Skip to content

Hack The Box: Signed Machine Walkthrough – Medium Difficulity

After escalating to a SYSTEM-level PowerShell reverse shell using xp_cmdshell and a base64-encoded payload that called back to my netcat listener on port 9007, I navigated to the user profile and read the user flag directly with type user.txt.

With full sysadmin rights on the SQL instance as SIGNED\Administrator (thanks to a forged silver ticket with Domain Admins membership), I enabled xp_cmdshell, launched a reverse shell to land SYSTEM access, then grabbed the root flag from

Box fully pwned — domain admin and SYSTEM in the bag!

#HackTheBox #HTBSigned #PenetrationTesting #CyberSecurity #PrivilegeEscalation #ActiveDirectory #RedTeam #CTF #EthicalHacking #OffensiveSecurity

Hack The Box: CodePartTwo Machine Walkthrough – Easy Diffculty

Just finished CodePartTwo on Hack The Box — a fun Easy-rated Linux box that taught me a lot!

Initial access came via a js2py sandbox escape in their online JavaScript code editor (CVE-2024-28397 style prototype chain abuse) → reverse shell as ‘app’.
Post-exploitation: found users.db in /app/instance → quick Python HTTP server exfil → local sqlite3 dump → two MD5 hashes. CrackStation instantly revealed marco’s password (sweetangelbabylove).
Lateral move: SSH as marco → user.txt claimed.

Privesc: sudo -l gave NOPASSWD /usr/local/bin/npbackup-cli. After inspecting npbackup.conf (stdin_from_command hint), I used –external-backend-binary to point to my malicious reverse shell script → root shell → root.txt captured.

Loved how it combined modern sandbox escape with classic sudo misconfig abuse. Solid box for anyone practicing foothold → lateral → root paths.

#HackTheBox #CTF #PenetrationTesting #Cybersecurity #PrivilegeEscalation #SandboxEscape #LinuxPrivilegeEscalation #RedTeamOps #BugBountyHunter #EthicalHacking

Hack The Box: Imagery Machine Walkthrough – Medium Difficulity

Just completed the Imagery machine on Hack The Box (Medium). The challenge involved identifying weaknesses in a custom web application, analysing exposed application logic and data, and chaining these issues to move laterally within the system to gain user-level access. Further investigation highlighted how overlooked privilege boundaries and misconfigured trusted utilities can be abused to escalate privileges and obtain full administrative control.

#HackTheBox #CyberSecurity #WebSecurity #EthicalHacking #PenetrationTesting #PrivilegeEscalation #CTF #InfoSec

Hack The Box: HackNet Machine Walkthrough – Medium Diffucility

Just wrapped up HackNet (Medium difficulty, Hack The Box) — what a ride!
Started with deep web enumeration and uncovered a template injection vulnerability in how dynamic content gets rendered. Crafted a payload, injected it into a user-controlled field, triggered the vulnerable path through a specific page interaction, and extracted sensitive account details that handed me valid SSH credentials as a low-priv user. From there, grabbing the user flag was a clean win.
For privilege escalation, enumeration from the foothold revealed a misconfigured, world-writable file-based cache backend in the Django app. Knowing the framework’s caching behavior and a known deserialization weakness, I built a malicious payload, poisoned the cache location, and triggered RCE as the web user. Further digging exposed encrypted database backups secured by public-key crypto; I obtained the key, cracked its passphrase, decrypted the dumps, and recovered a high-priv credential that let me escalate to root and snag the root flag.

#HackTheBox #Cybersecurity #WebExploitation #PrivEsc #PickleRCE #DjangoSecurity #CTF #PenetrationTesting #OffensiveSecurity #BugBounty

Hack The Box: Previous Machine Walkthrough – Medium Difficulty

🎯 Just rooted the ‘Previous’ machine on Hack The Box!

Started with a Next.js app exposing a path traversal bug in /api/download, leaked /etc/passwd → found user ‘jeremy’, then extracted the NextAuth provider code revealing credentials.

Abused .terraformrc dev_overrides to load a malicious custom provider binary.
Classic NextAuth misconfig + Terraform provider override chain. Loved the creativity!

