Hard Machine Archives - Threatninja.net

4 Apr, 2026

Hack The Box: Darkzero Machine – Hard Difficulity

Hard Machine Bloodhound, certif, Certify, Challenges, chisel, evil-winrm, HackTheBox, ligolo, mssqlclient, openssl, Penetration Testing, proxychains, python3, rubeus.exe, secretdump, ticketconverter, Windows

Just completed the DarkZero machine from HackTheBox (Hard difficulty)!

After gaining a foothold on DC02 via a misconfigured MSSQL linked server and escalating to local Administrator using SigmaPotato token impersonation + RunasCs, we successfully captured the user flag from the Administrator’s desktop.

Dumped the domain Administrator NT hash with secretsdump, then used Evil-WinRM to get a full shell as Administrator on DC02 and retrieved the root flag.

#HackTheBox #HTB #Pentesting #ActiveDirectory #RedTeam #CyberSecurity #PrivilegeEscalation …

Learn MoreHack The Box: Darkzero Machine – Hard Difficulity

28 Feb, 2026

Hack The Box: Guardian Machine Walkthrough – Hard Difficulty

Hard Machine Challenges, cookie session, CVE‑2025‑22131, CVE‑2025‑23210, ghidra, HackTheBox, Linux, MySQL, Penetration Testing, python3, safeapache2ctl, ssh, XSS

🔐 User Flag — Compromising the Application Layer

Successfully rooted the Guardian (Hard) machine on Hack The Box by chaining multiple real-world web vulnerabilities.Initial access was achieved through credential abuse and IDOR within the student portal. Leaked chat credentials exposed internal Gitea repositories containing hardcoded database secrets. A vulnerable XLSX file upload feature allowed formula injection → XSS → session hijacking. Leveraging CSRF, I created a rogue admin account and escalated privileges within the application. From there, an LFI vulnerability combined with a PHP filter chain led to Remote Code Execution. After gaining a shell as www-data, I reused leaked credentials to pivot laterally to user jamil, capturing the user flag.

👑 Root Flag — From Code Injection to Full System Compromise

Privilege escalation started with sudo -l, revealing that jamil could execute a Python utility as user mark without a password. Since one of the Python files was writable, I injected code to spawn a shell as mark. Further enumeration uncovered a custom binary (safeapache2ctl) executable as root. A flawed validation mechanism in its Apache config parsing allowed path traversal and arbitrary file inclusion. By crafting a malicious shared object (evil.so) and abusing the wrapper’s improper include validation, I achieved root-level code execution and obtained a root shell. …

Learn MoreHack The Box: Guardian Machine Walkthrough – Hard Difficulty

22 Nov, 2025

Hack The Box: Mirage Machine Walkthrough – Hard Difficulity

Hard Machine autologon, BloodHoundCE, bloodyAD, Certipy, Challenges, HackTheBox, hashcat, impacket, john the ripper, nats, nfs, nxc, Penetration Testing, Windows, winpeas

Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

#CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation …

Learn MoreHack The Box: Mirage Machine Walkthrough – Hard Difficulity

8 Nov, 2025

Hack The Box: RustyKey Machine Walkthrough – Hard Difficulity

Hard Machine BloodHoundCE, bloodyAD, Challenges, evil-winrm, HackTheBox, hashcat, impacket, kerberos, LDAP, nxc, Penetration Testing, python3, RunasCs, timeroast

Authenticated to rustykey.htb as bb.morgan after exploiting Kerberos flows and resolving a time sync issue: obtained a TGT (bb.morgan.ccache), set KRB5CCNAME, and used evil‑winrm to capture the user flag.
Escalated to SYSTEM by abusing machine account and delegation: IT‑COMPUTER3$ was used to modify AD protections and reset ee.reed’s password, S4U2Self/S4U2Proxy impersonation produced backupadmin.ccache, and Impacket was used to deploy a service payload to achieve a SYSTEM shell and capture the root flag.

#CyberSecurity #RedTeam #Kerberos #ActiveDirectory #PrivilegeEscalation #HackTheBox #Impacket #WindowsAD …

Learn MoreHack The Box: RustyKey Machine Walkthrough – Hard Difficulity

4 Oct, 2025

Hack The Box: Certificate Machine Walkthrough – Hard Difficulty

Hard Machine BloodHoundCE, Certipy, certutil, Challenges, ESC3, evil-winrm, HackTheBox, hashcat, kerberos, MySQL, Penetration Testing, python3, SeManageVolumePrivilege, Windows, Wireshark, zip slip

I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

#CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting …

Learn MoreHack The Box: Certificate Machine Walkthrough – Hard Difficulty

30 Aug, 2025

Hack The Box: Eureka Machine Walkthrough – Hard Dificulty

Hard Machine actuator, Challenges, Cloud-Gateway, curl, feroxbuster, gobuster, HackTheBox, Linux, Penetration Testing, pspy64, springboot, springeureka

I enumerated Spring Boot Actuator endpoints, including /actuator/heapdump, which revealed plaintext credentials for oscar190. SSH login as oscar190 was successful, though the home directory was empty. Analysis of application.properties exposed Eureka credentials (EurekaSrvr:0scarPWDisTheB3st), granting access to the Eureka dashboard. By registering a malicious microservice, I retrieved miranda.wise credentials and captured the user flag. For privilege escalation, I identified a vulnerable log_analyse.sh script, performed command injection, and created a SUID bash shell in /tmp/bash. Executing this shell provided root access, allowing retrieval of the root flag and full control of the machine.

