HTB: Access - OSCP Prep Write-up

Old school. Access is a machine that takes you through a chain of credential pivoting across legacy protocols and file formats you do not see every day - no exploits, no CVEs, just enumeration and following the breadcrumbs wherever they lead.

Machine info: Name Access · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- Anonymous FTP exposes backup.mdb (Microsoft Access database) and Access Control.zip (AES-encrypted)
- backup.mdb contains an auth_user table with credentials - including the password to decrypt the ZIP
- The ZIP holds a PST file; reading the extracted email reveals the security account password in plaintext
- Telnet login as security -> user shell
- cmdkey /list shows saved credentials for ACCESS\Administrator; runas /savecred gives Administrator access

Enumeration: Port 21 was open and I went straight for it - anonymous FTP is one of those findings you want to verify immediately. ...

May 19, 2026 · 4 min · João Vítor Bonin

HTB: Active - OSCP Prep Write-up

GPP credentials. Still out there in the wild. Active is one of those machines that aged into a legend - the technique it teaches was patched in 2014, but the lesson sticks forever. Classic AD box, clean attack path, zero fluff.

Machine info: Name Active · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- Anonymous SMB access exposes the Replication share, which contains a Groups.xml file with a GPP-encrypted password for SVC_TGS
- gpp-decrypt recovers the plaintext: GPPstillStandingStrong2k18
- Authenticated as SVC_TGS, the Users share is readable - user flag sitting in SVC_TGS\Desktop
- Kerberoasting as SVC_TGS returns an Administrator TGS ticket; John cracks it to Ticketmaster1968
- impacket-psexec with Administrator creds gives a SYSTEM shell

Recon - Port scan: The scan reveals a textbook Domain Controller fingerprint - DNS on 53, RPC on 135 and 593, SMB on 445, LDAP Global Catalog on 3269, Active Directory Web Services on 9389, and a pile of dynamic RPC ports in the high range. ...

May 19, 2026 · 5 min · João Vítor Bonin

HTB: Administrator - OSCP Prep Write-up

This one plays out like a relay race - each user passes the baton to the next. No exploitation, no CVEs. Just ACL abuse all the way down until you’re dumping the domain.

Machine info: Name Administrator · Platform HackTheBox · OS Windows · Difficulty Medium · Starting credentials olivia / ichliebedich

TL;DR: Starting with pre-provided credentials for Olivia, we RID-brute SMB to enumerate domain users, then log in via WinRM and run SharpHound to feed BloodHound. The graph reveals a chain of ACL abuse: Olivia holds GenericAll over Michael, Michael holds ForceChangePassword over Benjamin. We reset their passwords in sequence. Benjamin’s only access is FTP - where he has a Backup.psafe3 file. We crack the master password with john and pull credentials for three more users from the vault. Emily’s credentials are the key - she has GenericWrite over Ethan, which enables targeted Kerberoasting. After syncing the clock with the DC, we roast Ethan’s TGS and crack it to limpbizkit. Ethan has DCSync rights on the domain, so we dump all NTLM hashes with secretsdump, then psexec in as Administrator. ...

May 19, 2026 · 6 min · João Vítor Bonin

HTB: Arctic - OSCP Prep Write-up

Old software on an old OS - a combination that keeps on giving. ColdFusion 8, Windows Server 2008 R2, and a privilege that lets you impersonate basically anyone. Arctic is a nice reminder of why patch management matters.

Machine info: Name Arctic · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR: Port scan reveals a ColdFusion 8 server on port 8500. Browsing to it exposes a directory listing and an admin login page. Searchsploit surfaces CVE-2009-2265, a file upload RCE for ColdFusion 8. We mirror the exploit, set our LHOST/RHOST, and catch a shell as arctic\tolis. The service account has SeImpersonatePrivilege - classic potato territory. The OS is Windows Server 2008 R2 (Build 7600), which JuicyPotato handles well. We transfer JuicyPotato via SMB, use it to create a local admin account, then either catch a SYSTEM reverse shell or enable RDP and connect via xfreerdp3. ...

May 19, 2026 · 5 min · João Vítor Bonin

HTB: Buff - OSCP Prep Write-up

Two vulnerabilities, zero authentication required for either one. Buff is a good reminder that public exploits sometimes just work - and that internal services running on non-standard ports are always worth the extra look.

