
Introduction

This is my first walkthrough for an HTB machine rated as "hard".

Breadcrumbs stats

Thoughts

Overall, a very interesting and fun machine. It has very few guessy elements and is generally a joy to play. Despite it being a Windows machine, most of the exploits focus on poor web configurations.

Overview

This machine was rooted in about 6 hours (with small hints from the official thread in the HTB forum). Here's a breakdown of the chain of events.

  1. Nmap scans to discover open ports and services
  2. Check out SMB but fail to obtain any juicy details
  3. Proceed to explore and target the Book search service
  4. Dirbusting to find important endpoints (including the admin portal)
  5. Changing request variables led to the reveal of error messages
  6. Proceed to exploit LFI (due to poor sanitisation)
  7. Discover various secrets and requirements to log in as Paul (admin)
  8. Exploit the unrestricted file upload to put a PHP reverse shell in the uploads directory
  9. Upload a netcat binary to create a stable reverse shell
  10. Discover plaintext credentials stored in Juliette who is always hungry for pizza
  11. Log in as Juliette (SSH) and obtain user.txt
  12. Understand that passwords are stored in plaintext in Microsoft Sticky Notes
  13. Extract the login password of the development account
  14. Disassemble the self-made Krypter_Linux binary to reveal important internal endpoints and services
  15. Port forward the password manager service using SSH
  16. Exploit basic UNION-based SQL injection to reveal password hash
  17. Decrypt using the AES key and hash to obtain administrator password
  18. Log in as Administrator and obtain root.txt