HackTheBox - BountyHunter

BountyHunter is a fun Linux box on HackTheBox that has XXE injection on a PHP form, which exposes DB credentials. This DB credential is reused as a password for a user on the box. The box also has an internal python3 script which could be run as elevated privileges. This script uses eval by which we get command injection, which leads to superuser access to this box.

November 20, 2021 · 7 min · Aditya Telange

HackTheBox - Cap

Cap is a fun box where we find a flask web app which lets us download network log, where we find FTP and SSH credentials for user nathan. The box has python which has capability to set UIDs, which lets us access roots shell, when UID is set to 0.

October 2, 2021 · 4 min · Aditya Telange

HackTheBox - Pit

Pit is a fun box where SNMP Data reveals that seeddms instance is running, which is vulnerable to RCE. The box has CentOS’s Cockpit Web Console on port 9090, which uses reused password from DB credentials. This gives access to user shell. LinPeas reveals there is a monitoring service, which runs bash scripts in a particular directory. Chaining this with SNMPwalk gives us root.

September 25, 2021 · 6 min · Aditya Telange

HackTheBox - Knife

Knife is a fun box which uses a PHP version having backdoor, which leads to RCE. The box has a command named knife which lets non-superusers run commanad as root.

August 28, 2021 · 2 min · Aditya Telange

HackTheBox - Tenet

Tenet is a fun box where we find a backup of a staging PHP file which loads external code via deserialization, which leads to code-execution and a reverse shell. This leads to access to a script which the non-sudoer user can run to add ssh-key for getting root shell.

June 12, 2021 · 6 min · Aditya Telange
This site uses cookies to improve your experience on our website. By using and continuing to navigate this website, you accept this. Privacy Policy