This machine begins w/ a web enumeration, browse.php is enumerated and is susceptible to LFI2RCE via Apache log poisoning, allowing us to obtain a low-privilege/www-data shell. On the web directory, there is a file called pwdbackup.txt that is base64 encoded 13 times, decoding it reveal...

This machine begins w/ a web enumeration, discovering /dev directory and omg, inside /dev contains a hex encoded string, decoding it reveals a encrypted SSH private key. Next, omg reveals an image of a bleeding heart, hinting us to use an exploit called heartbleed which allows us to obta...

This machine begins w/ a web enumeration, revealing a directory /api when intercepting a login request w/ burp. By directory enumerating /api, login credentials are revealed. After authenticating w/ an admin account, a password protected zipfile myplace.backup can be downloaded, after ...

This machine w/ an network enumeration, enumerating a service James Server 2.3.2, which is susceptible to an authenticated RCE exploit. Also, James Server 2.3.2 is configured w/ its default password, allowing us to view users on the machine as well as change their password, allowing us ...

This machine begins w/ a directory enumeration, a file containing credentials is enumerated, allowing us to login to pfsense. pfsense version is revealed upon login in, allowing us to find a RCE exploit due to the lack of input sanitization, allowing us to obtain a root shell instantly. ...

This machine begins w/ a web enumeration, discovering a login page on both TCP/80 (HTTP) & TCP/443 (HTTPS) that is both susceptible to a bruteforce attack due to a weak password and the lack of bruteforce prevention. On TCP/443, phpLiteAdmin 1.9 is running, it is susceptible to a RC...

This machine begins w/ a DNS enumeration, revealing several subdomains. After enumerating the subdomains, admin.cronos.htb is susceptible to SQLi authentication bypass and a command injection exploit, allowing us to obtain a low-privilege/www-data shell For the privilege escalation par...

This machine has 4 ways to obtain an initial shell. For the 1st method, after a web enumeration at TCP/443 (HTTPS), it is discovered that Elastix running on the webserver. After searching possible exploits for Elastix, there are 4 available exploits for Elastix, since we have no way of f...

This machine begins w/ web directory enumeration revealing files and directories that discloses the username, CMS version and login page of the webpage, allowing us to login as an admin user w/ a weak/guessable password. Also, with the version of the CMS available to us, we found out tha...

This machine begins w/ a web directory enumeration, finding a directory /dev directory containing a file phpbash.php that has code execution functionality, allowing us to obtain a low-privilege/www-data shell. User www-data has a sudoers entry that allows www-data to run any command as ...