HackTheBox - Photobomb

Photobomb is a fun box on Hackthebox where we initially get hardcoded credentials in a Javascript file, which we can use to authenticate with basic auth to access the image resizing tool, which has command injection leading to us getting a reverse shell. After getting initial access as user wizard, we see a cleanup.sh script which can be run as root. We then abuse the redirection operator > clobbering the /etc/passwd file to escalate our privileges by adding user wizard to group root.

February 11, 2023 · 7 min · Aditya Telange

HackTheBox - Lame

Lame is the 1st box on HackTheBox which requires only one exploit in Samba to obtain root access. We also explore other ways during we reach to superuser’s shell.

June 3, 2022 · 3 min · Aditya Telange

HackTheBox - Horizontall

Horizontall is a fun box which has an API, vulnerable to Improper Access Control and RCE. The box is running a laravel service which is vulnerable to RCE which lets us run commanad as root.

February 5, 2022 · 7 min · Aditya Telange

HackTheBox - Forge

Box Info Name: Forge OS: Linux Difficulty: Medium IP: 10.10.11.111 Points: 30 Machine Creator: NoobHacker9999 Introduction Forge is a fun box on Hackthebox that has a File Upload functionality which is vulnerable to SSRF. This exposes the internal Admin panel and lets us read files with internal FTP service, which includes SSH key pair of the user. Listing the available commands we can run as a superuser, we have a python script which opens a socket connection. This calls PDB with an exception occurs, with which we get a shell as root. ...

January 22, 2022 · 5 min · Aditya Telange

HackTheBox - Previse

Previse is a fun Linux box on HackTheBox that has insecure redirect implementation which leaks information on the page. This can then be used to create a new user in the application and get access to backup.zip of it. Backup revels that there is a command injection vulnerability present in the logs fetching feature, which gets us a basic shell. We have a MySQL server running inside the box which has reused credenrials from the backup.zip. We get hashed/salted credentials inside this database and crack it by writing a custom PHP script. We again have a username and password reuse for a SSH user, which gives us a user shell. Listing sudo privilegs we get to know there is a script which we can run as root, that does not mention absolute $PATH for a command being used. Thus can be overriden by $PATH variable set by current USER.

January 8, 2022 · 10 min · Aditya Telange
This site uses cookies to improve your experience on our website. By using and continuing to navigate this website, you accept this. More details in Privacy Statement.