python3 Archives - Threatninja.net

4 Apr, 2026

Hack The Box: Darkzero Machine – Hard Difficulity

Hard Machine Bloodhound, certif, Certify, Challenges, chisel, evil-winrm, HackTheBox, ligolo, mssqlclient, openssl, Penetration Testing, proxychains, python3, rubeus.exe, secretdump, ticketconverter, Windows

Just completed the DarkZero machine from HackTheBox (Hard difficulty)!

After gaining a foothold on DC02 via a misconfigured MSSQL linked server and escalating to local Administrator using SigmaPotato token impersonation + RunasCs, we successfully captured the user flag from the Administrator’s desktop.

Dumped the domain Administrator NT hash with secretsdump, then used Evil-WinRM to get a full shell as Administrator on DC02 and retrieved the root flag.

#HackTheBox #HTB #Pentesting #ActiveDirectory #RedTeam #CyberSecurity #PrivilegeEscalation …

Learn MoreHack The Box: Darkzero Machine – Hard Difficulity

21 Mar, 2026

Hack The Box: Conversor Machine Walkhtrough – Easy Difficulity

Medium Machine Challenges, HackTheBox, john the ripper, Linux, needrestart, Penetration Testing, python3, source code review, sqlite3, xml, xslt

Successfully completed the Conversor machine on Hack The Box, focusing on web exploitation and privilege escalation techniques.

For the user flag, initial access was gained by exploiting an insecure XSLT file upload feature. By leveraging EXSLT, I was able to write and execute a malicious script on the server, resulting in a reverse shell as a low-privileged user. Further enumeration uncovered a SQLite database containing hashed credentials, which were cracked to obtain valid SSH access and retrieve the user flag.

For the root flag, privilege escalation was achieved through a misconfigured sudo permission allowing execution of needrestart. This was abused to run a crafted script that modified system binaries, ultimately granting root-level access via a SUID bash shell and completing the machine.

#HackTheBox #CyberSecurity #EthicalHacking #PenetrationTesting #WebSecurity #PrivilegeEscalation #RedTeam #InfoSec #CaptureTheFlag #CTF …

Learn MoreHack The Box: Conversor Machine Walkhtrough – Easy Difficulity

28 Feb, 2026

Hack The Box: Guardian Machine Walkthrough – Hard Difficulty

Hard Machine Challenges, cookie session, CVE‑2025‑22131, CVE‑2025‑23210, ghidra, HackTheBox, Linux, MySQL, Penetration Testing, python3, safeapache2ctl, ssh, XSS

🔐 User Flag — Compromising the Application Layer

Successfully rooted the Guardian (Hard) machine on Hack The Box by chaining multiple real-world web vulnerabilities.Initial access was achieved through credential abuse and IDOR within the student portal. Leaked chat credentials exposed internal Gitea repositories containing hardcoded database secrets. A vulnerable XLSX file upload feature allowed formula injection → XSS → session hijacking. Leveraging CSRF, I created a rogue admin account and escalated privileges within the application. From there, an LFI vulnerability combined with a PHP filter chain led to Remote Code Execution. After gaining a shell as www-data, I reused leaked credentials to pivot laterally to user jamil, capturing the user flag.

👑 Root Flag — From Code Injection to Full System Compromise

Privilege escalation started with sudo -l, revealing that jamil could execute a Python utility as user mark without a password. Since one of the Python files was writable, I injected code to spawn a shell as mark. Further enumeration uncovered a custom binary (safeapache2ctl) executable as root. A flawed validation mechanism in its Apache config parsing allowed path traversal and arbitrary file inclusion. By crafting a malicious shared object (evil.so) and abusing the wrapper’s improper include validation, I achieved root-level code execution and obtained a root shell. …

Learn MoreHack The Box: Guardian Machine Walkthrough – Hard Difficulty

31 Jan, 2026

Hack The Box: CodePartTwo Machine Walkthrough – Easy Diffculty

Easy Machine Challenges, CVE-2024-28397, HackTheBox, js2py, Linux, npbackup-cli, python3, Sandbox bypass, sqlite3, ssh, ssti

Just finished CodePartTwo on Hack The Box — a fun Easy-rated Linux box that taught me a lot!

