New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box

Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations.

#HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity …

Learn MoreHack The Box: Haze Machine Walkthrough – Hard Difficulty

Just wrapped up a detailed walkthrough of the Hack The Box Titanic machine — an easy-rated challenge packed with valuable learning opportunities!

The journey started with exploiting a directory traversal vulnerability to access sensitive Gitea configuration files and extract user credentials. From there, I gained SSH access as the developer user and retrieved the user flag.

Privilege escalation was achieved by exploiting a critical ImageMagick vulnerability (CVE-2024-41817) in a writable directory, allowing arbitrary code execution via a crafted shared library. I also discovered the developer user had unrestricted sudo privileges, providing a straightforward path to root.

#HackTheBox #CyberSecurity #Pentesting #CTF #PrivilegeEscalation #LinuxSecurity #ImageMagick #CVE202441817 #EthicalHacking #DirectoryTraversal

…

Learn MoreHack The Box: Titanic Machine Walkthrough – Easy Difficulty

Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

#CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag.

#CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF
…

Learn MoreHack The Box: Inflitrator Machine Walkthrough – Insane Difficulity

Successfully rooted another Hack The Box machine by chaining multiple vulnerabilities across custom C2 frameworks. For the user flag, we exploited an SSRF vulnerability (CVE-2024-41570) in the Havoc C2 framework to access internal services, which we then chained with an authenticated RCE to execute arbitrary commands and gain a reverse shell as the ilya user. To maintain stable access, SSH keys were added for persistence, allowing us to retrieve the user.txt flag. For the root flag, we targeted the Hardhat C2 service by forging a valid JWT with a Python script to create an admin user, which provided shell access as sergej. Upon privilege escalation analysis, we found that sergej had sudo access to the iptables-save binary. This was abused to overwrite the /etc/sudoers file and escalate to root, ultimately retrieving the root.txt flag. Another great learning experience on the path to mastering offensive security!

#HackTheBox #CyberSecurity #InfoSec #RedTeam #CTF #PrivilegeEscalation #RCE #SSRF #Linux #HTB #EthicalHacking #PenetrationTesting #HavocC2 #HardhatC2 #JWT #SudoExploit #OSCP #BugBounty …

Learn MoreHack The Box: Backfire Machine Walkthrough – Medium Difficulty

Successfully exploited CVE-2023-1545 in Teampass to extract user credentials and leveraged CVE-2023-6199 in BookStack to obtain an OTP, gaining user-level access on the Checker machine. Privilege escalation was achieved by exploiting a sudo script interacting with shared memory, setting the SUID bit on /bin/bash to capture the root flag. A great example of combining application vulnerabilities with creative privilege escalation techniques!

#Cybersecurity #EthicalHacking #HackTheBox #PenetrationTesting #InfoSec #VulnerabilityResearch #PrivilegeEscalation #CTF #SecurityResearch …

Learn MoreHack The Box: Checker Machine Walkthrough – Hard Difficulty

🔒 My Write-Up for the EscapeTwo Machine on Hack The Box 🔍

I’m excited to share my detailed write-up for solving the beginner-friendly “EscapeTwo” machine on Hack The Box, showcasing skills in network enumeration and privilege escalation. First, to capture the user flag, I scanned for open ports, accessed SMB shares, uncovered a password, and leveraged the Ryan account’s elevated permissions to retrieve the flag remotely. Next, for the root flag, I escalated privileges by exploiting an Active Directory misconfiguration. Then, using the Ryan account, I employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control, I acquired a certificate, subsequently authenticated as an administrator, and finally captured the root flag. This challenge strengthened my expertise in Active Directory security and penetration testing. Check out the full write-up for a deep dive!

#Cybersecurity #HackTheBox #EthicalHacking #PenetrationTesting #ActiveDirectory …

Learn MoreHack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty

Writeup Summary: Heal (Hack The Box)

This box involved thorough enumeration that uncovered multiple subdomains, including a Ruby on Rails API. Initial access was gained by chaining a Local File Inclusion vulnerability with password cracking and exploiting a LimeSurvey plugin upload vulnerability. Privilege escalation was achieved by identifying and exploiting an exposed Consul service accessible through SSH port forwarding.

This challenge showcased key red teaming skills: web application exploitation, misconfiguration abuse, credential harvesting, and lateral movement.

#HackTheBox #CyberSecurity #RedTeam #PrivilegeEscalation #BugBounty #WebSecurity #Infosec #CTF #HTB #OffensiveSecurity #LinuxExploitation …

Learn MoreHack The Box: Heal Machine Walkthrough – Medium Difficulty

Successfully completed the “Underpass” machine on Hack The Box! For the user flag, I enumerated SNMP to discover a Daloradius instance, logged in with default credentials, cracked an MD5-hashed password for the svcMosh account, and used SSH to access the user flag in its home directory. To capture the root flag, I escalated privileges by exploiting sudo permissions on mosh-server, obtaining a session key and port to establish a root session and retrieve the flag from /root/root.txt.

#Cybersecurity #HackTheBox #CaptureTheFlag #PenetrationTesting #LinuxSecurity #PrivilegeEscalation #SNMP #Daloradius #EthicalHacking #InformationSecurity …

Learn MoreHack The Box: Underpass Machine Walkthrough – Easy Difficulty

Chained exploitation through misconfigured web app and internal services. We started by exploiting a WordPress plugin vulnerability (CVE-2023-26326) to upload files, followed by a file read vulnerability (CVE-2024-2961) for remote code execution. From there, we cracked the database credentials, gained SSH access as the shawking user, and leveraged a vulnerable API endpoint to escalate to root. This highlights how overlooked configurations and service misconfigurations can lead to a full server compromise.

#CTF #PrivilegeEscalation #WebSecurity #CommandInjection #SSH #WordPress #LinuxPentesting #BugBounty #HackTheBox #RedTeam #CyberSecurity …

Learn MoreHackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Recently completed an Active Directory penetration test where I obtained both the user and root flags through a series of Kerberos and privilege escalation attacks. I first exploited a weak password on a legacy computer account (fs01$) to retrieve a Kerberos TGT and extract the gMSA password. After reactivating a disabled service account (svc_sql), making it ASREPRoastable, and cracking its hash, I gained credentials for another domain user and authenticated via Evil-WinRM to capture the user flag. For the root flag, I decrypted DPAPI-protected secrets to access a higher-privileged account (c.neri_adm), added a compromised service account to a privileged group, assigned an SPN, and performed a Kerberos delegation attack to impersonate a domain admin, ultimately achieving SYSTEM-level access and capturing the root flag. Great experience applying Kerberos exploitation techniques and privilege escalation strategies in a real-world scenario!

hashtag#ActiveDirectory hashtag#PenetrationTesting hashtag#Kerberos hashtag#OffensiveSecurity hashtag#RedTeam hashtag#CyberSecurity hashtag#ASREPRoasting hashtag#DPAPI hashtag#PrivilegeEscalation hashtag#HackTheBox hashtag#Infosec hashtag#HacktheBox …

Learn MoreHack The Box: Vintage Machine Walkthrough – Hard Difficulty