2/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0281-reel2/</guid><description>Reel2 is a Hard difficulty Windows machine that features an open source Social Networking application, which allows us to find  usernames. Outlook Web Access access can be gained by performing a password spraying attack the OWA endpoint. A password hash can be captured and cracked by performing a spear phishing attack, which allows us to gain a foothold on the server. Using PowerShell functions, JEA restrictions can be bypassed. Enumerating stickynotes processes reveals a set of credentials which can be used to move laterally. Exploiting a vulnerable JEA function allows us to read files as the administrator.</description><pubDate>Sat, 03 Oct 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Doctor</title><link>https://blog.zumpyx.com/hackthebox/machines/0278-doctor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0278-doctor/</guid><description>Doctor is an easy machine that features an Apache server running on port 80. Users can identify a virtual host on the main webpage, and after adding it to their hosts file, acquire access to the `Doctor Messaging System`. The system is found to be vulnerable to Server Side Template Injection, and successful exploitation of the vulnerability results in a shell as the user `web`. This user belongs to the `adm` group and is able to read various system logs. Enumeration of the logs reveals a misplaced password that can be used to login as the user `shaun`. Enumeration of system services reveals that a Splunk Universal Forwarder is running on port 8089, in the context of `root`. Research reveals an exploit that can be used with valid credentials in order to execute code remotely and escalate our privileges.</description><pubDate>Sat, 26 Sep 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Compromised</title><link>https://blog.zumpyx.com/hackthebox/machines/0276-compromised/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0276-compromised/</guid><description>Compromised is a hard Linux machine that features an `Apache` web server running on port 80. The web server features a `LiteCart` installation, and enumeration reveals a backup copy of the live website. Analysis of the backup suggests that the website has already been compromised. Malicious code in one of the PHP files leads to a hidden log on the server, which contains valid credentials for the `LiteCart` admin panel. These credentials can be used to exploit an `Arbitrary File Upload` vulnerability in version `2.1.2` of the `LiteCart` software, in order to upload and execute `PHP` code. This proves difficult as most code execution related functions have been disabled. However, a bypass is found for PHP versions `7.0-7.4`. Through code execution and the analysis of the web server files, valid credentials for the `MySQL` database are found. Enumeration of the database for `User Defined Functions` identifies a backdoor for executing code in the context of the MySQL user. This is leveraged to gain SSH access to the machine in the context of the MySQL user. The user&amp;amp;amp;#039;s home folder contains a log file, the contents of which are identified as the output of an `strace` keylogger. Analysis of the logged keys reveals the password for the `sysadmin` user, who we move to. In order to achieve privilege escalation to the `root` account, users must undertake a forensic analysis of the affected system, which reveals that two rootkits are installed. The first is a shared library called `libdate.so`, which has been set to execute during `read` system calls using LD_PRELOAD. The second is a malicious `pam_unix.so`, which was used to replace the original file of the same name, and is called every time an authentication request is made. Both of these files contain hardcoded master keys that once inputted, allow users to escalate to the `root` account.</description><pubDate>Sat, 12 Sep 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Passage</title><link>https://blog.zumpyx.com/hackthebox/machines/0275-passage/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0275-passage/</guid><description>Passage is a medium difficulty Linux machine that hosts a CuteNews web application. This is found to suffer from a remote command execution vulnerability, which is leveraged to gain a foothold. A CuteNews password hash for the application user `paul` is discovered and cracked. Owing to password reuse, we can use this to move laterally to the `paul` system user. A private SSH key is found to be shared between the system users, which allows us to move laterally to `nadav`. This user is found to be a member of the sudo group. Enumeration of the vim command line history reveals that the `com.ubuntu.USBCreator.conf` policy has been edited, in order to allow users of the `sudo` group to invoke methods of the `usb-creator` service.  The D-Bus service USBCreator is found to suffer from a vulnerability, allowing the password security policy imposed by `sudo` binary to be bypassed. This is leveraged in order to read privileged files as root.</description><pubDate>Sat, 05 Sep 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Feline</title><link>https://blog.zumpyx.com/hackthebox/machines/0274-feline/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0274-feline/</guid><description>Feline is a hard difficulty Linux machine that features an Apache Tomcat installation. This hosts a Java application that allows users to upload files of any type. The version of Tomcat 9.0.35 is found vulnerable to RCE via session persistence. After uploading a malicious session file and triggering it, we get a foothold as the Tomcat user. Enumeration reveals that SaltStack is running locally, which suffers from authentication bypass and directory traversal vulnerabilities, leading to RCE. We take advantage of an exposed Docker unix socket file in order to interact with Docker API and escape the container.</description><pubDate>Sat, 29 Aug 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Omni</title><link>https://blog.zumpyx.com/hackthebox/machines/0271-omni/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0271-omni/</guid><description>Omni is an easy difficulty Windows IoT Core machine. Network enumeration reveals that a web page titled `Windows Device Portal` is hosted on the remote machine, which indicates that Windows IoT Core OS that is installed. This OS implements a vulnerable service named Sirep Test Service, that allows remote command execution on the host. Exporting and cracking hashes from the registry hives reveals the password for the user `app`, which is used to access to the Windows Device Portal web application. Enumeration of the file system reveals a sequence of Powershell Credential files, that eventually leads to the password for the `administrator` user. Finally, logging into the web application as the `administrator`, we get the root.txt.</description><pubDate>Sat, 22 Aug 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>other</category></item><item><title>[HTB · Machines] Worker</title><link>https://blog.zumpyx.com/hackthebox/machines/0270-worker/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0270-worker/</guid><description>Worker is a medium box that teaches about software development environments and Azure DevOps pipeline abuse. It starts with extraction of source code from a SVN server, and then moves to a local Azure DevOps installation, which can be abused to gain a foothold and escalate privileges.</description><pubDate>Sat, 15 Aug 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Laser</title><link>https://blog.zumpyx.com/hackthebox/machines/0269-laser/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0269-laser/</guid><description>Laser is an insane difficulty Linux machine that features an exposed printer. The service is queried for information and used to decrypt a file that is present in the print queue. This gives access to sensitive information that is leveraged to perform a Server Side Request Forgery (SSRF). Leveraging the Server Side Request Forgery, an outdated Apache Solr instance is exploited in order to gain a foothold. A race condition is then exploited, which allows for lateral movement to a container. The container is used to redirect SSH connections, finally giving root access.</description><pubDate>Sat, 08 Aug 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Unbalanced</title><link>https://blog.zumpyx.com/hackthebox/machines/0268-unbalanced/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0268-unbalanced/</guid><description>Unbalanced is a hard difficulty Linux machine featuring a rsync service that stores an encrypted backup module. Upon decryption we find Squid proxy configuration details, which allow us to access internal hosts. One of the hosts is found vulnerable to a blind XPath injection, which is leveraged to obtain a set of credentials. These credentials allows us to gain foothold on the server. A vulnerable Pi-hole Docker instance is discovered, which is exploited and allows us to obtain a password that can be reused for the root account.</description><pubDate>Sat, 01 Aug 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] OpenKeyS</title><link>https://blog.zumpyx.com/hackthebox/machines/0267-openkeys/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0267-openkeys/</guid><description>OpenKeyS is a medium difficulty OpenBSD machine that features a web server on port 80. Enumeration of the server using `GoBuster` reveals a `Vim` swap file. This contains the code that the website uses for authentication, and was last edited by a user called `Jennifer`. Analysis of the code reveals the file `check_auth` which uses the OpenBSD authentication framework, and allows web users to login using server credentials. This version of the authentication framework is found to be insecure, and after successful exploitation the login page is bypassed. Due to insecure PHP coding, it is possible to set the username to `Jennifer` through the usage of cookies, and acquire SSH credentials. Enumeration of the server confirms the OS version in use to be `6.6` which is vulnerable to a privilege escalation exploit.  Attackers can leverage the file `/usr/X11R6/bin/xlock` to become a member of the `auth` group, after which they can leverage the `S/Key` authentication option to add an entry for the `root` user and escalate their privileges.</description><pubDate>Sat, 25 Jul 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>openbsd</category></item><item><title>[HTB · Machines] Buff</title><link>https://blog.zumpyx.com/hackthebox/machines/0263-buff/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0263-buff/</guid><description>`Buff` is an easy-difficulty Windows machine that features an instance of `Gym Management System 1.0`. This is found to be vulnerable to an unauthenticated remote code execution vulnerability. Enumeration of the internal network reveals a service running on port `8888`. The installation file for this service can be found on disk, allowing us to debug it locally. We can perform port forwarding to make the service available and exploit it.</description><pubDate>Sat, 18 Jul 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] SneakyMailer</title><link>https://blog.zumpyx.com/hackthebox/machines/0262-sneakymailer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0262-sneakymailer/</guid><description>SneakyMailer is a medium difficulty Linux machine that features a phishing scenario, from which a set of credentials are gained. These credentials provide access to a mailbox, which reveals another set of credentials to access the FTP service. FTP file upload allows a foothold to be gained. PyPI server package installation can be exploited to move laterally. Root access can be obtained by leveraging sudo privileges.</description><pubDate>Sat, 11 Jul 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] RopeTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0260-ropetwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0260-ropetwo/</guid><description>RopeTwo is an insane difficulty Linux machine that showcases a variety of exploit development concepts. The foothold requires analysis of a patch for the V8 JavaScript engine in order to get a shell. A SUID binary suffering from improper memory handling is then leveraged to get a user shell. Finally, a vulnerable Linux Kernel Module is used to escalate privileges and execute code as root.