Posts

Showing posts with the label HackTheBox

CodePartTwo Writeup (HackTheBox Easy Machine)

Overview

CodePartTwo is an easy Linux machine from HackTheBox. This box has several straightforward and simple attack paths. The hardest part is finding a proper way in. We start by enumerating a Flask web app and discovering a vulnerable Js2Py Python library, which we abuse to get a shell. Then, we find a SQLite database on the machine and crack a password. Next, we discover that our user can run NPBackup software with sudo privileges. We create a malicious config file and perform a backup of the “/root” directory to get all the secrets.

Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─# nmap -A 10.10.11.82 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 13:11 CEST
Nmap scan report for 10.10.11.82
Host is up (0.037s latency).
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   307...

Previous Writeup (HackTheBox Medium Machine)

Overview

Previous is a medium Linux machine from HackTheBox. This box takes a lot of patience, enumeration and fuzzing. On the other hand, it has a couple of very interesting vulnerabilities. We start by discovering a Next.js website with an auth bypass vulnerability. We get access to the docs and identify an LFI. We abuse it to fuzz the filesystem and discover a manifest file and ultimately an auth file with SSH credentials. We use those to get access to the machine. Once inside, we find out that we have a specific sudo privilege over Terraform. We create a malicious provider script, trick Terraform into executing it and get the root shell.

Editor Writeup (HackTheBox Easy Machine)

Overview

Editor is an easy Linux machine from HackTheBox. This box mainly relies on good enumeration and research skills. Programming knowledge in Bash and C will also help you a lot. We start by enumerating an XWiki website and discovering a vulnerability which leads to RCE. After the foothold, we find a config file with credentials, which we use to access the machine via SSH. During privilege escalation, we find Netdata’s Ndsudo with SUID set. We modify the PATH variable so Ndsudo executes our malicious executable, elevating our privileges to root.

Outbound Writeup (HackTheBox Easy Machine)

As is common in real-life pentests, you will start the Outbound box with credentials for the following account: tyler / LhKL1o9Nm3X2

Overview

Outbound is an easy Linux machine from HackTheBox. This box depends heavily on enumeration and looking for the slightest bits of information. It also has several cool vulnerabilities. We start by identifying a vulnerable Roundcube Webmail web app, which we exploit to get an initial foothold. We find credentials for a MySQL database and discover some auth secrets. Combining all of the found information, we decrypt a password for a higher-privileged user. During the final privilege escalation, we once again find a vulnerable software version and use a local privilege escalation exploit to get root and ultimately pwn the machine.

Artificial Writeup (HackTheBox Easy Machine)

Overview

Artificial is an easy Linux machine from HackTheBox. As the name implies, this box offers us an opportunity to hack AI models and much more. Firstly, we discover a website where we can upload our AI models. We craft a malicious Python AI model with injected shell code, upload it and get a reverse shell on the machine. During privilege escalation, we find credentials in an old backup file for the internal Backrest backup service. Abusing Restic’s restore function, we can back up arbitrary files to our local machine and get the root flag.

Nmap scan

Starting with the Nmap scan.

┌──(root㉿kali)-[/home/kali]
└─# nmap -A 10.10.11.74 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-25 20:35 CEST
Nmap scan report for artificial.htb (10.10.11.74)
Host is up (0.037s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RS...