# Hack-The-Box-Writeups

## Easy

| S.No | Machine & Links | Writeup | CVEs - Tags |
|---|---|---|---|
| 1 | Lame 1 2 | Lame | CVE-2007-2447, CVE-2004-2687, CVE-2009-1185, unix, smb, samba, smbmap, smbclient, distccd, process, udev |
| 2 | Shocker 1 2 | Shocker | CVE-2014-6271, unix, cgi-*, cgi-bin, user.sh, shellshock, gtfobins, sudo, RCE, reverse shell |
| 3 | Bashed 1 2 | Bashed | unix, sudo, cronjob/scheduled task, RCE, reverse shell |
| 4 | Nibbles 1 2 | Nibbles | CVE-2015-6967, CVE-2017-16995, unix, sudo, nibbleblog, kernel, RCE, default creds, source code inspection |
| 5 | Beep 1 2 | Beep | CVE:N/A 1, CVE-2012-4869, CVE-2014-6271, CVE-2012-4867, CVE-2016-1713, CVE-2015-6000, CVE-2013-3214, CVE-2013-3215, unix, sudo, Elastix, PBX, LFI, svwar, webmin, shellshock, cgi-*, smtp, pop3, email, vTiger CRM, reverse shell, ssh |
| 6 | Sense 1 2 | Sense | CVE-2014-4688, CVE-2016-10709, unix, default creds, rce, stored creds, pfsense |
| 7 | Valentine 1 2 | Valentine | CVE-2014-0160, CVE-2014-0346, CVE-2016-5195, unix, heartbleed ssl/tls, sslyze, bruteforce/decrypt/decode, hash/encrypted/encoded, ssh, openssl, kernel exploit, dirtycow, system binary exploit, tmux session |
| 8 | Sunday 1 2 | Sunday | unix, bruteforce/decrypt/decode, finger, hydra, hash/encrypted/encoded, ssh, stored creds, sudo, suid, system/config/backup file, shadow.backup, hashid, john, hashcat, wget, gtfobins, openssl, passwd, wget --post-file, Overwrite Different SUID Binary, Overwrite shadow, Overwrite sudoers, /etc/sudoers, pspy, cronjob/scheduled task, solaris, powershell |
| 9 | Irked 1 2 | Irked | CVE-2010-2075, CVE-2016-1531, CVE-2018-6789, unix, hidden file, rce, reverse shell, stego, steghide, stored creds, suid, IRC, UnrealIRCd, Irssi, hexchat, Exim, ltrace |
| 10 | FriendZone 1 2 | FriendZone | CVE-2021-3156, CVE-2019-10149, unix, subdomain, DNS, DNS zone transfer, XSS, LFI, local file inclusion, burp, rce, reverse shell, smb, stored creds, system/config/backup file, mysql, sql conf file, mysql_data.conf, pspy, cronjob/scheduled task, Python Library Hijacking, writable python module, source code inspection, aquatone, impacket, smbclient, crackmapexec, smtp, Exim, Sudo Baron Samedit vulnerability |
| 11 | CozyHosting 1 2 | CozyHosting | unix, whitelabel error page, Spring Boot framework, actuator, session cookie, burp, rce, obfuscate, base64/URL encoded reverse shell, whitespaces not allowed, bypass without space, $IFS, java archive, jar xf, jd-gui, application.properties, postgresql, psql, hash/encrypted/encoded, john, hashcat, bcrypt, sudo, gtfobins, ssh |
| 12 | Keeper 1 2 | Keeper | CVE-2023-32784, unix, Request Tracker, default creds, unzip, stored creds, password manager, KeePass, .kdbx, .dmp, keepass2, .NET, dotnet, Danish dish, rødgrød med fløde, PuTTY PPK, .ppk, .pem, puttygen, putty, ssh |
| 13 | Analytics 1 2 | Analytics | CVE-2023-38646, CVE-2021-3493, CVE-2023-2640, CVE-2023-32629, unix, Metabase, business intelligence platform, subdomain, rce, Metabase Pre-Auth RCE, JDBC, setup-token, burp, base64 encoded reverse shell, json, curl, docker container, environment variables, stored creds, ssh, kernel, OverlayFS, GameOver(lay) |
