$ whoami
0xW1LD
$ id
groups=1000(Discord-@w1ld__),1001(HTB Team-OSI)
$ cat README.txt
Hey there! W1LD here,
Founding Member of OSI
Volunteer Moderator for HTB Discord Server
all-around W1ld Card.
os/windows
diff/insane
DarkCorp is running a Roundcube mail service vulnerable to stored XSS, which we use to reset the password of the b.case user on their admin dashboard. The dashboard is vulnerable to SQLi leading to RCE, and the box holds backups containing credentials. We gain access to an internal monitor that can be used to coerce authentication. By coercing authentication from the mail server machine we poison the DNS record and retrieve the admin hash. Dumping passwords for a password spray nets an account with an ACL over another. We use this to abuse the Kerberos relationship between the Linux and AD machines to gather cached credentials. The credentials belong to a GPO manager, which we use to create an account in the local Administrators group and take control of the DC.
os/linux
diff/medium
Previous is running a website built on outdated versions of the React and Next.js frameworks, which allows us to authenticate and view documentation. In the documentation endpoint we exploit a path traversal vulnerability to get credentials for the Next.js application, which the site's admin reuses for remote access. We then exploit our sudo permissions to create a custom Terraform automation that runs a binary of our choosing as root for privilege escalation.
os/linux
diff/insane
Whiterabbit is running a webserver on port 80. Fuzzing revealed an Uptime Kuma app, with /status/temp listing subdomains. Found Gophish and Wiki.js sites with webhook security docs. Exploited SQLi in the webhook endpoint to access a database showing command logs with a restic backup repository and its password. Downloaded the repository containing Bob's SSH keys. SSH'd in, landing in a Docker container with sudo privileges for restic. Used restic to read the root folder with more SSH keys. Accessed the box as Morpheus. Found a password generator binary and recreated its method to generate a password list. Brute-forced into the Neo account, which has root privileges.
os/linux
diff/easy
Editor is running a wiki for a website which is vulnerable to a Server-Side Template Injection leading to Remote Code Execution, giving us a foothold on the machine. We then find a cleartext credential used to connect to the database that is reused by a user on the machine. Finally we locate a Set-User-ID binary which we can influence through PATH poisoning to escalate privileges.
os/linux
diff/medium
Era, on a subdomain, is running a file management service vulnerable to an authenticated IDOR attack that allows an attacker to download site backup files. We extract credentials from a database and determine that PHP wrapper functionality is limited to the admin. Said credentials give us FTP access where we find the available PHP wrappers, one of which is ssh. Using one of the credentials we change the admin's security questions, log in as admin, and then use the parameter with the ssh wrapper to achieve RCE. Once we use the RCE to get a shell on the box we find a writable monitoring binary that is regularly executed by root. However, the binary is signed, so we need to copy its signing data onto the binary we replace it with. Just like that we have root.
diff/hard
os/windows
Mirage is running an Active Directory server where everyone can access a network file share with reports. There are mentions of a missing DNS record which we exploit to gain initial credentials for NATS. We then add a consumer which we use to gain AD credentials. We're able to Kerberoast one of the users. Through this user we read WinLogon credentials. These credentials lead us to another account which we have to activate, changing its logonHours and password. We can then read the gMSA password of the mirage-service computer. Using this computer we exploit ESC10 to obtain the DC's certificate as a PFX file. Using this we give ourselves RBCD through an LDAP shell and dump secrets. Just like that we have root!
os/linux
diff/easy
Outbound is an assumed breach Linux box running Roundcube mail. We authenticate to Roundcube and exploit a recent CVE to gain a foothold on the machine inside a Docker container. We extract credentials from the database and decrypt them using openssl and the encryption key found in a configuration file. Reusing the decrypted password we gain access as a user on the main machine who can run below with sudo. Exploiting another CVE in below we change the permissions of /etc/passwd and create a root user without a password.
