Hack The Box

From Luniwiki

Walkthroughs of retired challenges on HTB

Hack The Box is an online platform allowing you to test and advance your skills in cyber security. Use it responsibly and don't hack your fellow members...


  • Haystack (Fri Nov 1 05:14:35 EDT 2019)
    • Hidden text in image
    • ELK queries (Elasticsearch)
    • Kibana LFI
    • Logstash command execution (ELK)

  • Lame (Tue Nov 5 21:28:26 EST 2019)
    • Samba exploit

  • Legacy (Wed Nov 6 02:31:31 EST 2019)
    • Exploit MS08-067 (remote code execution), Windows XP
    • Exploit MS17-010 (EternalRomance), user escalation, Windows XP

  • Devel (Fri Nov 8 04:18:51 EST 2019)
    • Open IIS FTP -> push cmd.aspx
    • Reverse shell from IIS web server
    • Exploit MS11-046 privilege escalation

  • Beep (Fri Nov 15 09:13:04 EST 2019)
    • Elastix LFI vulnerability
    • Elastix remote code execution
    • Sudo nmap

  • Optimum (Fri Nov 15 14:50:50 EST 2019)
    • Rejetto HTTP File Server vulnerability
    • MS16-098 Privilege escalation

  • Arctic (Fri Nov 15 22:55:59 EST 2019)
    • Adobe ColdFusion LFI
    • Adobe ColdFusion scheduled task
    • MS10-059 privilege escalation

  • Grandpa (Sat Nov 16 23:19:37 EST 2019)
    • CVE-2017-7269 (Metasploit)
    • MS14-058 privilege escalation

  • Granny (Sun Nov 17 23:22:59 EST 2019)
    • CVE-2017-7269 (Metasploit)
    • MS14-058 privilege escalation

  • Bank (Sun Nov 17 23:52:44 EST 2019)
    • Web enumeration
    • Injection of PHP file
    • /etc/passwd writable -> add new user with password
    • SUID executable that provides a shell

  • Blocky (Mon Nov 18 14:22:07 EST 2019)
    • WordPress enumeration for username
    • Web enumeration
    • Decompilation of Java files -> password
    • Reuse of user and password in ssh
    • sudo access

  • Blue (Tue Nov 19 08:57:27 EST 2019)
    • nmap discovers vulnerability to MS17-010 (EternalBlue)
    • Metasploit direct access as NT Authority

  • Mirai (Tue Nov 19 14:03:50 EST 2019)
    • Web enumeration
    • Default Raspberry Pi password over ssh
    • sudo full access
    • Root flag hidden in deleted partition

  • Shocker (Wed Nov 20 08:51:23 EST 2019)
    • Web enumeration -> CGI script
    • Machine vulnerable to Shellshock
    • sudo on perl -> reverse shell

  • Sense (Wed Nov 20 10:20:52 EST 2019)
    • Web enumeration -> user name & password for pfSense application
    • pfSense authenticated vulnerability -> reverse shell as root

  • Bashed (Mon Nov 25 13:14:47 EST 2019)
    • Web enumeration -> PHP shell
    • sudo to user scriptmanager (lateral movement)
    • root crontab runs python scripts -> root reverse shell

  • Nibbles (Mon Nov 25 23:11:36 EST 2019)
    • Web enumeration -> user
    • Password guess
    • Nibbleblog vulnerability allows upload of PHP files
    • root sudo on script file -> reverse shell
    • Linux kernel vulnerability (RationalLove)

  • Valentine (Wed Nov 27 14:00:41 EST 2019)
    • nmap detects vulnerability to Heartbleed
    • Web enumeration discloses ssh key
    • Heartbleed discloses passphrase of ssh key
    • Open tmux session -> privilege escalation
    • Dirty COW 2 Linux kernel vulnerability (allows writing files with root privilege)

  • Sunday (Wed Nov 27 20:48:39 EST 2019)
    • Finger enumeration
    • Brute force against ssh (or guess)
    • root sudo on script
    • hashcat on shadow file backup
    • root sudo with wget
    • Overwrite of script with wget -> gain access
    • Alternative: overwrite sudoers file

  • Bounty (Sat Nov 30 09:48:54 EST 2019)
    • Custom aspx page allows uploading config files
    • Remote command execution with config files in IIS
    • Reverse shell via PowerShell DownloadString
    • Metasploit local privilege escalation suggester offers multiple ways (machine not patched)

  • Jerry (Tue Dec 3 18:00:47 EST 2019)
    • Tomcat manager accessible with default password
    • Deploy malicious WAR to gain reverse shell -> NT Authority

