📦 HTB - Ready

Cool box, maybe too easy for a medium? Got reverse shell in minutes, but stuck for root’s password for hours 😅 TL;DR Gitlab RCE, get reverse shell. Privesc with cleartext root password, escape Docker to own the box. Footholds nmap Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 16:00 UTC Nmap scan report for 10.10.10.220 Host is up (0.035s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8....

March 20, 2021 · 3 min · 0xNinja

📦 HTB - Magic

TL;DR HTTP redirect bypass (unintended 😁), PHP code execution through file upload to get a reverse shell. User with hardcoded SQL credentials on server, privesc with custom binary with no $PATH check. As I am an idiot, I reinstalled my distribution without making a backup of my files 🙈 So I don’t have any screenshot or payloads I used for this box to show you Footholds With a basic nmap we found only two ports: 22 and 80....

August 20, 2020 · 3 min · 0xNinja

📦 HTB - Obscurity

Obscurity is my first medium box so I was very happy when I got that root.txt :D TL;DR Custom Python web server, get source code, get reverse shell, crack user password for custom encryption system, use john to privesc. Footholds To make things easier, I added the box to my /etc/hosts. Recon Let’s start with nmap to discover the open ports : > nmap -A obscurity.htb -o nmap.out Nmap scan report for obscurity....

April 12, 2020 · 5 min · 0xNinja