Granny. Navigate to the folder where you downloaded AutoRecon and run the Python script against the target IP. If you would rather scan the host without AutoRecon, an equivalent nmap scan achieves the same results.
Our scans complete quickly and we find only one open port to work with: HTTP. After a bit of googling, we find that this version of IIS has a critical vulnerability with a published CVE. A proof of concept, in the form of a Metasploit module, is attached to that CVE on Exploit-DB.
Searching Metasploit, we find two modules whose descriptions suggest they would work for us. While I enjoy doing everything manually, sometimes it just makes sense to use Metasploit and its post-exploitation modules. If the initial session does not run with the privileges we need, we can look for a process that does and move into it with Metasploit's migrate; listing the processes running on the host shows the candidates. We learned a lot with this box, especially how to leverage Metasploit's built-in migration and post modules to get quickly into a machine.
Then I check the folders found by gobuster and notice a couple of interesting files, including phpbash.
This allows you to execute commands as the user www-data. So I make a copy of the reverse shell, update the IP address and port, and then set up a web server to serve the file.
With this sudo right I can get a bash shell as the user scriptmanager. Searching around the system as that user does not turn up any additional useful information. Enumerating the system for known vulnerabilities brings up a few possible exploits.
Since the target system is 64-bit, I use the -m64 flag to compile the exploit. Then I upload it to the system and try it. However, when I looked at the test script, I thought there must be another user working on the system and poking around the script.
I should be more careful and pay more attention to out-of-place things. Thank you to the author, Arrexel, for the box Bashed. Alan Chan, October 20. Target: does not find anything of interest. Click on phpbash. Pretty straightforward.
Privilege Escalation: sudo -l reveals that I can run commands via sudo as the user scriptmanager, which gives me a bash shell as scriptmanager. Then I upload the exploit to the system and try it: this one worked great, and I received a root shell.
The level of the lab is set at beginner to intermediate. Port 22 is also open for SSH. We browsed to the victim IP and were greeted by the web page shown in the image below. Thankfully, the page source discloses the CMS used to build the website. Once everything is set up, we run the exploit for an unauthenticated SQL injection in that CMS to obtain credentials from the database.
This yields the salt value, username, email address and password hash, and from those the password itself. With a valid login credential, we can use it to access the SSH shell.
Hack The Box – Traverxec Box Writeup By Nikhil Sahoo
We got a shell on the host machine and found the user flag. Now it was time to obtain a higher-privileged shell by escalating from the user jkr. We moved on to post-exploitation enumeration to find the hidden processes running on the host. To find services running as root that could be abused, we used pspy64, because manual enumeration failed to reveal all the processes running in the background.
We found a suspicious process executing the following command. Interestingly, it runs whenever jkr connects over SSH, so we can assume that every time we log in as jkr the script executes again. So, on our local machine, we write a script that changes the password for root and save it as run-parts, so that the process's PATH lookup finds our file before the real binary.
Then we transfer this file to the host machine using Python's HTTP server.
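Both the Bashed escalation (a root cron job running a script we can edit) and the Writeup escalation (a root process resolving run-parts through PATH) come down to the same check: does a privileged command end up executing something we can write? The following is an added example, not code from either writeup. The command name and directory layout are constructed inside a temporary directory; the real PATH and binaries of the boxes are not reproduced.

```python
import os
import shlex
import tempfile


def find_hijack_points(command_line, path_env):
    """Report where an observed privileged command could be hijacked.

    command_line: the command as seen in pspy / crontab output.
    path_env:     the PATH that process searches (from its environment).

    Returns a dict with:
      resolved              the file that actually executes for argv[0] (None if not found)
      writable_dirs_before  PATH entries searched before the resolved file that we can
                            write to; planting our own argv[0] there wins the lookup
      target_writable       True if the resolved file itself can be overwritten by us
    An argv[0] containing a slash is not searched in PATH, so only the file is checked.
    """
    argv0 = shlex.split(command_line)[0]
    report = {"argv0": argv0, "resolved": None,
              "writable_dirs_before": [], "target_writable": False}

    if os.sep in argv0:
        if os.path.isfile(argv0):
            report["resolved"] = argv0
            report["target_writable"] = os.access(argv0, os.W_OK)
        return report

    for directory in path_env.split(os.pathsep):
        if not directory:
            directory = "."  # an empty PATH element means the current directory
        candidate = os.path.join(directory, argv0)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            report["resolved"] = candidate
            report["target_writable"] = os.access(candidate, os.W_OK)
            break  # the shell stops at the first match, so later dirs never matter
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            report["writable_dirs_before"].append(directory)
    return report


def demo(real_binary_first=False):
    """Constructed layout: a writable directory plus a directory holding the real binary."""
    with tempfile.TemporaryDirectory() as tmp:
        writable = os.path.join(tmp, "local_bin")  # stands in for a writable early PATH entry
        system = os.path.join(tmp, "bin")          # stands in for the real binary's directory
        os.makedirs(writable)
        os.makedirs(system)
        real = os.path.join(system, "run-parts")
        with open(real, "w") as fh:
            fh.write("#!/bin/sh\necho real run-parts\n")
        os.chmod(real, 0o755)
        order = [system, writable] if real_binary_first else [writable, system]
        return find_hijack_points("run-parts", os.pathsep.join(order))


if __name__ == "__main__":
    print(demo())
```

Run it as the low-privileged user you actually hold on the box: os.access answers for the current uid, so as root every directory looks writable and the report is meaningless. A directory that does not exist yet but whose parent is writable is hijackable too; the check above does not cover that case.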
Task: capture the user flag.
Machine writeups up to March are protected with the corresponding root flag. Since that date, HTB flags are dynamic and different for every user, so it is not possible for us to maintain this kind of system. From now on we will accept only password-protected challenge writeups and writeups for retired machines, which need no password. It is strictly forbidden to unprotect (remove the password from) and distribute the PDF files of active machines; if we detect any misuse, it will be reported immediately to the HTB admins.
In any case, the authors of the writeups of active machines in this repository are not responsible for any misuse of the corresponding documents.
Please keep in mind that this is done to share techniques, not spoilers. If you contribute, you will be added to our top contributors list (see below) and you will also receive an invitation link to an exclusive Telegram group where hints (not spoilers) for the Hack The Box machines are discussed. Please consider protecting the text of your writeup, e.g. Of course, if someone leaks a writeup of an active machine, it is not the responsibility of the author.
If we detect someone doing this, we will immediately report them to the HTB staff so they can take the appropriate measures. Note: the minimum requirement to enter the "special" Telegram group is also to have Hacker rank or higher (no script kiddies). Hack The Box is a superb platform to learn pentesting; there are many challenges and machines of different levels, and with each one you manage to pass you learn something new.
But talking among ourselves we realized that there are often several ways to root a machine or get a flag. That's why we created this repository: a place to share different unofficial writeups, so that everyone can see different techniques and acquire even more knowledge.
That is our goal and our passion: to share in order to learn together. Some people have been distrustful because this repository contains writeups of active machines, even though every one of them is protected with the corresponding password (root flag or challenge flag).
But we did not want to give this up, because we think the most interesting thing for an HTB player is to check other users' walkthroughs right after getting the flag, rather than waiting weeks or months. For this reason we asked the HTB admins, and they gave us a pleasant surprise: in the future they are going to add the ability for users to submit writeups directly to HTB, which can be automatically unlocked after owning a machine.
They will also merge in all of the writeups from this GitHub page.
Hack The Box Write-Up Sauna – 10.10.10.175
Simply great! It is a real source of pride that they have decided to include the functionality of this repo directly on their platform. When this is done, this GitHub repository will be migrated and become inactive, its mission pleasantly fulfilled.

So, I spawned Traverxec a while ago. This Linux machine is rated easy, and the initial foothold and user flag were indeed very easy.
Once you are in, a light enumeration gives you the user flag, if you remember a recent CVE…. I started this blog to share my knowledge.
I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. Hi, there are a few improvements I can see you could make to make your write-up more friendly: 1) How did you find out which vulnerability to use? There is no explanation. Write-ups and challenges are used for education. Andy, thank you for the honest feedback, I greatly appreciate it.
I will amend the writeup this weekend with the missing info.

In the docs for nostromo we can see how the directory structure works.

Only fragments of the tool output survive in this section: the PostgreSQL client error 'Is the server running on host "localhost"', the msfconsole search header "Matching Modules", and the john lines "Session completed", "Using default input encoding: UTF-8" and "Cost 2 (iteration count) is 1 for all loaded hashes".
Hack the Box: Writeup Walkthrough
More of the john output: "Will run 2 OpenMP threads", "Note: This format may emit false positives, so it will keep trying even after", "Press 'q' or Ctrl-C to abort, almost any other key for status".

On the box, uname reports "Linux traverxec 4." and the login banner shows "Last login: Tue Nov 19 03:51:04 from". The journal entries shown (PIDs and message text lost in extraction) are:
Nov 18 22:30:48 traverxec sudo[ ]:
Nov 18 22:30:50 traverxec sudo[ ]:
Nov 18 22:30:52 traverxec crontab[

I did this box quite some time ago, as it was one of the first ones I did when first starting HackTheBox.
I recently helped someone who was working on this box, so I decided to reorganize my notes, which were somewhat of a mess, and restructure them into a proper writeup. After a quick search online we find that ColdFusion 8 is vulnerable to directory traversal. ColdFusion 8 also stores the administrator password hash locally in a file called password. So we can grab the administrator hash by requesting that file through the directory traversal.
A quick Google search for the hash yields the cracked password, happyday; it is usually easiest to start there before firing up hashcat. In the administrator panel, the scheduled task setup gives you the ability to download a file from a web server and save the output locally. At this point we need to generate a shell; we could upload a cfexec web shell. After submitting, we run the task on demand under Actions and see the request hit our Python HTTP server.
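Why a Google search for the hash works at all is worth seeing in code: the value recovered from the ColdFusion 8 properties file is an unsalted SHA-1, so one hash computation per guess recovers it and any public lookup table will already contain common passwords. The following is an added example, not the author's code. It assumes (as noted in the comments) that the file stores the password as uppercase hex SHA-1 of the plaintext, and the sample file content and mini-wordlist are constructed for the demo rather than copied from the box.

```python
import hashlib
import re

# Constructed stand-in for a ColdFusion 8 password.properties file. Only the
# password= key matters here. Assumption: CF8 stores the admin password as an
# uppercase hex SHA-1 of the plaintext, which is why the sample value is built
# with sha1() instead of being copied from the box.
SAMPLE_PASSWORD_PROPERTIES = (
    "#constructed sample\n"
    "password=" + hashlib.sha1(b"happyday").hexdigest().upper() + "\n"
    "encrypted=true\n"
)

HEX_SHA1 = re.compile(r"^[0-9A-Fa-f]{40}$")


def extract_password_hash(properties_text):
    """Return the value of the password= key from a Java-style properties file, or None."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "password":
            return value.strip()
    return None


def looks_like_sha1(value):
    """40 hex characters with no salt or prefix is the first hint that this is raw SHA-1."""
    return bool(HEX_SHA1.match(value or ""))


def crack_sha1(target_hex, candidates):
    """Try each candidate; unsalted SHA-1 means one digest per guess and no per-user work."""
    target = target_hex.lower()
    for word in candidates:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


def demo():
    """Parse the constructed file, sanity-check the format, then run a tiny wordlist."""
    digest = extract_password_hash(SAMPLE_PASSWORD_PROPERTIES)
    if not looks_like_sha1(digest):
        return None
    # Constructed mini-wordlist; a real run would stream rockyou.txt or similar.
    return crack_sha1(digest, ["admin", "password", "coldfusion", "happyday"])


if __name__ == "__main__":
    print(demo())
```

The format check matters more than the loop: if the value were not 40 hex characters you would be looking at a different (possibly salted or encrypted) storage scheme, and a wordlist run against it would be wasted time.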
One of the first things I do for privilege escalation on Windows is grab system information, so that we can identify the OS and also see if it is missing any patches. From this we identify that the box is running Windows Server R2 and has no patches installed, according to the output under Hotfix(s). After looking through the output I found a few privilege escalation exploits that could work and settled on looking into one MS bulletin; the Exploit-DB download for it only contained source files and no compiled exe.
The exploit goes by the alias Chimichurri on Exploit-DB, so I also searched by that name and found a compiled exe on GitHub. Based on the source code, the exploit sends us a reverse shell when given our IP address and desired port as parameters. Once again we set up a Python HTTP server on Kali, and a simple PowerShell download script will fetch the exe to the target. Running a prebuilt binary from a third-party repository is a risk in itself; where possible, compile from the source you have reviewed rather than trusting someone else's build.
absolomb's security blog.

This is my second write-up for a machine from Hack The Box. It is again a rather easy one, but still lots of fun, with lots of opportunities to do some old-school telnet work on email servers. It starts with port scanning and illustrates the importance of also scanning less popular ports. After finding the email server with default credentials, you must use your administrator power to get code execution.
Once on the box, all you have to do is find an insecure cron job and you are root. Again, some statistics for this machine first. As it is an easy box, many people got the user flag, and a considerable number managed the privesc too. While the current version of James is 3.x, this one is older. If you read the docs, you discover that it offers an admin interface called RemoteManager.
By default it runs on a port that does not show up in the default scan list above; a full port scan, though, reveals this port too. A full scan may show important services. The web server, on the other hand, is quite useless: merely a static page with a single contact form.
You could run sqlmap on it but would not find anything. As an email server, James opens up SMTP on port 25 and POP3 for sending and receiving email. There is one odd port offering something called nntpd, which is the protocol for Usenet news articles. Finally, we have the telnet admin interface on its own port. Checking Exploit-DB, we find an exploit for exactly that version. It sounds interesting, since it promises code execution.
You can check out the details of the exploit there. The credentials it uses seem to be the defaults; cross-checking an article about installing James, we find the same credentials too. Funny side note: that blog post is from November, and there actually are people who still install this piece of software in the real world.
Now, we could go directly for the exploit mentioned above. But reading it carefully, you will see that it needs someone to log in to the system before the payload runs. To read the users' mail, reset all the passwords via the setpassword [username] [password] command in the admin tool. Resetting passwords is noisy and destructive, so on a real engagement this is the point where you would stop and talk to the client.
For example, we can do setpassword john newpasswd, which James confirms with "Password for john reset". Then we connect to the POP3 port, log in as each user, and fetch the mails. For example, this is how to do it for john.
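The telnet session for john that the original post showed at this point was lost in extraction. As an added example (not the author's session), here is the same exchange scripted with Python's poplib, driven against a constructed in-process fake POP3 server so it runs offline: the host, port, password and mailbox contents are all constructed, and the server only implements the five commands the exchange needs. Against the real box you would point fetch_mailbox at the target's POP3 port with the password you just set via setpassword.

```python
import poplib
import socket
import threading

# Constructed mailboxes for the fake server: user -> (password, [messages]).
# The password stands in for the one set with setpassword in the admin tool;
# the message text is made up for the demo.
MAILBOXES = {
    "john": ("newpasswd", [
        "From: mindy@example.test\nTo: john@example.test\nSubject: hello john\n\n"
        "constructed message body, one line",
    ]),
}


def _send(conn, text):
    conn.sendall((text + "\r\n").encode())


def serve_one_session(server_sock, mailboxes):
    """Minimal POP3 server: USER/PASS/LIST/RETR/QUIT for one client, then exit."""
    conn, _ = server_sock.accept()
    reader = conn.makefile("rb")
    user, authed = None, False
    _send(conn, "+OK fake POP3 ready")
    for raw in reader:
        cmd, _, arg = raw.decode().rstrip("\r\n").partition(" ")
        cmd = cmd.upper()
        if cmd == "QUIT":
            _send(conn, "+OK bye")
            break
        if cmd == "USER":
            user = arg
            _send(conn, "+OK")
        elif cmd == "PASS":
            authed = user in mailboxes and mailboxes[user][0] == arg
            _send(conn, "+OK logged in" if authed else "-ERR authentication failed")
        elif not authed:
            _send(conn, "-ERR not authenticated")
        elif cmd == "LIST":
            msgs = mailboxes[user][1]
            _send(conn, f"+OK {len(msgs)} messages")
            for number, body in enumerate(msgs, start=1):
                _send(conn, f"{number} {len(body)}")
            _send(conn, ".")  # multi-line replies are terminated by a lone dot
        elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(mailboxes[user][1]):
            _send(conn, "+OK")
            for line in mailboxes[user][1][int(arg) - 1].split("\n"):
                _send(conn, line)
            _send(conn, ".")
        else:
            _send(conn, "-ERR unsupported")
    reader.close()
    conn.close()


def fetch_mailbox(host, port, user, password):
    """Log in over POP3 and return every message as text; None if the login is rejected."""
    pop = poplib.POP3(host, port, timeout=5)
    try:
        pop.user(user)
        try:
            pop.pass_(password)
        except poplib.error_proto:  # server answered -ERR to PASS
            return None
        _, listing, _ = pop.list()
        messages = []
        for entry in listing:  # each entry is b"<number> <octets>"
            number = entry.split()[0].decode()
            _, lines, _ = pop.retr(number)
            messages.append(b"\n".join(lines).decode())
        return messages
    finally:
        pop.quit()


def run_demo(user="john", password="newpasswd"):
    """Start the fake server on a free loopback port and fetch the mailbox through it."""
    server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server_sock.bind(("127.0.0.1", 0))
    server_sock.listen(1)
    port = server_sock.getsockname()[1]
    worker = threading.Thread(target=serve_one_session,
                              args=(server_sock, MAILBOXES), daemon=True)
    worker.start()
    try:
        return fetch_mailbox("127.0.0.1", port, user, password)
    finally:
        worker.join(timeout=5)
        server_sock.close()


if __name__ == "__main__":
    for message in run_demo() or []:
        print(message)
        print("-" * 40)
```

Everything here crosses the wire in the clear, which is the same reason the real box's credentials were recoverable in the first place; the fake server is only there so the client side can be exercised without a target.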