Mounting the NFS and got a sfd file which contains a hash and cracking it with john and logged in to umbraco and after searching an exploit for it got a RCE and shell as user , abusing service uSoSvc got shell as administrator.
This Box is currently in hackthbox active category , You can access the writeup only if you have the root flag of the machine.I cant reveal the box information due to hackthebox rules.Thanks
This is relatively an insane box , It revolves around the Oauth2 as feom which we get account linked to qtc (admin) using a SSRF and then a xss in which just gave we have to steal cookies of the user qtc and from that sesion id we logged into api and get the ssh-keys for user.There is a docker running and we can ssh into it.Exploiting the uwsgi to get shell as www-data and then exploiting dbus to get shell as root
This box is currently active,So in order to read its writeup you should have the root hash Goto the following url to access the Writeup http://0xprashant.github.io/private/root.txt
Got usernames from the about page , performing a asreproast attack using GetNPusers.py and then cracking the hash with john , after login running winpeas and found autologon creds of svc_loanmgr , and he can perform a dcsync attack
This machine is currently active on hackthebox wait until it gets retired or if you have owned it then you need to get the Administrator NTLM hash or the root password hash from the file /etc/shadow file.And enjoy the writeup.
Json is a medium level machine and its a very interesting machine and straightforward.This machine taught me many new things and i liked the box very much.Thanks to Htb and the creator.
Using X-Forwarded-For to Bypass the Waf , A search product option which leads to a SQLI.After Uploading a shell and executing it to get a Actual powershell shell , And then modifying the Registry of the service to Spawn a shell as admin.
Exploiting the vulnerable nostromo version for getting initial shell and finding the hidden dir, cracking the ssh private keys to get user and running journalctl as root and exploiting the journalctl to get root shell.
Running enum4linux against the machine , We got a some usernames and a password . Found another user’s credentials in a hidden dir and the user is in the group of dnsadmin , So we can modify the dns enteries to get root.