HTB: Knife - OSCP Prep Write-up

Sometimes the vulnerability is not in your target’s code - it is in their supply chain. Knife is a good example of what happens when a poisoned release slips through.

Machine info
Name: Knife
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- A web server running PHP 8.1.0-dev - a version that shipped with a backdoor - allows arbitrary command execution via a custom HTTP header
- Initial shell as james, sudo -l reveals the knife CLI can be run as root without a password
- sudo knife exec -E "exec('/bin/bash')" drops a root shell immediately

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.34.68 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Underpass - OSCP Prep Write-up

HTTP gave nothing. The real entry point was hiding on UDP - a reminder that TCP-only scans miss half the attack surface.

Machine info
Name: Underpass
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- UDP scan reveals SNMP and RADIUS; SNMP walk with the public community string leaks hostname and username
- daloRADIUS web interface accessible with default credentials (administrator:radius)
- User svcMosh has an MD5 password hash in the RADIUS database - John cracks it
- SSH as svcMosh, sudo -l shows mosh-server without a password - run it as root and connect with mosh-client to get a root shell

Recon
Nmap TCP
nmap -sV -sC -Pn -A 10.129.231.213 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Devvortex - OSCP Prep Write-up

Directory brute-force gets you nowhere on Devvortex. The win is one layer up - in the subdomains.

Machine info
Name: Devvortex
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Subdomain enumeration reveals dev.devvortex.htb, running Joomla 4.2.6
- joomscan identifies the exact version; CVE-2023-23752 leaks usernames and the admin password via unauthenticated REST API endpoints
- Log in as lewis, edit the active Cassiopeia template to plant a PHP webshell, get a shell as www-data
- configuration.php re-exposes the MySQL password; query the sd4fg_users table and crack logan’s bcrypt hash with John
- su logan, check sudo: (ALL:ALL) /usr/bin/apport-cli - escape through the less pager to root

Recon
Nmap
nmap -sV -sC -Pn -A devvortex.htb ...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: Dog - OSCP Prep Write-up

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need.

Machine info
Name: Dog
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it
- gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024
- The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany
- Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data
- Two users on the box; the same DB credential switches to johncusack
- sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root

Recon
Nmap ...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: CozyHosting - OSCP Prep Write-up

Error pages usually get ignored. On CozyHosting, the /error page is what gives the whole game away.

Machine info
Name: CozyHosting
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- A Spring Boot Whitelabel Error page reveals the framework; a targeted wordlist uncovers /actuator/sessions leaking a valid session token
- Cookie swap into /admin exposes an SSH connection form; the username field is injectable but blocks spaces - bypassed with ${IFS}
- Shell lands as app, a .jar in /app contains application.properties with PostgreSQL credentials
- Crack the bcrypt admin hash with John, su josh, find sudo /usr/bin/ssh *, and GTFOBins the ProxyCommand to root

Recon
Nmap
nmap -sV -sC -Pn -A cozyhosting.htb ...

May 15, 2026 · 4 min · João Vítor Bonin