• Search for:

    Category Archives: Medium Machine

    1. Home  - Challenges HackTheBox
    2. Archive by category "Medium Machine"
      3. ( Page2 )
    7 Feb, 2026
    Hack The Box: Signed Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , ,

    After escalating to a SYSTEM-level PowerShell reverse shell using xp_cmdshell and a base64-encoded payload that called back to my netcat listener on port 9007, I navigated to the user profile and read the user flag directly with type user.txt.

    With full sysadmin rights on the SQL instance as SIGNED\Administrator (thanks to a forged silver ticket with Domain Admins membership), I enabled xp_cmdshell, launched a reverse shell to land SYSTEM access, then grabbed the root flag from

    Box fully pwned — domain admin and SYSTEM in the bag!

    #HackTheBox #HTBSigned #PenetrationTesting #CyberSecurity #PrivilegeEscalation #ActiveDirectory #RedTeam #CTF #EthicalHacking #OffensiveSecurity …

    Learn MoreHack The Box: Signed Machine Walkthrough – Medium Difficulity

    24 Jan, 2026
    Hack The Box: Imagery Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , , ,

    Just completed the Imagery machine on Hack The Box (Medium). The challenge involved identifying weaknesses in a custom web application, analysing exposed application logic and data, and chaining these issues to move laterally within the system to gain user-level access. Further investigation highlighted how overlooked privilege boundaries and misconfigured trusted utilities can be abused to escalate privileges and obtain full administrative control.

    #HackTheBox #CyberSecurity #WebSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #CTF #InfoSec

    Learn MoreHack The Box: Imagery Machine Walkthrough – Medium Difficulity

    17 Jan, 2026
    Hack The Box: HackNet Machine Walkthrough – Medium Diffucility
    Medium Machine

    Just wrapped up HackNet (Medium difficulty, Hack The Box) — what a ride!
    Started with deep web enumeration and uncovered a template injection vulnerability in how dynamic content gets rendered. Crafted a payload, injected it into a user-controlled field, triggered the vulnerable path through a specific page interaction, and extracted sensitive account details that handed me valid SSH credentials as a low-priv user. From there, grabbing the user flag was a clean win.
    For privilege escalation, enumeration from the foothold revealed a misconfigured, world-writable file-based cache backend in the Django app. Knowing the framework’s caching behavior and a known deserialization weakness, I built a malicious payload, poisoned the cache location, and triggered RCE as the web user. Further digging exposed encrypted database backups secured by public-key crypto; I obtained the key, cracked its passphrase, decrypted the dumps, and recovered a high-priv credential that let me escalate to root and snag the root flag.

    #HackTheBox #Cybersecurity #WebExploitation #PrivEsc #PickleRCE #DjangoSecurity #CTF #PenetrationTesting #OffensiveSecurity #BugBounty …

    Learn MoreHack The Box: HackNet Machine Walkthrough – Medium Diffucility

    10 Jan, 2026
    Hack The Box: Previous Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    🎯 Just rooted the ‘Previous’ machine on Hack The Box!

    Started with a Next.js app exposing a path traversal bug in /api/download, leaked /etc/passwd → found user ‘jeremy’, then extracted the NextAuth provider code revealing credentials.

    Abused .terraformrc dev_overrides to load a malicious custom provider binary.
    Classic NextAuth misconfig + Terraform provider override chain. Loved the creativity!

    #HackTheBox #CTF #PrivilegeEscalation #PathTraversal #NextJS #Terraform #CyberSecurity #PenetrationTesting #BugBounty”

    Learn MoreHack The Box: Previous Machine Walkthrough – Medium Difficulty

    30 Nov, 2025
    Hack The Box: Era Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , ,

    Compromising the Era HTB machine involved chaining multiple weaknesses across the web layer and system layer. Initial access was obtained through an IDOR flaw in a file-sharing platform, allowing unrestricted file retrieval by enumerating numeric IDs. Leaked backups exposed source code, plaintext credentials, and an SSH private key, enabling lateral movement as eric. Further analysis uncovered a root-executed integrity-check binary in a world-writable directory. By extracting its signature, injecting it into a backdoored replacement, and waiting for the cron job to trigger, privileged execution was achieved. A resulting callback delivered full root access and allowed retrieval of the final flag.

