Ready - Hack The Box
Ready was a pretty straighforward box to get an initial shell on: We identify that’s it running a vulnerable instance of Gitlab and we use an exploit against...
Posts by Tag
- linux 24
- php 24
- sqli 18
- unintended 11
- command injection 11
- windows 9
- winrm 8
- slae 7
- assembly 7
- hackthebox 7
- cronjob 7
- python 7
- ad 6
- ssh 6
- mysql 6
- ldap 5
- suid 5
- cve 5
- lfi 5
- vhosts 5
- sudo 5
- containers 4
- powershell 4
- ctf 4
- buffer overflow 4
- xss 4
- waf 4
- ftp 4
- smb 4
- sqlite 4
- git 4
- bloodhound 4
- password spray 4
- api 3
- metasploit 3
- enumeration 3
- reversing 3
- flask 3
- port forward 3
- postgresql 3
- deserialization 3
- ipv6 3
- crypto 3
- gogs 3
- docker 3
- crackmapexec 3
- egghunter 2
- encoding 2
- binary exploit 2
- kerberos 2
- capabilities 2
- lxc 2
- pass-the-hash 2
- efs 2
- snmp 2
- mitm 2
- easy 2
- firewall 2
- pivoting 2
- nss 2
- keepass 2
- ntfs ads 2
- john 2
- password cracking 2
- asp 2
- pdf 2
- meterpreter 2
- port forwarding 2
- kerberoasting 2
- responder 2
- screen 2
- mssql 2
- impacket 2
- fuzzing 2
- dns 2
- injection 2
- otp 2
- openssl 2
- nfs 2
- luks 2
- mimikatz 2
- vhost 2
- sqlmap 2
- vim 2
- jwt 2
- upload 2
- centreon 2
- bruteforce 2
- gitlab 2
- javascript 2
- rsync 2
- dcsync 2
- gtfobins 2
- race condition 2
- hashcat 2
- plaintext creds 2
- ssrf 2
- asrep 2
- powerview 2
- lua 2
- memcache 2
- backup operators 2
- tcp bind shellcode 1
- tcp reverse shellcode 1
- drupal 1
- polymorphic 1
- crypter 1
- go 1
- ssti 1
- wsl 1
- csrf 1
- openbsd 1
- ca 1
- zabbix 1
- telnet 1
- access 1
- outlook 1
- credential manager 1
- ms-dos 1
- dns exfiltration 1
- rotten potato 1
- networking 1
- bgp 1
- esoteric language 1
- rop 1
- binary exploitation 1
- joomla 1
- cron 1
- openvpn 1
- gpg 1
- pgsql 1
- moodle 1
- tar 1
- stego 1
- exploit development 1
- asm 1
- nginx 1
- insane 1
- caps 1
- tcpdump 1
- ipsec 1
- vpn 1
- rotten tomato 1
- wordpress 1
- weak credentials 1
- LaTeX 1
- firefox 1
- saved credentials 1
- scf 1
- apache 1
- kernel exploit 1
- helpdeskz 1
- smtp 1
- exploit 1
- tamper script 1
- weak ssh keys 1
- hardcoded credentials 1
- gpp 1
- prtg 1
- nishang 1
- config backups 1
- gophish 1
- alpc 1
- regeorg 1
- proxychains 1
- smbmap 1
- axfr 1
- secureid 1
- 7zip 1
- vsftpd 1
- certificates 1
- ssh rsa auth 1
- psysh 1
- nodejs 1
- certificate 1
- pgadmin 1
- java 1
- readpst 1
- ServiceDesk 1
- incognito 1
- tokens 1
- xxe 1
- evtx 1
- windows logs 1
- 2nd order injection 1
- uinitrd 1
- apt 1
- swapfile 1
- sftp 1
- web 1
- symlink 1
- mremoteng 1
- backup 1
- ajenti 1
- json 1
- jail escape 1
- magento 1
- vi 1
- zipslip 1
- cms 1
- elasticsearch 1
- ctf-like 1
- logstash 1
- kibana 1
- CVE-2018-17246 1
- systemd 1
- double extension 1
- smart contract 1
- ethereum 1
- ipfs 1
- hidden 1
- bmap 1
- cisco 1
- hashes 1
- creds spray 1
- rpcclient 1
- procdump 1
- memory forensics 1
- CVE-2019-13024 1
- kernel module 1
- re 1
- vault 1
- eval 1
- obfuscated 1
- codiad 1
- ffmpeg 1
- lshell 1
- openssh xauth 1
- pspy 1
- php deserialization 1
- tts 1
- jdwp 1
- websockets 1
- yara 1
- usosvc 1
- libreoffice 1
- macros 1
- ods 1
- CVE-2018-20253 1
- juicy potato 1
- dnspy 1
- ssfr 1
- brute force 1
- redis 1
- webmin 1
- aclpwn 1
- rfi 1
- plink 1
- chm 1
- registry 1
- restic 1
- nostromo 1
- journalctl 1
- mango 1
- nosql 1
- jjs 1
- x-forwarded-for 1
- services 1
- opennetadmin 1
- db creds 1
- custom webserver 1
- rid cycling 1
- creds in plaintext 1
- endgame 1
- ds_store 1
- iis shortname 1
- linked servers 1
- mssql python 1
- kerberoast 1
- azure ad 1
- ltrace 1
- ssh keys 1
- logrotate 1
- bash_completion.d 1
- kerbrute 1
- secretsdump 1
- vnc 1
- tombstone 1
- oauth 1
- dbus 1
- uwsgi 1
- webshell 1
- update-motd.d 1
- path hijack 1
- quic 1
- esi 1
- xslt 1
- umbraco 1
- teamviewer 1
- gopher 1
- viminfo 1
- keccak 1
- vs code 1
- chisel 1
- server operators 1
- gobuster 1
- rogue mysql 1
- setenv 1
- lsass 1
- pypykatz 1
- usodllloader 1
- client-side validation 1
- openemr 1
- memcached 1
- bludit cms 1
- wordlist 1
- cewl 1
- minecraft 1
- pcap 1
- amqp 1
- rabbitmq 1
- smbpasswd 1
- print operators 1
- capcom 1
- tomcat 1
- zip 1
- password re-use 1
- lxd 1
- hash length extension 1
- path traversal 1
- file upload 1
- cloudme sync 1
- encfs 1
- squid 1
- xpath 1
- CVE-2020-11108 1