  • Active (Tue Dec 3 18:45:38 EST 2019)
    • Active Directory enumeration
    • Group Policy service password disclosure
    • Kerberoasting to gain Administrator password
    • psexec shell from impacket

  • Access (Tue Jan 21 17:08:17 EST 2020)
    • FTP enumeration
    • Access file with credentials
    • Password for encrypted pst file -> password for local user
    • runas with saved credentials
    • Crack of saved credentials with mimikatz

  • Frolic (Sat Jan 25 21:27:10 EST 2020)
    • Web enumeration
    • PHP application vulnerability (PlaySMS)
    • Linux kernel vulnerability
    • Local buffer overflow

  • Curling (Tue Jan 27 19:21:03 EST 2020)
    • Web enumeration
    • Joomla! reverse shell
    • Abuse of curl on crontab

  • Irked (Tue Jan 28 14:56:06 EST 2020)
    • UnrealIRCd backdoor
    • Steganography
    • SUID custom file abuse

  • Teacher (Tue Jan 28 20:31:31 EST 2020)
    • Password clue
    • Brute force web password with Burp
    • Moodle vulnerability (Evil Teacher)
    • MySQL access as user root, find MD5 password
    • Crack of MD5 password with hashcat
    • Cron job abuse to modify /etc/passwd

  • Help (Wed Jan 29 19:34:01 EST 2020)
    • PHP application vulnerability (HelpDeskZ)
    • Linux kernel vulnerability

  • FriendZone (Thu Jan 30 19:25:10 EST 2020)
    • DNS Enumeration
    • Multiple web enumeration
    • Samba enumeration
    • PHP LFI
    • Abuse of writable python library and cron job run as root

  • Netmon (Sat Feb 1 10:35:23 EST 2020)
    • Anonymous FTP access
    • PRTG vulnerability allows creating an admin user
    • Access with psexec from impacket

  • LaCasaDePapel (Sat Feb 1 12:00:18 EST 2020)
    • vsftpd backdoor -> psysh shell
    • CA key -> create HTTP client certificate
    • Web application abuse -> ssh key file
    • Cron job restarts Node.js application; abuse of ini file owned by root but located in user folder -> privileged reverse shell

  • Bastion (Sat Feb 1 18:00:47 EST 2020)
    • Guest network share with Windows workstation backup
    • Mount VHD file -> dump computer SAM
    • Crack SAM -> user domain credentials
    • SSH on Windows enabled
    • Administrative domain credentials stored in mRemoteNG config file

  • SwagShop (Sat Feb 1 20:48:41 EST 2020)
    • Magento vulnerability allows creating a Magento admin user
    • Magento vulnerability allows remote execution
    • Abuse of sudo vi to gain a root shell

  • Writeup (Sun Feb 2 00:24:44 EST 2020)
    • CMS Made Simple SQL injection vulnerability -> user and password -> ssh session
    • PATH abuse to replace the uname command -> root reverse shell when a normal user logs into the system

  • Safe (Sat Nov 2 21:42:40 EDT 2019)
    • App on port 1337 -> buffer overflow
    • ROP buffer overflow abuse -> gain user shell
    • Crack of KeePass file -> root

  • Heist (Thu Feb 27 08:44:06 EST 2020)
    • Crack Cisco IOS type 5 and type 7 encrypted passwords
    • crackmapexec to find valid AD credentials (Hazard)
    • RID cycling to find additional users
    • crackmapexec to find valid AD credentials (Chase)
    • Evil-WinRM access with user in group BUILTIN\Remote Management Users (Chase)
    • ProcDump of Firefox process -> find Administrator credentials
    • Administrator shell access with psexec or Evil-WinRM

  • Networked (Sat Mar 7 17:46:14 EST 2020)
    • PHP source code found in backup folder
    • Apache misconfiguration interprets PHP in any file with .php in the name -> upload of an image with reverse shell appended
    • Abuse of unsanitized file name in a PHP script run by crontab to gain user shell
    • sudo access to a script that modifies CentOS network scripts
    • Abuse of network scripting shell to gain root

  • Popcorn (Sun Mar 8 22:43:00 EDT 2020)
    • Register on torrent application
    • Upload PHP file by tampering the HTTP request to bypass file type detection -> reverse shell
    • Old Ubuntu version and old kernel -> at least 4 ways to pwn the machine:
      • CVE-2010-0832 pam_motd module vulnerability
      • Full Nelson CVE-2010-4258 CVE-2010-3850 CVE-2010-3849
      • RDS Protocol CVE-2010-3904
      • Dirty Cow CVE-2016-5195

