HTB: Netmon - OSCP Prep Write-up

Netmon is a good reminder that “stale” does not mean “useless.” An old config backup with a 2018 password becomes the key to everything once you notice the pattern in the timestamps.

Machine info
Name: Netmon
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- Anonymous FTP exposes the full C:\ drive, including PRTG Network Monitor config backups
- Old backup (PRTG Configuration.old.bak) leaks the password PrTg@dmin2018
- Other config files are dated 2019 - guessing PrTg@dmin2019 logs into the PRTG web interface
- PRTG 18.1.37 is vulnerable to CVE-2018-9276 (authenticated RCE) - the exploit creates a local admin user
- Dump SAM with nxc, psexec as Administrator

Recon
RustScan
rustscan -a 10.129.230.176 ...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Return - OSCP Prep Write-up

Return is one of those machines where the initial foothold is almost embarrassingly easy - and then it hands you a privilege escalation path that is genuinely worth knowing. Server Operators is not talked about as much as SeBackupPrivilege, but it is just as dangerous.

Machine info
Name: Return
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- A printer admin web panel allows changing the LDAP server address - pointing it at Kali captures cleartext credentials for svc-printer
- svc-printer has WinRM access and is a member of Server Operators, which allows stopping and reconfiguring Windows services
- Abused sc.exe to hijack a service binary path and create a local admin user
- Ran secretsdump, passed the Administrator hash via evil-winrm

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.34.220
Open ports include 80 (HTTP), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM). Standard Windows domain controller spread. Port 80 is the interesting one. ...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Keeper - OSCP Prep Write-up

Default credentials and a comment field that should never have held a password - two very human mistakes that open the door all the way to root.

Machine info
Name: Keeper
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Web server redirects to tickets.keeper.htb running Request Tracker (RT) - default credentials (root:password) work
- A user profile comment reads “Initial password set to Welcome2023!” - SSH access as lnorgaard
- Home directory contains RT30000.zip with a KeePass dump and .kdbx file
- keepass_dump recovers a partial master password; context clues complete it
- KeePass vault holds a PuTTY SSH key for root - convert and log in

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.229.41 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Knife - OSCP Prep Write-up

Sometimes the vulnerability is not in your target’s code - it is in their supply chain. Knife is a good example of what happens when a poisoned release slips through.

Machine info
Name: Knife
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- A web server running PHP 8.1.0-dev - a version that shipped with a backdoor - allows arbitrary command execution via a custom HTTP header
- Initial shell as james, sudo -l reveals the knife CLI can be run as root without a password
- sudo knife exec -E "exec('/bin/bash')" drops a root shell immediately

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.34.68 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Precious - OSCP Prep Write-up

A PDF converter hiding a command injection CVE, credentials buried in a Ruby config file, and a YAML deserialization gadget to finish it off - Precious stacks three clean techniques on top of each other.

Machine info
Name: Precious
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Web app converts URLs to PDFs using pdfkit v0.8.6, which is vulnerable to CVE-2022-25765 (command injection)
- Initial shell as ruby, Bundler config at ~/.bundle/config leaks credentials for user henry
- Henry can run a Ruby script as root with sudo; the script uses YAML.load - exploitable via deserialization to get a root shell

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.228.98 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Underpass - OSCP Prep Write-up

HTTP gave nothing. The real entry point was hiding on UDP - a reminder that TCP-only scans miss half the attack surface.

Machine info
Name: Underpass
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- UDP scan reveals SNMP and RADIUS; SNMP walk with the public community string leaks hostname and username
- daloRADIUS web interface accessible with default credentials (administrator:radius)
- User svcMosh has an MD5 password hash in the RADIUS database - John cracks it
- SSH as svcMosh, sudo -l shows mosh-server without a password - run it as root and connect with mosh-client to get a root shell

Recon
Nmap TCP
nmap -sV -sC -Pn -A 10.129.231.213 ...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Devvortex - OSCP Prep Write-up

Directory brute-force gets you nowhere on Devvortex. The win is one layer up - in the subdomains.

Machine info
Name: Devvortex
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Subdomain enumeration reveals dev.devvortex.htb, running Joomla 4.2.6
- joomscan identifies the exact version; CVE-2023-23752 leaks usernames and the admin password via unauthenticated REST API endpoints
- Log in as lewis, edit the active Cassiopeia template to plant a PHP webshell, get a shell as www-data
- configuration.php re-exposes the MySQL password; query the sd4fg_users table and crack logan’s bcrypt hash with John
- su logan, check sudo: (ALL:ALL) /usr/bin/apport-cli - escape through the less pager to root

Recon
Nmap
nmap -sV -sC -Pn -A devvortex.htb ...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: Dog - OSCP Prep Write-up

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need.

Machine info
Name: Dog
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it
- gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024
- The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany
- Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data
- Two users on the box; the same DB credential switches to johncusack
- sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root

Recon
Nmap ...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: Broker - OSCP Prep Write-up

CVE-2023-46604 dropped while this machine was live - a critical Apache ActiveMQ RCE with a public PoC, CVSS 10.0. The privesc flips the script: instead of running code, nginx becomes a file server for the entire filesystem.

Machine info
Name: Broker
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Rustscan reveals port 61616 running Apache ActiveMQ 5.15.15 - vulnerable to CVE-2023-46604
- Clone and adapt the public PoC: serve a malicious ClassInfo XML and trigger the RCE to land a shell as activemq
- sudo -l shows activemq can run /usr/sbin/nginx as root without a password
- Craft an evil nginx config with WebDAV PUT and root /; to expose the entire filesystem on port 1337
- Read root.txt directly, or overwrite /etc/passwd to add a new root-level user

Recon
Port scan ...

May 15, 2026 · 3 min · João Vítor Bonin

HTB: Busqueda - OSCP Prep Write-up

Version numbers in page footers exist for a reason. Searchor 2.4.0 handed over the foothold; a kernel exploit closed it out.

Machine info
Name: Busqueda
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nmap reveals a web app on port 80 - the page footer discloses “Powered by Flask and Searchor 2.4.0”
- Searchor 2.4.0 is vulnerable to arbitrary command injection; a public exploit delivers a reverse shell as svc
- Privilege escalation via DirtyFrag (universal Linux LPE): compile and run the PoC to get root

Recon
Add host to /etc/hosts ...

May 15, 2026 · 3 min · João Vítor Bonin