• Search for:

    Tag Archives: ssh

    1. Home  - 
    2. Posts tagged "ssh"
    17 Jun, 2026
    Hack The Box: Abducted Machine Walkthrough – Medium Difficulty
    Medium Machine , , , , , , , , , , ,

    Recently completed the Abducted machine from Hack The Box, a Medium-difficulty challenge that combined SMB enumeration, Samba exploitation, credential discovery, lateral movement, and Linux privilege escalation techniques.

    The path to user access involved enumerating SMB shares and anonymous RPC services before exploiting a vulnerable Samba printer configuration to gain an initial foothold. Further enumeration revealed backup credentials stored within an Rclone configuration file, which were decrypted and reused to obtain access as a legitimate user. From there, a misconfigured Samba share enabled lateral movement to another account, ultimately leading to a systemd-based privilege escalation path and root access.

    This machine provided valuable practice in chaining multiple weaknesses together and demonstrated how exposed credentials, insecure service configurations, and share misconfigurations can collectively lead to full system compromise.

    Key takeaways:
    ✅ SMB and RPC enumeration can reveal valuable attack paths
    ✅ Exposed credentials often provide opportunities for lateral movement
    ✅ Misconfigured Samba shares can introduce serious security risks
    ✅ Service configuration weaknesses can lead to privilege escalation
    ✅ Small misconfigurations can be chained into complete system compromise

    #CyberSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #RedTeam #LinuxSecurity #SMB #Samba #CTF #HackTheBox #InfoSec #SecurityResearch …

    Learn MoreHack The Box: Abducted Machine Walkthrough – Medium Difficulty

    13 Jun, 2026
    Hack The Box – VariaType Machine Walkthrough Medium Difficulty
    Medium Machine , , , , , , , , , , , , , ,

    Recently completed a Medium-difficulty machine that combined web exploitation, file-processing abuse, and privilege escalation techniques.

    The path to user access involved leveraging a vulnerable backend font-processing workflow and a ZIP-based exploitation chain to obtain a reverse shell and pivot to a legitimate user account. From there, further enumeration uncovered a misconfigured sudo rule that allowed privilege escalation to root through a Python-based validation script.

    This machine provided valuable practice in identifying attack paths, chaining vulnerabilities, and understanding how seemingly minor misconfigurations can lead to full system compromise.

    Key takeaways:
    ✅ Thorough enumeration is critical
    ✅ File-processing functionality can introduce unexpected attack surfaces
    ✅ Misconfigured sudo permissions remain a common privilege-escalation vector

    #CyberSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #RedTeam #LinuxSecurity #CTF #HackTheBox #InfoSec #SecurityResearch …

    Learn MoreHack The Box – VariaType Machine Walkthrough Medium Difficulty

    6 Jun, 2026
    Hack The Box: Facts Machine Walkthrough – Easy Difficulty
    Easy Machine , , , , , , , , , , , ,

    Completed the Facts machine from Hack The Box, an easy-rated Linux challenge that combined web exploitation, cloud storage enumeration, SSH key recovery, and privilege escalation.

    The initial foothold came from exploiting CVE-2025-2304, a mass assignment vulnerability in Camaleon CMS 2.9.0, which allowed privilege escalation from a low-privileged user to administrator. Access to the administration panel exposed S3 configuration details and credentials, leading to enumeration of an internal bucket containing an encrypted SSH private key. After recovering the key’s passphrase with John the Ripper, SSH access as the trivia user was obtained.

    Privilege escalation to root involved abusing facter, a Ruby-based utility executable via sudo without a password. By leveraging its –custom-dir option to load a malicious custom fact, arbitrary commands were executed as root, resulting in full system compromise.

    A great machine that highlights the impact of insecure parameter handling, cloud storage exposure, and the risks associated with misconfigured sudo privileges.

    #HackTheBox #HTB #Facts #CyberSecurity #PenetrationTesting #EthicalHacking #RedTeam #PrivilegeEscalation #Linux #AWS #S3 #CamaleonCMS #CVE20252304 #JohnTheRipper #Ruby #Infosec #CTF #CyberSecurityLearning …

    Learn MoreHack The Box: Facts Machine Walkthrough – Easy Difficulty

    16 May, 2026
    Hack The Box: Pterodactyl Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , ,

    Completed the Pterodactyl machine on Hack The Box, focusing on end-to-end exploitation.