| 14 | Codify 1 2 | Codify | CVE-2023-30547, unix, node.js, vm2 library, sandbox escape, rce, reverse shell, SQLite, stored creds, bcrypt, hash/encrypted/encoded, john, hashcat, sudo, mysql, insecure/unquoted variable comparison, pattern matching, bruteforcing, scripting, ~/.ssh/authorized_keys |
| 15 | Devvortex 1 2 | Devvortex | CVE-2023-23752, CVE-2023-26604, unix, subdomain, joomla, joomscan, improper access check, data exfiltration, rce, reverse shell, template, mysql, stored creds, bcrypt, hash/encrypted/encoded, john, hashcat, sudo, apport-cli |
| 16 | SwagShop 1 2 | SwagShop | CVE-2015-1397, CVE:N/A 1, unix, magento, e-commerce, cms, PHP Object Injection, deserialization, mechanize, authenticated rce, rce, file upload, reverse shell, sudo, gtfobins, magescan, Mage Scan, Magento package, burp, mysql, sqli, Froghopper Attack |
| 17 | Networked 1 2 | Networked | unix, cron/scheduled tasks, rce, reverse shell, file upload, mime types, magic bytes, burp, source code inspection, exec(), sudo, system/config/backup file, tar, command injection, ifcfg, networking script, exiftool, steghide |
| 18 | Crafty 1 2 | Crafty | CVE-2021-44228, windows, Minecraft, log4j, java logging library, java archive, jdk, Minecraft Python Client Library, pyCraft, virtual environment, virtualenv, ldap server, jndi, .jar, msfvenom, payload, windows/x64/meterpreter/reverse_tcp, Metasploit, multi/handler, certutil, meterpreter, download, upload, Java Decompiler, jd-gui, stored creds, evil-winrm, nc.exe, RunasCs, Minecraft Console Client (MCC), Plugins, wmic product, Powershell, Windows Run As Reverse Shell / New-Object System.Management.Automation.PSCredential, post/windows/manage/run_as_psh |
| 19 | Perfection 1 2 | Perfection | unix, ruby app, SSTI, Server Side Template Injection, url encoding, bypass, escape characters, line feed, Linefeed (newline), %0A, sqlite, stored creds, system/config/backup file, bruteforce/decrypt/decode, hash/encrypted/encoded, hash-identifier, hashid, sha256, SHA2-256, hashcat, crackstation.net, linpeas.sh, /var/mail, hashcat brute-force attack-mode, sudo, hurl |
| 20 | Tabby 1 2 | Tabby | CVE:N/A 1, unix, apache tomcat, view page source code, local file inclusion, LFI, code review, api, file upload, stored creds, manager webapp, host-manager, admin-gui, manager-gui, tomcat-users.xml, /usr/share/tomcat9/etc/tomcat-users.xml, Text-based manager, curl, -T, --upload-file, java, msfvenom, java/shell_reverse_tcp, Java reverse shell, .war, system/config/backup file, .zip, bruteforce/decrypt/decode, hash/encrypted/encoded, zip2john, john, fcrackzip, user groups, lxd/lxc, container, Alpine Linux container, /etc/passwd, /etc/sudoers, SUID, bash -p, euid, openssl |
| 21 | Legacy 1 2 | Legacy | CVE-2008-4250 (ms08-067) / Conficker, CVE-2017-0144, CVE-2017-0143, ms17-010 / Eternal Blue / Shadow Brokers / WannaCry / NotPetya, windows, Windows XP Pro SP3, Windows 2000 LAN Manager, smb, smbv1, rpc, nmap scripts, nse, Windows Kernel, Impacket, shellcode, msfvenom, windows/shell_reverse_tcp, bad characters, whoami.exe, /usr/share/windows-binaries, smbserver.py, /usr/share/doc/python3-impacket/examples/smbserver.py, NT AUTHORITY\SYSTEM, windows/smb/ms08_067_netapi, TFTP server, exploit/windows/smb/ms17_010_psexec |
| 22 | Blue 1 2 | Blue | CVE-2017-0144, CVE-2017-0143, ms17-010 / Eternal Blue / Shadow Brokers / WannaCry / NotPetya, Windows, windows 7, smb, smbv1, Windows Kernel, mysmb.py, msfvenom, windows/shell_reverse_tcp, enum4linux, smbmap, NT AUTHORITY\SYSTEM, windows/smb/ms17_010_eternalblue, impacket |
