Posts by Year

2021

Delivery - Hack The Box

4 minute(s) read

Delivery is a quick and fun easy box where we have to create a Mattermost account and validate it by using automatic email accounts created by the osTicket a...

Ready - Hack The Box

2 minute(s) read

Ready was a pretty straightforward box to get an initial shell on: We identify that it's running a vulnerable instance of Gitlab and we use an exploit against...

2020

Unbalanced - Hack The Box

6 minute(s) read

To solve Unbalanced, we’ll find configuration backups files in EncFS and after cracking the password and figuring out how EncFS works, we get the Squid proxy...

Buff - Hack The Box

3 minute(s) read

Buff is pretty straightforward: Use a public exploit against the Gym Management System, then get RCE. Do some port-forwarding, then use another exploit (buff...

Intense - Hack The Box

6 minute(s) read

Intense starts with code review of a flask application where we find an SQL injection vulnerability that we exploit with a time-based technique. After retri...

Tabby - Hack The Box

2 minute(s) read

Tabby was an easy box with simple PHP arbitrary file read, some password cracking, password re-use and abusing LXD group permissions to instantiate a new co...

Fuse - Hack The Box

3 minute(s) read

To solve Fuse, we’ll do some enumeration to gather potential usernames from the print jobs information then build a password list from the strings on the web...

Dyplesher - Hack The Box

9 minute(s) read

Dyplesher was a pretty tough box that took me more than 10 hours to get to the user flag. There’s quite a bit of enumeration required to get to the git repo ...

Blunder - Hack The Box

4 minute(s) read

Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote cod...

Cache - Hack The Box

12 minute(s) read

On Cache, we start off with bypassing a simple login form that uses client-side user/password validation, then find a vhost with a vulnerable OpenEMR applica...

Blackfield - Hack The Box

18 minute(s) read

Blackfield was a fun Windows box where we get a list of potential usernames from an open SMB share, validate that list using kerbrute, then find and crack th...

Admirer - Hack The Box

4 minute(s) read

Admirer is an easy box with the typical ‘gobuster/find creds on the webserver’ part, but after we use a Rogue MySQL server to read files from the server file...

Multimaster - Hack The Box

9 minute(s) read

Multimaster was a challenging Windows machine that starts with an SQL injection so we can get a list of hashes. The box author threw a little curve ball here...

Travel - Hack The Box

11 minute(s) read

Travel is an awesome box from my ATeam teammates xct and jkr. The box has a code review part where we analyze the source code of a PHP web app to find a comm...

Remote - Hack The Box

3 minute(s) read

Remote is a beginner’s box running a vulnerable version of the Umbraco CMS which can be exploited after we find the credentials from an exposed share. After ...

Quick - Hack The Box

11 minute(s) read

Quick was a hard box with multiple steps requiring the use of the QUIC protocol to access one section of the website and get the customer onboarding PDF with...

Magic - Hack The Box

3 minute(s) read

Magic starts with a classic PHP insecure upload vulnerability that let us place a webshell on the target host and then we exploit a subtle webserver misconfi...

Traceback - Hack The Box

2 minute(s) read

Traceback was an easy box where you had to look for an existing webshell on the box, then use it to get the initial foothold. Then there was some typical sud...

Oouch - Hack The Box

8 minute(s) read

Oouch was a pretty tough box because I was unfamiliar with OAuth and it took a while to figure out the bits and pieces to chain together. The priv esc was p...

Cascade - Hack The Box

4 minute(s) read

Cascade was a simple and straightforward enumeration-focused Windows box. We find the credentials for the initial account in a custom LDAP attribute then enum...

Sauna - Hack The Box

3 minute(s) read

Sauna is a good beginner-friendly AD box that covers a few key Windows exploitation topics like AS-REP roasting, enumeration for credentials, using tools suc...

Book - Hack The Box

5 minute(s) read

I initially thought for Book that the goal was to get the administrator’s session cookie via an XSS but instead we have to create a duplicate admin account b...

Forwardslash - Hack The Box

7 minute(s) read

Forwardslash starts off like most classic Hack The Box machines with some enumeration of vhosts, files and directories with gobuster then we use a Server-Sid...

Monteverde - Hack The Box

7 minute(s) read

Monteverde was an Active Directory box on the easier side that requires enumerating user accounts then password spraying to get an initial shell. Then we fin...

P.O.O. - Hack The Box

30 minute(s) read

Professional Offensive Operations (P.O.O.) was the first endgame lab released by Hack The Box. It contained five different flags spread across two Windows ma...

Resolute - Hack The Box

7 minute(s) read

We start Resolute with enumeration of the domain user accounts using an anonymous bind session to the LDAP server and find an initial password in the descrip...

Obscurity - Hack The Box

7 minute(s) read

The Obscurity box has a vulnerable Python web application running. After finding the source code from a secret directory we find that the exec call can be co...

