Box Info Name: Forge OS: Linux Difficulty: Medium IP: 10.10.11.111 Points: 30 Machine Creator: NoobHacker9999 Introduction Forge is a fun box on Hackthebox that has a File Upload functionality which is vulnerable to SSRF. This exposes the internal Admin panel and lets us read files with internal FTP service, which includes SSH key pair of the user. Listing the available commands we can run as a superuser, we have a python script which opens a socket connection....
Previse is a fun Linux box on HackTheBox that has insecure redirect implementation which leaks information on the page. This can then be used to create a new user in the application and get access to backup.zip of it. Backup revels that there is a command injection vulnerability present in the logs fetching feature, which gets us a basic shell. We have a MySQL server running inside the box which has reused credenrials from the backup.zip. We get hashed/salted credentials inside this database and crack it by writing a custom PHP script. We again have a username and password reuse for a SSH user, which gives us a user shell. Listing sudo privilegs we get to know there is a script which we can run as root, that does not mention absolute $PATH for a command being used. Thus can be overriden by $PATH variable set by current USER.
BountyHunter is a fun Linux box on HackTheBox that has XXE injection on a PHP form, which exposes DB credentials. This DB credential is reused as a password for a user on the box. The box also has an internal python3 script which could be run as elevated privileges. This script uses eval by which we get command injection, which leads to superuser access to this box.
Cap is a fun box where we find a flask web app which lets us download network log, where we find FTP and SSH credentials for user nathan. The box has python which has capability to set UIDs, which lets us access roots shell, when UID is set to 0.
Pit is a fun box where SNMP Data reveals that seeddms instance is running, which is vulnerable to RCE. The box has CentOS’s Cockpit Web Console on port 9090, which uses reused password from DB credentials. This gives access to user shell. LinPeas reveals there is a monitoring service, which runs bash scripts in a particular directory. Chaining this with SNMPwalk gives us root.