CTF Writeups



HTB Blurry writeup

Saturday 12 of October of 2024

[30] <clearml/> <machine-learning/> <CVE-2024-24590/> <pickle/> <deserialization/> <python-torch/> <sudoers/>

Blurry is a medium Linux machine from HackTheBox that involves ClearML and pickle exploitation. First, I will abuse a ClearML instance by exploiting [CVE-2024-24590](https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/) to gain a reverse shell as jippity. From that access, I am able to execute a custom script as root because of a sudoers privilege; the script uses `torch.load` to import a pickle model. I will serialize data that executes a shell and gain access as root.



HTB Freelancer writeup

Saturday 05 of October of 2024

[40] <forgot-password/> <idor/> <qrcode/> <mssql/> <xp_cmdshell/> <sql-configuration/> <crash-dump-analysis/> <active-directory-acls/> <genericwrite/> <nt-hashes/> <secretsdump/>

Freelancer is a Windows machine that covers many techniques, both web and Active Directory. First, I will activate my account through a forgot-password functionality, take advantage of an IDOR in a QR code and log in as admin. Then, in the admin panel, I have the ability to execute SQL commands, so I can use xp_cmdshell to execute a system command and gain a reverse shell as sql_svc. From that access, it's possible to see a SQL installation configuration file in the Downloads directory with a password that is reused by mikasa on the system. Now I can read an email that leads to a .dmp file (a memory dump), and I will dump its contents to retrieve a password for lorra199. Finally, looking at the ACLs of lorra199, I can see that her group has GenericWrite on the DC, so I can add a computer account with credentials of my choosing and dump all the NT hashes with secretsdump, including the Administrator's.



HTB Boardlight writeup

Saturday 28 of September of 2024

[20] <dolibarr/> <CVE-2023-30253/> <subdomain-enumeration/> <crm/> <erp/> <php-injection/> <php-configuration/> <mysql/> <password-reuse/> <suid/> <enlightenment/> <CVE-2022-37706/>

Boardlight is a Linux machine that involves Dolibarr exploitation and an Enlightenment CVE. First, a discovered subdomain uses Dolibarr 17.0.0 as its CRM, which is vulnerable to PHP injection that I used to receive a reverse shell as www-data. With that access, I had permission to read the PHP configuration files where the MySQL password is saved, and it's reused by the larissa system user. Finally, looking for files with SUID permissions, I saw the enlightenment_sys binary, which is vulnerable to [CVE-2022-37706](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit) (code injection); as its owner is root, I can gain access as root.



HTB Solarlab writeup

Saturday 21 of September of 2024

[30] <smb/> <spreadsheet/> <libreoffice/> <bruteforcing-web/> <rce/> <CVE-2023-33733/> <pdf/> <openfire-exploit/> <CVE-2023-32315/> <openfire-database/> <decrypt-password/> <java/>

Solarlab is a Windows machine that requires a few steps to complete. First, I will extract passwords from a spreadsheet in the SMB service of the victim. Then, I will use those usernames and passwords to brute-force a web panel and gain access to the report page. Inspecting the PDF generated for a report, I can see that it's generated using the "ReportHub pdf library", which has an RCE vulnerability that gives me access as blake. Then, I will abuse [CVE-2023-32315](https://www.vicarius.io/vsociety/posts/cve-2023-32315-path-traversal-in-openfire-leads-to-rce) to exploit an Openfire instance, which gives me access as the openfire user. As the `openfire` user, I can read the database initialization script, which contains what is needed to decrypt the password, and that password is reused by Administrator on the system.



HTB Intuition writeup

Saturday 14 of September of 2024

[40] <xss/> <cookie-hijacking/> <cve-2023-24329/> <urllib/> <ssrf/> <ssrf-to-lfi/> <url-wrappers/> <ftp/> <ssh-key/> <ssh-key-comments/> <sqlite/> <hash-cracking/> <binary-analysis/> <suricata-logs/> <sudoers/> <ghidra/> <command-execution/>