OpenAdmin - Hack The Box

4 minute(s) read

OpenAdmin is an easy box that starts with using an exploit for the OpenNetAdmin software to get initial RCE. Then we get credentials from the database config...

Control - Hack The Box

6 minute(s) read

Control runs a vulnerable PHP web application that controls access to the admin page by checking the X-Forwarded-For HTTP header. By adding the X-Forwarded-F...

Mango - Hack The Box

5 minute(s) read

Mango was a medium box with a NoSQL injection in the login page that allows us to retrieve the username and password. The credentials we retrieve through th...

Traverxec - Hack The Box

2 minute(s) read

Sometimes you need a break from the hard boxes that take forever to pwn. Traverxec is an easy box that starts with a custom vulnerable webserver with an unaut...

Registry - Hack The Box

6 minute(s) read

This writeup is outdated and the attack path presented for user bolt has been patched. Initially once we pivoted from the bolt user to www-data we could run ...

Sniper - Hack The Box

6 minute(s) read

Sniper is another box I got access to through an unintended method. The PHP application wasn’t supposed to be exploitable through Remote File Inclusion but b...

Forest - Hack The Box

4 minute(s) read

Forest is a nice easy box that goes over two Active Directory misconfigurations / vulnerabilities: Kerberos Pre-Authentication (disabled) and ACLs misconfigura...

Postman - Hack The Box

5 minute(s) read

Postman was a somewhat frustrating box because we had to find the correct user directory where to write our SSH key using the unprotected Redis instance. I e...

Bankrobber - Hack The Box

8 minute(s) read

Bankrobber is a web app box with a simple XSS and SQL injection that we have to exploit in order to get the source code of the application and discover a com...

Zetta - Hack The Box

6 minute(s) read

Zetta is another amazing box by jkr. The first part was kinda tricky because you had to pay attention to the details on the webpage and spot the references t...

JSON - Hack The Box

8 minute(s) read

To get remote code execution on JSON, I exploited a deserialization vulnerability in the web application using the Json.net formatter. After getting a shell ...

RE - Hack The Box

10 minute(s) read

I had fun solving RE but I did it using an unintended path. After getting a shell with a macroed .ods file, I saw that the Winrar version had a CVE which all...

Mini WebSocket CTF

3 minute(s) read

During the holidays, @stackfault (sysop from the BottomlessAbyss BBS) ran a month long CTF with challenges being released every couple of days. Some of chall...

AI - Hack The Box

7 minute(s) read

Exploiting the simple SQL injection vulnerability on the AI box was harder than expected because of the text-to-speech conversion required. I had to use a fe...

Player - Hack The Box

16 minute(s) read

Player was a tough one. Getting the initial shell on Player took me quite some time. Every time I got new credentials I thought I would be able to log in but...

Bitlab - Hack The Box

4 minute(s) read

I solved this gitlab box the unintended way by exploiting the git pull command running as root and using git post-merge hooks to execute code as root. I was ...

Craft - Hack The Box

9 minute(s) read

Craft was a fun Silicon Valley themed box where we have to exploit a vulnerable REST API eval function call to get RCE. After getting a shell on the app cont...

2019

Smasher2 - Hack The Box

16 minute(s) read

Just like its predecessor, Smasher2 is a very difficult box with reverse engineering and binary exploitation. Unfortunately, the initial step required some insane...

Wall - Hack The Box

5 minute(s) read

Wall is running a vulnerable version of the Centreon application that allows authenticated users to gain RCE. The tricky part of this box was finding the pat...

Heist - Hack The Box

5 minute(s) read

Heist starts off with a support page with a username and a Cisco IOS config file containing hashed & encrypted passwords. After cracking two passwords fr...

Chainsaw - Hack The Box

7 minute(s) read

I learned a bit about Ethereum and smart contracts while doing the Chainsaw box from Hack the Box. There’s a command injection vulnerability in a smart contr...

Networked - Hack The Box

6 minute(s) read

Networked was an easy box that starts off with a classic insecure upload vulnerability in an image gallery web application. The Apache server is misconfigure...

Jarvis - Hack The Box

4 minute(s) read

The entrypoint for Jarvis is an SQL injection vulnerability in the web application to book hotel rooms. There is a WAF but I was able to easily get around it...

Haystack - Hack The Box

5 minute(s) read

Haystack is an easy ctf-like box where the initial credentials can be found hidden in an ElasticSearch database. Knowing some ES API syntax it’s very easy to...

Safe - Hack The Box

8 minute(s) read

Safe was a bit of a surprise because I didn't expect a 20-point box to start with a buffer overflow requiring ropchains. The exploit is pretty straightforwa...

Writeup - Hack The Box

5 minute(s) read

Writeup starts off easy with an unauthenticated vulnerability in CMS Made Simple that I exploit to dump the database credentials. After cracking the user has...