    The attack started with a path traversal vulnerability (CVE-2025-49132) in the Pterodactyl Panel, leading to unauthenticated RCE. This access allowed database extraction, credential recovery, and SSH access as a low-privileged user.

    Privilege escalation was achieved through PAM environment variable poisoning (CVE-2025-6018), followed by a more stable root shell using a libblockdev/udisks race condition (CVE-2025-6019).

    A solid exercise in chaining web exploitation with local privilege escalation techniques.

    #HackTheBox #CyberSecurity #EthicalHacking #PenetrationTesting #RedTeam #CTF #Linux #PrivilegeEscalation #WebSecurity …

    Learn MoreHack The Box: Pterodactyl Machine Walkthrough – Medium Difficulity

    25 Apr, 2026
    Hack The Box: Sorcery Machine Walkthrough – Insane Difficulty
    Insane Machine , , , , , , , , , , , , , ,

    Recently, I completed the “Sorcery” machine on Hack The Box (Insane difficulty), which provided a deep, multi-layered challenge combining modern web exploitation, internal pivoting, and complex privilege escalation.

    The attack began with reconnaissance of a self-hosted Gitea instance, where exposed source code revealed the application architecture. This led to identifying a Cypher injection vulnerability in functionality backed by Neo4j, which enabled SSRF to leak sensitive data such as password hashes and a registration key. After gaining seller access, a stored XSS payload was used to hijack an admin session and access a restricted debug feature. This interface allowed interaction with internal services, ultimately achieving remote code execution via a Kafka-based payload. From there, pivoting with Ligolo-ng exposed internal services, including an FTP server containing an encrypted private key, which was cracked offline to gain SSH access and retrieve the user flag.

    Privilege escalation required chaining multiple subtle misconfigurations. A running Xvfb instance exposed a screen dump containing credentials for a higher-privileged user. With limited sudo access, strace was used to capture plaintext credentials from running processes. Further enumeration revealed activity tied to FreeIPA, where identity management controls were abused to gain full sudo privileges. After applying the changes, this ultimately led to root access and full system compromise.

    #HackTheBox #CyberSecurity #PenetrationTesting #RedTeam #EthicalHacking #CTF #Infosec #PrivilegeEscalation #WebSecurity …

    Learn MoreHack The Box: Sorcery Machine Walkthrough – Insane Difficulty

    18 Apr, 2026
    Hack The Box: Airtouch Mahcine Walkthrough – Medium Diffiiculty
    Medium Machine , , , , , , , , ,

    Recently, I completed the “Airtouch” machine on Hack The Box (Medium difficulty), which provided a great hands-on experience in combining system exploitation with wireless attack techniques.

    The challenge started with basic reconnaissance and service enumeration, leading to initial access via SSH as a low-privileged user. From there, misconfigured sudo permissions allowed quick privilege escalation on the host. What made this machine particularly interesting was its setup as a wireless attack platform, requiring interaction with a simulated corporate Wi-Fi environment.

    By cracking a WPA2-PSK handshake and connecting to the internal network, I was able to pivot further, access an internal access point, and exploit an unrestricted file upload vulnerability to gain remote shell access. Additional enumeration revealed credentials that enabled lateral movement to a management server, ultimately leading to full root compromise.

    Overall, this machine was a great reminder of how misconfigurations, weak credentials, and insecure file handling can chain together into a full system compromise—especially in complex environments involving internal networks and wireless infrastructure.

    #HackTheBox #CyberSecurity #PenetrationTesting #RedTeam #EthicalHacking #CTF #Infosec #PrivilegeEscalation #NetworkSecurity …

    Learn MoreHack The Box: Airtouch Mahcine Walkthrough – Medium Diffiiculty

    14 Mar, 2026
    Hack The Box: Gavel Machine Walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , , , ,

    Completed the Gavel (Medium) machine on Hack The Box. The initial foothold came from an exposed .git directory that leaked the application’s source code and bcrypt password hashes. After cracking the credentials with John the Ripper, I gained access and achieved a reverse shell through command injection in the admin rule field. Reusing the cracked credentials allowed privilege escalation to the application user and retrieval of the user flag.

    Root access was obtained by abusing the gavel-util submission feature, which executed YAML rule fields using PHP system(). By overwriting the custom php.ini to remove restrictions and creating a SUID Bash binary, it was possible to spawn a root shell and capture the final flag.

