
A personal blog for anything cybersecurity, mostly HackTheBox and CTF writeups.

Future Router - UMassCTF 2024 Writeup

A web category challenge which involves chaining an arbitrary file read vulnerability in a cURL utility with a command injection vulnerability on a WebSocket-based customer service agent.

Posted on Mon, Apr 22, 2024 UMassCTF'24 Web Application Command Injection

Flight - HackTheBox Writeup (10.10.11.187)

Hard-difficulty Windows machine that covers forced NTLM authentication techniques through Remote File Inclusion and SCF file attacks. Lots of pivoting between service accounts and user accounts using web shells. Privilege escalation by abusing SeImpersonatePrivilege to perform token impersonation.

RedPanda - HackTheBox Writeup (10.10.11.170)

Easy-difficulty Linux box on exploiting a server-side template injection vulnerability in a Spring Boot web application, then a not-so-easy privilege escalation involving an XML external entity injection vulnerability in a custom Java view counter program.

DFIR Investigation - DownUnderCTF 2022 Writeup

A digital forensics and incident response challenge on deobfuscating a C2 persistence PowerShell stager, using ActivitiesCache.db to reveal past user activities, and recovering resident data from the NTFS Master File Table.

Timelapse - HackTheBox Writeup (10.10.11.152)

Easy-difficulty Windows machine with a focus on Active Directory LDAP and SMB enumeration. Privilege escalation by recovering service account credentials in PowerShell history logs, then dumping LAPS passwords from the service account.

Posted on Sun, Jul 17, 2022 Easy Windows Active Directory SMB LAPS

Horizontall - HackTheBox Writeup (10.10.11.105)

Easy-difficulty Linux box on exploiting CVE-2019-19609 on Strapi and CVE-2021-3129 on Laravel. A good refresher on reverse tunnelling with Chisel and subdomain enumeration techniques.

Posted on Sat, Jan 29, 2022 Easy Linux Web Application Strapi Laravel

Vault - IJCTF 2021 Writeup

A forensics category challenge on recovering TLS session keys from a packet capture, and decrypting TLS traffic tunnelled over ICMP (ping) through a SOCKS proxy, then recovering files from partial HTTP/2 requests.

Posted on Sun, Jul 25, 2021 IJCTF 2021 Forensics Network Analysis

Ophiuchi - HackTheBox Writeup (10.10.10.227)

Medium-difficulty Linux box on exploiting an insecure deserialisation vulnerability in a Java web application that parses YAML with SnakeYAML. Privilege escalation by reverse-engineering and forging a deploy-ready WebAssembly binary to exploit a command injection vulnerability in the deploy script.

Spectra - HackTheBox Writeup (10.10.10.229)

Easy-difficulty ChromeOS box with a focus on password reuse on WordPress. Privilege escalation by leveraging sudo rights on initctl to create a new malicious service and gain root access.

Posted on Mon, Jul 5, 2021 Easy Linux WordPress Password Reuse SUID Binary

Tenet - HackTheBox Writeup (10.10.10.223)

Medium-difficulty Linux box about exploiting insecure deserialisation vulnerabilities in a PHP data migration program under development. Privilege escalation by exploiting a race condition in a Bash script that backs up SSH keys.

ScriptKiddie - HackTheBox Writeup (10.10.10.226)

Easy-difficulty Linux box on exploiting CVE-2020-7384 APK template vulnerability in MSFvenom. Privilege escalation by exploiting a command injection vulnerability in a Bash script, then pivoting to a privileged user with sudo rights on msfconsole.

Posted on Sun, Jun 13, 2021 Easy Linux Web Application MSFvenom Command Injection

Delivery - HackTheBox Writeup (10.10.10.222)

Easy-difficulty Linux box demonstrating a clever enumeration technique of leveraging the ticketing system to obtain a temporary email address under the victim's domain. Privilege escalation by dumping the password hash from MySQL and cracking it with mutation rules.

