Medium Machine

Hack The Box: Heal Machine Walkthrough – Medium Difficulty

Writeup Summary: Heal (Hack The Box)

This box involved thorough enumeration that uncovered multiple subdomains, including a Ruby on Rails API. Initial access was gained by chaining a Local File Inclusion vulnerability with password cracking and exploiting a LimeSurvey plugin upload vulnerability. Privilege escalation was achieved by identifying and exploiting an exposed Consul service accessible through SSH port forwarding.

This challenge showcased key red teaming skills: web application exploitation, misconfiguration abuse, credential harvesting, and lateral movement.

#HackTheBox #CyberSecurity #RedTeam #PrivilegeEscalation #BugBounty #WebSecurity #Infosec #CTF #HTB #OffensiveSecurity #LinuxExploitation

Hack The Box: Administrator Walkthrough Medium Difficulty

This walkthrough chains privilege escalation in an AD environment through misconfigured permissions: no CVEs, just clever abuse of default rights. From Olivia to Emily to Ethan, we pivoted through user relationships using BloodHound, CrackMapExec, Kerberoasting, and WinRM access. The chain highlights how overlooked configurations can lead to full domain compromise.

#ActiveDirectory #PrivilegeEscalation #BloodHound #Kerberoasting #HackTheBox #RedTeam #CyberSecurity #WindowsPentest

Hack The Box: Certified Machine Walkthrough – Medium Difficulty

Access is gained using Judith Mader’s credentials, allowing enumeration of network resources. CrackMapExec identifies key accounts like management_svc and ca_operator. Privilege escalation is performed using a Shadow Credentials attack with Certipy, taking control of management_svc. With valid credentials, Evil-WinRM establishes a remote session, leading to the user flag.

For root access, the attack exploits Active Directory Certificate Services by modifying ca_operator’s User Principal Name (UPN) to Administrator, enabling a privileged certificate request. A vulnerable ESC9 certificate is issued without linking back to ca_operator, effectively granting Administrator access. The UPN is restored to avoid detection, and authentication via Kerberos retrieves the NT hash of the Administrator account. Full system control is confirmed by obtaining the root flag.

#HackTheBox #Pentesting #ActiveDirectory #PrivilegeEscalation #CyberSecurity #EthicalHacking