Ankit Kanojiya

CTF - Hack The Box

This time it's a very lean box with no rabbit holes or trolls. The box name does not relate to a Capture the Flag event but rather the Compressed Token Format used by RSA SecurID tokens. The first ...

Friendzone - Hack The Box

Friendzone is an easy box with some light enumeration of open SMB shares and sub-domains. I used an LFI vulnerability combined with a writable SMB share to get RCE and a reverse shell. A cron job r...

Hackback - Hack The Box

Hackback took me a long time to do. There are so many steps required just to get a shell. For extra difficulty, AppLocker is enabled and an outbound firewall policy is configured to block reverse s...

Netmon - Hack The Box

I think Netmon had the quickest first blood on HTB yet. The user flag could be grabbed by just using anonymous FTP and retrieving it from the user directory. I guessed the PRTG admin password after...

Querier - Hack The Box

To solve Querier, we find an Excel spreadsheet that contains a VBA macro then use Responder to capture NTLM hashes from the server by forcing it to connect back to our machine with xp_dirtree. Afte...

Flujab - Hack The Box

Flujab was without a doubt one of the toughest HTB boxes. It's got a ton of vhosts that force you to enumerate a lot of things and make sure you don't get distracted by the quantity of decoys and tro...

Help - Hack The Box

Help showed that a small programming mistake in a web application can introduce a critical security vulnerability. In this case, the PHP application errors out when uploading invalid extensions suc...

Sizzle - Hack The Box

Sizzle was an amazing box that requires using some Windows and Active Directory exploitation techniques such as Kerberoasting to get encrypted hashes from Service Principal Names accounts. The priv...

Chaos - Hack The Box

Chaos starts with some enumeration to find a hidden WordPress site that contains a set of credentials for a webmail site. There's some simple crypto we have to do to decrypt an attachment and find ...

Conceal - Hack The Box

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerating with SNMP, we connect to the server, ...