os/windows
diff/hard
RustKey is yet another assumed breach scenario wherein NTLM authentication is disabled but an older version of Kerberos is in use. Gathering BloodHound data we identify several targets, the first being it-computer3, which we access through timeroasting. It-computer3 is a member of the helpdesk group, which can add and remove members of the protected objects group and change passwords for several accounts. We remove the IT and support groups and gain access to two additional accounts: BB.MORGAN, who is the user, and EE.REED. We find a memo detailing additional access granted to members of the support team, including EE.REED, on archiving utilities. We take this as a hint to look at the registry DLL paths for 7-Zip, which we can modify to point to an arbitrary DLL. Pointing this at our malicious DLL gives us access as MM.TURNER, whom we use to conduct an RBCD attack.
os/windows
diff/medium
Voleur is yet another Active Directory assumed breach scenario. The user we start with has access to sensitive files that, after cracking their password, provide us credentials for service accounts. The LDAP service account has write access to a support group that contains the WinRM service account, which we can Kerberoast. The same document leads us to a deleted account which we restore and whose credentials give us access to additional shares. We recover backed-up DPAPI secrets and pivot to another user. We find yet another share folder which provides us an SSH key. With this access we find backup files which we use to dump secrets.
diff/easy
os/linux
Artificial is running an AI model hosting site that lets us gain a reverse shell by uploading a malicious h5 model. We find a database with crackable passwords and log in via SSH using gael's credentials. We find Backrest, a frontend for restic that allows us to back up files in /root: we grab the flag and root's SSH key, and use the key to log in to the machine as root.
os/windows
diff/medium
TombWatcher is yet another assumed breach scenario, starting with Henry's credentials. Henry is able to set an SPN for Alfred, so we Kerberoast him. Alfred can, through a long chain of ACLs, gain access to John, our user. Using John we enumerate deleted objects and restore a deleted account called cert_admin. Cert_admin can perform ESC15, which we use to gain access as Administrator.
os/windows
diff/hard
Certificate is running a website about getting certifications. If we register as a student and enrol in a course we can upload a file. There are some filters in place, but a null-byte bypass gets us a shell. We find database credentials, and the database contains the hash for Sara.b. Sara has a pcap file on her desktop with a description noting a failure to find a share. In it we find AS-REQ packets which we use to recreate a crackable krb5-18 hash for Lion.SK. Lion.SK is a member of a group that can issue and revoke certificates. We grab a certificate for Lion.SK, using which we grab a certificate for Ryan.K. Ryan.K has the SeManageVolumePrivilege privilege, which allows us to escalate to root.
os/windows
diff/medium
Puppy is an assumed breach scenario wherein the starting user we're given can add himself to the Developers group. The group has access to the DEV SMB share, which contains a keyfile database backup. One of the credentials in it is for a Remote Management User whose account is currently disabled. Another of the credentials allows us to enable his account and change his password. Just like that we get user. We then find a backups folder storing additional credentials for another Remote Management User. Said user has an admin account and hints towards browser credentials, so we dump DPAPI and get an additional password which works for their admin account. Just like that we have root.
os/windows
diff/easy
Fluffy is yet another assumed breach scenario where we can access an IT SMB share. The share holds an upgrade request PDF listing vulnerabilities found in the environment. One of the vulnerabilities allows us to grab a hash through a zip file extraction. We crack the hash to get to the user p.agila. This user has write permissions on the Service Accounts group, which contains winrm_svc and ca_svc. Once we add the user to the group we perform a shadow credential attack on both service accounts. Winrm_svc has our user flag! Using our permissions as p.agila and ca_svc we change ca_svc's UPN to the Administrator's to request an Administrator certificate. We use this certificate to authenticate as the Administrator, and just like that we have root!
