-
Feb 1, 2025
tags:
htb
medium-box
season-6
linux
webapp
cve
xss
mysql
john
lotl
ssh-tunneling
ssti
To begin this box and get a shell a 2024 CVE can be used for RCE on the specific PrestaShop version. Inside of the PrestaShop config file the mysql database credentials can be found, and used thereafter to dump the admin password for cracking. As james a docker service can be enumerated to find a webpage change detection service, boasting another 2024 CVE. Through some SSTI the service can be exploited to get root inside of a docker container, which has a history of the true root password of the base machine.
-
Jan 25, 2025
tags:
htb
hard-box
season-6
linux
webapp
git
h2-database
ssh-tunneling
thrift
python
A fairly easy hard box using some obscure technologies. Starting off is a gitbucket service with simple credentials. As root the backend h2 database can be interacted with to create an alias which runs commands through Runtime. With that shell root can be seen running the LogService repo's server file. After generating python code with thrift and creating a client the log reading service can be fed a malicious log to achieve rce as root.
-
Jan 18, 2025
tags:
htb
medium-box
season-6
linux
webapp
sqli
crypto
json
php
ssh-tunneling
mysql
sqlite3
Though I did not hack the first two Monitor boxes I can say this one makes me want to go back and experience them firsthand. Starts with an SQLi for credentials to a subdomain, then uploading a package for custom php execution. With that shell the local database files can be used to login and dump the marcus user's password. As marcus a quick ssh tunnel allows the backup service Duplicati to be leveraged to backup and restore any root file effectively pwning the box.
-
Jan 11, 2025
tags:
htb
easy-box
season-6
linux
webapp
ssti
john
ssh-tunneling
chrome
A potentially devious easy box with some interesting attack vectors and more reasons to hate Chrome. To start a subdomain referenced on the front page of port 80 can be exploited by SSTI when creating a new connection. Docker root is then used to crack a shadow hash for user as Michael. The debugging port of chrome allows for the reading of requests sent during a login to an admin portal, giving the password. That service can then be used to change a restart command for a service to run arbitrary code and achieve root.
-
Dec 19, 2024
tags:
htb
easy-box
season-6
linux
webapp
wondercms
xss
cve
ssh-tunneling
command-injection
A simple box with two options to become www-data and a couple rabbit holes. Starts on a webapp running WonderCMS which is vulnerable to a CVE. The remnants of a github poc being run against the box exist, and can be used for a reverse shell. Alternatively the exploit can be stripped and an XSS payload can be sent through the contact form, which will GET and run javascript to install a new theme containing a reverse shell. The database file contains amay's password. As amay port 8080 can be accessed through SSH tunneling. That service once intercepting its requests can be leveraged to inject commands that run as root, compromising the box.
-
Dec 10, 2024
tags:
python
25 days of coding challenges, found at https://adventofcode.com/ and solved by me in Python. Click any day of the calendar above to see the respective challenge and solution. Still working on porting over solutions and writeups.
-
Nov 30, 2024
tags:
htb
hard-box
season-6
linux
webapp
ssrf
proxy
dotnet
directory-traversal
dll
lfi
sqlite3
sudo
blob
Starts off simple with 2 webapps to explore, one using a vulnerable version of Skipper Proxy. Through that proxy SSRF can be used to fuzz internal ports and find the running blazor application, which can further be used to find a DLL for the internal webapp. Once downloaded and decompiled a basic database can be found where a comment leaks a password for the admin portal. In that portal exists modules that run DLL files, and the function to upload with directory traversal to that module directory. With a proper DLL remote code can be run to find the SSH key. The final step involves exporting the sudo procmon and filtering through the BLOB entry within that database to find a command piping the root password into a backup script.
-
Nov 23, 2024
tags:
htb
medium-box
season-6
linux
webapp
php
phar
ca-cert
custom-code
bash
sudo
An underrated box from 0xdf that utilizes perhaps a little too much key signing. Starting this off is a webapp which can pop a shell after using the phar:// protocol in conjunction with the zip file upload function. Look to ticket zip files for a .har log file which holds msainristil's password for SSH access. Once in this container a keypair can be generated and signed with a 'decommissioned' certificate authority key which allows SSH into zzinter*. As this new user a new keypair can be signed for the support user through a script provided in zzinter's home. The SSH into support is for port 2222, and next using parts from the script an API can be tricked into giving a zzinter certificate with yet another keypair. Lastly a sudo run bash script is vulnerable to wildcard exfiltration which leaks the ca key, allowing you to sign the last keypair and SSH into root.
