Editorial from HackTheBox

The journey begins on Hack The Box, navigating through Season 5 Machines. It starts by exploiting a Server-Side Request Forgery (SSRF), which exposes access credentials in an endpoint, allowing you to pwn a machine. The response endpoint leaks critical information that leads to owning a user account. Following this, a…

Blurry from HackTheBox

This box was very interesting, starting with exploiting a vulnerability in the ClearML open-source platform, which is used to automate the development of machine learning solutions, to get a shell as a user. By exploiting CVE-2024-24590, we were able to gain initial access. The process involved creating and uploading a…

BoardLight from HackTheBox

This box involves exploiting Dolibarr 17.0.0 for remote code execution (RCE) as an authenticated user, gaining access as the www-data user. By understanding the exploit and examining the configuration files, credentials can be found to escalate privileges to user. Additionally, the system is vulnerable to CVE-2022-37706, which allows…

One click root | Runner from HackTheBox

The journey begins by using a custom word list to find a subdomain running TeamCity 2023.05.03, which is vulnerable to CVE-2023-42793. This vulnerability allows the creation of a privileged user without authentication. Next, a backup containing a private key is found, providing the first SSH access as a…

MonitorsTwo from HackTheBox

Box overview: MonitorsTwo is an easy box created by kavigihan that combines exploitation of Cacti (CVE-2022-46169) as the entry point with privilege escalation via CVE-2021-41091. Initial foothold: Add the IP to the hosts file. Firstly, I will update the hosts file entry with the box hostname and its IP.…

Admirer from HackTheBox

Admirer is an easy difficulty Linux machine that showcases a variety of security challenges. One key vulnerability is the web database interface Adminer, which is susceptible due to an underlying flaw in the MySQL protocol. This flaw can be exploited to gain access to the database, demonstrating the importance of…

TraceBack from HackTheBox

The process begins by finding a reverse shell already present on the box and using it to get a reverse shell. Then it involves pivoting to another user with Lua to own user. Finally, by exploiting a cleanup script running as root, we can obtain the root shell. Nmap scan: Usually I start with…

Monteverde from HackTheBox

Monteverde is a Medium Windows machine that features Azure AD Connect. The domain is enumerated and a user list is created. Through password spraying, the SABatchJobs service account is found to have the username as a password. Using this service account, it is possible to enumerate SMB Shares on the…