nihilist`s Blog
Previous Page

Offensive Security Writeups


Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.


Below you will find my personal writeups of the various boxes that can be found on hackthebox.eu, ranked by difficulty.

nihilist

Hack The Box - Easy Boxes

Template Page

  1. ✅ - Lame
  2. ✅ - Legacy
  3. ✅ - Devel
  4. ✅ - Beep
  5. ✅ - Optimum
  6. ✅ - Arctic
  7. ✅ - Grandpa
  8. ✅ - Granny
  9. ✅ - Bank
  10. ✅ - Blocky
  11. ✅ - Blue
  12. ✅ - Mirai
  13. ✅ - Shocker
  14. ✅ - Sense
  15. ✅ - Bashed
  16. ✅ - Nibbles
  17. ✅ - Valentine
  18. ✅ - Sunday
  19. ✅ - Bounty
  20. ✅ - Jerry
  21. ✅ - Active
  22. ✅ - Access
  23. ✅ - Frolic
  24. ✅ - Curling
  25. ✅ - Irked
  26. ✅ - Teacher
  27. ✅ - Help
  28. ✅ - FriendZone
  29. ✅ - Netmon
  30. ✅ - CasaDePapel
  31. ✅ - Bastion
  32. ✅ - SwagShop
  33. ✅ - Writeup
  34. ✅ - Haystack
  35. ✅ - Safe
  36. ✅ - Heist
  37. ✅ - Networked
  38. ✅ - Forest
  39. ✅ - Postman
  40. ✅ - Traverxec
  41. ✅ - OpenAdmin
  42. ✅ - Nest
  43. ✅ - Traceback
  44. ✅ - Remote
  45. ✅ - Servmon
  46. ✅ - Admirer
  47. ✅ - Blunder
  48. ✅ - Tabby
  49. ✅ - Buff
  50. ✅ - Omni
  51. ✅ - Doctor
  52. ✅ - Academy
  53. ✅ - Laboratory
  54. ✅ - Luanne
  55. ✅ - Delivery
  56. ✅ - Toolbox
  57. ✅ - Sauna
  58. ✅ - ScriptKiddie
  59. ✅ - Armageddon
  60. ✅ - Spectra
  61. ✅ - Love
  62. ✅ - Cap
  63. ✅ - Knife
  64. ✅ - Previse
  65. ✅ - Paper
  66. ✅ - BountyHunter
  67. ✅ - Explore
  68. ✅ - Horizontall
  69. ✅ - Backdoor
  70. ✅ - Driver
  • | CVE-2007-2447, vsftpd 2.3.4
  • | ms08_067_netapi RCE
  • | Anonymous FTP, ms10_015_kitrap0d
  • | Elastix, Webmin, vtiger
  • | HttpFileServer 2.3, rejetto, 41020
  • | ColdFusion 8, JRun Web Server
  • | IIS 6.0, webdav
  • | IIS 6.0, webdav
  • | DNS, reverse php shell, root binary
  • | Wordpress, jar
  • | MS17-010, EternalBlue, Win7 SP1
  • | PiHole
  • | ShellShock, 34900
  • | FreeBSD, pfSense
  • | PHPBash, kernel 4.4, 44298
  • | NibbleBlog 4.0.3
  • | HeartBleed
  • | Solaris, SunOS, fingerd, unshadow, john
  • | IIS 7.5, transfer.aspx
  • | Tomcat, tomcat_mgr_login, mgr_upload
  • | SMB, Kerberoast, gpp encrypt
  • | ftp, telnet, pst, mbox, readpst, runas
  • | Brainfuck, nginx, ROP exploit
  • | Joomla , reverse php
  • | UnrealIRCd
  • | Moodle, MariaDB, hashes
  • | HelpdeskZ, reverse php, 44298
  • | smb, ssl certs, dns
  • | ftp, prtg network monitor
  • | ssl certs, cron
  • | smb, share mounting, vhd, mRemoteNG
  • | Magento, lfi, reverse php
  • | CMS made Simple, 46635 , reverse py
  • | Elasticsearch, json, kibana
  • | ROP, ghidra, gef, keepass hashes
  • | Cisco pass, smb, sysinternals
  • | Reverse php gif, cmd execution
  • | BloodHound AD Navigation, Exchange Windows
  • | Redis 4.0.x, Webmin 1.910, RCE
  • | nostromo 1.9.6, journalctl
  • | OpenNetAdmin, nano shell
  • | Visual Basic, SMB, telnet
  • | Web-Shells, SSH Motd script
  • | Umbraco v7.12 ,TeamViewer v7
  • | xc.exe, nsclient++, ftp, winpeas
  • | Adminer, MySQL, Python library Hijacking
  • | Bludit 3.9.2, SHA1, sudo 1.8.25p1
  • | Tomcat, LFI, lxc container
  • | Gym Management RCE, Buffer Overflow
  • | Windows IOT, SirepRAT.py, Import-CliXml
  • | XML SSTI splunkd RCE
  • | PHP Laravel token deserialization, composer
  • | Gitlab CE 12.8.1 gitlab-rails, SUID bit
  • | NetBSD lua code injection, doas, netpgp
  • | OSTicket, Mattermost, hashcat custom list
  • | SQL Injection reverse shell, boot2docker
  • | LDAP, kerberos, mimikatz, NTLM hash
  • | Msfvenom apk exploit, command injection
  • | Drupal7, MySQL password hash, Snap GTFOBin
  • | .save extension, Wordpress, initctl privesc
  • | nishang ps1, AlwaysInstallElevated msi msfvenom
  • | pcap, python3.8 cap setuid capabilities
  • | php 8.1.0, 49933.py, knife binary
  • | auth bypass, code injection
  • | Wordpress 5.2.3, CVE-2021-3560
  • | xml poisoning, python poisoning
  • | ES File Explorer, adb shell
  • | strapi, laravel 8
  • | ebook-download, gdbserver, screen
  • | MFP firmware, RICOH_PCL6

