Hackthebox LoveTok writeup image

This Challenge is currently active , You need to complete the challenge first and then try to decrypt the writeup with the help of flag

Hackthebox Laboratory writeup image

This machine is currently active on hackthebox wait until it gets retired or if have owned iyout then you need to get the Administrator NTLM hash or the root password hash from the file /etc/shadow file.And enjoy the writeup.

Hackthebox Academy writeup image

Altering the administrator username by changing the roleid and login as admin on the web , two ways to get user one is admin page revealing a new VHOST which is running on laravel , and the lavarel is exposing its app_key so its is vulnerable to RCE , Exploiting the RCE and get a shell as www-data . and second is reading the .env file and get the password for the user from academy dir , Hit and trial that password on all console users , got lucky with one user .And second is reading the .env file and get the password for the user from academy dir and login with onw of the user metioned on admin page. Now got mrb3n user password from audit-logs and logged in as mrb3n. mrb3n can run composer as sudo , making a custom script and running it with composer as root, Thats how i pwned it

Hackthebox Time writeup image

There are two features on webiste ONLINE JSON BEAUTIFIER & VALIDATOR the validator feature is vulnerable to a CVE and after searching about it bit more got initial shell as user , Privlege escaltion was bit easy there is a timer_backup script that is in cronjobs and running as root, and we have write permissions to it , writing our rev shell to it and got root

HackTheBox was vulnerable to reverse tabnapping image

There was a reverse tabnapping in hackthebox in the walkthrough section due to the html link opener using target=”_blank” without any rel=”noopener nofollow” , that results redireting the victim user to a new phishing page.

Hackthebox Buff writeup image

This is relatively an easy box which is based on the 2 CVE’S , The PHP webapp that is hosted on port 8080 is vulnerable to a Unauthenticated Remote Code Execution from that exploit got first initial shell , There is a Binary Cloudme.exe running on the local port that is vulnerable to the buffer over flow and exploting it to get shell as Administrator

Hackthebox Sneakymailer writeup image

Nmap exposing a new domain , Grabbing employees emails from a webpage . Using swaks to send Spoofed email to all the 57 emails to phish an employee . Got a Username and password , Login into the imap and reading some messages and got another credentials , Using them to login to ftp , The Dir which is being shared on ftp is a new subdomain itself . On Ftp we have rights to write into Ftp dir so uploading a shell and executing it on website. Got a hash from .htpasswd file, cracking it and building a package and Exploiting the Pypi server to get shell as low and the user low can run pip3 as root . Abusing pip3 and got shell as root

Hackthebox Tabby writeup image

Discvering a new domain and adding it to the hosts file , Identifying a Local-file-Inclusion and extracting sensitive information . Fuzzing some dirs and got the tomcat-users.xml which contain username and password for tomcat-manager , Generating a java-payload and uploading it to get an initial reverse shell . or using metasploit to exploit the tomcat-deploy . Got a zip file cracking it with john and the password that is cracked is of user ash , The user ash is in lxd group . By importing and initialization lxd image and mouting the root dir , We got shell as root

Hackthebox Fuse writeup image

Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Password Sparying using metasploit on the smb protocol , Got the correct username and password . Changed the password using smbpasswd and login to the rpcclient. Enumerating about printers . Got a password from the result , Again password sparying using crackmapexec on the winrm protocol got the username associated with it .Logged in using evil-winrm . The user is privileged to load the drivers as , And following an article compiling the necessary files using visual-studio and exploiting the SeLoadDriverPrivilege to get shell as administartor.

Fortress Akerva writeup image

The Fortress is currently active , Better you just own it first and then enter the last flag to decrypt the writeup.If you completed the fortress then you can simply enter the last flag of the Akerva fortress , Thanks for visiting

© 2021 Prashant Saini.