Nooff's Cyber Blog

Overview MonitorsFour is an easy Windows machine from HackTheBox. Although it’s presented as easy, it can definitely post some problems, but has couple interesting vulnerabilities. We start by enumeration and discover a subdomain and an API. We abuse type juggling flaw in PHP to access special endpoint that exposes sensitive info about users. Then, we access Cacti dashboard and exploit RCE vulnerability to get a shell. Next, we identify a Docker environment and Docker version. We find an escape online, mount the entire host filesystem and get access to host OS. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─# nmap -Pn -A 10.10 .11 .98 -T5 Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-20 10 :03 CET Nmap scan report for monitorsfour.htb (10.10.11.98) Host is up (0.10s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80 /tcp open http nginx | http-cookie-flags: | /: ...

Overview Overwatch is a medium Windows/Active Directory machine from HackTheBox. This box showcases couple interesting vulnerabilities and misconfigurations so it’s definitely worth checking out. We start by discovering EXE program which we reverse engineer and find MS SQL credentials. Because our user’s write permissions, we perform ADIDNS poisoning and steal NTLMv2 hash with Responder. We get remote access to the machine. Once inside, we find an internal SOAP-based web service. We recheck the decompiled code and find command injection vulnerability. We exploit it and get shell as System user. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─# nmap -Pn -A -p- overwatch.htb -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 04 :27 -0500 Nmap scan report for overwatch.htb (10.129.16.108) Host is up (0.027s latency). Not shown: 65516 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53 /tcp open domai...