- privileged container 1
- osticket 1
- mattermost 1
- rules 1
linux
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
Wall - Hack The Box
Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
Safe - Hack The Box
Safe was a bit of a surprise because I didn’t expect a 20 points box to start with a buffer overflow requiring ropchains. The exploit is pretty straightforwa...
Writeup - Hack The Box
Writeup starts off easy with an unauthenticated vulnerability in CMS Made Simple that I exploit to dump the database credentials. After cracking the user has...
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
Swagshop - Hack The Box
SwagShop is one of those easy boxes where you can pop a shell just by using public exploits. It’s running a vulnerable Magento CMS on which we can create an ...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
Help - Hack The Box
Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors o...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
Vault - Hack The Box
This is the writeup for Vault, a machine with pivoting across different network segments.
Zipper - Hack The Box
This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.
Oz - Hack The Box
This blog post is a writeup of the Oz machine from Hack the Box.
Mischief - Hack The Box
This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.
Waldo - Hack The Box
Linux / 10.10.10.87
php
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
Traceback - Hack The Box
Traceback was an easy box where you had to look for an existing webshell on the box, then use it to get the initial foothold. Then there was some typical sud...
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
Control - Hack The Box
Control runs a vulnerable PHP web application that controls access to the admin page by checking the X-Forwarded-For HTTP header. By adding the X-Forwarded-F...
Sniper - Hack The Box
Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Luke - Hack The Box
Luke is a easy machine that doesn’t have a lot steps but we still learn a few things about REST APIs like how to authenticate to the service and get a JWT to...
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Help - Hack The Box
Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors o...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
Vault - Hack The Box
This is the writeup for Vault, a machine with pivoting across different network segments.
Curling - Hack The Box
This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
Waldo - Hack The Box
Linux / 10.10.10.87
sqli
Intense - Hack The Box
Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
Control - Hack The Box
Control runs a vulnerable PHP web application that controls access to the admin page by checking the X-Forwarded-For HTTP header. By adding the X-Forwarded-F...
Bankrobber - Hack The Box
Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...
Zetta - Hack The Box
Zetta is another amazing box by jkr. The first part was kinda tricky because you had to pay attention to the details on the webpage and spot the references t...
AI - Hack The Box
Exploiting the simple SQL injection vulnerability on the AI box was harder than expected because of the text-to-speech conversion required. I had to use a fe...
Smasher2 - Hack The Box
Just its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
Writeup - Hack The Box
Writeup starts off easy with an unauthenticated vulnerability in CMS Made Simple that I exploit to dump the database credentials. After cracking the user has...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
Giddy - Hack The Box
This is the writeup for Giddy, a Windows machine with an interesting twist on SQL injection, PowerShell Web Access and a priv exploiting improper permissions.
Secnotes - Hack The Box
This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.
Oz - Hack The Box
This blog post is a writeup of the Oz machine from Hack the Box.
unintended
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
OpenAdmin - Hack The Box
OpenAdmin is an easy box that starts with using an exploit for the OpenNetAdmin software to get initial RCE. Then we get credentials from the database config...
Registry - Hack The Box
This writeup is outdated and the attack path presented for user bolt has been patched. Initially once we pivoted from the bolt user to www-data we could run ...
