0xdf

@0xdf.bsky.social

Principal Training Architect @ HackTheBox
CTF Addict
"Potentially a legit researcher"
he/him
Website: https://0xdf.gitlab.io/
YouTube: https://www.youtube.com/c/0xdf0xdf
Twitter: 0xdf_
Discord: 0xdf
Mastodon: 0xdf@infosec.exchange

960 Followers  |  254 Following  |  307 Posts  |  Joined: 15.07.2023

Latest posts by 0xdf.bsky.social on Bluesky

HTB: RustyKey
RustyKey HTB walkthrough: Timeroasting to crack computer passwords, ForceChangePassword abuse, CLSID hijacking via registry, and RBCD for domain compromise.

RustyKey from HackTheBox is an assume breach AD box. I'll Timeroast to get a better foothold, and after some AD privilege chaining with BloodHound, perform a CLSID hijack, and then abuse AddAllowedToAct to RBCD to escalate to administrator.

08.11.2025 15:00 — 👍 2    🔁 0    💬 1    📌 0
Free AI HTB Tutor
Generative AI has many applications. An amazing one is to give it a writeup to a challenge you're trying to solve but stuck on and getting it to coach you th...

If you're using writeups to learn how to hack on HackTheBox (or other CTFs), use AI as a tutor. In this video I'll show a free prompt to use, as well as a Claude Skill I developed.

05.11.2025 15:42 — 👍 1    🔁 0    💬 0    📌 0
HTB: Dump
Dump has a website that collects packets on a specific port. It can also handle PCAP uploads and download all the current PCAP files in a zip archive. I'll abuse wildcard injection in the zip command with some carefully crafted filenames to get RCE and a shell. I'll pivot to the next user with a password from the database. I'll then abuse how www-data can run sudo to run tcpdump to get root.

Dump from VulnLab released on HackTheBox last week. It has some very tricky injections and a sudo rule puzzle to work out - I'll show two ways.

04.11.2025 12:27 — 👍 2    🔁 0    💬 0    📌 0

Thank you! So glad to hear that.

I'm bummed bs never really took off (at least I get very little interaction). But glad to know at least some people get benefit. At this point posting to five different places is just built into the CI/CD of building the post, so it's low effort for me to continue

01.11.2025 15:59 — 👍 1    🔁 0    💬 0    📌 0
HTB: Voleur
Voleur is an active directory box that starts with assume breach credentials. I'll find an Excel notebook with credentials and get a shell. I'll find a deleted user and switch to a service account to recover it. That user can access an SMB share with a user's home directory backup, where I'll find DPAPI encrypted credentials. I'll recover those, getting access to an SSH key that provides access to a WSL instance. There I'll find registry hive backups where I can dump the administrator hash.

Voleur is an assume breach active directory box from HackTheBox. It has lots of passwords, deleted user recovery, DPAPI, targeted kerberoasting, and hashes from registry hives.

01.11.2025 15:40 — 👍 4    🔁 2    💬 1    📌 0
HTB: Store
HTB Store walkthrough: exploiting XOR encryption for arbitrary file read, SFTP tunneling to Node.js debugger, and Chrome webdriver RCE for root access.

Store from VulnLab released on HackTheBox yesterday. It's got a web decryption known plaintext attack, directory traversal, node inspect, and Chrome debug.

30.10.2025 10:00 — 👍 2    🔁 3    💬 0    📌 0
HTB: Artificial
Artificial starts with an AI website where I can upload models that are run with TensorFlow. I'll exploit a deserialization vulnerability in how TensorFlow handles h5 files to get RCE and a foothold. I'll find hashes in the database and crack one to pivot to the next user. That user has access to an instance of Backrest running on localhost. I'll find the config and crack the hash to get access, and then show three ways to get execution as root through the application.

Artificial from HackTheBox starts with uploading a malicious TensorFlow model to get a foothold through deserialization. I'll abuse Backrest in three different ways for root.