</description><pubDate>Sat, 27 Jun 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Tabby</title><link>https://blog.zumpyx.com/hackthebox/machines/0259-tabby/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0259-tabby/</guid><description>Tabby is a easy difficulty Linux machine. Enumeration of the website reveals a second website that is hosted on the same server under a different vhost. This website is vulnerable to Local File Inclusion. Knowledge of the OS version is used to identify the `tomcat-users.xml` file location. This file yields credentials for a Tomcat user that is authorized to use the `/manager/text` interface. This is leveraged to deploy of a war file and upload a webshell, which in turn is used to get a reverse shell. Enumeration of the filesystem reveals a password protected zip file, which can be downloaded and cracked locally. The cracked password can be used to login to the remote machine as a low privileged user. However this user is a member of the LXD group, which allows privilege escalation by creating a privileged container, into which the host&amp;amp;amp;amp;#039;s filesystem is mounted. Eventually, access to the remote machine is gained as `root` using SSH.</description><pubDate>Sat, 20 Jun 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Fuse</title><link>https://blog.zumpyx.com/hackthebox/machines/0256-fuse/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0256-fuse/</guid><description>Fuse is a medium difficulty Windows box made that starts with enumeration of a print job logging application From this we can harvest usernames and possible  passwords for use in a password spray attack. This successfully identifies that three domain accounts have the same password set, although their passwords are expired. We can use the Windows API to set a new password. With valid credentials we can enumerate shared printers, which yields credentials for the printer service account. This account can be used to establish a WinRM shell on the machine. From this foothold we can abuse the SeLoadDriver privilege and get a shell as SYSTEM.</description><pubDate>Sat, 13 Jun 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Blackfield</title><link>https://blog.zumpyx.com/hackthebox/machines/0255-blackfield/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0255-blackfield/</guid><description>Backfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. Once user is found to have Kerberos pre-authentication disabled, which allows us to conduct an ASREPRoasting attack. This allows us to retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artefacts, including an lsass process dump.  This contains a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database, and retrieve the hash of the primary domain administrator.</description><pubDate>Sat, 06 Jun 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Blunder</title><link>https://blog.zumpyx.com/hackthebox/machines/0254-blunder/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0254-blunder/</guid><description>Blunder is an Easy difficulty Linux machine that features a Bludit CMS instance running on port 80. The website contains various facts about different genres. Using GoBuster, we identify a text file that hints to the existence of user fergus, as well as an admin login page that is protected against brute force. An exploit that bypasses the brute force protection is identified, and a dictionary attack is run against the login form. This attack grants us access to the admin panel as fergus. A GitHub issue detailing an arbitrary file upload and directory traversal vulnerability is identified, which is used to gain a shell as www-data. The system is enumerated and a newer version of the Bludit CMS is identified in the /var/www folder. The updated version contains the SHA1 hash of user hugo&amp;amp;amp;amp;#039;s password. The password can be cracked online, allowing us to move laterally to this user. Enumeration reveals that the user can run commands as any system user apart from root using sudo. The sudo binary is identified to be outdated, and vulnerable to CVE-2019-14287. Successful exploitation of this vulnerability returns a root shell.</description><pubDate>Sat, 30 May 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Dyplesher</title><link>https://blog.zumpyx.com/hackthebox/machines/0253-dyplesher/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0253-dyplesher/</guid><description>Dyplesher is an insane difficulty Linux machine featuring multiple technologies and vulnerabilities. Vhost enumeration reveals a Git repository containing source code, in which we find credentials. These credentials are used to enumerate the Memcache service and obtain further credentials. These are in turn used to gain access to a Gogs server which has multiple private repositories. Enumeration of release files in one repository reveals another set of credentials that are used to access a Minecraft server application. A foothold can be gained by uploading a Minecraft plugin. Credentials found in a network capture can be used to escalate to another user. Publishing a Cuberite plugin over the AMQP protocol leads to a root shell.</description><pubDate>Sat, 23 May 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Travel</title><link>https://blog.zumpyx.com/hackthebox/machines/0252-travel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0252-travel/</guid><description>Travel is a hard difficulty Linux machine that features a WordPress instance along with a development server. The server is found to host an exposed Git repository, which reveals sensitive source code. The source code is analyzed and an SSRF and unsafe deserialization vulnerability are identified. These are leveraged to gain code execution. A backup password is cracked and used to move laterally. The user is found to be an LDAP administrator and can edit user attributes. This is leveraged to modify group membership and gain root privileges.</description><pubDate>Sat, 16 May 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Cache</title><link>https://blog.zumpyx.com/hackthebox/machines/0251-cache/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0251-cache/</guid><description>Cache is a medium difficulty Linux machine. Enumeration of the website reveals a second website that is hosted on the same server under a different vhost. This website is an OpenEMR instance that suffers from a SQL injection vulnerability. Exploiting this vulnerability enables the attacker to retrieve the hashed password for user `openemr_admin`, which can be cracked offline in order to recover the plaintext password. These credentials can be used to exploit an authenticated Remote Command Execution vulnerability and achieve reverse shell as `www-data`, due to the outdated version of the OpenEMR instance. Inspection of the initial website reveals a JavaScript file containing credentials for the user `ash`, who is found to be a system user. Enumeration of the Memcached caching system also reveals the password for user `luffy`, who is a member of the docker group. This enables the user `luffy` to run any commands as root, from within a docker container.</description><pubDate>Sat, 09 May 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Admirer</title><link>https://blog.zumpyx.com/hackthebox/machines/0248-admirer/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0248-admirer/</guid><description>Admirer is an easy difficulty Linux machine that features a vulnerable version of Adminer (caused by an underlying MySQL protocol flaw), and an interesting Python library hijacking vector. After thorough enumeration, lots of pieces of information can be combined to get a foothold and then escalate privileges to root.</description><pubDate>Sat, 02 May 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Quick</title><link>https://blog.zumpyx.com/hackthebox/machines/0244-quick/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0244-quick/</guid><description>Quick is a hard difficulty Linux machine that features a website running on the HTTP/3 protocol. Enumeration of the website reveals default credentials. The client portal is found to be vulnerable to ESI (Edge Side Includes) injection. This is used to obtain code execution and gain a foothold. A weak password gives access to a printer console, which permits the addition of new printers. Weak file permissions are exploited to move laterally. Plaintext credentials exposed in a configuration are reused to escalate to root.</description><pubDate>Sat, 25 Apr 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Magic</title><link>https://blog.zumpyx.com/hackthebox/machines/0241-magic/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0241-magic/</guid><description>Magic is an easy difficulty Linux machine that features a custom web application. A SQL injection vulnerability in the login form is exploited, in order to bypass the login and gain access to an upload page. Weak whitelist validation allows for uploading a PHP webshell, which is used to gain command execution. The MySQL database is found to contain plaintext credentials, which are re-used for lateral movement. A path hijacking vector combined with assigned SUID permissions leads to full system compromise.</description><pubDate>Sat, 18 Apr 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] ServMon</title><link>https://blog.zumpyx.com/hackthebox/machines/0240-servmon/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0240-servmon/</guid><description>ServMon is an easy Windows machine featuring an HTTP server that hosts an NVMS-1000 (Network Surveillance Management Software) instance. This is found to be vulnerable to LFI, which is used to read a list of passwords on a user&amp;amp;amp;amp;#039;s desktop. Using the credentials, we can SSH to the server as a second user. As this low-privileged user, it&amp;amp;amp;amp;#039;s possible enumerate the system and find the password for `NSClient++` (a system monitoring agent). After creating an SSH tunnel, we can access the NSClient++ web app. The app contains functionality to create scripts that can be executed in the context of `NT AUTHORITY\SYSTEM`. Users have been given permissions to restart the `NSCP` service, and after creating a malicious script, the service is restarted and command execution is achieved as SYSTEM.</description><pubDate>Sat, 11 Apr 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] ForwardSlash</title><link>https://blog.zumpyx.com/hackthebox/machines/0239-forwardslash/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0239-forwardslash/</guid><description>ForwardSlash is a hard Linux machine featuring a compromised server. Through directory busting it is possible to identify a virtual host that points to a backup instance of the website. After registering a new account, an LFI vulnerability is identified through a disabled HTML form. The LFI vulnerability can be used to access the `dev` endpoint, which only allows local connections. The `dev` page accepts XML input and an XXE vulnerability is identified. Successful exploitation of the vulnerability leads to the disclosure of FTP credentials for the user `chiv`. As the credentials have been reused for SSH, it is possible to gain a foothold on the server. A SUID binary is found that attempts to read files whose name is the MD5 hash of the time the binary is run. A symbolic link is created that points to a backup of a PHP configuration, leading to disclosure of credentials for the user `pain`. These new credentials also work with SSH, and the user flag is acquired. Finally a cipher text is found in the user&amp;amp;#039;s home directory along with the code used to encrypt it. Upon successful creation of a decryption script, a password is revealed. This can be used to decrypt a `LUKS` image found at `/var/backups/recovery`. The image contains the RSA private key for the `root` account.</description><pubDate>Sat, 04 Apr 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Cascade</title><link>https://blog.zumpyx.com/hackthebox/machines/0235-cascade/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0235-cascade/</guid><description>Cascade is a medium difficulty Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user `r.thompson`, which gives access to a `TightVNC` registry backup. The backup is decrypted to gain the password for `s.smith`. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the `ArkSvc` account. This account belongs to the `AD Recycle Bin` group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to login as the primary domain administrator.</description><pubDate>Sat, 28 Mar 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Remote</title><link>https://blog.zumpyx.com/hackthebox/machines/0234-remote/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0234-remote/</guid><description>Remote is an easy difficulty Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can gain a password. This password has been reused with the local administrator account. Using `psexec` with these credentials returns a SYSTEM shell.