Sniper - Hack The Box
Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...
JSON - Hack The Box
To get remote code execution on JSON, I exploited a deserialization vulnerability in the web application using the Json.net formatter. After getting a shell ...
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
Bitlab - Hack The Box
I solved this gitlab box the unintended way by exploiting the git pull command running as root and using git post-merge hooks to execute code as root. I was ...
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
Arkham - Hack The Box
Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...
Ethereal - Hack The Box
This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the ...
Mischief - Hack The Box
This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.
command injection
Unbalanced - Hack The Box
To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...
Obscurity - Hack The Box
The Obscurity box has a vulnerable Python web application running. After finding the source code from a secret directory we find that the exec call can be co...
Bankrobber - Hack The Box
Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
Ethereal - Hack The Box
This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the ...
windows
Buff - Hack The Box
Buff is pretty straightforward: Use a public exploit against the Gym Management System, then get RCE. Do some port-forwarding, then use another exploit (buff...
Bastion - Hack The Box
Bastion was an easy box where we had to find an open SMB share that contained a Windows backup. Once we mounted the disk image file, we could recover the sys...
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
Access - Hack The Box
This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.
Secnotes - Hack The Box
This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.
winrm
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
Monteverde - Hack The Box
Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...
Sniper - Hack The Box
Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
slae
Creating a custom shellcode crypter
For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designe...
Polymorphic Linux Shellcode
This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.
Msfvenom shellcode analysis
This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.
Custom shellcode encoder
A shellcode encoder can be used for different purposes such as modify an existing shellcode to make it harder to detect by AV engines or simply avoid bad cha...
Egghunter Linux Shellcode
An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the s...
TCP reverse shellcode
A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially usefu...
TCP bind shellcode
A bind shellcode listens on a socket, waiting for a connection to be made to the server then executes arbitrary code, typically spawning shell for the connec...
assembly
Creating a custom shellcode crypter
For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designe...
Polymorphic Linux Shellcode
This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.
Msfvenom shellcode analysis
This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.
Custom shellcode encoder
A shellcode encoder can be used for different purposes such as modify an existing shellcode to make it harder to detect by AV engines or simply avoid bad cha...
Egghunter Linux Shellcode
An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the s...
TCP reverse shellcode
A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially usefu...
TCP bind shellcode
A bind shellcode listens on a socket, waiting for a connection to be made to the server then executes arbitrary code, typically spawning shell for the connec...
hackthebox
Secnotes - Hack The Box
This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.
Oz - Hack The Box
This blog post is a writeup of the Oz machine from Hack the Box.
Mischief - Hack The Box
This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.
Waldo - Hack The Box
Linux / 10.10.10.87
Active - Hack The Box
Windows / 10.10.10.100
Hawk - Hack The Box
Linux / 10.10.10.102
Smasher - Hack The Box
Linux / 10.10.10.89
cronjob
Book - Hack The Box
I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...
python
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
Craft - Hack The Box
Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...
Smasher2 - Hack The Box
Just its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
ad
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
Monteverde - Hack The Box
Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...
Forest - Hack The Box
Forest is a nice easy box that go over two Active Directory misconfigurations / vulnerabilities: Kerberos Pre-Authentication (disabled) and ACLs misconfigura...
Active - Hack The Box
Windows / 10.10.10.100
ssh
Postman - Hack The Box
Postman was a somewhat frustrating box because we had to find the correct user directory where to write our SSH key using the unprotected Redis instance. I e...
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
Ypuffy - Hack The Box
This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.
mysql
Delivery - Hack The Box
Delivery is a quick and fun easy box where we have to create a MatterMost account and validate it by using automatic email accounts created by the OsTicket a...
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
Control - Hack The Box
Control runs a vulnerable PHP web application that controls access to the admin page by checking the X-Forwarded-For HTTP header. By adding the X-Forwarded-F...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...
ldap
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
Cascade - Hack The Box
Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attibute then enum...
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
Lightweight - Hack The Box
Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP ses...
Ypuffy - Hack The Box
This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.
suid
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
Irked - Hack The Box
Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials f...
Zipper - Hack The Box
This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.
cve
Ready - Hack The Box
Ready was a pretty straighforward box to get an initial shell on: We identify that’s it running a vulnerable instance of Gitlab and we use an exploit against...
Buff - Hack The Box
Buff is pretty straightforward: Use a public exploit against the Gym Management System, then get RCE. Do some port-forwarding, then use another exploit (buff...
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
Irked - Hack The Box
Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials f...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
lfi
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
vhosts
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
sudo
Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
Swagshop - Hack The Box
SwagShop is one of those easy boxes where you can pop a shell just by using public exploits. It’s running a vulnerable Magento CMS on which we can create an ...
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
containers
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
Oz - Hack The Box
This blog post is a writeup of the Oz machine from Hack the Box.
