Synopsis: # The engagement of the HTB x VL box Lock began with the discovery of an open Gitea service on TCP port 3000. An anonymous exploration of this service revealed a public code repository containing a Python script. Analysis of the script’s commit history uncovered a hardcoded Gitea personal access token. This token was leveraged to discover and clone a private ‘website’ repository, whose README file indicated a CI/CD pipeline was in place for automatic deployment to a webserver. By committing and pushing an ASP. NET web shell to this repository, the CI/CD pipeline was abused to gain initial code execution on the underlying webserver. A reverse shell was then established, granting access as the user ellen.freeman. Post-exploitation enumeration uncovered an mRemoteNG configuration file containing an encrypted password for a second user, Gale.Dekarios. After decrypting the password, the researcher performed lateral movement by logging in as this user via RDP. Further investigation on the new desktop revealed a vulnerable version of PDF 24 Creator (11.15.1), which was exploited through a flaw in its MSI installer service to escalate privileges to NT AUTHORITY\SYSTEM.
Synopsis: # Shibuya, a challenging hard-rated HTB x Vulnlab Active Directory box, requires a multi-stage attack chain involving credential harvesting, session hijacking, and a critical Active Directory Certificate Services (ADCS) misconfiguration. The initial foothold is gained by enumerating domain users via Kerberos and discovering a weak password for one user. This access is quickly leveraged to find a service account’s plaintext password stored in its user description, granting access to a critical SMB share. Inside the share, a Windows Imaging (.wim) file contains cached domain credentials for another user. By extracting the necessary registry hives from this image, a hash is recovered and used to reset the user’s password, enabling lateral movement to an interactive shell on the domain controller via SSH. Privilege escalation is a two-step process: first, a Cross-Session Relay attack is performed to capture and crack the hash of a high-privileged user with an active session. With these new credentials, the final pivot is made by exploiting a vulnerable ADCS certificate template (ESC1) to request a certificate as a domain administrator, ultimately yielding the administrator’s NT hash and achieving full domain compromise.
Synopsis: # The RetroTwo machine, a Windows Server 2008 R 2 Domain Controller for the retro2.vl domain, was targeted. Initial reconnaissance revealed several services, including SMB and LDAP. Anonymous SMB access led to the discovery of a Microsoft Access database file containing credentials for an ldapreader user. This user’s privileges were leveraged through BloodHound analysis to identify pathways for lateral movement, involving the manipulation of computer account passwords due to misconfigurations related to “Pre-Windows 2000 Compatible Access” and “GenericWrite” permissions. These actions allowed the ldapreader user to gain RDP access to the Domain Controller. Finally, a known vulnerability in the Windows Server 2008 R 2 operating system was exploited using the Perfusion tool to escalate privileges to nt authority\system, achieving full compromise of the server.
Synopsis: # The Retro machine from HTB x Vulnlab was a Windows Active Directory Domain Controller. Initial access was gained by leveraging anonymous SMB enumeration and weak credentials for a ‘trainee’ user. Post-exploitation involved discovering clues in text files, leading to the compromise of a machine account (‘BANKING$’) by guessing its password and then resetting it. This access was then pivotal for privilege escalation via an Active Directory Certificate Services (AD CS) misconfiguration (ESC1), allowing the attacker to request a certificate as the Domain Administrator, ultimately leading to full administrative control over the domain controller.
Synopsis: # This write-up details the penetration test conducted against the HTB x Vulnlab Build machine identified by the IP address 10.10.102.56. Initial reconnaissance revealed several open ports, including SSH, RSH-related services, RSYNC, and a Gitea instance on port 3000. Vulnerability analysis began with the Gitea service, where user registration was possible. After registering an account, exploration revealed a repository containing a Jenkinsfile. Attention then shifted to the open RSYNC service, which exposed a Jenkins backup archive (jenkins.tar.gz). This archive was downloaded and unpacked. Within the backup, an encrypted Jenkins password was found in configuration files (config.xml), along with necessary decryption keys (master.key, hudson.util.Secret). Using a publicly available script, the password was decrypted offline, revealing credentials for the buildadm user. These credentials granted authenticated access back into the Gitea instance. Exploitation proceeded by modifying the previously discovered Jenkinsfile within Gitea to include a reverse shell payload. Committing this change triggered the Jenkins pipeline, resulting in initial access as the root user within a Docker container. Post-exploitation within the container identified internal network routes and services, including a MariaDB database accessible via the container’s gateway IP. Lateral movement involved setting up a network pivot using Chisel to tunnel traffic from the attacker machine through the compromised container to the internal network. This allowed connection to the MariaDB service, which contained a powerdnsadmin database. Credentials (username admin and a bcrypt hash) for the PowerDNS-Admin service were found within this database. The hash was cracked offline, yielding the password. Using the cracked credentials and the pivot, the attacker accessed the PowerDNS-Admin web interface running on an internal IP. Privilege escalation was achieved by leveraging administrative access to PowerDNS-Admin to perform DNS poisoning, specifically altering the ‘A’ record for admin.build.vl (a hostname found listed in a .rhosts file discovered within the container) to point to the attacker’s IP address. This configuration, combined with the insecure .rhosts file on the target host which allowed passwordless root login from admin.build.vl, enabled the attacker to gain root access on the host machine via RSH.
