Skip to content

x00tex/hackTheBox

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

HTB Write-ups

Discord  GitHub  Twitter  HackTheBox  HackTheBox  HackerOne 

htb
size

Last update: Mailroom

🐧*nix

Box Difficulty Writeup Foothold Privesc
agile $\textcolor{orange}{\textsf{Medium}}$ Agile LFI Chrome Debug Mode AND Sudoedit CVE-2023-22809
armageddon $\textcolor{green}{\textsf{Easy}}$ armageddon Drupal property injection: Drupalgeddon 2 snap install with sudo
backdoor $\textcolor{green}{\textsf{Easy}}$ Backdoor WP-Plugin:eBook Download 1.1 - LFI/RFI And identifying services with /proc And GDBserver Remote Payload Execution suid: screen
bagel $\textcolor{orange}{\textsf{Medium}}$ Bagel LFI And Reversing DLL And DotNET Object Deserialization dotnet with sudo
bountyHunter $\textcolor{green}{\textsf{Easy}}$ BountyHunter xxe python script logic
busqueda $\textcolor{green}{\textsf{Easy}}$ Busqueda Command Injection Docker inspect config dump
cap $\textcolor{green}{\textsf{Easy}}$ Cap Parameter Manipulation And PCAP file analysis python with setuid capability
CrossFitTwo $\textcolor{yellow}{\textsf{INSANE}}$ ⚠️ CrossFitTwo Websocket And SQL injection: blind/Union And DNS Hijacking And CSRF Node module hijack And Yubikey
developer $\textcolor{red}{\textsf{Hard}}$ Developer Reverse tab-nabbing And Django Deserialization Postgresql Enumeration
devzat $\textcolor{orange}{\textsf{Medium}}$ Devzat Command Injection InfluxDB authentication bypass vulnerability And lfi
Dynstr $\textcolor{orange}{\textsf{Medium}}$ Dynstr ISC BIND DNSserver And Command Injection in Bind API DNS pointer record(PTR) And Wildcard in cp Command
encoding $\textcolor{orange}{\textsf{Medium}}$ encoding LFI and SSRF and PHP filter chain and Git hooks systemctl with sudo
Faculty $\textcolor{orange}{\textsf{Medium}}$ Faculty LFI Command Injection and gdb attach
forge $\textcolor{orange}{\textsf{Medium}}$ Forge SSRF Python pdb Module
forge $\textcolor{orange}{\textsf{Medium}}$ GoodGames SQLi And SSTI Docker escape: Password Reuse And Host mount inside docker
horizontall $\textcolor{green}{\textsf{Easy}}$ Horizontall Improper Access Control And Command Injection Laravel <8.4.2 RCE
inject $\textcolor{green}{\textsf{Easy}}$ Inject Path Traversal in apache maven webApp AND CVE-2022-22963 ansible-playbook
interface $\textcolor{orange}{\textsf{Medium}}$ Interface API fuzzing AND dompdf CVE-2022-28368 Shell Arithmetic Expansion Command Injection
investigation $\textcolor{orange}{\textsf{Medium}}$ Investigation Exiftool CVE-2022-23935 And Windows Event Log Reversing C binary
knife $\textcolor{green}{\textsf{Easy}}$ Knife backdoor php Version knife with sudo
mailroom $\textcolor{red}{\textsf{Hard}}$ Mailroom Blind XSS AND NoSQL injection AND Command Injection Watch feature process and strace AND Open keepass database
meta $\textcolor{green}{\textsf{Easy}}$ Meta exiftool CVE-2021-22204 ImageMagick PDF-parsing flaw And sudo neofetch with XDG_CONFIG_HOME
metatwo $\textcolor{green}{\textsf{Easy}}$ MetaTwo WP-Plugin SQLi CVE-2022-0739 And WP XXE CVE-2021-29447 passpie cracking with john
monitors $\textcolor{red}{\textsf{Hard}}$ Monitors wp-plugin "Spritz" LFI And "cacti" SQLi Stacked Queries to RCE Socat Portforwarding And "ofbiz" Deserialization RCE And Container with SYS_MODULE Capability
monitorsTwo $\textcolor{green}{\textsf{Easy}}$ MonitorsTwo Cacti Unauthenticated RCE CVE-2022-46169 Docker overlay FS
onlyforyou $\textcolor{orange}{\textsf{Medium}}$ Onlyforyou Directory Traversal AND Command Injection AND neo4j Cypher Injection pip3 as root
ophiuchi $\textcolor{orange}{\textsf{Medium}}$ ophiuchi SnakeYAML Deserilization wasm reversing
pandora $\textcolor{green}{\textsf{Easy}}$ Pandora enumerating SNMP And Pandora FMS - SQLi and file upload setresuid() Restriction Bypass
pikaboo $\textcolor{red}{\textsf{Hard}}$ Pikaboo URL parser logic in nginx server And lfi to RCE via ftp log Perl jam: Command Injection
pit $\textcolor{orange}{\textsf{Medium}}$ Pit SNMP Enumeration And Login Form Bruteforce with hydra And SeedDMS RCE Access control list(ACL) And SNMP Extend Command
pollution $\textcolor{red}{\textsf{Hard}}$ Pollution Burp history logs And out-of-band XXE to exfiltrate data And redis php session manipulation And PHP filter chain php-fpm RCE And lodash merge prototype pollution
precious $\textcolor{green}{\textsf{Easy}}$ Precious pdfkit CVE-2022-25765 Ruby YAML deserialization
previse $\textcolor{green}{\textsf{Easy}}$ Previse Blind Command Injection Absolute Path Injection
ready $\textcolor{orange}{\textsf{Medium}}$ Ready gitlab <11.4.8 SSRF via IPv6 And redis server RCE docker container with --privileged
routerspace $\textcolor{green}{\textsf{Easy}}$ RouterSpace Android app dynamic analysis Sudoedit
schooled $\textcolor{orange}{\textsf{Medium}}$ Schooled Moodle LMS Enumeration And XSS in "Moodle" And Privilege Escalation in "Moodle" And Moodle Admin RCE pkg with sudo
scriptKiddie $\textcolor{green}{\textsf{Easy}}$ scriptKiddie command injection msfconsole with sudo
seal $\textcolor{orange}{\textsf{Medium}}$ Seal URL Parser Logic in Apache server ansible-playbook Command with sudo
secret $\textcolor{green}{\textsf{Easy}}$ Secret Webapp source code review And Command injection Core Dump
shibboleth $\textcolor{orange}{\textsf{Medium}}$ Shibboleth ipmi And zabbix mysql 'wsrep_provider' OS Command Execution
sink $\textcolor{yellow}{\textsf{INSANE}}$ ⚠️ Sink http Request Smuggling AWS secretsmanager And AWS kms decrypt
soccer $\textcolor{green}{\textsf{Easy}}$ Soccer Blind SQLi over websocket dstat with doas
socket $\textcolor{orange}{\textsf{Medium}}$ Socket Python byte-codes de-compile AND Websocket SQLi using SQLMAP pyInstaller file read
spectra $\textcolor{green}{\textsf{Easy}}$ Spectra wpadmin reverse shell initctl with sudo
spider $\textcolor{red}{\textsf{Hard}}$ Spider SSTI And SQLi in auth token And Blind restricted SSTI XXE to inject payload in auth token
stocker $\textcolor{green}{\textsf{Easy}}$ Stocker NoSQLi with JSON And PDF XSS Nodejs with sudo
tentacle $\textcolor{red}{\textsf{Hard}}$ Tentacle DNS Enumeration And squid proxy And ffuf with multi-proxy And OpenSMTPD RCE ssh with kerberos token And k5login And kadmin
theNotebook $\textcolor{orange}{\textsf{Medium}}$ theNotebook jwt bypass Breaking Docker via runC
timing $\textcolor{orange}{\textsf{Medium}}$ Timing LFI And Admin role impersonate And File upload RCE wget and axel rc files
Trick $\textcolor{green}{\textsf{Easy}}$ Trick LFI fail2ban Misconfiguration
unicode $\textcolor{orange}{\textsf{Medium}}$ Unicode JWT jku bypass And lfi Python byte-codes decompile And Command injection
unobtainium $\textcolor{red}{\textsf{Hard}}$ Unobtainium reversing Electron application deb package And Prototype Pollution And Command injection Kubernetes And Kubectl And kubernetes admin
writer $\textcolor{orange}{\textsf{Medium}}$ Writer UNION sqli TO file read And RCE using SSRF with smb And Unintended: Command Injection via filename postfix automate scripts And Invoke command with apt Configs

