D23R Cybersecurity Blog
Traverxec Walkthrough - HTB Easy | Nostromo RCE & Journalctl Privilege Escalation

Complete walkthrough of Traverxec from Hack The Box. An easy Linux machine running nostromo 1.9.6, which is vulnerable to CVE-2019-16278 (unauthenticated remote code execution). After gaining initial access, enumeration reveals an encrypted SSH private key backup in the public_www directory. The key's passphrase is cracked offline to gain user access. Privilege escalation comes from a sudo rule allowing journalctl: when its output exceeds the terminal, journalctl pipes it through less, and less's `!` shell escape then runs commands as root.

Sauna Walkthrough - HTB Easy | AS-REP Roasting & AutoLogon Credential Discovery

Complete walkthrough of Sauna from Hack The Box. An easy Windows machine that features Active Directory enumeration and exploitation. Candidate usernames are derived from the employee full names listed on the website. With these usernames, an AS-REP Roasting attack yields the AS-REP hash of an account that does not require Kerberos pre-authentication. Cracking this hash offline recovers the plaintext password of a user who is allowed to WinRM to the box. Running WinPEAS reveals that another user has been configured for AutoLogon, and it recovers that user's password from the registry. This second user also has Windows Remote Management permissions. BloodHound shows that this user holds the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing the attack returns the NTLM hash of the domain Administrator, which is passed to Impacket's psexec.py to obtain a shell as NT AUTHORITY\SYSTEM.

Forest Walkthrough - HTB Easy | AS-REP Roasting & DCSync via Exchange Permissions

Complete walkthrough of Forest from Hack The Box. An easy Windows machine built around a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. A service account has Kerberos pre-authentication disabled, so its AS-REP hash can be requested and cracked to gain a foothold. The service account turns out to be a member of the Account Operators group, which can add users to the privileged Exchange groups. That Exchange group membership is leveraged to grant DCSync rights on the domain and dump every NTLM hash, compromising the system.

Precious Walkthrough - HTB Easy | PDFKit Command Injection & YAML Deserialization

Complete walkthrough of Precious from Hack The Box. An easy Linux machine that focuses on the Ruby language. It hosts a custom Ruby web application using an outdated library, pdfkit, which is vulnerable to CVE-2022-25765 (command injection through the URL passed to the converter), leading to an initial shell on the target. After pivoting with plaintext credentials found in a Gem repository config file, the box concludes with an insecure YAML deserialization attack against a custom, outdated Ruby script that loads untrusted input.
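The two Ruby bug classes named in the Precious summary, shown side by side as an added illustration (this is not code from the box, the walkthrough, or the pdfkit project, and it does not reproduce the machine's actual gadget or script). `echo` stands in for the real converter binary so the command-injection half runs anywhere; `Greeting`, the URL and the YAML document are constructed inputs:

```ruby
require 'open3'
require 'yaml'

# --- 1. Command injection via shell string interpolation -------------------
# The vulnerable pattern behind pdfkit-style bugs: attacker-controlled input
# is spliced into a command string that is handed to /bin/sh.  `echo` is a
# stand-in for the real converter binary.

# Constructed input: a URL carrying a $(...) command substitution.
TAINTED_URL = 'http://example.invalid/$(echo INJECTED)'

def render_vulnerable(url)
  # A single command string makes Open3 go through the shell, so $(...) runs.
  out, _status = Open3.capture2("echo #{url}")
  out.strip
end

def render_hardened(url)
  # An argument vector bypasses the shell; the URL is one verbatim argv entry.
  out, _status = Open3.capture2('echo', url)
  out.strip
end

# --- 2. YAML deserialization ------------------------------------------------
# A constructed class standing in for whatever is reachable in the target
# process.  Psych's `!ruby/object:` tag tells a permissive loader to allocate
# that class and populate its instance variables from the mapping.
class Greeting
  attr_accessor :text
end

# Constructed payload: attacker-supplied YAML that names a Ruby class.
TAINTED_YAML = "--- !ruby/object:Greeting\ntext: hello from yaml\n"

def load_unsafe(doc)
  # Psych >= 4 made YAML.load safe by default and moved the old behaviour to
  # unsafe_load; older Psych only has the permissive load.
  Psych.respond_to?(:unsafe_load) ? Psych.unsafe_load(doc) : Psych.load(doc)
end

def load_safe(doc)
  # safe_load builds only core types; a tagged Ruby class raises
  # Psych::DisallowedClass instead of being instantiated.
  YAML.safe_load(doc)
end

def load_allowlisted(doc)
  # When a custom object is genuinely needed, name it explicitly rather than
  # falling back to the permissive loader.
  YAML.safe_load(doc, permitted_classes: [Greeting])
end
```

`render_vulnerable` returns `http://example.invalid/INJECTED` because the shell expanded the substitution, while `render_hardened` returns the URL untouched; `load_unsafe` hands back a live `Greeting`, `load_safe` refuses it, and `load_allowlisted` shows the narrow exception you would make deliberately.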