Certified is a Windows machine having misconfigured ACL in Active Directory environment where initial access for a low-privileged user judith.mader is provided. Exploitation of the Active Directory Certificate Service (ADCS) is required to get access to the management_svc, ca_operator and Administrator account by abusing shadow credentials and ESC9.
Photobomb is a fun box on Hackthebox where we initially get hardcoded credentials in a Javascript file, which we can use to authenticate with basic auth to access the image resizing tool, which has command injection leading to us getting a reverse shell. After getting initial access as user wizard, we see a cleanup.sh script which can be run as root. We then abuse the redirection operator > clobbering the /etc/passwd file to escalate our privileges by adding user wizard to group root.
Legacy is a relatively easy box which has SMB running on Windows XP(2000) OS. We find the exploit with metasploit and get access to priviledged user NT AUTHORITY\SYSTEM directly.
Lame is the 1st box on HackTheBox which requires only one exploit in Samba to obtain root access. We also explore other ways during we reach to superuser’s shell.
Horizontall is a fun box which has an API, vulnerable to Improper Access Control and RCE. The box is running a laravel service which is vulnerable to RCE which lets us run commanad as root.