| 23 | Devel 1 2 | Devel | CVE-2011-1249 / MS11-046 / afd.sys, Windows, ftp, Microsoft IIS, aspnet_client, asp.net, .aspx, msfvenom, windows/shell_reverse_tcp, /usr/share/windows-binaries/, smbserver.py, systeminfo, powershell, nishang / Invoke-PowerShellTcp, Windows 7 Build 7600 on x86, i686-w64-mingw32-gcc, Windows kernel, NT AUTHORITY\SYSTEM, meterpreter, exploit/multi/handler, windows/meterpreter/reverse_tcp, Watson, .NET versions, registry, Visual Studio, .sln, Windows Exploits, local exploit suggester, post/multi/recon/local_exploit_suggester, MS10-015, exploit/windows/local/ms10_015_kitrap0d, ms15_051, exploit/windows/local/ms15_051_client_copy_image, Mimikatz, kiwi, lsa_dump_sam, ms14_058, windows/local/ms14_058_track_popup_menu, ms13_053, windows/local/ms13_053_schlamperei, SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege, Juicy Potato, Rotten Potato, CLSID, Abusing Token Privileges |
| 24 | Headless 1 2 | Headless | unix, upnp, XSS, Burp, JWT, cookie, is_admin, User-Agent, User Agent, document.cookie, account takeover, command injection, sudo, SUID, /usr/bin/syscheck, /bin/bash, /bin/bash -p |
| 25 | Optimum 1 2 | Optimum | CVE-2014-6287, MS16-098 / Kernel, CVE-2016-0099 / MS16-032, Invoke-MS16032, CVE-2016-7214 / MS16-135, Windows, Windows Server 2012 R2, HttpFileServer, HFS, Rejetto, /usr/share/windows-binaries, Windows Exploit Suggester, systeminfo, Invoke-PowerShellTcpOneLine.ps1, powershell, IEX, Invoke-Expression, winPEAS, smbserver.py, microsoft.net, .NET, Watson, Sherlock, sysNative, metasploit, exploit/windows/http/rejetto_hfs_exec, local exploit suggester, post/multi/recon/local_exploit_suggester, msfvenom, windows/x64/powershell_reverse_tcp |
| 26 | Granny 1 2 | Granny | MS15-051 / CVE:N/A 1, MS14-058, CVE-2017-7269, MS14-070 / CVE-2014-1767, ms10_015, MS09-012, Windows, Windows 2003 server, iis, WebDAV, allowed HTTP methods, davtest, upload arbitrary files, HTTP PUT, MOVE, .aspx, .html, .txt, curl, msfvenom, windows/shell_reverse_tcp, Windows Exploit Suggester, systeminfo, kernel vulnerability, metasploit, local exploit suggester, post/multi/recon/local_exploit_suggester, /usr/share/webshells/aspx/cmdasp.aspx, exploit/multi/handler, churrasco.exe, /usr/share/sqlninja/apps/churrasco.exe, SeImpersonatePrivilege, Juicy Potato, Rotten Potato, CLSID, Abusing Token Privileges, wget vbs script, cadaver |
| 27 | Arctic 1 2 | Arctic | CVE-2009-2265, CVE-2010-2554 / MS10-059, CVE-2010-2861, MS15-051, Windows, Windows Server 2008, local file inclusion, LFI, Arbitrary File Upload, stored creds, msfvenom, .jsp, java/jsp_shell_reverse_tcp, Windows Exploit Suggester, Flight Message Transfer Protocol (FMTP), CFIDE, cfdocs, adobe coldfusion, Directory Traversal, cfadminPassword, SHA1, HMAC SHA1, salt, console.log, hex_hmac_sha1, document.loginform.salt.value, Developer Tools, burp, js (javascript), authentication bypass, web passing the hash, Kernel Vulnerability, smbserver.py, cronjob/scheduled task, CFM webshell, SeImpersonatePrivilege, Juicy Potato, Rotten Potato, CLSID, Abusing Token Privileges, windows/x64/shell_reverse_tcp, Windows Exploit Suggester 2, WES-NG, PowerUp.ps1, accesschk64.exe, exploit/windows/http/coldfusion_fckeditor, exploit/windows/local/ms10_092_schelevator, multi/recon/local_exploit_suggester, windows/local/ms16_014_wmi_recv_notif |

