We are solving Breadcrumbs, a 40-point Windows machine on HackTheBox. For user, we exploit an LFI to read PHP source code, forge a session cookie & upload a PHP shell. Root involves dumping sticky notes content & exploiting a SQL injection.
We are going to solve Atom, a 30-point machine on HackTheBox where we'll analyze an electron app and exploit its updater. For root we will enumerate the running Redis instance, find an encrypted kanban password and then decrypt it.
We are solving Cereal, a 40-point machine on HackTheBox. For user, we will exploit a pretty tricky deserialization vulnerability in a .NET web app. For root, we exploit SeImpersonate.
We will solve Sharp, a 40-point machine on HackTheBox that is all about C-Sharp & .Net. For user, we exploit a deserialization vulnerability in a .NET Remoting Service and for root WCF.
APT is a 50-point machine on HackTheBox which involves getting the IPv6 Address via MS-RPC, credential spraying, and reading the boxes registry remotely. For root, we force authentication of the box's machine account to our box, capture it with responder, crack it, and then use secretsdump to obtain the...
Solving Reel2 on HackTheBox. This is a 40 point box involving Spraying, Phishing, Sticky Notes and JEA.
Sauna is a 20-point Windows Machine on HackTheBox. For user, we bruteforce usernames and then use ASREP-Roasting to obtain the hash of one the users. For root, we find the logon password for an account that has DCSync privileges and then use secretsdump.py to execute the attack.
Monteverde is a 30-point Windows machine on HackTheBox that involves some LDAP and SMB enumeration to get the user flag. For root we exploit Azure AD Connect’s way of storing the password for the account that synchronizes on premise AD accounts with Azure AD.
Nest is a 20-point Windows machine on HackTheBox that involves searching through smb shares and analyzing 2 short custom programs.
P.O.O. Endgame is one of HackTheBox’s endgame labs and was just retired. It involves exploiting SQL Server Links & Active Directory ACLs.