Intuition is a hard Linux machine with a lot of steps involved. First, I will abuse a web application vulnerable to XSS to retrieve adam's and later admin's cookies. From the admin panel, I will exploit [CVE-2023-24329](https://nvd.nist.gov/vuln/detail/CVE-2023-24329) to bypass URL scheme restrictions in a "Create Report PDF" functionality and turn the SSRF into an LFI (file://). I will use the LFI to analyze the source code of the Flask application and see that it uses an FTP credential for backups. With that FTP credential, I will use the ftp:// wrapper and find an SSH private key together with a welcome_note that contains the key's passphrase, which I can use to connect over SSH as dev_acc. From there, I will find a users.db SQLite file with the hash of user adam, which I can crack and use on the FTP service to see some backup files of a binary called "runner1". Then, in the Suricata logs, I can see a credential used by user lopez over FTP that I can use to SSH in as lopez. This lopez user has a sudoers privilege that lets him run /opt/runner2/runner2 as any user he wants. Analyzing the binary with Ghidra, I can see that it calls system() with unsanitized user-controlled input, so I can execute a bash shell as root.



HTB Mailing writeup

Saturday 07 of September of 2024

[20] <lfi/> <hMailServer/> <hMailServer-configuration/> <hash-cracking/> <outlook-vulnerabilities/> <CVE-2024-21413/> <ntlm-hash/> <libreoffice-odt-exploit/> <CVE-2023-2255/>

Mailing is an easy Windows machine that teaches the following things. First, it's necessary to abuse an LFI to read the hMailServer configuration and obtain a password. Then, those credentials can be used to send an email to a user with a CVE-2024-21413 payload, which consists of an SMB link that leaks the user's NTLM hash to an attacker-hosted SMB server if it's opened with Outlook. This hash can be cracked and consequently used to gain access to the machine. Finally, to gain access as Administrator, I will create a malicious .odt file with a CVE-2023-2255 exploit, which is opened by the Administrator.



HTB Skyfall writeup

Monday 02 of September of 2024

[50] <forbidden-bypass/> <minio-cloud/> <minio-cve/> <CVE-2023-28432/> <hashicorp-vault/> <vault-ssh/> <sudoers/> <vault-unseal/> <race-condition/>

Skyfall is an insane Linux machine that teaches things about cloud and secrets management using third-party software. It starts with a website that lets me upload files and has a forbidden "Metrics" page. This path is managed by nginx and, because it's misconfigured, I can bypass the forbidden response by injecting a URL-encoded \n. On this page, there are MinIO metrics that leak a subdomain used for a MinIO instance, whose version is vulnerable to an information leak that exposes the secrets used to connect to this instance. With the secrets, I can read other users' files, and there are 3 versions of a home backup belonging to askyy, of which version 2 leaks a VAULT_TOKEN and VAULT_API_ADDR in .bashrc. After that, I can use these Vault variables to connect to Vault, list SSH roles and connect over SSH as askyy to skyfall without askyy's password, using only the Vault token. Then, to escalate to root, I will abuse a sudo privilege that lets me execute vault-unseal, which writes the Vault key to a debug.log owned by root. This file is deleted each time it is created, so I can use a race condition to create it first so that it's owned by me, and create a symlink to view its contents. Finally, I can use Vault SSH with the new token to gain access as root.



HTB Runner writeup

Saturday 24 of August of 2024

[30] <teamcity/> <cve-2023-42793/> <teamcity-api/> <teamcity-rce/> <hsql/> <bcrypt/> <hash-cracking/> <id_rsa/> <portainer/>

Runner is a medium Linux machine that teaches TeamCity and Portainer exploitation. First, I will abuse [CVE-2023-42793](https://nvd.nist.gov/vuln/detail/CVE-2023-42793) to obtain an admin token and gain access to the TeamCity API. I will use this API to create a user and access the admin panel to retrieve some info. Also, I will use this API to create a process that gives me a reverse shell, gaining access as tcuser in a container. Then, I will find an id_rsa for the john user and also a password for matthew in the HSQL database of TeamCity, which is not useful for now. When I have access as john on the Runner machine, I can forward a Portainer instance and reuse the matthew password seen before. From there, I will create a container with a mount of /, which I will use to add my SSH public key to root's authorized_keys and gain access as root on Runner.



