Threatninja.net

Hack The Box: Tombwatcher Machine Walkthrough – Medium Difficulty

by darknite
2025-10-11

I cracked a Kerberos TGS for Alfred (password: basketballl), used BloodHound-guided enumeration and account takeover to obtain John’s machine credentials and retrieved the user flag (type user.txt); then I abused a misconfigured certificate template (ESC15) with Certipy to request an Administrator certificate, obtained a TGT (administrator.ccache), extracted the Administrator NT hash and used it to access the DC and read the root flag (type root.txt).

#HackTheBox #RedTeam #ActiveDirectory #Kerberos #CertAuth #BloodHound #OffensiveSecurity #Infosec #PrivilegeEscalation

Hack The Box: Certificate Machine Walkthrough – Hard Difficulty

by darknite
2025-10-04

I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

#CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting

Hack The Box: Puppy Machine Walkthrough – Medium Difficulty

by darknite
2025-09-27

Crushed the Puppy machine on HTB with surgical precision! Unlocked the user flag by leveraging levi.james credentials to access the DEV share, cracking recovery.kdbx with “Liverpool,” and using ant.edwards:Antman2025! to reset ADAM.SILVER’s password, followed by a swift WinRM login to grab user.txt. For the root flag, extracted steph.cooper:ChefSteph2025! from C:\Backups, accessed a WinRM shell, and exfiltrated DPAPI keys via SMB. Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!, opening the Administrator directory to claim root.txt.

#Cybersecurity #HackTheBox #CTF #Pentesting #PrivilegeEscalation

Hack The Box: Fluffy Machine Walkthrough – Easy Difficulity

by darknite
2025-09-20

Introduction to Fluffy: In this write-up, we will explore the “Fluffy” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will… Read More »Hack The Box: Fluffy Machine Walkthrough – Easy Difficulity

Hack The Box: Planning Machine Walkthrouh – Easy Diffucilty

by darknite
2025-09-15

Introduction to Planning: In this write-up, we will explore the “Planning” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will… Read More »Hack The Box: Planning Machine Walkthrouh – Easy Diffucilty

Hack The Box: Environment Machine Walkthough-Medium Difficulty

by darknite
2025-09-06

Environment HTB: Full User & Root Flag Capture Through Exploitation

Captured both the user and root flags on the Environment HTB machine! We exploited Laravel 11.30.0 (PHP 8.2.28) vulnerabilities, including argument injection (CVE-2024-52301) and UniSharp Laravel Filemanager code injection. By bypassing authentication with `–env=preprod` and leveraging the profile upload feature, we executed a PHP reverse shell and retrieved the user flag via `cat user.txt`. For root access, we decrypted `keyvault.gpg` from the `.gnupg` directory to obtain credentials and exploited sudo with preserved BASH\_ENV by crafting a script that spawned a privileged shell, ultimately gaining full control of the system.

#CyberSecurity #HTB #PenTesting #EthicalHacking #LaravelExploits #PrivilegeEscalation #PHP #Infosec #BugBounty #RedTeam

Hack The Box: Eureka Machine Walkthrough – Hard Dificulty

by darknite
2025-08-30

I enumerated Spring Boot Actuator endpoints, including /actuator/heapdump, which revealed plaintext credentials for oscar190. SSH login as oscar190 was successful, though the home directory was empty. Analysis of application.properties exposed Eureka credentials (EurekaSrvr:0scarPWDisTheB3st), granting access to the Eureka dashboard. By registering a malicious microservice, I retrieved miranda.wise credentials and captured the user flag. For privilege escalation, I identified a vulnerable log_analyse.sh script, performed command injection, and created a SUID bash shell in /tmp/bash. Executing this shell provided root access, allowing retrieval of the root flag and full control of the machine.

#CyberSecurity #EthicalHacking #HackTheBox #PenTesting #PrivilegeEscalation #WebSecurity #SpringBoot #CTF #BugHunting #InfoSec #RedTeam #OffensiveSecurity

Hack The Box: TheFrizz Machine Walkthrough – Medium Difficulity

by darknite
2025-08-23

I successfully captured both user and root flags by exploiting a file upload vulnerability to gain a web shell, extracting database credentials from config.php, and cracking the user hash to reveal the password Jenni_Luvs_Magic23. Using these credentials, I accessed the web application, discovered an SSH migration hint, and leveraged a Kerberos ticket (f.frizzle.ccache) to gain SSH access and retrieve the user flag with type user.txt. For the root flag, I escalated privileges using M.SchoolBus and SharpGPOAbuse to manipulate SleepGPO, applied changes with gpupdate.exe /force, extracted credentials with secretdump, and used wmiexec to secure a root-level shell, ultimately reading the root flag with type root.txt.

#Cybersecurity #CTF #EthicalHacking #PenetrationTesting

Hack The Box: Nocturnal Machine Walkthrough – Easy Difficulty

by darknite
2025-08-16

Captured the user flag by exploiting a file upload feature, unpacking .odt files to reveal a hidden password with xmllint, and injecting a reverse shell via the backup feature to get a www-data shell. Retrieved hashes from the nocturnal_database, cracked Tobias’s password (slowmotionapocalypse), and obtained the user flag. For the root flag, enumerated open ports, found port 8080 running ISPConfig, accessed it with admin credentials, identified the version, executed a public exploit, and gained root shell to capture the root flag.

#HTB #HackTheBox #CyberSecurity #RedTeam #CTF #PenTesting #Nocturnal #LinuxExploitation #WebExploitation #PrivilegeEscalation

Hack The Box: University Machine Walkthrough – Insane Walkthrough

by darknite
2025-08-16

Compromised university.htb by exploiting ReportLab RCE (CVE-2023-33733) to gain initial access as wao. Forged a professor certificate to impersonate george, then uploaded a malicious lecture to compromise Martin.T.

Escalated privileges by exploiting a scheduled task with a malicious .url file, used LocalPotato (CVE-2023-21746) for elevation on WS-3, and abused SeBackupPrivilege to extract NTDS.dit, ultimately retrieving Domain Admin credentials.

🔍 A great hands-on challenge combining web exploitation, privilege escalation, and Active Directory abuse.

#CyberSecurity #RedTeam #CTF #PrivilegeEscalation #HTB #InfoSec #WindowsExploitation #PenetrationTesting #EthicalHacking #HackTheBox

« Previous
1
2
3
4
5
…
36
Next »