Blog
About
Tags
Blogs
Apr 29, 23
Hack the Box - Meta 2
MetaTwo is an easy Linux machine that features a website running Wordpress, which is using a plugin vulnerable to unauthenticated SQL injection (CVE-2022-0739). It can be exploited to reveal the password hash of the Wordpress users which can be cracked to obtain the password for the Wordpress user manager. The Wordpress version in use is vulnerable to an XXE Vulnerability in the Media Library (CVE-2021-29447), which can be exploited to obtain credentials for the FTP server. A file on the FTP server reveals the SSH credentials for user jnelson. For privilege escalation, the passpie utility on the remote host can be exploited to obtain the password for the root user.
Apr 29, 23
Hack the Box - Keeper
Apr 29, 23
Hack the Box - Busqueda
Jan 14, 23
Hack the Box - Shoppy
Dec 22, 22
Hack the Box - Support
Support is an Easy difficulty Windows machine that features an SMB share that allows anonymous authentication. After connecting to the share, an executable file is discovered that is used to query the machines LDAP server for available users. Through reverse engineering, network analysis or emulation, the password that the binary uses to bind the LDAP server is identified and can be used to make further LDAP queries. A user called support is identified in the users list, and the info field is found to contain his password, thus allowing for a WinRM connection to the machine. Once on the machine, domain information can be gathered through SharpHound, and BloodHound reveals that the Shared Support Accounts group that the support user is a member of, has GenericAll privileges on the Domain Controller. A Resource Based Constrained Delegation attack is performed, and a shell as NT Authority System is received.
Nov 26, 22
Hack the Box - RedPanda
RedPanda is an easy Linux machine that features a website with a search engine made using the Java Spring Boot framework. This search engine is vulnerable to Server-Side Template Injection and can be exploited to gain a shell on the box as user woodenk. Enumerating the processes running on the system reveals a Java program that is being run as a cron job as user root. Upon reviewing the source code of this program, we can determine that it is vulnerable to XXE. Elevation of privileges is achieved by exploiting the XXE vulnerability in the cron job to obtain the SSH private key for the root user. We can then log in as user root over SSH and obtain the root flag.
««
«
1
2
3
4
5
»
»»
Follow me
I hack things and tweet about things...
Search
Results
No results found
Try adjusting your search query