HackTheBox – ‘Bastion’

Today we’ll be going through the ‘Bastion’ machine, from HackTheBox. In this walkthrough, we’re going to demonstrate how to remotely mount a VHD file over the network, dump some password hashes from the mounted filesystem with the help of the ‘pwdump’ utility, and then crack those hashes with Hashcat to recover the password for a […]

HackTheBox – ‘Querier’

Hey everyone, today we’ll be going through the ‘Querier’ machine from Hack the Box. This was a fun Windows machine where we discover an Excel spreadsheet in an unprotected SMB share. This Excel file contains a macro that connects back to the machine’s SQL server (with hard-coded credentials for us to steal). We are then […]

Dell R710 – New Lab Environment

So I finally made the plunge and purchased some actual hardware for my home lab environment. I was able to find a great deal on a used Dell R710 server from someone at my local security meetup group. It was pretty bare from a specs standpoint when I first got my hands on it (only […]

HackTheBox – Irked

On this HacktheBox walkthrough, we’re going through the ‘Irked’ box. This was a pretty easy box all things considered, but good practice nonetheless. Our initial attack path is through a vulnerable IRC chat server (Internet Relay Chat). We follow this up by exploiting a misconfigured SUID binary to escalate to root privileges. What we know […]

HackTheBox – ‘Curling’

Hello everyone. It has been a busy past few weeks for me so I haven’t done as much posting as I would have liked, but I’m happy to announce that I am now OSCP certified! Initial access for Curling is obtained through placing PHP code within a template file in the Joomla administrator console. We […]

HackTheBox – “Access” Walk-Through

Welcome back everyone. This time around, I’ll be showing you my methodology for the “Access” machine from HacktheBox. This was actually one of the first few machines I ever owned when I started on this site, and it has finally retired. This machine was a lot of fun, and excellent practice for someone new to […]

HackTheBox – ‘Lazy’ Walk-Through

This week, I’ve documented my methodology on the ‘Lazy’ machine. I’ll demonstrate a ‘padding oracle attack’ to obtain a private SSH key exposed on the administrator web panel, and achieve privilege escalation via a path hijacking attack in Linux made possible by an insecure instance of an SUID binary. Let’s get started. What we know […]

HackTheBox – ‘Cronos’ Walk-Through

Welcome back everyone. For this week’s post, I’ll be going through the retired machine, ‘Cronos’. We start by running a DNS Zone Transfer to enumerate some hidden domains, then we follow it up with a basic SQL injection attack to bypass an authentication page. Once inside, we’re able to abuse a ‘ping’ web function that […]

Hack the Box – ‘Stratosphere’ Walk-Through

Most of you are probably familiar with the Equifax data breach back in 2017 that ended up exposing over 140 million Americans’ private information. This was possible due to a vulnerability in the Apache Struts 2 framework, which allowed attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. In this […]

Hack the Box – ‘Active’ Walk-Through

Hello again everyone, welcome back to another HacktheBox walk-through. This time around, I’ll be going through the ‘Active’ machine. This is a great example of a more “real-world” Active Directory attack scenario, where we steal credentials from an exposed Group Policy file, and then Kerberoast the Administrator account’s password. Let’s get started. What we know […]