0xW1LD



My HTB Box writeups


About Me

$ whoami
0xW1LD
$ id
groups=1000(Discord-@w1ld__),1001(HTB Team-OSI)
$ cat README.txt

Hey there! W1LD here,
Founding Member of OSI
Volunteer Moderator at the HTB discord server
all-around W1ld Card.

HTB

Cypher by Techromancer

2025-07-26 written by 0xW1LD

diff/medium 

os/linux 


Cypher runs a web server with an exposed testing directory that contains a jar file. Analysing the jar and the site's login page leads to a Neo4j Cypher injection; using the injection to call a custom function shipped in the jar gives RCE, and with it a reverse shell. The user's password is sitting in a bash history file. That user can run bbot, an OSINT tool, as root. In debug mode bbot accepts a custom YARA file, which turns into an arbitrary file read; writing a custom bbot module gives code execution as root.

Scepter by Emsec

2025-07-19 written by 0xW1LD

os/windows 

diff/hard 


Scepter runs Active Directory and exports an NFS share, mounted at /helpdesk, that contains certificate files. We use these to build a certificate for d.baker and request a TGT as him. As d.baker we find a certificate template vulnerable to ESC9. a.carter has GenericAll over the OU (inherited through group membership), so we grant him full control over the OU that holds d.baker and exploit a variant of ESC9 to gain access to h.brown. h.brown can write the altSecurityIdentities attribute of p.adams, which allows us to exploit ESC14. p.adams has DCSync rights over the domain, which we use to dump the secrets.

Dog by FisMathack

2025-07-12 written by 0xW1LD

diff/easy 

os/linux 


Dog runs a dog blog on Backdrop CMS and exposes its .git directory. Dumping the repository yields credentials that log us in to Backdrop, where uploading a malicious module gives a foothold. Spraying the same password across the local users finds one we can pivot to. That user can run bee, a Backdrop command-line utility, as root, and its post-script function gets us a root shell.

Cat by FisMathack

2025-07-05 written by 0xW1LD

os/linux 

diff/medium 


Cat hosts a website for a cat competition that is vulnerable to XSS. With it we steal the admin's cookie, which reveals several additional pages. One of them is vulnerable to SQLi, through which we grab credentials for users on the machine and SSH in. Some log files expose another set of credentials, and we pivot from there. Gitea also runs on the host, in a version with an XSS vulnerability of its own; exploiting it lets us read one more set of credentials, this time root's.

Haze by EmSec

2025-06-28 written by 0xW1LD

os/windows 

diff/hard 


Haze runs a Splunk version vulnerable to an LFI, which we use to read a password hash together with the splunk.secret needed to decrypt it. The recovered password works for two accounts, one of which manages gMSAs. Enumerating the gMSAs turns up a machine account with WriteOwner over the Support Services group, and that group can change the password of a user on the box; chaining these privileges gives us a shell as that user. The user can read a backups directory holding another Splunk password hash and secret. Decrypting it gets us a further user who holds SeImpersonatePrivilege, which we use to become NT AUTHORITY\SYSTEM.

Titanic by ruycr4ft

2025-06-21 written by 0xW1LD

diff/easy 

os/linux 


Titanic serves an HTTP site on port 80 where booking a trip triggers a file download. The download endpoint is vulnerable to an LFI. Further enumeration reveals a subdomain running Gitea; with the LFI we download its database, and a small script rewrites the stored hashes into a format a cracker accepts. An image identification script on the box runs a magick version vulnerable to arbitrary code execution.
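The hash-conversion step, as an added example that is not part of the original writeup or of Gitea's own code. It assumes a Gitea user row with the passwd and salt columns stored as hex (the salt decoded to raw bytes before hashing) and passwd_hash_algo of the form pbkdf2$<iterations>$<keylen>, and it emits the sha256:<iter>:<b64 salt>:<b64 digest> line that hashcat mode 10900 (PBKDF2-HMAC-SHA256) consumes. The sample row is constructed locally so the round trip can be checked offline:

```python
import base64
import binascii
import hashlib

# Assumed defaults for a bare "pbkdf2" algo string; newer Gitea rows spell the
# parameters out as "pbkdf2$50000$50".
DEFAULT_ITERATIONS = 50000
DEFAULT_KEYLEN = 50


def parse_algo(algo: str) -> tuple:
    """'pbkdf2$50000$50' -> (50000, 50). Anything but pbkdf2 is rejected."""
    parts = algo.split("$")
    if parts[0] != "pbkdf2":
        raise ValueError("unsupported passwd_hash_algo: %s" % algo)
    iterations = int(parts[1]) if len(parts) > 1 else DEFAULT_ITERATIONS
    keylen = int(parts[2]) if len(parts) > 2 else DEFAULT_KEYLEN
    return iterations, keylen


def gitea_to_hashcat(passwd_hex: str, salt_hex: str, algo: str) -> str:
    """Rewrite one user row as a hashcat -m 10900 line."""
    iterations, _ = parse_algo(algo)
    salt = binascii.unhexlify(salt_hex)      # assumption: salt column is hex
    digest = binascii.unhexlify(passwd_hex)  # passwd column is hex
    return "sha256:%d:%s:%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def make_record(password: str, salt: bytes, algo: str):
    """Produce the (passwd_hex, salt_hex) pair a Gitea row would hold (assumed layout)."""
    iterations, keylen = parse_algo(algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, keylen)
    return dk.hex(), salt.hex()


def check_candidate(hashcat_line: str, candidate: str) -> bool:
    """What the cracker does for one guess: recompute the KDF and compare."""
    _, iterations, salt_b64, digest_b64 = hashcat_line.split(":")
    salt = base64.b64decode(salt_b64)
    digest = base64.b64decode(digest_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations), len(digest))
    return dk == digest


# Constructed sample row; not data from the box.
SAMPLE_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_ALGO = "pbkdf2$50000$50"
SAMPLE_PASSWD_HEX, SAMPLE_SALT_HEX = make_record("correct horse", SAMPLE_SALT, SAMPLE_ALGO)
SAMPLE_LINE = gitea_to_hashcat(SAMPLE_PASSWD_HEX, SAMPLE_SALT_HEX, SAMPLE_ALGO)

if __name__ == "__main__":
    # Lines like this go into a file for: hashcat -m 10900 hashes.txt wordlist
    print(SAMPLE_LINE)
    print(check_candidate(SAMPLE_LINE, "correct horse"), check_candidate(SAMPLE_LINE, "wrong"))
```

If a dumped row carries a different iteration count or key length in passwd_hash_algo, the converter picks those up from the string rather than assuming the defaults, which is the usual reason a first cracking attempt on Gitea hashes fails.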

Backfire by hyperreality & chebuya

2025-06-07 written by 0xW1LD

os/linux 

diff/medium 


Backfire is a hack-back scenario: a Linux box whose users have mistakenly left a file server running on port 8000. It serves a patch file and a yaotl file for Havoc C2. Information from those files points to a CVE for an unauthenticated SSRF, which we chain with an authenticated RCE over WebSockets to gain a foothold. From there we find HardHat, a second C2, vulnerable to an authentication bypass; HardHat C2 hands us a direct terminal as sergej. sergej can run iptables and iptables-save as root, which we turn into an arbitrary file write and use to drop our SSH key into root's home directory.

Checker by 0xyassine

2025-05-31 written by 0xW1LD

diff/hard 

os/linux 


Checker runs BookStack on port 80 and TeamPass on port 8080. TeamPass has an SQLi that leaks credentials we can log in with, and its vault holds a couple of credentials for SSH and BookStack. Logging in to BookStack we find interesting documentation. The BookStack version is vulnerable to an LFI via SSRF, which we use to steal the OTP key that SSH requires. Once on the box, the user has sudo rights on a binary that checks for leaked passwords. Reversing it shows that it reads from a shared memory segment; by planting malicious content there we get code execution as root.

EscapeTwo by ruycr4ft & Llo0zy

2025-05-24 written by 0xW1LD

os/windows 

diff/easy 


EscapeTwo is an assumed-breach scenario where we start off as rose. rose can read an SMB share containing Excel files that hold additional credentials, including those of sa, the MSSQL service account. With sa we can run xp_cmdshell to get a foothold. Looking around from there we find a file with a cleartext password, and spraying it leads us to ryan's account. ryan has WriteOwner over the account running the Certificate Authority service. Through the CA we find a certificate template that needs a slight edit before the ESC technique works; once edited and exploited, it gives us the Administrator's certificate, and just like that we have Administrator.

Heal by rajHere

2025-05-16 written by 0xW1LD

os/linux 

diff/medium 


Heal runs a resume builder website backed by a Ruby on Rails API. An LFI in the API lets us gather credentials for another subdomain running LimeSurvey. With those credentials we trigger an authenticated RCE in LimeSurvey for a foothold. From there we locate database credentials, which turn out to be the reused password of a user on the box. Finally we find a Consul service running as root in a version with an RCE, which we use to escalate privileges.

Underpass by dakkmaddy

2025-05-10 written by 0xW1LD

os/linux 

diff/easy 


Underpass runs a default Apache site. Scanning UDP ports reveals that daloRADIUS is running. Looking through the daloRADIUS source we find a couple of login pages and default credentials. Those log us in to a dashboard where we find credentials for svcMosh, which we use to SSH to the box. svcMosh can run mosh-server as root, which we use to spawn a root terminal.

BigBang by ruycr4ft & lavclash75

2025-05-03 written by 0xW1LD

os/linux 

diff/hard 


BigBang runs a WordPress site using the BuddyForms plugin, which is vulnerable to RCE through deserialization in its image handling. With this RCE we establish a reverse shell and find credentials in a database, one of which is a reused SSH password. A Grafana database on the box holds further credentials that let us pivot to another user. Finally we find an interesting thick web app running as root that is vulnerable to command injection.

Vintage by Geiseric

2025-04-26 written by 0xW1LD

diff/hard 

os/windows 


Vintage is another assumed-breach Active Directory box; we are given Olivia's credentials. Enumerating the domain with BloodHound reveals a pre-Windows 2000 compatible computer account. Logging in with that machine account lets us read the password of gMSA01, another machine account. We use gMSA01 to make one of the service accounts AS-REP roastable and roast it. A password spray then shows the cracked password is reused by C.Neri. BloodHound shows C.Neri also has an admin account, whose password we recover by manually decrypting DPAPI-protected credentials. C.Neri's admin account can manage the delegated admins group, so we add SVC_SQL to it, give SVC_SQL an SPN, and use that to impersonate L.Bianchi.adm, the account that gets us full control of the box.

Administrator by nirza

2025-04-20 written by 0xW1LD

os/windows 

diff/medium 


Administrator runs Active Directory and we are provided with initial credentials for the user Olivia. Olivia can change Michael's password, and Michael can change Benjamin's. Benjamin is a member of Share Moderators, which hints at file shares; SMB holds nothing interesting, but FTP is open and hosts a backup of a Password Safe database. Cracking that file yields Emily's password. Emily has write access over Ethan; we cannot Kerberoast him, so we AS-REP roast him instead. Ethan has DCSync rights over the domain, which we use to dump all the hashes.

linkvortex by 0xyassine

2025-04-13 written by 0xW1LD

os/linux 

diff/easy 


LinkVortex runs a Ghost CMS site whose credentials we find in a git repository on a subdomain. A Ghost CMS exploit that abuses symlinks lets us read Ghost's configuration, which gives us the credentials of the user Bob. Bob can run a custom script with sudo that reads and transfers symlinks with some filtering. The filter can be bypassed with a double symlink. Another route is a vulnerability in the script that allows code execution through injection via the CHECK_CONTENT variable. Neither of these is intended; the intended method is to win the race condition between the symlink being moved and being read, which gives another arbitrary file read.
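The double-symlink bypass, as a generic added illustration rather than the box's script or any code from the writeup. It assumes a filter that refuses links whose target starts with a forbidden prefix (here /root/ and /etc/, chosen for the example) and shows why a check that inspects only the immediate link target is beaten by a second link pointing at the first, while resolving the full chain is not:

```python
import os
import tempfile

# Assumed policy for the example filter: refuse links that point into these trees.
FORBIDDEN_PREFIXES = ("/root/", "/etc/")


def naive_check(link: str) -> bool:
    """Allow unless the link's *immediate* target starts with a forbidden prefix.
    This is the flawed pattern: it looks exactly one hop."""
    target = os.readlink(link)
    return not target.startswith(FORBIDDEN_PREFIXES)


def resolved_check(link: str) -> bool:
    """Resolve the whole chain first, then apply the same policy."""
    target = os.path.realpath(link)
    return not target.startswith(FORBIDDEN_PREFIXES)


def build_chain(workdir: str, final_target: str = "/etc/hostname"):
    """direct -> /etc/hostname and hop -> direct (a relative link).
    Opening hop ends up at /etc/hostname even though hop itself only names 'direct'."""
    direct = os.path.join(workdir, "direct")
    hop = os.path.join(workdir, "hop")
    os.symlink(final_target, direct)
    os.symlink("direct", hop)
    return direct, hop


def demo() -> dict:
    """Run both checks against both links in a scratch directory."""
    with tempfile.TemporaryDirectory() as workdir:
        direct, hop = build_chain(workdir)
        return {
            "direct_naive": naive_check(direct),   # blocked: target is /etc/hostname
            "hop_naive": naive_check(hop),         # allowed: target is just "direct"
            "hop_resolved": resolved_check(hop),   # blocked: realpath sees /etc/hostname
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "allowed" if allowed else "blocked")
```

The same reasoning applies to any filter built on os.readlink or readlink without -f: it sees the first hop only, so the fix is to resolve with os.path.realpath (or readlink -f) before comparing, and to do the comparison on the resolved path of the file that will actually be opened.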

Blockblock by MrR3boot

2025-03-29 written by 0xW1LD

os/linux 

diff/hard 


BlockBlock runs an online web chat that is decentralized over a blockchain. An XSS vulnerability in the web app gives us an admin cookie, with which we can query the blockchain API and leak credentials. Those credentials log us in to the system. We have permission to run forge as another user; running forge with a malicious build script gives a shell as that user. That user can run pacman as root, so we install a malicious pacman package to obtain root's SSH keys.

Chemistry by FisMatHack

2025-03-08 written by 0xW1LD

diff/easy 

os/linux 


Chemistry runs an HTTP server on the non-standard port 5000. The site is a Python-based CIF analyzer, and the Python library it uses to parse CIF files is vulnerable to RCE. With that we upload and execute a reverse shell. On the box we find a database of users and their password hashes; one of the passwords belongs to a local user, which lets us SSH in. As that user we find a monitoring site on port 8080 running as root on aiohttp, configured with a vulnerable setting that allows an LFI. We use the LFI to read root's SSH key and SSH in as root.

Yummy by LazyTitan33

2025-02-25 written by 0xW1LD

os/linux 

diff/hard 


Yummy runs a restaurant booking website. The site lets us download an iCalendar file, and the endpoint that serves it is vulnerable to an LFI. With the LFI we download the web application's source and spot a flaw that grants access to the admin dashboard. The dashboard is vulnerable to SQLi, which gives us an arbitrary file write. Combined with what the crontab reveals, that gets us a shell on the box.

Nibbles by mrb3n

2025-02-14 written by 0xW1LD

diff/easy 

os/linux 


Nibbles runs Nibbleblog on port 80, hidden behind the nibbleblog directory. Directory fuzzing finds an admin panel, and we log in by guessing the admin password. The site is vulnerable to an authenticated file upload RCE, which gives us a user shell. We then find a sudo rule that runs a shell script from a directory we can write to, which we use to escalate to root.

Caption by MrR3boot

2025-02-08 written by 0xW1LD

os/linux 

diff/hard 


Caption runs a caption portal on port 80 and a GitBucket instance on port 8080. In GitBucket we find credentials for margo, which log us in to the portal. Several pages on the portal are vulnerable to stored XSS, which we use to steal cookies. HAProxy blocks access to the downloads directory, so we smuggle our request past it by upgrading the connection to HTTP/2 with h2smuggle. That gets us into the downloads directory, where an arbitrary file read lets us grab margo's SSH key. Finally we find the logservice and write a client for it that executes arbitrary commands as root.