HTB FormulaX writeup

Saturday 17 of August of 2024

[40] <xss/> <websocket/> <simple-git-cve/> <CVE-2022-24066/> <mongodb/> <hash-cracking/> <librenms/> <librenms-abuse-template/> <laravel-blade/> <php/> <env-creds/> <sudoers/> <libreoffice-server-abuse/> <apache-uno-api/>

FormulaX starts with a website used to chat with a bot. Here, there is a contact section where I can contact the admin and inject XSS. I will use this XSS to exfiltrate the admin's chat history to my host, as it's the most interesting functionality and I can't retrieve the cookie because it has the HttpOnly flag enabled. This chat history reveals a new subdomain, dev.git.auto.update.chatbot.htb, which uses simple-git v3.14, vulnerable to [CVE-2022-24066](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221). Exploiting this gives a shell as www-data, where I can access the Mongo database used by the web, crack frank_dorky's hash and read user.txt. Then, it's possible to see port 3000 open internally on localhost, which I will forward and discover that it's running LibreNMS. The source is located at /opt/librenms and has 771 permissions, which gives execute permission to others. I can execute adduser.php and add a new user. In the web panel, I can create a new [Blade Template](https://laravel.com/docs/11.x/blade#raw-php) as shown in the [documentation](https://docs.librenms.org/Alerting/Templates/) and execute PHP code that gives me a reverse shell as librenms. As this user, I have read access to the source directory, so I can read .env and obtain credentials for kai_relay. With kai_relay, I have the sudo privilege to execute as root a script that starts a LibreOffice Apache UNO API instance. This is vulnerable to RCE as seen in [this article](https://hackdefense.com/publications/finding-rce-capabilities-in-the-apache-uno-api/), so I can execute a command that gives me a reverse shell as root.



HTB Usage writeup

Saturday 10 of August of 2024

[20] <sql-injection/> <boolean-based-sql-injection/> <hash-cracking/> <upload-vulnerabilities/> <monit/> <sudoers/> <abuse-symlinks/> <zip/>

Usage is an easy Linux machine which starts with a SQL injection in a forgot-password functionality. With this SQL injection, I will extract a hash for admin that gives me access to the administration panel. From there, I will abuse a profile picture upload to upload a PHP reverse shell that gives me access as the dash user. Then, in dash's home directory, I will find a .monitrc that gives me credentials for xander, who has a sudo privilege that allows backing up the web directory, where I can place symlinks. I will abuse this to retrieve root's id_rsa.



HTB IClean writeup

Saturday 03 of August of 2024

[30] <xss/> <ssti/> <sql/> <password-reuse/> <qpdf/> <sudoers/>

IClean is a medium Linux machine where we will learn different things. First, there is a website that offers a cleaning service, where I will exploit an XSS vulnerability to retrieve the admin's cookie. Then, I will exploit an SSTI vulnerability to gain access as www-data. From there, I can get credentials for the database and crack a hash for the consuela user. Finally, I will abuse the --add-attachment option of qpdf to exploit a sudoers privilege.



HTB WifineticTwo writeup

Saturday 27 of July of 2024

[30] <openplc/> <cve-2021-31630/> <wifi-scanning/> <pixiedust/> <port-scanning/> <ssh/>

WifineticTwo is a medium Linux machine where we can practice Wi-Fi hacking. First, I will exploit an OpenPLC Runtime instance that is vulnerable to [CVE-2021-31630](https://nvd.nist.gov/vuln/detail/CVE-2021-31630), which gives C code execution on a machine with hostname "attica03". From there, I noticed a wlan0 interface, which is unusual in HackTheBox. Using the iw command, I'm able to scan for Wi-Fi networks and see a router vulnerable to Pixie Dust. Once I have retrieved the password, I can connect to the Wi-Fi network and see the ports open on the AP. Port 22 is open, and we can connect to the router as root without a password (OpenWrt defaults).



HTB Headless writeup

Saturday 20 of July of 2024

[20] <xss/> <command-injection/> <sudoers/> <path-hijacking-.//>

Headless is an easy Linux machine from HackTheBox where first it's necessary to perform an XSS attack through the User-Agent header, as it's reflected on the admin's dashboard. Then, we have to inject a command in a user-input field to gain access to the machine. Finally, in the sudo privileges it's possible to see that a file is executed from the current directory without an absolute path, so we can create our own and execute the command we want.



