Default-Creds

Default credentials. WAR file upload. SYSTEM. Jerry is short, but it covers a technique that shows up on real engagements more often than you would expect. Machine info Name Jerry Platform HackTheBox OS Windows Difficulty Easy TL;DR Apache Tomcat 7.0.88 on port 8080 with default credentials (tomcat:s3cret) Uploaded a malicious WAR reverse shell via the Tomcat Manager Shell landed directly as NT AUTHORITY\SYSTEM - both flags in a single session Recon Nmap 1 nmap -sV -sC -Pn 10.129.34.208 ...

Netmon is a good reminder that “stale” does not mean “useless.” An old config backup with a 2018 password becomes the key to everything once you notice the pattern in the timestamps. Machine info Name Netmon Platform HackTheBox OS Windows Difficulty Easy TL;DR Anonymous FTP exposes the full C:\ drive, including PRTG Network Monitor config backups Old backup (PRTG Configuration.old.bak) leaks the password PrTg@dmin2018 Other config files are dated 2019 - guessing PrTg@dmin2019 logs into the PRTG web interface PRTG 18.1.37 is vulnerable to CVE-2018-9276 (authenticated RCE) - the exploit creates a local admin user Dump SAM with nxc, psexec as Administrator Recon RustScan 1 rustscan -a 10.129.230.176 ...

Default credentials and a comment field that should never have held a password - two very human mistakes that open the door all the way to root. Machine info Name Keeper Platform HackTheBox OS Linux Difficulty Easy TL;DR Web server redirects to tickets.keeper.htb running Request Tracker (RT) - default credentials (root:password) work A user profile comment reads “Initial password set to Welcome2023!” - SSH access as lnorgaard Home directory contains RT30000.zip with a KeePass dump and .kdbx file keepass_dump recovers a partial master password; context clues complete it KeePass vault holds a PuTTY SSH key for root - convert and log in Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.229.41 ...