Latest posts
Search
Search is a hard difficulty Windows box. Initial access begins with credentials exposed in a website image, which are used to Kerberoast the web_svc user. We then pivot through password reuse, remove protection from an .xlsx file, and crack client certificates to get access to a shell. We recover a gMSA password, leading to domain admin privileges.
Help
Help is an easy-level machine that offers two paths to exploitation. The first leverages an arbitrary file upload vulnerability, while the second uses an authenticated SQL injection to gain access to a user account. We escalate privileges by exploiting an outdated Linux kernel.
Active
Active is an easy difficulty box. We enumerate SMB shares using null authentication to locate a Groups.xml file. This file contains Group Policy Preferences (GPP) credentials, which we leverage to perform a Kerberoasting attack.
Remote
Remote is an easy difficulty box. We crack the hash from the config file hosted on the NFS share. We exploit vulnerabilities in Umbraco CMS and TeamViewer. We find an encrypted password in the registry and write a Python script to decrypt it, gaining access to an Administrator’s account.
Forest
Forest is an easy difficulty box, although rated medium by the majority of HackTheBox players. Forest focuses on Active Directory penetration testing. We gain access to a domain controller that is vulnerable to enumeration over RPC, attacks on Kerberos using AS-REP Roasting, ACL abuse, and a DCSync attack.