Lain-Kusanagi

BoardLight chains together a few classic techniques: subdomain discovery leading to an exposed ERP, authenticated RCE via a known CVE, credential reuse to pivot to a real user, and a SUID binary chain to root. Machine info Name BoardLight Platform HackTheBox OS Linux Difficulty Easy TL;DR Subdomain enumeration reveals crm.board.htb running Dolibarr 17.0.0 Default admin:admin credentials get us in CVE-2023-30253 - PHP code injection via the website module - gives shell as www-data Database credentials in conf.php are reused by user larissa for SSH CVE-2022-37706 - Enlightenment SUID LPE - escalates to root Recon Nmap 1 nmap -sV -sC -Pn -A 10.129.0.0 ...

Next up: Analytics, an Easy Linux box. Pre-auth RCE on Metabase, Docker escape via environment variable credential leak, and a kernel exploit chain for root. Machine info Name Analytics Platform HackTheBox OS Linux Difficulty Easy TL;DR Metabase 0.46.6 vulnerable to pre-auth RCE (CVE-2023-38646) Initial shell lands inside a Docker container Environment variables leak SSH credentials (metalytics:An4lytics_ds20223#) SSH to the host as metalytics, then kernel exploit CVE-2023-2640 + CVE-2023-32629 (overlayfs) for root Recon RustScan + Nmap 1 rustscan -a 10.129.21.240 -- -sV -sC -Pn -A ...

Markup is done. A Very Easy Windows box, but with a solid lesson on XXE injection - from discovering the vulnerability to weaponizing it for file read and SSH key extraction. Clean privesc through AutoLogon credentials found by WinPEAS. Machine info Name Markup Platform HackTheBox OS Windows Difficulty Very Easy TL;DR Login with default credentials admin:password Order form submits XML - vulnerable to XXE injection XXE with PHP wrapper to read process.php source and confirm the vulnerability Extract Daniel’s SSH private key via XXE WinPEAS finds AutoLogon credentials for Administrator Recon RustScan + Nmap 1 rustscan -a 10.129.95.192 -- -sV -sC -Pn -A ...

Another one down from the Lain Kusanagi list - this time it’s Nibbles, an Easy Linux box. Classic web enumeration into authenticated RCE, with a clean sudo privesc to wrap it up. Machine info Name Nibbles Platform HackTheBox OS Linux Difficulty Easy TL;DR Nibbleblog v4.0.3 with default credentials (admin:nibbles) Authenticated file upload RCE (CVE-2015-6967) for initial shell as nibbler sudo -l reveals monitor.sh can be run as root with NOPASSWD Overwrite monitor.sh with SUID payload on /bin/bash to get root Recon RustScan + Nmap 1 rustscan -a 10.129.20.162 -- -sV -sC -Pn -A ...

Why this post exists This is the first in a series of write-ups I’m publishing as part of my OSCP preparation. The strategy is to follow the Lain Kusanagi curated list (a fork/evolution of the classic TJNull list), which selects HackTheBox machines with attack vectors and exploitation patterns similar to those found in the exam. The goal of these posts is not just to document the solution, but to consolidate what I’ve learned: each write-up is structured as a condensed pentest report - recon, enumeration, foothold, privesc and takeaways - in the same format OffSec expects in the exam. ...