📦 HTB - Schooled

Cool box, not too CTF-like and real-life applicable, my first FreeBSD 😄 But root part was too quick. TL;DR XSS to steal Moodle creds of teacher, privesc as manager and then RCE. Get MySQL in config file, dump users and get password hash. Break the hash with john to ssh as user. Common pkg install exploit for root. Footholds # Nmap 7.91 scan initiated Mon Aug 2 22:40:05 2021 as: nmap -A -p- -T4 -o nmap....

August 4, 2021 · 4 min · 0xNinja

📦 HTB - Cap

Simple easy box, perfect to warm up before the FIC 2021 and get more confidence in 1337 h4ck1n9 TL;DR Find PCAP file on server, get SSH credentials, execute code as root with Python. Footholds I did not even use nmap here, as we had a web server serving on port tcp:80. This website looked like this: It seems to be a security dashboard for a server, we don’t have any info about that....

July 28, 2021 · 3 min · 0xNinja

📦 HTB - Ready

Cool box, maybe too easy for a medium? Got reverse shell in minutes, but stuck for root’s password for hours 😅 TL;DR Gitlab RCE, get reverse shell. Privesc with cleartext root password, escape Docker to own the box. Footholds nmap Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 16:00 UTC Nmap scan report for 10.10.10.220 Host is up (0.035s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8....

March 20, 2021 · 3 min · 0xNinja

📦 HTB - Magic

TL;DR HTTP redirect bypass (unintended 😁), PHP code execution through file upload to get a reverse shell. User with hardcoded SQL credentials on server, privesc with custom binary with no $PATH check. As I am an idiot, I reinstalled my distribution without making a backup of my files 🙈 So I don’t have any screenshots or payloads I used for this box to show you Footholds With a basic nmap we found only two ports: 22 and 80....

August 20, 2020 · 3 min · 0xNinja

📦 HTB - Obscurity

Obscurity is my first medium box so I was very happy when I got that root.txt :D TL;DR Custom Python web server, get source code, get reverse shell, crack user password for custom encryption system, use john to privesc. Footholds To make things easier, I added the box to my /etc/hosts. Recon Let’s start with nmap to discover the open ports : > nmap -A obscurity.htb -o nmap.out Nmap scan report for obscurity....

April 12, 2020 · 5 min · 0xNinja