Windows

Box Difficulty Writeup Foothold Privesc
atom $\textcolor{orange}{\textsf{Medium}}$ Atom Electron-Updater RCE Kanban credentials Encryption Flaw
breadcrumbs $\textcolor{red}{\textsf{Hard}}$ Breadcrumbs LFI And File upload to RCE Stickynotes backups And sql injection: union
intelligence $\textcolor{orange}{\textsf{Medium}}$ Intelligence Enumeration And NTLM Relay Attack BloodHound And Reading GMSA Password And Silver ticket Attack
love $\textcolor{green}{\textsf{Easy}}$ Love File upload to RCE abusing AlwaysInstallElevated policy
proper $\textcolor{red}{\textsf{Hard}}$ Proper sql injection: blind And RFI via SMB And Race condition with inotify -
Timelapse $\textcolor{green}{\textsf{Easy}}$ Timelapse

Android

Box Difficulty Writeup Foothold Privesc
explore $\textcolor{green}{\textsf{Easy}}$ Explore ES Explorer CVE-2019–6447 adb Root
Old WriteUPs
Box Difficulty Writeup
academy Easy Academy
admirer Easy Admirer
blunder Easy Blunder
bucket Medium Bucket
cache Medium Cache
compromised Hard Compromised
delivery Easy Delivery
doctor Easy Doctor
feline Hard Feline
jewel Medium Jewel
laboratory Easy Laboratory
luanne Easy Luanne
openkeyS Medium OpenKeyS
Medium passage
tabby Easy Tabby
tenet Medium Tenet
time Medium Time
unbalanced Hard Unbalanced