Rce

Old software on an old OS - a combination that keeps on giving. ColdFusion 8, Windows Server 2008 R2, and a privilege that lets you impersonate basically anyone. Arctic is a nice reminder of why patch management matters. Machine info Name Arctic Platform HackTheBox OS Windows Difficulty Easy TL;DR Port scan reveals a ColdFusion 8 server on port 8500. Browsing to it exposes a directory listing and an admin login page. Searchsploit surfaces CVE-2009-2265, a file upload RCE for ColdFusion 8. We mirror the exploit, set our LHOST/RHOST, and catch a shell as arctic\tolis. The service account has SeImpersonatePrivilege - classic potato territory. The OS is Windows Server 2008 R2 (Build 7600), which JuicyPotato handles well. We transfer JuicyPotato via SMB, use it to create a local admin account, then either catch a SYSTEM reverse shell or enable RDP and connect via xfreerdp3. ...

Two vulnerabilities, zero authentication required for either one. Buff is a good reminder that public exploits sometimes just work - and that internal services running on non-standard ports are always worth the extra look. Machine info Name Buff Platform HackTheBox OS Windows Difficulty Easy TL;DR Web app running Gym Management System 1.0 is vulnerable to unauthenticated RCE (EDB-48506) - drops a webshell and a shell as buff\shaun Internal port 8888 is running CloudMe 1.1.12, accessible only from localhost Uploaded Chisel for port forwarding, then fired a buffer overflow exploit (EDB-48389) against CloudMe to get a SYSTEM shell Recon Nmap 1 nmap -sV -sC -Pn 10.129.2.18 ...

Netmon is a good reminder that “stale” does not mean “useless.” An old config backup with a 2018 password becomes the key to everything once you notice the pattern in the timestamps. Machine info Name Netmon Platform HackTheBox OS Windows Difficulty Easy TL;DR Anonymous FTP exposes the full C:\ drive, including PRTG Network Monitor config backups Old backup (PRTG Configuration.old.bak) leaks the password PrTg@dmin2018 Other config files are dated 2019 - guessing PrTg@dmin2019 logs into the PRTG web interface PRTG 18.1.37 is vulnerable to CVE-2018-9276 (authenticated RCE) - the exploit creates a local admin user Dump SAM with nxc, psexec as Administrator Recon RustScan 1 rustscan -a 10.129.230.176 ...

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need. Machine info Name Dog Platform HackTheBox OS Linux Difficulty Easy TL;DR Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024 The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data Two users on the box; the same DB credential switches to johncusack sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root Recon Nmap ...

Next up: Analytics, an Easy Linux box. Pre-auth RCE on Metabase, Docker escape via environment variable credential leak, and a kernel exploit chain for root. Machine info Name Analytics Platform HackTheBox OS Linux Difficulty Easy TL;DR Metabase 0.46.6 vulnerable to pre-auth RCE (CVE-2023-38646) Initial shell lands inside a Docker container Environment variables leak SSH credentials (metalytics:An4lytics_ds20223#) SSH to the host as metalytics, then kernel exploit CVE-2023-2640 + CVE-2023-32629 (overlayfs) for root Recon RustScan + Nmap 1 rustscan -a 10.129.21.240 -- -sV -sC -Pn -A ...

Another one down from the Lain Kusanagi list - this time it’s Nibbles, an Easy Linux box. Classic web enumeration into authenticated RCE, with a clean sudo privesc to wrap it up. Machine info Name Nibbles Platform HackTheBox OS Linux Difficulty Easy TL;DR Nibbleblog v4.0.3 with default credentials (admin:nibbles) Authenticated file upload RCE (CVE-2015-6967) for initial shell as nibbler sudo -l reveals monitor.sh can be run as root with NOPASSWD Overwrite monitor.sh with SUID payload on /bin/bash to get root Recon RustScan + Nmap 1 rustscan -a 10.129.20.162 -- -sV -sC -Pn -A ...

Why this post exists This is the first in a series of write-ups I’m publishing as part of my OSCP preparation. The strategy is to follow the Lain Kusanagi curated list (a fork/evolution of the classic TJNull list), which selects HackTheBox machines with attack vectors and exploitation patterns similar to those found in the exam. The goal of these posts is not just to document the solution, but to consolidate what I’ve learned: each write-up is structured as a condensed pentest report - recon, enumeration, foothold, privesc and takeaways - in the same format OffSec expects in the exam. ...