Hack the Box Write-up #7: Bart

After doing a couple more machines on Hack The Box, Bart was one that I definitely wanted to do a write-up for. We start with a bunch of web enumeration and discovering different directories and hostnames. Eventually, we discover a chat application, register our own user and do log poisoning to get our first low priv shell. Privilege escalation to Administrator is then accomplished by identifying AutoLogon credentials stored in the registry. On the way we read some source code, learn about 32/64-bit registry queries and running commands in a different user context. ...

March 21, 2020 · David Hamann

Hack the Box Write-up #6: Kotarak

In this write-up we’re looking at getting into the retired machine Kotarak from Hack the Box. Kotarak was a really fun box as it required lots of different techniques and was just a longer journey to root. Our first foothold comes via leaked credentials that we can retrieve using server side request forgery. These credentials give us admin access to a Tomcat manager application where we can upload our first reverse shell. From there, we get access to both a NTDS.DIT file and a Windows SYSTEM registry hive which we can leverage to extract user hashes. Cracking these hashes, we level up to another user and eventually use a vulnerability in wget to write our SSH key into the authorized_keys file on another (virtual) host and through that get access to the root flag on there. ...

February 23, 2020 · David Hamann

Hack the Box Write-up #5: TartarSauce

In this write-up we’re looking at solving the retired machine “TartarSauce” from Hack The Box. After spending some time on the hosted web applications, we’ll eventually get the first foothold via an outdated Wordpress plugin. From there we can upgrade to a user shell by abusing the tar command. Eventually, we get root by abusing tar once more, but this time as part of a backup script and in a bit more involved way. ...

February 10, 2020 · David Hamann

Hack the Box Write-up #4: Cronos

In this post we’ll walk through the steps of getting root on the retired box “Cronos” from Hack the Box. We will discover a few subdomains by DNS enumeration and get our first shell via command injection on an admin portal suffering from SQL injection. To elevate our privileges, we will abuse a cron job set up to run as root. All in all a fun box with a lot of classic vulnerabilities. ...

February 2, 2020 · David Hamann

Hack the Box Write-up #3: Netmon

In today’s write-up we’re going to take a look at getting into Hack the Box’s retired Netmon machine, which was a relatively easy box if you just remembered that people tend to have bad password habits. Recon We start with an nmap scan which gives us quite a few open ports: > nmap -sV -sC -oN nmap/init 10.10.10.152 Nmap scan report for 10.10.10.152 Host is up (0.035s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 02-02-19 11:18PM 1024 .rnd | 02-25-19 09:15PM <DIR> inetpub | 07-16-16 08:18AM <DIR> PerfLogs | 02-25-19 09:56PM <DIR> Program Files | 02-02-19 11:28PM <DIR> Program Files (x86) | 02-03-19 07:08AM <DIR> Users |_02-25-19 10:49PM <DIR> Windows | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor) |_http-server-header: PRTG/18.1.37.13946 | http-title: Welcome | PRTG Network Monitor (NETMON) |_Requested resource was /index.htm |_http-trane-info: Problem with XML parsing of /evox/about 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds What immediately catches the eye is the ftpd which allows anonymous access on what appears to be the root directory. But before we start exploring this further, let’s have a quick look at port 80 to confirm the nmap result. ...

January 22, 2020 · David Hamann