</description><pubDate>Sat, 21 Mar 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Multimaster</title><link>https://blog.zumpyx.com/hackthebox/machines/0232-multimaster/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0232-multimaster/</guid><description>Multimaster is an insane difficulty Windows machine featuring a web application that is vulnerable to SQL Injection. This vulnerability is leveraged to obtain the foothold on the server. Examination the file system reveals that a vulnerable version of VS Code is installed, and VS Code processes and found to be running on the server. By exploiting debug functionality, a shell as the user `cyork` can be gained. A password is found in a DLL, which due to password reuse, results in a shell as `sbauer`. This user is found to have `GenericWrite` permissions on the user `jorden`. Abusing this privilege allows us to gain access to the server as this user. `jorden` is be member of `Server Operators` group, whose privileges we exploit to get a SYSTEM shell.</description><pubDate>Sat, 07 Mar 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Oouch</title><link>https://blog.zumpyx.com/hackthebox/machines/0231-oouch/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0231-oouch/</guid><description>Oouch is a hard difficulty Linux machine featuring web applications that use the OAuth authorization framework. Absence of a CSRF Token is leveraged to link an administrative account to our account, providing access to sensitive information. This information is used to register a new client application and steal the authorization code. This code is used to gain an access token, which provides unrestricted access to user resources. A misconfigured DBus server is then exploited through uWSGI in order to execute code in the context of root.</description><pubDate>Sat, 29 Feb 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Book</title><link>https://blog.zumpyx.com/hackthebox/machines/0230-book/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0230-book/</guid><description>Book is a medium difficulty Linux machine hosting a Library application. It allows users to sign up and add books, as well as provide feedback. The back-end database is found to be vulnerable to SQL truncation, which is leveraged to register an account as admin and escalate privileges. The admin panel contains additional functionality to export PDFs, which is exploited through XSS to gain SSH access. Finally, misconfigured logs are exploited to get root.</description><pubDate>Sat, 22 Feb 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Fatty</title><link>https://blog.zumpyx.com/hackthebox/machines/0227-fatty/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0227-fatty/</guid><description>Fatty is an insane difficulty Linux machine featuring a three-tier client-server architecture that has multiple vulnerabilities. Modification of the client application allows for a path traversal, which is used to download the server application. Admin access can be obtained by exploiting a SQL injection vulnerability in the login function. Exploiting a deserialization vulnerability in the change password function provides a foothold. A root shell can be gained by exploiting the cronjob.</description><pubDate>Sat, 08 Feb 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Nest</title><link>https://blog.zumpyx.com/hackthebox/machines/0225-nest/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0225-nest/</guid><description>Nest is an easy difficulty Windows machine featuring an SMB server that permits guest access. The shares can be enumerated to gain credentials for a low privileged user. This user is found to have access to configuration files containing sensitive information. Another user&amp;amp;amp;amp;#039;s password is found through source code analysis, which is used to gain a foothold on the box. A custom service is found to be running, which is enumerated to find and decrypt Administrator credentials.</description><pubDate>Sat, 25 Jan 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Monteverde</title><link>https://blog.zumpyx.com/hackthebox/machines/0223-monteverde/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0223-monteverde/</guid><description>Monteverde is a Medium Windows machine that features Azure AD Connect. The domain is enumerated and a user list is created. Through password spraying, the `SABatchJobs` service account is found to have the username as a password. Using this service account, it is possible to enumerate SMB Shares on the system, and the `$users` share is found to be world-readable. An XML file used for an Azure AD account is found within a user folder and contains a password. Due to password reuse, we can connect to the domain controller as `mhope` using WinRM. Enumeration shows that `Azure AD Connect` is installed. It is possible to extract the credentials for the account that replicates the directory changes to Azure (in this case the default domain administrator).</description><pubDate>Sat, 11 Jan 2020 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] PlayerTwo</title><link>https://blog.zumpyx.com/hackthebox/machines/0221-playertwo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0221-playertwo/</guid><description>PlayerTwo is an insane difficulty Linux machine featuring multiple technologies and vulnerabilities. Vhost and directory enumeration yields source code for the protobuf service, that is used to query the server. This provides credentials used to login and gain access to firmware. The firmware is modified in order to execute commands on the server and gain a foothold. The server is found to be passing messages over MQTT, and contain a user&amp;amp;amp;#039;s SSH key. This user is found to have access to a SUID binary that is vulnerable to multiple vectors, leading to a root shell.</description><pubDate>Sat, 14 Dec 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Resolute</title><link>https://blog.zumpyx.com/hackthebox/machines/0220-resolute/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0220-resolute/</guid><description>Resolute is an medium difficulty Windows machine that features Active Directory. The Active Directory anonymous bind is used to obtain a password that the sysadmins set for new user accounts, although it seems that the password for that account has since changed. A password spray reveals that this password is still in use for another domain user account, which gives us access to the system over WinRM. A PowerShell transcript log is discovered, which has captured credentials passed on the command-line. This is used to move laterally to a user that is a member of the DnsAdmins group. This group has the ability to specify that the DNS Server service loads a plugin DLL. After restarting the DNS service, we achieve command execution on the domain controller in the context of `NT_AUTHORITY\SYSTEM`.</description><pubDate>Sat, 07 Dec 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Obscurity</title><link>https://blog.zumpyx.com/hackthebox/machines/0219-obscurity/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0219-obscurity/</guid><description>Obscurity is medium difficulty Linux machine that features a custom web server. A code injection vulnerability is exploited to gain an initial foothold as `www-data`. Weak folder permissions reveal a custom cryptography algorithm, that has been used to encrypt the user&amp;amp;amp;#039;s password. A known-plaintext attack reveals the encryption key, which is used to decrypt the password. This password is used to move laterally to the user `robert`, who is allowed to run a faux terminal as root. This can be used to escalate privileges to root via winning a race condition or by overwriting `sudo` arguments.</description><pubDate>Sat, 30 Nov 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Control</title><link>https://blog.zumpyx.com/hackthebox/machines/0218-control/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0218-control/</guid><description>Control is a hard difficulty Windows machine featuring a site that is found vulnerable to SQL injection. This is leveraged to extract MySQL user password hashes, and also to write a webshell and gain a foothold. The password hash for the SQL user `hector` is cracked, which is used to move laterally to their Windows account. Examination of the PowerShell history file reveals that the Registry permissions may have been modified. After enumerating Registry service permissions and other service properties, a service is abused to gain a shell as `NT AUTHORITY\SYSTEM`.</description><pubDate>Sat, 23 Nov 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] AI</title><link>https://blog.zumpyx.com/hackthebox/machines/0216-ai/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0216-ai/</guid><description>AI is a medium difficulty Linux machine running a speech recognition service on Apache. This service is found to be vulnerable to SQL injection and is exploited with audio files. The injection is leveraged to gain SSH credentials for a user.  Enumeration of running processes yields a Tomcat application running on localhost, which has debugging enabled. This port is forwarded and exploited to gain code execution as root.</description><pubDate>Sat, 09 Nov 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Postman</title><link>https://blog.zumpyx.com/hackthebox/machines/0215-postman/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0215-postman/</guid><description>Postman is an easy difficulty Linux machine, which features a Redis server running without authentication. This service can be leveraged to write an SSH public key to the user&amp;amp;amp;#039;s folder. An encrypted SSH private key is found, which can be cracked to gain user access. The user is found to have a login for an older version of Webmin. This is exploited through command injection to gain root privileges.</description><pubDate>Sat, 02 Nov 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Mango</title><link>https://blog.zumpyx.com/hackthebox/machines/0214-mango/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0214-mango/</guid><description>Mango is a medium difficulty Linux machine hosting a website that is found vulnerable to NoSQL injection. The NoSQL database is discovered to be MongoDB, from which we exfiltrate user credentials. We can use one set of credentials to gain a foothold using SSH, and the other to move laterally within the box. A SUID binary is then exploited to escalate our privileges to root.</description><pubDate>Sat, 26 Oct 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Registry</title><link>https://blog.zumpyx.com/hackthebox/machines/0213-registry/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0213-registry/</guid><description>Registry is a hard difficulty Linux machine, which features Docker and the Bolt CMS running on Nginx. Docker registry API access is configured with default credentials, which allows us to pull the repository files. Using the disclosed information it is possible to obtain an initial foothold. User credentials for Bolt CMS can be obtained, and exploiting the CMS provides us with access to the `www-data` user, who has a sudo entry to perform backups as root using the `restic` program. After taking a backup of the root folder remotely and mounting the repository with restic, the root flag is obtained.</description><pubDate>Sat, 19 Oct 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Sniper</title><link>https://blog.zumpyx.com/hackthebox/machines/0211-sniper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0211-sniper/</guid><description>Sniper is a medium difficulty Windows machine which features a PHP server. The server hosts a file that is found vulnerable to local and remote file inclusion. Command execution is gained on the server in the context of `NT AUTHORITY\iUSR` via local inclusion of maliciously crafted PHP Session files. Exposed database credentials are used to gain access as the user `Chris`, who has the same password. Enumeration reveals that the administrator is reviewing CHM (Compiled HTML Help) files, which can be used the leak the administrators NetNTLM-v2 hash. This can be captured, cracked and used to get a reverse shell as administrator using a PowerShell credential object.