Mischief - Hack The Box
This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.
powershell
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Netmon - Hack The Box
I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory....
Giddy - Hack The Box
This is the writeup for Giddy, a Windows machine with an interesting twist on SQL injection, PowerShell Web Access and a priv exploiting improper permissions.
ctf
Irked - Hack The Box
Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials f...
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...
Curling - Hack The Box
This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.
Frolic - Hack The Box
This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
buffer overflow
Buff - Hack The Box
Buff is pretty straightforward: Use a public exploit against the Gym Management System, then get RCE. Do some port-forwarding, then use another exploit (buff...
Bankrobber - Hack The Box
Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...
Safe - Hack The Box
Safe was a bit of a surprise because I didn’t expect a 20 points box to start with a buffer overflow requiring ropchains. The exploit is pretty straightforwa...
Frolic - Hack The Box
This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
xss
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
Book - Hack The Box
I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...
Bankrobber - Hack The Box
Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
waf
Smasher2 - Hack The Box
Just its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...
Wall - Hack The Box
Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
ftp
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
Luke - Hack The Box
Luke is a easy machine that doesn’t have a lot steps but we still learn a few things about REST APIs like how to authenticate to the service and get a JWT to...
Netmon - Hack The Box
I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory....
smb
Cascade - Hack The Box
Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attibute then enum...
Bastion - Hack The Box
Bastion was an easy box where we had to find an open SMB share that contained a Windows backup. Once we mounted the disk image file, we could recover the sys...
Arkham - Hack The Box
Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
sqlite
Intense - Hack The Box
Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
git
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
Bitlab - Hack The Box
I solved this gitlab box the unintended way by exploiting the git pull command running as root and using git post-merge hooks to execute code as root. I was ...
Craft - Hack The Box
Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
bloodhound
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
Resolute - Hack The Box
We start Resolute with enumeration of the domain user accounts using an anonymous bind session to the LDAP server and find an initial password in the descrip...
Forest - Hack The Box
Forest is a nice easy box that go over two Active Directory misconfigurations / vulnerabilities: Kerberos Pre-Authentication (disabled) and ACLs misconfigura...
password spray
Fuse - Hack The Box
To solve Fuse, we’ll do some enumeration to gather potential usernames from the print jobs information then build a password list from the strings on the web...
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
Monteverde - Hack The Box
Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...
Resolute - Hack The Box
We start Resolute with enumeration of the domain user accounts using an anonymous bind session to the LDAP server and find an initial password in the descrip...
api
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
Craft - Hack The Box
Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...
Zipper - Hack The Box
This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.
metasploit
Remote - Hack The Box
Remote is a beginner’s box running a vulnerable version of the Umbraco CMS which can be exploited after we find the credentials from an exposed share. After ...
Irked - Hack The Box
Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials f...
Frolic - Hack The Box
This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
enumeration
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...
reversing
Cascade - Hack The Box
Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attibute then enum...
JSON - Hack The Box
To get remote code execution on JSON, I exploited a deserialization vulnerability in the web application using the Json.net formatter. After getting a shell ...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
flask
Intense - Hack The Box
Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
port forward
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
postgresql
Zetta - Hack The Box
Zetta is another amazing box by jkr. The first part was kinda tricky because you had to pay attention to the details on the webpage and spot the references t...
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
deserialization
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
JSON - Hack The Box
To get remote code execution on JSON, I exploited a deserialization vulnerability in the web application using the Json.net formatter. After getting a shell ...
Arkham - Hack The Box
Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...
ipv6
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
Zetta - Hack The Box
Zetta is another amazing box by jkr. The first part was kinda tricky because you had to pay attention to the details on the webpage and spot the references t...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
crypto
Cascade - Hack The Box
Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attibute then enum...
Mini WebSocket CTF
During the holidays, @stackfault (sysop from the BottomlessAbyss BBS) ran a month long CTF with challenges being released every couple of days. Some of chall...
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
gogs
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Craft - Hack The Box
Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
docker
Ready - Hack The Box
Ready was a pretty straighforward box to get an initial shell on: We identify that’s it running a vulnerable instance of Gitlab and we use an exploit against...
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
Registry - Hack The Box
This writeup is outdated and the attack path presented for user bolt has been patched. Initially once we pivoted from the bolt user to www-data we could run ...
crackmapexec
Fuse - Hack The Box
To solve Fuse, we’ll do some enumeration to gather potential usernames from the print jobs information then build a password list from the strings on the web...
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
Monteverde - Hack The Box
Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...
egghunter
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
Egghunter Linux Shellcode
An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the s...
encoding
Msfvenom shellcode analysis
This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.
Custom shellcode encoder
A shellcode encoder can be used for different purposes such as modify an existing shellcode to make it harder to detect by AV engines or simply avoid bad cha...
binary exploit
Safe - Hack The Box
Safe was a bit of a surprise because I didn’t expect a 20 points box to start with a buffer overflow requiring ropchains. The exploit is pretty straightforwa...
