This machine begins w/ a web enumeration, discovering that TCP/3000 is running grafana, where it is susceptible to a directory traversal & arbitrary file read vulnerability. w/ this vulnerability, we are able to include grafana configuration file grafana.ini & grafana.db allowing...

This machine begins w/ web enumeration, viewing the page source of the index page reveals a javascript file photobomb.js containing credentials for /printer. /printer directory is a tool that allow users to download the images that are displayed, however it is susceptible to a command in...

This machine begins w/ a web enumeration, discovering /admin-dir, containing credentials for FTP, FTP contains an archive of the web directory, revealing a directory utility-scripts that we did not discover earlier. Directory enumerating utility-scripts directory, discovered adminer.php...

This machine begins w/ a web enumeration, discovering login.php, a login page that is susceptible to a SQLi Authentication bypass due to the lack of input sanitization. Next, we are redirected to upload.php where only images and be uploaded, however it is susceptible to an file upload b...

This machine begins w/ a web enumeration, discovering that on OpenNetAdmin 1.18.1 is running, it is susceptible to a RCE exploit, allowing us to obtain a low-privilege/www-data user. For privilege escalation part, we have to privilege escalate to jimmy, joanna then to root. After enume...

This machine begins w/ a web enumeration, discovering that the webserver is running nostromo 1.9.6 which is susceptible to a directory traversal that leads to RCE vulnerability due to insufficient input sanitization, allowing us to obtain a low-privilege/www-data user. For the privilege...

This machine begins w/ a web enumeration, discovering a subdomain name (staging-order.mango.htb) by viewing the SSL certificate. staging-order.mango.htb is a login page that is susceptible to NoSQL injection, allowing us exfiltrate user mango credentials and SSH w/ it. For the privilege...

This machine begins w/ a network enumeration, discovering a vulnerable service redis 4.0.9 that is susceptible to a RCE exploit, through the service, we are able to write a SSH public key into user redis’s authorized_keys, allowing us to SSH into user redis. For the privilege escalation...

This machine begins w/ a thorough web enumeration, discovering several directories that contains necessary information to proceed. Directory /admin contains a login page that is coded w/ javascript, viewing the source code reveals credentials. After successfully logging in, we are redir...

This machine begins w/ a web enumeration, discovering a directory /plugins and wordpress CMS running on it. After enumerating wordpress, user notch is discovered. The /plugins directory contains 2 java archives. After extracting it, a compiled java file is found, simply decompiling it re...