VariaType - HTB
A medium-difficulty Linux machine centered around a custom font-generation web application. The challenge involves exploring file handling behavior, analyzing backend processing logic, and chaining multiple issues in the font processing pipeline to move from initial access to full system compromise.
CCTV - HTB
Easy Linux CCTV machine abusing ZoneMinder and MotionEye flaws through SQL injection and escalation. [Unintended]
Pirate - HTB
Windows Active Directory challenge centered on delegation, Kerberos, and privilege escalation workflows.
Valid User (No Password)
Valid User (No Password) techniques and commands for Active Directory security assessment.
Linux Privilege Escalation via Sudo Misconfiguration
Sudo misconfigurations on Linux systems provide a common vector for privilege escalation. Attackers exploit overly permissive sudo rules to gain root-level access.
Era - HTB
Era is a medium Linux machine that chains an IDOR in a file portal, FTP config exposure, a PHP stream wrapper RCE via file preview, and a signed-binary bypass for root.
Certificate - HTB
Certificate is a hard Windows Active Directory machine that starts with an e-learning platform. The web application is vulnerable to Null-Byte Injection in its file upload feature, allowing a PHP reverse shell to be executed for initial access as xamppuser. Database credentials are retrieved, enabling lateral movement to the Sara.B user. Further enumeration uncovers a network capture file that leaks Lion.SK’s credentials. Using these, Active Directory Certificate Services (ADCS) is enumerated, and a vulnerable template is exploited to request certificates on behalf of other users. A certificate for the Ryan.K user is then obtained, whose SeManageVolumePrivilege is leveraged to gain a shell as NT AUTHORITY\NETWORK SERVICE. Finally, SeImpersonatePrivilege is used to escalate to NT AUTHORITY\SYSTEM, dump ntds.dit and registry hives, and extract the Administrator’s NTLM hash, ultimately allowing access as the Administrator.
RustyKey - HTB
RustyKey is a hard Windows machine chaining Kerberos time abuse, AD ACL misconfigurations, a 7-Zip shell extension hijack, and SPN-less RBCD to reach domain admin.