HTB Write-ups

           

Last update: Mailroom

🐧*nix

Box	Difficulty	Writeup	Foothold	Privesc
	$\textcolor{orange}{\textsf{Medium}}$	Agile	LFI	Chrome Debug Mode AND Sudoedit CVE-2023-22809
	$\textcolor{green}{\textsf{Easy}}$	armageddon	Drupal property injection: Drupalgeddon 2	snap install with sudo
	$\textcolor{green}{\textsf{Easy}}$	Backdoor	WP-Plugin:eBook Download 1.1 - LFI/RFI And identifying services with /proc And GDBserver Remote Payload Execution	suid: screen
	$\textcolor{orange}{\textsf{Medium}}$	Bagel	LFI And Reversing DLL And DotNET Object Deserialization	dotnet with sudo
	$\textcolor{green}{\textsf{Easy}}$	BountyHunter	xxe	python script logic
	$\textcolor{green}{\textsf{Easy}}$	Busqueda	Command Injection	Docker inspect config dump
	$\textcolor{green}{\textsf{Easy}}$	Cap	Parameter Manipulation And PCAP file analysis	python with setuid capability
	$\textcolor{yellow}{\textsf{INSANE}}$ ⚠️	CrossFitTwo	Websocket And SQL injection: blind/Union And DNS Hijacking And CSRF	Node module hijack And Yubikey
	$\textcolor{red}{\textsf{Hard}}$	Developer	Reverse tab-nabbing And Django Deserialization	Postgresql Enumeration
	$\textcolor{orange}{\textsf{Medium}}$	Devzat	Command Injection	InfluxDB authentication bypass vulnerability And lfi
	$\textcolor{orange}{\textsf{Medium}}$	Dynstr	ISC BIND DNSserver And Command Injection in Bind API	DNS pointer record(PTR) And Wildcard in cp Command
	$\textcolor{orange}{\textsf{Medium}}$	encoding	LFI and SSRF and PHP filter chain and Git hooks	systemctl with sudo
	$\textcolor{orange}{\textsf{Medium}}$	Faculty	LFI	Command Injection and gdb attach
	$\textcolor{orange}{\textsf{Medium}}$	Forge	SSRF	Python pdb Module
	$\textcolor{orange}{\textsf{Medium}}$	GoodGames	SQLi And SSTI	Docker escape: Password Reuse And Host mount inside docker
	$\textcolor{green}{\textsf{Easy}}$	Horizontall	Improper Access Control And Command Injection	Laravel <8.4.2 RCE
	$\textcolor{green}{\textsf{Easy}}$	Inject	Path Traversal in apache maven webApp AND CVE-2022-22963	ansible-playbook
	$\textcolor{orange}{\textsf{Medium}}$	Interface	API fuzzing AND dompdf CVE-2022-28368	Shell Arithmetic Expansion Command Injection
	$\textcolor{orange}{\textsf{Medium}}$	Investigation	Exiftool CVE-2022-23935 And Windows Event Log	Reversing C binary
	$\textcolor{green}{\textsf{Easy}}$	Knife	backdoor php Version	knife with sudo
	$\textcolor{red}{\textsf{Hard}}$	Mailroom	Blind XSS AND NoSQL injection AND Command Injection	Watch feature process and strace AND Open keepass database
	$\textcolor{green}{\textsf{Easy}}$	Meta	exiftool CVE-2021-22204	ImageMagick PDF-parsing flaw And sudo neofetch with XDG_CONFIG_HOME
	$\textcolor{green}{\textsf{Easy}}$	MetaTwo	WP-Plugin SQLi CVE-2022-0739 And WP XXE CVE-2021-29447	passpie cracking with john
	$\textcolor{red}{\textsf{Hard}}$	Monitors	wp-plugin "Spritz" LFI And "cacti" SQLi Stacked Queries to RCE	Socat Portforwarding And "ofbiz" Deserialization RCE And Container with SYS_MODULE Capability
	$\textcolor{green}{\textsf{Easy}}$	MonitorsTwo	Cacti Unauthenticated RCE CVE-2022-46169	Docker overlay FS
	$\textcolor{orange}{\textsf{Medium}}$	Onlyforyou	Directory Traversal AND Command Injection AND neo4j Cypher Injection	pip3 as root
	$\textcolor{orange}{\textsf{Medium}}$	ophiuchi	SnakeYAML Deserilization	wasm reversing
	$\textcolor{green}{\textsf{Easy}}$	Pandora	enumerating SNMP And Pandora FMS - SQLi and file upload	setresuid() Restriction Bypass
	$\textcolor{red}{\textsf{Hard}}$	Pikaboo	URL parser logic in nginx server And lfi to RCE via ftp log	Perl jam: Command Injection
	$\textcolor{orange}{\textsf{Medium}}$	Pit	SNMP Enumeration And Login Form Bruteforce with hydra And SeedDMS RCE	Access control list(ACL) And SNMP Extend Command
	$\textcolor{red}{\textsf{Hard}}$	Pollution	Burp history logs And out-of-band XXE to exfiltrate data And redis php session manipulation And PHP filter chain	php-fpm RCE And lodash merge prototype pollution
	$\textcolor{green}{\textsf{Easy}}$	Precious	pdfkit CVE-2022-25765	Ruby YAML deserialization
	$\textcolor{green}{\textsf{Easy}}$	Previse	Blind Command Injection	Absolute Path Injection
	$\textcolor{orange}{\textsf{Medium}}$	Ready	gitlab <11.4.8 SSRF via IPv6 And redis server RCE	docker container with --privileged
	$\textcolor{green}{\textsf{Easy}}$	RouterSpace	Android app dynamic analysis	Sudoedit
	$\textcolor{orange}{\textsf{Medium}}$	Schooled	Moodle LMS Enumeration And XSS in "Moodle" And Privilege Escalation in "Moodle" And Moodle Admin RCE	pkg with sudo
	$\textcolor{green}{\textsf{Easy}}$	scriptKiddie	command injection	msfconsole with sudo
	$\textcolor{orange}{\textsf{Medium}}$	Seal	URL Parser Logic in Apache server	ansible-playbook Command with sudo
	$\textcolor{green}{\textsf{Easy}}$	Secret	Webapp source code review And Command injection	Core Dump
	$\textcolor{orange}{\textsf{Medium}}$	Shibboleth	ipmi And zabbix	mysql 'wsrep_provider' OS Command Execution
	$\textcolor{yellow}{\textsf{INSANE}}$ ⚠️	Sink	http Request Smuggling	AWS secretsmanager And AWS kms decrypt
	$\textcolor{green}{\textsf{Easy}}$	Soccer	Blind SQLi over websocket	dstat with doas
	$\textcolor{orange}{\textsf{Medium}}$	Socket	Python byte-codes de-compile AND Websocket SQLi using SQLMAP	pyInstaller file read
	$\textcolor{green}{\textsf{Easy}}$	Spectra	wpadmin reverse shell	initctl with sudo
	$\textcolor{red}{\textsf{Hard}}$	Spider	SSTI And SQLi in auth token And Blind restricted SSTI	XXE to inject payload in auth token
	$\textcolor{green}{\textsf{Easy}}$	Stocker	NoSQLi with JSON And PDF XSS	Nodejs with sudo
	$\textcolor{red}{\textsf{Hard}}$	Tentacle	DNS Enumeration And squid proxy And ffuf with multi-proxy And OpenSMTPD RCE	ssh with kerberos token And k5login And kadmin
	$\textcolor{orange}{\textsf{Medium}}$	theNotebook	jwt bypass	Breaking Docker via runC
	$\textcolor{orange}{\textsf{Medium}}$	Timing	LFI And Admin role impersonate And File upload RCE	wget and axel rc files
	$\textcolor{green}{\textsf{Easy}}$	Trick	LFI	fail2ban Misconfiguration
	$\textcolor{orange}{\textsf{Medium}}$	Unicode	JWT jku bypass And lfi	Python byte-codes decompile And Command injection
	$\textcolor{red}{\textsf{Hard}}$	Unobtainium	reversing Electron application deb package And Prototype Pollution And Command injection	Kubernetes And Kubectl And kubernetes admin
	$\textcolor{orange}{\textsf{Medium}}$	Writer	UNION sqli TO file read And RCE using SSRF with smb And Unintended: Command Injection via filename	postfix automate scripts And Invoke command with apt Configs