os/linux
diff/easy
Planning is running a public Grafana subdomain with assumed breach credentials. We find an authenticated file read and remote code execution (RCE) vulnerability which gets us a foothold. Cleartext credentials can be found in the environment variables of the Docker instance we land in, which we use to SSH in as enzo. There's a crontab management webservice running as root for which we find cleartext credentials. Using this service we schedule a reverse shell command, and just like that we have root!
os/linux
diff/medium
Environment has an environmental preservation website running Laravel. We find a login page which, when broken, lets us read parts of the code. Using this information we inject a parameter that allows login to the dashboard without credentials. We find we are logged in as Hish and can upload a profile picture. We upload a payload to get a shell using some filter bypasses. In Hish's home folder we find a GPG file and keys which we use to decrypt his password. Hish can run sudo on a script with the BASH_ENV environment variable preserved, which, if changed, allows arbitrary code execution as root.
os/linux
diff/hard
Eureka is running a website and has an open port for Spring Boot Eureka. Looking through the API endpoints we extract a heapdump with credentials for oscar190. Using these credentials we log in to the Eureka dashboard and redirect the application instance *USER-MANAGEMENT-SERVICE* to ourselves to intercept a login for miranda-wise, our user. We see that a certain script runs periodically and takes a log file we can edit as input. Using this we achieve command execution by editing the contents of the log file.
os/windows
diff/medium
We start with a Windows box running Gibbon-LMS, which we find is vulnerable to an arbitrary file write that we use to achieve RCE. Once we have a foothold we locate the database and extract crackable password hashes. We use the recovered passwords to view the site and the posts in the database, where we see a reference to the Recycle Bin. There we find an archive containing config files with an encoded password. We use a password spray to gain a foothold on the AD domain. From this foothold we run BloodHound to find vulnerable ACLs which we follow to gain GPO permissions. We abuse these GPO permissions to create a local admin account, and just like that we have root!
os/linux
diff/easy
Nocturnal runs a webserver on port 80 with a file upload portal. We retrieve Amanda's temporary password from an `.odt` file in the upload directory, log in to her ISPConfig panel account and generate a backup. We download and extract the SQLite database containing user password hashes, crack Tobias' hash and access the system via SSH. We gain root by exploiting a command injection vulnerability in ISPConfig's language editor functionality.
diff/medium
os/linux
Cypher is running a web server with an exposed testing directory containing a jar file. Analyzing the jar file and the site's login page leads us to a Neo4j Cypher injection exploit which, when calling a custom function from the jar file, leads to RCE. Through this we get a reverse shell. Looking through the bash history file we find the user's password. The user is able to run bbot, an OSINT tool, as root. Using this tool we take advantage of debug mode and set a custom YARA file to get an arbitrary file read. We can also write a custom module to achieve code execution as root.
os/windows
diff/hard
Scepter is running Active Directory with an NFS share mounted at /helpdesk that contains certificate files. We use these certificate files to generate a certificate for d.baker and request his TGT. Once we have access to d.baker we find a certificate template vulnerable to ESC9. A.carter has transitive GenericAll over the OU, so we grant him FullControl over the OU d.baker is in to exploit a variation of ESC9 and gain access to h.brown. H.brown can write the altSecurityIdentities of p.adams, which allows us to exploit ESC14. P.adams has DCSync rights over the domain, which we use to dump secrets.
diff/easy
os/linux
Dog is running a dog blog webserver powered by Backdrop CMS, and it also has an exposed git directory. Dumping the git directory we find credentials to log in to Backdrop CMS. We upload a malicious module to gain a foothold. Using the same password we conduct a password spray and find a user we can pivot to. Said user can run bee, a Backdrop command line utility, as root, and we use its post-script function to gain root.
os/linux
diff/medium
Cat is running a website for a cat competition which is vulnerable to XSS. Using this we steal the admin's cookie, which reveals several additional pages. One of the pages is vulnerable to SQLi, through which we grab credentials for users on the machine. Using these credentials we SSH into the machine. Looking at some logs we find another set of credentials and pivot from there. There is a Gitea instance running on the host whose version also contains an XSS vulnerability. Using that vulnerability we read another set of credentials, which belong to root.
