Era (Linux Hard)
This Linux Hard box focuses on an SSRF, which is used in turn to trigger ssh2.exec. That executes on the box and gives a reverse shell. On the box we escalate to eric with a previously cracked hash. Using pspy, we find a binary running via a cron job. The job uses objcopy to check a file, which we replace with our own malicious binary; on its next execution we get a shell as root.
Initial Nmap
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.5
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://era.htb/
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
FTP for smiles
Looking at FTP and trying an anonymous logon gets us nothing. Moving on.
HTTP
Scanning this site gives us the domain name era.htb, which we add to our hosts file. Looking at the site, nothing special. We can...
Voleur (Windows Medium)
Voleur starts with credentials, but after an nmap you find NTLM is disabled. Using Kerberos, we are able to get a BloodHound dump. Checking the shares reveals an xlsx file, which we can convert to a hash and crack. Once done, we have access to an Excel file with some users and passwords; one of the users has been deleted. Once on the box, we move laterally to ldap_svc and find that deleted user. Using PowerShell, we restore them and then get a shell using the password found in the xlsx file. Then we go to the next directory in the IT share and find an archived users directory holding DPAPI credentials. After obtaining the credentials, we find our user able to access a backup in the next directory containing the SAM, SECURITY and NTDS files, which we use to dump the Administrator hash. As is common in real-life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt Initial...
Rustykey (Windows Hard)
This Windows Hard box starts off as an assumed breach. While enumerating with the supplied credentials you find that NTLM is disabled. Using the credentials you obtain a Kerberos ticket, which lets you get a BloodHound dump and enumerate the machine further. You are then able to Kerberoast SPNs (some did timeroasting instead) and obtain hashes, one of which cracks to the cleartext password of IT-Computer3$. With these credentials you abuse DACLs that let the account remove objects from the Protected Objects group, which in turn allows ForceChangePassword; after changing bb.morgan's password we get a Kerberos ticket, set up krb5.conf and evil-winrm onto the box. Enumeration as bb.morgan shows very little, but there is a user ee.reed in the Support group. After changing his password, creating a reverse shell and using RunasCs.exe, we get a shell as ee.reed. PrivescCheck.ps1 shows us a COM registry component we have...
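Both Voleur and Rustykey force Kerberos because NTLM is disabled, and every Kerberos-aware tool on the attacking box then needs a krb5.conf that names the realm and its KDC, plus a credential cache to read the ticket from. The script below is an added example written for this page, not code from either write-up: it writes that configuration and reads the realm and KDC back as a sanity check. The realm corp.local and the DC name dc01.corp.local are placeholders, not values from the boxes.

```shell
#!/bin/sh
# Added example (not from the write-ups): build a minimal krb5.conf for a
# Kerberos-only engagement. Realm and DC values are placeholders supplied by
# the caller.
set -eu

# write_krb5_conf REALM DC_FQDN OUTFILE
# Kerberos realm names are case-sensitive and conventionally upper-case, so the
# realm is normalised; the DC name is written verbatim because it must match
# the KDC's own hostname. DNS lookups are disabled so this file is
# authoritative even when the attacking box does not use the target's DNS.
write_krb5_conf() {
  realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  dc=$2
  out=$3
  cat > "$out" <<EOF
[libdefaults]
    default_realm = ${realm}
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    forwardable = true

[realms]
    ${realm} = {
        kdc = ${dc}
        admin_server = ${dc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# krb5_realm_of FILE: print the default_realm the file configures. An empty
# result means the file is not usable and KRB5_CONFIG should not point at it.
krb5_realm_of() {
  sed -n 's/^[[:space:]]*default_realm = //p' "$1"
}

# krb5_kdc_of FILE: print the first kdc entry.
krb5_kdc_of() {
  sed -n 's/^[[:space:]]*kdc = //p' "$1" | head -n 1
}

# Stand-alone demo with placeholder values (corp.local / dc01.corp.local).
demo_krb5() {
  f=$(mktemp)
  write_krb5_conf corp.local dc01.corp.local "$f"
  printf 'wrote %s for realm %s (kdc %s)\n' "$f" "$(krb5_realm_of "$f")" "$(krb5_kdc_of "$f")"
  printf 'export KRB5_CONFIG=%s\n' "$f"
}

demo_krb5
```

Point KRB5_CONFIG at the generated file, make sure the DC's FQDN resolves (an /etc/hosts entry is enough, since dns_lookup_kdc is off), request a TGT with impacket's getTGT.py and export KRB5CCNAME to the .ccache it writes; evil-winrm's -r flag then takes the realm. Two things bite in practice: the realm in krb5.conf must match the DC's realm exactly, and the attacking box's clock must be within five minutes of the DC or every request fails with a clock skew error.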
Axlle (Windows Hard)
Axlle is a hard-level Windows machine that begins with a website running on port 80. The site displays a maintenance message but mentions that Excel invoices can still be sent via email for processing. An attacker exploits this by crafting a malicious .XLL file, which bypasses security checks and is used in a phishing attack. Once the attacker gains code execution on the machine, they create a malicious .url file. This file is executed by the user dallon.matrix, leading to the compromise of their account. The dallon.matrix user is part of a group that has the ability to change the password of another user, jacob.greeny. The attacker leverages this privilege to reset the password and authenticate as jacob.greeny via WinRM. The jacob.greeny user is a member of the App Devs group, which has access to a scheduled automation that runs the StandaloneRunner binary with SYSTEM privileges. The attacker exploits this automated task to escalate privileges and ultimately gain a shell as the...
Fluffy (Windows Easy)
Starts with CVE-2025-24996, which is used to retrieve the hash of p.agila. This user owns the Service Accounts OU and can add themselves to it. Once done, they have GenericWrite and GenericAll, which we use for Shadow Credentials to obtain the hash for winrm_svc and the other service accounts (ldap_svc, ca_svc). With ca_svc, who is in Cert Publishers, we find that ADCS is vulnerable to ESC16, which allows a low-privileged user to escalate privileges. To do so, we update the ca_svc account's UPN to administrator and request a pfx, which gives us administrator.pfx. We then change the UPN for ca_svc back and authenticate with administrator.pfx, giving us the administrator hash. As is common in real-life Windows pentests, you will start the Fluffy box with credentials for the following account: rr.j.fleischman / J0elTHEM4n1990!
Initial Nmap
PORT   STATE SERVICE REASON
53/tcp open  domain  syn-ack
88/tcp open  ...
Scepter (Windows Hard)
The initial Nmap finds an NFS share containing pfx files, a key file and a cert file. Using pfx2john to create a hash, we crack the password, then build a pfx file with the cracked password using openssl. Authenticating with it gives us d.baker's hash. After getting a BloodHound dump we see d.baker has ForceChangePassword over a.carter. After changing that password, we see a.carter has GenericAll over the Staff Access Certificate. Using dacledit.py we give a.carter access. Then we set the mail attribute of d.baker to h.brown@scepter.htb using bloodyAD and request a certificate again with the UPN h.brown. From there we can authenticate and receive h.brown's hash as well as a ccache we can export and use. We have write over the p.adams account, and if we look at h.brown's attributes we see altSecurityIdentities. This is a weak explicit certificate mapping, so we can set the same attribute on p.adams and then set d.baker's mail attribute to p.adams. Once done we request again using the UPN p.adams. This gets us the hash for p.adams; from here we are a Replication Operator...
Puppy (Windows Medium)
This Windows Medium box starts with our user having write permissions over the DEVELOPERS group. Looking at shares, we find the DEV share available to us. In this share lies a KeePass database, which we exfiltrate to our machine. Once done we crack the database password and discover users and credentials. After password spraying we have another valid user, and this user is in the SENIOR DEVS group, with GenericAll over the user Adam.Silver. After re-enabling his account, we can finally get on the box. In the root directory we find a Backups directory with a zip file containing an XML file with credentials for Steph.Cooper. Using these credentials we log in, and looking at BloodHound or the other users we notice a steph.cooper_adm account. With access to this user's AppData we exfiltrate the files required for DPAPI. Once we decrypt the DPAPI blob, we find credentials for steph.cooper_adm. Starts as an assumed breach with credentials: levi.james / KingofAkron2025! Initial...
Sauna (Windows Easy)
This box starts off with port 80 open. Enumerating the website turns up a page listing staff names, which give us candidate usernames. AS-REP roasting proves successful, as user fsmith has Kerberos pre-authentication disabled and we retrieve his hash. Once the hash is cracked we are able to gain access to the machine. Working through privilege escalation, we come across autologon credentials for user svc_loanmanager stored for Winlogon in the registry, which we read with PowerShell. Looking at the user in BloodHound, we find they have GetChangesAll on the domain. This allows the user to DCSync and dump all the hashes for the domain.
Initial Nmap
PORT   STATE SERVICE REASON          VERSION
53/tcp open  domain  syn-ack ttl 127 Simple DNS Plus
80/tcp open  http    syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: ...
Hybrid (Chain Easy)
Hybrid is a chain made up of a Linux and a Windows machine. It starts with Roundcube Webmail on HTTP; using alias identities you are able to force command injection, leading to a reverse shell. Once on the box you find /etc/exports enabling rw for /opt/share, which allows privilege escalation to user peter. Once done, you tunnel through and find a template vulnerable to ESC1 (Domain Computers can enroll and the enrollee supplies the subject), allowing privilege escalation to Administrator.
Initial Nmap
Two IPs to scan.
Nmap scan report for 10.10.160.197
Host is up (0.16s latency).
Not...
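The /etc/exports finding in Hybrid is a standard check worth automating. The script below is an added example written for this page, not code from the write-up: it parses an exports file and lists every client entry that grants rw, flagging no_root_squash, which lets a remote root write files the server treats as root-owned. The sample exports file is constructed for the demo; the client networks and options in it are invented and are not the box's real configuration.

```shell
#!/bin/sh
# Added example (not from the write-up): audit an NFS exports file for
# writable exports. The sample data below is constructed for the demo.
set -euf   # -f: do not glob the '*' client wildcard while word-splitting lines

# audit_exports FILE
# Prints "<path> <client> <flags>" for every client entry that grants rw;
# flags is "rw,no_root_squash" when root is not remapped to nobody, else "rw".
# A client with no option list gets the exportfs defaults (ro) and is skipped.
audit_exports() {
  file=$1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}            # strip comments
    set -- $line                # $1 = export path, $2.. = client(opts) entries
    [ $# -ge 2 ] || continue
    path=$1; shift
    for entry in "$@"; do
      client=${entry%%\(*}
      if [ "$client" = "$entry" ]; then
        opts=""                 # bare client, default options
      else
        opts=${entry#*\(}; opts=${opts%\)}
      fi
      case ",$opts," in
        *,rw,*)
          case ",$opts," in
            *,no_root_squash,*) printf '%s %s rw,no_root_squash\n' "$path" "$client" ;;
            *)                  printf '%s %s rw\n' "$path" "$client" ;;
          esac ;;
      esac
    done
  done < "$file"
}

# count_writable_exports FILE: number of writable client entries.
count_writable_exports() {
  audit_exports "$1" | wc -l | tr -d ' '
}

# write_sample_exports FILE: constructed test data, not a real /etc/exports.
write_sample_exports() {
  cat > "$1" <<'EOF'
# constructed /etc/exports for the demo
/opt/share      10.10.0.0/16(rw,sync,no_subtree_check)
/srv/backup     *(rw,no_root_squash,sync)
/srv/pub        *(ro,all_squash) 10.10.0.5(rw)
/srv/legacy     192.168.1.0/24
EOF
}

# Stand-alone demo: expect three writable entries, one without root_squash.
demo_exports() {
  f=$(mktemp)
  write_sample_exports "$f"
  audit_exports "$f"
  rm -f "$f"
}

demo_exports
```

Globbing is disabled (set -f) because `*` is a legitimate client wildcard in exports and would otherwise be expanded against the working directory while the line is split. Note that root_squash does not make a rw export safe: the client chooses the uid under AUTH_SYS, so an attacker who mounts the share from their own machine can create a local user with the target's uid and write files as that user, which is how a writable export turns into a shell as another user even when root is squashed.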
Manage (Linux Easy)
Manage is a Linux Easy machine starting off with Java RMI, enumerated using beanshooter. During enumeration we gather credentials and see that authentication to the remote MBean server isn't required. Using this we get a foothold on the machine. As user tomcat, we see other users in /etc/passwd we can attack. Trying to escalate to useradmin, we have password reuse from the credentials we gathered, but upon entering the password we're asked for a verification code. Looking in useradmin's home we see a backup tar file. Getting it to our machine yields a backup of this user's home directory. It holds an SSH key we can use to get on the box, along with a .google_authenticator file containing emergency codes to try. Doing so gets us SSHed in. Looking at our user's privileges, we see we have sudo ALL:ALL on /usr/sbin/adduser. A typical sudoers file grants the admin group full sudo, yet no admin group exists on the box, so we can create a user named admin. Upon adding this user, they will in turn be added to the admin group...
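The Manage escalation works because a sudoers rule refers to a group that does not exist, and the attacker has a way to create it. The script below is an added example written for this page, not code from the write-up: it compares every principal in a sudoers file against /etc/passwd and /etc/group and reports the rules whose user or %group is missing, i.e. the rules anyone with account-creation rights can claim. The sample sudoers, passwd and group files are constructed for the demo and are not the box's real files.

```shell
#!/bin/sh
# Added example (not from the write-up): find sudoers rules whose principal does
# not exist on the system. A missing %group or user is claimable by anyone who
# can create accounts, e.g. via a sudo right on /usr/sbin/adduser.
set -eu

# dangling_sudoers_principals SUDOERS PASSWD GROUP
# Prints "group <name>" for %group rules whose group is absent from GROUP and
# "user <name>" for user rules whose user is absent from PASSWD. Defaults
# lines, alias definitions, alias references, include directives and the ALL
# keyword are skipped.
dangling_sudoers_principals() {
  sudoers=$1 passwd=$2 group=$3
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}            # strip comments (also drops #include lines)
    set -- $line                # $1 = principal, rest = host=(runas) commands
    [ $# -ge 2 ] || continue
    who=$1
    case "$who" in
      Defaults*|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias|@*|ALL) continue ;;
      %:*) continue ;;          # non-Unix group (e.g. an AD SID), not checkable here
      %*)  name=${who#%}
           cut -d: -f1 "$group" | grep -qxF -- "$name" || printf 'group %s\n' "$name" ;;
      [ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) continue ;;   # User_Alias reference
      *)   cut -d: -f1 "$passwd" | grep -qxF -- "$who" || printf 'user %s\n' "$who" ;;
    esac
  done < "$sudoers"
}

# write_sample_sudoers_env DIR: constructed sudoers/passwd/group for the demo.
# %admin has no matching group and deploy has no passwd entry on purpose.
write_sample_sudoers_env() {
  d=$1
  cat > "$d/sudoers" <<'EOF'
# constructed sudoers for the demo
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tomcat  ALL=(ALL:ALL) /usr/sbin/adduser
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl
EOF
  cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
tomcat:x:1001:1001::/opt/tomcat:/bin/bash
useradmin:x:1002:1002::/home/useradmin:/bin/bash
EOF
  cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:useradmin
tomcat:x:1001:
EOF
}

# Stand-alone demo: expect "group admin" and "user deploy".
demo_sudoers() {
  dir=$(mktemp -d)
  write_sample_sudoers_env "$dir"
  dangling_sudoers_principals "$dir/sudoers" "$dir/passwd" "$dir/group"
  rm -rf "$dir"
}

demo_sudoers
```

On a live box /etc/sudoers is usually not readable by a low-privileged user, and sudo -l shows only your own rules; in that case run the check against the distribution's default sudoers template (Ubuntu's ships %admin ALL=(ALL) ALL alongside %sudo) and the box's real /etc/group, which is exactly the comparison the Manage escalation relies on. On the defensive side the same output is a hardening list: delete rules for principals that do not exist, and never grant sudo on adduser or useradd to an account that should not be able to mint new sudoers.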