nihilist

Hack The Box - Medium Boxes

Template Page

  1. ✅ - Popcorn
  2. ✅ - Bastard
  3. ✅ - Tenten
  4. ✅ - Cronos
  5. ✅ - October
  6. ✅ - Lazy
  7. ✅ - Sneaky
  8. ✅ - Haircut
  9. ✅ - Europa
  10. ✅ - Nineveh
  11. ✅ - Apocalyst
  12. ✅ - SolidState
  13. ✅ - Node
  14. ✅ - Enterprise
  15. ✅ - Jeeves
  16. ✅ - Inception
  17. ✅ - FluxCapacitor
  18. ✅ - Chatterbox
  19. ✅ - Aragog
  20. ✅ - Bart
  21. ✅ - Stratosphere
  22. ✅ - Celestial
  23. ✅ - Silo
  24. ✅ - Poison
  25. ✅ - Canape
  26. ✅ - Olympus
  27. ✅ - TartarSauce
  28. ✅ - DevOops
  29. ✅ - Hawk
  30. ✅ - Waldo
  31. ✅ - SecNotes
  32. ✅ - Giddy
  33. ✅ - Ypuffy
  34. ✅ - Carrier
  35. ✅ - Vault
  36. ✅ - Redcross
  37. ✅ - Lightweight
  38. ✅ - Chaos
  39. ✅ - Querier
  40. ✅ - Arkham
  41. ✅ - Unattended
  42. ✅ - Luke
  43. ✅ - Jarvis
  44. ✅ - Craft
  45. ✅ - Bitlab
  46. ✅ - Wall
  47. ✅ - Json
  48. ✅ - AI
  49. ✅ - Sniper
  50. ✅ - Mango
  51. ✅ - Obscurity
  52. ✅ - Monteverde
  53. ✅ - Book
  54. ✅ - Cascade
  55. ✅ - Magic
  56. ✅ - Cache
  57. ✅ - Fuse
  58. ✅ - SneakyMailer
  59. ✅ - OpenKeyS
  60. ✅ - Worker
  61. ✅ - Passage
  62. ✅ - Jewel
  63. ✅ - Bucket
  64. ✅ - Time
  65. ✅ - Ready
  66. ✅ - Tenet
  67. ✅ - Ophiuchi
  • | Torrent Hoster
  • | Drupal 7
  • | Wordpress
  • | php lavarel, sql injection
  • | OctoberCMS
  • | cookie authentification padding abuse
  • | udp snmp ipv6
  • | php rce, GNU screen 4.50
  • | europacorp v0.2b, sqlmap, RCE
  • | phpLiteAdmin v1.9, hydra port knocking
  • | wordpress, wordlists
  • | james smtpd, james pop3d
  • | myplace nodejs api, mongodb, binexp
  • | php sql inj, joomla, wp, binexp
  • | askjeeves, kdbx, rdesktop
  • | dompdf, webdav, pivot
  • | Fuzzing
  • | AChat, Win7
  • | xml-content XXE, wordpress
  • | server monitor, simple chat User-Agent
  • | OGNL RCE, mysql, python lib hijacking
  • | Node.js concatenating deserialization
  • | Oracle DB RCE
  • | FreeBSD, php LFI
  • | cPickle, couchDB, pip
  • | xdebug 2.5.5, airgeddon, knock, docker
  • | Wordpress, gwolle-gb, tar
  • | XXE, github repository enumeration
  • | aes-256-cbc, ssh tunnel, H2 database
  • | Evasive LFI, Container, cap_dac_read_search
  • | XSRF, SQLi, nc.exe, smb, IIS,
  • | SQLi, xp_dirtree, Ubiquiti UniFi-Video
  • | FreeBSD, ldap, smb, putty, ssh certificates
  • | Lyghtspeed, Quagga v0.99, BGP routes MITM
  • | SOCKS5 Port Forwarding, double pivoting, gpg
  • | SQLi, PHPSESSID, cmd injection, psql, sudo gid
  • | LDAP, getcap, tcpdump, binary capabilities
  • | WebMin, roundcube, ajax.php, LaTeX, firefox
  • | smb, excel macros, mssql, xp_dirtree, winRM
  • | smb, LUKS, javax.ViewState, powershell privesc
  • | 2nd order blind SQL injection, luks initrd.img
  • | Boostrap4, JWT, Ajenti, FreeBSD amd64
  • | SQL Injection, python privesc, systemctl SUID
  • | Gogs, REST api, docker, mysql sqlAlchemy
  • | Gitlab, hardcoded creds in js, sudo git pull
  • | Centreon, uncompyle, linpeas, GNU Screen 4.5.0
  • | Json.Net deserialization, WS2012 R2 Datacenter
  • | Speech recognition SQL injection, jdwp
  • | RFI, MS Compiled HTML Help
  • | MongoDB NoSQL injection, jjs
  • | Python exec(), file decryption, background processes
  • | Azure AD Connect exploit PoC
  • | SQL Truncation attack, logrotten
  • | ldap, VNC hardcoded key, AD Recycle Bin group
  • | Magic bytes, mysqldump, PATH priority binary exec
  • | OpenEMR, SQL Injection, memcached, docker mount
  • | PaperCut Print Logger, SeLoadDriverPrivilege
  • | Phishing via SMTP (yes), pypi, pip3
  • | /usr/libexec/ld.so, OpenBSD, xlock
  • | svnserve, Azure Devops Git repository
  • | CuteNews, USBCreator DBus
  • | rails 5.2.2.1, sudo 2FA (oath), gem
  • | LocalStack (AWS), pd4ml
  • | Jackson json parser deserialization, SQL SHELLEXEC
  • | Gitlab CE 11.4.7, Docker Container escape
  • | PHP deserialization, Race Condition bash exploit
  • | YAML Java deserialization, wasm wat

