Synopsis: # The engagement of the HTB x VL box Lock began with the discovery of an open Gitea service on TCP port 3000. An anonymous exploration of this service revealed a public code repository containing a Python script. Analysis of the script’s commit history uncovered a hardcoded Gitea personal access token. This token was leveraged to discover and clone a private ‘website’ repository, whose README file indicated a CI/CD pipeline was in place for automatic deployment to a webserver. By committing and pushing an ASP. NET web shell to this repository, the CI/CD pipeline was abused to gain initial code execution on the underlying webserver. A reverse shell was then established, granting access as the user ellen.freeman. Post-exploitation enumeration uncovered an mRemoteNG configuration file containing an encrypted password for a second user, Gale.Dekarios. After decrypting the password, the researcher performed lateral movement by logging in as this user via RDP. Further investigation on the new desktop revealed a vulnerable version of PDF 24 Creator (11.15.1), which was exploited through a flaw in its MSI installer service to escalate privileges to NT AUTHORITY\SYSTEM.
Synopsis: # Shibuya, a challenging hard-rated HTB x Vulnlab Active Directory box, requires a multi-stage attack chain involving credential harvesting, session hijacking, and a critical Active Directory Certificate Services (ADCS) misconfiguration. The initial foothold is gained by enumerating domain users via Kerberos and discovering a weak password for one user. This access is quickly leveraged to find a service account’s plaintext password stored in its user description, granting access to a critical SMB share. Inside the share, a Windows Imaging (.wim) file contains cached domain credentials for another user. By extracting the necessary registry hives from this image, a hash is recovered and used to reset the user’s password, enabling lateral movement to an interactive shell on the domain controller via SSH. Privilege escalation is a two-step process: first, a Cross-Session Relay attack is performed to capture and crack the hash of a high-privileged user with an active session. With these new credentials, the final pivot is made by exploiting a vulnerable ADCS certificate template (ESC1) to request a certificate as a domain administrator, ultimately yielding the administrator’s NT hash and achieving full domain compromise.
Synopsis: # The Retro machine from HTB x Vulnlab was a Windows Active Directory Domain Controller. Initial access was gained by leveraging anonymous SMB enumeration and weak credentials for a ‘trainee’ user. Post-exploitation involved discovering clues in text files, leading to the compromise of a machine account (‘BANKING$’) by guessing its password and then resetting it. This access was then pivotal for privilege escalation via an Active Directory Certificate Services (AD CS) misconfiguration (ESC1), allowing the attacker to request a certificate as the Domain Administrator, ultimately leading to full administrative control over the domain controller.
Synopsis: # POV, a medium machine on HackTheBox, was vulnerable to Local File Inclusion (LFI) through the “cv download” option. This LFI allowed for the disclosure of the “web.config” file, which in turn exposed the validation key for ASP pages. By manipulating the __VIEWSTATE payload using the validation key, attackers achieved Remote Code Execution (RCE) on the machine. Further exploration within the “sfitz” user’s documents folder revealed a “connection.xml” file containing credentials for another user, “alaading.” After escalating privileges to “alaading,” the attacker discovered the “sedebugprivilege,” which was subsequently exploited to gain complete control over the host.