Initial access came via a js2py sandbox escape in their online JavaScript code editor (CVE-2024-28397 style prototype chain abuse) → reverse shell as ‘app’.
Post-exploitation: found users.db in /app/instance → quick Python HTTP server exfil → local sqlite3 dump → two MD5 hashes. CrackStation instantly revealed marco’s password (sweetangelbabylove).
Lateral move: SSH as marco → user.txt claimed.

Privesc: sudo -l gave NOPASSWD /usr/local/bin/npbackup-cli. After inspecting npbackup.conf (stdin_from_command hint), I used –external-backend-binary to point to my malicious reverse shell script → root shell → root.txt captured.

Loved how it combined modern sandbox escape with classic sudo misconfig abuse. Solid box for anyone practicing foothold → lateral → root paths.

#HackTheBox #CTF #PenetrationTesting #Cybersecurity #PrivilegeEscalation #SandboxEscape #LinuxPrivilegeEscalation #RedTeamOps #BugBountyHunter #EthicalHacking …

Learn MoreHack The Box: CodePartTwo Machine Walkthrough – Easy Diffculty

24 Jan, 2026

Hack The Box: Imagery Machine Walkthrough – Medium Difficulity

Medium Machine backup recovery, BurpSuite, Challenges, Charcol, HackTheBox, hashcat, javascript, json, Linux, Local File Inclusion (LFI), Penetration Testing, python3, RCE, ssh

Just completed the Imagery machine on Hack The Box (Medium). The challenge involved identifying weaknesses in a custom web application, analysing exposed application logic and data, and chaining these issues to move laterally within the system to gain user-level access. Further investigation highlighted how overlooked privilege boundaries and misconfigured trusted utilities can be abused to escalate privileges and obtain full administrative control.

#HackTheBox #CyberSecurity #WebSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #CTF #InfoSec
…

Learn MoreHack The Box: Imagery Machine Walkthrough – Medium Difficulity

10 Jan, 2026

Hack The Box: Previous Machine Walkthrough – Medium Difficulty

Medium Machine BurpSuite, Challenges, CVECVE-2025-29927, gcc, gobuster, HackTheBox, Linux, Path Traversal, Penetration Testing, PreviousJS, python3, ssh, terraform

🎯 Just rooted the ‘Previous’ machine on Hack The Box!

Started with a Next.js app exposing a path traversal bug in /api/download, leaked /etc/passwd → found user ‘jeremy’, then extracted the NextAuth provider code revealing credentials.

Abused .terraformrc dev_overrides to load a malicious custom provider binary.
Classic NextAuth misconfig + Terraform provider override chain. Loved the creativity!

#HackTheBox #CTF #PrivilegeEscalation #PathTraversal #NextJS #Terraform #CyberSecurity #PenetrationTesting #BugBounty”
…

Learn MoreHack The Box: Previous Machine Walkthrough – Medium Difficulty

13 Dec, 2025

Hack The Box: WhiteRabbit Machine Walkthough – Insane Difficulity

Insane Machine 7zip, Authentication Bypass, BurpSuite, Challenges, ffuf, ghidra, gobuster, HackTheBox, Linux, n8n, neo-password-generator, Penetration Testing, python3, restic, SQL Injection, ssh, Uptime Kuma, webhook

Initial access was achieved through exposed monitoring and documentation services, which leaked internal service names and an unauthenticated workflow configuration. This disclosure revealed sensitive secrets, a vulnerable webhook parameter, and ultimately credentials for a backup system. Abuse of misconfigured backup tooling and sudo privileges allowed extraction of private SSH keys, enabling lateral movement across multiple user accounts and retrieval of the user flag.

Privilege escalation to root involved reverse-engineering a custom SUID binary. Analysis exposed a predictable pseudorandom password generator caused by unsafe seeding logic and an integer overflow, significantly reducing entropy. Recreating the binary locally and brute-forcing the constrained seed space yielded valid credentials, granting SSH access to a privileged user with unrestricted sudo rights and full system compromise.

