Posts

Conversor Writeup (HackTheBox Easy Machine)

-
Image
Overview Conversor is an easy Linux machine from HackTheBox. This box chains web app vulnerability with binary misconfiguration and presents a fun challenge. We start by discovering XSLT injection vulnerability in a web app. We write a shellcode via XSLT injection and get it executed via active cronjob. Once inside, we crack a weak password and discover a binary with sudo privileges. We forge it’s config file for Perl shell script and gain Root shell. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─ # nmap -Pn -A 10.10.11.92 -T5 Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-17 15:07 CET Nmap scan report for conversor.htb (10.10.11.92) Host is up (0.025s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA) |_ 256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519) 80...
Post a Comment
Read more

Expressway Writeup (HackTheBox Easy Machine)

-
Image
Overview Expressway is an easy Linux machine from HackTheBox. This box is very straightforward and can be seen as too easy by experienced hackers, but still deals with some interesting topics. We start with classic port scan and discover IKE service on UDP port 500. During enumeration of this service, we get the PSK hash. We crack it and use it to login via SSH. Once inside, we identify an old sudo version and find out that it’s vulnerable. We exploit the weakness and get the Root shell and full access.
Post a Comment
Read more

Soulmate Writeup (HackTheBox Easy Machine)

-
Image
Overview Soulmate is an easy Linux machine from HackTheBox. This box requires mainly precise enumeration and good patience, although it’s beginner-friendly. We start by discovering subdomain which hosts CrushFTP. We exploit known Auth bypass and get into dashboard. Then we reset some user’s password and upload PHP shell script. Next, we find this user’s SSH creds in running Escript. And finally, we exploit critical vulnerability in Erlang version of SSH and get RCE on the machine with Root privileges.
Post a Comment
Read more

CodePartTwo Writeup (HackTheBox Easy Machine)

-
Image
Overview CodePartTwo is an easy Linux machine from HackTheBox. This box has several straight forward and simple attack paths. Hardest part is to find a proper way in. We start by enumerating a Flask web app and discovering a vulnerable Js2Py Python library, which we abuse to get a shell. Then, we find a SQLite database on the machine and crack a password. Next, we discover that our user can run NPBackup software with sudo privileges. We create a malicious config file and perform a backup of the “/root” directory to get all the secrets. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─# nmap -A 10.10 .11 .82 -T5 Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 13 :11 CEST Nmap scan report for 10.10 .11 .82 Host is up (0.037s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22 /tcp open ssh OpenSSH 8. 2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0 ) | ssh-hostkey: | 307...
Post a Comment
Read more

VulnNet: Active Writeup (TryHackMe Medium Machine)

-
Image
VulnNet Entertainment just moved their entire infrastructure… Check this out… Overview VulnNet: Active is a medium Windows machine from TryHackMe. Another room from the VulnNet series, this time focused on Windows and it’s common services. We start by enumerating Redis service, which allows us to read system files. We use a trick to capture user’s NTLM hash using Responder. Then, we get a shell on the machine by overwriting scheduled Powershell script. Next, we do post-exploitation enumeration and found “SeImpersonatePrivilege” enabled. This allows us to perform GodPotato attack and get SYSTEM access. I also show alternative path to full compromise via modifying Group Policy Object (GPO). Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─ # nmap -Pn -A -p- 10.80.138.97 -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-04 11:10 -0500 Nmap scan report for 10.80.138.97 Host is up (0.043s latency). Not shown: 65521 filtered tcp ports (no-response) PORT STA...
Post a Comment
Read more