-
Nov 2, 2024
tags:
htb
easy-box
season-4
linux
webapp
xss
command-injection
Begins with XXS into stealing an admin cookie. Post accessing the admin dashboard the tool present can be injected with linux commands, including curl which is used to download a shell. The script the user can run as sudo can be exploited to run arbitrary code and gain a root shell.
-
Oct 19, 2024
tags:
htb
easy-box
ssrf
linux
git
python
cve
season-5
Quick 3 parter of simple easy box tropes. Entry with some SSRF, pivot with git logs, and code exploitation for root.
-
Oct 12, 2024
tags:
htb
medium-box
linux
webapp
python
pytorch
pickle
sudo
season-5
There's an old saying: a pickle in the hand is worth two in the Blurry. That is to mean starting this box is configuring a ClearML agent+account, then using a python script to create a .pkl file and upload it for a shell as jippity. Sudo is enabled for a custom python script to evaluate models. An exploit online can be used to inject the .pkl file in that archive utilizing runpy to import a maliciously crafted module to gain a shell as root. I feel like the name Dill would have been more suited given the box's solutions.
-
Sep 28, 2024
tags:
htb
easy-box
linux
webapp
php
binary-exploitation
cve
season-5
From default credentials and a service specific CVE to hard coded credentials and a tool CVE, this box is straightforward and can be solved exclusively with simple enumeration.
-
Sep 9, 2024
tags:
htb
easy-box
windows
webapp
cve
smtp
lfi
directory-traversal
responder
libreoffice
season-5
A semi-standard windows experience of a box fit with outdated software and common Active Directory exploit vectors. To start the webapp is vulnerable to directory traversal and gives LFI on the windows system. The .ini file for the hMailServer service can be read to give an admin account login password. Through that mail service the user maya can be emailed to exploit an outlook CVE to capture an NTLM hash upon SMB resource access attempt. That hash when cracked gives a foothold to discover an outdated LibreOffice version and a suspicious directory. Another CVE can be leveraged to run commands as local admin and change maya's permissions to compromise the box.
-
Aug 24, 2024
tags:
htb
medium-box
linux
webapp
cve
docker
john
season-5
This box starts with a CVE affecting TeamCity which creates and admin user. The new admin user can enable the debugging processes to allow for RCE from the same exploit, giving a foothold as tcuser. An ssh key can be found and after testing for both home users it can be determined to be john's. A local portainer service can be accessed after backing up the teamcity webapp and grepping for an admin hash. Lastly a CVE allows for setting the working directory to a specific location to get a root shell.
-
Aug 17, 2024
tags:
htb
hard-box
season-4
xss
chatbot
webapp
cve
john
ssh-tunneling
libreoffice
A cool combination of some popular web vulnerabilities get you both a foothold and a pivot later. Databases as usual hold reused passwords and sudo carries with itself a LibreOffice command which can be exploited to use its API. Neat and straightforward box.
-
Aug 16, 2024
tags:
htb
easy-box
chrome-os
webapp
wordpress
sudo
The last old box I had to rehack and create a writeup for due to the lack of documentation. Starts basic with a test site hosting wordpress files containing wp-fonfig.php leaking the database credentials. Those credentials double as the administrator password for the wordpress site which through a template edit gives us a shell as nginx. An insecure autologin script uses a hard coded password input giving an SSH session as katie. Sudo is the last step after editing a service we have access to then running the service with sudo to achieve rce and a root shell.
-
Aug 14, 2024
tags:
htb
easy-box
linux
webapp
git
flask
python
cve
command-injection
One of the last old boxes I needed to get around to rehacking and posting. Starts off simple with downloading an open source cloud service into using git logs to reveal a dev password. Then the contents can be examined to determine a vulnerability within the view.py file which allows the overwriting of any file within the webapp. After adding your own route RCE is achieved and shortly after a shell. To obtain root it is as simple as adding a variable to the git config file and running arbitrary commands.
-
Aug 10, 2024
tags:
htb
easy-box
linux
webapp
sqli
php
sudo
binary-exploitation
Usage is an easy box which begins with SQL injection on the password reset endpoint. After grabbing the admin username and password the admin profile page has a profile picture upload which can be abused to upload a reverse shell. Within the dash user's home directory is a hard coded password which is for the xander user. Finally xander can use a binary with sudo and through exploiting some 7zip logic arbitrary file reading can be achieved as root, giving both the root flag and the root ssh key.
