
Linux

Hack The Box: Backfire Machine Walkthrough – Medium Difficulty

Successfully rooted another Hack The Box machine by chaining multiple vulnerabilities across custom C2 frameworks. For the user flag, we exploited an SSRF vulnerability (CVE-2024-41570) in the Havoc C2 framework to access internal services, which we then chained with an authenticated RCE to execute arbitrary commands and gain a reverse shell as the ilya user. To maintain stable access, SSH keys were added for persistence, allowing us to retrieve the user.txt flag. For the root flag, we targeted the Hardhat C2 service by forging a valid JWT with a Python script to create an admin user, which provided shell access as sergej. Upon privilege escalation analysis, we found that sergej had sudo access to the iptables-save binary. This was abused to overwrite the /etc/sudoers file and escalate to root, ultimately retrieving the root.txt flag. Another great learning experience on the path to mastering offensive security!

#HackTheBox #CyberSecurity #InfoSec #RedTeam #CTF #PrivilegeEscalation #RCE #SSRF #Linux #HTB #EthicalHacking #PenetrationTesting #HavocC2 #HardhatC2 #JWT #SudoExploit #OSCP #BugBounty

Hack The Box: Checker Machine Walkthrough – Hard Difficulty

Successfully exploited CVE-2023-1545 in Teampass to extract user credentials and leveraged CVE-2023-6199 in BookStack to obtain an OTP, gaining user-level access on the Checker machine. Privilege escalation was achieved by exploiting a sudo script interacting with shared memory, setting the SUID bit on /bin/bash to capture the root flag. A great example of combining application vulnerabilities with creative privilege escalation techniques!

#Cybersecurity #EthicalHacking #HackTheBox #PenetrationTesting #InfoSec #VulnerabilityResearch #PrivilegeEscalation #CTF #SecurityResearch

Hack The Box: Heal Machine Walkthrough – Medium Difficulty

Writeup Summary: Heal (Hack The Box)

This box involved thorough enumeration that uncovered multiple subdomains, including a Ruby on Rails API. Initial access was gained by chaining a Local File Inclusion vulnerability with password cracking and exploiting a LimeSurvey plugin upload vulnerability. Privilege escalation was achieved by identifying and exploiting an exposed Consul service accessible through SSH port forwarding.

This challenge showcased key red teaming skills: web application exploitation, misconfiguration abuse, credential harvesting, and lateral movement.

#HackTheBox #CyberSecurity #RedTeam #PrivilegeEscalation #BugBounty #WebSecurity #Infosec #CTF #HTB #OffensiveSecurity #LinuxExploitation

Hack The Box: Underpass Machine Walkthrough – Easy Difficulty

Successfully completed the “Underpass” machine on Hack The Box! For the user flag, I enumerated SNMP to discover a Daloradius instance, logged in with default credentials, cracked an MD5-hashed password for the svcMosh account, and used SSH to access the user flag in its home directory. To capture the root flag, I escalated privileges by exploiting sudo permissions on mosh-server, obtaining a session key and port to establish a root session and retrieve the flag from /root/root.txt.

#Cybersecurity #HackTheBox #CaptureTheFlag #PenetrationTesting #LinuxSecurity #PrivilegeEscalation #SNMP #Daloradius #EthicalHacking #InformationSecurity

HackTheBox – BigBang Machine Walkthrough (Hard Difficulty)

Chained exploitation through a misconfigured web app and internal services. We started by exploiting a WordPress plugin vulnerability (CVE-2023-26326) to upload files, followed by a file read vulnerability (CVE-2024-2961) for remote code execution. From there, we cracked the database credentials, gained SSH access as the shawking user, and leveraged a vulnerable API endpoint to escalate to root. This highlights how overlooked configurations and service misconfigurations can lead to a full server compromise.

#CTF #PrivilegeEscalation #WebSecurity #CommandInjection #SSH #WordPress #LinuxPentesting #BugBounty #HackTheBox #RedTeam #CyberSecurity

Hack The Box: LinkVortex Machine Walkthrough – Easy Difficulty

Successfully demonstrated advanced cybersecurity skills by exploiting a Ghost CMS vulnerability (CVE-2023-40028) to access sensitive credentials and secure the user flag. Identified and leveraged a sudo misconfiguration with the CHECK_CONTENT variable to escalate privileges and retrieve the root flag from /root/root.txt. Thrived in this hands-on challenge, sharpening penetration testing expertise!