Windows

Box	Difficulty	Writeup	Foothold	Privesc
	$\textcolor{orange}{\textsf{Medium}}$	Atom	Electron-Updater RCE	Kanban credentials Encryption Flaw
	$\textcolor{red}{\textsf{Hard}}$	Breadcrumbs	LFI And File upload to RCE	Stickynotes backups And sql injection: union
	$\textcolor{orange}{\textsf{Medium}}$	Intelligence	Enumeration And NTLM Relay Attack	BloodHound And Reading GMSA Password And Silver ticket Attack
	$\textcolor{green}{\textsf{Easy}}$	Love	File upload to RCE	abusing AlwaysInstallElevated policy
	$\textcolor{red}{\textsf{Hard}}$	Proper	sql injection: blind And RFI via SMB And Race condition with inotify	-
	$\textcolor{green}{\textsf{Easy}}$	Timelapse

Android

Box	Difficulty	Writeup	Foothold	Privesc
	$\textcolor{green}{\textsf{Easy}}$	Explore	ES Explorer CVE-2019–6447	adb Root

Old WriteUPs

Box	Difficulty	Writeup
	Easy	Academy
	Easy	Admirer
	Easy	Blunder
	Medium	Bucket
	Medium	Cache
	Hard	Compromised
	Easy	Delivery
	Easy	Doctor
	Hard	Feline
	Medium	Jewel
	Easy	Laboratory
	Easy	Luanne
	Medium	OpenKeyS
	Medium	passage
	Easy	Tabby
	Medium	Tenet
	Medium	Time
	Hard	Unbalanced