-
Aug 1, 2024
tags:
htb
medium-box
linux
webapp
sqli
lfi
sudo
capabilities
gdb
Another old box that I needed to rehack to post. Starts off with a simple webapp vulnerability into SQL injection to gain access to the admin dashboard. Once there the library creating PDFs can be exploited for LFI to leak the database credentials. Those credentials are shared with a user on the machine and with that foothold sudo can be used to pivot to developer. ptrace the capability is present on gdb and allows us to attach to a root process and inject a shell into memory, pwning the box.
-
Jul 30, 2024
tags:
htb
easy-box
linux
dns
webapp
sqli
lfi
sudo
This was an old box I hacked without the notes to create a writeup without rehacking. This box starts with dig-ing for a subdomain which reveals a subdomain naming scheme. After fuzzing for more preprod-FUZZ.trick.htb subdomains marketing can be found which is vulnerable to directory traversal and LFI. With a foothold gained a Fail2ban config file can be overwritten to add a new actionban command to run on failed login attempts as root, compromising the box
-
Jul 20, 2024
tags:
htb
easy-box
season-4
linux
webapp
xss
command-injection
Begins with XXS into stealing an admin cookie. Post accessing the admin dashboard the tool present can be injected with linux commands, including curl which is used to download a shell. The script the user can run as sudo can be exploited to run arbitrary code and gain a root shell.
-
Jul 6, 2024
tags:
htb
easy-box
linux
webapp
ruby
john
season-4
Short and simple box. First find a way to inject ruby commands into an online calculator, then find mail with a reference to a password scheme and the corresponding db for cracking to sudo into root.
-
Jun 16, 2024
tags:
htb
easy-box
log4j
minecraft
webapp
windows
java
season-4
A blast from the past of a box. Uses the infamous log4shell vulnerability to compromise a Minecraft server, and the icing on the cake is a Minecraft plugin leaks the admin password. Truly a great exploration of the potential vulnerable environments present on many game server hosting machines.
-
Jun 8, 2024
tags:
htb
medium-box
windows
webapp
lfi
directory-traversal
deserialization
meterpreter
season-4
This box was a fun experience to daisy chain together a handful of shells until I finally had nt authority. Starting off this box involves some webapp enumeration and LFI, followed shortly by a deserialization exploit.
-
May 25, 2024
tags:
htb
easy-box
linux
webapp
deserialization
custom-code
season-4
An authentication bypass + a java deserialization exploit can get user on this machine. Then after many hours of searching a root hash and salt can be found which allows for hashing rockyou to compare.
-
Apr 27, 2024
tags:
htb
easy-box
linux
webapp
joomla
cve
mysql
john
php
The start of this box is a vulnerable version of Joomla which can be used to get a shell as www-data. Mysql and john can be used to find a password for pivoting to a user account. Then to gain root a service has a cve utilizing crash reports for privesc.
-
Apr 13, 2024
tags:
htb
medium-box
windows
webapp
upload-bypass
cve
Starting off this box is an upload bypass in a webapp for uploading medical records. OverlayFS rears its head to give us root in a container. The /etc/shadow file leaks a user's hash which lets us login to the mail service and send a ghostscript payload email to another user. Root can be obtained by finding an inherited escalated permission directory and placing a shell inside of it.
-
Apr 12, 2024
tags:
htb
easy-box
bash
javascript
custom-code
linux
cve
Foothold for this box begins with a sandbox escape through error messages which can then be used to sift through a database for user credentials. A bash script can then be abused to fuzz the root password with a custom bash script.
-
Mar 31, 2024
tags:
htb
easy-box
linux
webapp
cve
python
command-injection
bash
As an avid puzzle game enjoyer I have a deep appreciation for this box from a design perspective. The initial foothold post-nmap scan is determinable with the tools presented on the webpage. Once user is gained you need to pivot with command injection, then use a GTFObin for root.
-
Mar 30, 2024
tags:
htb
medium-box
linux
webapp
git
upload-bypass
command-injection
python
This box starts by finding a .git directory, then using the files and commits to determine the functionality of a subdomain. After finding that subdomain and upload bypass and proc_open shell is acquired. A binary is used to laterally move to developer and lastly GTFObins can be leveraged for root.
-
Mar 23, 2024
tags:
htb
easy-box
linux
webapp
cve
To start this box a framework specific CVE can be used to find a leaked setup token and use javascript runtime to run bash commands. The environment variables leak an ssh login password for a free user. OverlayFS can exploited in the final step to get root.
