Ambassador from hackthebox was medium rated machine which involved exploiting Local File Inclusion in Grafana through which we can view the sqlite database for grafana which will have the base64 encoded password for developer user through which we can login, from /opt directory we can find Consul API token through…

Updown, a medium rated linux machine involved fuzzing for subdomain leading to a dev domain which was accessible through a special header found from .git directory, the site had a file upload for the purpose of check the reachability of the sites in that file which lead to remote code…

Shoppy an easy rated linux machine involved bypassing authentication through NoSQLi, further getting the credentials through that again which was used on mattermost subdomain found from fuzzing, from there finding jaeger’s credentials and logging in through ssh, with sudo privileges this user can run the password-manager binary as deploy which…

Health was medium rated linux machine that involved performing Server Side Request Forgery (SSRF) on webhook which the site was using, it had input sanitization through which SSRF couldn’t be performed normally, by using the monitored url field to host a php file to redirect to port 3000 on the…

Support form HackTheBox was an easy rated AD machine which involved enumerating SMB share to find a custom exe which was authenticating to LDAP, on either reversing or analyzing the traffic from the exe we can find the password for ldap user, having access to ldap service we can find…

Outdated was a medium rated windows machine which involved enumerating smb shares, from there getting a list of cve’s and an email, using follina by sending an email on smtp, getting a shell on a container as btables, by running sharphound to enumerate the domain, btables can add shadow credentials…

Carpediem, a hard linux machine that involved registering for account and escalating to admin user by changing the login_type value, on registering a file can be uploaded which doesn’t allow php extensions which can be bypassed with ex iftool by adding a php code in the comment giving us www-data…

Red panda, an easy rated linux machine, involved a spring boot application vulnerable Server Side Template Injection (SSTI) which was blocking few characters to not allow remote code execution, using any encoder for generating payload for java runtime exec, we get the shell as woodenk user, running pspy a jar…

Hathor was an insane windows machine that involved logging to mojopotral using default admin creds, uploading aspx web shell, enumerating the system to get BeatriceMill credentials, being a web service user we can perform IIS Impersonatation to get a reverse shell as BeatriceMill, on further enumeration, 7zip is being executed…