kami@kali:~$ journalctl

  • Knife writeup

    10.129.1.225

    Scanned the machine with rustscan.

    Navigated to the webserver.

    Ran ffuf for directory busting while I poked around further.

    Didn’t find anything in source code. No robots.txt exists. Ffuf didn’t seem to find anything with that list. Also ran dirb but that didn’t find anything. The .svg file is the only thing that looks a bit interesting (the heart monitor line). Tried running ffuf with a bigger list.

    Ran searchsploit on the version of apache but no results. Not finding anything else so I will look for subdomains.

    I checked Wappalyzer.

    I searchsploited PHP 8.1.0 and I got a bunch of stuff back.

    Specifically these two look interesting.

    Read through the first exploit and it looks like this is the one we want. Also the second one is Windows. https://www.exploit-db.com/exploits/49933

    Made a file and copied the code into it. Ran it and we got a shell.

    Ran sudo -l

    Navigated to GTFOBins and knife is actually there. This allows us to run Ruby code. I tried a bunch but nothing was running properly. I couldn’t even upgrade my shell for some reason. I went back to the GitHub repo, as I saw this earlier, and used the revshell Python script instead and got a shell that way. https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/README.md

    Going back to stabilize our shell and run knife to get a shell and get the flags.

    Submit user flag – 

    A: b17b94cbaa49a718bde3027b92cc4ea0

    Submit root flag – 

    A: 21a7315094ab8095c6e52910f80a6470

    GG

  • Optimum writeup

    10.129.1.173

    Scanned the machine with rustscan.

    I’ve already seen this version being vulnerable. This will be simple.

    I thought there was a metasploit exploit though so I checked that and there is.

    Set my options and sent it.

    Found user.txt

    Submit User Flag – 

    A: c74037cc0f43e985d1e2c1c49b41bf25

    To escalate privs, I’ll use winpeas. Got the architecture so I can upload the proper winpeas.

    Set up a http server on my machine.

    Downloaded it to the machine.

    I haven’t used winpeas enough yet but I didn’t see too much. Checked privs manually.

    Nothing fun. Tried easy win getsystem with Metasploit but nothing here either.

    Tried poking around other directories for anything interesting. I’m not sure if that hfs.exe is useful. Cmdkey /list didn’t have any creds stored. Checked txt files in System32.

    There’s no AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. No interesting services I could see. I’m having 0 luck with manual enumeration. I’ll go back to automated priv tools. Since we have a meterpreter, let’s try the local_exploit_suggester.

    Set the session and ran. It found a bunch of things.

    Honestly this is some pretty skid shit I just did but I just fired off the exploits from top to bottom and ms16_032_secondary_logon_handle_privesc exploit worked.

    Root.txt was on Administrator’s desktop.

    Submit Root Flag – 

    A: 0f2c17c061fd104f2ccaf813851224a1

    So why did this even work? Apparently it’s Secondary Logon Handle Privilege Escalation and is a security flaw in Microsoft Windows that affects older versions of Windows, especially the one this box was on. I guess this could’ve been a lot easier than I made it out to be.

    GG

  • Intune printer deployment

    In my opinion Universal Print is a pretty bad solution for deploying printers to Intune environments for a few reasons, but that’s likely not surprising to you considering it’s Microsoft. I did a bit of research on my own but I couldn’t find any convenient solutions on the internet, so I decided to solve the problem myself and created a script that may help you with your needs.

    You can check it out here on my newly created GitHub: https://github.com/Kamigold/Printer-script

    If anyone has any additional thoughts, let me know.

    GG

  • Nibbles writeup

    10.129.1.118

    Scanned the machine.

    Navigate to the webserver to check it out.

    Nothing in robots.txt but checking source code we do see a mention of /nibbleblog.

    Looks like it’s powered by Nibbleblog (bottom right). Checking exploits, it looks like there’s a metasploit module we can use.

    Started metasploit. Found the exploit but we actually need credentials. Let’s find the actual login page. To do this I ran gobuster (disregard the failed commands; I was brainfarting the wordlist location). While the scan was running I was poking around the directories it already found. The /admin was the most interesting but I didn’t see any files that would let us move forward. Since this runs on PHP I randomly just typed in admin.php and got lucky.

    I tried a bunch of random credentials but wasn’t having too much luck. After some manual guessing it also looks like it blacklisted us, so brute forcing isn’t an option.

    I did more looking around the directories that gobuster found and it looks like we found an admin but still no password.

    It doesn’t look like the blacklist goes away so I reset the machine. New IP is 10.129.1.119. Since we aren’t asked to bruteforce (or possibly technically able to) I still guessed random passwords. It ended up being the name of the machine… 

    Updated my earlier metasploit exploit options.

    And we’re in.

    Poked around files until I found something useful. I was actually able to read passwd.

    This isn’t actually much help as we know we need root. If I run sudo -l I actually get something interesting.

    When I tried to cat it, it wouldn’t read but it looks like it’s executing in the cli which is weird. I can’t really replicate that without recording. I was seeing if it was actually just running whatever was after it so I tried bash and python but I think I’m just wasting my time.

    My other thought is that it runs on a scheduled task. Unfortunately that does not look like the case.

    I wanted to see the privilege on the files but this actually doesn’t even exist.

    So now I’m thinking, what if I just create that file as a reverse shell. Created a shell and tried creating it but even directories above that didn’t exist, which was weird. I wanted to confirm that so I navigated to /home/nibbler, and I should’ve just gone here earlier.

    The file had a bunch of content. Don’t care though I’ll try overwriting it.

    And we get a shell but it was just nibbler again. Reran it as sudo.

    Submit User Flag – 

    A: 5e6b8e6225c8d7ec4b9f8df02ee4b23d

    Submit Root Flag – 

    A: b7077f18f61da82efb73411a2d495593

    GG

  • Legacy writeup

    10.129.227.181

    Scanned the machine.

    Tried smbclient but didn’t get anything back.

    Smbmap also failed, interestingly enough.

    Enum4linux also didn’t return anything. Tried running searchsploit against versions of things but nothing interesting. The nmap results earlier mentioned Conficker. Did some research and found an nmap script I can specifically run to see if I can get more information.

    Turns out it’s likely vulnerable to this. This is the blog I started to refer to: https://blog.razzsecurity.com/2025/04/27/windows-penetration-testing/windows-xp-penetration-testing-ms08-067-smb-exploit-1/

    Let’s try using that msfconsole exploit.

    And damn… I thought this was it but it failed.

    I searched the CVE in msfconsole and I actually found a module that was built specifically for this, so I wanted to try it because I feel like we are on the correct path.

    I’m in.

    And we’re already root. Started to navigate around to look for the flags. Found a user john.

    Submit User Flag – 

    A: e69af0e4f443de7e36876fda4ec7644f

    Submit Root Flag – 

    A: 993442d258b0e0ec917cae9e695d5713

    GG

  • Cap writeup

    10.129.1.105

    Scanned the machine.

    Checked out the webserver.

    It already logged me in with a Nathan account. There are also some commands being run on the site that show network information.

    The options of the dropdown on Nathan seem to not do anything.

    Before I do more looking into that I want to check ftp. Searchsploit only shows a DoS.

    Looks like no anonymous.

    We do have a possible username nathan though. I’m going to run brute forces in the background on ssh and ftp.

    While those go, I’ll also directory bust the website to see if there’s anything fun there. Someone in the HTB discord mentioned feroxbuster might be better than gobuster so I’ll try using that.

    While those run I came back to the website. So the website runs commands obviously which might be interesting. I don’t think I can upload anywhere at this point to run a shell. One of the options on the webpage is “Security Snapshot (5 Second PCAP + Analysis)” and it actually looks like we can download a file.

    I downloaded those PCAP files to take a look. Nothing was in that file but it actually looks like the website is vulnerable by the URL. I changed that a few times and when I got to 0 there was information in the value column, so this pcap file might have something.

    It does have content.

    I searched for any strings containing pass and it looks like I actually found something.

    Followed that TCP stream.

    This explains the automatic login. I SSH’d to the server with those creds and it actually worked.

    Submit User Flag – 

    A: cf154a82b4e92d314d126a54ce7535b8

    Submit Root Flag – 

    I can’t get into root, which I expected. I can’t run sudo -l, no bash history, tried finding password files. There was nothing dumb easy so I’ll get linpeas on the machine. Opened an HTTP server and transferred linpeas.sh to the machine.

    Sifting through the results I see pkexec may be vulnerable.

    That failed so I continued to look further and I found this, and this checks out considering the room is called Cap.

    I’m not exactly familiar with it, so I did some googling and found this: https://medium.com/@forgecode/linux-privilege-escalation-via-cap-setuid-gaining-root-with-python-ecca7cab716e

    This got us root!

    Submit Root Flag – 

    A: 8b3c1083857c50284715c78f7d6f0542

    GG
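    Added here as a defender-side check, not part of the original writeup: a small POSIX shell audit that reads getcap-style output and flags binaries whose file capabilities amount to root, rating interpreters (the python-with-cap_setuid case from this box) as critical because any script they run inherits the capability. The sample getcap lines are constructed, not captured from the machine.

```shell
#!/bin/sh
# Audit file capabilities: read getcap-style lines ("path = caps" or "path caps") on stdin
# and print the ones whose capability lets the binary change identity or bypass permission checks.
# Real use: getcap -r / 2>/dev/null | flag_caps

DANGEROUS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_fowner|cap_chown'

flag_caps() {
    # Prefix each hit with a severity: CRITICAL when the binary is an interpreter or shell,
    # because whatever it executes inherits the capability; HIGH for anything else that still
    # deserves a look (setuid-like behaviour without the setuid bit showing up in find results).
    awk -v re="$DANGEROUS" '
        $0 ~ re {
            sev = "HIGH"
            if ($1 ~ /\/(python[0-9.]*|perl[0-9.]*|ruby[0-9.]*|node|bash|dash|sh)$/) sev = "CRITICAL"
            print sev, $0
        }'
}

# Constructed sample of getcap output (both libcap output styles); line two mirrors this box's finding
SAMPLE='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep'

# Returns the number of flagged binaries in SAMPLE
count_flagged() {
    printf '%s\n' "$SAMPLE" | flag_caps | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | flag_caps
```

Remediation is to drop the capability (setcap -r on the binary) or restrict execute permission to the group that actually needs it; cap_net_raw on ping is expected and is deliberately not flagged.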

  • Lame writeup

    10.129.1.103

    Scanned the machine.

    I saw FTP was open; let’s check if it allows anonymous. Looks like it does but nothing is in there.

    Nmap part finished.

    Checked out the SMB instead.

    Looks like tmp might be interesting. There’s a bunch of random files in there that I’m not getting any thoughts on right away.

    Started to download files to check out what they are.

    The other files looked like I couldn’t download them. Will keep this stuff in the back of my head but I think this is a rabbit hole. Started searchsploiting versions and the ftp server looks interesting.

    Opened up metasploit.

    That didn’t work though.

    SSH doesn’t look interesting. The only thing remaining that may be of use is port 3632. Not familiar with this port so I checked out HackTricks: https://book.hacktricks.wiki/en/network-services-pentesting/3632-pentesting-distcc.html

    Looks like I might be able to use a metasploit module.

    I messed up RHOSTS, set that properly but it failed.

    Nmap says it’s vulnerable though.

    I ran searchsploit on the SMB version as I hadn’t done that and there’s a lot of results.

    Realized I missed a 0, reran searchsploit to narrow results as that’s a lot to sift through.

    There’s a metasploit module. Let’s try that.

    That worked.

    I could upgrade the shell but not going to bother at this point.

    Submit User Flag – 

    A: 8c00826f7186351b20251036e2c06c7e

    Submit Root Flag – 

    A: 55f231e377ee99dacbcaedf46aa33891

    GG

  • Blue writeup

    10.129.1.101

    Scanned the machine.

    Also from the name of the machine and ports I can make a really good guess that this would be an EternalBlue machine.

    Started up metasploit, searched ms17_010, which is EternalBlue. Let’s use a checker first as best practice instead of just firing an exploit.

    It’s likely vulnerable. Let’s exploit.

    We’re in.

    And we’re already root. Looked around for the flags and I saw a user on the device.

    Submit User Flag – 

    A: 74fb11bbe7091ed73c98fdefa8f0cc87

    Submit Root Flag – 

    A: bf59850502778a791dc921473c73cd87

    GG

  • Jerry writeup

    10.129.136.9

    Scanned the machine.

    Checked out the webserver.

    Searchsploited the Apache version but nothing specific to that. Did a bit of googling but no exploits popping up right away. Ran gobuster, /manager has a login page.

    Tried using the default credentials found on this page tomcat:s3cret and I actually got in.

    I had some notes to upload a jsp shell and since we have credentials I wanted to try that. Started up msfconsole.

    Unfortunately this failed. Also in the previous screenshot I missed setting the shell (“set shell cmd”). There may be another option while being logged into /manager as I see a WAR file upload, but I can’t recall how to take advantage of this so I did a bit of research. This might be obvious, but I’m not really familiar with .WAR files; that’s what it accepts. Tomcat uses Java so I created a shell that I attempted to use in my Metasploit exploit using msfvenom (with the help of revshells).

    Set up a handler.

    Uploaded the war file and it responded with a Message: OK

    And now I can see it on the page.

    That didn’t work. I’m wondering if it’s because I used tun0 when creating the shell so I tried using my IP address instead. I undeployed the original shell, rewrote the payload with the IP, uploaded it and called it then and got a shell.

    And right away I’m actually root.

    Navigated around the box to find the flags and they can both be found on the Administrator desktop.

    Submit User Flag – 

    A: 7004dbcef0f854e0fb401875f26ebd00

    Submit Root Flag – 

    A: 04a8b36e1545a455393d067e772fe90e

    GG

  • Shocker writeup

    I’m first going to attempt Adventure Mode for these machines going forward unless I get stuck, then will move to Guided Mode. Additionally, instead of using the pwnbox from Hackthebox I’m now going to start to use my own machine so I am more prepped for PNPT with tools on my device.

    10.129.1.88

    Since I’m using my own device I wanted to start using rustscan. Doesn’t look like this is on Kali rolling so I downloaded that first. Unzipped it and confirmed download.

    Now onto the box.

    Scanned the machine with rustscan and ran nmap switches against open ports.

    Ports 80 and 2222 are open. Let’s check out the webserver as 2222 looks like SSH. We get a silly little webpage there.

    I don’t see anything in source code or robots.txt. I downloaded the image as the image might have something useful and also started a directory busting scan with dirb.

    I always just use dirb for low hanging fruit. I’m not sure if this is efficient or if I should just run an in-depth directory busting scan, but I think over time I’ll find patterns. I ran exiftool on the image but it’s definitely an image and nothing important looks to be here.

    Dirb found nothing.

    Kicked off gobuster instead but that didn’t find anything.

    Ran binwalk on the image but found nothing.

    Tried checking for possible subdomains but that also did not find anything.

    I tried some default credentials on SSH but also was unable to find anything there. Something MUST be on the webserver. Since cgi-bin/ was the only possibly interesting directory I found earlier I tried to see if there were files and turns out there was.

    Checking that file out it’s an uptime script.

    I recall seeing something like this on my eJPT exam with shellshock. Started up msfconsole.

    Searched for shellshock. I’m pretty confident this is what the machine wants us to do, especially given the name of the box, but as best practice let’s just use a scanner first.

    Played with setting some options and it does appear it is vulnerable after sending the exploit.

    Moved to the exploit and set my options there.

    Ran it and it looks like we successfully got on!

    Looks like our account is just shelly. I tried upgrading the shell automatically but no luck.

    Let’s just run shell and see what we can find with Linux local enumeration. Looking for low hanging fruit, I ran sudo -l and perl showed up. Checked GTFOBins and we can get root off of it.

    Then we can get our flags.

    Submit User Flag – 

    A: 7d9e07b9c792f4bbd02217823789d38c

    Submit Root Flag – 

    A: 7f447f9333d441f207a9cb5a671c111b

    GG
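    Added example, not from the original writeups, covering the two HTTP-borne footholds above (the PHP 8.1.0-dev backdoor on Knife and Shellshock on Shocker) from the detection side: a Python request-header inspector of the kind a reverse proxy or WAF hook could run. It assumes the known trigger for the PHP backdoor is a request header literally named User-Agentt, and that Shellshock arrives as a header value beginning with "() {"; the sample requests are constructed, not captured from either box.

```python
import re
from typing import Dict, List, Tuple

# Shellshock trigger: a header value that begins with a bash function definition "() {"
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Backdoored PHP 8.1.0-dev keyed on a header spelled "User-Agentt" (assumed known trigger)
BACKDOOR_HEADER = "user-agentt"


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lowercase-keyed header map."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines instead of aborting the whole request
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: str) -> List[str]:
    """Return detection labels for one request; an empty list means nothing matched."""
    _, headers = parse_request(raw)
    findings: List[str] = []
    if BACKDOOR_HEADER in headers:
        # No legitimate client sends this misspelled header, so its presence alone is the signal
        findings.append("php-8.1.0-dev-backdoor-header")
    for name, value in headers.items():
        # CGI exports request headers as environment variables; a vulnerable bash runs what follows "() {"
        if SHELLSHOCK_RE.search(value):
            findings.append(f"shellshock-pattern:{name}")
    return findings


# Constructed sample requests (not captured traffic)
BENIGN = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
BACKDOOR = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodium\r\n\r\n"
SHELLSHOCK = ("GET /cgi-bin/user.sh HTTP/1.1\r\nHost: example.test\r\n"
              "User-Agent: () { :; }; echo probe\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("backdoor", BACKDOOR), ("shellshock", SHELLSHOCK)):
        print(label, inspect_request(req))
```

Both findings are cheap to log at the proxy and are high-confidence: neither header shape has a benign use.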