</description><pubDate>Sat, 05 Oct 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Json</title><link>https://blog.zumpyx.com/hackthebox/machines/0210-json/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0210-json/</guid><description>JSON is a medium difficulty Windows machine running an IIS server with an ASP.NET application. The application is found to be vulnerable to .NET deserialization, which is exploited using ysoserial.net. A custom .NET program is found to be installed, which on reverse engineering reveals encrypted credentials for an administrator. These credentials can be decrypted and used to gain access to the FTP folder.</description><pubDate>Sat, 28 Sep 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Wall</title><link>https://blog.zumpyx.com/hackthebox/machines/0208-wall/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0208-wall/</guid><description>Wall is a medium difficulty Linux machine running a vulnerable version of Centreon network monitoring software, which can be accessed through HTTP Verb Tampering. The login page can be brute-forced to gain Admin access, which is exploited to gain RCE. A compiled python file is decompiled to extract user credentials This provides access to an SUID, resulting in a root shell.</description><pubDate>Sat, 14 Sep 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Zetta</title><link>https://blog.zumpyx.com/hackthebox/machines/0204-zetta/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0204-zetta/</guid><description>Zetta is a hard difficulty Linux machine running an FTP server with FXP enabled, which allows us to leak the server&amp;amp;#039;s IPv6 address and scan it. An rsync server is found to be running on the IPv6 interface, that can be brute-forced to gain access to a user&amp;amp;#039;s home folder. Enumeration yields a git repository containing a vulnerable template for rsyslog. This is exploited via SQL injection to execute code as the postgres user. A predictable password scheme is then leveraged to gain a root shell.</description><pubDate>Sat, 31 Aug 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Networked</title><link>https://blog.zumpyx.com/hackthebox/machines/0203-networked/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0203-networked/</guid><description>Networked is an Easy difficulty Linux box vulnerable to file upload bypass, leading to code execution. Due to improper sanitization, a crontab running as the user can be exploited to achieve command execution. The user has privileges to execute a network configuration script, which can be leveraged to execute commands as root.</description><pubDate>Sat, 24 Aug 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Scavenger</title><link>https://blog.zumpyx.com/hackthebox/machines/0202-scavenger/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0202-scavenger/</guid><description>Scavenger is a hard difficulty Linux machine running various services such as DNS, SMTP, Whois etc. The whois service is found to be vulnerable to SQL injection, exploitation of which reveals vhosts. The vhosts are enumerated to find a hidden PHP backdoor, which is used to execute code on the server. A forward shell is used to gain access to FTP credentials, resulting in access to a compromised user account. The user&amp;amp;amp;#039;s home profile contains a hidden rootkit, which is decompiled. The information gained from this is used to elevate to a root shell.</description><pubDate>Sat, 17 Aug 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Heist</title><link>https://blog.zumpyx.com/hackthebox/machines/0201-heist/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0201-heist/</guid><description>Heist is an easy difficulty Windows box with an &amp;amp;amp;amp;quot;Issues&amp;amp;amp;amp;quot; portal accessible on the web server, from which it is possible to gain Cisco password hashes. These hashes are cracked, and subsequently RID bruteforce and password spraying are used to gain a foothold on the box. The user is found to be running Firefox. The firefox.exe process can be dumped and searched for the administrator&amp;amp;amp;amp;#039;s password.</description><pubDate>Sat, 10 Aug 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Rope</title><link>https://blog.zumpyx.com/hackthebox/machines/0200-rope/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0200-rope/</guid><description>Rope is an insane difficulty Linux machine covering different aspects of binary exploitation. The web server can be exploited to gain access to the file system and download the binary. The binary is found to be vulnerable to format string exploitation, which is leveraged to get remote code execution. After gaining foothold, the user is found to have access to a shared library, which can be modified to execute code as another user. A service running on localhost can be exploited via a ROP (Return Oriented Programming) attack to gain a root shell.</description><pubDate>Sat, 03 Aug 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Safe</title><link>https://blog.zumpyx.com/hackthebox/machines/0199-safe/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0199-safe/</guid><description>Safe is an Easy difficulty Linux VM with a vulnerable service running on a port. The binary is found to be vulnerable to buffer overflow, which needs to be exploited through Return Oriented Programming (ROP) to get a shell. The user&amp;amp;amp;#039;s folder contain images and a keepass database which can be cracked using John the ripper to gain the root password.</description><pubDate>Sat, 27 Jul 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] RE</title><link>https://blog.zumpyx.com/hackthebox/machines/0198-re/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0198-re/</guid><description>RE is a hard difficulty Linux machine, featuring analysis of ODS documents using Yara. A maliciously crafted document can be used to evade detection and gain a foothold. The box uses an old version of WinRAR, which is vulnerable to path traversal. This is exploited to drop a shell to the web root and land a shell as the IIS user who has write access to the project folder. A Ghidra project is then uploaded to the folder to exploit XXE and steal admin hashes.</description><pubDate>Sat, 20 Jul 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Craft</title><link>https://blog.zumpyx.com/hackthebox/machines/0197-craft/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0197-craft/</guid><description>Craft is a medium difficulty Linux box, hosting a Gogs server with a public repository. One of the issues in the repository talks about a broken feature, which calls the eval function on user input. This is exploited to gain a shell on a container, which can query the database containing a user credential. After logging in, the user is found to be using vault to manage the SSH server, and the secret for which is in their Gogs account. This secret is used to create an OTP which can be used to SSH in as root.</description><pubDate>Sat, 13 Jul 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Player</title><link>https://blog.zumpyx.com/hackthebox/machines/0196-player/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0196-player/</guid><description>Player is a Hard difficulty Linux box featuring multiple vhosts and a vulnerable SSH server. Sensitive information gained from a chat can be leveraged to find source code. This is used to gain access to an internal application vulnerable to LFI through FFMPEG, leading to credential disclosure. The vulnerable SSH server is exploited to login to a Codiad instance, which can be used to gain a foothold. Process enumeration reveals a cron job which executes a script that is vulnerable to PHP deserialization. The script is exploited to write files and gain a shell as root.</description><pubDate>Sat, 06 Jul 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Haystack</title><link>https://blog.zumpyx.com/hackthebox/machines/0195-haystack/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0195-haystack/</guid><description>Haystack is an Easy difficulty Linux box running the ELK stack ( Elasticsearch, Logstash and Kibana). The elasticsearch DB is found to contain many entries, among which are base64 encoded credentials, which can be used for SSH. The kibana server running on localhost is found vulnerable to file inclusion, leading to code execution. The kibana user has access to the Logstash configuration which is set to execute files as root based on a certain filter.</description><pubDate>Sat, 29 Jun 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Chainsaw</title><link>https://blog.zumpyx.com/hackthebox/machines/0193-chainsaw/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0193-chainsaw/</guid><description>Chainsaw is a Hard Linux machine with various components in place. The server is running an Ethereum node, which is used to store and retrieve data. This can be modified by an attacker to set malicious data on the latest block and get code execution. The box contains an installation of IPFS ( Interplanetary File System ), and further enumeration reveals that it contains an encrypted SSH key, which can be cracked to gain lateral movement. This user has execute permissions on a SUID file, which interacts with another node running on localhost. This is exploited in a similar way as earlier to get a root shell.</description><pubDate>Sat, 15 Jun 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Writeup</title><link>https://blog.zumpyx.com/hackthebox/machines/0192-writeup/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0192-writeup/</guid><description>Writeup is an easy difficulty Linux box with DoS protection in place to prevent brute forcing. A CMS susceptible to a SQL injection vulnerability is found, which is leveraged to gain user credentials. The user is found to be in a non-default group, which has write access to part of the PATH. A path hijacking results in escalation of privileges to root.</description><pubDate>Sat, 08 Jun 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Smasher2</title><link>https://blog.zumpyx.com/hackthebox/machines/0191-smasher2/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0191-smasher2/</guid><description>Smasher2 is an insane difficult linux machine, which requires knowledge of Python, C and kernel换行exploitation. A folder protected by Basic Authentication is brute-forced to gain source code for a换行session manager on one of the vhosts. A shared object file is used by the session manager which换行has a vulnerable function leading to credential leakage. Then a kernel module is found which换行uses a weak mmap handler and is exploited to gain a root shell.</description><pubDate>Sat, 01 Jun 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Luke</title><link>https://blog.zumpyx.com/hackthebox/machines/0190-luke/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0190-luke/</guid><description>Luke is a medium difficulty Linux box featuring server enumeration and credential reuse. A configuration file leads to credential disclosure, which can be used to authenticate to a NodeJS server. The server in turn stores user credentials, and one of these provides access to a password protected folder containing configuration files. From this, the Ajenti password can be obtained and used to sign in, and execute commands in the context of root.</description><pubDate>Sat, 25 May 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>freebsd</category></item><item><title>[HTB · Machines] Ellingson</title><link>https://blog.zumpyx.com/hackthebox/machines/0189-ellingson/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0189-ellingson/</guid><description>Ellingson is a hard difficulty Linux box running a python flask server in debug mode, behind a nginx proxy. The debugger can be abused to execute code on the server in the context of the user running it. The user is found to be in the adm group which has access to the shadow.bak file, from which hashes can be gained and cracked, which allows for lateral movement. A SUID binary is found to be vulnerable to a buffer overflow - but as ASLR and NX are enabled - a ROP based exploitation needs to be performed to gain a root shell.</description><pubDate>Sat, 18 May 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] SwagShop</title><link>https://blog.zumpyx.com/hackthebox/machines/0188-swagshop/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0188-swagshop/</guid><description>SwagShop is an easy-difficulty Linux box running an old version of Magento which is vulnerable to SQLi and RCE vulnerabilities leading to a shell. The low-level user can run `vim` with &apos;sudo&apos; privileges, which can be abused to escalate privileges and obtain a root shell.