Active - Hack The Box
Active is an easy to medium difficulty machine, which features two very prevalent techniques to gain privileges within an Active Directory environment.
Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.
Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in a hash for an account that doesn't require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack, in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically log in, and it identifies their password. This second user also has Windows remote management permissions. BloodHound reveals that this user has the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket-psexec.py in order to gain a shell on the bo...
Tenet is a Medium difficulty machine that features an Apache web server. It contains a Wordpress blog with a few posts. One of the comments on the blog mentions the presence of a PHP file along with its backup. After identification of the backup file it is possible to review its source code. The code in the PHP file is vulnerable to an insecure deserialisation vulnerability, and by successfully exploiting it a foothold on the system is achieved. While enumerating the system it was found that the Wordpress configuration file can be read, thus gaining access to a set of credentials. By using them we can move laterally from user ‘www-data’ to user ‘Neil’. Further system enumeration reveals that this user has root permissions to run a bash script through ‘sudo’. The script writes SSH public keys to the ‘authorized_keys’ file of the ‘root’ user and is vulnerable to a race condition. After successful exploitation, attackers can write their own SSH keys to the ‘authorized_keys’ file and use t...
Writer is a medium Linux machine that outlines poor coding practices and presents how a file read vulnerability through SQL injection can lead to disclosure of source code files which include credentials. The combination of password reuse on the SMB service with a blind SSRF exploitation via an image upload function can lead to a foothold on the system. By abusing Django features it is possible to extract and crack user credentials. Further abusing multiple misconfigurations in the Postfix service leads to write privileges in the apt service folders, allowing those users to execute commands as root through a script that updates the machine every minute.
Artificial Season 8 (Week 6)
Heal is a medium-difficulty Linux machine that features a website vulnerable to arbitrary file read, allowing us to extract sensitive credentials. The server also hosts a LimeSurvey instance, where the leaked credentials can be used to log in as an administrator. Since administrators can upload plugins, we can exploit this to upload a malicious plugin and gain a reverse shell as the ‘www-data’ user. Further enumeration reveals the database password for LimeSurvey, which is reused by the system user ‘ron’, allowing us to escalate access. The server also runs a local instance of the Consul Agent as ‘root’. By registering a malicious service via the Consul API, we can escalate privileges and gain root access.
Pit is a medium difficulty Linux machine that focuses on SNMP enumeration and exploitation, while introducing basic SELinux restrictions and web misconfigurations. By enumerating SNMP via the default insecure public community, information about filesystems and users can be obtained. This allows attackers to discover and gain access to a vulnerable SeedDMS instance, which was incorrectly patched by applying Apache .htaccess rules to an Nginx server where they are not effective. Exploiting CVE-2019-12744 results in Remote Command Execution (with some SELinux restrictions) and subsequent access to a Cockpit console via password reuse. Privileges are escalated by writing a Bash script that is executed as an SNMP extension when the corresponding OID is queried.
Union is a medium difficulty Linux machine featuring a web application that is vulnerable to SQL Injection. There are filters in place which prevent SQLMap from dumping the database. Users are intended to manually craft union statements to extract information from the database and website source code. The database contains a flag that can be used to authenticate against the machine, and upon authentication the webserver runs an iptables command to enable port 22. The credentials for SSH are in the PHP configuration file used to authenticate against MySQL. Once on the machine, users can examine the source code of the web application and find out that, by setting the X-FORWARDED-FOR header, they can perform command injection on the system command used by the webserver to whitelist IP addresses.
‘Strutted’ is a medium-difficulty Linux machine featuring a website for a company offering image hosting solutions. The website provides a Docker container with a version of Apache Struts that is vulnerable to ‘CVE-2024-53677’, which is leveraged to gain a foothold on the system. Further enumeration reveals the ‘tomcat-users.xml’ file with a plaintext password used to authenticate as ‘james’. For privilege escalation, we abuse ‘tcpdump’ while it is used with ‘sudo’ to create a copy of the ‘bash’ binary with the ‘SUID’ bit set, allowing us to gain a ‘root’ shell.
