Credential-Reuse

Machine #73 on the Lain Kusanagi list. Flight earns its Hard rating not through any single clever trick, but through sheer chain length - each hop unlocks exactly one new thing, and you have to string six or seven of them together to reach SYSTEM. It’s a patience test as much as a technical one. Machine Info Name Flight Platform HackTheBox OS Windows Difficulty Hard IP 10.129.7.136 Domain flight.htb TL;DR Nmap shows a full AD port set. Gobuster vhost finds school.flight.htb, a PHP app with a ?view= parameter vulnerable to LFI. UNC path inclusion leaks svc_apache’s NTLMv2 hash via Responder - john cracks it to S@Ss!K@*t13. Password spray finds S.Moon reuses the same password. S.Moon has WRITE on the Shared share - use ntlm_theft to drop a desktop.ini coercion file, Responder captures C.Bum’s hash, john cracks it to Tikkycoll_431012284. C.Bum has WRITE on the Web share - upload a PHP webshell, get a reverse shell as svc_apache. Generate a msfvenom payload, catch it in msfconsole, upload RunasCs via meterpreter, run as C.Bum to get a second session. Port-forward port 8000 (internal IIS dev site) through the C.Bum session, discover C:\inetpub\development is writable, upload an ASPX webshell, get a shell as IIS AppPool\DefaultAppPool. That account has SeImpersonatePrivilege - msfconsole getsystem uses Named Pipe Impersonation (EfsPotato variant) to land NT AUTHORITY\SYSTEM. ...

Sauna is an Easy Windows box from HackTheBox built around a classic Active Directory attack chain. From open-source name enumeration to ASREPRoasting, autologon credential exposure, and a DCSync to finish it off - this one hits all the fundamentals. Machine Info Name Sauna Platform HackTheBox OS Windows Difficulty Easy IP 10.129.95.180 TL;DR Scraped employee names off the bank’s “About” page, ran them through username-anarchy to generate AD-style usernames, and ASREPRoasted fsmith whose account had Kerberos pre-auth disabled. Cracked the hash with rockyou.txt and logged in via WinRM. Found autologon credentials for svc_loanmanager stored in plaintext in the registry. BloodHound showed that account has DCSync rights over the domain - used secretsdump to pull the Administrator hash and psexec to get SYSTEM. ...

Another medium box that starts with just a web form and ends with a root shell through a surprisingly elegant chain. Editorial is all about knowing what to look for — and what to ask the server to fetch for you. Machine Info Field Value Name Editorial Platform HackTheBox OS Linux Difficulty Medium IP 10.129.1.101 TL;DR SSRF on the book cover URL field → internal API on port 5000 → /api/latest/metadata/messages/authors leaks SSH creds for dev → git history in ~/apps reveals prod credentials → prod can run a GitPython clone script as root → ext:: protocol injection sets SUID on /bin/bash → root. ...

Machine Info Field Value Name Escape Platform HackTheBox OS Windows Difficulty Medium IP 10.129.228.253 TL;DR An unauthenticated SMB Public share exposes a PDF that contains SQL Server credentials. Connecting to MSSQL with those creds, we abuse xp_dirtree to capture the NTLMv2 hash of sql_svc via Responder and crack it with John. From there, SQL Server error logs left cleartext credentials for Ryan.Cooper lying around. As Ryan, certipy reveals an ESC1-vulnerable certificate template that allows anyone in Domain Users to request a cert on behalf of Administrator. One certificate later, we get the Administrator NT hash and land a SYSTEM shell via psexec. ...

Machine Information Field Details Name Chatterbox Platform HackTheBox OS Windows Difficulty Medium TL;DR AChat 0.150 beta7 is running on a non-standard port with a known buffer overflow. A public Python PoC gets us a shell as alfred after generating an x86 unicode-compatible reverse shell payload with msfvenom. Once in, the registry gives away autologon credentials (Alfred:Welcome1!) that also work for Administrator — straightforward credential reuse to SYSTEM. Recon 1 nmap -sC -sV -p- 10.129.1.92 Most of the ports are standard Windows noise — RPC, SMB. The interesting ones are 9255 and 9256, both identified as AChat. That’s a Windows chat application that barely anyone runs outside of CTFs, which is a big hint there’s something exploitable there. ...

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need. Machine info Name Dog Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024 The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data Two users on the box; the same DB credential switches to johncusack sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root Recon Nmap ...