• Search for:

    Category Archives: Medium Machine

    1. Home  - Challenges HackTheBox
    2. Archive by category "Medium Machine"
      3. ( Page2 )
    11 Oct, 2025
    Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , ,

    I cracked a Kerberos TGS for Alfred (password: basketballl), used BloodHound-guided enumeration and account takeover to obtain John’s machine credentials and retrieved the user flag (type user.txt); then I abused a misconfigured certificate template (ESC15) with Certipy to request an Administrator certificate, obtained a TGT (administrator.ccache), extracted the Administrator NT hash and used it to access the DC and read the root flag (type root.txt).

    #HackTheBox #RedTeam #ActiveDirectory #Kerberos #CertAuth #BloodHound #OffensiveSecurity #Infosec #PrivilegeEscalation …

    Learn MoreHack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

    27 Sep, 2025
    Hack The Box: Puppy Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

    #Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation …

    Learn MoreHack The Box: Puppy Machine Walkthrough – Medium Difficulty

    6 Sep, 2025
    Hack The Box: Environment Machine Walkthough-Medium Difficulty
    Medium Machine , , , , , , , , , , , , ,

    Environment HTB: Full User & Root Flag Capture Through Exploitation

    Captured both the user and root flags on the Environment HTB machine! We exploited Laravel 11.30.0 (PHP 8.2.28) vulnerabilities, including argument injection (CVE-2024-52301) and UniSharp Laravel Filemanager code injection. By bypassing authentication with `–env=preprod` and leveraging the profile upload feature, we executed a PHP reverse shell and retrieved the user flag via `cat user.txt`. For root access, we decrypted `keyvault.gpg` from the `.gnupg` directory to obtain credentials and exploited sudo with preserved BASH\_ENV by crafting a script that spawned a privileged shell, ultimately gaining full control of the system.

    #CyberSecurity #HTB #PenTesting #EthicalHacking #LaravelExploits #PrivilegeEscalation #PHP #Infosec #BugBounty #RedTeam

    Learn MoreHack The Box: Environment Machine Walkthough-Medium Difficulty

    23 Aug, 2025
    Hack The Box: TheFrizz Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , , , , ,

    I successfully captured both user and root flags by exploiting a file upload vulnerability to gain a web shell, extracting database credentials from config.php, and cracking the user hash to reveal the password Jenni_Luvs_Magic23. Using these credentials, I accessed the web application, discovered an SSH migration hint, and leveraged a Kerberos ticket (f.frizzle.ccache) to gain SSH access and retrieve the user flag with type user.txt. For the root flag, I escalated privileges using M.SchoolBus and SharpGPOAbuse to manipulate SleepGPO, applied changes with gpupdate.exe /force, extracted credentials with secretdump, and used wmiexec to secure a root-level shell, ultimately reading the root flag with type root.txt.

    #Cybersecurity #CTF #EthicalHacking #PenetrationTesting …

    Learn MoreHack The Box: TheFrizz Machine Walkthrough – Medium Difficulity

    26 Jul, 2025
    Hack The Box: Cypher Machine Walkthrough – Medium Difficultyy
    Medium Machine , , , , , , , , , , ,

    Successfully exploited a vulnerable Neo4j database via Cypher injection to extract credentials, gain SSH access, and retrieve the user flag. Then leveraged a misconfigured `bbot` binary with sudo rights to set the SUID bit on `/bin/bash`, escalating privileges to root and capturing the root flag. #Cybersecurity #Neo4j #CypherInjection #PrivilegeEscalation #Pentesting #EthicalHacking #InfoSec …

    Learn MoreHack The Box: Cypher Machine Walkthrough – Medium Difficultyy

    5 Jul, 2025
    Hack The Box: Cat Machine Walkthrough – Medium Diffculity
    Medium Machine , , , , , , , , , , , , , , , ,

    Hack The Box Success: Cat Machine Write-Up Published!

    I’ve just published my personal write-up for the Cat machine on Hack The Box. In this challenge, I gained the user flag by exploiting a Stored XSS vulnerability to capture the admin session cookie, followed by an SQL Injection to extract credentials and gain SSH access. For the root flag, I took advantage of a vulnerable image processing script owned by root, crafting a payload to gain a root shell and retrieve the flag. The full write-up dives into each step, the logic behind the attacks, and key takeaways.