</description><pubDate>Sat, 11 May 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Unattended</title><link>https://blog.zumpyx.com/hackthebox/machines/0184-unattended/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0184-unattended/</guid><description>Unattended is a medium difficulty Linux box which needs a good knowledge of SQL and its programming flaws. A path traversal on the web server can be exploited to get the source code of the PHP pages. A SQL injection flaw is found, which can be exploited using nested unions to gain LFI. The LFI can then be leveraged to RCE via log files or sessions file. Database access allows the www user to change the configuration and inject commands into a cronjob running as a user. The user is a member of the grub group, which has access to the kernel image through which the root password can be obtained.</description><pubDate>Sat, 13 Apr 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Kryptos</title><link>https://blog.zumpyx.com/hackthebox/machines/0183-kryptos/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0183-kryptos/</guid><description>KryptOS is an insane difficulty Linux box which requires knowledge of how cryptographic algorithms work. A login page is found to be vulnerable to PDO injection, and can be hijacked to gain access to the encrypting page. The page uses RC4 to encrypt files, which can be subjected to a known plaintext attack. This can be used to abuse a SQL injection in an internal web application to dump code into a file, and execute it to gain a shell. A Vimcrypt file is found, which uses a broken algorithm and can be decrypted. A vulnerable python app running on the local host is found using a weak RNG (Random Number Generator) which can be brute forced to gain RCE via the eval function.</description><pubDate>Sat, 06 Apr 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] LaCasaDePapel</title><link>https://blog.zumpyx.com/hackthebox/machines/0181-lacasadepapel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0181-lacasadepapel/</guid><description>LaCasaDePapel is an easy difficulty Linux box, which is running a backdoored vsftpd server. The backdoored port is running a PHP shell with disabled_functions. This is used to read a CA certificate, from which a client certificate can be created. The HTTPS page is vulnerable to LFI, leading to exposure of SSH keys. A configuration file can be hijacked to gain code execution as root.</description><pubDate>Sat, 30 Mar 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Helpline</title><link>https://blog.zumpyx.com/hackthebox/machines/0180-helpline/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0180-helpline/</guid><description>Helpline is a hard difficulty windows box which needs a good amount of enumeration at each stage. A ServiceDesk web application is found to be vulnerable to XXE exposing sensitive data which gives a foothold. There are hashes on the PostgreSQL database which can be cracked to gain access to a user who can read Windows Event Logs. These logs contain user credentials and can be used to move laterally. Enumeration of the file system reveals a script vulnerable to command injection, which allow for code execution in the context of another user. The local Administrator credentials are then found in the form of powershell securestring.</description><pubDate>Sat, 23 Mar 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Arkham</title><link>https://blog.zumpyx.com/hackthebox/machines/0179-arkham/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0179-arkham/</guid><description>Arkham is a medium difficulty Windows box which needs knowledge about encryption, java deserialization and Windows exploitation. A disk image present in an open share is found which is a LUKS encrypted disk. The disk is cracked to obtain configuration files. The Apache MyFaces page running on tomcat is vulnerable to deserialization but the viewstate needs to encrypted. After establishing a foothold an Outlook OST file is found, which contains a screenshot with a password. The user is found to be in the Administrators group, and a UAC bypass can be performed to gain a SYSTEM shell.</description><pubDate>Sat, 16 Mar 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Fortune</title><link>https://blog.zumpyx.com/hackthebox/machines/0178-fortune/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0178-fortune/</guid><description>Fortune is an insane difficulty OpenBSD box which hosts a web app vulnerable to RCE. Using the RCE the CA key can be read, which is used to create HTTPS client certificates. The client certificate leads to an SSH login, which helps to bypass the firewall. This allows mounting of an NFS share and dropping a suid to be executed as the user. An application is found to be using faulty encryption logic, which allows for escalation of privileges to root.</description><pubDate>Sat, 09 Mar 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>other</category></item><item><title>[HTB · Machines] Netmon</title><link>https://blog.zumpyx.com/hackthebox/machines/0177-netmon/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0177-netmon/</guid><description>Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG is running, and an FTP server with anonymous access allows reading of PRTG Network Monitor configuration files. The version of PRTG is vulnerable to RCE which can be exploited to gain a SYSTEM shell.</description><pubDate>Sat, 02 Mar 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Hackback</title><link>https://blog.zumpyx.com/hackthebox/machines/0176-hackback/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0176-hackback/</guid><description>Hackback is an insane difficulty Windows box with some good techniques at play. A GoPhish website is discovered which leads us to some phishing vhosts. While fuzzing for files a javascript file is discovered which is rot13 encoded. It contains sensitive information about an admin page which leads to RCE vulnerability. PHP disabled_functions are in effect, and so ASPX code is used to tunnel and bypass the firewall. Enumeration of the file system leads to a code injection vulnerability in a configuration file, from which named pipe impersonation can be performed. Enumeration reveals that the user has permissions on a service, which allows for arbitrary writes to the file system. This is exploited to copy a DLL to System32, and triggering it using the DiagHub service to gain a SYSTEM shell.</description><pubDate>Sat, 23 Feb 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] FriendZone</title><link>https://blog.zumpyx.com/hackthebox/machines/0173-friendzone/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0173-friendzone/</guid><description>FriendZone is an easy difficulty Linux box which needs fair amount enumeration. By doing a zone transfer vhosts are discovered. There are open shares on samba which provides credentials for an admin panel. From there, an LFI is found which is leveraged to get RCE. A cron is found running which uses a writable module, making it vulnerable to hijacking.</description><pubDate>Sat, 09 Feb 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] FluJab</title><link>https://blog.zumpyx.com/hackthebox/machines/0171-flujab/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0171-flujab/</guid><description>FluJab is a hard difficulty Linux box with lot of components and needs a fair amount of enumeration. After gaining a list of vhosts from the certificate one is found to be useful. Cookie tampering allows an unauthorized user to gain access to SMTP configuration which can be changed in order to receive mails. A parameter is found to be Union SQL injectable result of which can be seen in the Emails. Another vhost and a set of credentials is gained from the database which leads to Ajenti management console. The console is found to be misconfigured allowing overwriting and reading files, from which SSH access can be gained. Privileges can be escalated through a screens suid which is found to be vulnerable.</description><pubDate>Sat, 26 Jan 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Help</title><link>https://blog.zumpyx.com/hackthebox/machines/0170-help/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0170-help/</guid><description>Help is an Easy Linux box which has a GraphQL endpoint which can be enumerated get a set of credentials for a HelpDesk software. The software is vulnerable to blind SQL injection which can be exploited to get a password for SSH Login. Alternatively an unauthenticated arbitrary file upload can be exploited to get RCE. Then the kernel is found to be vulnerable and can be exploited to get a root shell.</description><pubDate>Sat, 19 Jan 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Sizzle</title><link>https://blog.zumpyx.com/hackthebox/machines/0169-sizzle/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0169-sizzle/</guid><description>Sizzle is an &amp;amp;amp;quot;Insane&amp;amp;amp;quot; difficulty WIndows box with an Active Directory environment. A writable directory in an SMB share allows to steal NTLM hashes which can be cracked to access the Certificate Services Portal. A self signed certificate can be created using the CA and used for PSRemoting. A SPN associated with a user allows a kerberoast attack on the box. The user is found to have Replication rights which can be abused to get Administrator hashes via DCSync.</description><pubDate>Sat, 12 Jan 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Conceal</title><link>https://blog.zumpyx.com/hackthebox/machines/0168-conceal/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0168-conceal/</guid><description>Conceal is a &amp;amp;amp;quot;hard&amp;amp;amp;quot; difficulty Windows which teaches enumeration of IKE protocol and Conceal configuring IPSec in transport mode. Once configured and working the firewall goes down and a shell can be uploaded via FTP and executed. On listing the hotfixes the box is found vulnerable to ALPC Task Scheduler LPE. Alternatively, SeImpersonatePrivilege granted to the user allows to obtain a SYSTEM shell.</description><pubDate>Sat, 05 Jan 2019 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Chaos</title><link>https://blog.zumpyx.com/hackthebox/machines/0167-chaos/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0167-chaos/</guid><description>Chaos is a &amp;amp;amp;amp;quot;medium&amp;amp;amp;amp;quot; difficulty box which provides an array of challenges to deal with. It requires a fair amount enumeration of the web server as well as enumerating vhosts which leads to a wordpress site which provides a file containing credentials for an IMAP server. The drafts folder contained sensitive information which needed cryptographical knowledge to decipher. The decrypted information leads to a page hosting a vulnerable Latex application which helps to gain a foothold. Password reuse helps to land a shell as a user but in a restricted shell which can be bypassed by abusing a GTFObin. Escaping the shell gives access to the user&amp;amp;amp;amp;#039;s firefox folder containing saved logins which on decrypting gives access to a webadmin console and the root shell.</description><pubDate>Sat, 15 Dec 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Lightweight</title><link>https://blog.zumpyx.com/hackthebox/machines/0166-lightweight/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0166-lightweight/</guid><description>Lightweight is a pretty unique and challenging box which showcases the common mistakes made by system administrators and the need for encryption in any kind protocol used. It deals with the abuse of Linux capabilities which can be harmful in bad hands and how unencrypted protocols like LDAP can be sniffed to gain information and credentials.</description><pubDate>Sat, 08 Dec 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Teacher</title><link>https://blog.zumpyx.com/hackthebox/machines/0165-teacher/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0165-teacher/</guid><description>Teacher is a &amp;amp;amp;amp;quot;medium&amp;amp;amp;amp;quot; difficulty machine, which teaches techniques for identifying and exploiting logical flaws and vulnerabilities of outdated modules within popular CMS (in this instance Moodle), enumeration of sensitive information within the backend database and leverage misconfigurations on the operating system, which lead to a complete compromise of a system.