os/windows
diff/hard
Haze is running a Splunk version vulnerable to an LFI, which we use to steal a password hash and the Splunk secret needed to decrypt it. Using the password we access two accounts, one being a gMSA manager. We find a machine account in the gMSA list with WriteOwner privileges over the support services group. This group can change passwords for a user on the box, and we use this privilege chain to gain a shell as that user. This user has access to a backups directory containing another Splunk password hash and secret. Decrypting it gives us access as another user with SeImpersonatePrivilege, which we use to gain NT AUTHORITY\SYSTEM.
diff/easy
os/linux
Titanic is running an HTTP server on port 80 on which you can book a trip, which triggers a file download. The file download endpoint is vulnerable to an LFI. Looking around further we find a subdomain running Gitea; using the LFI we download its database and use a script to convert the hashes into a crackable format. There's an image identification script that runs a version of magick which happens to be vulnerable to arbitrary code execution.
os/linux
diff/medium
Backfire is a hackback-scenario Linux box whose users have mistakenly left a file server running on port 8000. It contains a patch file and a yaotl file for the Havoc C2. Using information from these files we find a CVE for unauthenticated SSRF, which we combine with an authenticated RCE through websockets to gain a foothold. We then find HardHat, another C2, which is vulnerable to an authentication bypass. HardHat C2 offers us a direct terminal as Sergej. Sergej can execute iptables and iptables-save as root, which we use as an arbitrary write to place our SSH key in root's directory.
diff/hard
os/linux
Checker is running BookStack and TeamPass on ports 80 and 8080 respectively. TeamPass has an SQLi that leaks credentials we can use to log in. TeamPass holds a couple of credentials for SSH and BookStack. We log in to BookStack and, looking around, find interesting documentation. The BookStack version is vulnerable to an LFI via SSRF, which we use to steal the OTP key for SSH. Logging in over SSH we find that the user has sudo rights on a script used to check for password leaks. Reversing the binary we see that it accesses a shared memory segment; using this we inject malicious code to achieve root.
os/windows
diff/easy
Escape Two is an assumed breach scenario where we start off as Rose. Rose can view an SMB share containing Excel files with additional credentials for SA. SA is a service account for MSSQL where we have access to xp_cmdshell to get a foothold. With this foothold we look around and find a file with a cleartext password which, when sprayed, leads us to Ryan's account. Ryan has WriteOwner over the CA account, which runs the Certificate Authority service. Using the CA service we find a vulnerable certificate template that needs a slight edit for the ESC to work. Once we edit and exploit the template we grab the Administrator's certificate, and just like that we have root!
os/linux
diff/medium
Heal is running a resume builder website with a Ruby on Rails API. We abuse an LFI to gather credentials for another subdomain, LimeSurvey. We use these credentials to conduct an authenticated RCE which gets us a foothold. From this foothold we locate database credentials, which turn out to be the reused password of a user on the box. After that we find a Consul service running as root in a version with an RCE, which we use to escalate privileges.
os/linux
diff/easy
Underpass is running a default Apache website. Checking UDP ports we find that daloRADIUS is running. Looking through the daloRADIUS source we find a couple of login pages and default credentials. Using these credentials we log in to a dashboard and find credentials for svcMosh, which we use to SSH onto the box. svcMosh can run mosh-server as root, which we use to spawn a root terminal.
os/linux
diff/hard
BigBang is running a WordPress website using BuddyForms which is vulnerable to RCE through image deserialization. Using this RCE we establish a reverse shell and find credentials within a database, including a password reused for SSH. We find a Grafana DB endpoint which contains further credentials to pivot to another user. Finally we find an interesting thick web app running as root which is vulnerable to command injection.
