Posts by Tag

slae

Creating a custom shellcode crypter

For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project.

Polymorphic Linux Shellcode

This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.

Msfvenom shellcode analysis

This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.

Custom shellcode encoder

A shellcode encoder can be used for different purposes, such as modifying an existing shellcode to make it harder to detect by AV engines or simply avoiding bad characters (such as null bytes).

Egghunter Linux Shellcode

An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the stack. The egghunter acts as a staged payload: the smaller payload which is executed first looks through the entire process memory space for a marker (the egg) indicating the start of the larger payload. Once the egg is found, the stager jumps to the memory address following the egg and executes the shellcode.

TCP reverse shellcode

A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially useful when a firewall denies incoming connections but allows outgoing connections.

TCP bind shellcode

A bind shellcode listens on a socket, waiting for a connection to be made to the server, then executes arbitrary code, typically spawning a shell for the connecting user. This post demonstrates a simple TCP bind shellcode that executes a shell.


assembly

Creating a custom shellcode crypter

For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project.

Polymorphic Linux Shellcode

This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.

Msfvenom shellcode analysis

This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.

Custom shellcode encoder

A shellcode encoder can be used for different purposes, such as modifying an existing shellcode to make it harder to detect by AV engines or simply avoiding bad characters (such as null bytes).

Egghunter Linux Shellcode

An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the stack. The egghunter acts as a staged payload: the smaller payload which is executed first looks through the entire process memory space for a marker (the egg) indicating the start of the larger payload. Once the egg is found, the stager jumps to the memory address following the egg and executes the shellcode.

TCP reverse shellcode

A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially useful when a firewall denies incoming connections but allows outgoing connections.

TCP bind shellcode

A bind shellcode listens on a socket, waiting for a connection to be made to the server, then executes arbitrary code, typically spawning a shell for the connecting user. This post demonstrates a simple TCP bind shellcode that executes a shell.


hackthebox

Secnotes - Hack The Box

This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.

Oz - Hack The Box

This blog post is a writeup of the Oz machine from Hack the Box.

Mischief - Hack The Box

This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.


linux

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.

Vault - Hack The Box

This is the writeup for Vault, a machine with pivoting across different network segments.

Zipper - Hack The Box

This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.

Oz - Hack The Box

This blog post is a writeup of the Oz machine from Hack the Box.

Mischief - Hack The Box

This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.


php

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.

Vault - Hack The Box

This is the writeup for Vault, a machine with pivoting across different network segments.

Curling - Hack The Box

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.


sqli

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.

Giddy - Hack The Box

This is the writeup for Giddy, a Windows machine with an interesting twist on SQL injection, PowerShell Web Access and a priv esc exploiting improper permissions.

Secnotes - Hack The Box

This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.

Oz - Hack The Box

This blog post is a writeup of the Oz machine from Hack the Box.


ctf

Irked - Hack The Box

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.

Teacher - Hack The Box

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.

Curling - Hack The Box

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.

Frolic - Hack The Box

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.


containers

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.

Oz - Hack The Box

This blog post is a writeup of the Oz machine from Hack the Box.

Mischief - Hack The Box

This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.


windows

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.

Access - Hack The Box

This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.

Secnotes - Hack The Box

This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.


command injection

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.

Ethereal - Hack The Box

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the HTB staff.


egghunter

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.

Egghunter Linux Shellcode

An egghunter can be useful in situations where the buffer space the attacker controls is limited and doesn’t allow for a full shellcode to be placed on the stack. The egghunter acts as a staged payload: the smaller payload which is executed first looks through the entire process memory space for a marker (the egg) indicating the start of the larger payload. Once the egg is found, the stager jumps to the memory address following the egg and executes the shellcode.


encoding

Msfvenom shellcode analysis

This blog post provides an analysis of various common shellcodes generated by the msfvenom utility which is part of Metasploit.

Custom shellcode encoder

A shellcode encoder can be used for different purposes, such as modifying an existing shellcode to make it harder to detect by AV engines or simply avoiding bad characters (such as null bytes).


lxc

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.

Mischief - Hack The Box

This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.


unintended

Ethereal - Hack The Box

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the HTB staff.

Mischief - Hack The Box

This blog post is a writeup of the Mischief machine from Hack the Box using the unintended LXC container privesc method.


ldap

Lightweight - Hack The Box

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally priv esc to root by abusing a copy of the openssl program that also has Linux caps set on it.

Ypuffy - Hack The Box

This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.


suid

Irked - Hack The Box

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.

Zipper - Hack The Box

This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.


metasploit

Irked - Hack The Box

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.

Frolic - Hack The Box

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.


cve

Irked - Hack The Box

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.


enumeration

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.