</description><pubDate>Sat, 01 Dec 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] BigHead</title><link>https://blog.zumpyx.com/hackthebox/machines/0164-bighead/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0164-bighead/</guid><description>Bighead is an &amp;amp;quot;Insane&amp;amp;quot; difficulty windows box which deals with advanced binary exploitation, registry enumeration, code review and NTFS ADS. The source code of the web server is found on github which needs to be analyzed to find an overflow in a HEAD request. It can be exploited using heap spraying and egg hunting which results in a shell. Registry enumeration leads to hex encoded password for nginx which is used to obtain an ssh shell through port forward. On reviewing the PHP code a file vulnerable to LFI is found which is exploited to gain a root shell. The root flag has an ADS which is a keepass database. This is cracked using the key to gain the final flag.</description><pubDate>Sat, 24 Nov 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Irked</title><link>https://blog.zumpyx.com/hackthebox/machines/0163-irked/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0163-irked/</guid><description>Irked is a pretty simple and straight-forward box which requires basic enumeration skills. It shows the need to scan all ports on machines and to investigate any out of the place binaries found while enumerating a system.</description><pubDate>Sat, 17 Nov 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] RedCross</title><link>https://blog.zumpyx.com/hackthebox/machines/0162-redcross/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0162-redcross/</guid><description>RedCross is a medium difficulty box that features XSS, OS commanding, SQL injection, remote exploitation of a vulnerable application, and privilege escalation via PAM/NSS.</description><pubDate>Sat, 10 Nov 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Curling</title><link>https://blog.zumpyx.com/hackthebox/machines/0160-curling/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0160-curling/</guid><description>Curling is an Easy difficulty Linux box which requires a fair amount of enumeration. The password is saved in a file on the web root. The username can be download through a post on the CMS which allows a login. Modifying the php template gives a shell. Finding a hex dump and reversing it gives a user shell. On enumerating running processes a cron is discovered which can be exploited for root.</description><pubDate>Sat, 27 Oct 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Zipper</title><link>https://blog.zumpyx.com/hackthebox/machines/0159-zipper/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0159-zipper/</guid><description>Zipper is a medium difficulty machine that highlights how privileged API access can be leveraged to gain RCE, and the risk of unauthenticated agent access. It also provides an interesting challenge in terms of overcoming command processing timeouts, and also highlights the dangers of not specifying absolute paths in privileged admin scripts/binaries.</description><pubDate>Sat, 20 Oct 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Ethereal</title><link>https://blog.zumpyx.com/hackthebox/machines/0157-ethereal/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0157-ethereal/</guid><description>Ethereal is an &amp;amp;quot;insane&amp;amp;quot; difficulty machine, which showcases how DNS can be used to exfiltrate information from a system, and is applicable to many externally facing applications. It also features a very restrictive environment, which is made more hospitable by the use of the OpenSSL &amp;amp;quot;LOLBIN&amp;amp;quot;. It highlights how malicious shortcut files can be used to move laterally and vertically within a system or network. Finally, it shows how an attacker would be able use trusted certificates to defeat a stringent application whitelisting configuration. Finally, it showcases techniques for creating and signing Windows Installer (MSI) files.</description><pubDate>Sat, 06 Oct 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Access</title><link>https://blog.zumpyx.com/hackthebox/machines/0156-access/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0156-access/</guid><description>Access is an &amp;amp;amp;quot;easy&amp;amp;amp;quot; difficulty machine, that highlights how machines associated with the physical security of an environment may not themselves be secure. Also highlighted is how accessible FTP/file shares can often lead to getting a foothold or lateral movement. It teaches techniques for identifying and exploiting saved credentials.</description><pubDate>Sat, 29 Sep 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Carrier</title><link>https://blog.zumpyx.com/hackthebox/machines/0155-carrier/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0155-carrier/</guid><description>Carrier is a medium machine with a unique privilege escalation that involves BGP hijacking. The initial access is pretty straight forward but with a little twist to it.</description><pubDate>Sat, 22 Sep 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] YPuffy</title><link>https://blog.zumpyx.com/hackthebox/machines/0154-ypuffy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0154-ypuffy/</guid><description>Ypuffy is medium difficulty machine which highlights the danger of allowing LDAP null sessions. It also features an interesting SSH CA authentication privilege escalation, via the OpenBSD doas command. An additional privilege escalation involving Xorg is also possible.</description><pubDate>Sat, 15 Sep 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>openbsd</category></item><item><title>[HTB · Machines] Giddy</title><link>https://blog.zumpyx.com/hackthebox/machines/0153-giddy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0153-giddy/</guid><description>Giddy is a medium difficulty machine, which highlights how low privileged SQL Server logins can be used to compromise the underlying SQL Server service account. This is an issue in many environments, and depending on the configuration, the service account may have elevated privileges across the domain. It also features Windows registry enumeration and custom payload creation.</description><pubDate>Sat, 08 Sep 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Oz</title><link>https://blog.zumpyx.com/hackthebox/machines/0152-oz/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0152-oz/</guid><description>Oz is a hard to insane difficulty machine which teaches about web application enumeration, SQL Injection, Server-Side Template Injection, SSH tunnelling, and how Portainer functionality can be abused to compromise the host operating system. The techniques learned here are directly applicable to real-world situations.</description><pubDate>Sat, 01 Sep 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] SecNotes</title><link>https://blog.zumpyx.com/hackthebox/machines/0151-secnotes/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0151-secnotes/</guid><description>SecNotes is a medium difficulty machine, which highlights the risks associated with weak password change mechanisms, lack of CSRF protection and insufficient validation of user input. It also teaches about Windows Subsystem for Linux enumeration.</description><pubDate>Sat, 25 Aug 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Dab</title><link>https://blog.zumpyx.com/hackthebox/machines/0150-dab/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0150-dab/</guid><description>Dab is a challenging machine, that features an interesting enumeration and exploitation path. It teaches techniques and concepts that are useful to know when assessing Web and Linux environments.</description><pubDate>Sat, 18 Aug 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Waldo</title><link>https://blog.zumpyx.com/hackthebox/machines/0149-waldo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0149-waldo/</guid><description>Waldo is a medium difficulty machine, which highlights the risk of insufficient input validation, provides the challenge of rbash escape or bypassing, and showcases an interesting privilege escalation vector involving Linux Capabilities, all of which may be found in real environments.</description><pubDate>Sat, 04 Aug 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Reddish</title><link>https://blog.zumpyx.com/hackthebox/machines/0147-reddish/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0147-reddish/</guid><description>Reddish is a very challenging but rewarding machine, which teaches concepts and techniques applicable to many situations. This writeup serves as a written compliment to IppSec&amp;amp;amp;#039;s Reddish video, which is a masterclass in tunneling, and directly references it. IppSec&amp;amp;amp;#039;s videos are packed full of learning and are highly recommended!</description><pubDate>Sat, 21 Jul 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Hawk</title><link>https://blog.zumpyx.com/hackthebox/machines/0146-hawk/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0146-hawk/</guid><description>Hawk is a medium to hard difficulty machine, which provides excellent practice in pentesting Drupal. The exploitable H2 DBMS installation is also realistic as web-based SQL consoles (RavenDB etc.) are found in many environments. The OpenSSL decryption challenge increases the difficulty of this machine.</description><pubDate>Sat, 14 Jul 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Mischief</title><link>https://blog.zumpyx.com/hackthebox/machines/0145-mischief/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0145-mischief/</guid><description>Mischief is hard to insane difficulty machine that highlights the risks involved with exposing SNMP, and the dangers of passing credentials over the command line. It also features a &amp;amp;quot;ping&amp;amp;quot; admin page - functionality often found on appliances, which is worth testing for RCE vulnerabilities.</description><pubDate>Sat, 07 Jul 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Jerry</title><link>https://blog.zumpyx.com/hackthebox/machines/0144-jerry/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0144-jerry/</guid><description>Jerry is an easy-difficulty Windows machine that showcases how to exploit Apache Tomcat, leading to an `NT Authority\SYSTEM` shell, thus fully compromising the target.</description><pubDate>Sat, 30 Jun 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Reel</title><link>https://blog.zumpyx.com/hackthebox/machines/0143-reel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0143-reel/</guid><description>Reel is medium to hard difficulty machine, which requires a client-side attack to bypass the perimeter, and highlights a technique for gaining privileges in an Active Directory environment.</description><pubDate>Sat, 23 Jun 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Smasher</title><link>https://blog.zumpyx.com/hackthebox/machines/0141-smasher/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0141-smasher/</guid><description>Smasher is a very challenging machine, that requires exploit development, scripting, source code review and Linux exploitation skills. A vulnerable web server is found to be running, which can be exploited to gain a shell using ROP. A program running on a port locally is vulnerable to padding oracle and can be exploited to gain sensitive information. After logging in, the user is found to have access to a SUID file which can be exploited due to a race condition.</description><pubDate>Sat, 09 Jun 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] DevOops</title><link>https://blog.zumpyx.com/hackthebox/machines/0140-devoops/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0140-devoops/</guid><description>DevOops is a relatively quick machine to complete which focuses on XML external entities and Python pickle vulnerabilities to gain a foothold.</description><pubDate>Sat, 02 Jun 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Dropzone</title><link>https://blog.zumpyx.com/hackthebox/machines/0139-dropzone/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0139-dropzone/</guid><description>Dropzone is an interesting machine that highlights a technique used by the Stuxnet worm. The discovery of NTFS data streams provides an additional challenge.</description><pubDate>Sat, 19 May 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] TartarSauce</title><link>https://blog.zumpyx.com/hackthebox/machines/0138-tartarsauce/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0138-tartarsauce/</guid><description>TartarSauce is a fairly challenging box that highlights the importance of a broad remote enumeration instead of focusing on obvious but potentially less fruitful attack vectors. It features a quite realistic privilege escalation requiring abuses of the tar command. Attention to detail when reviewing tool output is beneficial when attempting this machine.