-
Mar 20, 2024
tags:
htb
medium-box
linux
webapp
wordpress
php
deserialization
bash
race-condition
Simple old box I hacked 3 years ago but my notes were shoddy so I rehacked it from scratch. Insecure deserialization to www-data, then bash script exploitation to root. There is probably a better writeup present on HTB if you want something more thorough. If you prefer my rambling then get in here.
-
Mar 16, 2024
tags:
htb
medium-box
windows
webapp
smb
mssql
lfi
esc7
certipy
Through an rid brute usernames can be found which can then be used for a login brute force as operator. MSSQL contains an LFI vulnerability to find a backup and associated credentials located on the webapp. Certipy is then used to exploit an ESC7 cert to request and approve a certificate to login as administrator.
-
Mar 2, 2024
tags:
htb
easy-box
linux
webapp
command-injection
postgres
john
session-hijacking
The foothold can be obtained from hijacking a session to gain access to an admin portal, then command injecting into an ssh utility within the admin utilities. Postgres dumps a credential which john can crack for another user. A little stdin/stdout redirecting can be used to gain a root shell with sudo.
-
Feb 10, 2024
tags:
htb
easy-box
pki
webapp
cve
Simple and short. Looking through the ticket tracking service we find a way to login as the user, after that we can dump the credentials to a password manager and ssh in as root.
-
Jan 27, 2024
tags:
htb
medium-box
linux
webapp
nfs
php
sqli
binary-exploitation
perl
If you like reading code and searching for vulnerabilities within this box will be a blast. This webapp hosts a game which contains a backup in an NFS share. The save_game.php file shows a the role parameter which needs to be bypassed with mysql comment characters, then the database export admin utility can be leveraged to gain a shell. One binary exploitation and perl exploit later and root is obtained.
-
Jan 13, 2024
tags:
htb
medium-box
upload-bypass
webapp
php
binary-exploitation
After completing this machine and reading some other user's experiences this one feels at best a low medium and at worst a hard easy. There is some cool LFI with a file upload and subsequent RCE with SQLi, not very hard though. The null byte vector was patched for anyone reading this.
-
Jan 6, 2024
tags:
htb
easy-box
linux
ssrf
webapp
cve
The challenge of this box comes from searching of esoteric service versions and a small understanding of some Linux commands. There is a cool use of SSRF which uses a previous exploit to exploit a locally hosted service.
-
Dec 19, 2023
tags:
thm
pentest-report
smb
suid
This is an old mock pentest I did back in 2021. Could use some improvement on the wording and vocabulary avenue, clarity of information is also a small problem. Nice to see how far we've come though, right?
-
Dec 10, 2023
tags:
htb
medium-box
smb
pwm
adcs
certipy
impacket
active-directory
windows
In classic Windows environment fashion this box starts by grabbing some configuration files from smb on port 445. Then after some PWM config shuffling we can scan to find a certificate template that is used to grant Domain Admin to the user we have.
-
Nov 25, 2023
tags:
htb
easy-box
linux
webapp
upload-bypass
cve
If bypassing image upload restrictions is your favorite activity then look no further than this box. After tEXt-ing your way into the machine pspy64 can find a file which is vulnerable to a CVE that can be exploited gain a root shell.
-
Nov 20, 2023
tags:
htb
easy-box
windows
eternal-blue
An even easier box utilizing Eternal Blue as the one and only step to compromise this machine. Again as with Jerry this is a great example of how simple old HTB machines are and with how simple older Windows versions can be to compromise.
-
Nov 20, 2023
tags:
htb
easy-box
windows
apache
msvenom
An easy box with a brute force login into a reverse shell upload. A demonstration of how simple many of the earlier boxes in HTB are.
-
Nov 18, 2023
tags:
htb
medium-box
linux
ssti
gpg
rust
custom-code
Sandworm's https site is meant to emulate a secure message transferring site, modelled after some over government sites. Getting past that uses a script I made to exploit SSTI. Through some config sifting and code manipulation you can gain user, and to finish it off a vulnerable service to obtain root.
-
Nov 5, 2023
tags:
htb
easy-box
linux
LaTeX
john
gnuplot
If obscure math programming languages and plotting tools are up your wheelhouse then this box will be a breeze. An interesting look at the vulnerabilities that lie waiting within academia though either outdated or improperly used tools.
