0xW1LD

About Me

$ whoami
0xW1LD
$ id
groups=1000(Discord-@w1ld__),1001(HTB Team-OSI)
$ cat README.txt
Hey there! W1LD here,
Founding Member of OSI
Volunteer Moderator for HTB Discord Server
all around W1ld Card.

HTB

Certificate by Spectra199

2025-10-04 written by 0xW1LD

os/windows 

diff/hard 


Certificate is running a website on getting certifications. If we register as a student and enrol in a course we can upload a file. There are some filters in place, but by using a null-byte bypass we can get a shell. We can find database credentials, and the database contains the hash for Sara.b. Sara has a pcap file on her desktop, with a description that notes a failure to find a share. We can find AS-REQ packets which we can use to recreate a krb5-18 hash for Lion.SK which is crackable. Lion.SK is a member of a group that can issue and revoke certificates. We grab a certificate for Lion.SK, and using that we grab a certificate for Ryan.K. Ryan.K has the privilege SeManageVolumePrivilege which allows us to escalate to root.

Puppy by tr3nb0lone

2025-09-27 written by 0xW1LD

os/windows 

diff/medium 


Puppy is an assumed breach scenario wherein the user whose starting credentials we're given can add himself to the Developers group. The group has access to the DEV SMB share which contains a keyfile database backup. One of these credentials is for a Remote Management User whose account is currently disabled. One of the other credentials provided allows us to enable his account and change his password. Just like that we get user. We find a backups folder storing additional credentials for another Remote Manager User. Said user has an admin account and hints towards browser credentials, so we dump DPAPI and get an additional password which works for their admin account. Just like that we have root.

Fluffy by ruycr4ft

2025-09-20 written by 0xW1LD

os/windows 

diff/easy 


Fluffy is yet another assumed breach scenario where we can access an IT SMB share. The share highlights an upgrade request PDF listing vulnerabilities found in the environment. One of the vulnerabilities allows us to grab a hash through a zip file extraction. We can crack the hash to get to the user p.agila. This user has Write permissions on the Service Accounts group which contains winrm_svc and ca_svc. Once we add the user to the group we're able to do a shadow credential attack on both these service accounts. Winrm_svc has our user flag! Using our permissions as p.agila and ca_svc we're able to change ca_svc's UPN to the Administrator one to request an administrator certificate. We can use this certificate to authenticate as the Administrator, and just like that we have root!

Planning by FisMatHack & d00msl4y3r

2025-09-13 written by 0xW1LD

os/linux 

diff/easy 


Planning is running a public Grafana subdomain with assumed breach credentials. We find an authenticated file read and remote code execution (RCE) vulnerability which gets us a foothold. Cleartext credentials can be found in the environment variables of the Docker instance we're in, which we can use to SSH as enzo. There's a crontab management web service running as root for which we can find the cleartext credentials. Using this service we can schedule a reverse shell command and just like that we have root!

Environment by coopertim13

2025-09-06 written by 0xW1LD

os/linux 

diff/medium 


Environment has an environmental preservation website running Laravel. We find a login page which, if broken, allows us to read parts of the code. Using this information we inject a parameter allowing login to the dashboard without credentials. We find we are logged in as Hish, and can upload a profile picture. We upload a payload to get a shell using some filter bypasses. In Hish's home folder we find a gpg file and keys which we can use to decrypt his password. Hish can run sudo on a script with a preserved BASH_ENV environment variable which, if changed, allows arbitrary code execution as root.

Eureka by Spectra199

2025-08-31 written by 0xW1LD

os/linux 

diff/hard 


Eureka is running a website and has an open port to Spring Boot Eureka. Looking through endpoints of the API we're able to extract a heapdump with credentials for oscar190. Using these credentials we login to the Eureka dashboard and redirect the application instance *USER-MANAGEMENT-SERVICE* to ourselves to intercept a login for miranda-wise, our user. We can see that a certain script runs every so often which takes a log file we can edit as input. Using this we can do command execution by editing the contents of the log file.

