Ssh

Jenkins is one of those tools that organizations often spin up quickly and forget to harden. Builder is a medium-difficulty Linux box that demonstrates exactly what happens when that oversight meets a known CVE and a stored credential that wasn’t meant to be found. Machine Info Field Value Name Builder Platform HackTheBox OS Linux Difficulty Medium IP 10.129.230.220 TL;DR Jenkins 2.441 is vulnerable to a Local File Inclusion (CVE-2024-23897). The LFI lets us read arbitrary files from the server, which is enough to enumerate Jenkins users, steal a password hash, crack it, log in as that user, and execute a Groovy reverse shell from the Script Console. The shell lands inside a Docker container. From there, the Jenkins home directory contains an encrypted SSH private key in credentials.xml. We use pwn_jenkins to decrypt it with master.key and hudson.util.Secret, then SSH in as root. ...

Error pages usually get ignored. On CozyHosting, the /error page is what gives the whole game away. Machine info Name CozyHosting Platform HackTheBox OS Linux Difficulty Easy TL;DR A Spring Boot Whitelabel Error page reveals the framework; a targeted wordlist uncovers /actuator/sessions leaking a valid session token Cookie swap into /admin exposes an SSH connection form; the username field is injectable but blocks spaces - bypassed with ${IFS} Shell lands as app, a .jar in /app contains application.properties with PostgreSQL credentials Crack the bcrypt admin hash with John, su josh, find sudo /usr/bin/ssh *, and GTFOBins the ProxyCommand to root Recon Nmap 1 nmap -sV -sC -Pn -A cozyhosting.htb ...

Markup is done. A Very Easy Windows box, but with a solid lesson on XXE injection - from discovering the vulnerability to weaponizing it for file read and SSH key extraction. Clean privesc through AutoLogon credentials found by WinPEAS. Machine info Name Markup Platform HackTheBox OS Windows Difficulty Very Easy TL;DR Login with default credentials admin:password Order form submits XML - vulnerable to XXE injection XXE with PHP wrapper to read process.php source and confirm the vulnerability Extract Daniel’s SSH private key via XXE WinPEAS finds AutoLogon credentials for Administrator Recon RustScan + Nmap 1 rustscan -a 10.129.95.192 -- -sV -sC -Pn -A ...