    #HackTheBox #HTB #CyberSecurity #EthicalHacking #PenetrationTesting #RedTeam #LinuxSecurity #WebSecurity #PrivilegeEscalation #CTF …

    Learn MoreHack The Box: Gavel Machine Walkthrough – Medium Difficulity

    7 Mar, 2026
    Hack The Box: Expressway Machine – Easy Difficulity
    Easy Machine , , , , , , , , , ,

    Just completed Expressway on Hack The Box (Easy difficulty) – a solid box that blends weak IKE PSK cracking with a straightforward sudo privilege escalation!
    Enumeration started with UDP scanning, which revealed ISAKMP on port 500. I ran ike-scan in Aggressive Mode to leak the peer identity ike@expressway.htb and capture crackable parameters. Next I used psk-crack against rockyou.txt and recovered the PSK freakingrockstarontheroad in under 13 seconds. I logged in via SSH as ike using that password and quickly grabbed user.txt.

    For privilege escalation, sudo -l confirmed no rights for the ike user. Checking sudo -V showed version 1.9.17 vulnerable to CVE-2025-32463 (chwoot). I cloned the PoC repository on my attack machine, hosted sudo-chwoot.sh with a Python HTTP server, transferred it to the target using curl, made it executable, and ran it. The script printed “woot!” and dropped an instant root shell. From there I read root.txt.
    Nice and clean chain: weak PSK for initial access followed by a known sudo vulnerability for root. Perfect easy box to sharpen IKE enumeration and Linux local exploitation skills.

    #HackTheBox #CTF #PenetrationTesting #Cybersecurity #EthicalHacking #IKE #PSKCracking #PrivilegeEscalation #LinuxExploitation #CVE202532463 #RedTeam …

    Learn MoreHack The Box: Expressway Machine – Easy Difficulity

    28 Feb, 2026
    Hack The Box: Guardian Machine Walkthrough – Hard Difficulty
    Hard Machine , , , , , , , , , , , ,

    🔐 User Flag — Compromising the Application Layer

    Successfully rooted the Guardian (Hard) machine on Hack The Box by chaining multiple real-world web vulnerabilities.Initial access was achieved through credential abuse and IDOR within the student portal. Leaked chat credentials exposed internal Gitea repositories containing hardcoded database secrets. A vulnerable XLSX file upload feature allowed formula injection → XSS → session hijacking. Leveraging CSRF, I created a rogue admin account and escalated privileges within the application. From there, an LFI vulnerability combined with a PHP filter chain led to Remote Code Execution. After gaining a shell as www-data, I reused leaked credentials to pivot laterally to user jamil, capturing the user flag.

    👑 Root Flag — From Code Injection to Full System Compromise

    Privilege escalation started with sudo -l, revealing that jamil could execute a Python utility as user mark without a password. Since one of the Python files was writable, I injected code to spawn a shell as mark. Further enumeration uncovered a custom binary (safeapache2ctl) executable as root. A flawed validation mechanism in its Apache config parsing allowed path traversal and arbitrary file inclusion. By crafting a malicious shared object (evil.so) and abusing the wrapper’s improper include validation, I achieved root-level code execution and obtained a root shell. …

    Learn MoreHack The Box: Guardian Machine Walkthrough – Hard Difficulty

    21 Feb, 2026
    Hack The Box: GiveBack machine walkthrough – Medium Difficulity
    Medium Machine , , , , , , , , , ,

    Just completed the Giveback machine on Hack The Box (Medium difficulty).
    Started with Nmap → WordPress + vulnerable GiveWP 3.14.0 (CVE-2024-5932 / CVE-2024-8353 PHP Object Injection) → unauthenticated RCE via donation form PoC → reverse shell as bitnami in a Bitnami Kubernetes pod.
    Pivoted using mounted K8s service account token → abused the API + exploited a vulnerable legacy PHP-CGI intranet service → broke out to the host as user babywyrm → grabbed user.txt.

    For root: passwordless sudo on custom /opt/debug binary → used dumped secret as admin password → crafted malicious OCI config.json → ran privileged container via runc breakout → read root.txt.
    Great chain: web vuln → container escape → K8s lateral → sudo abuse.
    Loved the real-world Kubernetes misconfig + runc wrapper elements.

    #HackTheBox #CTF #PenetrationTesting #KubernetesSecurity #ContainerEscape #RCE #PrivilegeEscalation #Cybersecurity …

    Learn MoreHack The Box: GiveBack machine walkthrough – Medium Difficulity