HackTheBox Fluffy Writeup

Fluffy is an Easy-rated Windows machine and my first box from the new CPTS Preparation Track on HackTheBox. It’s a great box if you want to get hands-on with modern Active Directory attacks. We start from an assumed-breach perspective, inject a crafted .library-ms file via an SMB share to harvest NTLM hashes, and continue by abusing Generic Write privileges through Shadow Credentials. The final step to domain takeover is exploiting an AD CS ESC16 vulnerability.

[Read More]

HackTheBox CodePartTwo Writeup

CodePartTwo is an easy-difficulty Linux machine featuring a web-based JavaScript editor. The core of this challenge revolves around the “Run Code” functionality, a feature that is inherently dangerous if not properly isolated.


🕵️ Enumeration

After spawning the machine and connecting to the VPN, we start with the initial enumeration.


🔍 Initial Nmap Scan

As always, we start by running an initial nmap scan to identify open ports:

[Read More]

HackTheBox Editor Writeup

Editor is an easy Linux machine running a vulnerable version of XWiki that allows unauthenticated remote code execution, providing an initial foothold. Enumeration of the system reveals a misconfigured SUID binary, which can be exploited to escalate privileges and gain root access.


🕵️ Enumeration

After spawning the machine and connecting to the VPN, we start with the initial enumeration.


🔍 Initial Nmap Scan

We begin by running an initial nmap scan with the following command:

[Read More]

HackTheBox Cap Writeup

Cap is an easy-difficulty Linux machine running an HTTP server that performs administrative functions, including network captures. Improper controls result in an Insecure Direct Object Reference (IDOR), giving access to another user’s capture. The capture contains plaintext credentials that can be used to gain a foothold. A Linux capability is then leveraged to escalate to root.


🕵️ Enumeration

After spawning the machine and connecting to the VPN, we start with the initial enumeration.

[Read More]

HackTheBox Optimum Writeup

Optimum is a beginner-level machine which mainly focuses on enumeration of services with known exploits. Both exploits are easy to obtain and have associated Metasploit modules, making this machine fairly simple to complete.


🕵️ Enumeration

After spawning the machine and connecting to the VPN, we start with the initial enumeration.


🔍 Initial Nmap Scan

We begin by running an initial nmap scan with the following command:

nmap -sC -sV -vv -oA nmap/initial_scan <Target-IP>
  • -sC: Default script scan
  • -sV: Service version detection
  • -vv: Verbose output
  • -oA: Output all formats

Nmap reports only port 80 open:

[Read More]