#HackTheBox #Cybersecurity #EthicalHacking #PenetrationTesting #CTF

Hack The Box: Ghost Machine Walkthrough – Insane Difficulty

The initial foothold was gained by exploiting command injection on intranet.ghost.htb:8008/api-dev/scan/, which provided a reverse shell inside a Docker container. From there, I enumerated the environment and discovered credentials that allowed SSH access as Florence Ramirez. By extracting and converting a Kerberos ticket, I authenticated as a legitimate user, escalating access within the system. With access to the Windows environment, I retrieved NTLM hashes for the adfs_gmsa account and leveraged evil-winrm for lateral movement. A reverse shell was established using JokerShell, and privileges were escalated by enabling xp_cmdshell through a debug interface. After uploading EfsPotato.cs and disabling antivirus, I used Mimikatz and Rubeus.exe to dump credentials, ultimately achieving SYSTEM access. This led to the extraction of domain admin credentials and the retrieval of the root flag. Another Insane box down! 💀💻

#HackTheBox #RedTeam #CyberSecurity #PenTesting #PrivilegeEscalation #EthicalHacking

Hack The Box: BlockBlock Machine Walkthrough – Hard Difficulty

This walkthrough examines the BlockBlock machine from Hack The Box, classified as a medium-difficulty challenge. The assessment began with the exploitation of an XSS vulnerability, which facilitated credential theft through the Ethereum JSON-RPC API, granting SSH access. Privilege escalation was achieved by leveraging the forge binary to obtain higher privileges, followed by exploiting a misconfigured pacman package manager to gain root access. This engagement underscores the critical importance of securing APIs, implementing robust input validation, and enforcing strict privilege escalation controls to mitigate security risks.

#HackTheBox #CyberSecurity #PenetrationTesting #CTF #EthicalHacking #XSS #PrivilegeEscalation #BlockchainSecurity

Hack The Box: Alert Machine Walkthrough – Easy Difficulty

We discovered an XSS vulnerability in .md file uploads and the Contacts tab. By embedding an XSS payload and sharing the link, we extracted data from messages.php, revealing a file parameter vulnerable to LFI. This led us to /var/www/statistics.alert.htb/.htpasswd, which contained a hashed password. Using hashid, we identified it as MD5 (APR1-MD5) and cracked it with Hashcat, retrieving the password ManchesterUnited. With these credentials, we accessed the system and captured the user flag.

After logging into statistics.alert.htb, we found port 8080 open. Using SSH port forwarding, we accessed a monitoring site but needed to locate its directory. Checking ps aux, we found it in /opt/website-monitor. We confirmed file access by testing a basic PHP file, which worked. We then uploaded a PentestMonkey reverse shell, but it didn’t execute. To ensure success, we crafted a reliable PHP shell, triggered it, and gained root access.

🔍 #CyberSecurity #BugBounty #EthicalHacking #PenTesting #CTF #HTB #WebSecurity #XSS #LFI #PrivilegeEscalation #Hacking

Hack The Box: Chemistry Machine Walkthrough – Easy Difficulty

A vulnerability in **Pymatgen (CVE-2024-23346)** allowed for **Remote Code Execution (RCE)** through a **malicious CIF file**. By injecting code into the **_space_group_magn.transform_BNS_Pp_abc** field and uploading it to the dashboard, nothing happened initially. However, clicking the **View button** triggered execution, leading to a **reverse shell**. With remote access secured, an **SQLite3 database** was explored, revealing **password hashes**, which were cracked to obtain valid credentials and retrieve the **user flag**.

Further exploration uncovered an **aiohttp/3.9.1** service running on **port 8080**, restricting access to the **assets directory** with a **403 Forbidden** response. Leveraging an **LFI attack**, an **SSH key** was extracted, allowing for **privilege escalation** and access to the **root flag**.

This scenario highlights the importance of **sanitizing file uploads, restricting directory access, and keeping dependencies updated** to mitigate security risks.

#CyberSecurity #BugBounty #EthicalHacking #PrivilegeEscalation #RedTeam #WebSecurity #InfoSec #CTF