About



If it flies, it lies.

Recent Posts

HTB Fatty Writeup by Immo

The box was rated as insane and required us to grab a client and information from an anonymous FTP server, modify the Java client to exploit lacking server side validation, exploit Java deserialization, and exploit and careless administrator who periodically pulls log archives from within docker containers and extracts them. All in all this box was quite entertaining but not necessarily insane. Rather it mostly was just time-consuming.

HTB Dream Diary Chapter 1 Writeup by FizzBuzz101

Now that Dream Diary: Chapter 1 has finally retired, here is my writeup for it. This problem along with Chapter 2 were perhaps the 2 heap challenges I solved over a year ago that helped me start to understand heap pwn, and also inspired me to develop Dream Diary: Chapter 3 down the road.

HTB Cascade Writeup by dmw0ng

Cascade is a medium difficulty windows machine that requires a lot of enumeration. Credentials can be found in different places, and one set is decrypted by reversing an application. For the final privilege escalation we abuse an Active Directory feature using deleted objects.

ret2csu ARM 32bit by gbyolo

In this post I’ll show you how to port the ret2csu technique on ARM binaries. This technique allows full ASLR bypass using ROP gadgets inside the binary only. We will see that it also turns out to be a very effective technique to easily chain ROP gadgets.

HTB Forwardslash Writeup by c4e

Forwardslash is a hard-rated box (medium difficulty imo) in which we exploit an LFI in the web server to get access to some sensitive info that lets us SSH in. In our initial SSH session we exploit a SUID binary to obtain once again read access to a file with credentials that we use to move laterally to another user. From there we have sudo rights to access an encrypted luks image file, so we only have to bruteforce the key to then gain root and complete the machine.

HTB Player2 Writeup by FizzBuzz101

Player2 was a challenging but very fun box by MrR3boot and b14ckh34rt. The highlight of the box for me is the finale 2.29 heap pwn! In my opinion, if there were no unintended routes, this would have been by far the hardest box so far, but some of these alternative solutions were never patched.

HTB Servmon Writeup by Immo

Throughout this writeup we’ll see how just a little bit of additional information allows us to effectively abuse a directory traversal vulnera- bility in way too old software. Going forward, we’ll use credentials obtained to look around the system to discover credentials for yet another application. Abusing an inherent flaw in the application design we’ll obtain SYSTEM privileges and ultimately take over the box. After we finished the hassle we’ll look at an alternative, easier, and more reliable route dmw0ng told me about after I solved the box and for style points use RDP to log into the system.

HTB Monteverde Writeup by dmw0ng

Monteverde was a medium difficulty box with no web server in which we gained access by using a password discovered in a file stored in an SMB Share. After that, we had to interact with Azure to escalate privileges and finish the box.

HTB Resolute Writeup by dmw0ng

Resolute was a quite particular windows box that did not have a web server running. A password could be retrieved remotely from user descriptions comments, allowing a login into the box through WinRM. From there, another password can be grabbed from PSTranscripts to escalate to a user with DnsAdmin privieleges, which allowed us to further privesc to the Domain Admins group and finish the box.

HTB ropmev2 Writeup by c4e

ropmev2 was a fun binary exploitation challenge by r4j in which we needed to rop our way through some twists to be able to build a successful exploit.

HTB Rope Writeup by FizzBuzz101

Rope was an insane box from r4j that was almost purely binary exploitation, one of the favorite categories of the members of this team.

HTB Patents Writeup by FizzBuzz101

Patents was quite a difficult box from gb.yolo (who’s now a teammate of mine!) with a realistic pwn in the end. Overall, it was a very enjoyable box that took a while! Before I start, I would like to thank D3v17 and pottm, my teammates who worked with me on this box. Additionally, I would like to thank oep, Sp3eD, R4J, and Deimos who I collaborated with at times throughout and after the box.

HTB Obscurity Writeup by plasticuproject

Obscurity is a medium difficulty box where we will leverage bad server code to inject and run commands, and take advantage of poor cryptography and leftover files to get user access. From there we take advantage of sudo privileges and a poorly executed program to read the root.txt file.

HTB Openadmin Writeup by Spengesec

Openadmin was an easy box that required exploiting a vulnerability in a running web service to get a shell, then escalating privileges laterally to different users to finally escalating to root abusing a sudo nopasswd access configuration.

HTB Control Writeup by dmw0ng

Control is a hard-rated box that required writing a shell through an SQL injection, using previously acquired hashes to pivote to a different user and then modifying a service to gain an Administrator shell.

HTB Mango Writeup by plasticuproject

Mango is a medium difficulty box where with basic enumeration and some MongoDB NOSQL Injection we can extract user passwords to log in and get user access. From there we will leverage a classic jjs privilege escalation to get root access and read the root.txt file.