The Frizz by 0xPizzaCat

2025-08-30 written by 0xW1LD

os/windows 

diff/medium 


We start with a Windows box running Gibbons-LMS which we find is vulnerable to an arbitrary file write which we can use to upload an RCE. Once we get a foothold we locate the database and extract crackable password hashes. We use the found passwords to view the site. We can also see the posts in the database, where we see a reference to the RecycleBin. We can find an archive containing config files with an encoded password. We utilize a password spray to gain a foothold onto the AD domain. From this foothold on the domain we can run BloodHound to find vulnerable ACLs which we can follow to gain GPO permissions. We abuse these GPO permissions to create a local admin account and just like that we have root!

Nocturnal by FisMatHack

2025-08-29 written by 0xW1LD

os/linux 

diff/easy 


Nocturnal runs a webserver on port 80 with a file upload portal. Retrieved Amanda’s temporary password from an `.odt` file in the upload directory. Logged into her ISPConfig panel account and generated a backup. Downloaded and extracted the SQLite database containing user password hashes. Cracked Tobias’ hash and accessed the system via SSH. Gained root access by exploiting a command injection vulnerability in ISPConfig’s language editor functionality.

Cypher by Techromancer

2025-07-26 written by 0xW1LD

diff/medium 

os/linux 


Cypher is running a web server which has an exposed testing directory which contains a jar file. Analyzing the jar file and the login page on the site leads us to a neo4j cypher injection exploit which, when calling a custom function in the jar file, leads to RCE. Through this we are able to get a reverse shell. Looking through the bash history file we find the password of the user. The user is able to run bbot, an OSINT script, as root. Using this script we can take advantage of debug mode and set a custom YARA file to get an arbitrary file read. We can also write a custom module to achieve code execution as root.

Scepter by Emsec

2025-07-19 written by 0xW1LD

os/windows 

diff/hard 


Scepter is running Active Directory with an NFS share mounted to /helpdesk. We use these certificate files to generate a certificate for d.baker to request his TGT. Once we have access to d.baker we find a certificate template vulnerable to ESC9. A.carter has transitive GenericAll over the OU, so we grant him full control over the OU which d.baker is in to exploit a derivation of ESC9 and gain access to h.brown. H.brown can write altSecurityIdentities of p.adams which allows us to exploit ESC14. P.adams has DCSync rights over the domain which we use to dump secrets.

Dog by FisMathack

2025-07-12 written by 0xW1LD

diff/easy 

os/linux 


Dog is running a dog blog webserver run by Backdrop CMS; it also has an exposed git directory. Dumping the git directory we can find credentials we can use to log in to Backdrop CMS. We can upload a malicious module to gain a foothold. Using the same password we found we conduct a password spray and find a user we can pivot to. Said user has access to run bee, a Backdrop command line utility, as root; we can use the post-script function to gain root.

Cat by FisMathack

2025-07-05 written by 0xW1LD

os/linux 

diff/medium 


Cat is running a website for a cat competition which is vulnerable to an XSS injection. Using this we are able to steal the admin's cookie, which reveals several additional pages. One of the pages is vulnerable to an SQLi using which we can grab credentials for users on the machine. Using these credentials we are able to SSH into the machine. Looking at some logs we are able to find another set of credentials and pivot from there. There is a Gitea webpage running on the host, and its version also contains an XSS vulnerability. Using the vulnerability we are able to read another set of credentials which belong to root.

Haze by EmSec

2025-06-28 written by 0xW1LD

os/windows 

diff/hard 


Haze is running a Splunk version vulnerable to an LFI which can be used to steal a password hash and the Splunk secret to decrypt the hash. Using the password, we access two accounts, one being a GMSA manager. We find a machine account in MSA's list with write owner privileges over the support services group. This group can change passwords for a user on the box. We use this privilege chain to gain a shell as that user. This user has access to a backups directory containing another Splunk password hash and secret, which we decrypt to gain access as another user with SeImpersonate privileges, which we use to gain NT SYSTEM.

Titanic by ruycr4ft

2025-06-21 written by 0xW1LD

diff/easy 

os/linux 


Titanic is running an HTTP server on port 80 in which you can book a trip which triggers a file download. The file download endpoint is vulnerable to an LFI. Looking around further we can find a subdomain which is running Gitea. Using the LFI we download the database and use a script to modify the hashes to become crackable. There's an image identification script that runs a magick version that happens to be vulnerable to an arbitrary code execution.

