Compromising the Era HTB machine involved chaining multiple weaknesses across the web layer and system layer. Initial access was obtained through an IDOR flaw in a file-sharing platform, allowing unrestricted file retrieval by enumerating numeric IDs. Leaked backups exposed source code, plaintext credentials, and an SSH private key, enabling lateral movement as eric. Further analysis uncovered a root-executed integrity-check binary in a world-writable directory. By extracting its signature, injecting it into a backdoored replacement, and waiting for the cron job to trigger, privileged execution was achieved. A resulting callback delivered full root access and allowed retrieval of the final flag.

#HTB #HackTheBox #CyberSecurity #Pentesting #WebSecurity #IDOR #PrivilegeEscalation #LinuxSecurity #RedTeam #CTF #InfoSec …

Learn MoreHack The Box: Era Machine Walkthrough – Medium Difficulity

Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

#CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation …

Learn MoreHack The Box: Mirage Machine Walkthrough – Hard Difficulity

Successfully completed the Outbound HTB machine. Initial access was gained by exploiting CVE‑2025‑49113 in Roundcube 1.6.10 using Tyler’s credentials, which allowed remote code execution.

Investigation of Roundcube’s configuration revealed database credentials, enabling decryption of Jacob’s session data and retrieval of his plaintext password. Using this, SSH access was obtained to capture the user flag.

Privilege escalation was achieved via CVE‑2025‑27591 by exploiting a world-writable /var/log/below directory, allowing command execution as root and retrieval of the root flag. This walkthrough highlights the importance of secure configuration, patching, and proper permission management.

#HackTheBox #CyberSecurity #PenTesting #EthicalHacking #VulnerabilityExploitation #Roundcube #PrivilegeEscalation #LinuxSecurity #CVE2025 …

Learn MoreHack The Box: Outbound Machine Walkthrough – Easy Difficulity

Authenticated to rustykey.htb as bb.morgan after exploiting Kerberos flows and resolving a time sync issue: obtained a TGT (bb.morgan.ccache), set KRB5CCNAME, and used evil‑winrm to capture the user flag.
Escalated to SYSTEM by abusing machine account and delegation: IT‑COMPUTER3$ was used to modify AD protections and reset ee.reed’s password, S4U2Self/S4U2Proxy impersonation produced backupadmin.ccache, and Impacket was used to deploy a service payload to achieve a SYSTEM shell and capture the root flag.

#CyberSecurity #RedTeam #Kerberos #ActiveDirectory #PrivilegeEscalation #HackTheBox #Impacket #WindowsAD …

Learn MoreHack The Box: RustyKey Machine Walkthrough – Hard Difficulity

Cracked a password-protected Excel on an SMB share to recover service-account credentials, used Kerberos to access a user account and capture user.txt, then leveraged AD write permissions to restore a deleted admin, decrypt DPAPI artefacts for high‑priv creds, and access the DC to grab root.txt.

#HackTheBox #ADSecurity #Kerberos #DPAPI #RedTeam #CTF
…

Learn MoreHack The Box: Voleur Machinen Walkthrough – Medium Difficulty

Hacking the “Artificial” Machine on Hack The Box!

Conquered the “Artificial” machine on Hack The Box! 🕵️‍♂️ I scanned the target, identified a web server on port 80, and created an account to access its dashboard, where I uploaded a malicious .h5 file to trigger a reverse shell. Using a Docker environment, I gained a shell as the app user, found a SQLite database (users.db), and cracked its password hashes to reveal credentials for user “gael,” allowing me to grab the user flag via SSH from user.txt. For root, I discovered port 9898 running Backrest, forwarded it, and enumerated backup files, finding a bcrypt-hashed password in config.json. Decoding a base64 value yielded a plaintext password, granting access to the Backrest dashboard, where I exploited the RESTIC_PASSWORD_COMMAND to trigger a root shell and secure the root flag from root.txt.

#Cybersecurity #HackTheBox #CTF #PenetrationTesting #PrivilegeEscalation …

Learn MoreHack The Box: Artificial Machine Walkthrough – Easy Diffucilty

Finished the Insane-level DarkCorp box on Hack The Box. Initial foothold came from registering on a webmail portal and abusing a contact form to deliver a payload that resulted in a reverse shell. From there I enumerated the app and DB, identified SQL injection and extracted hashes (cracked one to thePlague61780), recovered DPAPI master key material and additional credentials (Pack_beneath_Solid9!), and used those artifacts to escalate to root and retrieve root.txt. Valuable practice in web vectors, SQLi exploitation, credential harvesting, DPAPI analysis, and Windows privilege escalation. Happy to share high-level notes or mitigations.

#HackTheBox #Infosec #RedTeam #Pentesting #WindowsSecurity #CredentialHunting #CTF …

Learn MoreHack The Box: DarkCorp Machine Walkthrough – Insane Difficulity

I cracked a Kerberos TGS for Alfred (password: basketballl), used BloodHound-guided enumeration and account takeover to obtain John’s machine credentials and retrieved the user flag (type user.txt); then I abused a misconfigured certificate template (ESC15) with Certipy to request an Administrator certificate, obtained a TGT (administrator.ccache), extracted the Administrator NT hash and used it to access the DC and read the root flag (type root.txt).

#HackTheBox #RedTeam #ActiveDirectory #Kerberos #CertAuth #BloodHound #OffensiveSecurity #Infosec #PrivilegeEscalation …

Learn MoreHack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

#CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting …

Learn MoreHack The Box: Certificate Machine Walkthrough – Hard Difficulty

Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

#Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation …

Learn MoreHack The Box: Puppy Machine Walkthrough – Medium Difficulty