• Search for:

    Tag Archives: ssh

    1. Home  - 
    2. Posts tagged "ssh"
    14 Mar, 2026
    Hack The Box: Gavel Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , ,

    Completed the Gavel (Medium) machine on Hack The Box. The initial foothold came from an exposed .git directory that leaked the application’s source code and bcrypt password hashes. After cracking the credentials with John the Ripper, I gained access and achieved a reverse shell through command injection in the admin rule field. Reusing the cracked credentials allowed privilege escalation to the application user and retrieval of the user flag.

    Root access was obtained by abusing the gavel-util submission feature, which executed YAML rule fields using PHP system(). By overwriting the custom php.ini to remove restrictions and creating a SUID Bash binary, it was possible to spawn a root shell and capture the final flag.

    #HackTheBox #HTB #CyberSecurity #EthicalHacking #PenetrationTesting #RedTeam #LinuxSecurity #WebSecurity #PrivilegeEscalation #CTF …

    Learn MoreHack The Box: Gavel Machine Walkthrough – Medium Difficulity

    7 Mar, 2026
    Hack The Box: Expressway Machine – Easy Difficulity
    Easy Machine , , , , , , , , , ,

    Just completed Expressway on Hack The Box (Easy difficulty) – a solid box that blends weak IKE PSK cracking with a straightforward sudo privilege escalation!
    Enumeration started with UDP scanning, which revealed ISAKMP on port 500. I ran ike-scan in Aggressive Mode to leak the peer identity ike@expressway.htb and capture crackable parameters. Next I used psk-crack against rockyou.txt and recovered the PSK freakingrockstarontheroad in under 13 seconds. I logged in via SSH as ike using that password and quickly grabbed user.txt.

    For privilege escalation, sudo -l confirmed no rights for the ike user. Checking sudo -V showed version 1.9.17 vulnerable to CVE-2025-32463 (chwoot). I cloned the PoC repository on my attack machine, hosted sudo-chwoot.sh with a Python HTTP server, transferred it to the target using curl, made it executable, and ran it. The script printed “woot!” and dropped an instant root shell. From there I read root.txt.
    Nice and clean chain: weak PSK for initial access followed by a known sudo vulnerability for root. Perfect easy box to sharpen IKE enumeration and Linux local exploitation skills.

    #HackTheBox #CTF #PenetrationTesting #Cybersecurity #EthicalHacking #IKE #PSKCracking #PrivilegeEscalation #LinuxExploitation #CVE202532463 #RedTeam …

    Learn MoreHack The Box: Expressway Machine – Easy Difficulity

    28 Feb, 2026
    Hack The Box: Guardian Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , ,

    🔐 User Flag — Compromising the Application Layer

    Successfully rooted the Guardian (Hard) machine on Hack The Box by chaining multiple real-world web vulnerabilities.Initial access was achieved through credential abuse and IDOR within the student portal. Leaked chat credentials exposed internal Gitea repositories containing hardcoded database secrets. A vulnerable XLSX file upload feature allowed formula injection → XSS → session hijacking. Leveraging CSRF, I created a rogue admin account and escalated privileges within the application. From there, an LFI vulnerability combined with a PHP filter chain led to Remote Code Execution. After gaining a shell as www-data, I reused leaked credentials to pivot laterally to user jamil, capturing the user flag.

    👑 Root Flag — From Code Injection to Full System Compromise

    Privilege escalation started with sudo -l, revealing that jamil could execute a Python utility as user mark without a password. Since one of the Python files was writable, I injected code to spawn a shell as mark. Further enumeration uncovered a custom binary (safeapache2ctl) executable as root. A flawed validation mechanism in its Apache config parsing allowed path traversal and arbitrary file inclusion. By crafting a malicious shared object (evil.so) and abusing the wrapper’s improper include validation, I achieved root-level code execution and obtained a root shell. …

    Learn MoreHack The Box: Guardian Machine Walkthrough – Hard Difficulty

    21 Feb, 2026
    Hack The Box: GiveBack machine walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , ,

    Just completed the Giveback machine on Hack The Box (Medium difficulty).
    Started with Nmap → WordPress + vulnerable GiveWP 3.14.0 (CVE-2024-5932 / CVE-2024-8353 PHP Object Injection) → unauthenticated RCE via donation form PoC → reverse shell as bitnami in a Bitnami Kubernetes pod.
    Pivoted using mounted K8s service account token → abused the API + exploited a vulnerable legacy PHP-CGI intranet service → broke out to the host as user babywyrm → grabbed user.txt.

    For root: passwordless sudo on custom /opt/debug binary → used dumped secret as admin password → crafted malicious OCI config.json → ran privileged container via runc breakout → read root.txt.
    Great chain: web vuln → container escape → K8s lateral → sudo abuse.
    Loved the real-world Kubernetes misconfig + runc wrapper elements.

    #HackTheBox #CTF #PenetrationTesting #KubernetesSecurity #ContainerEscape #RCE #PrivilegeEscalation #Cybersecurity …

    Learn MoreHack The Box: GiveBack machine walkthrough – Medium Difficulity

    14 Feb, 2026
    Hack The Box: Soulmate machine walkthrough – Easy Difficulitty
    Easy Machine , , , , , , , , ,

    Just completed the Soulmate machine on Hack The Box — rated Easy, but packed with a satisfying vuln chain!
    Started with subdomain enumeration → discovered an exposed CrushFTP admin panel on ftp.soulmate.htb. Exploited an unauthenticated API flaw (CVE-2025-31161 style) in the /WebInterface/function/ endpoint to enumerate users and create a backdoor admin account. From there, abused broken access controls in User Manager to reset the “ben” account password. Logged in as “ben” → gained VFS access to /webProd (the main web root), uploaded a PHP webshell → got RCE as www-data with a reverse shell.
    Credential reuse let me su ben and grab user.txt

    Root came via a backdoored Erlang SSH daemon on localhost:2222 (hardcoded always-true auth, running as root) → trivial escalation to root Eshell and root.txt

    Key takeaways: exposed admin panels are goldmines, weak API auth leads to quick takeovers, credential reuse is still everywhere, and custom services with backdoors can hand you root on a platter.
    Loved the progression from web misconfig → file write → RCE → local privesc. Solid learning box!

