Recent posts

Book Write-Up: HackTheBox

3 minute read

Book was a medium machine on Hack The Box created by MrR3boot. Initial recon revealed a web application login that is vulnerable to a SQL truncation attack, allowing login as admin. Once admin, we can inject XSS payloads to read local files through dynamically generated PDFs, a technique used to extract a user’s private SSH key. Finally, after logging in as the user reader via SSH, we discover a vulnerable version of logrotate running as root, which is exploited to escalate to the root user.

Nest Write-Up: Hack The Box

4 minute read

Nest was an excellent easy-rated machine on Hack The Box created by VbScrub. Initial recon revealed an open SMB port and an uncommon HQK Reporting service. Enumerating SMB revealed some default credentials, which allowed further read access. Digging further, we come across some encrypted credentials and a Visual Basic project. Building the project, we are able to decrypt yet another password, this time for the user c.smith. We use the newfound creds to go further into the SMB gauntlet and discover the HQK Reporting binary. Tearing it apart with dnSpy, and a touch of reversing, we get the Administrator password and root flag.

Resolute Write-Up: Hack The Box

3 minute read

Resolute was a straightforward medium-rated machine on Hack The Box created by egre55. Initial recon revealed an open LDAP service which leaked all local users and a default password. This allowed a password spray over WinRM and a successful login as user melanie. As melanie, further machine enumeration revealed PowerShell transcripts that leaked a command containing user ryan’s password. User ryan is part of the Contractors group, which is itself a member of the DnsAdmin group. Membership in the DnsAdmin group is abused to add the first compromised user, melanie, as a Domain Admin, owning the machine.