Compiled is a medium-difficulty Windows machine featuring a Gitea instance and a web application that clones Git repository URLs on the backend. The server’s Git version is vulnerable to CVE-2024-32002, which can be exploited to gain initial access with a Git Bash shell as Richard. By cracking the password hash retrieved from the Gitea database file, the password for user Emily can be obtained. Privilege escalation to Administrator is achieved by exploiting CVE-2024-20656, a vulnerability in the Visual Studio Code version installed on the server.
Bolt is a medium difficulty Linux machine featuring a custom web application that provides a Docker image file with multiple layers containing deleted files. Enumerating a deleted database file reveals credentials for an application, which in turn reveals hints to a demo site. Further enumeration of the Docker image reveals an invitation token which allows registration to the site. The site is found to be vulnerable to Server Side Template Injection. A foothold can be gained by exploiting the SSTI vulnerability. Enumerating the passbolt configuration reveals database credentials that can be used to achieve lateral movement. The root password can be obtained by exploiting the passbolt server.
Instant is a medium difficulty machine that includes reverse engineering a mobile application, exploiting API endpoints, and cracking encrypted hashes and files. Players will analyze an APK to extract sensitive information and a hardcoded authorization token, then they will exploit an API endpoint vulnerable to Arbitrary File Read. Finally, they will achieve full system compromise by decrypting and analyzing encrypted session data from Solar-PuTTY.
Waldo is a medium difficulty machine, which highlights the risk of insufficient input validation, provides the challenge of rbash escape or bypassing, and showcases an interesting privilege escalation vector involving Linux Capabilities, all of which may be found in real environments.
Hawk is a medium to hard difficulty machine, which provides excellent practice in pentesting Drupal. The exploitable H2 DBMS installation is also realistic as web-based SQL consoles (RavenDB etc.) are found in many environments. The OpenSSL decryption challenge increases the difficulty of this machine.
Jeeves is not overly complicated, however it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path.
Toolbox is an easy difficulty Windows machine that features a Docker Toolbox installation. Docker Toolbox is used to host a Linux container, which serves a site that is found vulnerable to SQL injection. This is leveraged to gain a foothold on the Docker container. Docker Toolbox default credentials and host file system access are leveraged to gain a privileged shell on the host.
SolidState is a medium difficulty machine that requires chaining of multiple attack vectors in order to get a privileged shell. As a note, in some cases the exploit may fail to trigger more than once and a machine reset is required.
Devzat is a medium Linux machine that features a web server and the ‘Devzat’ chat application. Upon enumerating the web server, a new vhost called ‘pets’ can be discovered. The ‘pets’ vhost has a ‘.git’ directory with listing enabled, providing access to the source code of ‘pets’. Reviewing the source code, a command injection vulnerability is discovered allowing an attacker to gain a reverse shell as the user ‘patrick’. Logging in to the ‘Devzat’ chat application as ‘patrick’ on the remote machine, the chat history between ‘patrick’ and ‘admin’ reveals that ‘InfluxDB’ is installed on the remote system. Enumerating ‘InfluxDB’, it is discovered that the version installed is vulnerable to CVE-2019-20933, an authentication bypass vulnerability. Exploiting the aforementioned vulnerability, an attacker is able to dump the contents of ‘InfluxDB’, revealing the password of the user ‘catherine’. Switching from ‘patrick’ to ‘catherine’ and logging in to the Devzat chat application as ‘catherine’, the chat history between t...
Shocker, while fairly simple overall, demonstrates the severity of the renowned Shellshock exploit, which affected millions of public-facing servers.
Previse is an easy machine that showcases Execution After Redirect (EAR), which allows users to retrieve the contents of accounts.php and make requests to it whilst unauthenticated. This leads to abusing the PHP ‘exec()’ function, since user inputs are not sanitized, allowing remote code execution against the target. After gaining a www-data shell, privilege escalation starts with the retrieval and cracking of a custom MD5Crypt hash which consists of a unicode salt; once cracked, it allows users to gain SSH access to the target. Finally, a script executable via sudo does not use absolute paths for the binaries it utilises, which allows users to perform PATH hijacking on the target to compromise the machine.
