HackTheBox Writeups

All HackTheBox writeups I’ve created so far are listed below. If you have any issues with these writeups or any other boxes I’m happy to help! Please reach out on Discord if you would like to inquire about anything on this site.

Chatterbox - HTB Writeup

7 minute read

Chatterbox is a Windows 7 server running an application called Achat. Achat and Windows are both significantly out of date, which leaves the machine at risk. ...

FluxCapacitor - HTB Writeup

7 minute read

FluxCapacitor is a web server hosting a web application firewall called SuperWAF on port 80. This service is vulnerable to remote code execution and can crea...

Reel - HTB Writeup

10 minute read

Reel is a small business FTP and Mail server that has remote management over SSH. After phishing a user and creating a shell session on the target, attackers...

Bart - HTB Writeup

13 minute read

Bart is a web server running multiple services that appear to be built on custom code. Multiple brute-forcible pages exist to allow for user enumeration an...

Oz - HTB Writeup

18 minute read

Oz is a docker host that is running three containers to support a Python web application. The API for the web application is vulnerable to SQL injection. The...

Stratosphere - HTB Writeup

8 minute read

Stratosphere is a web server that is running an out-of-date version of Apache Struts that is vulnerable to remote code execution. The machine is running MySQ...

Zipper - HTB Writeup

8 minute read

Zipper is a Zabbix server orchestrating two other Linux servers. A simple password is used that provides administrative API level access and remote code exec...

Canape - HTB Writeup

11 minute read

Canape is a web server that is running Python Flask. The source code is publicly available on the site which exposes a Python Pickle deserialization vulnerab...

Conceal - HTB Writeup

8 minute read

Conceal is a web server running behind an IPsec VPN connection with IPsec and SNMP exposed to the public. The SNMP community string is set by default to ‘public...

Silo - HTB Writeup

5 minute read

Silo is an Oracle database server with its services exposed to the local network. The service uses an insecure SID configuration and default/weak user creden...

Dab - HTB Writeup

12 minute read

Dab is a database and web server that uses basic authentication mechanisms to reveal a database web app that is utilizing Memcache. The exploitation of the M...

Helpline - HTB Writeup

14 minute read

Nmap performs automated port scanning to identify open services and ports available on the local network. A full port scan identifies ports 135, 445, and 598...

SecNotes - HTB Writeup

13 minute read

SecNotes is a custom web application server that hosts a note-taking web application. The custom application is vulnerable to SQL injection that allows a rem...

Waldo - HTB Writeup

9 minute read

Waldo is a web server with limited functionality running inside of a docker container on the target host. The web service is vulnerable to local file inclusi...

OneTwoSeven - HTB Writeup

4 minute read

A statically configured password hash is found for the admin user. We can also see that there is a template site running on top of Jekyll 3.8.5.

DevOops - HTB Writeup

12 minute read

DevOops is a web server running a development site that is noted to still be under construction. An XML file upload allows for local file inclusion, revealin...

Ghoul - HTB Writeup

5 minute read

The Tomcat page was accessible with the weak credentials of admin:admin. This appears to be another basic template website with minimal features. The file u...

Tartarsauce - HTB Writeup

17 minute read

Tartarsauce is a Linux web server that has a WordPress website over HTTP running an out-of-date version of the GWolle DB plugin that allows for remote file i...

Carrier - HTB Writeup

11 minute read

Nmap performs an automated port scan against the target server to identify open ports and services that may be vulnerable to exploitation. A quick scan of th...

Ypuffy - HTB Writeup

6 minute read

Nmap performs automated port scanning against the target server to identify open ports and services. After an initial scan, it appears that there are several...

Lightweight - HTB Writeup

3 minute read

The service indicates that users are automatically generated on the target server and we can use our IP address as the username and password to SSH into the ...

RedCross - HTB Writeup

6 minute read

Nmap performs automated port scanning to identify open ports and services on the local network against the target server. An initial scan against the top 100...

Arkham - HTB Writeup

3 minute read

There is a file on the BatShare called appserver.zip but it is too big to pull down over smbclient so we have to mount and then copy it over.

Querier - HTB Writeup

3 minute read

After performing basic enumeration on the SMB service, an Excel file is found in a guest-accessible share. Downloading this Excel file and investigating it s...

Jarvis - HTB Writeup

4 minute read

The SQL parameter that is used to load bedroom options on the site appears to be SQL injectable. The service simply shows the room number and then renders th...

Luke - HTB Writeup

3 minute read

Web service enumeration reveals a config.php file that appears to be malformed PHP with typos that allow it to be rendered to the screen as ASCII text. Becau...

Bitlab - HTB Writeup

4 minute read

After thorough web service enumeration, a blog can be found at /profile which refers to the /help endpoint. The /help directory has a bookmarks.html file. Up...

Wall - HTB Writeup

3 minute read

While we cannot access the /monitoring endpoint through the browser, moving this request into Burp Suite and simply changing the request verb allows us to by...

Mango - HTB Writeup

3 minute read

The login request is moved to Burp for further enumeration. Basic SQL injection tests show that the database is not SQL injectable. Testing with an [$ne]= (t...

Sniper - HTB Writeup

4 minute read

The lang parameter on the /blog/ endpoint is vulnerable to local file inclusion. The curl request below shows the basic local file inclusion of the win.ini f...

Obscurity - HTB Writeup

5 minute read

The /devlop/SuperSecureServer.py endpoint has a Python file for the custom web server. This is supposed to be the web server that is running on port 8080 so ...

Resolute - HTB Writeup

5 minute read

Using Impacket’s GetADUsers.py program we can enumerate the Active Directory server for anonymous binding. It appears that anonymous binding is enabled which...

Nineveh - HTB Writeup

6 minute read

The HTTPS service is running phpLiteAdmin version 1.9. While a username is not required, a simple password is used for authentication for users connecting to ...

Node - HTB Writeup

3 minute read

After some enumeration on the HTTP service, visiting /api/users on port 3000 shows a list of users and their password hashes. These can be exfiltrated to the...

Forest - HTB Writeup

12 minute read

Forest is a Windows Active Directory server running on an outdated build that is vulnerable to CVE-2020-1472, also called ZeroLogon. By performing the enumer...

Sauna - HTB Writeup

18 minute read

Sauna is an Active Directory server with a web service and DNS served onto the local network. After utilizing brute force username enumeration with a pre-aut...

Support - HTB Writeup

40 minute read

Support is an Active Directory server for a small organization. Simple credentials allow a custom binary to be stolen off of the file share on the server. St...

Blackfield - HTB Writeup

39 minute read

Blackfield is a Hard rated box from HackTheBox. It features a fairly common exploitation path for Windows Active Directory. In this guide we will freshen up ...