Blog

I post my Hackthebox writeups and other InfoSec findings here. In total, I've written 16 articles on my blog.

All Posts

Hackthebox Mentor Writeup

Hackthebox released a new machine called Mentor. On this machine, we first enumerate a new vhost, which exposes the API documentation listing all the endpoints. From there we find a command injection and get a reverse shell, find the database credentials, dump the hashes from the database, and get the user password from the SNMP config files. For root, we have permission to execute the sh binary.

Hackthebox Precious Writeup

Hackthebox released a new machine called Precious. On this machine, we first find a web service that converts a web page to a PDF, which is vulnerable to command injection. Using that, we get a reverse shell, and for privilege escalation we get code execution through a YAML deserialization attack.

Hackthebox Metatwo Writeup

Hackthebox released a new machine called Metatwo. On this machine, we find a WordPress server where one of the plugins is vulnerable to unauthenticated SQL injection. Using that, we get the wp-admin user's password; after logging in to the admin panel, we abuse the file upload functionality to get the FTP credentials, use those to get the user credentials through FTP, and for root we crack a PGP private key block.

Hackthebox Awkward Writeup

Hackthebox released a new machine called Awkward. On this machine, we find a web server with a JS file that gives us a route; manipulating the token gives access to the dashboard and also reveals the API endpoints, which give the user info and an SSRF. Through the SSRF we get the bean user. After that, we abuse the sed command to get the www-data user, and then for root we abuse the mail command.

Hackthebox Photobomb Writeup

Hackthebox released a new machine called Photobomb. On this machine, we find a web server with a JS file that gives us the username and password for the protected route. We then abuse the filetype parameter to get a reverse shell as photobomb, and for privilege escalation we use a path traversal to get a root shell.

Hackthebox Routerspace Writeup

Hackthebox released a new machine called Routerspace. On this machine, we get an APK file on port 80; after analyzing the APK, we find a new endpoint that is vulnerable to RCE, and we get a shell through that RCE. For privilege escalation, the sudo version is vulnerable to the well-known CVE-2021-3156.

Hackthebox Undetected Writeup

Hackthebox released a new machine called Undetected. On this machine, we find an info file that gets us a password, and a vendor directory reveals PHPUnit, which is vulnerable to CVE-2017-9841; through that we get a reverse shell. For user, we use the password we cracked earlier to get the steven user, and for privilege escalation we need to reverse engineer the sshd binary to get the root password.

Hackthebox Paper Writeup

Hackthebox released a new machine called Paper. On this machine, port 80 first leaks a new vhost called office.paper in the X-Backend-Server response header. After that, the WordPress version is vulnerable to Unauthenticated View Private/Draft Posts, and we already have a hint in nick's comment. Using the vulnerability, we read the draft message, which leaks another vhost; we register ourselves there, find a directory path traversal, get the .env secret, and log in through SSH. For privilege escalation, we run linpeas, which leads us to CVE-2021-3560.

Hackthebox Timing Writeup

Hackthebox released a new machine called Timing. On this machine, we first need to find an LFI with some fuzzing. Through the LFI we dump the source code of the files, get useful information, and get into the admin panel. Through the admin panel we upload images, abusing that function to get RFI, and dump the git directory to find an old password and get an SSH session. After that, we abuse netutils to overwrite authorized_keys.

Hackthebox Backdoor Writeup

On this machine, we need to exploit the WordPress plugin called ebook-download to read files inside the server, and we find a gdbserver process running on port 1337. We exploit that to get a reverse shell as the user, and for privesc we abuse GNU Screen 4.5.0 to get root.

Hackthebox Secret Writeup

Hackthebox released a new machine called Secret. On this machine, we need to analyze a lot of code and find a hard-coded JWT secret, then abuse that JWT secret to get a reverse shell. Privesc is a bit tricky: we need to crash an application running as root and get root's id_rsa from the core dump file.

Hackthebox Devzat Writeup

Hackthebox released a new machine called Devzat. On this machine, we need to analyze a lot of code and find a species field that is passed directly, without any filtering, into an exec command; we use that to get a reverse shell. After that, we find a service on port 8086 running the InfluxDB HTTP admin, and use that to get the catherine user's password. We then find two different zip files; after extracting them, they are similar to each other, but new functionality is added in one, and we use that functionality to get root's id_rsa.

Hackthebox Driver Writeup

Hackthebox released a new machine called Driver. On this machine, we have permission to upload a Firmware Update, and we abuse that permission with an SMB share SCF file attack to get the hash of the tony user. We crack that hash and log in with his account using evil-winrm, and for privesc I use the PrintNightmare LPE exploit to create a user as administrator and log in with that user using evil-winrm.

Hackthebox Forge Writeup

Hackthebox released a new machine called Forge. On this machine, we need to abuse an upload-from-URL functionality to access a subdomain page, and from there we get the credentials for the FTP user. We use those to view the files inside the FTP server and get the user's id_rsa, and for privesc we need to crash a Python file, drop into pdb mode, and get a root shell.

Hackthebox Horizontall Writeup

Hackthebox released a new machine called Horizontall. On this machine, we need to abuse the forgot password functionality to reset the admin password. After logging in to the admin panel, we find a vulnerable version of Strapi and exploit that to get a reverse shell back. Inside the machine I found a hidden service running a vulnerable version of Laravel, and we exploit that to get a root shell.

Hackthebox Static Writeup

Hackthebox released a new machine called Static. On this machine, we first need to fix a gz-format file; after fixing that file, we get the credentials for the login page. After that, we find a bunch of VPN files to download; we download one, fix that file, and connect to the VPN. We then reach another page running PHP Xdebug, which we exploit to get a reverse shell. A hidden service is running on the server; we port-forward it, find a vulnerable version of PHP-FPM running, exploit that to get a shell as the user, and find a binary running as root, which we exploit to get root.