nihilist

Hack The Box - Hard Boxes

Template Page

  1. ✅ - Joker
  2. ✅ - Calamity
  3. ✅ - Charon
  4. ✅ - Shrek
  5. ✅ - Mantis
  6. ✅ - Kotarak
  7. ✅ - Tally
  8. ✅ - CrimeStoppers
  9. ✅ - Falafel
  10. ✅ - Dropzone
  • | Sudoedit Wildcards, Symlinks
  • | PHP Injection, wav file, alpine privesc
  • | SQL Injection, SuperCMS, SUID 4000
  • | mp3 Spectogram, ECC Crypto, chown wildcard
  • | IIS7, Orchard, DBeaver, MSSQL Server, psexec
  • | Apache Tomcat, NTDS, disk group, lxc
  • | hashcat on kdbx, smb mounting, xp_cmdshell
  • | PHP base64 LFI, PHP zip RCE, apache logs, modrootme
  • | linux char limit, video+disks group, linpeas
  • | manual psexec, MOF, nc.exe, ADS, streams.exe

nihilist

Recurrent Tricks

Template Page

  1. ✅ - File transfers
  2. ✅ - reverse shells with XC
  3. ✅ - SSH Tunnels
  4. ✅ - Intercepting HTTP and HTTPS requests with Burpsuite





nihilist

The Concept

The Goal is to capture both the User and the Root flags by gaining unauthorized access to the machines on HTB's private network, in order to get the flags, one has to employ various sets of pentesting skills, from finding out common vulnerabilities in the easier boxes, to crafting custom-exploitation for the harder boxes.

Binary Exploitation

gdb, gef, ghidra, pwntools, assembly, C, 32-64bit binaries, reverse engineering, CTF challenges