Machine info: Name Buff · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- Web app running Gym Management System 1.0 is vulnerable to unauthenticated RCE (EDB-48506) - drops a webshell and a shell as buff\shaun
- Internal port 8888 is running CloudMe 1.1.12, accessible only from localhost
- Uploaded Chisel for port forwarding, then fired a buffer overflow exploit (EDB-48389) against CloudMe to get a SYSTEM shell

Recon - Nmap: nmap -sV -sC -Pn 10.129.2.18 ...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Cicada - OSCP Prep Write-up

Cicada is a textbook Active Directory enumeration chain. Each step surfaces something that unlocks the next user - a default password in an HR notice, a credential in a PowerShell script description field, a privilege that lets you dump the SAM. Good practice for the AD portion of OSCP.

Machine info: Name Cicada · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- Anonymous SMB access exposes an HR onboarding notice with a default password
- Password spraying with nxc identifies michael.wrightson as the matching user
- Listing users without RID brute reveals david.orelious has his password in his description field
- David can access the DEV share, which contains a PowerShell script with emily.oscars credentials
- Emily has SeBackupPrivilege via WinRM - used to dump SAM/SYSTEM and pass-the-hash as Administrator

Recon - RustScan: rustscan -a 10.129.231.149 ...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Jerry - OSCP Prep Write-up

Default credentials. WAR file upload. SYSTEM. Jerry is short, but it covers a technique that shows up on real engagements more often than you would expect.

Machine info: Name Jerry · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- Apache Tomcat 7.0.88 on port 8080 with default credentials (tomcat:s3cret)
- Uploaded a malicious WAR reverse shell via the Tomcat Manager
- Shell landed directly as NT AUTHORITY\SYSTEM - both flags in a single session

Recon - Nmap: nmap -sV -sC -Pn 10.129.34.208 ...

May 19, 2026 · 2 min · João Vítor Bonin

HTB: Netmon - OSCP Prep Write-up

Netmon is a good reminder that “stale” does not mean “useless.” An old config backup with a 2018 password becomes the key to everything once you notice the pattern in the timestamps.

Machine info: Name Netmon · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- Anonymous FTP exposes the full C:\ drive, including PRTG Network Monitor config backups
- Old backup (PRTG Configuration.old.bak) leaks the password PrTg@dmin2018
- Other config files are dated 2019 - guessing PrTg@dmin2019 logs into the PRTG web interface
- PRTG 18.1.37 is vulnerable to CVE-2018-9276 (authenticated RCE) - the exploit creates a local admin user
- Dump SAM with nxc, psexec as Administrator

Recon - RustScan: rustscan -a 10.129.230.176 ...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Return - OSCP Prep Write-up

Return is one of those machines where the initial foothold is almost embarrassingly easy - and then it hands you a privilege escalation path that is genuinely worth knowing. Server Operators is not talked about as much as SeBackupPrivilege, but it is just as dangerous.

Machine info: Name Return · Platform HackTheBox · OS Windows · Difficulty Easy

TL;DR:
- A printer admin web panel allows changing the LDAP server address - pointing it at Kali captures cleartext credentials for svc-printer
- svc-printer has WinRM access and is a member of Server Operators, which allows stopping and reconfiguring Windows services
- Abused sc.exe to hijack a service binary path and create a local admin user
- Ran secretsdump, passed the Administrator hash via evil-winrm

Recon - Nmap: nmap -sV -sC -Pn -A 10.129.34.220

Open ports include 80 (HTTP), 88 (Kerberos), 389 (LDAP), 445 (SMB), 5985 (WinRM). Standard Windows domain controller spread. Port 80 is the interesting one. ...

May 19, 2026 · 3 min · João Vítor Bonin

HTB: Keeper - OSCP Prep Write-up

Default credentials and a comment field that should never have held a password - two very human mistakes that open the door all the way to root.

Machine info: Name Keeper · Platform HackTheBox · OS Linux · Difficulty Easy

TL;DR:
- Web server redirects to tickets.keeper.htb running Request Tracker (RT) - default credentials (root:password) work
- A user profile comment reads “Initial password set to Welcome2023!” - SSH access as lnorgaard
- Home directory contains RT30000.zip with a KeePass dump and .kdbx file
- keepass_dump recovers a partial master password; context clues complete it
- KeePass vault holds a PuTTY SSH key for root - convert and log in

Recon - Nmap: nmap -sV -sC -Pn -A 10.129.229.41 ...

May 18, 2026 · 3 min · João Vítor Bonin