Smasher - Hack The Box
Linux / 10.10.10.89
kerberos
Forest - Hack The Box
Forest is a nice easy box that go over two Active Directory misconfigurations / vulnerabilities: Kerberos Pre-Authentication (disabled) and ACLs misconfigura...
Active - Hack The Box
Windows / 10.10.10.100
capabilities
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Waldo - Hack The Box
Linux / 10.10.10.87
lxc
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
Mischief - Hack The Box
This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.
pass-the-hash
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
Ypuffy - Hack The Box
This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.
efs
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Ethereal - Hack The Box
This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the ...
snmp
Intense - Hack The Box
Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
mitm
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
easy
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
Curling - Hack The Box
This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.
firewall
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
Vault - Hack The Box
This is the writeup for Vault, a machine with pivoting across different network segments.
pivoting
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Vault - Hack The Box
This is the writeup for Vault, a machine with pivoting across different network segments.
nss
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
keepass
Safe - Hack The Box
Safe was a bit of a surprise because I didn’t expect a 20 points box to start with a buffer overflow requiring ropchains. The exploit is pretty straightforwa...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
ntfs ads
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
john
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
Lightweight - Hack The Box
Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP ses...
password cracking
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
Lightweight - Hack The Box
Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP ses...
asp
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
Conceal - Hack The Box
Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerati...
Book - Hack The Box
I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...
Chaos - Hack The Box
Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...
meterpreter
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
port forwarding
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
kerberoasting
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
responder
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
screen
Wall - Hack The Box
Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
mssql
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
impacket
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
fuzzing
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
dns
Resolute - Hack The Box
We start Resolute with enumeration of the domain user accounts using an anonymous bind session to the LDAP server and find an initial password in the descrip...
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
injection
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
otp
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
openssl
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
nfs
Remote - Hack The Box
Remote is a beginner’s box running a vulnerable version of the Umbraco CMS which can be exploited after we find the credentials from an exposed share. After ...
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
luks
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
Arkham - Hack The Box
Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...
mimikatz
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
vhost
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
sqlmap
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
vim
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
jwt
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
Luke - Hack The Box
Luke is a easy machine that doesn’t have a lot steps but we still learn a few things about REST APIs like how to authenticate to the service and get a JWT to...
upload
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
centreon
Wall - Hack The Box
Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...
Wall - Hack The Box
Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...
bruteforce
Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...
Smasher2 - Hack The Box
Just its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...
gitlab
Ready - Hack The Box
Ready was a pretty straighforward box to get an initial shell on: We identify that’s it running a vulnerable instance of Gitlab and we use an exploit against...
Bitlab - Hack The Box
I solved this gitlab box the unintended way by exploiting the git pull command running as root and using git post-merge hooks to execute code as root. I was ...
javascript
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
Bitlab - Hack The Box
I solved this gitlab box the unintended way by exploiting the git pull command running as root and using git post-merge hooks to execute code as root. I was ...
rsync
Unbalanced - Hack The Box
To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...
Zetta - Hack The Box
Zetta is another amazing box by jkr. The first part was kinda tricky because you had to pay attention to the details on the webpage and spot the references t...
dcsync
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
Forest - Hack The Box
Forest is a nice easy box that go over two Active Directory misconfigurations / vulnerabilities: Kerberos Pre-Authentication (disabled) and ACLs misconfigura...
gtfobins
OpenAdmin - Hack The Box
OpenAdmin is an easy box that starts with using an exploit for the OpenNetAdmin software to get initial RCE. Then we get credentials from the database config...
Traverxec - Hack The Box
Sometimes you need a break from the hard boxes that take forever to pwn. Traverxec is an easy box that start with a custom vulnerable webserver with an unaut...
race condition
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
Obscurity - Hack The Box
The Obscurity box has a vulnerable Python web application running. After finding the source code from a secret directory we find that the exec call can be co...
hashcat
Delivery - Hack The Box
Delivery is a quick and fun easy box where we have to create a MatterMost account and validate it by using automatic email accounts created by the OsTicket a...
