Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in...
Bighead - Hack The Box
Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We t...
Irked - Hack The Box
Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root...
Teacher - Hack The Box
Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that co...
Redcross - Hack The Box
Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration....
Vault - Hack The Box
Quick summary An upload page allows us to get RCE by uploading a PHP file with the php5 file extension We can find the SSH credentials in a plaintext file in Dave’s directory After getting ...
Curling - Hack The Box
Quick summary The username for the Joomla site is Floris as indicated on the main page in one of the post The password is a variant of a word on the main page: Curling2018! On the Joomla ad...
Frolic - Hack The Box
Frolic had a pretty straightforward user access part where after minimal enumeration we could find the password for the PlaySMS application obfuscated a couple of times with some esoteric languages...
Carrier - Hack The Box
I had the idea for creating Carrier after competing at the NorthSec CTF last year where there was a networking track that required the players to gain access to various routers in the network. I th...
Ethereal - Hack The Box
Ethereal was a really difficult box from MinatoTW and egre55 that I solved using an unintended priv esc method with Rotten Potato. The box was patched soon after the release to block that priv esc ...