Backfire by hyperreality & chebuya

2025-06-07 written by 0xW1LD

os/linux 

diff/medium 


Backfire is a hackback scenario Linux box which is still running a file server on port 8000 by mistake of the users. It contains a patch file and a yaotl file for Havoc C2. Using information from these files we can find a CVE for unauthenticated SSRF, which we combine with an authenticated RCE through websockets to gain a foothold. We can now find Hardhat, another C2, which is vulnerable to an authentication bypass. Hardhat C2 offers us a direct terminal as Sergej. Sergej is able to execute iptables and iptables-save as root, which we are able to use as an arbitrary write to write our SSH key to the root directory.

Checker by 0xyassine

2025-05-31 written by 0xW1LD

diff/hard 

os/linux 


Checker is running BookStack and TeamPass on ports 80 and 8080 respectively. TeamPass has an SQLi where we can leak credentials which we can use to log in. TeamPass contains a couple of credentials for SSH and BookStack. We log in on BookStack and looking around we find interesting documentation. The version of BookStack is vulnerable to an LFI via SSRF which we can use to steal the OTP key for SSH. Logging into SSH we find that the user has superuser privileges to a script that is used to check for a password leak. Reversing the binary we see that it accesses a shared memory address; using this we can inject malicious code to achieve root.

EscapeTwo by ruycr4ft & Llo0zy

2025-05-24 written by 0xW1LD

os/windows 

diff/easy 


EscapeTwo is an assumed breach scenario where we start off as Rose. Rose is able to view an SMB share that contains Excel files which contain additional credentials for SA. SA is a service account running MSSQL, where we have access to xp_cmdshell to get a foothold. With this foothold we can look around and find a file with a cleartext password which, when password spraying, leads us to Ryan's account. Ryan has a WriteOwner ACL over the CA account, which is the Certificate Authority service. Using the CA service we find a vulnerable certificate template that needs a slight edit for the ESC to work. Once we edit and exploit the template we're able to grab the Administrator's certificates and just like that we have root!

Heal by rajHere

2025-05-16 written by 0xW1LD

os/linux 

diff/medium 


Heal is running a resume builder website with Ruby on Rails as an API. We can abuse an LFI to gather credentials for another subdomain, Lime Survey. We can use these credentials to conduct an authenticated RCE which gets us a foothold. We use this foothold to locate database credentials which we discover reuse the password of a user on the box. After that we can find a consul service running as root, using a version with an RCE which we can use to escalate privileges.

Underpass by dakkmaddy

2025-05-10 written by 0xW1LD

os/linux 

diff/easy 


Underpass is running a default Apache website. If we check UDP ports we find that daloradius is running. Looking through the source of daloradius we find a couple of login pages and default credentials. Using these credentials we log in to a dashboard and find credentials for svcMosh. We use his credentials to SSH onto the box. svcMosh can run Mosh-server as root which we can use to spawn a root terminal.

BigBang by ruycr4ft & lavclash75

2025-05-03 written by 0xW1LD

os/linux 

diff/hard 


BigBang is running a WordPress website using buddy forms which is vulnerable to RCE through image deserialization. Using this RCE we can establish a reverse shell which allows us to find credentials within a database with a reused password for SSH. We find a GrafanaDB endpoint which contains further credentials to pivot to another user. Finally we find an interesting thick web app running as root which is vulnerable to command injection.

Vintage by Geiseric

2025-04-26 written by 0xW1LD

diff/hard 

os/windows 


Vintage is another assumed breach Active Directory box where we're given Olivia's credentials. We use these to enumerate the domain using BloodHound, where we'll find a pre-2000 compatible Windows machine. We log in using the machine account, which can read GMSA01, which is another machine account. We use this account to allow ourselves to AS-REP Roast one of the service accounts. After that we find, through a password spray, that the password is reused by C.Neri. Checking BloodHound, C.Neri has an admin account for which we manually have to decrypt the DPAPI to read the password. C.Neri has access to the delegated admins group, so we add SVC_SQL and give it an SPN using which we can impersonate L.Bianchi.adm who is root.