  • Bastard (Tue Mar 10 10:02:46 EDT 2020)
    • Drupal Services module vulnerability allows uploading a PHP file
    • Upload of PHP script to upload files and execute commands
    • Upload nc.exe -> reverse shell
    • Upload MS10-059 exploit -> gain NT Authority

  • Tenten (Tue Mar 10 16:12:14 EDT 2020)
    • WPScan -> provides user and vulnerabilities
    • Job Manager filename disclosure
    • Image with private key hidden by steganography
    • Crack passphrase of private key with John
    • Abuse sudo command allowed without password to gain root shell

  • Postman (Sat Nov 2 14:19:03 EDT 2019)
    • Write authorized_keys file via Redis abuse
    • Crack passphrase of ssh private key
    • Reuse of user password -> user flag
    • Reuse of credentials for access to Webmin
    • Webmin update remote code execution vulnerability -> root reverse shell

  • Cronos (Wed Mar 18 20:56:29 EDT 2020)
    • DNS enumeration -> host names
    • Bypass authentication by SQL injection
    • Alternative: bypass authentication by tampering the server response
    • Form with command execution abused to open reverse shell
    • Cron job executes PHP file
    • Update of that file -> root reverse shell

  • October (Wed Mar 18 15:13:33 EDT 2020)
    • October CMS: guess admin password
    • October CMS allows upload of php5 files -> reverse shell and user flag
    • SUID program ovrflw
    • Exploit of buffer overflow by brute-forcing ASLR

  • Forest (Fri Apr 3 23:14:53 EDT 2020)
    • AD user enumeration
    • User svc-alfresco has "Do not require Kerberos preauthentication" -> AS-REP roasting -> crack password
    • BloodHound graph -> path to Domain Admins
    • svc-alfresco in group Account Operators -> create user in group Exchange Windows Permissions
    • Grant user DCSync privilege through WriteDacl
    • Dump NTLM hashes -> psexec with Administrator hash

  • Lazy (Mon Apr 27 06:40:44 EDT 2020)
    • Registered user on web
    • Tampering the auth cookie raises an Invalid Padding error
    • padbuster to find cookie structure
    • padbuster to encrypt admin auth cookie
    • Download of ssh key
    • PATH abuse on setuid program to gain shell

  • Traverxec (Thu Apr 30 10:45:08 EDT 2020)
    • Nostromo web server remote code execution -> reverse shell
    • Crack htpasswd file
    • Public_www user folder accessible -> backup file with ssh key
    • Crack ssh key
    • A script calls sudo journalctl without password
    • Spawn a root shell from the less pager invoked by journalctl

  • Sneaky (Fri May 1 06:37:00 EDT 2020)
    • Login page vulnerable to SQL injection -> ssh key and user
    • SNMP enumeration -> IPv6 address
    • SSH via IPv6 address
    • Setuid program found vulnerable to buffer overflow
    • Buffer overflow by calling the system function
    • Alternative: buffer overflow by injecting system shellcode in the stack
    • Alternative: buffer overflow by injecting an /etc/passwd line via the stack

  • Openadmin (Mon May 4 15:38:55 EDT 2020)
    • OpenNetAdmin running on server
    • OpenNetAdmin RCE -> shell as www-data user
    • Database config file discloses Jimmy's password
    • Internal server runs as user Joanna, and Jimmy can modify its source code
    • Add PHP file to open reverse shell as Joanna -> user flag
    • Abuse of sudo nano as user Joanna -> root flag

  • Haircut (Mon May 4 21:40:03 EDT 2020)
    • PHP page downloads a web page with curl -> curl abuse to write our PHP reverse shell on the server
    • Call reverse shell -> user flag
    • screen 4.5.0 is setuid and allows changing the owner of a file to root
    • Compilation of rootshell and shared library
    • Call of shared library creating file /etc/ld.so.preload as root with screen
    • Call screen to load the shared library as root (screen is setuid) and change rights on our rootshell
    • Call rootshell

  • Europa (Thu May 7 14:35:33 EDT 2020)
    • Admin portal with PHP login page
    • SQL injection allows access to the application
    • Tools page using PHP Perl-compatible regular expressions allows remote code execution by adding the e modifier -> open reverse shell
    • Cron job executes script writable by www-data -> root reverse shell

  • Nineveh (Thu May 7 21:04:29 EDT 2020)
    • Dictionary brute force on custom PHP page
    • Find ssh key appended to image file
    • Dictionary brute force on phpLiteAdmin
    • Upload of embedded PHP script in SQLite database with phpLiteAdmin
    • LFI abuse in custom PHP application -> execution of PHP script embedded in SQLite database -> reverse shell
    • Port knocking daemon -> known port sequence unlocks the ssh port
    • Periodic execution of chkrootkit detected
    • Creation of file /tmp/update executed by chkrootkit as root -> root reverse shell