HTB Corporate writeup

Monday 15 of July of 2024

[50] <xss/> <bypass-csp/> <cookie-hijacking/> <idor/> <vpn/> <password-spraying/> <.mozilla-enumeration/> <bruteforce-bitwarden-pin/> <source-code-analysis/> <cookie-forging/> <jwt/> <docker-privesc/> <abupve/>

Corporate is an insane Linux machine featuring a lot of interesting exploitation techniques. First, we have to bypass the Content Security Policy rules in order to exploit an XSS vulnerability, by abusing a JS file in corporate.htb that can execute arbitrary functions. Once we have the cookie of a staff user, we can abuse an IDOR vulnerability to share with ourselves (in reality, with other users whose cookies we have hijacked) all the files other users have. In one of these files there is a document for new Corporate users that describes the default password format. We will create a Python script that tests this password format against all the users, and we will see that four users still use this default password format. In the web, there's nothing useful to do with these credentials, but since they are shared with a VPN used to connect to the internal resources, we can connect to a VM of the machine with the same user and password. In one user's home directory, there is a .mozilla directory with interesting data for the Bitwarden password manager extension that we can use to brute-force the PIN, which leads us to a Gitea credential that leaks a JWT token. With this JWT token, we can forge a cookie to change the password of a user that belongs to an interesting group that gives us access to the Docker socket (this is possible because the VM uses LDAP authentication to manage the users, the same as the web, so if we change the password in the web, we also change the password on the Linux machine). Since this user has access to the Docker socket, we can create a Docker container with a mount of / and gain access as root in this Proxmox environment. To escape the container, an SSH key of sysadmin will be used, since we have access as root in the container and can act as any user. Finally, to escalate to root, we can abuse the PVE API to change root's password and, consequently, gain access.



HTB Perfection writeup

Saturday 06 of July of 2024

[20] <ssti/> <ruby/> <crlf-injection/> <sqlite/> <hash-cracking/> <sudo-group/>

Perfection is an easy Linux machine which starts with a Ruby SSTI in a grade calculator, combined with a CRLF injection to bypass restrictions. Once we have access as susan on the Linux machine, it's possible to see a mail from Tina that tells Susan how to generate her password. Using this information and cracking the hash from a SQLite database, we can obtain the password for susan and use it to execute any command as root, because we belong to the sudo group.



HTB Jab writeup

Friday 28 of June of 2024

[30] <xmpp/> <xmpp-user-enumeration/> <asreproast/> <hash-cracking/> <executedcom/> <dcomexec.py/> <openfire-rce/> <CVE-2023-32315/>

Jab is a Windows machine in which we need to do the following things to pwn it. First, we have an XMPP service that allows us to register a user and list all the users thanks to its search functionality (*). Then, with that list of users, we are able to perform an ASRepRoast attack, where we receive a crackable hash for jmontgomery. This credential is reused for XMPP, and in his messages we can see a pentester of the company who shares a hash for svc_openfire, who has ExecuteDCOM privileges on jab.htb, so we can connect using dcomexec.py in order to gain access as svc_openfire. Finally, there is an internal port running an old Openfire version vulnerable to RCE that allows us to gain access as Administrator.



HTB Office writeup

Friday 21 of June of 2024

[40] <joomla-information-disclosure/> <CVE-2023-23752/> <smb-enumeration/> <pcap-tcp-packet-analysis/> <wireshark/> <krb-hash/> <joomla-rce/> <runascs/> <password-reuse/> <port-forwading/> <libreoffice-odt-exploitation/> <CVE-2023-2255/> <dpapi-creds/> <mimikatz/> <bloodhound/> <modifying-group-policy/>

Office is a hard Windows machine in which we have to do the following things. First, we have a Joomla web vulnerable to an [unauthenticated information disclosure](https://github.com/Acceis/exploit-CVE-2023-23752), which later gives us access to SMB as the user dwolfe, whom we enumerated earlier with kerbrute. With this SMB access, we can reach a "SOC Analysis" share which has a pcap file in which we can see a krb5 hash for user tstark. This hash is crackable, and we can log in to Joomla to later modify a template and gain access as web_account. Then, we can read user.txt by executing a command as user tstark, with the password cracked before, using RunasCs. Next, it's possible to gain access as user ppotts by using an internal website and uploading a .odt file crafted to exploit CVE-2023-2255 in LibreOffice. Consequently, we can find some DPAPI credentials which, when decrypted with mimikatz, reveal the password for hhogan. Finally, in BloodHound we can see that a group to which hhogan belongs can modify the Group Policy and consequently add him to the Administrators group.