</description><pubDate>Sat, 12 May 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Olympus</title><link>https://blog.zumpyx.com/hackthebox/machines/0135-olympus/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0135-olympus/</guid><description>Olympia is not overly difficult, however there are many steps involved in getting access to the main system. There is a heavy focus on the use of Docker, with a variety of topics and techniques along the way.</description><pubDate>Sat, 21 Apr 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Canape</title><link>https://blog.zumpyx.com/hackthebox/machines/0134-canape/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0134-canape/</guid><description>Canape is a moderate difficulty machine, however the use of a file (.git) that is not included in the dirbuster wordlists can greatly increase the difficulty for some users. This machine also requires a basic understanding of Python to be able to find the exploitable point in the application.</description><pubDate>Sat, 14 Apr 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Rabbit</title><link>https://blog.zumpyx.com/hackthebox/machines/0133-rabbit/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0133-rabbit/</guid><description>Rabbit is a fairly realistic machine which provides excellent practice for client-side attacks and web app enumeration. The large potential attack surface of the machine and lack of feedback for created payloads increases the difficulty of the machine.</description><pubDate>Sat, 31 Mar 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Poison</title><link>https://blog.zumpyx.com/hackthebox/machines/0132-poison/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0132-poison/</guid><description>Poison is a fairly easy machine which focuses mainly on log poisoning and port forwarding/tunneling. The machine is running FreeBSD which presents a few challenges for novice users as many common binaries from other distros are not available.</description><pubDate>Sat, 24 Mar 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>freebsd</category></item><item><title>[HTB · Machines] Silo</title><link>https://blog.zumpyx.com/hackthebox/machines/0131-silo/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0131-silo/</guid><description>Silo focuses mainly on leveraging Oracle to obtain a shell and escalate privileges. It was intended to be completed manually using various tools, however Oracle Database Attack Tool greatly simplifies the process, reducing the difficulty of the machine substantially.</description><pubDate>Sat, 17 Mar 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Celestial</title><link>https://blog.zumpyx.com/hackthebox/machines/0130-celestial/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0130-celestial/</guid><description>Celestial is a medium difficulty machine which focuses on deserialization exploits. It is not the most realistic, however it provides a practical example of abusing client-size serialized objects in NodeJS framework.</description><pubDate>Sat, 10 Mar 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Stratosphere</title><link>https://blog.zumpyx.com/hackthebox/machines/0129-stratosphere/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0129-stratosphere/</guid><description>Stratosphere focuses on the use of an Apache Struts code execution vulnerability which was leveraged in a large-scale breach, resulting in the disclosure of millions of peoples&amp;amp;amp;#039; credit information.</description><pubDate>Sat, 03 Mar 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Bart</title><link>https://blog.zumpyx.com/hackthebox/machines/0128-bart/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0128-bart/</guid><description>Bart is a fairly realistic machine, mainly focusing on proper enumeration techniques. There are several security policies in place which can increase the difficulty for those who are not familiar with Windows environments.</description><pubDate>Sat, 24 Feb 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Valentine</title><link>https://blog.zumpyx.com/hackthebox/machines/0127-valentine/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0127-valentine/</guid><description>Valentine is a very unique medium difficulty machine which focuses on the Heartbleed vulnerability, which had devastating impact on systems across the globe.</description><pubDate>Sat, 17 Feb 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Aragog</title><link>https://blog.zumpyx.com/hackthebox/machines/0126-aragog/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0126-aragog/</guid><description>Aragog is not overly challenging, however it touches on several common real-world vulnerabilities, techniques and misconfigurations.</description><pubDate>Sat, 10 Feb 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Falafel</title><link>https://blog.zumpyx.com/hackthebox/machines/0124-falafel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0124-falafel/</guid><description>Falafel is not overly challenging, however it requires several unique tricks and techniques in order to successfully exploit. Numerous hints are provided, although proper enumeration is needed to find them.</description><pubDate>Sat, 03 Feb 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Chatterbox</title><link>https://blog.zumpyx.com/hackthebox/machines/0123-chatterbox/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0123-chatterbox/</guid><description>Chatterbox is a fairly straightforward machine that requires basic exploit modification or Metasploit troubleshooting skills to complete.</description><pubDate>Sat, 27 Jan 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Nightmare</title><link>https://blog.zumpyx.com/hackthebox/machines/0122-nightmare/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0122-nightmare/</guid><description>Nightmare is a very challenging machine which has many access restrictions in place. It focuses mainly on several unique topics and exploit modification, however since its release a valid 32-bit version of the exploit PoC has been released.</description><pubDate>Sat, 20 Jan 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] CrimeStoppers</title><link>https://blog.zumpyx.com/hackthebox/machines/0120-crimestoppers/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0120-crimestoppers/</guid><description>CrimeStoppers is a fairly challenging machine, requiring several unique techniques in order to be successfully exploited. There are many hints and easter eggs present on the machine, with a heavy focus on avoiding the use of automated tools.</description><pubDate>Sat, 06 Jan 2018 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] FluxCapacitor</title><link>https://blog.zumpyx.com/hackthebox/machines/0119-fluxcapacitor/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0119-fluxcapacitor/</guid><description>FluxCapacitor focuses on intermediate/advanced enumeration of web applications as well as bypassing web application firewall rules. Overall, FluxCapacitor is not overly challenging and provides a good learning experience for fuzzing HTTP parameters.</description><pubDate>Sat, 16 Dec 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Bashed</title><link>https://blog.zumpyx.com/hackthebox/machines/0118-bashed/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0118-bashed/</guid><description>Bashed is an easy Linux machine focused on web fuzzing and locating exposed development files. After discovering a functional phpbash instance, access is gained as `www-data` and escalated to `scriptmanager` through sudo permissions. As direct crontab access is restricted, root escalation relies on identifying writable scripts executed by a root-owned scheduled task.</description><pubDate>Sat, 09 Dec 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Inception</title><link>https://blog.zumpyx.com/hackthebox/machines/0117-inception/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0117-inception/</guid><description>Inception is a fairly challenging box and is one of the few machines that requires pivoting to advance. There are many different steps and techniques needed to successfully achieve root access on the main host operating system. Good enumeration skills are an asset when attempting this machine.</description><pubDate>Sat, 02 Dec 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Ariekei</title><link>https://blog.zumpyx.com/hackthebox/machines/0115-ariekei/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0115-ariekei/</guid><description>Ariekei is a complex machine focusing mainly on web application firewalls and pivoting techniques. This machine is by far one of the most challenging, requiring multiple escalations and container breakouts.</description><pubDate>Sat, 18 Nov 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Jeeves</title><link>https://blog.zumpyx.com/hackthebox/machines/0114-jeeves/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0114-jeeves/</guid><description>Jeeves is not overly complicated, however it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path.</description><pubDate>Sat, 11 Nov 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Tally</title><link>https://blog.zumpyx.com/hackthebox/machines/0113-tally/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0113-tally/</guid><description>Tally can be a very challenging machine for some. It focuses on many different aspects of real Windows environments and requires users to modify and compile an exploit for escalation. Not covered in this document is the use of Rotten Potato, which is an unintended alternate method for privilege escalation.</description><pubDate>Sat, 04 Nov 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] Enterprise</title><link>https://blog.zumpyx.com/hackthebox/machines/0112-enterprise/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0112-enterprise/</guid><description>Enterprise is one of the more challenging machines on Hack The Box. It requires a wide range of knowledge and skills to successfully exploit. It features a custom wordpress plugin and a buffer overflow vulnerability that can be exploited both locally and remotely.</description><pubDate>Sat, 28 Oct 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Sense</title><link>https://blog.zumpyx.com/hackthebox/machines/0111-sense/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0111-sense/</guid><description>Sense, while not requiring many steps to complete, can be challenging for some as the proof of concept exploit that is publicly available is very unreliable. An alternate method using the same vulnerability is required to successfully gain access.</description><pubDate>Sat, 21 Oct 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>openbsd</category></item><item><title>[HTB · Machines] Node</title><link>https://blog.zumpyx.com/hackthebox/machines/0110-node/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0110-node/</guid><description>Node focuses mainly on newer software and poor configurations. The machine starts out seemingly easy, but gets progressively harder as more access is gained. In-depth enumeration is required at several steps to be able to progress further into the machine.</description><pubDate>Sat, 14 Oct 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Minion</title><link>https://blog.zumpyx.com/hackthebox/machines/0109-minion/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0109-minion/</guid><description>Minion is quite a challenging machine, and requires fairly advanced knowledge of Windows and PowerShell to complete. This machine touches on many different topics and can be a great learning experience.</description><pubDate>Sat, 07 Oct 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>windows</category></item><item><title>[HTB · Machines] Shocker</title><link>https://blog.zumpyx.com/hackthebox/machines/0108-shocker/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0108-shocker/</guid><description>Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers.</description><pubDate>Sat, 30 Sep 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Kotarak</title><link>https://blog.zumpyx.com/hackthebox/machines/0101-kotarak/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0101-kotarak/</guid><description>Kotarak focuses on many different attack vectors and requires quite a few steps for completion. It is a great learning experience as many of the topics are not covered by other machines on Hack The Box.