HTB Medium

Escape is a medium-difficulty Windows machine on Hack The Box that revolves around Active Directory. The initial foothold is gained by finding credentials in a PDF file on an open SMB share. This access is then leveraged to connect to an MSSQL service, from which we capture and crack the NTLM hash of a service account. Lateral movement is achieved by discovering another user’s credentials in a log file. Finally, privilege escalation to Administrator is accomplished by exploiting a misconfiguration in Active Directory Certificate Services (ADCS), specifically the ESC1 vulnerability.

Resolute is a medium-difficulty Windows machine on HackTheBox that involves a realistic Active Directory penetration test. The initial foothold is gained by enumerating domain users via a null SMB session and discovering a default password in a user’s description, which is then reused to gain access as another user via WinRM. Lateral movement is achieved by discovering cleartext credentials for a more privileged user within PowerShell transcripts. Finally, privilege escalation to SYSTEM is accomplished by abusing the permissions of the DnsAdmins group to load a malicious DLL.

Certified is a Windows machine having misconfigured ACL in Active Directory environment where initial access for a low-privileged user judith.mader is provided. Exploitation of the Active Directory Certificate Service (ADCS) is required to get access to the management_svc, ca_operator and Administrator account by abusing shadow credentials and ESC9.

Box Info Name: Forge OS: Linux Difficulty: Medium IP: 10.10.11.111 Points: 30 Machine Creator: NoobHacker9999 Introduction Forge is a fun box on Hackthebox that has a File Upload functionality which is vulnerable to SSRF. This exposes the internal Admin panel and lets us read files with internal FTP service, which includes SSH key pair of the user. Listing the available commands we can run as a superuser, we have a python script which opens a socket connection. This calls PDB with an exception occurs, with which we get a shell as root. ...

Pit is a fun box where SNMP Data reveals that seeddms instance is running, which is vulnerable to RCE. The box has CentOS’s Cockpit Web Console on port 9090, which uses reused password from DB credentials. This gives access to user shell. LinPeas reveals there is a monitoring service, which runs bash scripts in a particular directory. Chaining this with SNMPwalk gives us root.

Tenet is a fun box where we find a backup of a staging PHP file which loads external code via deserialization, which leads to code-execution and a reverse shell. This leads to access to a script which the non-sudoer user can run to add ssh-key for getting root shell.

Ready is a fun box which is using an outdated GitLab community version. Which apparently has an exploit which gives RCE to authenticated users. This RCE gives access to docker container in which gitlab instance is running, and we have to breakout the container to escalate our privilages to get own root!