    #CyberSecurity #HackTheBox #PenetrationTesting #EthicalHacking #CTF #WriteUp #XSS #SQLi #PrivilegeEscalation #InfoSec #CTFWriteup …

    Learn MoreHack The Box: Cat Machine Walkthrough – Medium Diffculity

    7 Jun, 2025
    Hack The Box: Backfire Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , ,

    Successfully rooted another Hack The Box machine by chaining multiple vulnerabilities across custom C2 frameworks. For the user flag, we exploited an SSRF vulnerability (CVE-2024-41570) in the Havoc C2 framework to access internal services, which we then chained with an authenticated RCE to execute arbitrary commands and gain a reverse shell as the ilya user. To maintain stable access, SSH keys were added for persistence, allowing us to retrieve the user.txt flag. For the root flag, we targeted the Hardhat C2 service by forging a valid JWT with a Python script to create an admin user, which provided shell access as sergej. Upon privilege escalation analysis, we found that sergej had sudo access to the iptables-save binary. This was abused to overwrite the /etc/sudoers file and escalate to root, ultimately retrieving the root.txt flag. Another great learning experience on the path to mastering offensive security!

    #HackTheBox #CyberSecurity #InfoSec #RedTeam #CTF #PrivilegeEscalation #RCE #SSRF #Linux #HTB #EthicalHacking #PenetrationTesting #HavocC2 #HardhatC2 #JWT #SudoExploit #OSCP #BugBounty …

    Learn MoreHack The Box: Backfire Machine Walkthrough – Medium Difficulty

    17 May, 2025
    Hack The Box: Heal Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , , , ,

    Writeup Summary: Heal (Hack The Box)

    This box involved thorough enumeration that uncovered multiple subdomains, including a Ruby on Rails API. Initial access was gained by chaining a Local File Inclusion vulnerability with password cracking and exploiting a LimeSurvey plugin upload vulnerability. Privilege escalation was achieved by identifying and exploiting an exposed Consul service accessible through SSH port forwarding.

    This challenge showcased key red teaming skills: web application exploitation, misconfiguration abuse, credential harvesting, and lateral movement.

    #HackTheBox #CyberSecurity #RedTeam #PrivilegeEscalation #BugBounty #WebSecurity #Infosec #CTF #HTB #OffensiveSecurity #LinuxExploitation …

    Learn MoreHack The Box: Heal Machine Walkthrough – Medium Difficulty

    19 Apr, 2025
    Hack The Box: Administrator Walkthrough Medium Difficulty
    Medium Machine , , , , , , , , , ,

    Chained privilege escalation on an AD environment via misconfigured permissions — no CVEs, just clever abuse of default rights. From Olivia to Emily to Ethan, we pivoted through user relationships using BloodHound, CrackMapExec, Kerberoasting, and WinRM access. Highlighting how overlooked configurations can lead to full domain compromise.

    #ActiveDirectory #PrivilegeEscalation #BloodHound #Kerberoasting #HackTheBox #RedTeam #CyberSecurity #WindowsPentest …

    Learn MoreHack The Box: Administrator Walkthrough Medium Difficulty

    15 Mar, 2025
    Hack The Box: Certified Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    Access is gained using Judith Mader’s credentials, allowing enumeration of network resources. CrackMapExec identifies key accounts like management_svc and ca_operator. Privilege escalation is performed using a Shadow Credentials attack with Certipy, taking control of management_svc. With valid credentials, Evil-WinRM establishes a remote session, leading to the user flag.

    For root access, the attack exploits Active Directory Certificate Services by modifying ca_operator’s User Principal Name (UPN) to Administrator, enabling a privileged certificate request. A vulnerable ESC9 certificate is issued without linking back to ca_operator, effectively granting Administrator access. The UPN is restored to avoid detection, and authentication via Kerberos retrieves the NT hash of the Administrator account. Full system control is confirmed by obtaining the root flag.

    #HackTheBox #Pentesting #ActiveDirectory #PrivilegeEscalation #CyberSecurity #EthicalHacking …

    Learn MoreHack The Box: Certified Machine Walkthrough – Medium Difficulty