Synopsis: # POV, a medium machine on HackTheBox, was vulnerable to Local File Inclusion (LFI) through the “cv download” option. This LFI allowed for the disclosure of the “web.config” file, which in turn exposed the validation key for ASP pages. By manipulating the __VIEWSTATE payload using the validation key, attackers achieved Remote Code Execution (RCE) on the machine. Further exploration within the “sfitz” user’s documents folder revealed a “connection.xml” file containing credentials for another user, “alaading.” After escalating privileges to “alaading,” the attacker discovered the “sedebugprivilege,” which was subsequently exploited to gain complete control over the host.
Synopsis: # Cozy hosting is a project hosting service web app hosted on nginx 1.18.0. From directory busting a few endpoints were discovered which disclosed a user’s session cookie via replacing the session cookie the attacker logged in the /admin endpoint. And in that page there was a functionality to check for live hosts using SSH which found out to be vulnerable to OS Command Injection. By exploiting that vulnerability the attacker gained the initial foothold and landed as the user apps. From the /apps directory a java archive was found upon decompiling the archive file the postgres user’s password was found which was later used to login into the database, from the database the admin user’s password hash was captured and got cracked via hashcat later. Using the cracked hash it was possible to login on behalf of the user josh via SSH. After landing on the host as the user josh it was found out that the user could run SSH with sudo privilege which lead to sudo abuse and the host got compromised completely.
Synopsis: # Keeper is a Linux easy machine that hosts the Request Ticket (RT 4.4.4) web application. A password for the user lnorgaard was found in the web application, which was then used to log into the host via SSH. Upon logging in as lnorgaard, a zip file for the KeePass application was found. Unzipping the file revealed a dump file and a database file. The KeePass dump files are vulnerable to CVE-2023–32784, which allows an attacker to dump the master password. After cracking the database file, a PuTTY key was found. This key was then converted into an SSH key, which allowed the attacker to compromise the entire host.
Synopsis: # MonitorsTwo is an easy-to-hack Linux machine that is vulnerable to the CVE-2022–46169 vulnerability. This vulnerability allows an attacker to execute arbitrary code on a server running Cacti. After exploiting this vulnerability, it was found that the Cacti web app was running in a Docker container.
Synopsis: # On the host Busqueda a vulnerable web app was running, by exploiting the web app’s query parameter the attacker gained RCE & the initial foothold. The attacker then enumerated the system and compromised the password for the cody user, which was reused for the user svc account. The attacker also discovered a new virtual host (VHOST) where a self-hosted Git service was running. Using the sudo privileges of the svc user, the attacker was able to dump the configuration files of running Docker containers, which led to the compromise of a few additional user passwords. The attacker then logged into the administrator’s Git account and found a number of scripts. One of these scripts, named full-checkup.sh, did not have its full path specified. The attacker abused this oversight by creating a file named full-checkup.sh in the /tmp directory that contained a reverse shell. This allowed the attacker to gain complete control of the host.
Synopsis: # The Agile HTB Linux machine hosted a password manager that was vulnerable to IDOR and LFI. An attacker could exploit the IDOR to obtain the user corum’s SSH password and exploit the LFI to disclose the source code and other confidential files. Upon landing on the host, an attacker could build a SSH local port forwarding to find a test web application. The test web application was not significantly different from the main application, but it was vulnerable to the same IDOR vulnerability. By exploiting this vulnerability, an attacker could find a pair of credentials for the user edwards. The user edwards was able to run sudoedit commands only as the user “dev_admin” on two files. The host was also vulnerable to CVE-2023–22809, which could be exploited to add a reverse shell to the app/venv/bin/activate file and compromise the host.
Synopsis: # Traverxec is a HTB machine that hosted an outdated Nostromo web server which was vulnerable to RCE. An attacker could gain a foothold on the machine by exploiting this vulnerability and then laterally move to the user david by inspecting the web config file. A bash script in the user’s home directory revealed that the user could execute journalctl as root. This could be used to escalate privilege and gain full control of the machine.
Synopsis: # Sau is a Linux machine that focused on some recently exposed CVEs and security misconfigurations. The first step was to exploit a vulnerable REST API through SSRF to access an internal malicious traffic detection system running a web service. The login page of that web service was vulnerable to OS command injection. RCE was gained by exploiting this vulnerability, and privileges were escalated by abusing the puma user’s permissions.