25.10.2025 15:00 — 👍 4    🔁 4    💬 0    📌 0
HTB: DarkCorp
DarkCorp lives up to its insane difficulty, with three hosts, including a Windows AD domain, and starts with a Debian web/mail server. I'll exploit an XSS in RoundCube to get access to the admin's emails, leaking a private subdomain. I'll reset the admin's password and get into the dashboard, identifying an SQLI. I'll abuse PostgreSQL to get RCE from this two ways. In a PGP-encrypted backup I'll find the hash for another user and crack it, getting auth to the domain. Those creds also get me into a website on the Windows web server that can do status checks on other websites. These checks will attempt NTLM authentication, and I'll relay that to create a domain entry, and then use the printer bug to get the WEB-01 box to authenticate to me, which I can relay to get a silver ticket for administrator on WEB-01. On that host I'll find the local administrator account creds in the scheduled tasks, and use those to decrypt a stored credential. Password spraying that password will own another account on the domain. That user can get a shadow credential for another user. That user has a matching .adm account, and I'll do UPN spoofing to get access to that admin account back on the original Linux host. With root access on that host, I'll pull cached AD credentials from the SSSD database to pivot back to the DC. This user can modify a GPO, which I'll abuse to get administrator access over the entire domain.

DarkCorp from HackTheBox lived up to its insane rating. Pivots from Linux to Windows and back, abuse of cross-OS Kerberos, and lots more. Several new techniques in this one.

18.10.2025 15:50 — 👍 1    🔁 1    💬 0    📌 0
HTB: TombWatcher
TombWatcher is an assume breach active directory box. I'll use BloodHound to find a path to another user with targeted Kerberoasting, GMSA, ForceChangePassword, and a shadow credential. This user has access to the AD Recycle Bin, where I'll recover an old ADCS admin account. I'll use that account to exploit ESC15 to get Administrator access.

TombWatcher from HackTheBox is an assume breach Windows AD box. BloodHound shows a path abusing targeted Kerberoasting, GMSA, password change, and shadow creds. Then there's AD Recycle Bin and ESC15.

11.10.2025 15:00 — 👍 2    🔁 0    💬 0    📌 0
HTB: Watcher
Watcher starts with a Zabbix server. I'll abuse CVE-2024-22120, a blind SQL injection to leak the admin session and get RCE. From there I'll log in as admin and find a user logging in every minute. I'll update the login PHP source to save the creds to a file. Those creds also work for a local instance of TeamCity, which I can log into as an admin and abuse a build pipeline to get execution as root.

Watcher from VulnLab released on HackTheBox last week. It's a web-centric box with Zabbix exploitation, and then changing the source code to capture logins. I'll escalate through TeamCity.

09.10.2025 09:58 — 👍 1    🔁 2    💬 0    📌 0
Uncheesable [0xff: One Last Address]
The HTB Content team made me a goodbye CTF consisting of four challenges. In this video, I'll solve Uncheesable, a forensics challenge involving a memory dum...

Uncheesable is the final challenge from the CTF the HackTheBox content team made for me as a goodbye present. I'll get a memory dump from a custom Linux kernel. I'll pull the bzImage from the dump, generate the symbols, and use vol3 to find the flag.

06.10.2025 11:01 — 👍 0    🔁 0    💬 0    📌 0
HTB: Certificate
Certificate starts with a school website that accepts assignment uploads in limited formats that include zip archives. I'll show two ways to bypass the filters in PHP and upload a webshell - first with a null byte in the filename inside the zip, and then by stacking two zips together. Both of these abuse how the filesystem and PHP handle these cases differently. I'll pivot to the next user after dumping a hash from the website DB. That user has access to a PCAP, where I'll find a Kerberos authentication and crack it in hashcat to get the next user. I'll exploit ESC in the ADCS environment to get the next user, and then use their membership in the Domain Storage Managers group (which gives SeManageVolumePrivilege) to get arbitrary file read on the system. The root flag is encrypted with EFS, so I'll exfil the ADCS private key and use a Golden Certificate attack to get a shell as the Administrator user and the final flag.

Certificate from HackTheBox is a hard box with a bit of everything. There's upload / zip shenanigans (two ways), PCAP analysis and Kerberos cracking, ADCS ESC3, and Golden Certificate.

04.10.2025 18:02 — 👍 3    🔁 0    💬 0    📌 0
Antipattern [0xff: One Last Address]
The HTB Content team made me a goodbye CTF consisting of four challenges. In this video, I'll solve Antipattern, a fullpwn machine that replicates my website...

Antipattern is the third video from the personal CTF the HackTheBox content team made me as a goodbye present. It's a full pwn box with my website, lots of memes, and lots of things I always complained about when reviewing community submissions.

03.10.2025 10:29 — 👍 4    🔁 1    💬 0    📌 0
0o337 [0xff: One Last Address]
The HTB Content team made me a goodbye CTF consisting of four challenges. In this video, I'll solve 0o337, a forensics challenge digging through a PCAP file ...

The HackTheBox content team made me a personal CTF as a goodbye present. In this second video, I'll show 0o337, an easy forensics challenge with a PCAP and a nice (even if unrealistic) maze to follow. Still some nice tricks to showcase.

