Nooff's Cyber Blog

Overview Browsed is a medium Linux machine from HackTheBox. This box showcases potential dangers of insecure browser extensions and beyond. We start by discovering an exposed Gitea instance, which stored source code for internal service. We identify a vulnerability and perform Bash arithmetic injection to get initial access. Once inside, we find a Python script. We inspect it’s source code and perform Python cache poisoning to get Root access. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─ # nmap -A 10.10.8.1 -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-13 04:55 -0500 Nmap scan report for 10.10.8.1 Host is up (0.027s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 02:c8:a4:ba:c5:ed:0b:13:ef:b7:e7:d7:ef:a2:9d:92 (ECDSA) |_ 256 53:ea:be:c7:07:05:9d:aa:9f:44:f8:bf:32:ed:5c:9a (ED25519) 80/tcp open http nginx 1.24...

You have found WindCorp’s internal network and their Domain Controller. Can you pwn their network? Overview Ra is a hard Windows/Active Directory machine from TryHackMe. It has three stages/flags, each one has interesting vulnerability, and a lot of users. So buckle up! We start by enumerating the domain and associated web server. We abuse weak password reset functionality to compromise our first user. Then, we identify vulnerable version of Spark client. We exploit it and capture NTLMv2 hash with Responder. Next, after gaining initial access, we find Powershell script vulnerable to command injection. We hijack important file and add our user to Admin group, and thus compromise the domain. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─# nmap -Pn -A -p- 10.112 .147 .122 -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-06 13 :27 -0500 Warning: 10.112 .147 .122 giving up on port because retransmission cap hit (2). Nmap scan report ...