</description><pubDate>Sat, 23 Sep 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Mantis</title><link>https://blog.zumpyx.com/hackthebox/machines/0098-mantis/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0098-mantis/</guid><description>Mantis can definitely be one of the more challenging machines for some users. For successful exploitation, a fair bit of knowledge or research of Windows Servers and the domain controller system is required.</description><pubDate>Sat, 16 Sep 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>windows</category></item><item><title>[HTB · Machines] SolidState</title><link>https://blog.zumpyx.com/hackthebox/machines/0085-solidstate/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0085-solidstate/</guid><description>SolidState is a medium difficulty machine that requires chaining of multiple attack vectors in order to get a privileged shell. As a note, in some cases the exploit may fail to trigger more than once and a machine reset is required.</description><pubDate>Fri, 08 Sep 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Mirai</title><link>https://blog.zumpyx.com/hackthebox/machines/0064-mirai/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0064-mirai/</guid><description>Mirai demonstrates one of the fastest-growing attack vectors in modern times; improperly configured IoT devices. This attack vector is constantly on the rise as more and more IoT devices are being created and deployed around the globe, and is actively being exploited by a wide variety of botnets. Internal IoT devices are also being used for long-term persistence by malicious actors.</description><pubDate>Fri, 01 Sep 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Shrek</title><link>https://blog.zumpyx.com/hackthebox/machines/0058-shrek/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0058-shrek/</guid><description>Shrek, while not the most realistic machine, touches on many different subjects and is definitely one of the more challenging machines on Hack The Box. This machine features several fairly uncommon topics and requires a fair bit of research to complete.</description><pubDate>Fri, 25 Aug 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Apocalyst</title><link>https://blog.zumpyx.com/hackthebox/machines/0057-apocalyst/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0057-apocalyst/</guid><description>Apocalyst is a fairly straightforward machine, however it requires a wide range of tools and techniques to complete. It touches on many different topics and can be a great learning resource for many.</description><pubDate>Fri, 18 Aug 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Nineveh</title><link>https://blog.zumpyx.com/hackthebox/machines/0054-nineveh/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0054-nineveh/</guid><description>Nineveh is not overly challenging, however several exploits must be chained to gain initial access. Several uncommon services are running on the machine, and some research is required to enumerate them.</description><pubDate>Fri, 04 Aug 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Blue</title><link>https://blog.zumpyx.com/hackthebox/machines/0051-blue/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0051-blue/</guid><description>Blue, while possibly the most simple machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly.</description><pubDate>Fri, 28 Jul 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Blocky</title><link>https://blog.zumpyx.com/hackthebox/machines/0048-blocky/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0048-blocky/</guid><description>Blocky is fairly simple overall, and was based on a real-world machine. It demonstrates the risks of bad password practices as well as exposing internal files on a public facing system. On top of this, it exposes a massive potential attack vector: Minecraft. Tens of thousands of servers exist that are publicly accessible, with the vast majority being set up and configured by young and inexperienced system administrators.</description><pubDate>Fri, 21 Jul 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Jail</title><link>https://blog.zumpyx.com/hackthebox/machines/0045-jail/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0045-jail/</guid><description>Jail, like the name implies, involves escaping multiple sandbox environments and escalating between multiple user accounts. It is definitely one of the more challenging machines on Hack The Box and requires fairly advanced knowledge in several areas to complete.</description><pubDate>Fri, 14 Jul 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>insane</category><category>linux</category></item><item><title>[HTB · Machines] Bank</title><link>https://blog.zumpyx.com/hackthebox/machines/0026-bank/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0026-bank/</guid><description>Bank is a relatively simple machine, however proper web enumeration is key to finding the necessary data for entry. There also exists an unintended entry method, which many users find before the correct data is located.</description><pubDate>Fri, 16 Jun 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Holiday</title><link>https://blog.zumpyx.com/hackthebox/machines/0022-holiday/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0022-holiday/</guid><description>Holiday is definitely one of the more challenging machines on HackTheBox. It touches on many different subjects and demonstrates the severity of stored XSS, which is leveraged to steal the session of an interactive user. The machine is very unique and provides an excellent learning experience.</description><pubDate>Fri, 02 Jun 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>hard</category><category>linux</category></item><item><title>[HTB · Machines] Haircut</title><link>https://blog.zumpyx.com/hackthebox/machines/0021-haircut/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0021-haircut/</guid><description>Haircut is a medium-difficulty Linux machine, featuring several useful attack vectors. The challenge begins with web enumeration, where a PHP site invoking `curl` is discovered. Parameter injection is leveraged to write a webshell to the server, allowing for code execution. Further enumeration of the filters enables command execution directly within the page. For privilege escalation, a vulnerable version of `screen` with SUID permissions is identified and exploited to achieve `root` access.</description><pubDate>Fri, 26 May 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Sneaky</title><link>https://blog.zumpyx.com/hackthebox/machines/0019-sneaky/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0019-sneaky/</guid><description>Sneaky, while not requiring many steps to complete, can be difficult for some users. It explores enumeration through SNMP and has a beginner level buffer overflow vulnerability which can be leveraged for privilege escalation.</description><pubDate>Sun, 14 May 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Lazy</title><link>https://blog.zumpyx.com/hackthebox/machines/0018-lazy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0018-lazy/</guid><description>Lazy mainly focuses on the use of padding oracle attacks, however there are several unintended workarounds that are relatively easier, and many users miss the intended attack vector. Lazy also touches on basic exploitation of SUID binaries and using environment variables to aid in privilege escalation.</description><pubDate>Wed, 03 May 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] October</title><link>https://blog.zumpyx.com/hackthebox/machines/0015-october/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0015-october/</guid><description>October is a fairly easy machine to gain an initial foothold on, however it presents a fair challenge for users who have never worked with NX/DEP or ASLR while exploiting buffer overflows.</description><pubDate>Thu, 20 Apr 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Grandpa</title><link>https://blog.zumpyx.com/hackthebox/machines/0013-grandpa/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0013-grandpa/</guid><description>Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.</description><pubDate>Wed, 12 Apr 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Granny</title><link>https://blog.zumpyx.com/hackthebox/machines/0014-granny/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0014-granny/</guid><description>Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the widely-known Webdav upload vulnerability.</description><pubDate>Wed, 12 Apr 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Tenten</title><link>https://blog.zumpyx.com/hackthebox/machines/0008-tenten/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0008-tenten/</guid><description>Tenten is a medium difficulty machine that requires some outside-the-box/CTF-style thinking to complete. It demonstrates the severity of using outdated Wordpress plugins, which is a major attack vector that exists in real life.</description><pubDate>Wed, 22 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Cronos</title><link>https://blog.zumpyx.com/hackthebox/machines/0011-cronos/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0011-cronos/</guid><description>CronOS focuses mainly on different vectors for enumeration and also emphasises the risks associated with adding world-writable files to the root crontab. This machine also includes an introductory-level SQL injection vulnerability.</description><pubDate>Wed, 22 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Optimum</title><link>https://blog.zumpyx.com/hackthebox/machines/0006-optimum/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0006-optimum/</guid><description>Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.</description><pubDate>Sat, 18 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Bastard</title><link>https://blog.zumpyx.com/hackthebox/machines/0007-bastard/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0007-bastard/</guid><description>Bastard is not overly challenging, however it requires some knowledge of PHP in order to modify and use the proof of concept required for initial entry. This machine demonstrates the potential severity of vulnerabilities in content management systems.</description><pubDate>Sat, 18 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>windows</category></item><item><title>[HTB · Machines] Legacy</title><link>https://blog.zumpyx.com/hackthebox/machines/0002-legacy/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0002-legacy/</guid><description>Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access.</description><pubDate>Wed, 15 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Devel</title><link>https://blog.zumpyx.com/hackthebox/machines/0003-devel/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0003-devel/</guid><description>Devel, while relatively simple, demonstrates the security risks associated with some default program configurations. It is a beginner-level machine which can be completed using publicly available exploits.</description><pubDate>Wed, 15 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>windows</category></item><item><title>[HTB · Machines] Popcorn</title><link>https://blog.zumpyx.com/hackthebox/machines/0004-popcorn/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0004-popcorn/</guid><description>Popcorn, while not overly complicated, contains quite a bit of content and it can be difficult for some users to locate the proper attack vector at first. This machine mainly focuses on different methods of web exploitation.</description><pubDate>Wed, 15 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>medium</category><category>linux</category></item><item><title>[HTB · Machines] Beep</title><link>https://blog.zumpyx.com/hackthebox/machines/0005-beep/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0005-beep/</guid><description>Beep has a very large list of running services, which can make it a bit challenging to find the correct entry method. This machine can be overwhelming for some as there are many potential attack vectors. Luckily, there are several methods available for gaining access.</description><pubDate>Wed, 15 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item><item><title>[HTB · Machines] Lame</title><link>https://blog.zumpyx.com/hackthebox/machines/0001-lame/</link><guid isPermaLink="true">https://blog.zumpyx.com/hackthebox/machines/0001-lame/</guid><description>Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.</description><pubDate>Tue, 14 Mar 2017 00:00:00 GMT</pubDate><category>hackthebox</category><category>machines</category><category>easy</category><category>linux</category></item></channel></rss>