Privilege Escalation

Overview Dog is an easy box from HackTheBox that focuses on web application vulnerabilities, specifically a misconfigured Git repository and a vulnerable Backdrop CMS. We start by discovering an exposed .git directory, which allows us to dump the repository and uncover database credentials. These credentials lead to an authenticated web panel, where we exploit a known Remote Code Execution (RCE) vulnerability in Backdrop CMS to gain an initial shell as www-data. For privilege escalation, we discover that a user (johncusack) can execute a PHP utility (bee) as root, which we then abuse to spawn a root shell. ...

Overview Ra is a Hard machine on TryHackme it started with exploiting a weak password reset mechanism on a web application. After finding employee names and guessing a security question based on a pet’s name found in an image file, we get our initial credentials. This leads us to an SMB share with an installer for a vulnerable Spark XMPP client. The real challenge begins here: we have to set up a sandboxed environment to run the client, debug Java and audio errors within Docker, and finally exploit a Cross-Site Scripting (XSS) vulnerability (CVE-2020-12772) to capture another user’s NTLM hash. ...

Overview This box focuses on web application vulnerabilities, specifically Cross-Site Scripting (XSS) and SQL Injection, leading to privilege escalation. We start with an Nmap scan to identify open ports and services. We then enumerate the web application, discovering an exposed Git repository and an XSS vulnerability in the cat registration feature. Exploiting the XSS allows us to capture an admin session cookie, granting access to an administrative panel. From there, we identify and exploit a SQL Injection vulnerability to dump user credentials, which leads to SSH access as a low-privileged user. Finally, we leverage another XSS vulnerability within a local Gitea instance, triggered by an internal mail service, to compromise a higher-privileged user and obtain the root flag. ...