## Medium

| S.No | Machine & Links | Writeup | CVEs - Tags |
|---|---|---|---|
| 1 | Cronos 1 2 | Cronos | CVE-2017-16995, CVE-2018-15133, unix, burp, cronjob/scheduled task, DNS, DNS zone transfer, subdomain, sqli, authentication bypass, RCE, reverse shell, KERNEL, Laravel |
| 2 | Nineveh 1 2 | Nineveh | CVE:N/A 1, CVE-2014-0476, CVE-2017-16995, unix, info.php, bruteforce/decrypt/decode, hydra, php login bypass, php comparisons error exploit, type juggling, php login bypass type juggling, LFI, rce, phpliteadmin, reverse shell, pspy, cronjob/scheduled task, chkrootkit, strings, ssh, stego, binwalk, system binary exploit, system/config/backup file, mail, port knock, knockd, chisel, ssh authorized keys, public SSH keystring, private SSH keystring, kernel, procmon.sh |
| 3 | SolidState 1 2 | SolidState | CVE:N/A 1 2, unix, Apache James Mail Server, smtp, pop3, email, mutt, ssh, sshpass, authenticated rce, cron/scheduled tasks, pspy, rbash (restricted bash shell)/restricted shell, smtp/pop/imap, ssh, default creds, telnet, /etc/bash_completion.d, RSIP |
| 4 | Node 1 2 | Node | CVE-2017-16995, unix, Express Node.js, API, hadoop, big data, crackstation.net, MongoDB, NoSQL, base64, unzip, fcrackzip, zip2john, john, ssh, cron/scheduled tasks, kernel exploit, SUID, binary analysis, ltrace, unzip, 7z, libc buffer overflow |
| 5 | Poison 1 2 | Poison | unix, bruteforce/decrypt/decode, hash/encrypted/encoded, LFI, local file inclusion, log poisoning, rce, reverse shell, ssh, ssh tunnelling, proxychains, port forwarding, stored creds, system binary exploit, system/config/backup file, VNC, vncviewer, scp, phpinfo.php, phpinfolfi.py |
| 6 | TartarSauce 1 2 | TartarSauce | CVE:N/A 1, CVE-2015-8351, unix, robots.txt, monstra cms, wordpress, wpscan, gwolle-gb, cron/scheduled tasks, pspy, systemctl list-timers, RFI, remote file inclusion, reverse shell, source code inspection, sudo, system binary exploit, gtfobins, tar, --checkpoint-action, --to-command, SUID, symbolic link |
| 7 | Surveillance 1 2 | Surveillance | CVE-2023-41892, CVE-2023-26035, unix, Craft CMS, rce, reverse shell, stored creds, SQLBackupFile, .sql.zip, sha256, hash/encrypted/encoded, hashcat, mysql, ssh, ssh tunnelling, port forwarding, zoneminder, sudo, zmupdate.pl, Busybox |
| 8 | Jarvis 1 2 | Jarvis | CVE-2018-12613, unix, bruteforce/decrypt/decode, hash/encrypted/encoded, crackstation, john, hashcat, LFI, local file inclusion, rce, reverse shell, sqli, sql injection, mysql, sleep(), order by, UNION SELECT, group_concat, LIMIT, Information_Schema Tables, SCHEMATA, SCHEMA_NAME, TABLE_NAME, COLUMN_NAME, COLUMNS, TABLE_SCHEMA, User, Password, mysql.User, file_priv, load_file, INTO OUTFILE, phpMyAdmin, phpinfo, waf bypass/evasion, command injection, stored creds, sudo, suid, systemctl, gtfobins, systemd, system binary exploit, stderr, stdout, burp, sqlmap, --os-shell, --file-write, --file-dest, copy ssh public key, authorized_keys |