Teacher - Hack The Box

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.


tcp bind shellcode

TCP bind shellcode

A bind shellcode listens on a socket, waiting for a connection to be made to the server, then executes arbitrary code, typically spawning a shell for the connecting user. This post demonstrates a simple TCP bind shellcode that executes a shell.


tcp reverse shellcode

TCP reverse shellcode

A TCP reverse shell connects back to the attacker machine, then executes a shell and redirects all input & output to the socket. This is especially useful when a firewall denies incoming connections but allows outgoing connections.


binary exploit


drupal


kerberos


polymorphic

Polymorphic Linux Shellcode

This blog post shows 3 polymorphic variants of common shellcodes found on shell-storm.org.


crypter

Creating a custom shellcode crypter

For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project.


go

Creating a custom shellcode crypter

For this last SLAE assignment, I’ve created a custom shellcode crypter using the Salsa20 stream cipher. Salsa20 is a family of 256-bit stream ciphers designed in 2005 and submitted to eSTREAM, the ECRYPT Stream Cipher Project.


capabilities


ssti

Oz - Hack The Box

This blog post is a writeup of the Oz machine from Hack the Box.


wsl

Secnotes - Hack The Box

This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.


csrf

Secnotes - Hack The Box

This blog post is a writeup of the Hack the Box SecNotes machine from 0xdf.


openbsd

Ypuffy - Hack The Box

This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.


ssh

Ypuffy - Hack The Box

This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.


pass-the-hash

Ypuffy - Hack The Box

This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.


ca

Ypuffy - Hack The Box

This is the writeup for Ypuffy, an OpenBSD machine from Hack the Box involving a somewhat easy shell access followed by a privesc using CA signed SSH keys.


powershell

Giddy - Hack The Box

This is the writeup for Giddy, a Windows machine with an interesting twist on SQL injection, PowerShell Web Access and a priv esc exploiting improper permissions.


zabbix

Zipper - Hack The Box

This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.


api

Zipper - Hack The Box

This is the writeup for Zipper, a Linux box running the Zabbix network monitoring software inside a docker container.


telnet

Access - Hack The Box

This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.


access

Access - Hack The Box

This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.


outlook

Access - Hack The Box

This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.


credential manager

Access - Hack The Box

This is the writeup for Access, a Windows machine involving some enumeration of an Access DB, an Outlook PST and a priv esc using Windows Credential Manager.


ms-dos

Ethereal - Hack The Box

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the HTB staff.


dns exfiltration

Ethereal - Hack The Box

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the HTB staff.


rotten potato

Ethereal - Hack The Box

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the HTB staff.


efs

Ethereal - Hack The Box

This is the writeup for Ethereal, a very difficult Windows machine that I solved using the unintended rotten potato method before the box was patched by the HTB staff.


networking

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.


bgp

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.


snmp

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.


mitm

Carrier - Hack The Box

This is the writeup for Carrier, a Linux machine I created for Hack the Box requiring some networking knowledge to perform MITM with BGP prefix hijacking.


esoteric language

Frolic - Hack The Box

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.


rop

Frolic - Hack The Box

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.


buffer overflow

Frolic - Hack The Box

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.


binary exploitation

Frolic - Hack The Box

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.


joomla

Curling - Hack The Box

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.


cron

Curling - Hack The Box

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.


easy

Curling - Hack The Box

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.


openvpn

Vault - Hack The Box

This is the writeup for Vault, a machine with pivoting across different network segments.


firewall

Vault - Hack The Box

This is the writeup for Vault, a machine with pivoting across different network segments.


pivoting

Vault - Hack The Box

This is the writeup for Vault, a machine with pivoting across different network segments.


gpg

Vault - Hack The Box

This is the writeup for Vault, a machine with pivoting across different network segments.


xss

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.


pgsql

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.


nss

Redcross - Hack The Box

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.


moodle

Teacher - Hack The Box

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.


mysql

Teacher - Hack The Box

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.


tar

Teacher - Hack The Box

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.


cronjob

Teacher - Hack The Box

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.


stego

Irked - Hack The Box

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.


exploit development

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


asm

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


nginx

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


keepass

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


lfi

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


ntfs ads

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


insane

Bighead - Hack The Box

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.


john

Lightweight - Hack The Box

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally priv esc to root by abusing a copy of the openssl program that also has Linux caps set on it.


caps

Lightweight - Hack The Box

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally priv esc to root by abusing a copy of the openssl program that also has Linux caps set on it.


tcpdump

Lightweight - Hack The Box

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally priv esc to root by abusing a copy of the openssl program that also has Linux caps set on it.


password cracking

Lightweight - Hack The Box

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally priv esc to root by abusing a copy of the openssl program that also has Linux caps set on it.


asp

Conceal - Hack The Box

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerating with SNMP, we connect to the server, upload an ASP payload to gain RCE then privesc to SYSTEM using RottenPotato. Not a bad box overall, but the initial part of figuring out the IPSec configuration parameters took me a while to figure out/guess.


ipsec

Conceal - Hack The Box

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerating with SNMP, we connect to the server, upload an ASP payload to gain RCE then privesc to SYSTEM using RottenPotato. Not a bad box overall, but the initial part of figuring out the IPSec configuration parameters took me a while to figure out/guess.


vpn

Conceal - Hack The Box

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerating with SNMP, we connect to the server, upload an ASP payload to gain RCE then privesc to SYSTEM using RottenPotato. Not a bad box overall, but the initial part of figuring out the IPSec configuration parameters took me a while to figure out/guess.


rotten tomato

Conceal - Hack The Box

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerating with SNMP, we connect to the server, upload an ASP payload to gain RCE then privesc to SYSTEM using RottenPotato. Not a bad box overall, but the initial part of figuring out the IPSec configuration parameters took me a while to figure out/guess.
