
HTB: Editorial

Another medium box that starts with just a web form and ends with a root shell through a surprisingly elegant chain. Editorial is all about knowing what to look for — and what to ask the server to fetch for you.

Machine Info
Name: Editorial
Platform: HackTheBox
OS: Linux
Difficulty: Medium
IP: 10.129.1.101

TL;DR: SSRF on the book cover URL field → internal API on port 5000 → /api/latest/metadata/messages/authors leaks SSH creds for dev → git history in ~/apps reveals prod credentials → prod can run a GitPython clone script as root → ext:: protocol injection sets SUID on /bin/bash → root. ...

May 22, 2026 · 5 min · João Vítor Bonin

HTB: BoardLight - OSCP Prep Write-up

BoardLight chains together a few classic techniques: subdomain discovery leading to an exposed ERP, authenticated RCE via a known CVE, credential reuse to pivot to a real user, and a SUID binary chain to root.

Machine info
Name: BoardLight
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Subdomain enumeration reveals crm.board.htb running Dolibarr 17.0.0
- Default admin:admin credentials get us in
- CVE-2023-30253 - PHP code injection via the website module - gives shell as www-data
- Database credentials in conf.php are reused by user larissa for SSH
- CVE-2022-37706 - Enlightenment SUID LPE - escalates to root

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.0.0 ...

April 21, 2026 · 3 min · João Vítor Bonin

HTB: Nibbles - OSCP Prep Write-up

Another one down from the Lain Kusanagi list - this time it’s Nibbles, an Easy Linux box. Classic web enumeration into authenticated RCE, with a clean sudo privesc to wrap it up.

Machine info
Name: Nibbles
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nibbleblog v4.0.3 with default credentials (admin:nibbles)
- Authenticated file upload RCE (CVE-2015-6967) for initial shell as nibbler
- sudo -l reveals monitor.sh can be run as root with NOPASSWD
- Overwrite monitor.sh with SUID payload on /bin/bash to get root

Recon
RustScan + Nmap
rustscan -a 10.129.20.162 -- -sV -sC -Pn -A ...

April 17, 2026 · 3 min · João Vítor Bonin