| 9 | Manager 1 2 | Manager | windows, SSL certificate, nslookup, Active Directory, kerberos, crackmapexec, NetExec, kerbrute, mssql, impacket-mssqlclient, EXEC xp_dirtree, C:\inetpub\wwwroot, system/config/backup file, stored creds, IIS, evil-winrm, impacket-psexec, psexec, PTH (Pass the Hash), whoami /priv, BUILTIN\Certificate Service, SeMachineAccountPrivilege, Certify.exe, Certificate template SubCA, certipy, certipy-ad, Active Directory Certificate Services (AD CS) enumeration, Vulnerable Certificate Authority Access Control (ESC7), Public Key Infrastructure, CA (certificate authority), certutil, .pfx, .crt, OpenSSL, ntpdate, rdate, hash, domain admin, virtual environment |
| 10 | Hospital 1 2 | Hospital | CVE-2023-2640, CVE-2023-32629, CVE-2023-36664 / Ghostscript, windows, file upload vulnerability, webshell, p0wny-shell / powny-shell, weevely, .phar, base64/URL encoded reverse shell, nc/netcat reverse shell, WSL (Windows Subsystem for Linux), OS vulnerability, GameOver(lay) Ubuntu, Kernel, OverlayFS, bruteforce/decrypt/decode, /etc/shadow, hashcat, john, webmail portal, Ghostscript command injection, .eps, send mail, system/config/backup file, stored creds, rpcclient, querydispinfo, icacls |
| 11 | Monitored 1 2 | Monitored | CVE-2023-40931, CVE-2023-40933, unix, nagios, snmp, snmpwalk, snmp-check, snmpbulkwalk, default creds, stored creds, nagiosxi, api, endpoint, curl, token, auth_token, auth_level, authentication bypass, sqli, sqlmap, mysql, api_key, services/command, sudo, .service files, service, ldapsearch, incursore, linpeas, log_file, .cfg, zip, /.ssh/id_rsa, ssh |
| 12 | Pov 1 2 | Pov | windows, asp.net, subdomain, file download, lfi, local file inclusion, burp, web.config, system.web, AES, decryptionKey, SHA1, validationKey, hash/encrypted/encoded, .NET deserialization vulnerability, DotNet Deserialization vulnerability, ysoserial.exe, ysoserial.net, Wine, Winetricks, Mono, dotNET45, dotnet48, ViewState, powershell base64 reverse shell, system/config/backup file, stored creds, CyberChef, powershell, New-Object System.Management.Automation.PSCredential, $Credential.GetNetworkCredential().password, Invoke-Command, RunasCs, msfvenom, payload, windows/x64/meterpreter/reverse_tcp, Metasploit, exploit/multi/handler, meterpreter, cmd.exe -r Your_Ip:3333, certutil, curl, sedebugPrivilegePoC, process migrate, winlogon.exe, psgetsystem, EnableAllTokenPrivs.ps1, windows/x64/shell_reverse_tcp, Reverse PowerShell cmdline payload generator (base64 encoded), hashdump, netstat, pivoting/port forwarding, ligolo, evil-winrm |
| 13 | Jab 1 2 | Jab | CVE-2023-32315, windows, nslookup, active directory, domain controller, kerberos, kerbrute, Jabber XMPP (Extensible Messaging and Presence Protocol) open communication protocol, pidgin, chatroom, service discovery, search users, regex, regular expression, AS-REP Roasting, impacket, GetNPUsers.py, hash/encrypted/encoded, hashcat, john, buddy list, system/config/backup file, stored creds, dcomexec.py, MSRPC, DCOM, Distributed COM Users, bloodhound-python, powershell base64 reverse shell, netstat, openfire-service, Java-based real-time collaboration (RTC) server, instant messaging (IM), group chat, pivoting/port forwarding, chisel, openfire administrative console, openfire admin console port vulnerability, svc_openfire, plugin, .jar, management tool, system command |