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
plaintext creds
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
Monteverde - Hack The Box
Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...
ssrf
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
asrep
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
powerview
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
lua
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Traceback - Hack The Box
Traceback was an easy box where you had to look for an existing webshell on the box, then use it to get the initial foothold. Then there was some typical sud...
memcache
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
backup operators
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
tcp bind shellcode
TCP bind shellcode
A bind shellcode listens on a socket, waiting for a connection to be made to the server then executes arbitrary code, typically spawning shell for the connec...
tcp reverse shellcode
TCP reverse shellcode
A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially usefu...
drupal
Hawk - Hack The Box
Linux / 10.10.10.102
polymorphic
Polymorphic Linux Shellcode
This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.
crypter
Creating a custom shellcode crypter
For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designe...
go
Creating a custom shellcode crypter
For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designe...
ssti
Oz - Hack The Box
This blog post is a writeup of the Oz machine from Hack the Box.
wsl
Secnotes - Hack The Box
This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.
csrf
Secnotes - Hack The Box
This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.
openbsd
Ypuffy - Hack The Box
This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.
ca
Ypuffy - Hack The Box
This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.
zabbix
Zipper - Hack The Box
This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.
telnet
Access - Hack The Box
This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.
access
Access - Hack The Box
This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.
outlook
Access - Hack The Box
This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.
credential manager
Access - Hack The Box
This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.
ms-dos
Ethereal - Hack The Box
This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the ...
dns exfiltration
Ethereal - Hack The Box
This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the ...
rotten potato
Ethereal - Hack The Box
This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintented rotten potato method before the box was patched by the ...
networking
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
bgp
Carrier - Hack The Box
This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.
esoteric language
Frolic - Hack The Box
This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
rop
Frolic - Hack The Box
This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
binary exploitation
Frolic - Hack The Box
This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.
joomla
Curling - Hack The Box
This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.
cron
Curling - Hack The Box
This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.
openvpn
Vault - Hack The Box
This is the writeup for Vault, a machine with pivoting across different network segments.
gpg
Vault - Hack The Box
This is the writeup for Vault, a machine with pivoting across different network segments.
pgsql
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...
moodle
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...
tar
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...
stego
Irked - Hack The Box
Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials f...
exploit development
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
asm
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
nginx
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
insane
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...
caps
Lightweight - Hack The Box
Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP ses...
tcpdump
Lightweight - Hack The Box
Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP ses...
ipsec
Conceal - Hack The Box
Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerati...
vpn
Conceal - Hack The Box
Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerati...
rotten tomato
Conceal - Hack The Box
Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerati...
wordpress
Chaos - Hack The Box
Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...
weak credentials
Chaos - Hack The Box
Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...
LaTeX
Chaos - Hack The Box
Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...
firefox
Chaos - Hack The Box
Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...
saved credentials
Chaos - Hack The Box
Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...
scf
Sizzle - Hack The Box
Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...
apache
Help - Hack The Box
Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors o...
kernel exploit
Help - Hack The Box
Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors o...
helpdeskz
Help - Hack The Box
Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors o...
smtp
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
exploit
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
tamper script
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
weak ssh keys
Flujab - Hack The Box
Flujab was without a doubt one of the toughest HTB box. It’s got a ton of vhosts that force you to enumerate a lot of things and make sure you don’t get dist...
hardcoded credentials
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
gpp
Querier - Hack The Box
To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...
prtg
Netmon - Hack The Box
I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory....
nishang
Netmon - Hack The Box
I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory....
config backups
Netmon - Hack The Box
I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory....
gophish
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
alpc
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
regeorg
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
proxychains
Hackback - Hack The Box
Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...
smbmap
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
axfr
Friendzone - Hack The Box
Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...
secureid
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
7zip
CTF - Hack The Box
This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...
vsftpd
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
certificates
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
ssh rsa auth
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
psysh
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
nodejs
LaCasaDePapel - Hack The Box
I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...
certificate
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
pgadmin
Fortune - Hack The Box
In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...
java
Arkham - Hack The Box
Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...
readpst
Arkham - Hack The Box
Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...
ServiceDesk
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
incognito
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
tokens
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
xxe
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
evtx
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
windows logs
Helpline - Hack The Box
I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...
2nd order injection
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
uinitrd
Unattended - Hack The Box
Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...
apt
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
swapfile
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
sftp
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
web
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
symlink
Onetwoseven - Hack The Box
OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...
mremoteng
Bastion - Hack The Box
Bastion was an easy box where we had to find an open SMB share that contained a Windows backup. Once we mounted the disk image file, we could recover the sys...
backup
Bastion - Hack The Box
Bastion was an easy box where we had to find an open SMB share that contained a Windows backup. Once we mounted the disk image file, we could recover the sys...
ajenti
Luke - Hack The Box
Luke is a easy machine that doesn’t have a lot steps but we still learn a few things about REST APIs like how to authenticate to the service and get a JWT to...
json
Luke - Hack The Box
Luke is a easy machine that doesn’t have a lot steps but we still learn a few things about REST APIs like how to authenticate to the service and get a JWT to...
jail escape
Kryptos - Hack The Box
I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...
magento
Swagshop - Hack The Box
SwagShop is one of those easy boxes where you can pop a shell just by using public exploits. It’s running a vulnerable Magento CMS on which we can create an ...
vi
Swagshop - Hack The Box
SwagShop is one of those easy boxes where you can pop a shell just by using public exploits. It’s running a vulnerable Magento CMS on which we can create an ...
