Overview This machine begins w/ a finger user enumeration, revealing user sunny, sammy on sunday.htb, allowing us to bruteforce w/ hydra, obtaining a low-privilege/sunny shell. On the home directo...

Overview This machine begins w/ a web enumeration, browse.php is enumerated and is susceptible to LFI2RCE via Apache log poisoning, allowing us to obtain a low-privilege/www-data shell. On the web...

Overview This machine begins w/ a web enumeration, discovering /dev directory and omg, inside /dev contains a hex encoded string, decoding it reveals a encrypted SSH private key. Next, omg reveals ...

Overview This machine begins w/ a web enumeration, revealing a directory /api when intercepting a login request w/ burp. By directory enumerating /api, login credentials are revealed. After authe...

Overview This machine w/ an network enumeration, enumerating a service James Server 2.3.2, which is susceptible to an authenticated RCE exploit. Also, James Server 2.3.2 is configured w/ its defau...

Overview This machine begins w/ a directory enumeration, a file containing credentials is enumerated, allowing us to login to pfsense. pfsense version is revealed upon login in, allowing us to find...

Overview This machine begins w/ a web enumeration, discovering a login page on both TCP/80 (HTTP) & TCP/443 (HTTPS) that is both susceptible to a bruteforce attack due to a weak password and th...

Overview This machine begins w/ a DNS enumeration, revealing several subdomains. After enumerating the subdomains, admin.cronos.htb is susceptible to SQLi authentication bypass and a command injec...

Overview This machine has 4 ways to obtain an initial shell. For the 1st method, after a web enumeration at TCP/443 (HTTPS), it is discovered that Elastix running on the webserver. After searching ...

Overview This machine begins w/ web directory enumeration revealing files and directories that discloses the username, CMS version and login page of the webpage, allowing us to login as an admin us...