01.10.2025 15:06 — 👍 2    🔁 0    💬 0    📌 0
Farewell [0xff: One Last Address]
The HTB Content team made me a goodbye CTF consisting of four challenges. In this video, I'll solve Farewell, a format string pwn challenge from w3th4nds.w3t...

The HackTheBox content team made me a personal CTF as a goodbye present. In this video, I'll show Farewell, a pwn challenge with a simple format string vulnerability, a few hurdles to work around, and some neat pwntools tricks at the end.

29.09.2025 10:21 — 👍 7    🔁 1    💬 0    📌 0
HTB: Puppy
Puppy is a Windows Active Directory pentest simulation. It starts with a set of creds in the HR group, which is a common target of phishing attacks. That user has GenericWrite over the Developers group, so I'll add my user and get access to SMB shares where I'll find a KeePassXC database. I'll crack the secret with John, and get auth as the next user. That user is a member of Senior Devs, which has GenericAll over another user. I'll reset that user's password and get a WinRM session. This user has access to a site backup, where I'll find a password to spray and get WinRM as the next user. Finally, I'll abuse that user's DPAPI access to get a saved credential for an administrator.

Puppy is a nice AD assume breach box. I'll abuse GenericWrite on a group, GenericAll on a user, bruteforce a KeePassXC DB, find creds in a config, and dump DPAPI stored credentials.

27.09.2025 15:00 — 👍 1    🔁 1    💬 0    📌 0
HTB: BabyTwo
Another Windows box where I'll try username as password and find two accounts. From those I'll get access to the SYSVOL share, where I can poison a logon script to give me a reverse shell when the user logs in. That user has control over another service account that is meant to administer GPOs. I'll abuse the GPO to get a shell in the administrators group.

BabyTwo from VulnLab released on HackTheBox on Thursday. It has GPO abuse and logon script poisoning.

26.09.2025 15:10 — 👍 1    🔁 0    💬 0    📌 0
HTB: Fluffy
Fluffy is an assume-breach Windows Active Directory challenge. I'll start by exploiting CVE-2025-24071 / CVE-2025-24055, a vulnerability in how Windows handles library-ms files in zip archives, leading to authentication attempts to the attacker. I'll get a NetNTLMv2 and crack it. From there, BloodHound data shows that this user has GenericWrite over some service accounts. I'll abuse that to get a WinRM shell with one. From this user, I'll exploit ESC16 in the ADCS environment to get a shell as Administrator.

Fluffy from HackTheBox is a nice AD / ADCS box with CVE-2025-24071/CVE-2025-24054 to get a NetNTLMv2, and then pivot using BloodHound to get access to a user who can exploit ESC16 in the ADCS environment.

20.09.2025 15:00 — 👍 1    🔁 0    💬 0    📌 0

My new favorite CTF tip!

If you're stuck on a box, find a writeup and feed the solution to an llm. Use the instructions of "Do not tell me the answer under any circumstances, but guide me as I ask questions."

You'll think critically and make progress without feeling like you cheated.

#CTF #GenAI

19.09.2025 01:26 — 👍 7    🔁 3    💬 2    📌 0
HTB: Baby
Baby is an easy Windows Active Directory box. I'll start by enumerating LDAP to find a default credential, and spray it to find another account it works on. From there, I'll abuse Backup Operators / SeBackupPrivilege to dump both the local and domain hashes, finding a hash for the Administrator account that works to get a shell.

Baby is the second VulnLab box to release on HackTheBox this week. It's an easy Windows AD box with LDAP enumeration, password spraying, and SeBackupPrivilege. I'll do the LDAP enumeration completely from netexec.

19.09.2025 12:08 — 👍 2    🔁 2    💬 0    📌 0
HTB: Forgotten
Forgotten starts with an uninitialized instance of LimeSurvey. I'll do the installation wizard, using a MySQL instance hosted on my VM as the database, and giving myself superadmin access. I'll upload a malicious plugin to get RCE and a shell in the LimeSurvey container. I'll find a password in an environment variable that works for the user account on the host, as well as sudo to get root in the container. I'll abuse that to write a root-owned SetUID binary in a shared folder on the container such that I get access to it on the host and complete the compromise.

Forgotten from VulnLab released on HackTheBox today. It's a nice easy box with LimeSurvey, shared credentials, and a nice Docker abuse to get root.

