Showing posts from August, 2018

Hack The Box Arctic

Testing Methodologies
We can start the enumeration with an nmap scan.

The output shows that ports 135, 8500 and 49154 are open.

Visiting port 8500 gives us a directory listing.
By visiting the CFIDE directory we have a ColdFusion
Googling ColdFusion turns up a path traversal vulnerability that can be used to extract the admin password.
It seems the password is stored as a SHA1 hash, so we can use hashcat to crack it.

The password is "happyday"; now we can log in to ColdFusion.

We can now upload a cfexec.cfm script to execute code on the system.

Now we can upload a Meterpreter shell, which can be generated using Veil Evasion and which will bypass any antivirus running on the system.

We now have a Meterpreter session, but it is 32-bit; we can convert it to 64-bit using the payload_inject module.
Running payload suggester over the session, it seems the machine is vulnerable to the schelevator exploit.

Hack The Box Devel

Testing Methodologies

We can start the enumeration with an nmap scan.

nmap -sC -sV
The nmap scan output shows that only two ports are open: 21 (FTP) and 80 (HTTP).

FTP has anonymous login enabled, and nmap has already logged in for us. Looking at the output, we can see files like "iisstart.htm", which is the index page of IIS, so the FTP root folder is actually the web server root folder. Now we can create a shell, upload it via FTP and access the file through HTTP.

We have generated an aspx shell using msfpc, the Metasploit payload generator. We can then upload the shell using the put command in FTP and access it from the browser.

By accessing the shell from the browser we get a callback to Metasploit and we can execute code on the server.

Privilege escalation

Since we are a low-privilege user, we have to escalate to administrator in order to get the root flag.

Metasploit has a module that checks for local exploits on a machine; we can use that to c…

Hack The Box Legacy

Legacy was a Windows machine made by ch4p

Testing methodologies

We can start the enumeration process by running an nmap scan.

nmap -sC -sV

The output of the nmap scan shows a few ports are open:
139 NetBIOS
445 SMB
3389 RDP
Looking at the output, it's obvious that it's related to SMB. We can use NSE scripts to look for vulnerabilities.

By the looks of the output, the server is vulnerable to MS-08-067.

We have NT AUTHORITY\SYSTEM, which is the root equivalent on a Windows system.

Hack The Box Popcorn


We can start the enumeration with an nmap scan.

nmap -sC -sV

The output shows that there are two ports open: 22 (SSH) and 80 (HTTP).

Visiting HTTP, we get an "It works" page.

There seems to be nothing interesting, so we can enumerate further with a directory brute force.

There is a directory called torrent. Visiting it, we get a page called Torrent Hoster.

We can see that there is an upload page, but we need an account. After creating an account, we can create a torrent.

After uploading a torrent file, there is an option to add an image as a thumbnail.

We can upload a PHP shell by giving it an image extension, intercepting the request in Burp Suite and changing the extension to php.

After changing the gif extension to php, the file gets uploaded and we can access it in the /uploads directory.
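
The thumbnail upload above trusted the file name and content type sent in the request. As an added example (not from the original post or from the Torrent Hoster code), here is a server-side check that ignores both and derives the stored name and extension from the file's own leading bytes; the function names and the signature table are assumptions made for illustration.

```python
import secrets

# Leading-byte signatures for the image types a thumbnail feature should accept.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Defence in depth: an image bound for a web-served folder must not carry this tag.
SCRIPT_MARKERS = (b"<?php",)


def sniff_image_type(data: bytes):
    """Return the extension implied by the content, or None if it is not an allowed image."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def safe_thumbnail_name(client_filename: str, content_type: str, data: bytes):
    """Choose the stored file name for an uploaded thumbnail.

    client_filename and content_type come from the request and can be edited
    in a proxy, so they are deliberately ignored when choosing the name.
    Returns a server-generated name, or None when the upload is rejected.
    """
    ext = sniff_image_type(data)
    if ext is None:
        return None  # content is not one of the allowed image formats
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return None  # valid image header followed by embedded script
    # Random name plus server-chosen extension: ".php" can never reach the disk.
    return f"{secrets.token_hex(16)}.{ext}"
```

Storing uploads outside the web root, or in a directory where the PHP handler is disabled, closes the same gap from the server configuration side.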

Privilege escalation

There are two privilege escalation methods in this box 

The first one is a kernel exploit: Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Ne…

Hack The Box Lame

Lame was a Linux machine made by ch4p

Testing Methodologies

We can start the enumeration process with an nmap scan.
nmap -sC -sV
The output of the nmap scan shows a few ports are open:
21 FTP, which has anonymous login enabled, meaning we can log in to the FTP server with the username anonymous and any password of our choice
22 OpenSSH
139 NetBIOS (Samba 3.X)
445 SMB (Samba 3.0.20)
Now we have an outline of the services running on the machine.

There seems to be nothing in FTP, so the next thing is SMB. Searching Google for the version number from the nmap scan shows a code execution vulnerability in Samba when the non-default "username map script" configuration option is used. By specifying a username containing shell metacharacters, we can execute code on the server.

It seems Samba is running as root, which makes everything easy.
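
From the defender's side, the two things worth checking are whether a server has the non-default "username map script" option set at all, and whether login names containing shell metacharacters are showing up. The following is an added example, not part of the original post: the function names, the sample configuration and its script path are constructed for illustration.

```python
import re

# Characters that have no place in a login name. A trailing "$" is allowed
# because machine accounts end with it; "\" is allowed for DOMAIN\user.
SHELL_META = re.compile(r"[`;|&<>(){}\n]|\$(?!\Z)")

# Constructed sample smb.conf; the script path is a placeholder.
SAMPLE_CONF = """
[global]
   workgroup = WORKGROUP
   # non-default option referred to in the write-up
   Username Map Script = /etc/samba/scripts/mapusers.sh

[share]
   path = /srv/share
"""


def audit_smb_conf(text: str):
    """Return (section, value) for every 'username map script' setting found."""
    findings, section = [], "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and internal whitespace.
        if sep and re.sub(r"\s+", "", key).lower() == "usernamemapscript":
            findings.append((section, value.strip()))
    return findings


def suspicious_username(name: str) -> bool:
    """True when a login name contains shell metacharacters."""
    return bool(SHELL_META.search(name))
```

Any finding from `audit_smb_conf` on a Samba 3.0.20 host is a reason to remove the option and upgrade; `suspicious_username` can be applied to login names pulled from authentication logs.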

Hack The Box Tenten

Testing Methodologies

We can start the enumeration with an nmap scan.

The output shows that there are two ports: 22 (SSH) and 80 (HTTP).
By visiting HTTP we have a WordPress website.

By running wpscan we can enumerate usernames and installed plugins.

The wpscan output shows a vulnerable plugin called Job Manager and a user called takis.
By checking the job posts we can apply for a job.

By changing the apply parameter we can look at other job postings, and with Burp Suite Intruder we can look for any valid jobs.

After starting Intruder we get a valid job title at id 13.
Visiting job application 13, there is an image.
After further enumerating WordPress, it seems there is nothing interesting other than this image.
Using steghide, we can see if there is anything embedded in the image.
It looks like there is a file hidden in the image: an RSA private key.
Upon extraction there was no passphrase required, but the key has been encrypted, so we can't use it to log in because a password should be pro…