htb-faculty ctf hackthebox nmap php feroxbuster sqli sqli-bypass auth-bypass sqlmap mpdf cyberchef burp burp-repeater file-read password-reuse credentials meta-git command-injection gdb ptrace capabilities python msfvenom shellcode

Faculty starts with a very buggy school management web application. I’ll abuse SQL injection to bypass authentication, and then an mPDF vulnerability to read files from disk. I’ll find a password for the database connection in the web files that is also used for a user account on the box. Next I’ll abuse meta-git to get a shell as the next user. The final user has access to the GNU debugger with ptrace capabilities. This allows me to connect to any process on the box and inject shellcode, getting execution in the context of that process. I’ll abuse a process running as root to get root access.

htb-trick ctf hackthebox nmap smtp smtp-user-enum zone-transfer vhosts wfuzz feroxbuster employee-management-system sqli sqli-bypass cve-2022-28468 boolean-based-sqli sqlmap file-read lfi directory-traversal mail-poisoning log-poisoning burp burp-repeater fail2ban htb-admirertoo

Trick starts with some enumeration to find a virtual host. There’s an SQL injection that allows bypassing the authentication, and reading files from the system. That file read leads to another subdomain, which has a file include. I’ll show how to use that LFI to get execution via mail poisoning, log poisoning, and just reading an SSH key. To escalate to root, I’ll abuse fail2ban.

htb-moderators hackthebox ctf nmap feroxbuster wfuzz fuzz crackstation filter burp burp-repeater upload webshell php-disable-functions wordpress wordpress-brandfolder wordpress-passwords-manager wordpress-plugin source-code crypto virtualbox virtualbox-encryption pyvboxdie-cracker hashcat luks chisel

Moderators was a long box with a bunch of web enumerations, some source code analysis, and cracking multiple passwords for a VM. I’ll start by enumerating a website to eventually find a file upload page, where I’ll bypass filters to get a webshell. With a shell, I’ll access an internal WordPress site exploiting the Brandfolder plugin to pivot to the next user. From there, with access to the WordPress config, I’ll get the MySQL password which gives access to secrets stored via another WordPress plugin. I’ll have to look at the source for that plugin to figure out how to decrypt the information and get another user’s SSH key. Finally, I’ll find a VirtualBox VM, and break through both VirtualBox encryption and LUKS to find a password that gets root access.