6 posts tagged with "Arbitrary File Upload"

Arbitrary File Upload is a web application vulnerability that allows an attacker to upload any file to a server, potentially enabling malicious activities such as executing code, injecting malware, or exposing sensitive data. This occurs when user input is not properly validated, allowing attackers to bypass intended security controls and upload files outside the intended scope.

HTB | Jerry | Write-Up

· 13 min read

Summary:

We navigate the Hack The Box website, starting by spawning a target machine. Next, we perform reconnaissance on the target to gather initial information. We identify a running webserver and proceed with directory enumeration using gobuster to uncover hidden directories. After discovering a server status login page with default credentials, we log in to gain access to the Manager App website.

Analyzing this app further, we collect the necessary credentials to log in and then identify a file upload vulnerability on the website. We create a malicious payload using msfvenom, which we use to upload and execute a reverse shell on the target machine. Once a stable shell with system-level access is established, we proceed to grab both the user flag and root flag, ultimately achieving System Own status.

Machine Name: Jerry | Difficulty: Easy | OS: Windows

HTB | Base | Write-Up

· 14 min read

Summary:

We test connectivity, scan, and enumerate the target website. We discover a PHP type-juggling vulnerability and exploit it to gain access to the admin file uploads directory. Using this access, we upload a web shell via the upload functionality. Enumerating the system with our new tool, we find cleartext credentials that grant us user-level SSH access. We then escalate to root by exploiting sudo using find. Finally, we grab the root flag.

Machine Name: Base | Difficulty: Easy | OS: Linux

HTB | Markup | Write-Up

· 15 min read

Summary:

We test connectivity to the target and scan it, then enumerate its website and log in with some default credentials. Once we have user access, we continue enumerating the site. Analyzing the page source code reveals the XML version in use and a potential username.

We exploit the found XXE vulnerability to leak the user's private SSH key, allowing us to access the target machine via SSH and gain user-level access. Next, we grab the user flag. With our foothold established, we enumerate the machine with user-level access until we find a job.bat file that runs with administrator privileges. We exploit this by modifying the scheduled job to run our reverse shell, wait for it to execute, and catch the connection to gain administrative access to the target machine. Finally, we grab the root flag.

Machine Name: Markup | Difficulty: Easy | OS: Windows

HTB | Included | Write-Up

· 25 min read

Summary:

We test connectivity and scan the target, then enumerate its TFTP service and web page. We find an unauthenticated upload function on TFTP and a Local File Inclusion (LFI) vulnerability on the web page. We use these to upload a PHP reverse shell and gain low-level access via LFI.

With this foothold, we upgrade our access to user level using the acquired cleartext credentials. We then grab the user flag, enumerate further, and exploit privilege escalation opportunities to reach root-level access with the help of the lxdprivesc script. Finally, we obtain the root flag.

Machine Name: Included | Difficulty: Easy | OS: Linux

HTB | Oopsie | Write-Up

· 16 min read

Summary:

This article guides users through completing the Oopsie machine challenge on Hack The Box. The steps outline a hacking scenario, from initial connection testing and scanning to exploiting vulnerabilities in a web application, including IDOR, cookie manipulation, and SUID exploitation, ultimately leading to gaining admin access and finally grabbing the root flag.

Machine Name: Oopsie | Difficulty: Easy | OS: Linux

HTB | Three | Write-Up

· 14 min read

Summary:

This article guides users through completing the Three machine challenge on Hack The Box. This is a web hacking challenge that involves exploiting vulnerabilities in an S3 bucket and executing a reverse shell on the target machine. The goal is to retrieve the "flag" file from the target machine.

Machine Name: Three | Difficulty: Easy | OS: Linux