HTB Crafty writeup

Thursday 13 of June of 2024

[20] <minecraft/> <log4j/> <jdgui/> <analyzing-jar/> <minecraft-plugins/>

Crafty is an easy Windows machine on HackTheBox in which we have to abuse the following things. First, it's necessary to install a Minecraft client to abuse the famous Log4Shell (Log4j) vulnerability on a Minecraft server and gain access as svc_minecraft. Finally, we have to analyze a Minecraft plugin (.jar) with JD-GUI, and we can see that it uses a password that is also the Administrator's.



HTB Pov Writeup

Saturday 08 of June of 2024

[30] <lfi/> <web.config/> <deserialization/> <exploiting-viewstate/> <decrypting-securestring/> <sedebugprivilege/>

Pov is a Windows machine with a medium difficulty rating in which we have to do the following things. First, we have to abuse an LFI to read web.config and consequently craft a serialized payload for VIEWSTATE with ysoserial.exe to gain access as sfitz. Then, to gain access as alaading, we can find a PowerShell SecureString password in an XML file. Finally, we can abuse alaading's SeDebugPrivilege to attach to a process running as administrator and gain a shell as administrator.



HTB Analysis Writeup

Wednesday 05 of June of 2024

[40] <fuzzing/> <ldap-injection/> <php-shell/> <upload-vulnerabilities/> <autologon/> <dll-injection/>

Analysis is a hard machine on HackTheBox in which we have to do the following things. First, we have to enumerate files and directories recursively with a tool like feroxbuster. Then, I will abuse an LDAP injection with a Python script to read a user's password stored in the description attribute. Also, we can abuse a PHP upload vulnerability to gain access to the system as svc_web. Later, we can find saved AutoLogon credentials to gain access as jdoe. Finally, we can abuse a DLL injection in a Snort dynamic preprocessor that Administrator executes, and we gain access as Administrator.



HTB Bizness Writeup

Friday 24 of May of 2024

[20] <apache_ofbiz/> <CVE-2023-51467/> <CVE-2023-49070/> <hash_cracking/> <hash_salt/> <su/>

Bizness is an easy machine in which we gain access by exploiting the CVE-2023-51467 and CVE-2023-49070 vulnerabilities in Apache OFBiz. Then, we have to find in some files a salted hash, which we crack to obtain the password for root.



HTB Ouija Writeup

Saturday 18 of May of 2024

[50] <fuzzing/> <html_inspection/> <information_leakage/> <haproxy/> <http_request_smuggling/> <CVE-2021-40346/> <source_code_inspection/> <hash_extension_attack/> <lfi/> <proc_files/> <php_plugin/> <integer_overflow/> <buffer_overflow/> <webshell/>

Ouija is an insane machine in which we have to complete the following steps. First, we have to fuzz port 80 to find an index.php file that is not the default page of this web service and redirects to ouija.htb. Second, we have to fuzz subdomains of ouija.htb to discover the dev.ouija.htb subdomain, which returns a 403 Forbidden status code, so it's not accessible. Then, we can see in the HTML source code of ouija.htb that it loads a script file from gitea.ouija.htb, where we find a repository containing instructions on how to install this web page, and we can see it's using HAProxy 2.2.16, which is vulnerable to HTTP request smuggling ([CVE-2021-40346](https://www.cvedetails.com/cve/CVE-2021-40346/)). Next, we have to abuse this vulnerability to reach the dev.ouija.htb subdomain, where we can see the source code of the service running on port 3000 and learn how the auth works, in order to perform a hash extension attack and become admin. Then, we will abuse an LFI there to read the id_rsa of user leila by going through /proc: since ../ and paths that start with / are filtered, /proc/self/root lets us reach it. Then, we will inspect a custom PHP plugin that handles the username POST data of a service running as root on port 9999, and we will be able to abuse it via an integer overflow and write a webshell in its working directory to gain access as root.