| 14 | Magic 1 2 | Magic | unix, sqli, authentication bypass, improper redirection, file upload vulnerability, bypass filters, file extension, mime types, magic bytes, png, php, system/config/backup file, stored creds, database, mysql, mysqldump, SUID, /bin/sysinfo, ltrace, strings, fdisk, path hijacking, $PATH, 302 response size, burp, match and replace, change response header, exiftool, port forwarding, ligolo, ssh-keygen, authorized_keys, chisel |
| 15 | WifineticTwo 1 2 | WifineticTwo | CVE:N/A 1 2, CVE-2021-31630, CVE-2021-3351, unix, OpenPLC webserver, default creds, hardware, Hardware Layer Code Box, rce, network services, iw, Wi-Fi, wifi, wireless network, wlan0, WPS PIN, WPA PSK, oneshot, Pixie Dust attack, wpa_passphrase, plcrouter, wpa_supplicant, ssh, default gateway |
| 16 | Bastard 1 2 | Bastard | CVE:N/A 1, Drupalgeddon2 / CVE-2018-7600, Drupalgeddon3 / CVE-2018-7602, ms16_014, MS15-051, Windows, Windows Server 2008 R2, iis, drupal, CMS, endpoint, rest, api, php, php-curl, .json, session cookie, burp, code/command injection, ruby, kernel vulnerability, droopescan, curl, Invoke-PowerShellTcp.ps1, windows exploit suggester, local exploit suggester, post/multi/recon/local_exploit_suggester, SeImpersonatePrivilege, Juicy Potato, Rotten Potato, CLSID, Abusing Token Privileges, tasklist, mysqld.exe, netstat -ano, pivoting/port forwarding, plink.exe, /usr/share/windows-resources/binaries/, mysql, lib_mysqludf_sys_64.dll, /usr/share/metasploit-framework/data/exploits/mysql/, smbserver.py, load_file, into dumpfile, sys_exec, exploit/windows/local/ms16_014_wmi_recv_notif |

## Hard

| S.No | Machine & Links | Writeup | CVEs - Tags |
|---|---|---|---|
| 1 | Analysis 1 2 | Analysis | CVE-2016-1417, windows, nslookup, kerberos, fuzzing, subdomain, feroxbuster, Arjun, LDAP Injection, attribute, IDOR, possible-usernames, sed -i, kerbrute, file upload vulnerability, webshell, nc.exe, winPEAS, snort, DLL hijacking vulnerability, sf_engine.dll, C:\Snort\etc\snort.conf, .dll, dynamicprocessor, msfvenom, payload, windows/x64/meterpreter/reverse_tcp, Metasploit, exploit/multi/handler, meterpreter, certutil, stored creds, RunasCs, ConPtyShell - Fully Interactive Reverse Shell for Windows / Invoke-ConPtyShell, p0wny-shell / powny-shell, PrivescCheck, Powershell, evil-winrm, icacls, crackmapexec, ldapsearch, impacket-smbserver, .pcap |
| 2 | Office 1 2 | Office | CVE-2023-23752, CVE-2023-2255, windows, Windows Server 2022, active directory, domain controller, Joomla CMS, nslookup, subdomain, kerberos, kerbrute, AS-REP, MySQL, crackmapexec, password spray, smb, wireshark, .pcap, krb5, AS-REQ, padata-value, cipher, NTLM hash, hash/encrypted/encoded, hashcat, template, RunasCs, cmd.exe -r, post/windows/manage/run_as_psh, netstat, pivoting/port forwarding, chisel, LibreOffice, .odt, resume, upload, job application, xampp, msfvenom, stored creds, DPAPI, mimikatz, Microsoft Credentials, masterkey files, masterkey GUID, evil-winrm, GPO Managers, GPO abuse, PowerView.ps1, objectsid, Default Domain Controllers Policy, SharpGPOAbuse, base64 encoded reverse shell, exploit/multi/mysql/mysql_udf_payload, SeImpersonatePrivilege, GodPotato |

## Insane

| S.No | Machine & Links | Writeup | CVEs - Tags |
|---|---|---|---|
| 1 | Brainfuck 1 2 | Brainfuck | CVE:N/A 1 2, smtp, pop3, email, mutt, ssh, id_rsa, ssh2john, john, tls, subdomain, wordpress, vigenere, RSA, lxd, lxc, ssh |