Posts
0xPrashant
Cancel
Hackthebox Blunder writeup image

The file todo.txt tells about a username and making a custom-wordlist using cewl , Brute forcing the login using custom python script , We logged into the CMS and exploiting the bludit using manually and metasploit , We got our initial shell . And the file users.php reveals a hash by cracking it we are logged into as hugo . Privielge escalation is all about the sudo vulnerability.

Hackthebox Travel writeup image

Dumping the .git dir and bypassing the ssrf along with chaining it with the php-deserialization and php-memcache to get a rce then doing some ldapmodify to modify some users entries to get the shell as root……..

Hackthebox Cache writeup image

Using cewl to make a custom wordlist from thr page author.html , used wfuzz to find the another domain and sqli in the add_edit_event_user.php , using sqlmap to dump the table user_secure and got the credentials for the openEmr panel.Editing the file config.php and embeding php reverse shell to get initial shell as www-data.The file jquery/functionality.js contains user ash password.Memcached service is ruuning locally. Getting user luffy credentials By dumping data from memcache by Monitoring using Watchers and manually.The user luffy is in the group docker.Displaying docker images got ubuntu and Spawning a root-shell.

Hackthebox obscurity writeup image

Fuzzing the hidden dir and then analyzing the python script to excute the command and get an initial shell,And after decrypting the key using superSecureCrypt.py we can get password of user robert robert can run Betterssh.py i mentioned both unintended and Two intended ways to get root.

Hackthebox Admirer writeup image

Nmap results and Gobuster reveals robot.txt file which is dissallowing a dir called admin-dir running wfuzz against it we got two files contacts.txt and credentials.txt which contains ftp user and pass.Got some files in ftp server.We got an another directory utility-scripts and fuzzing the dir we got another file adminer.php which is running the adminer-database on it.Connecting our mysql database with the adminer we can write adminer-db data to our data and so we got a password for user waldo.And the user waldo can run a script as root.Privilege escalation via python library path hijacking and running script as root we got a root shell by using netcat bind shell.

Hackthebox Openadmin writeup image

Exploiting the openadmin service we get an initial shell and after getting credentials of jimmy in db.php logged in using ssh,Enumerating on a local high port we are joanna and privesc using nano is the journey of openadmin.

Hackthebox Quick writeup image

This Box is currently in hackthbox active category , You can access the writeup only if you have either the Administrator user ntlm or the root user password hash from file /etc/shadow.

Hackthebox Magic writeup image

This Box is currently in hackthbox active category , You can access the writeup only if you have the Administrator user ntlm in md5 format. For More information Go to http://0xprashant.github.io/pages/decryption-instruction

Hackthebox Servmon writeup image

Anonymous access to ftp protocol and found that there exist a interesting file , Directory traversal on the nvms-1000 and grabbing that files and login in as a regular user ,Exploiting Nsclient that is running on port 8443 to get root.

Hackthebox Forwardslash writeup image

Finding a new subdomain and a tricky lfi using php Wrapper and getting a users creds , Abusing a suid that is somehow linked to another file . Got user and analyzing a python script and getting password to mount images and got ssh-keys for root

© 2020 Prashant Saini.