Pilgrimage is an easy-difficulty Linux machine featuring a web application with an exposed ‘Git’ repository. Analysing the underlying filesystem and source code reveals the use of a vulnerable version of ‘ImageMagick’, which can be used to read arbitrary files on the target by embedding a malicious ‘tEXT’ chunk into a PNG image. The vulnerability is leveraged to obtain a ‘SQLite’ database file containing a plaintext password that can be used to SSH into the machine. Enumeration of the running processes reveals a ‘Bash’ script executed by ‘root’ that calls a vulnerable version of the ‘Binwalk’ binary. By creating another malicious PNG, ‘CVE-2022-4510’ is leveraged to obtain Remote Code Execution (RCE) as ‘root’.
‘PermX’ is an Easy Difficulty Linux machine featuring a learning management system vulnerable to unrestricted file uploads via CVE-2023-4220. This vulnerability is leveraged to gain a foothold on the machine. Enumerating the machine reveals credentials that lead to SSH access. A ‘sudo’ misconfiguration is then exploited to gain a ‘root’ shell.
Nunchucks is an easy machine that explores a NodeJS-based Server Side Template Injection (SSTI) leading to an AppArmor bug which disregards the binary's AppArmor profile while executing scripts that include the shebang of the profiled application.
This UHC qualifier box was a neat take on some common NodeJS vulnerabilities. First there’s a NoSQL authentication bypass. Then I’ll use XXE in some post upload ability to leak files, including the site source. With that, I’ll spot a deserialization vulnerability which I can abuse to get RCE. I’ll get the user’s password from Mongo via the shell or through the NoSQL injection, and use that to escalate to root. In Beyond Root, a look at characters that broke the deserialization payload, and scripting the NoSQL injection.
Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.
Networked is an Easy difficulty Linux box vulnerable to file upload bypass, leading to code execution. Due to improper sanitization, a crontab running as the user can be exploited to achieve command execution. The user has privileges to execute a network configuration script, which can be leveraged to execute commands as root.
Netmon is an easy difficulty Windows box with simple enumeration and exploitation. PRTG is running, and an FTP server with anonymous access allows reading of PRTG Network Monitor configuration files. The version of PRTG is vulnerable to RCE which can be exploited to gain a SYSTEM shell.
Mirai demonstrates one of the fastest-growing attack vectors in modern times; improperly configured IoT devices. This attack vector is constantly on the rise as more and more IoT devices are being created and deployed around the globe, and is actively being exploited by a wide variety of botnets. Internal IoT devices are also being used for long-term persistence by malicious actors.
Love is an easy Windows machine that features a voting system application which suffers from an authenticated remote code execution vulnerability. Our port scan reveals a service running on port 5000 where, browsing the page, we discover that we are not allowed to access the resource. Furthermore, a file scanner application is running on the same server which is, however, affected by an SSRF vulnerability whose exploitation gives access to an internal password manager. We can then gather credentials for the voting system and, by executing the remote code execution attack as the phoebe user, we get the initial foothold on the system. Basic Windows enumeration reveals that the machine suffers from an elevated misconfiguration. Bypassing the AppLocker restriction, we manage to install a malicious MSI file that finally results in a reverse shell as the SYSTEM account.
Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access.
Lame is an easy Linux machine, requiring only one exploit to obtain root access. It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.
Knife is an easy difficulty Linux machine that features an application which is running on a backdoored version of PHP. This vulnerability is leveraged to obtain the foothold on the server. A sudo misconfiguration is then exploited to gain a root shell.
Keeper is an easy-difficulty Linux machine that features a support ticketing system that uses default credentials. Enumerating the service, we are able to see clear text credentials that lead to SSH access. With ‘SSH’ access, we can gain access to a KeePass database dump file, which we can leverage to retrieve the master password. With access to the ‘Keepass’ database, we can access the root ‘SSH’ keys, which are used to gain a privileged shell on the host.
Jerry is an easy-difficulty Windows machine that showcases how to exploit Apache Tomcat, leading to an ‘NT Authority\SYSTEM’ shell, thus fully compromising the target.
Irked is a pretty simple and straightforward box which requires basic enumeration skills. It shows the need to scan all ports on machines and to investigate any out-of-place binaries found while enumerating a system.
Granny, while similar to Grandpa, can be exploited using several different methods. The intended method of solving this machine is the widely-known Webdav upload vulnerability.
Grandpa is one of the simpler machines on Hack The Box, however it covers the widely-exploited CVE-2017-7269. This vulnerability is trivial to exploit and granted immediate access to thousands of IIS servers around the globe when it became public knowledge.
