HTB: HackTheBox Season 10
Feel free to reach out on LinkedIn or any of my socials in case you need help with the challenge. The full writeup will be released after the box is retired.
Unauthenticated enumeration, then generating a ticket using the found creds. Abuse of a shadow credential to reset msa_health and get the initial foothold. Lateral movement through DLL injection, and privilege escalation via AD CS (ESC1) and WSUS abuse.
Unauthorized account takeover leading to RCE in FlowiseAI, reused passwords, and insecure password storage. Arbitrary write using symlinks and the PUT operation.
Initial foothold via a batch script, abusing the ForceChangePassword privilege to move laterally. Ligolo to pivot to the RODC; domain compromise via RODC key list abuse.
Initial foothold by leaking credentials using SSRF in Apache CXF, and using the creds to achieve RCE on the Hoverfly dashboard. Privilege escalation by exploiting the world-writable bash and executing the syswatch script.
Initial foothold via MCPJam RCE, then LFI2RCE via PrivateBin resulting in compromise of stored credentials. Privilege escalation via the Arcane container orchestration platform.
Initial access via LFI2RCE, lateral movement via a cron job, and privilege escalation via a vulnerable binary.
Data leak via authenticated SQLi leading to initial foothold; privileges were escalated using RCE via motionEye running as a superuser.
Pirate blog will be posted later
Initial foothold via Mirth Connect RCE, moving laterally by cracking the user hash from the DB. Privilege escalation via XXE.
Initial foothold via unauthenticated RCE on WingData, lateral movement via cracking the user password from the DB. Privilege escalation via tar slip, soft link, hard link and filter bypass.
Problem of future arbaaz
Improperly Controlled Modification of Dynamically-Determined Object Attributes allows privilege escalation to the admin user, leading to exfiltration of SSH keys from an S3 bucket and becoming the root user via a misconfigured SUID binary.