HTB: Knife - OSCP Prep Write-up

Sometimes the vulnerability is not in your target’s code - it is in their supply chain. Knife is a good example of what happens when a poisoned release slips through.
Machine info: Name Knife · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- A web server running PHP 8.1.0-dev - a version that shipped with a backdoor - allows arbitrary command execution via a custom HTTP header
- Initial shell as james; sudo -l reveals the knife CLI can be run as root without a password
- sudo knife exec -E "exec('/bin/bash')" drops a root shell immediately
Recon (Nmap): nmap -sV -sC -Pn -A 10.129.34.68 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Precious - OSCP Prep Write-up

A PDF converter hiding a command injection CVE, credentials buried in a Ruby config file, and a YAML deserialization gadget to finish it off - Precious stacks three clean techniques on top of each other.
Machine info: Name Precious · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- Web app converts URLs to PDFs using pdfkit v0.8.6, which is vulnerable to CVE-2022-25765 (command injection)
- Initial shell as ruby; Bundler config at ~/.bundle/config leaks credentials for user henry
- Henry can run a Ruby script as root with sudo; the script uses YAML.load - exploitable via deserialization to get a root shell
Recon (Nmap): nmap -sV -sC -Pn -A 10.129.228.98 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Underpass - OSCP Prep Write-up

HTTP gave nothing. The real entry point was hiding on UDP - a reminder that TCP-only scans miss half the attack surface.
Machine info: Name Underpass · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- UDP scan reveals SNMP and RADIUS; SNMP walk with the public community string leaks hostname and username
- daloRADIUS web interface accessible with default credentials (administrator:radius)
- User svcMosh has an MD5 password hash in the RADIUS database - John cracks it
- SSH as svcMosh; sudo -l shows mosh-server without a password - run it as root and connect with mosh-client to get a root shell
Recon (Nmap TCP): nmap -sV -sC -Pn -A 10.129.231.213 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Devvortex - OSCP Prep Write-up

Directory brute-force gets you nowhere on Devvortex. The win is one layer up - in the subdomains.
Machine info: Name Devvortex · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- Subdomain enumeration reveals dev.devvortex.htb, running Joomla 4.2.6
- joomscan identifies the exact version; CVE-2023-23752 leaks usernames and the admin password via unauthenticated REST API endpoints
- Log in as lewis, edit the active Cassiopeia template to plant a PHP webshell, get a shell as www-data
- configuration.php re-exposes the MySQL password; query the sd4fg_users table and crack logan’s bcrypt hash with John
- su logan, check sudo: (ALL:ALL) /usr/bin/apport-cli - escape through the less pager to root
Recon (Nmap): nmap -sV -sC -Pn -A devvortex.htb ...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: Dog - OSCP Prep Write-up

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need.
Machine info: Name Dog · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it
- gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024
- The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany
- Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data
- Two users on the box; the same DB credential switches to johncusack
- sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root
Recon (Nmap) ...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: Broker - OSCP Prep Write-up

CVE-2023-46604 dropped while this machine was live - a critical Apache ActiveMQ RCE with a public PoC, CVSS 10.0. The privesc flips the script: instead of running code, nginx becomes a file server for the entire filesystem.
Machine info: Name Broker · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- Rustscan reveals port 61616 running Apache ActiveMQ 5.15.15 - vulnerable to CVE-2023-46604
- Clone and adapt the public PoC: serve a malicious ClassInfo XML and trigger the RCE to land a shell as activemq
- sudo -l shows activemq can run /usr/sbin/nginx as root without a password
- Craft an evil nginx config with WebDAV PUT and root /; to expose the entire filesystem on port 1337
- Read root.txt directly, or overwrite /etc/passwd to add a new root-level user
Recon (Port scan) ...

May 15, 2026 · 3 min · João Vítor Bonin

HTB: Busqueda - OSCP Prep Write-up

Version numbers in page footers exist for a reason. Searchor 2.4.0 handed over the foothold; a kernel exploit closed it out.
Machine info: Name Busqueda · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- Nmap reveals a web app on port 80 - the page footer discloses “Powered by Flask and Searchor 2.4.0”
- Searchor 2.4.0 is vulnerable to arbitrary command injection; a public exploit delivers a reverse shell as svc
- Privilege escalation via DirtyFrag (universal Linux LPE): compile and run the PoC to get root
Recon: Add host to /etc/hosts ...

May 15, 2026 · 3 min · João Vítor Bonin

HTB: Codify - OSCP Prep Write-up

Sandboxes are only as strong as their implementation. Codify gives you a Node.js code editor to play with - and a vm2 version that plays right back.
Machine info: Name Codify · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- Web app runs Node.js snippets in a vm2 sandbox; child_process is blocked, but vm2’s context escaping lets you break out entirely
- Shell as svc; linpeas finds a SQLite database with a bcrypt hash for joshua - cracked with John + rockyou
- SSH as joshua; sudo -l shows /opt/scripts/mysql-backup.sh as root; the script uses unquoted [[ $DB_PASS == $USER_PASS ]], enabling glob-based password brute-forcing
- Alternatively, compile and run the dirtyfrag LPE directly as svc and skip joshua entirely
Recon (Nmap): nmap -sV -sC -Pn -A codify.htb ...

May 15, 2026 · 4 min · João Vítor Bonin

HTB: CozyHosting - OSCP Prep Write-up

Error pages usually get ignored. On CozyHosting, the /error page is what gives the whole game away.
Machine info: Name CozyHosting · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- A Spring Boot Whitelabel Error page reveals the framework; a targeted wordlist uncovers /actuator/sessions leaking a valid session token
- Cookie swap into /admin exposes an SSH connection form; the username field is injectable but blocks spaces - bypassed with ${IFS}
- Shell lands as app; a .jar in /app contains application.properties with PostgreSQL credentials
- Crack the bcrypt admin hash with John, su josh, find sudo /usr/bin/ssh *, and GTFOBins the ProxyCommand to root
Recon (Nmap): nmap -sV -sC -Pn -A cozyhosting.htb ...

May 15, 2026 · 4 min · João Vítor Bonin

HTB: Bashed - OSCP Prep Write-up

Bashed is a good reminder that developers are the best pentesters’ allies - a web shell left in /dev does most of the work for you, and the path to root runs through a misconfigured sudo and a predictable job.
Machine info: Name Bashed · Platform HackTheBox · OS Linux · Difficulty Easy
TL;DR:
- FeroxBuster finds a /dev directory hosting phpbash.php - an interactive PHP web shell
- Shell as www-data; sudo -l reveals we can run anything as scriptmanager without a password
- A job runs /scripts/test.py as root - overwrite it with a reverse shell payload to escalate
Recon (Nmap): nmap -sV -sC -Pn -A 10.129.0.0 ...

April 21, 2026 · 2 min · João Vítor Bonin