I write about cyber, security and random stuff

Welcome to my blog, I will post things about cybersecurity, development and Linux. For more info check my about page and my socials.

📦 HTB - Previse

TL;DR Bypass PHP redirect to access restricted page, create low priv web account, get website backup. Audit code and find OS command injection + MySQL creds, get reverse shell and dump database, get password hash and crack it to SSH. Privesc via path injection. Footholds nmap gives us only ports 22 and 80. We first get this website: Nothing we can deal with here, no SQL injection :( For more info I used dirsearch to fuzz the web pages, and it found the following:

📦 HTB - Schooled

Cool box, not too CTF-like and real-life applicable, my first FreeBSD 😄 But root part was too quick. TL;DR XSS to steal Moodle creds of teacher, privesc as manager and then RCE. Get MySQL in config file, dump users and get password hash. Break the hash with john to ssh as user. Common pkg install exploit for root. Footholds 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 # Nmap 7.

📦 HTB - BountyHunter

⚠️ writeup wrote months after root so informations are not accurate. TL;DR JS source code disclosure to forge internal requests, leak PHP source code with XXE in custom request, get DB credentials. Privesc with code injection in custom code without input validation. Recon Only HTTP and SSH, nothing special. Footholds We have here a simple web server, with custom SJ script to send bounty tickets. The portal tells us to go to /log_submit.

📦 HTB - Explore

Pretty interesting box, first time seeing Android in HTB. TL;DR Exfilter files on device using ES File explorer exploit, get user credentials. Root is straightforward with ADB. Footholds With nmap we get the following: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 # Nmap 7.91 scan initiated Wed Jul 28 14:49:28 2021 as: nmap -A -p- -o nmap.out explore.htb Nmap scan report for explore.