This machine was a strong example of how exposed internal tooling, poor secret handling, and flawed custom binaries can combine into a complete attack chain.

#HackTheBox #CyberSecurity #OffensiveSecurity #PenetrationTesting #RedTeam #PrivilegeEscalation #ReverseEngineering #LinuxSecurity #Infosec #CTF …

Learn MoreHack The Box: WhiteRabbit Machine Walkthough – Insane Difficulity

6 Dec, 2025

Hack The Box: Editor Machine Walkthrugh – Easy Difficulity

Easy Machine Challenges, cve-2025-24893, HackTheBox, Linux, ndsudo, nvme, Penetration Testing, python3, ssh, xwiki

User access was achieved by enumerating an XWiki instance running on port 8080, identifying its vulnerable version, and exploiting an unauthenticated RCE in the Solr component (CVE-2025-24893). The foothold exposed plaintext database credentials in the XWiki configuration file, which were reused for the system user, allowing a successful SSH login as oliver.

Root access came from a misconfigured Netdata installation. Several root-owned plugins were SUID and group-writable, and oliver belonged to the netdata group. Replacing the ndsudo plugin with a custom SUID payload allowed Netdata to execute it as root, granting full system compromise and the root flag.

#HackTheBox #CyberSecurity #PenetrationTesting #PrivilegeEscalation #EthicalHacking #RedTeam #CTF #XWiki #CVE2025 #Netdata #LinuxSecurity …

Learn MoreHack The Box: Editor Machine Walkthrugh – Easy Difficulity

8 Nov, 2025

Hack The Box: RustyKey Machine Walkthrough – Hard Difficulity

Hard Machine BloodHoundCE, bloodyAD, Challenges, evil-winrm, HackTheBox, hashcat, impacket, kerberos, LDAP, nxc, Penetration Testing, python3, RunasCs, timeroast

Authenticated to rustykey.htb as bb.morgan after exploiting Kerberos flows and resolving a time sync issue: obtained a TGT (bb.morgan.ccache), set KRB5CCNAME, and used evil‑winrm to capture the user flag.
Escalated to SYSTEM by abusing machine account and delegation: IT‑COMPUTER3$ was used to modify AD protections and reset ee.reed’s password, S4U2Self/S4U2Proxy impersonation produced backupadmin.ccache, and Impacket was used to deploy a service payload to achieve a SYSTEM shell and capture the root flag.

#CyberSecurity #RedTeam #Kerberos #ActiveDirectory #PrivilegeEscalation #HackTheBox #Impacket #WindowsAD …

Learn MoreHack The Box: RustyKey Machine Walkthrough – Hard Difficulity

4 Oct, 2025

Hack The Box: Certificate Machine Walkthrough – Hard Difficulty

Hard Machine BloodHoundCE, Certipy, certutil, Challenges, ESC3, evil-winrm, HackTheBox, hashcat, kerberos, MySQL, Penetration Testing, python3, SeManageVolumePrivilege, Windows, Wireshark, zip slip

I recently completed the “Certificate” challenge on Hack The Box: after extracting and cracking a captured authentication hash I gained access to a user account (lion.sk) and retrieved the user flag, then progressed to full system compromise by responsibly exploiting weak certificate‑based authentication controls—obtaining and converting certificate material into elevated credentials to capture the root flag. The exercise reinforced how misconfigurations in certificate services and poor time synchronization can create powerful escalation paths, and highlighted the importance of least‑privilege, strict enrollment policies, and monitoring certificate issuance. Great hands‑on reminder that defensive hygiene around PKI and identity services matters.

#CyberSecurity #HTB #Infosec #ADCS #Certificates #PrivilegeEscalation #RedTeam #Pentesting …

Learn MoreHack The Box: Certificate Machine Walkthrough – Hard Difficulty

Threatninja.net

Threatninja.net

Tag Archives: python3