Absolute involved extracting usernames from image’s meta data, using a tool named anarchy to generate pattern for generating usernames, using kerbrute to find valid usernames, we’ll get a user d.klay who has pre-authentication disabled leading to AS-REP roasting, cracking the hash the credentials won’t work as NTLM auth is disabled…

Precious an easy rated linux machine which involved a site converting web pages to PDF using pdfkit which was vulnerable to command injection (CVE-2022–25765), giving us a shell as ruby user, password for henry was found through bundle config file, with henry a dependency checker script can be ran as…

Interface, a medium rated linux machine involved finding an api subdomain from the CSP header, fuzzing for endpoints, it had dompdf which was vulnerable to rce by loading a css having malicious php giving us a shell as www-data, with pspy we can see a bash script running as root…

Flight from HackTheBox which involved Forced NTLM Authentication, getting svc_apache’s hash, password spraying on the enumerated usernames will lead us to S.moon which had write access to Shared share allowing us to upload a desktop.ini and again performing forecd authentication to get c.bum’s hash, this user had access to web…

Meta-Two from HackTheBox was an easy rated linux machine that involved an un-authenticated SQL Injection in a plugin allowing us to login wordpress dashboard, further it had another plugin vulnerable to XXE allowing us to read wp-config.php, …

Photobomb from HackTheBox was an easy machine that involved finding credentials from a javascript file, giving access to a page which generates an image file, the POST parameter responsible for file extension was vulnerable to blind command injection, giving a shell as wizard user, escalation to root was straight forward…

Ambassador from hackthebox was medium rated machine which involved exploiting Local File Inclusion in Grafana through which we can view the sqlite database for grafana which will have the base64 encoded password for developer user through which we can login, from /opt directory we can find Consul API token through…

Updown, a medium rated linux machine involved fuzzing for subdomain leading to a dev domain which was accessible through a special header found from .git directory, the site had a file upload for the purpose of check the reachability of the sites in that file which lead to remote code…

Shoppy an easy rated linux machine involved bypassing authentication through NoSQLi, further getting the credentials through that again which was used on mattermost subdomain found from fuzzing, from there finding jaeger’s credentials and logging in through ssh, with sudo privileges this user can run the password-manager binary as deploy which…