Buffer Overflow notes with a practical example (Spanish)
Horizontall is an easy difficulty Linux machine where only HTTP and SSH services are exposed. Enumeration of the website reveals that it is built using the Vue JS framework. Reviewing the source code of the Javascript file, a new virtual host is discovered. This host contains the ‘Strapi Headless CMS’ which is vulnerable to two CVEs allowing potential attackers to gain remote code execution on the system as the ‘strapi’ user. Then, after enumerating services listening only on localhost on the remote machine, a Laravel instance is discovered. In order to access the port that Laravel is listening on, SSH tunnelling is used. The Laravel framework installed is outdated and running in debug mode. Another CVE can be exploited to gain remote code execution through Laravel as ‘root’.
GoodGames is an Easy Linux machine that showcases the importance of sanitising user inputs in web applications to prevent SQL injection attacks, using strong hashing algorithms in database structures to prevent the extraction and cracking of passwords from a compromised database, along with the dangers of password re-use. It also highlights the dangers of using render_template_string in a Python web application where user input is reflected, allowing Server Side Template Injection (SSTI) attacks. Privilege escalation involves docker host enumeration and shows how having admin privileges in a container and a low privilege user on the host machine can be dangerous, allowing attackers to escalate privileges to compromise the system.
Editorial is an easy difficulty Linux machine that features a publishing web application vulnerable to ‘Server-Side Request Forgery (SSRF)’. This vulnerability is leveraged to gain access to an internal running API, which is then leveraged to obtain credentials that lead to SSH access to the machine. Enumerating the system further reveals a Git repository that is leveraged to reveal credentials for a new user. The ‘root’ user can be obtained by exploiting CVE-2022-24439 and the sudo configuration.
Driver is an easy Windows machine that focuses on printer exploitation. Enumeration of the machine reveals that a web server is listening on port 80, along with SMB on port 445 and WinRM on port 5985. Navigation to the website reveals that it is protected using basic HTTP authentication. While trying common credentials, the ‘admin:admin’ credential is accepted and we are able to visit the webpage. The webpage provides a feature to upload printer firmware to an SMB share for a remote team to test and verify. Uploading a Shell Command File that contains a command to fetch a remote file from our local machine leads to the NTLM hash of the user ‘tony’ being relayed back to us. Cracking the captured hash to retrieve a plaintext password, we are able to log in as ‘tony’ using WinRM. Then, switching over to a meterpreter session, it is discovered that the machine is vulnerable to a local privilege exploit that abuses a specific printer driver present on the remote machine. Using the exploit we can get a session as ‘NT...
Delivery is an easy difficulty Linux machine that features the support ticketing system osTicket, where, using a technique called TicketTrick, a non-authenticated user can be granted access to a temporary company email. This permits registration at MatterMost and joining the internal team channel. It is revealed through that channel that users have been using variants of the same password "PleaseSubscribe!" for internal access. The channel also discloses the credentials for the mail user, which give the initial foothold on the system. While enumerating the file system we come across the mattermost configuration file, which reveals MySQL database credentials. With access to the database, a password hash can be extracted from the Users table and cracked using the "PleaseSubscribe!" pattern. After cracking the hash it is possible to log in as the user root.
CozyHosting is an easy-difficulty Linux machine that features a ‘Spring Boot’ application. The application has the ‘Actuator’ endpoint enabled. Enumerating the endpoint leads to the discovery of a user's session cookie, leading to authenticated access to the main dashboard. The application is vulnerable to command injection, which is leveraged to gain a reverse shell on the remote machine. Enumerating the application ‘JAR’ file, hardcoded credentials are discovered and used to log into the local database. The database contains a hashed password, which once cracked is used to log into the machine as the user ‘josh’. The user is allowed to run ‘ssh’ as ‘root’, which is leveraged to fully escalate privileges.
Chemistry is an easy-difficulty Linux machine that showcases a Remote Code Execution (RCE) vulnerability in the pymatgen Python library (CVE-2024-23346) by uploading a malicious CIF file to the CIF Analyzer website hosted on the target. After discovering and cracking hashes, we authenticate to the target via SSH as the user rosa. For privilege escalation, we exploit a Path Traversal vulnerability that leads to an Arbitrary File Read in a Python library called AioHTTP (CVE-2024-23334), which is used by the web application running internally, to read the root flag.