    #HTB #HackTheBox #CyberSecurity #Pentesting #WebSecurity #IDOR #PrivilegeEscalation #LinuxSecurity #RedTeam #CTF #InfoSec …

    Learn MoreHack The Box: Era Machine Walkthrough – Medium Difficulity

    1 Nov, 2025
    Hack The Box: Voleur Machinen Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    Cracked a password-protected Excel on an SMB share to recover service-account credentials, used Kerberos to access a user account and capture user.txt, then leveraged AD write permissions to restore a deleted admin, decrypt DPAPI artefacts for high‑priv creds, and access the DC to grab root.txt.

    #HackTheBox #ADSecurity #Kerberos #DPAPI #RedTeam #CTF

    Learn MoreHack The Box: Voleur Machinen Walkthrough – Medium Difficulty

    11 Oct, 2025
    Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , ,

    I cracked a Kerberos TGS for Alfred (password: basketballl), used BloodHound-guided enumeration and account takeover to obtain John’s machine credentials and retrieved the user flag (type user.txt); then I abused a misconfigured certificate template (ESC15) with Certipy to request an Administrator certificate, obtained a TGT (administrator.ccache), extracted the Administrator NT hash and used it to access the DC and read the root flag (type root.txt).

    #HackTheBox #RedTeam #ActiveDirectory #Kerberos #CertAuth #BloodHound #OffensiveSecurity #Infosec #PrivilegeEscalation …

    Learn MoreHack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

    27 Sep, 2025
    Hack The Box: Puppy Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

    #Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation …

    Learn MoreHack The Box: Puppy Machine Walkthrough – Medium Difficulty

    6 Sep, 2025
    Hack The Box: Environment Machine Walkthough-Medium Difficulty
    Medium Machine , , , , , , , , , , , , ,

    Environment HTB: Full User & Root Flag Capture Through Exploitation

    Captured both the user and root flags on the Environment HTB machine! We exploited Laravel 11.30.0 (PHP 8.2.28) vulnerabilities, including argument injection (CVE-2024-52301) and UniSharp Laravel Filemanager code injection. By bypassing authentication with `–env=preprod` and leveraging the profile upload feature, we executed a PHP reverse shell and retrieved the user flag via `cat user.txt`. For root access, we decrypted `keyvault.gpg` from the `.gnupg` directory to obtain credentials and exploited sudo with preserved BASH\_ENV by crafting a script that spawned a privileged shell, ultimately gaining full control of the system.

    #CyberSecurity #HTB #PenTesting #EthicalHacking #LaravelExploits #PrivilegeEscalation #PHP #Infosec #BugBounty #RedTeam

    Learn MoreHack The Box: Environment Machine Walkthough-Medium Difficulty

    23 Aug, 2025
    Hack The Box: TheFrizz Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , , , , ,

    I successfully captured both user and root flags by exploiting a file upload vulnerability to gain a web shell, extracting database credentials from config.php, and cracking the user hash to reveal the password Jenni_Luvs_Magic23. Using these credentials, I accessed the web application, discovered an SSH migration hint, and leveraged a Kerberos ticket (f.frizzle.ccache) to gain SSH access and retrieve the user flag with type user.txt. For the root flag, I escalated privileges using M.SchoolBus and SharpGPOAbuse to manipulate SleepGPO, applied changes with gpupdate.exe /force, extracted credentials with secretdump, and used wmiexec to secure a root-level shell, ultimately reading the root flag with type root.txt.

    #Cybersecurity #CTF #EthicalHacking #PenetrationTesting …

    Learn MoreHack The Box: TheFrizz Machine Walkthrough – Medium Difficulity