diff/hard
os/windows
Vintage is another assumed breach Active Directory box where we're given Olivia's credentials. We use these to enumerate the domain with BloodHound, where we find a pre-Windows 2000 compatible machine. We log in using the machine account, which can read GMSA01, another machine account. We use this account to allow ourselves to AS-REP Roast one of the service accounts. A password spray then shows the password is reused by C.Neri. Checking BloodHound, C.Neri has an admin account whose password we have to read by manually decrypting DPAPI. C.Neri has access to the delegated admins group, so we add SVC_SQL and give it an SPN, using which we impersonate L.Bianchi.adm, who is root.
os/windows
diff/medium
Administrator is running Active Directory and we're provided with initial credentials for the user Olivia. Olivia can change Michael's password, and Michael can change Benjamin's password. Benjamin is a member of Share Moderators, which points us towards file shares; nothing interesting is in SMB, however FTP is open and hosts a backup Password Safe file. Cracking this file gives us Emily's password and access to her account. Emily can write to Ethan; we can't Kerberoast him, so instead we AS-REP Roast him. Ethan has DCSync privileges over the domain, which we use to dump all the hashes.
os/linux
diff/easy
LinkVortex is running a webserver using Ghost CMS, for which we find credentials in the git repository of a subdomain. We use a Ghost CMS exploit that abuses symlinks to read the Ghost configuration files, which nets us the credentials of the user Bob. Bob has permission to run a custom script with sudo which reads and transfers symlinks with some filtering. We can bypass the filtering through a double symlink. Another way to escalate privileges is to exploit a vulnerability in the script that allows code execution through injection via the CHECK_CONTENT variable. Neither of these methods is intended; the intended method is to win the race condition right after the symlink is moved but before it is read, to get another arbitrary file read.
os/linux
diff/hard
BlockBlock is running an online web chat decentralized through a blockchain. We exploit an XSS vulnerability in the web app to gain an admin cookie, with which we interact with the blockchain API to leak credentials. We then use these credentials to log in to the system. We have permission to run forge as another user. Using this privilege we run forge with a malicious build script to gain a shell as that user. This user can run pacman as root, so we install a malicious pacman package to get root's SSH keys.
diff/easy
os/linux
Chemistry is running an HTTP webserver on an unusual port, port 5000. The webpage is a Python-based chemistry CIF analyzer tool. The Python library it uses to parse CIF files is vulnerable to RCE. Using this we upload and execute a reverse shell to get a shell on the system. We then find a database with users and their passwords. One of the passwords belongs to a user on the machine, allowing us to SSH in. As this user we find a monitoring site running as root on port 8080 which uses aiohttp with a vulnerable setting that allows an LFI. We use this LFI to obtain root's SSH keys and SSH into the box.
os/linux
diff/hard
Yummy is running a website for booking a restaurant. The site lets us download an iCalendar file, and that endpoint is vulnerable to an LFI. Using this we download the web files and spot a vulnerability in the Admin dashboard access check. The dashboard is vulnerable to SQLi, which gives us an arbitrary file write. Combining this with the crontab information we get a shell on the box.
diff/easy
os/linux
Nibbles is running a Nibbleblog on port 80, hidden behind the nibbleblog directory. Through a directory fuzz we find an admin panel and log in by guessing the admin password. The site is vulnerable to an authenticated file upload RCE, which we use to get a user shell on the box. After that we find a sudo privilege to run a shell script in a directory where we have write access, which we use to escalate to root.
os/linux
diff/hard
Caption is running a caption portal on port 80 and a GitBucket instance on port 8080. In GitBucket we find credentials for margo which we use to log in. Several pages on this site are vulnerable to stored XSS, through which we steal cookies. However, we are unable to access the downloads directory because of HAProxy, so we must smuggle our request by upgrading to HTTP/2 using h2smuggle. We can then access the downloads directory and find an arbitrary file read, which we use on margo's SSH key. Finally we find the logservice and create a client that we use to execute arbitrary commands as root.