hackthebox · 4 min
Canape write-up (HackTheBox). Intermediate Linux machine that exploits an insecure pickle deserialisation in a Flask + CouchDB site. Includes RCE via XXE-like in pickle, CouchDB enumeration, and escalation to root by abusing sudo pip install.
· Manuel López Pérez
writeups · 2 min
Write-up of Celestial (HackTheBox). Low-level Linux machine that exploits an insecure cookie deserialisation in Node.js (CVE-2017-16137) to obtain RCE, then escalates to root by abusing a cron job that executes an editable script.
· Manuel López Pérez
cheatsheet · 4 min
Compilation of techniques for obtaining shell access in Windows after RCE. Includes in-memory PowerShell, Powercat, Regsvr32, HTA, Cscript, MSBuild, WMIC, Certutil, and tests against Windows Defender.
· Pablo Plaza Martínez
writeups · 2 min
Rabbit write-up (HackTheBox): Windows machine that exploits time-based SQLi in Complain Management System for RCE via xp_cmdshell + msbuild NPS payload, and escalates to SYSTEM by abusing WAMP64 running as SYSTEM.
· Manuel López Pérez
writeups · 2 min
Quaoar write-up (VulnHub): a simple machine for getting started in pentesting. We exploit WordPress with default credentials and upload a webshell for RCE, then escalate to root with DirtyCow.
· Manuel López Pérez
tutorials · 2 min
Example of phishing in Windows 10 with a PDF and an embedded SettingContent-ms file, automatically executed by JavaScript when the document is opened.
· Pablo Plaza Martínez
writeups · 3 min
Aragog write-up (HackTheBox): initial scan, XXE exploitation to read SSH keys, user access, WordPress modification to steal admin credentials and escalate to root. Intermediate level with a focus on XXE and creative post-exploitation.
· Pablo Plaza Martínez
writeups · 5 min
Nightmare write-up (HackTheBox): high-level Linux machine that exploits SQLi to extract credentials, obtains RCE via modified 32-bit SFTP exploit, and escalates to root with Decoder binary reversing + disk group abuse with debugfs.
· Manuel López Pérez
writeups · 3 min
Olympus write-up (HackTheBox): average Linux machine that exploits Xdebug RCE to obtain initial shell, cracks WPA2 handshake for SSH credentials, uses port knocking to access port 2222, and escalates to root by mounting host filesystem from Docker container.
· Manuel López Pérez
tutorials · 3 min
Practical guide to generating a malicious PDF that, when opened in Windows, forces NTLM authentication and captures the NET-NTLMv2 hash. Includes generation with modern tools, cracking with hashcat, and use of psexec. Updated with best practices and current alternatives.
· Pablo Plaza Martínez
writeups · 1 min
Write-up of Nibbles (HackTheBox): simple Linux machine that exploits Nibbleblog 4.0.3 with leaked credentials and RCE via plugin upload, and escalates to root by abusing sudo in the monitor.sh script.
· Manuel López Pérez
writeups · 2 min
Poison write-up (HackTheBox): simple FreeBSD machine that exploits LFI in browse.php to poison Apache logs and obtain RCE, extracts credentials from pwdbackup.txt, and escalates to root via VNC with leaked password.
· Manuel López Pérez