    #HackTheBox #HTB #CyberSecurity #PenetrationTesting #CTF #PrivilegeEscalation #RCE #BugBounty #RedTeam …

    Learn MoreHack The Box: Soulmate machine walkthrough – Easy Difficulitty

    31 Jan, 2026
    Hack The Box: CodePartTwo Machine Walkthrough – Easy Diffculty
    Easy Machine , , , , , , , , , ,

    Just finished CodePartTwo on Hack The Box — a fun Easy-rated Linux box that taught me a lot!

    Initial access came via a js2py sandbox escape in their online JavaScript code editor (CVE-2024-28397 style prototype chain abuse) → reverse shell as ‘app’.
    Post-exploitation: found users.db in /app/instance → quick Python HTTP server exfil → local sqlite3 dump → two MD5 hashes. CrackStation instantly revealed marco’s password (sweetangelbabylove).
    Lateral move: SSH as marco → user.txt claimed.

    Privesc: sudo -l gave NOPASSWD /usr/local/bin/npbackup-cli. After inspecting npbackup.conf (stdin_from_command hint), I used –external-backend-binary to point to my malicious reverse shell script → root shell → root.txt captured.

    Loved how it combined modern sandbox escape with classic sudo misconfig abuse. Solid box for anyone practicing foothold → lateral → root paths.

    #HackTheBox #CTF #PenetrationTesting #Cybersecurity #PrivilegeEscalation #SandboxEscape #LinuxPrivilegeEscalation #RedTeamOps #BugBountyHunter #EthicalHacking …

    Learn MoreHack The Box: CodePartTwo Machine Walkthrough – Easy Diffculty

    24 Jan, 2026
    Hack The Box: Imagery Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , , ,

    Just completed the Imagery machine on Hack The Box (Medium). The challenge involved identifying weaknesses in a custom web application, analysing exposed application logic and data, and chaining these issues to move laterally within the system to gain user-level access. Further investigation highlighted how overlooked privilege boundaries and misconfigured trusted utilities can be abused to escalate privileges and obtain full administrative control.

    #HackTheBox #CyberSecurity #WebSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #CTF #InfoSec

    Learn MoreHack The Box: Imagery Machine Walkthrough – Medium Difficulity

    10 Jan, 2026
    Hack The Box: Previous Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , , ,

    🎯 Just rooted the ‘Previous’ machine on Hack The Box!

    Started with a Next.js app exposing a path traversal bug in /api/download, leaked /etc/passwd → found user ‘jeremy’, then extracted the NextAuth provider code revealing credentials.

    Abused .terraformrc dev_overrides to load a malicious custom provider binary.
    Classic NextAuth misconfig + Terraform provider override chain. Loved the creativity!

    #HackTheBox #CTF #PrivilegeEscalation #PathTraversal #NextJS #Terraform #CyberSecurity #PenetrationTesting #BugBounty”

    Learn MoreHack The Box: Previous Machine Walkthrough – Medium Difficulty

    13 Dec, 2025
    Hack The Box: WhiteRabbit Machine Walkthough – Insane Difficulity
    Insane Machine , , , , , , , , , , , , , , , , ,

    Initial access was achieved through exposed monitoring and documentation services, which leaked internal service names and an unauthenticated workflow configuration. This disclosure revealed sensitive secrets, a vulnerable webhook parameter, and ultimately credentials for a backup system. Abuse of misconfigured backup tooling and sudo privileges allowed extraction of private SSH keys, enabling lateral movement across multiple user accounts and retrieval of the user flag.

    Privilege escalation to root involved reverse-engineering a custom SUID binary. Analysis exposed a predictable pseudorandom password generator caused by unsafe seeding logic and an integer overflow, significantly reducing entropy. Recreating the binary locally and brute-forcing the constrained seed space yielded valid credentials, granting SSH access to a privileged user with unrestricted sudo rights and full system compromise.

    This machine was a strong example of how exposed internal tooling, poor secret handling, and flawed custom binaries can combine into a complete attack chain.

    #HackTheBox #CyberSecurity #OffensiveSecurity #PenetrationTesting #RedTeam #PrivilegeEscalation #ReverseEngineering #LinuxSecurity #Infosec #CTF …

    Learn MoreHack The Box: WhiteRabbit Machine Walkthough – Insane Difficulity

    6 Dec, 2025
    Hack The Box: Editor Machine Walkthrugh – Easy Difficulity
    Easy Machine , , , , , , , , ,

    User access was achieved by enumerating an XWiki instance running on port 8080, identifying its vulnerable version, and exploiting an unauthenticated RCE in the Solr component (CVE-2025-24893). The foothold exposed plaintext database credentials in the XWiki configuration file, which were reused for the system user, allowing a successful SSH login as oliver.

    Root access came from a misconfigured Netdata installation. Several root-owned plugins were SUID and group-writable, and oliver belonged to the netdata group. Replacing the ndsudo plugin with a custom SUID payload allowed Netdata to execute it as root, granting full system compromise and the root flag.

    #HackTheBox #CyberSecurity #PenetrationTesting #PrivilegeEscalation #EthicalHacking #RedTeam #CTF #XWiki #CVE2025 #Netdata #LinuxSecurity …

    Learn MoreHack The Box: Editor Machine Walkthrugh – Easy Difficulity