Posted on Wed, Jun 2, 2021 Easy Linux Web Application Mattermost MySQL

Ready - HackTheBox Writeup (10.10.10.220)

Medium-difficulty Linux box on exploiting CVE-2018-19571 (SSRF), CVE-2018-19585 (CRLF) vulnerabilities in GitLab 11.4.7 CE. Privilege escalation by abusing the notify_on_release feature in cgroups to escape the privileged Docker container.

Posted on Wed, May 19, 2021 Medium Linux Web Application GitLab Docker

Sharp - HackTheBox Writeup (10.10.10.219)

Hard-difficulty Windows box with a focus on reverse engineering C# applications and enumerating SMB shares. Foothold gained by reversing the encryption in a Kanban application. Privilege escalation by abusing WCF server and client applications ported from .NET remoting.

Posted on Mon, May 10, 2021 Hard Windows Reversing SMB .NET Remoting

Bucket - HackTheBox Writeup (10.10.10.212)

Medium-difficulty Linux box all about exploiting improperly configured Amazon S3 buckets. Privilege escalation by extracting credentials from DynamoDB and leveraging arbitrary file read through PD4ML, an HTML-to-PDF tool.

Posted on Sun, May 2, 2021 Medium Linux Amazon DynamoDB Amazon S3 Pd4Cmd

Laboratory - HackTheBox Writeup (10.10.10.216)

Easy-difficulty Linux box with a focus on exploiting local file inclusion and insecure deserialisation vulnerabilities in GitLab 12.8.1. Privilege escalation by escaping the Docker container and abusing a SUID binary with a PATH hijacking attack.

Posted on Sun, Apr 18, 2021 Easy Linux GitLab Docker PATH Hijacking

Time - HackTheBox Writeup (10.10.10.214)

Medium-difficulty Linux box on exploiting the insecure deserialisation vulnerability CVE-2019-12384 in Jackson (a polymorphic typing issue that leads to remote code execution), then leveraging a privileged shell script to gain root.

Posted on Sun, Apr 11, 2021 Medium Linux Web Application Jackson Command Injection

Chicken - UMassCTF '21 Writeup

Chicken Chicken Chicken: Chicken Chicken? A forensics category challenge all about extracting hidden streams in a PDF file and 7-Zip password cracking.

Posted on Mon, Mar 29, 2021 UMassCTF'21 Forensics Password Cracking

Heim - UMassCTF '21 Writeup

Only those who BEARER a token may enter! A web exploitation category challenge on intercepting and forging JSON Web Tokens from a debugging endpoint to bypass Bearer authentication.

Posted on Mon, Mar 29, 2021 UMassCTF'21 Web Application Bearer Authentication

Reel2 - HackTheBox Writeup (10.10.10.210)

Hard-difficulty Windows box with a focus on password spraying attacks and NetNTLMv2 hash phishing on Outlook. Privilege escalation by abusing an insecure Powershell JEA cmdlet with symbolic links, while bypassing PS constrained language mode.

Passage - HackTheBox Writeup (10.10.10.206)

Medium-difficulty Linux box on exploiting CuteNews 2.1.2 CVE-2019-11447 and abusing Ubuntu's USBCreator D-Bus service to gain arbitrary file write as root.

Posted on Sat, Mar 13, 2021 Medium Linux Web Application CuteNews USBCreator

Academy - HackTheBox Writeup (10.10.10.215)

Easy-difficulty Linux box about exploiting Laravel CVE-2018-15133 and privilege escalation with Composer.

Posted on Wed, Mar 3, 2021 Easy Linux Web Application Laravel Composer

Feline - HackTheBox Writeup (10.10.10.205)

Hard-difficulty Linux box on exploiting Apache Tomcat CVE-2020-9484 and abusing docker.sock exposure.

Doctor - HackTheBox Writeup (10.10.10.209)

A not-so-easy Linux box about advanced URL command injection and exploiting Splunk Universal Forwarder to gain root and persistence.

Worker - HackTheBox Writeup (10.10.10.203)

Medium-difficulty Windows box with a focus on exploiting Azure DevOps environment.

Posted on Wed, Feb 3, 2021 Medium Windows Web Application SVN Azure DevOps