zipslip
Ghoul - Hack The Box
Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...
cms
Writeup - Hack The Box
Writeup starts off easy with an unauthenticated vulnerability in CMS Made Simple that I exploit to dump the database credentials. After cracking the user has...
elasticsearch
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
ctf-like
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
logstash
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
kibana
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
CVE-2018-17246
Haystack - Hack The Box
Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...
systemd
Jarvis - Hack The Box
The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...
double extension
Networked - Hack The Box
Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...
smart contract
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
ethereum
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
ipfs
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
bmap
Chainsaw - Hack The Box
I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...
cisco
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
hashes
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
creds spray
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
rpcclient
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
procdump
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
memory forensics
Heist - Hack The Box
Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...
CVE-2019-13024
Wall - Hack The Box
Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...
kernel module
Smasher2 - Hack The Box
Just its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...
re
Smasher2 - Hack The Box
Just its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...
vault
Craft - Hack The Box
Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...
eval
Craft - Hack The Box
Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...
obfuscated
Bitlab - Hack The Box
I solved this gitlab box the unintended way by exploiting the git pull command running as root and using git post-merge hooks to execute code as root. I was ...
codiad
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
ffmpeg
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
lshell
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
openssh xauth
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
pspy
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
php deserialization
Player - Hack The Box
Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...
tts
AI - Hack The Box
Exploiting the simple SQL injection vulnerability on the AI box was harder than expected because of the text-to-speech conversion required. I had to use a fe...
jdwp
AI - Hack The Box
Exploiting the simple SQL injection vulnerability on the AI box was harder than expected because of the text-to-speech conversion required. I had to use a fe...
websockets
Mini WebSocket CTF
During the holidays, @stackfault (sysop from the BottomlessAbyss BBS) ran a month long CTF with challenges being released every couple of days. Some of chall...
yara
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
usosvc
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
libreoffice
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
macros
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
ods
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
CVE-2018-20253
RE - Hack The Box
I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...
juicy potato
JSON - Hack The Box
To get remote code execution on JSON, I exploited a deserialization vulnerability in the web application using the Json.net formatter. After getting a shell ...
dnspy
JSON - Hack The Box
To get remote code execution on JSON, I exploited a deserialization vulnerability in the web application using the Json.net formatter. After getting a shell ...
ssfr
Bankrobber - Hack The Box
Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...
brute force
Bankrobber - Hack The Box
Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...
redis
Postman - Hack The Box
Postman was a somewhat frustrating box because we had to find the correct user directory where to write our SSH key using the unprotected Redis instance. I e...
webmin
Postman - Hack The Box
Postman was a somewhat frustrating box because we had to find the correct user directory where to write our SSH key using the unprotected Redis instance. I e...
aclpwn
Forest - Hack The Box
Forest is a nice easy box that go over two Active Directory misconfigurations / vulnerabilities: Kerberos Pre-Authentication (disabled) and ACLs misconfigura...
rfi
Sniper - Hack The Box
Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...
plink
Sniper - Hack The Box
Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...
chm
Sniper - Hack The Box
Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...
registry
Registry - Hack The Box
This writeup is outdated and the attack path presented for user bolt has been patched. Initially once we pivoted from the bolt user to www-data we could run ...
restic
Registry - Hack The Box
This writeup is outdated and the attack path presented for user bolt has been patched. Initially once we pivoted from the bolt user to www-data we could run ...
nostromo
Traverxec - Hack The Box
Sometimes you need a break from the hard boxes that take forever to pwn. Traverxec is an easy box that start with a custom vulnerable webserver with an unaut...
journalctl
Traverxec - Hack The Box
Sometimes you need a break from the hard boxes that take forever to pwn. Traverxec is an easy box that start with a custom vulnerable webserver with an unaut...
mango
Mango - Hack The Box
Mango was a medium box with a NoSQSL injection in the login page that allows us to retrieve the username and password. The credentials we retrieve through th...
nosql
Mango - Hack The Box
Mango was a medium box with a NoSQSL injection in the login page that allows us to retrieve the username and password. The credentials we retrieve through th...
jjs
Mango - Hack The Box
Mango was a medium box with a NoSQSL injection in the login page that allows us to retrieve the username and password. The credentials we retrieve through th...
x-forwarded-for
Control - Hack The Box
Control runs a vulnerable PHP web application that controls access to the admin page by checking the X-Forwarded-For HTTP header. By adding the X-Forwarded-F...
services
Control - Hack The Box
Control runs a vulnerable PHP web application that controls access to the admin page by checking the X-Forwarded-For HTTP header. By adding the X-Forwarded-F...
opennetadmin
OpenAdmin - Hack The Box
OpenAdmin is an easy box that starts with using an exploit for the OpenNetAdmin software to get initial RCE. Then we get credentials from the database config...
