
Hacking Articles
A comprehensive source of information on cybersecurity, ethical hacking, penetration testing, and other topics of interest for information security professionals. Authored by Raj Chandel. Chandel's primary interests lie in system exploitation and vulnerability research, but you'll find tools, resources, and tutorials on everything.
2w ago
Background
The Evil-winrm tool was originally written by the Hackplayers team. The purpose of this tool is to make penetration testing as easy as possible, especially in the Microsoft Windows environment. Evil-winrm works with the PowerShell Remoting Protocol (PSRP). System and network administrators often use the Windows Remote Management protocol to upload and edit files. WinRM is a SOAP-based, firewall-friendly protocol that works with HTTP transport over the default HTTP port 5985. For more information about PowerShell remoting, consider visiting Microsoft’s official site.
https://learn.microsoft.com ...
3w ago
Background
Kerbrute is a tool used to enumerate valid Active Directory user accounts that use Kerberos pre-authentication. This tool can also be used for password attacks such as password bruteforce, username enumeration, password spray, etc. It has been used for many years by penetration testers during internal penetration testing engagements. The tool was originally written by Ronnie Flathers (ropnop) with contributor Alex Flores.
Table of Content
Introduction to Kerberos authentication
Download Kerbrute
Kerbrute help – List available features
Find valid users / User enumeration
Kerb ...
1M ago
Summary
Antique is a Linux machine and is considered an easy box by Hack The Box. On this box, we will begin with a basic port scan and move laterally based on the findings. Then we will enumerate the telnet service and hunt for vulnerabilities present in a particular version. Later, we will exploit a password disclosure vulnerability and obtain plaintext passwords. Then we will be tasked to gain root access, where we will need to perform port forwarding; then we will read sensitive files by exploiting the file read vulnerability present in CUPS version 1.6.1. In addition, we will be exploit ...
1M ago
Summary
Nunchucks is a Linux machine and is considered an easy box by Hack The Box. On this box, we will begin with a basic port scan and move laterally based on the findings. Then we will enumerate HTTP services and hunt for vulnerabilities present on the web page. Later, we will exploit a server-side template injection (SSTI) vulnerability to gain an initial foothold in the target system. Then we will exploit Perl capabilities to gain a root shell.
Table of content
Initial Access
Nmap TCP Port Scan
Web Page Enumeration
Directory Bruteforce
Vulnerability Assessment
Server-Side Templa ...
1M ago
Summary
Late is a Linux machine and is considered an easy box by Hack The Box. On this box, we will begin with a basic port scan and move laterally based on the findings. Then we will enumerate HTTP services and hunt for vulnerabilities present on the web page. Later, we will exploit a server-side template injection (SSTI) vulnerability to gain an initial foothold in the target system. Then we will be tasked to gain root access, which we will do by abusing file ownership and a cron job.
Table of Content
Initial Access
Nmap TCP Port Scan
Web Page Enumeration
Vulnerability Asses ...
1M ago
Summary
Backdoor is a Linux machine and is considered an easy box by Hack The Box. On this box, we will begin with a basic port scan and move laterally. Then we will enumerate the WordPress webpage. Then we will do a vulnerability assessment and exploit a directory traversal vulnerability. From the running process, we will exploit the GDB server and gain an initial foothold in the target system. Then we will be tasked to gain root access, where we will exploit the SUID bit set on screen.
Table of Content
Initial Access
Nmap TCP Port Scan
Web Page Enumeration
Searching For the WordPress eB ...
1M ago
Background:
The Windows Server operating system uses two types of security principals for authentication and authorization: user accounts and computer accounts. These accounts are created to represent physical entities, such as people or computers, and can be used to assign permissions to access resources or perform specific tasks. Additionally, security groups are created to include user accounts, computer accounts, and other groups, in order to make it easier to manage permissions. The system comes pre-configured with certain built-in accounts and security groups, which are equipped with the ...
1M ago
Summary
GoodGames is a Linux machine and is considered an easy box, but it was tricky indeed. On this box, we will begin with a basic port scan and move laterally. Then we will enumerate the domain name and subdomains. Then we will exploit a SQL injection vulnerability using Burp and sqlmap. Exploitation of the server-side template injection (SSTI) will give us an initial foothold on the target machine. Then we will be tasked to gain root access, which we will do by taking advantage of the special permissions and ownerships both on the server and in Docker. A successful binary abuse will g ...
1M ago
Introduction
Driver is an easy-rated Windows box on the HackTheBox platform. It is designed to teach initial exploitation using an SCF file and further local privilege escalation using PrintNightmare (a printer driver vulnerability). The box covers the fundamentals of enumeration and emphasizes attention to detail while pentesting.
Table of Content
Initial Access
Enumeration using Nmap and other tools
Compromising low-priv hash using SCF file
Evil-WinRM to access low-priv account
User Flag
Privilege Escalation
Abusing printer driver vulnerability
Root flag
Let’s deep dive into thi ...
3M ago
Return is a Windows machine on HTB and is rated as easy; this box is built around a Windows host with weak service permissions. In summary, we will abuse a printer admin portal to get hardcoded credentials through netcat and use them for WinRM login. The printer service account is a member of the Server Operators group, which allows one to stop and start some services. Thus, we exploited weakly configured services to execute our malicious exe file by abusing the Server Operators’ permission.
Table of content
Initial Access
Enumeration
Credential Dumping
WinRM Valid Account
User Flag
Privilege ...