17.09.2025 02:23 — 👍 2    🔁 1    💬 1    📌 0
HTB: Planning
Planning offers a Grafana instance that's vulnerable to a CVE in DuckDB that is an SQL injection that can lead to remote code execution. I'll abuse that to get a shell as root in the Grafana container. I'll find creds in an environment variable, and use them to pivot to the host over SSH. There I'll find an instance of Crontab UI. I'll get creds from a backup cron, and use it to make my own cron as root to get execution. In Beyond Root I'll dig into the Grafana Swagger UI and the Crontab UI configuration.

Planning from HackTheBox is a nice easy box with Grafana exploitation, creds in environment variables and scripts, and Crontab UI.

13.09.2025 15:00 — 👍 1    🔁 0    💬 0    📌 0
HTB: Delegate
Delegate starts with a bat script on an open SMB share that leaks credentials. I'll use those to targeted Kerberoast another user, and get a shell. That user has SeChangeNotifyPrivilege, which I'll use to give a fake computer unconstrained delegation, and then capture the DC machine account TGT. From there I can DCSync to dump the Administrator's NTLM hash.

Delegate from VulnLab released yesterday on HackTheBox. There's targeted Kerberoasting and more delegation attacks, similar to Redelegate that released last month.

12.09.2025 15:58 — 👍 3    🔁 1    💬 1    📌 0

Yeah, I've been playing with the ghidra mcp. It's really nice

06.09.2025 15:14 — 👍 2    🔁 0    💬 0    📌 0
HTB: Environment
Environment starts with a Laravel website that happens to be running in debug mode. I'll abuse a CVE that allows me to set the environment via the URL. I'll find in the debug crashes that if the environment is set to "preprod", the login page is bypassed, and use that to get access to the internal site. There I'll abuse another CVE to bypass file filtering in the Laravel filemanager to upload a webshell. I'll find a GPG-encrypted file and the private key to get access to the next user. Finally, I'll abuse a sudo rule that allows keeping the BASH_ENV environment variable to get root.

Environment from HackTheBox is all about exploiting Laravel and a couple CVEs in it. There's also some BASH_ENV thrown in for root.

06.09.2025 15:00 — 👍 2    🔁 0    💬 0    📌 0
HTB: Media
Media starts with a PHP site on Windows that takes video uploads. I'll use a wax file to leak a net-NTLMv2 hash, and then crack it to get SSH access to the host. I'll understand how the webserver is writing the files to the filesystem, and use a junction point link to have it write into the web root, allowing me to upload a webshell and get access as local service. I'll use FullPowers to enable the SeImpersonatePrivilege, and then GodPotato to get System.

The second vulnlab release on HackTheBox this week is Media. There's an interesting NTLM capture, followed by a pivot back to the local service account to get SeImpersonate.

04.09.2025 22:35 — 👍 3    🔁 1    💬 0    📌 0
HTB: Race
Race starts with a website on Grav CMS, and a phpSysInfo page. I'll find creds in the process list on phpSysInfo to get into the Grav admin panel as the limited backup user. I'll create a backup, and use the results to reset the password of another admin. From this admin, I'll show two ways to get execution, using CVE-2024-28116 and a malicious theme. From there I'll pivot to the next user with a password from a shell script. For root, I'll abuse a time-of-check / time-of-use vulnerability in a cron script, using named pipes to hang execution allowing me to switch files.

Race is a neat VulnLab box now on HackTheBox involving Grav CMS, phpSysInfo, and a very fun time of check / time of use vulnerability.

02.09.2025 19:22 — 👍 1    🔁 0    💬 0    📌 0

Yeah, I am going to have to really learn the AI side of things, but it's an exciting challenge. I don't think I've fully wrapped my head around all the potential yet :)

01.09.2025 14:38 — 👍 1    🔁 0    💬 1    📌 0
HTB: Eureka
Eureka starts with a Spring Boot website. I'll abuse an exposed heapdump endpoint to get creds from memory and SSH access. From there I'll poison the Spring Cloud Gateway configuration to capture login credentials for another user. To get root, I'll abuse a Bash arithmetic injection to get execution in a script analyzing logs on a cron.

Eureka from HackTheBox showcases exploiting Spring Boot and the heapdump endpoint, Spring Cloud Gateway, and some Bash arithmetic operations.

30.08.2025 15:00 — 👍 1    🔁 0    💬 0    📌 0

Practically speaking, I still plan to continue posting my writeups for HTB retiring machines (time permitting)—though I will fall behind on VulnLab (three posts a week is a lot). I'm hoping to still make YouTube videos, and may even drop in on Cube Talks from time to time. 6/6

28.08.2025 18:49 — 👍 1    🔁 0    💬 1    📌 0