#HackTheBox #CTF #PrivilegeEscalation #PathTraversal #NextJS #Terraform #CyberSecurity #PenetrationTesting #BugBounty”

Hack The Box: WhiteRabbit Machine Walkthough – Insane Difficulity

Initial access was achieved through exposed monitoring and documentation services, which leaked internal service names and an unauthenticated workflow configuration. This disclosure revealed sensitive secrets, a vulnerable webhook parameter, and ultimately credentials for a backup system. Abuse of misconfigured backup tooling and sudo privileges allowed extraction of private SSH keys, enabling lateral movement across multiple user accounts and retrieval of the user flag.

Privilege escalation to root involved reverse-engineering a custom SUID binary. Analysis exposed a predictable pseudorandom password generator caused by unsafe seeding logic and an integer overflow, significantly reducing entropy. Recreating the binary locally and brute-forcing the constrained seed space yielded valid credentials, granting SSH access to a privileged user with unrestricted sudo rights and full system compromise.

This machine was a strong example of how exposed internal tooling, poor secret handling, and flawed custom binaries can combine into a complete attack chain.

#HackTheBox #CyberSecurity #OffensiveSecurity #PenetrationTesting #RedTeam #PrivilegeEscalation #ReverseEngineering #LinuxSecurity #Infosec #CTF

Hack The Box: Editor Machine Walkthrugh – Easy Difficulity

User access was achieved by enumerating an XWiki instance running on port 8080, identifying its vulnerable version, and exploiting an unauthenticated RCE in the Solr component (CVE-2025-24893). The foothold exposed plaintext database credentials in the XWiki configuration file, which were reused for the system user, allowing a successful SSH login as oliver.

Root access came from a misconfigured Netdata installation. Several root-owned plugins were SUID and group-writable, and oliver belonged to the netdata group. Replacing the ndsudo plugin with a custom SUID payload allowed Netdata to execute it as root, granting full system compromise and the root flag.

#HackTheBox #CyberSecurity #PenetrationTesting #PrivilegeEscalation #EthicalHacking #RedTeam #CTF #XWiki #CVE2025 #Netdata #LinuxSecurity

Impact Assessment: How Guest Access Affects Threat Detection in Office 365

Currently working on a deep-dive into a critical Teams guest access behaviour I discovered during testing.
My research shows how attackers can spin up fresh M365 tenants and completely bypass Defender protections by pulling users into external guests.
I’m documenting the attack flow, detection queries, and practical steps organisations can take to reduce exposure — learning a lot along the way.

#CyberSecurity #LearningInPublic #ThreatResearch #RedTeam #BlueTeam #Microsoft365 #Defender #SecurityCommunity

Hack The Box: Era Machine Walkthrough – Medium Difficulity

Compromising the Era HTB machine involved chaining multiple weaknesses across the web layer and system layer. Initial access was obtained through an IDOR flaw in a file-sharing platform, allowing unrestricted file retrieval by enumerating numeric IDs. Leaked backups exposed source code, plaintext credentials, and an SSH private key, enabling lateral movement as eric. Further analysis uncovered a root-executed integrity-check binary in a world-writable directory. By extracting its signature, injecting it into a backdoored replacement, and waiting for the cron job to trigger, privileged execution was achieved. A resulting callback delivered full root access and allowed retrieval of the final flag.

#HTB #HackTheBox #CyberSecurity #Pentesting #WebSecurity #IDOR #PrivilegeEscalation #LinuxSecurity #RedTeam #CTF #InfoSec

Hack The Box: Mirage Machine Walkthrough – Hard Difficulity

Compromising the Mirage domain started with a simple clue hidden in an exposed NFS share. Inside a PDF report was a missing DNS record—just enough to pivot. By hijacking the DNS entry, I intercepted NATS JetStream traffic and captured real authentication logs, including valid credentials. After fixing the system time and obtaining a Kerberos TGT, I gained my first foothold on the domain controller and captured the user flag.

From there, the path to domain dominance unfolded through Active Directory weaknesses. An SPN ticket leak led to a cracked password, which opened the door to BloodHound reconnaissance and more credentials. I reset a disabled user’s password, extracted a service account’s managed password, and used Certipy to transform certificate abuse into full machine-level impersonation. With Resource-Based Constrained Delegation enabled, I forged Kerberos tickets, dumped every domain hash, and finally authenticated as Administrator—securing the root flag.

#CyberSecurity #PenetrationTesting #Kerberos #ActiveDirectory #RedTeam #HackTheBox #Infosec #PrivilegeEscalation