Summary: Initial access to this machine was very easy thanks to a backdoor that the site mentioned. Researching the hacker's handle reveals a GitHub page with a bunch of different PHP backdoors. Once initial access is obtained, the user webadmin is able to run a sudo command as the sysadmin user, which gets us the … Continue reading HTB – Traceback
HTB – Monteverde
Summary: Achieving initial access on this machine was done by enumerating a list of users and using those same users as passwords for a brute-force attack. I took advantage of a sloppy user configured as the typical “admin/admin”. Once access was gained, an XML file was found with credentials for the user. From there the …
HTB – Resolute
Summary: This box was a Windows domain controller that had some relaxed permissions on SMB shares that allowed me to obtain my initial foothold on the machine. After gaining access I enumerated the system and found a user with elevated privileges who also inadvertently left their password in plain text in a transcript file. Once …
HTB – Postman
This box had an interesting way of obtaining initial access by backing up the Redis config to a file. I was able to exploit this and upload/backup an SSH key I generated and add it to the "authorized_keys" on the target box. At that point user-level access was obtained, and the path to root was a simple exploit because the "Webmin" service was running as root.