#CyberSecurity #EthicalHacking #HackTheBox #PenTesting #PrivilegeEscalation #WebSecurity #SpringBoot #CTF #BugHunting #InfoSec #RedTeam #OffensiveSecurity …

Learn MoreHack The Box: Eureka Machine Walkthrough – Hard Dificulty

19 Jul, 2025

Hack The Box: Scepter Machine Walkthrough – Hard Difficulty

Hard Machine ADCS, Bloodhound, bloodyAD, Certipy, Challenges, ESC14, ESC9, evil-winrm, HackTheBox, hashcat, ldapsearch, nfs, openssl, Penetration Testing, showmount, Windows

I conquered the “Scepter” machine on Hack The Box, a challenging Active Directory exploit! Initially, I cracked weak .pfx certificate passwords using pfx2john and rockyou.txt. After syncing time, I extracted D.BAKER’s NTLM hash via Certipy and used BloodHound to reveal A.CARTER’s password reset privileges, exploiting ESC9 to capture the user flag. Subsequently, H.BROWN’s access to P.ADAMS’s altSecurityIdentities enabled an ESC14 attack, forging a certificate for passwordless authentication. Consequently, P.ADAMS’s DCSync rights allowed domain hash extraction, securing the root flag via Evil-WinRM.

#Cybersecurity #HackTheBox #ActiveDirectory #PrivilegeEscalation #CTF #EthicalHacking …

Learn MoreHack The Box: Scepter Machine Walkthrough – Hard Difficulty

28 Jun, 2025

Hack The Box: Haze Machine Walkthrough – Hard Difficulty

Hard Machine Active Directory, Bloodhound, bloodyAD, Certipy, Challenges, CVE-2024-36991, evil-winrm, HackTheBox, Linux, Local File Inclusion (LFI), NetExec, Penetration Testing, pywhisker, Splunk, splunksecrets, SweetPotato

New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box

Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations.

#HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity …

Learn MoreHack The Box: Haze Machine Walkthrough – Hard Difficulty

31 May, 2025

Hack The Box: Checker Machine Walkthrough – Hard Difficulty

Hard Machine BookStack, BurpSuite, Challenges, CVE-2023-1545, CVE-2023-6199, gobuster, HackTheBox, Linux, OTP, Penetration Testing, python3, ssh, Teampass

Successfully exploited CVE-2023-1545 in Teampass to extract user credentials and leveraged CVE-2023-6199 in BookStack to obtain an OTP, gaining user-level access on the Checker machine. Privilege escalation was achieved by exploiting a sudo script interacting with shared memory, setting the SUID bit on /bin/bash to capture the root flag. A great example of combining application vulnerabilities with creative privilege escalation techniques!

#Cybersecurity #EthicalHacking #HackTheBox #PenetrationTesting #InfoSec #VulnerabilityResearch #PrivilegeEscalation #CTF #SecurityResearch …

Learn MoreHack The Box: Checker Machine Walkthrough – Hard Difficulty

3 May, 2025

HackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Hard Machine Android, BuddyForms, BurpSuite, Challenges, chisel, CVE-2023-26326, CVE-2024-2961, file upload, gobuster, grafana, grafana2hashcat, HackTheBox, hashcat, Linux, Local File Inclusion (LFI), MySQL, Penetration Testing, port forwarding, python3, Remote Code Execution (RCE) in WordPress, Server Misconfigurations, Wordpress

Chained exploitation through misconfigured web app and internal services. We started by exploiting a WordPress plugin vulnerability (CVE-2023-26326) to upload files, followed by a file read vulnerability (CVE-2024-2961) for remote code execution. From there, we cracked the database credentials, gained SSH access as the shawking user, and leveraged a vulnerable API endpoint to escalate to root. This highlights how overlooked configurations and service misconfigurations can lead to a full server compromise.

#CTF #PrivilegeEscalation #WebSecurity #CommandInjection #SSH #WordPress #LinuxPentesting #BugBounty #HackTheBox #RedTeam #CyberSecurity …

Learn MoreHackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Threatninja.net

Threatninja.net

Category Archives: Hard Machine