  • Apocalyst (Tue May 12 07:04:52 EDT 2020)
    • WPScan enumerates WordPress user
    • CeWL used to generate a word list from the web content
    • Web enumeration with the generated word list -> image with steganography -> extract list.txt
    • Brute force WordPress with Hydra using the user name and the word list
    • Add PHP reverse shell to index.php template -> reverse shell as www-data -> user flag
    • Find password of user falaraki in hidden file
    • /etc/passwd writable -> change uid of user falaraki to 0 -> root access
    • Alternative: /etc/passwd writable -> add new line for a root user -> root access
    • Alternative: user falaraki in lxd group -> create container with root disk mapped -> access to host files as root

  • Solidstate (Wed May 13 20:07:47 EDT 2020)
    • James remote administration tool default password -> change users' passwords
    • With user password -> read mails -> user and password -> access to restricted shell
    • Bypass restricted shell
      • Changing pseudo terminal to bash
      • James remote command execution (alternative)
    • Writable python file owned by root executed by crontab every 3 minutes
      • Privilege escalation via python file by writing a new line in /etc/passwd -> access as new user
      • Privilege escalation via python file by launching a root reverse shell
      • Privilege escalation via python file by changing rights and setting setuid on /bin/dash or /bin/bash -> effective user is root

  • Node (Fri May 15 18:09:22 EDT 2020)
    • Node.js application on port 3000
    • Hydra over login page finds 2 passwords for normal users
    • API users endpoint shows 1 admin user and password hashes
    • hashcat brute-forces the admin user password
    • Admin portal downloads a base64-encoded backup file -> encrypted zip file
    • Brute force zip file with John -> zip file password
    • Zip file contains the source code -> database credentials for user mark
    • Reuse of credentials with ssh
    • Background Node.js task runs as user tom
    • Insert into MongoDB database a document to be executed by background task -> reverse shell as tom -> user flag
    • tom is in group admin and gid (1002) is unusually high for an admin group -> handmade admin group
    • Found setuid program backup owned by root and group admin
    • Decompilation and analysis of backup program -> program backs up the folder passed as argument but discards some bad characters -> possible buffer overflow in a display function
    • Buffer overflow allows external program execution -> root access
    • Alternatively, the \n character is not filtered, so we can abuse the program to execute new command lines passed in the third argument -> execute /bin/bash -> root access

  • Enterprise (Thu May 21 17:03:27 EDT 2020)
    • Port scan discovers 3 web servers (80, 443 and 8080) and a custom application on port 32812
    • dirsearch on port 443 finds zip file -> WordPress plugin vulnerable to SQL injection
    • sqlmap -> finds WordPress users and hashes, Joomla users and hashes, and a list of passwords
    • hashcat on WordPress user -> access console -> reverse shell with template -> but reverse shell lands inside Docker instance
    • hashcat on Joomla user -> access console -> reverse shell with template -> but reverse shell lands inside Docker instance
      • /files folder shared with host and host web server (port 443) -> create PHP reverse shell
    • Call reverse shell -> host access
    • Find program running on port 32812 as user root
    • ASLR is disabled locally and program is vulnerable to buffer overflow -> remote exploit to run a root shell

  • Jeeves (Tue May 26 15:07:14 EDT 2020)
    • dirsearch finds Jenkins on port 50000
    • Jenkins executes reverse shell Groovy script
    • KeePass file in Documents folder
    • Set up Samba share to transfer KeePass file
    • John cracks KeePass file -> NTLM hash
    • impacket psexec with NTLM hash -> access as Administrator
    • Root flag hidden in alternate data stream (ADS)

  • Inception (Wed May 27 14:28:07 EDT 2020)
    • dompdf 0.6 running on web server -> vulnerability allows reading files from the target
    • Apache config contains WebDAV config -> upload files to web server
    • Uploaded reverse shell doesn't work, but a webshell works
    • Recon -> IP address doesn't correspond to target -> possibly a container
    • WordPress config file shows a database password
    • SSH through proxy (direct or with proxychains) -> use found password -> ssh access to container -> user flag
    • Port scan of host from container discovers ssh, ftp and tftp
    • Anonymous FTP helps to recon the host
    • SSH doesn't allow root access by password
    • Crontab runs apt update every 5 minutes
    • Adding an APT::Update::Pre-Invoke command in the /etc/apt/apt.conf.d folder allows inserting a new line in /etc/passwd with a new user in group sudo
    • After the cron job runs, ssh access with our new user -> sudo -i for access as root