Recent Posts

HTB Heist Writeup by dmw0ng

Heist is an easy box in which we first crack found creds on the website to access RPC. From there we enumerate users and use one of them with the previously obtained passwords to log into WinRM. We find out that a Firefox process memory dump in the disk and analyze it to discover credentials that allow us to escalate to Administrator and own the box.

HTB Chainsaw Writeup by FizzBuzz101

Chainsaw was quite an interesting and difficult box involving some blockchain programming. After I finished the box, I found out that root could also be done with blockchain programming but I just hijacked the path to finish it up; you can check out some other writeups if you are interested in seeing that root method. Anyways, let us begin!

HTB Pseudo Writeup by FizzBuzz101

Pseudo is the toughest challenge on HTB in my opinion as of 2019 (well, before headachev2 released). Nothing even comes close to this reversing challenge, which centers around an aarch64 and VM crackme. Before I start, I would like to thank davidlightman for working on it with me. He taught me many new reversing tricks and, oftentimes, managed to see things which I missed.

HTB Networked Writeup by Spenge

Networked was a fun and easy box, requiring us to dig a little deeper into bypassing file upload limitations to gain initial foothold. Enumeration is key, and being able to comprehend php and bash is advised.

HTB Jarvis Writeup by dmw0ng

Jarvis is a medium difficulty box in which we are able to inject SQL to get credentials into a phpmyadmin instance. We use a phpmyadmin metasploit exploit to gain a shell on the machine as www-data. www-data has sudo access as pepper user to a python script which we escape into a bash shell and then use to exploit a SUID binary to get root.

HTB Writeup Writeup by dmw0ng

Writeup is an easy box in which we exploit a vulnerability in CMSMadeSimple to get ssh credentials. After that we privesc abusing a writeable directory in the PATH that leads to execution by a process that spawns when an ssh session is started.