Blog

HTB – Monitors

Christopher Soehnlein2021-10-09T10:46:17-05:00October 9th, 2021|Categories: HTB, Technology|Tags: Cacti, CAP_SYS_MODULE, docker, HTB, Monitors, Pivot, Tomcat, WordPress|

Monitors is an Hard box from HTB and created by TheCyberGeek. This box features a WordPress plugin exploit via wp-with-spritz allowing for LFI/RFI and an internal docker with Apache Tomcat running.

HTB – Blackfield

Christopher Soehnlein2020-10-10T10:39:40-05:00October 3rd, 2020|Categories: HTB, Technology|Tags: Blackfield, CrackMapExec, Evil-WinRM, HTB, john, Seatbelt, SeBackupPrivilege, smbmap, Windows|

Today in Blackfield from HTB I explore a real-world example of a Windows Server when an account used for a specific task is not removed after.

HTB – Talkative

Christopher Soehnlein2022-08-24T14:50:20-05:00August 24th, 2022|Categories: HTB, Technology|Tags: BoltCMS, chisel, CVE-2021-22911, jamovi, Linux, mongodb, pwncat, RjEditor, RocketChat, shocker|

Talkative HTB has an outdated Jamovi with an R code exploit. On the box you pivot to the 172 range, get creds on MongoDB and a web-hook on Rocketchat for root.

HTB – StreamIO

Christopher Soehnlein2022-08-19T13:39:23-05:00August 19th, 2022|Categories: HTB, Technology|Tags: BloodHound, Evil-WinRM, ffuf, Firefox, firefoxdecrypt, john, LAPS, LFI, PowerShell, SQLMap|

StreamIO from HTB features a website with an exploitable login and parameter. Once on the box we use BloodHound alongside the Firefox profile creds for root.

HTB – Trick

Christopher Soehnlein2022-08-19T12:59:44-05:00August 19th, 2022|Categories: HTB, Technology|Tags: dig, DNS, Fail2Ban, ffuf, LFI, Linux|

Trick from HTB features a hidden sub-domain vulnerable to LFI which gets us the SSH key to user. For root we enumerate the database and use fail2ban.

HTB – Paper

Christopher Soehnlein2022-07-01T09:55:41-05:00June 30th, 2022|Categories: HTB, Technology|Tags: CVE-2019-17671, CVE-2021-3560, Polkit, WordPress|

Paper from HTB features an outdated WordPress environment and hidden sub-domain. On the box you use PolKit exploit CVE-2021-3560 made by the author for root.

HTB – Meta

Christopher Soehnlein2022-06-08T15:33:21-05:00June 8th, 2022|Categories: HTB, Technology|Tags: CVE-2021-22204, ImageMagick, Linux, Mogrify, neofetch, sub-domain, XDG_CONFIG_HOME|

Paper from HTB features an outdated WordPress environment and hidden sub-domain. On the box you use PolKit exploit CVE-2021-3560 made by the author for root.

HTB – Pandora

Christopher Soehnlein2022-06-08T15:32:08-05:00June 8th, 2022|Categories: HTB, Technology|Tags: CVE-2021-32099, Linux, pandora_backup, PandoraFMS, PATH, PATH Abuse, PortForwarding, SNMP-Check, SSH, UDP, WSO|

Pandora from HTB features Port 161 running UDP which shows a password. Next you use CVE-2021-32099, a php web-shell and pandora_backup for root.

HTB – Search

Christopher Soehnlein2022-07-01T12:16:47-05:00June 8th, 2022|Categories: HTB, Technology|Tags: BloodHound, CrackMapExec, crackpfkcs12, exce, FeroxBuster, Impacket, KerBrute, password-reuse, Windows|

Search from HTB features a website with credential leakage via a image and a domain controller you exploit to escalate. Finally we use GenericAll for root.

HTB – Devzat

Christopher Soehnlein2022-06-08T15:34:54-05:00June 8th, 2022|Categories: HTB, Technology|Tags: .git, command injection, CVE-2019-20933, devzat, diff, FeroxBuster, ffuf, InfluxDB|

Devzat from HTB features a sub-domain with command injection. On the box you find an exploitable InfluxDB running and a dev chat with a file command for root.

HTB – Backdoor

Christopher Soehnlein2022-04-25T10:03:01-05:00April 23rd, 2022|Categories: HTB, Technology|Tags: ebook-download, ffuf, gdbserver, LFI, MSFVenom, proc, screen, WordPress|

Backdoor from HTB features a WordPress environment with an LFI. We use the LFI to find gdbserver which we exploit. Finally we use screen, which runs as root.

HTB – Shibboleth

Christopher Soehnlein2022-04-01T11:12:34-05:00April 1st, 2022|Categories: HTB, Technology|Tags: CVE-2021-27928, ffuf, IPMI, john, MariaDB, UDP, Zabbix|

Shibboleth from HTB features an exploitable IPMI open on UDP and Zabbix actions for a reverse shell. Once on the box we exploit a vulnerable MariaDB for root.