Ghoul - Hack The Box

17 minute(s) read

Ghoul was a tricky box from Minatow that required pivoting across 3 containers to find the bits and pieces needed to get root. To get a shell I used a Zip Sl...

Swagshop - Hack The Box

3 minute(s) read

SwagShop is one of those easy boxes where you can pop a shell just by using public exploits. It’s running a vulnerable Magento CMS on which we can create an ...

Kryptos - Hack The Box

21 minute(s) read

I loved the Kryptos machine from Adamm and no0ne. It starts with a cool parameter injection in the DSN string so I can redirect the DB queries to my VM and h...

Luke - Hack The Box

4 minute(s) read

Luke is an easy machine that doesn't have a lot of steps but we still learn a few things about REST APIs like how to authenticate to the service and get a JWT to...

Bastion - Hack The Box

6 minute(s) read

Bastion was an easy box where we had to find an open SMB share that contained a Windows backup. Once we mounted the disk image file, we could recover the sys...

Onetwoseven - Hack The Box

13 minute(s) read

OneTwoSeven starts with enumeration of various files on the system by creating symlinks from the SFTP server. After finding the credentials for the ots-admin...

Unattended - Hack The Box

18 minute(s) read

Unattended was a pretty tough box with a second order SQL injection in the PHP app. By injecting PHP code into the web server access logs through the User-Ag...

Helpline - Hack The Box

13 minute(s) read

I did Helpline the unintended way by gaining my initial shell access as NT AUTHORITY\SYSTEM and then working my way back to the root and user flags. Both fla...

Arkham - Hack The Box

11 minute(s) read

Arkham was a medium difficulty box that shows how Java deserialization can be used by attackers to get remote code execution. After finding the JSF viewstate...

Fortune - Hack The Box

11 minute(s) read

In this box, I use a simple command injection on the web fortune application that allows me to find the Intermediate CA certificate and its private key. Afte...

LaCasaDePapel - Hack The Box

6 minute(s) read

I had trouble with the OTP token on this box: I never figured out why but whenever I scanned the QR code with my Google Authenticator app it would always gen...

CTF - Hack The Box

14 minute(s) read

This time it’s a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Forma...

Friendzone - Hack The Box

9 minute(s) read

Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to g...

Hackback - Hack The Box

20 minute(s) read

Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall...

Netmon - Hack The Box

4 minute(s) read

I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory....

Querier - Hack The Box

7 minute(s) read

To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect b...

Flujab - Hack The Box

15 minute(s) read

Flujab was without a doubt one of the toughest HTB boxes. It's got a ton of vhosts that force you to enumerate a lot of things and make sure you don't get dist...

Help - Hack The Box

5 minute(s) read

Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors o...

Sizzle - Hack The Box

19 minute(s) read

Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Se...

Chaos - Hack The Box

7 minute(s) read

Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have ...

Conceal - Hack The Box

6 minute(s) read

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerati...

Lightweight - Hack The Box

6 minute(s) read

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP ses...

Bighead - Hack The Box

28 minute(s) read

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver soft...

Irked - Hack The Box

3 minute(s) read

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials f...

Teacher - Hack The Box

8 minute(s) read

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle appl...

Redcross - Hack The Box

16 minute(s) read

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, lig...

Vault - Hack The Box

7 minute(s) read

This is the writeup for Vault, a machine with pivoting across different network segments.

Curling - Hack The Box

6 minute(s) read

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.

Frolic - Hack The Box

8 minute(s) read

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.

Carrier - Hack The Box

12 minute(s) read

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.

Ethereal - Hack The Box

16 minute(s) read

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the ...

Access - Hack The Box

5 minute(s) read

This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.

Zipper - Hack The Box

6 minute(s) read

This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.

Giddy - Hack The Box

8 minute(s) read

This is the writeup for Giddy, a Windows machine with an interesting twist on SQL injection, PowerShell Web Access and a priv esc exploiting improper permissions.

Ypuffy - Hack The Box

9 minute(s) read

This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.

Secnotes - Hack The Box

7 minute(s) read

This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.

Oz - Hack The Box

16 minute(s) read

This blog post is a writeup of the Oz machine from Hack the Box.

Mischief - Hack The Box

7 minute(s) read

This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.

2018

Creating a custom shellcode crypter

3 minute(s) read

For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designe...

Polymorphic Linux Shellcode

3 minute(s) read

This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.

Msfvenom shellcode analysis

13 minute(s) read

This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.

Custom shellcode encoder

6 minute(s) read

A shellcode encoder can be used for different purposes such as modifying an existing shellcode to make it harder to detect by AV engines or simply avoiding bad cha...

Egghunter Linux Shellcode

7 minute(s) read

An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the s...

TCP reverse shellcode

7 minute(s) read

A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially usefu...

TCP bind shellcode

15 minute(s) read

A bind shellcode listens on a socket, waiting for a connection to be made to the server then executes arbitrary code, typically spawning a shell for the connec...
