Sau is an Easy Difficulty Linux machine that features a Request Baskets instance that is vulnerable to Server-Side Request Forgery (SSRF) via CVE-2023-27163. Leveraging the vulnerability we are to gain access to a Maltrail instance that is vulnerable to Unauthenticated OS Command Injection, which allows us to gain a reverse shell on the machine as puma. A sudo misconfiguration is then exploited to gain a root shell.
Setup mkdir -p ~/ctf/HackTheBox/voleur/scans && cd ~/ctf/HackTheBox/voleur IP Address: 10.10.11.76 Add to /etc/hosts (requires sudo): echo "10.10.11.76 voleur.htb" | sudo tee -a /etc/hosts 10.10.11.76 voleur.htb As this is a assumed breach scenario, we are provided with a low privilege account with credentials: ryan.naylor:HollowOct31Nyt Enumeration Fast sweep variant: nmap -sC -sV -p- -T4 --min-rate 2000 -vv voleur.htb -oN ~/ctf/HackTheBox/voleur/scans/nmap_fast_20250814-112058.txt # nmap findings PORT STATE SERVICE REASON 53/tcp open domain syn-ack ttl 127 88/tcp open kerberos-sec syn-ack ttl 127 135/tcp open msrpc syn-ack ttl 127 139/tcp open netbios-ssn syn-ack ttl 127 389/tcp open ldap syn-ack ttl 127 445/tcp open microsoft-ds syn-ack ttl 127 464/tcp open kpasswd5 syn-ack ttl 127 593/tcp open http-rpc-epmap syn-ack ttl 127 636/tcp open ldapssl syn-ack ttl 127 2222/tcp open ssh syn-ack ttl 127 3268/tcp open globalcatLDAP syn-ack ttl 127 3269/tcp open globalcatLDAPssl syn-ack ttl 127 5985/tcp open wsman syn-ack ttl 127 9389/tcp open adws syn-ack ttl 127 49664/tcp open unknown syn-ack ttl 127 49669/tcp open unknown syn-ack ttl 127 55183/tcp open unknown syn-ack ttl 127 55184/tcp open unknown syn-ack ttl 127 55197/tcp open unknown syn-ack ttl 127 55203/tcp open unknown syn-ack ttl 127 55217/tcp open unknown syn-ack ttl 127 Using NetExec and given credentials we enumerate the following: ...
This writeup covers the assumed breach scenario for HackTheBox Certified, demonstrating enumeration, privilege escalation, and exploitation of Active Directory and ADCS vulnerabilities to achieve domain administrator access.
This writeup demonstrates enumeration and exploitation of Windows services on HackTheBox Aero, including web and network service attacks.
This writeup covers the exploitation of Jenkins and Windows services on HackTheBox Jeeves, including reverse shell generation and privilege escalation.