
HTB: Giddy

SQL injection doesn’t always mean dumping a database. Sometimes it just means coaxing the server into making a network connection it shouldn’t - and that’s enough to steal credentials. Giddy is a great example of that, paired with a creative privesc that requires bypassing Windows Defender with a custom payload.

Machine Info

Name: Giddy
Platform: HackTheBox
OS: Windows
Difficulty: Medium
IP: 10.129.96.140

TL;DR

ASP.NET MVC app has a search endpoint vulnerable to SQL injection. We use xp_dirtree to force the SQL Server to authenticate outbound to our Responder instance, capturing Stacy’s NTLMv2 hash. After cracking it, Evil-WinRM gives us a shell. On the machine we find a unifivideo folder hinting at CVE-2016-6914 - Ubiquiti UniFi Video’s service hijacks taskkill.exe on stop. Defender blocks msfvenom, so we cross-compile a custom Go payload to add a local admin user and RDP in as root. ...

May 31, 2026 · 4 min · João Vítor Bonin

HTB: BoardLight - OSCP Prep Write-up

BoardLight chains together a few classic techniques: subdomain discovery leading to an exposed ERP, authenticated RCE via a known CVE, credential reuse to pivot to a real user, and a SUID binary chain to root.

Machine info

Name: BoardLight
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR

- Subdomain enumeration reveals crm.board.htb running Dolibarr 17.0.0
- Default admin:admin credentials get us in
- CVE-2023-30253 - PHP code injection via the website module - gives shell as www-data
- Database credentials in conf.php are reused by user larissa for SSH
- CVE-2022-37706 - Enlightenment SUID LPE - escalates to root

Recon

Nmap

nmap -sV -sC -Pn -A 10.129.0.0 ...

April 21, 2026 · 3 min · João Vítor Bonin