HTB Traverxec Writeup by plasticuproject

Traverxec is an easy difficulty box in which we are able to leverage a directory traversal vulnerability in Nostromo to achieve remote command execution. We use a Metasploit exploit to gain a shell on the machine as www-data. Because of file/directory permission misconfiguration we can access a backup file containing user credentials, and then elevate our privileges to the root account via the user’s sudo privilege and a known shell escape for journalctl where the less pager allows us to execute commands as root.

Centreon ARCE CVE by SpengeSec

CVE-2019-19699 Centreon =< 19.10 Proof of Concept Authenticated Remote Code Execution (CVE-2019-19699) Privilege escalation (Walkthrough & Mitigation)

HTB Registry Writeup by Celesian

Registry is a Hard-rated HackTheBox machine that involved getting a foothold related to a docker registry and then abusing and chaining multiple flaws to escalate privileges.

HTB Forest Writeup by dmw0ng

Forest is a pure Active Directory box that requires chaining multiple attacks on different services to gain access and escalate.

HTB Zetta Writeup by dmw0ng

Zetta is a hard box in which you have to leak the machine’s IPv6 address to be able to gain access. After that, rsync credential bruteforcing and a SQL injection lead to privilege escalation to root.

HTB AI Writeup by dmw0ng

AI is a medium difficulty box that we own by exploiting an SQL injection through an audio file on an ‘Artificial Intelligence’ software. After that we escalate to root abusing a JDWP instance that is running locally.

HTB Wall Writeup by dmw0ng

Wall is a medium difficulty machine that we own by exploiting an RCE vulnerability in Centreon and then escalating privileges using a SUID binary.

HTB Heist Writeup by dmw0ng

Heist is an easy box in which we first crack found creds on the website to access RPC. From there we enumerate users and use one of them with the previously obtained passwords to log into WinRM. We find out that a Firefox process memory dump in the disk and analyze it to discover credentials that allow us to escalate to Administrator and own the box.

HTB Chainsaw Writeup by FizzBuzz101

Chainsaw was quite an interesting and difficult box involving some blockchain programming. After I finished the box, I found out that root could also be done with blockchain programming but I just hijacked the path to finish it up; you can check out some other writeups if you are interested in seeing that root method. Anyways, let us begin!

HTB Pseudo Writeup by FizzBuzz101

Pseudo is the toughest challenge on HTB in my opinion as of 2019 (well, before headachev2 released). Nothing even comes close to this reversing challenge, which centers around an aarch64 and VM crackme. Before I start, I would like to thank davidlightman for working on it with me. He taught me many new reversing tricks and, oftentimes, managed to see things which I missed.

HTB Networked Writeup by Spenge

Networked was a fun and easy box, requiring us to dig a little deeper into bypassing file upload limitations to gain initial foothold. Enumeration is key, and being able to comprehend php and bash is advised.

HTB Jarvis Writeup by dmw0ng

Jarvis is a medium difficulty box in which we are able to inject SQL to get credentials into a phpmyadmin instance. We use a phpmyadmin metasploit exploit to gain a shell on the machine as www-data. www-data has sudo access as pepper user to a python script which we escape into a bash shell and then use to exploit a SUID binary to get root.

HTB Writeup Writeup by dmw0ng

Writeup is an easy box in which we exploit a vulnerability in CMSMadeSimple to get ssh credentials. After that we privesc abusing a writeable directory in the PATH that leads to execution by a process that spawns when an ssh session is started.

HTB Bastion Writeup by dmw0ng

Bastion is an easy box that we start by getting a Windows backup from an open SMB share. We crack the SAM file and get a password. From there we ssh in the machine and find an mRemoteNG configuration file that we use to get the Adminisrator password and finish the box.

HTB OneTwoSeven Writeup by dmw0ng

OneTwoSeven is a hard box that starts by logging into sftp and creating multiple symlinks to enumerate files. From one of these files we get credentials and move on to port-forward to get access to a plugin upload website from which we can get RCE. For privesc we MITM attack an apt-get update that we have sudo rights with, create a malicious package and gain root access.

HTB LaCasaDePapel Writeup by dmw0ng

LaCasaDePapel is an easy box in which we get our foothold by entering a php-debugging console that runs on the ftp port to get an SSH key. For privesc we abuse a cronjob to gain root and finish the box.

HTB Luke Writeup by Spenge

Luke was a great box for those looking to up the difficulty a bit when coming from easy boxes. Once again enumeration is key, and the box involved a lot of the basics while looking a bit more in depth at web exploitation and an API, finally we abused the Ajenti web panel to access files and optionally for file upload.

HTB Querier Writeup by dmw0ng

Querier was a really fun Windows box that involved some skills around MSSQL, Responder, and some classic Windows priv esc techniques.

HTB Fortune Writeup by Spenge

Fortune was a tough puppy to crack, it requires good enumeration skills and web exploitation to abuse weak input validation. Knowing how SSL and certificates work made it much more achievable.