db creds
OpenAdmin - Hack The Box
OpenAdmin is an easy box that starts with using an exploit for the OpenNetAdmin software to get initial RCE. Then we get credentials from the database config...
custom webserver
Obscurity - Hack The Box
The Obscurity box has a vulnerable Python web application running. After finding the source code from a secret directory we find that the exec call can be co...
rid cycling
Resolute - Hack The Box
We start Resolute with enumeration of the domain user accounts using an anonymous bind session to the LDAP server and find an initial password in the descrip...
creds in plaintext
Resolute - Hack The Box
We start Resolute with enumeration of the domain user accounts using an anonymous bind session to the LDAP server and find an initial password in the descrip...
endgame
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
ds_store
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
iis shortname
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
linked servers
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
mssql python
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
kerberoast
P.O.O. - Hack The Box
Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...
azure ad
Monteverde - Hack The Box
Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...
ltrace
Forwardslash - Hack The Box
Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...
ssh keys
Book - Hack The Box
I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...
logrotate
Book - Hack The Box
I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...
bash_completion.d
Book - Hack The Box
I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...
kerbrute
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
secretsdump
Sauna - Hack The Box
Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...
vnc
Cascade - Hack The Box
Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attibute then enum...
tombstone
Cascade - Hack The Box
Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attibute then enum...
oauth
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
dbus
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
uwsgi
Oouch - Hack The Box
Ooauth was a pretty tough box because I was unfamiliar with Oauth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...
webshell
Traceback - Hack The Box
Traceback was an easy box where you had to look for an existing webshell on the box, then use it to get the initial foothold. Then there was some typical sud...
update-motd.d
Traceback - Hack The Box
Traceback was an easy box where you had to look for an existing webshell on the box, then use it to get the initial foothold. Then there was some typical sud...
path hijack
Magic - Hack The Box
Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...
quic
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
esi
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
xslt
Quick - Hack The Box
Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...
umbraco
Remote - Hack The Box
Remote is a beginner’s box running a vulnerable version of the Umbraco CMS which can be exploited after we find the credentials from an exposed share. After ...
teamviewer
Remote - Hack The Box
Remote is a beginner’s box running a vulnerable version of the Umbraco CMS which can be exploited after we find the credentials from an exposed share. After ...
gopher
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
viminfo
Travel - Hack The Box
Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...
keccak
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
vs code
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
chisel
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
server operators
Multimaster - Hack The Box
Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...
gobuster
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
rogue mysql
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
setenv
Admirer - Hack The Box
Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...
lsass
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
pypykatz
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
usodllloader
Blackfield - Hack The Box
Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...
client-side validation
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
openemr
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
memcached
Cache - Hack The Box
On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...
bludit cms
Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...
wordlist
Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...
cewl
Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...
minecraft
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
pcap
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
amqp
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
rabbitmq
Dyplesher - Hack The Box
Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...
smbpasswd
Fuse - Hack The Box
To solve Fuse, we’ll do some enumeration to gather potential usernames from the print jobs information then build a password list from the strings on the web...
print operators
Fuse - Hack The Box
To solve Fuse, we’ll do some enumeration to gather potential usernames from the print jobs information then build a password list from the strings on the web...
capcom
Fuse - Hack The Box
To solve Fuse, we’ll do some enumeration to gather potential usernames from the print jobs information then build a password list from the strings on the web...
tomcat
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
zip
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
password re-use
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
lxd
Tabby - Hack The Box
Tabby was an easy box with simple PHP arbitrary file ready, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...
hash length extension
Intense - Hack The Box
Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...
path traversal
Intense - Hack The Box
Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...
file upload
Buff - Hack The Box
Buff is pretty straightforward: Use a public exploit against the Gym Management System, then get RCE. Do some port-forwarding, then use another exploit (buff...
cloudme sync
Buff - Hack The Box
Buff is pretty straightforward: Use a public exploit against the Gym Management System, then get RCE. Do some port-forwarding, then use another exploit (buff...
encfs
Unbalanced - Hack The Box
To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...
squid
Unbalanced - Hack The Box
To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...
xpath
Unbalanced - Hack The Box
To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...
CVE-2020-11108
Unbalanced - Hack The Box
To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...
privileged container
Ready - Hack The Box
Ready was a pretty straighforward box to get an initial shell on: We identify that’s it running a vulnerable instance of Gitlab and we use an exploit against...
osticket
Delivery - Hack The Box
Delivery is a quick and fun easy box where we have to create a MatterMost account and validate it by using automatic email accounts created by the OsTicket a...
mattermost
Delivery - Hack The Box
Delivery is a quick and fun easy box where we have to create a MatterMost account and validate it by using automatic email accounts created by the OsTicket a...
rules
Delivery - Hack The Box
Delivery is a quick and fun easy box where we have to create a MatterMost account and validate it by using automatic email accounts created by the OsTicket a...