Cap is an easy difficulty Linux machine running an HTTP server that performs administrative functions including performing network captures. Improper controls result in Insecure Direct Object Reference (IDOR) giving access to another user’s capture. The capture contains plaintext credentials and can be used to gain foothold. A Linux capability is then leveraged to escalate to root.
BoardLight is an easy difficulty Linux machine that features a Dolibarr instance vulnerable to CVE-2023-30253. This vulnerability is leveraged to gain access as www-data. After enumerating and dumping the web configuration file contents, plaintext credentials lead to SSH access to the machine. Enumerating the system, a SUID binary related to enlightenment is identified which is vulnerable to privilege escalation via CVE-2022-37706 and can be abused to obtain a root shell.
Blocky is fairly simple overall, and was based on a real-world machine. It demonstrates the risks of bad password practices as well as exposing internal files on a public facing system. On top of this, it exposes a massive potential attack vector: Minecraft. Tens of thousands of servers exist that are publicly accessible, with the vast majority being set up and configured by young and inexperienced system administrators.
Bashed is a fairly easy machine which focuses mainly on fuzzing and locating important files, as basic access to the crontab is restricted.
Antique is an easy Linux machine featuring a network printer that discloses credentials through an SNMP string, which allows logging in to the Telnet service. A foothold can be obtained by exploiting a feature in the printer. A CUPS administration service is running locally; this service can be exploited further to gain root access on the server.
Alert is an easy-difficulty Linux machine with a website to upload, view, and share markdown files. The site is vulnerable to cross-site scripting (XSS), which is exploited to access an internal page vulnerable to Arbitrary File Read and leveraged to gain access to a password hash. The hash is then cracked to reveal the credentials leveraged to gain ‘SSH’ access to the target. Enumeration of processes running on the system shows a ‘PHP’ file that is being executed regularly, which has excessive privileges for the management group our user is a member of and allows us to overwrite the file for code execution as root.
In this machine, we are exploiting XSS to perform CSRF and abusing APIs to achieve RCE. Additionally, we are taking advantage of a Golang binary with sudoers configuration.
On this machine, we are exploiting Insecure Cookie Handling, Time-Based SQL Injection, DOM XXE, and SUID with PATH Hijacking. Additionally, we performed brute force on an FTP user and achieved a file upload with a bypass.
We are exploiting the Log4Shell vulnerability (CVE-2021-44228) on this machine and taking advantage of MongoDB misconfiguration.
In this machine, we take advantage of an FTP misconfiguration to obtain credentials and crack hashes. Additionally, we exploit a PostgreSQL database using SQL Injection and leverage the sudoers file.
Python TCP Port Scanner Script.
Python ICMP Port Scanner Script.
Macchanger Script.
Keylogger Malware Script.
HTTP Spoofing (MITM Attack).
HTTP Sniffer (MITM Attack).
Forward Shell Script.
DNS Sniffer (MITM Attack).
DNS Poisoning (MITM Attack).
Browser Stealer Script.
ARP Scanner Script.
ARP Poisoning (MITM Attack).
In this machine, we are exploiting an IDOR with RCE. With respect to privilege escalation, we are taking advantage of leaked credential files and exploiting SUID files through PATH Hijacking.
ShellShock vulnerability notes (Spanish)
Mass-Assignment (Parameter Binding) vulnerability notes (Spanish)
File upload abuse notes (Spanish)
Docker Commands Cheat Sheet (Spanish)
Deserialization attack notes (Spanish)
API abuse examples (Spanish)
In this machine, we take advantage of an SMB misconfiguration, exploit an MSSQL database, and escalate privileges through regular expressions in a Windows system.
In this machine, we exploit LLMNR/NBT-NS poisoning to capture NTLMv2 hashes and crack them.
In this machine we are taking advantage of misconfigured MariaDB server credentials.
In this machine, we are exploiting a misconfigured Redis service that has no credentials.
In this machine, we are taking advantage of FTP anonymous login and exploiting the login panel with Hydra.
In this machine, we are exploiting an SQL Injection in the login panel.
In this machine, we are taking advantage of a misconfigured Telnet service using a blank password.
In this machine we are taking advantage of FTP anonymous login.
In this machine we are taking advantage of a resource-sharing misconfiguration in the SMB service.