Administrator

Summary
- Use netexec to find we have PSRemote permissions on the box
- Run BloodHound via evil-winrm
- Abuse GenericAll permissions on Michael
- Abuse ForceChangePassword on Benjamin
- Find the pwsafe vault in FTP
- Crack the vault and find Emily's password
- Abuse targeted Kerberoasting to get Ethan's hash
- Crack Ethan's hash
- Perform the DCSync attack
USER
Initial Enumeration
This machine is a bit different from other HTB machines: we receive some information at the beginning and start the box with a username and password. olivia / ichliebedich are the valid credentials we start with.
This looks like an assumed-breach scenario. Cool!
EscapeTwo

Note: Machine Information As is common in real life Windows pentests, you will start this box with credentials for the following account: rose / KxEPkKe6R8su
Summary
- Found a juicy file in an SMB share
- Extracted passwords from the unzipped xlsx file
- Reverse shell as sql_svc using MSSQL and xp_cmdshell
- Password spray to find credential reuse
- WriteOwner abuse using impacket
- ADCS-ESC4 using certipy
Initial Enumeration
Port scanning
As always I start off with a port scan: first a full port scan, followed by a detailed targeted port scan.
Certified

Note: As is common in Windows pentests, you will start the Certified box with credentials for the following account: Username: judith.mader Password: judith09
Summary
- AD enumeration using netexec and bloodhound
- Abuse WriteOwner permissions to become a member of the Management group
- Shadow Credential attack to get the hash for management_svc
- Lateral movement to CA_Operator by changing its password
- ADCS-ESC9 to become Administrator
Initial Enumeration
As usual I start with a simple full port scan followed by a more detailed targeted port scan.
Chemistry

Summary
- Find a vulnerable file upload and exploit it
- Find a database file and crack the password
- SSH in and find a hidden web service
- Tunnel the hidden web service and exploit the vulnerable aiohttp component
- LFI to root.txt
Initial Enumeration
As always I start off with a simple full port scan followed by a more detailed targeted port scan.
#all ports
nmap -p- chemistry.htb
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
5000/tcp open upnp syn-ack ttl 63
#detailed portscan
nmap -p22,5000 -sCV chemistry.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b6:fc:20:ae:9d:1d:45:1d:0b:ce:d9:d0:20:f2:6f:dc (RSA)
| 256 f1:ae:1c:3e:1d:ea:55:44:6c:2f:f2:56:8d:62:3c:2b (ECDSA)
|_ 256 94:42:1b:78:f2:51:87:07:3e:97:26:c9:a2:5c:0a:26 (ED25519)
5000/tcp open upnp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.3 Python/3.9.5
| Date: Fri, 03 Jan 2025 14:07:17 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 719
| Vary: Cookie
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <title>Chemistry - Home</title>
| <link rel="stylesheet" href="/static/styles.css">
| </head>
| <body>
| <div class="container">
| class="title">Chemistry CIF Analyzer</h1>
| <p>Welcome to the Chemistry CIF Analyzer. This tool allows you to upload a CIF (Crystallographic Information File) and analyze the structural data contained within.</p>
| <div class="buttons">
| <center><a href="/login" class="btn">Login</a>
| href="/register" class="btn">Register</a></center>
| </div>
| </div>
| </body>
| RTSPRequest:
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
| "http://www.w3.org/TR/html4/strict.dtd">
| <html>
| <head>
| <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
| <title>Error response</title>
| </head>
| <body>
| <h1>Error response</h1>
| <p>Error code: 400</p>
| <p>Message: Bad request version ('RTSP/1.0').</p>
| <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
| </body>
|_ </html>
This box is not exposing a lot. I can see SSH, probably for management reasons, and HTTP running on port 5000, which is remarkable. The Python Flask framework is using port 5000 in debug mode. Let's look into it.
Cicada

Summary
- Use anonymous sessions to find a txt file in the HR share
- Use RID brute-forcing to find usernames
- Password spray the found password against the discovered users to find valid credentials
- Read AD user info using rpcclient and find a new password
- WinRM into the box with the new credentials (user)
- Abuse SeBackupPrivilege to escalate to Administrator (root)
Initial Enumeration
As always I start with a port scan using nmap to find running services.
First I find all open ports using a simple port scan: