HackTheBox - Cypher Writeup

Synopsis
Cypher is a Medium Linux machine from HackTheBox that features a Cypher injection vulnerability in its web application login form, which allows for initial access via a reverse shell, lateral movement using credentials discovered in bash history, and privilege escalation by exploiting a sudo misconfiguration for the bbot binary to load a malicious custom module.

- Scan for Services
- Discover Web App & Login Form
- Exploit Cypher Injection
- Get Reverse Shell as 'neo4j'
- Find Password in Bash History
- SSH as 'graphasm' & Get User Flag
- Abuse Sudo rule for 'bbot'
- Create Malicious Module for SUID Shell
- Execute SUID Shell to get Root

Skills Required
- Web application enumeration
- SQL/NoSQL injection (specifically Cypher)
- Linux privilege escalation techniques
- Familiarity with SUID binaries and sudo misconfigurations

1. Reconnaissance (TA0043)
The reconnaissance phase involves actively scanning the target to identify services and enumerate the web application. ...

July 26, 2025 · 7 min · 0xblivion

HackTheBox - Scepter Writeup

Synopsis
Scepter is a Hard Windows machine from HackTheBox featuring an exposed NFS share that contains user certificate files, which, after being cracked, allow for initial access and a series of chained Active Directory Certificate Services (ADCS) abuses (ESC9 and ESC14) to pivot through multiple user accounts, ultimately gaining DCSync rights for full domain compromise.

- Scan for Services
- Enumerate NFS Share
- Crack Certificate Passwords
- Authenticate as User 'd.baker'
- Abuse 'ForceChangePassword' to become 'a.carter'
- Abuse ADCS (ESC9) to become 'h.brown'
- Capture User Flag
- Abuse ADCS (ESC14) to become 'p.adams'
- Abuse DCSync rights to dump all hashes
- Use Administrator hash to get Root Shell

Skills Required
- Active Directory (AD) Enumeration
- NFS Enumeration
- Password Cracking (John the Ripper)
- AD Certificate Services (ADCS) Abuse
- Familiarity with BloodHound, Certipy, Impacket, and BloodyAD

1. Reconnaissance (TA0043)
The reconnaissance phase involves actively scanning the target to identify services and potential vulnerabilities. ...

July 19, 2025 · 7 min · 0xblivion