Supasuge's Blog

Aspiring Information Technology/Cybersecurity Professional


Board Light - HackTheBox Writeup (Easy)

Machine Summary: In this Hack The Box machine, I start off with basic Nmap enumeration, then move on to directory enumeration and vhost enumeration using gobuster and ffuf. From there, we find an endpoint running Dolibarr v17.0.0 that is vulnerable to CVE-2023-30253. We are able to leverage this to get a reverse shell on the machine and establish an initial foothold. From there, we find a password for the user larissa and are able to use these credentials to log in via SSH.


L3AK CTF - Crypto On The Rocks

Crypto on the Rocks Writeup. Challenge Author: supasuge. Difficulty: Hard. Table of Contents: Introduction, Challenge Source Code, Solution Source Code, Challenge Overview, Technical Details, ECDSA Signature Scheme, Challenge Implementation, Vulnerability, Lattice Attack: Exploiting the Bias, Solution Script Steps, Explanation of Lattice Construction, Conclusion, Sources. This challenge was initially inspired by the recent PuTTY vulnerability, CVE-2024-31497: within PuTTY, when utilizing the NIST P-521 elliptic curve, the implementation generates nonces with the first 9 bits set to zero.


L3AK CTF - Pickled crypto vault

Pickles and Crypto Vault. Difficulty: Easy. Category: Web. Resources: exploit-notes.hdks - Python Pickle RCE; Pickle deserialization RCE explanation. Description: Pickles and crypto? What a concept. This challenge involves a Flask RESTful web application with endpoints for user registration, login, key upload, and decryption/encryption. The application uses JWT for authentication, RSA for encryption/decryption of user-supplied data, and AES-256-CBC for database security, using a SHA256 hash of the user's password as the AES key for RSA keys stored in memory.


How to setup Secure Boot on Arch Linux

Incomplete post… Full writeup coming soon.

Resources:
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
https://man.archlinux.org/man/extra/sbctl/sbctl.8.en
https://wiki.archlinux.org/title/User:Krin/Secure_Boot,_full_disk_encryption,_and_TPM2_unlocking_install
https://github.com/Ataraxxia/secure-arch/blob/main/00_basic_system_installation.md
https://wiki.archlinux.org/title/Dracut

0day - TryHackMe Writeup

0day is a Medium difficulty room from TryHackMe. I start off with a bit of enumeration before coming across a .cgi file on a particular endpoint that was vulnerable to Shellshock. Once I used Shellshock to get a foothold as www-data, I was able to perform further enumeration of the host. Due to the old Ubuntu version, I was then able to leverage CVE-2015-1328 to escalate my privileges to root.


Antique - HTB Writeup

Enumeration: Starting off, I ran an Nmap TCP scan on all ports. The only open port from this was 23 (Telnet), so I then decided to try a UDP scan (-sU), in which port 161 (SNMP) was found. From here, I went ahead and connected to port 23 using telnet. HP JetDirect was the live service on this port, so I am going to go ahead and search Google for any exploits for HP JetDirect.


Bizness - HTB Writeup

Bizness is an Easy Linux machine initially released on January 6th, 2024. As usual, I start with basic enumeration using Nmap, and from there use dirsearch for directory enumeration. From directory enumeration we find a login page running Apache OFBiz. This version of Apache OFBiz is vulnerable to an authentication bypass vulnerability, CVE-2023-51497. From here, using a public PoC script found on GitHub, we are able to leverage CVE-2023-49070 to get remote code execution and a shell on the machine as the ofbiz user.


Breaking RSA - TryHackMe Writeup

TryHackMe - Breaking RSA. This room presents an exercise in which a public RSA SSH key is given to you; the goal is to successfully recover the private key and then use it to authenticate via SSH. I began with Nmap scanning, and after a bit of web directory enumeration, we find an RSA public key SSH entry. We then download this public key, extract n (the public modulus) and e (the public exponent), and attempt to factor n into its prime factors p and q.


Builder - HTB Writeup

This post is a writeup for the Medium difficulty Hack The Box machine Builder. In this lab, we leverage CVE-2024-23897, a Local File Inclusion vulnerability, to gather credentials for the user jennifer. After logging into the Jenkins instance, we use Jennifer's account privileges to manually reset the root user's password, which then allows us to view and edit the SSH key information. From there, we use the SSH key to easily log into the machine and get the root flag!


Devvortex - HTB Writeup

In this post, I go over the path I took towards getting root on the Hack The Box machine Devvortex (Easy). As usual, we start out with an Nmap port scan, where we discover a Joomla site hosted on port 80. After finding the version of Joomla being used and looking for public exploits, I leverage CVE-2023-23752 (Unauthenticated Information Disclosure) to get credentials to log in as the user lewis. From here, we are able to edit templates on the site and add a PHP reverse shell to get a foothold on the machine as www-data.