-
Oct 28, 2023
tags:
htb
hard-box
linux
binary-exploitation
ssrf
smb
smtp
As the first active hard box I've gone out of my way to try I would say this was a serene experience. Learning about the protocol gopher:// along with using SSRF to exploit SMTP was rather unique. And I'm never one to shy away from a nice binary exploitation.
-
Oct 22, 2023
tags:
htb
medium-box
linux
postgres
yaml
binary
This box started by finding raw SQL queries within a Grafana service. After abusing that query we can gain RCE and thusly a shell. Next a network testing script with an SUID bit can be abused to pivot to a user. An SSH tunnel can be used to access the locally hosted Jupyter notetaking service, which contains a python interpreter to pivot to another user. Finally a sudo permission can be leveraged to access root files and download an auth_keys file into root's ssh folder.
-
Oct 7, 2023
tags:
htb
easy-box
linux
grpc
sqlite
Normally boxes don't give you the opportunity to learn and use completely new ports/protocols but this box is an exception. After interfacing with the new service SQL can be injected to dump credentials, after which a simple exploit can be leveraged to run RCE on a webserver for root.
-
Aug 12, 2023
tags:
htb
easy-box
linux
webapp
python
git
Much like RedPanda this box starts with exploiting a search engine. I hope your python is up to the test. Next we look for an exploit using docker inspect to get into a git repo and gain access to private scripts running on the machine, which are then exploited for root.
-
Jul 16, 2023
tags:
htb
easy-box
linux
webapp
nosqli
xss
Webdevs will cry after seeing this box. Imagine sanitizing your json that interacts with your API, or not using a vulnerable login portal. A healthy lack of trust in webdevs is all you need to hack this box.
-
Jun 17, 2023
tags:
htb
easy-box
linux
webapp
sqli
Rev up that default credential list and reverse shell, since to get www-data you need to find the CMS and abuse both. Next your knowledge of websockets better be up to par, as a middleman server is needed to scrape an SQL database on a websocket. Last and certainly least GTFOBins gives us root.
-
Jun 17, 2023
tags:
htb
medium-box
webapp
deserialization
lfi
websockets
Bagel is a box which uses some interesting use of local file reading to let you piece together how the application runs. Once you've figured that a few clever file reads can give you the source material running the application, and you better have dnSpy ready. From that analysis with dnSpy initial foothold through insecure deserialization can be obtained, after which you can use a hard coded password for developer. And in poetic fashion root is gained with the dotnet command.
-
May 21, 2023
tags:
htb
easy-box
linux
webapp
deserialization
cve
ruby
yaml
We start this machine by exploiting a command injection of a ruby package to gain a foothold, and escalate that to user with hard coded credentials. For root a simple ruby script exploitation of a load() function will do the trick.
-
Apr 29, 2023
tags:
htb
easy-box
linux
webapp
sqli
xxe
john
cve
upload-bypass
pgp
Wordpress in little surprise to anyone gives us both an initial foothold account and the credentials for a user account. The former through a vulnerable scheduling plugin, and the latter through an image upload bypass to read a config file. The root password is obtained through brute forcing a pgp key to access a passpie password.
-
Apr 26, 2023
tags:
htb
medium-box
linux
webapp
sqli
redis
SQLi, ipython, and Redis (oh my). This box starts off with fuzzing a store page to find an SQLi where you get the password for a user. Next that user has access to a script testing/reviewing directory which could be exploited to run commands at another user. The cherry on top is the redis sandbox escape after finding a binary which leaked the redis password.
-
Apr 24, 2023
tags:
htb
medium-box
linux
webapp
ghidra
binary-exploitation
cve
Solving this box can be a bit of an eye opener. Exiftool is normally not thought of as an attack vector but this machine eloquently uses a vulnerable version for a foothold. After a quick grep-ing through some Event Logs user can be obtained. The final piece of the puzzle is dissecting a binary file and running it with sudo to gain root.
-
Apr 20, 2023
tags:
htb
easy-box
linux
webapp
xxe
ssti
The name of the game for this box is trial and error. RedPanda the search engine for red panda pictures is vulnerable to SSTI. Post user there are two jar files being run which need to be investigated. After understanding how they work the user needs to change image metadata, abuse directory traversal, and use an XXE to get the root ssh key.
-
Apr 9, 2023
tags:
htb
medium-box
linux
webapp
deserialization
john
bash
During the pentest, I identified multiple vulnerabilities. Firstly, I was able to exploit directory traversal to access sensitive files. Additionally, I leveraged an activation code generating script to create an account and then utilized insecure deserialization to rewrite a class that could download a shell from a webserver I controlled. With the help of hard-coded database credentials, I generated a custom salted wordlist to crack user passwords, and finally, I injected code into a bash script that insecurely used a variable in a command.
