This was an easy difficulty box, and it involved multiple steps to fully gain root access on the box. Good learning path for:

• Access Control Bypass on Register Function on Webapp
• Laravel Token Unserialize RCE
• Linux Audit
• Composer Privilege Escalation

Initial Recon

Nmap

$ nmap -Pn --open -p- -T4 -sV -sC 10.10.10.215PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000

• HTTP…

This one was an easy-difficulty Windows box. Good learning path for:

• Anonymous FTP Access and Enumeration
• NVMS-1000 Directory Traversal Attack
• SMB Password Guessing (smbclient.py)
• NSClient++ Privilege Escalation

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sC -sV -p- 10.10.10.184PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_01-18-20 11:05AM <DIR> Users | ftp-syst: |_ SYST: Windows_NT 22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0) | ssh-hostkey: | 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA) | 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA) |_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519) 80/tcp open http | fingerprint-strings: | GetRequest, HTTPOptions, RTSPRequest: |…

This one was an easy difficulty box. Good learning path for:

• Login Brute-forcing
• Moodle RCE — Math Formula Abuse
• MySQL DB Enum to Extract Password
• Privilege Escalation via Cronjob

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.153PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Interesting Ports to Note

• HTTP (80/TCP) — Web page for Blackhat High School.

Image Enumeration

Within the homepage, there was another .html page at http://10.10.10.153/gallery.html.

This one was an easy difficulty box. Good learning path for:

• Gym Management System 1.0 RCE
• plink.exe to Port Forward to Bypass Restrictions
• cloudMe.exe BoF Exploit

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.198PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Interesting Ports to Note

• HTTP (8080/TCP) — Web page. Gym Management Software 1.0

The contact page disclosing the version of the application:

This was an easy difficulty box. Good learning path for:

• Source Code Review (Client-side JavaScript Authentication)
• Puzzles — Various Encoding Programming
• Brute-forcing Password Protected .ZIP File
• playSMS Malicious .csv File Upload RCE
• x86 Binary Exploit (NX Enabled; ASLR Disabled; ret2libc Attack)

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sC -sV -p- 10.10.10.111PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA) | 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA) |_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd…

This was an easy difficulty Windows box. Good learning path for:

• File Extension Bypass
• Allowed File Extension Checking (Python Scripting)
• web.config RCE
• Nishang (Invoke-PowerShellTcp.ps1) — Reverse Shell
• Juicy Potato (SeImpersonatePrivilege Abuse)

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sC -sV -p- 10.10.10.93PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Interesting Ports to Note

• HTTP (80/TCP) — IIS 7.5 web server. Main page only contains an image file.

This was an easy difficulty box. Good learning path for:

• OpenSSL Heartbleed Vulnerability
• OpenSSL RSA Private Key Decrypt
• Tmux Running as Root Privilege Escalation

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sV -sC -p- 10.10.10.79PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA) | 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA) |_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) |_http-server-header: Apache/2.2.22 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu)) |_http-server-header: Apache/2.2.22 (Ubuntu) |_http-title: Site doesn't have a…

This was an easy difficulty box. It was pretty easy and straight-forward box. Good learning path for:

• LFI — File Enumeration
• Tomcat JSP Script Exploit
• Password Protected .zip File Abuse
• Linux LXD Container Breakout

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.194PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interesting Ports to Note

• HTTP (80/TCP) — Mega Hosting Web page.