Administrator by nirza

2025-04-20 written by 0xW1LD

os/windows 

diff/medium 


Administrator is running Active Directory and we're provided with initial credentials for the user Olivia. We can use Olivia to change Michael's password, who can change Benjamin's password. Benjamin is a member of Share Moderators which hints us towards file shares. There is nothing interesting in SMB; however, FTP is open and is hosting a backup passwordsafe file. Cracking this file we gain access to Emily through her password located in the file. Emily can write Ethan; however, we can't Kerberoast him so instead we ASREPRoast him. Ethan has DCSync privileges over the domain so we use those to dump all the hashes.

linkvortex by 0xyassine

2025-04-13 written by 0xW1LD

os/linux 

diff/easy 


LinkVortex is running a webserver using Ghost CMS, the credentials for which we can find in the git repository of a subdomain. We utilize a Ghost CMS exploit that uses symlinks to read the configuration files of Ghost, which nets us the credentials of user Bob. Bob has permission to run a custom script with sudo which reads and transfers symlinks with some filtering. We can bypass the filtering through a double symlink. Another way we can escalate privileges is through exploiting a vulnerability in the script that allows code execution through injection via the CHECK_CONTENT variable. Neither of these methods is intended; the intended method is to just fight the race condition right after the symlink is moved but before it is read to get another arbitrary file read.

Blockblock by MrR3boot

2025-03-29 written by 0xW1LD

os/linux 

diff/hard 


Blockblock is running an online web chat decentralized through blockchain. We can exploit an XSS vulnerability in the web app to gain an admin cookie, from which we can interact with the blockchain API to leak credentials. We can then use these credentials to log in to the system. We have permissions to run forge as another user. Using this privilege we run forge with a malicious build script to gain a shell as that user. This user has access to run pacman as root, so we use this to install a malicious pacman package to get the SSH keys of root.

Chemistry by FisMatHack

2025-03-08 written by 0xW1LD

diff/easy 

os/linux 


Chemistry is running an HTTP webserver on a strange port, port 5000. The webpage is a chemistry CIF analyzer tool using Python. The Python libraries that it uses to parse the CIF files are vulnerable to an RCE vulnerability. Using this we can upload and execute a reverse shell to get a shell on the system. We can then find a database with users and their passwords. One of the passwords belongs to a user on the machine, allowing us to SSH into the machine. As User we find a monitoring site running as root on port 8080 which is running aiohttp with a vulnerable setting that allows for an LFI. We can use this LFI to gain root's SSH keys and SSH into the box.

Yummy by LazyTitan33

2025-02-25 written by 0xW1LD

os/linux 

diff/hard 


Yummy is running a website for booking a restaurant. The site allows us to download an iCalendar file, the endpoint of which is vulnerable to an LFI. Using this we're able to download the web files and spot a vulnerability with accessing the Admin dashboard. The dashboard is vulnerable to SQLi which gives us an Arbitrary file write vulnerability. Mixing this with the crontab information we're able to get a shell on the box.

Nibbles by mrb3n

2025-02-14 written by 0xW1LD

diff/easy 

os/linux 


Nibbles is running a nibble blog on port 80 which is hidden behind the nibbleblog directory. Through a directory fuzz we can find an admin panel and are able to login through guessing the admin password. The site is vulnerable to an authenticated file upload RCE which we use to get user shell on the box. After which we find a vulnerable privilege to run a shell script in a directory where we have write access which we can use to escalate to root.

Caption by MrR3boot

2025-02-08 written by 0xW1LD

os/linux 

diff/hard 


Caption is running a caption portal on port 80 and a gitbucket instance on port 8080. In gitbucket we find credentials for margo which we can use to log in. Several pages on this site are vulnerable to a stored XSS. Through this we are able to steal cookies. However, we are unable to access the downloads directory due to haproxy, so we must smuggle our request by upgrading to HTTP/2 using h2smuggle. We can then access the downloads directory and find an arbitrary file read which we use on margo's SSH key. Finally we find the logservice and create a client that we can use to execute arbitrary commands as root.