Summary HackTheBox’s Help was a relatively straightforward box which required the attacker to use a unmodified script to gain remote code execution and a rudimentary shell, upgrade that to a full shell, forward the port for a vulnerable service, and exploit a buffer overflow vulnerability in that service. …

Before the holiday break last month, I was in the process of setting up a dropbox that would be deployed onto a client’s internal network. This involved taking an ISO of a standard enterprise-grade Linux distribution, configuring the device with it, and loading in all necessary tools and dependencies as…

As I had been planning to do since earlier this year, on August 31st I took and passed the Certificate of Cloud Security Knowledge (CCSKv4) exam. Thinking I’d put my experience to good use and inform potential test takers on the pros and cons of the certificate, I’ve decided to…

Summary HackTheBox’s Traceback was retired this past week, and it was a relatively straightforward box that required no active exploitation. The home page of the website hosted on port 80 claimed that the site had been “owned” and that a backdoor existed on the site. Reading the source code of that…

Summary HackTheBox’s Sauna was retired today, and it was an excellent machine for practicing Active Directory (and domain controller) exploitation. Rooting the box did not require any vulnerability exploitation at all, rather it relied on tried and true AD exploitation tactics. Getting an initial foothold on the box required enumerating employee…

Summary HackTheBox’s Teacher didn’t involve very much CTF-like trickery. By performing basic web application enumeration, getting a username and a partial password is relatively straightforward. From the partially-obtained credentials, I generated a password list and used Hydra to brute force my way into the Moodle web application. I was able to…

Summary HackTheBox’s Irked was a simple machine with a fun, steganographic twist. In order to get an initial low shell on the system, one needs to exploit a backdoor in UnrealIRCd. Once on the box, there is a file called ‘.backup’ in the ‘djmardov’ user’s home directory that hints at their…

Summary How difficult HackTheBox’s Curling is highly depends on how well you enumerate the box. In my case, it ended up being relatively simple. Inspecting the source code reveals a hidden file from which I derived the password to the Joomla admin panel. From there, I was able to get a…

It’s been a while since I’ve had the chance to do one of these, things have been pretty busy… But anyways, the box is Frolic. This is probably the most difficult box I’ve done to date. It involves going further and further down an exceedingly convoluted rabbit hole to get…