-
Apr 1, 2023
tags:
april-fools
blog
ai
**This post is an information hazard that could lead to the mental harm of yourself or the harm of others. Read at your own risk.**
-
Mar 16, 2023
tags:
htb
medium-box
linux
cloud
aws
cve
The steps outlined in this summary involve identifying a hidden subdomain, scanning for directories, using the AWS Command Line Interface (CLI) to grab credentials from a NoSQL database named DynamoDB, uploading a reverse shell to an S3 bucket using the AWS CLI, and exploiting a vulnerable version of Polkit for root access.
-
Feb 20, 2023
tags:
htb
easy-box
android
cve
ssh-tunneling
Android can be a beast to pentest and enumerate, but this box does a decent job of giving leads. The credentials are found in what I can only assume is the user writing it down and taking a picture not to forget. Then root can be gained through the locally open 5555 port for android debug bridge.
-
Feb 19, 2023
tags:
htb
easy-box
linux
webapp
sudo
Simplicity at its finest. A quick backdoor exploit from a vulnerable php version, and then a trip to GTFOBins can root this box. Bare bones and to the point.
-
Feb 17, 2023
tags:
htb
easy-box
linux
webapp
cve
This box is a great example of how much information can be leaked by basic scripts and services. A javascript file leaks a subdomain with an api, and then the login portal leaks the vulnerable version of strapi being run. To gain root there is a somewhat clever way of ssh tunneling to manipulate a vulnerable local service on the box.
-
Feb 16, 2023
tags:
easy-box
htb
linux
webapp
wordpress
plugins
This box involves quite a bit of enumeration and creativity to solve for an easy box. First you need to identify the plugins of the wordpress site, then identify the vulnerable one. After that the processes are to be read and scoured for a foothold after discovering a vulnerable service on port 1337. Root can then be obtained by attaching a detached root screen.
-
Feb 11, 2023
tags:
htb
easy-box
linux
webapp
idor
wireshark
capabilities
Cap is a clever name for this box as it involves looking through a pcap file for credentials to login as the user nathan. To obtain root the user must use a cap_setuid capability set for python. Overall basic but a pretty good test of some fundamentals.
-
Feb 10, 2023
tags:
htb
easybox
linux
webapp
wordpress
chat-bot
The box Paper had an integration of the Dunder Mifflin paper company from the show 'The Office'. Michael Scott or otherwise known as Prisonmike leaves a secret draft with the registration for an internal chat service Rocket Chat. After a brief exploiting of the dwight created bot recyclops for user, root can be gained from a polkit vulnerability.
-
Feb 4, 2023
tags:
htb
easy-box
linux
webapp
xxe
python
sudo
User for this box incorporates XML XXE in a bug reporting forum and using that exploit to read a discovered database. Root is obtained through a python sandbox escape from a custom script with NOPASSWD sudo access.
-
Jan 26, 2023
tags:
htb
easy-box
active-directory
smb
john
windows
The steps to solve this box require knowledge in certificate/key infrastructure, Windows services, command history files, and LAPS permissions. Initial foothold steps utilize password cracking for both a zip and pfx file to yield public and private keys. Then a hard coded password can be found and the local admin password can be read after pivoting to that new account.
-
Jan 15, 2023
tags:
ctf
kringlecon
blockchain
smart-contract
cloud
aws
ci/cd
sandbox-escape
windows
wireshark
suricata
html
xxe
A quick and dirty summary/solution combo of the 2022 Kringlecon. This is backlogged content and is not as verbose or well produced as the rest of what you'll find here. I would advise trying these challenges for yourself before looking up these solutions since they are geared towards beginners.
-
Jan 13, 2023
tags:
htb
medium-box
webapp
upload-bypass
linux
The solution to Passage is quite research heavy and not so technically demanding. The CMS is vulnerable due to its specific version which gives a foothold, a pivot takes place to gain better permissions, and root can be obtained from a usbcreator d-bus service which allows for copying files as root.
-
Jan 12, 2023
tags:
htb
easy-box
webapp
ssti
flask
bash
linux
suid
Late was a box with practically two parts. The first was to identify the image upload function on the http site was vulnerable to SSTI and crafting an image to serve as the payload. The second was to find an SSH login alert bash script that was run as root and writable by everyone.