HTB Monitored Writeup

Saturday 11 of May of 2024

[40] <udp/> <snmp/> <nagiosxi/> <api/> <nagios_rce/> <sudoers/> <abusing_nagios_scripts/>

In this machine, we have an SNMP service that leaks credentials that we can use on Nagios XI through the API, because the normal login is disabled for them. Then, we can abuse a SQL injection vulnerability in Nagios XI version 5.11.3 to retrieve the API key of the nagiosadmin user and create a new user with admin privileges with this API key. Next, we create a command in the Nagios XI command utility to receive a reverse shell as the nagios user. Finally, we can abuse a sudoers privilege to run a Nagios script with a vulnerability that allows us to create a symlink to /root/.ssh/id_rsa in place of one of the files that is going to be backed up, and escalate to root.



HTB Napper Writeup

Friday 03 of May of 2024

[40] <information_disclosure/> <abusing_backdoor/> <naplistener/> <elasticsearch/> <reverse_engineering/> <go_reverse_engineering/> <decryption_with_AES/> <runascs/>

In this machine, we have an information disclosure in a posts page. Next, we have to exploit a backdoor (NAPLISTENER) present in the machine to gain access as Ruben. Then, we have to forward the Elasticsearch port to our machine, where we can see a blob and a seed for the backup user. Also, we have to reverse engineer a Go-compiled binary with the newest Ghidra version to see how this information from the Elasticsearch database is used to derive the password of user backup. Finally, with RunasCs we can execute a command as backup, who belongs to the Administrators group, and we can read root.txt.



HTB Devvortex Writeup

Friday 26 of April of 2024

[20] <joomla/> <CVE-2023-23752/> <information_leakage/> <password_reuse/> <joomla_rce/> <database_enumeration/> <hash_cracking/> <ssh/> <sudoers/> <apport-cli/> <CVE-2023-1326/>

In this machine, we have a Joomla web vulnerable to [CVE-2023-23752](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla#api-unauthenticated-information-disclosure) that gives us the database password of the lewis user, which is reused for the Joomla login. With this login we can achieve RCE by editing a Joomla template. Then, to escalate to logan, we can connect to the database, retrieve his hash and crack it. Finally, for privilege escalation we have a sudoers privilege that lets us run the apport-cli command, whose version is vulnerable to [CVE-2023-1326](https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb).



HTB Surveillance writeup

Wednesday 17 of April of 2024

[30] <craft_cms/> <hash_cracking/> <zoneminder_exploit/> <sudoers/> <abusing_zmupdate.pl/>

In this machine, we have a web service vulnerable to the [Craft CMS 4.4.14 RCE exploit](https://github.com/Faelian/CraftCMS_CVE-2023-41892), which gives us access as www-data. Next, we can find the hash of matthew in a SQL file and crack it to obtain the password. Then, we can see a port open on localhost with a web service running a ZoneMinder video surveillance version that is vulnerable to [RCE](https://github.com/rvizx/CVE-2023-26035), which gives us access as the zoneminder user. Last, we have a sudoers privilege on the zoneminder user that lets us run any ZoneMinder-related Perl script as root. We can exploit it because one script passes the --user parameter to a command without any validation, which lets us inject a command through the --user parameter.



HTB Hospital Writeup

Monday 08 of April of 2024

[30] <webshell_upload/> <kernel_exploits/> <hash_cracking/> <pivoting/> <phishing/> <ghostscript_rce/>

In this machine, we have a web service vulnerable to webshell upload, in which we have to bypass the filters by using a .phar file instead of .php, and we gain access to another machine on the same network which runs Linux instead of Windows. Then, we have to use [CVE-2023-32629](https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629) to exploit a kernel vulnerability and gain access as root. Later, we can recover drwilliams' password by cracking the /etc/shadow hash and gain access to the Roundcube webmail service. Once we have access to that mail service, there is an inbox message from drbrown asking us to send a .eps file to open with Ghostscript, so we can phish him with a malicious file that exploits [CVE-2023-36664](https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection). Then, we target the account that owns the XAMPP HTTPS server and gain access as NT AUTHORITY\SYSTEM.



HTB Codify Writeup

Friday 05 of April of 2024

[20] <nodejs/> <rce/> <sqlite3/> <hashes/> <sudoers/> <bash-bruteforcing/>

In this machine, we first have a web vulnerable to Node.js RCE that gives us access as the "svc" user; then we can move to user "joshua" because his credential is stored as a hash in a SQLite3 database file. Later, to escalate to root, we have to abuse a sudoers privilege to brute-force a password using the "*" character in bash (due to a misconfiguration in the script); that password is reused as the "root" password on the system.