Introduction

This is my first walkthrough for a HTB machine rated as "hard".

Thoughts

Overall a very interesting and fun machine. It has very little guessy elements and is generally a joy to play. Despite it being a Windows machine, most of the exploits focus on poor web configurations.

Overview

This machine was rooted in about 6 hours (with small hints from the official thread in the HTB forum) Here's a breakdown of the chain of events.

1. Nmap Scans to discover open ports and services
2. Checks out SMB but fails to obtain any juicy details
3. Proceed to explore and target the Book search service
4. Dirbusting to find out important endpoints (which includes the admin portal)
5. Changing request variables led to reveal of error messages
6. Proceed to exploit LFI (due to poor sanitisation)
7. Discover various secrets and requirements to login as Paul (admin)
8. Exploit the unrestricted file upload to put a PHP reverse shell in uploads directory
9. Upload a netcat binary to create a stable reverse shell
10. Discover plaintext credentials stored in Juliette who is always hungry for pizza
11. Login as Juliette (SSH) and obtain user.txt
12. Understands that passwords are stored in plaintext in Microsoft Sticky Notes
13. Extract login password of development account
14. Dissassemble the self-made Krypter_Linux binary to reveal important internal endpoints and services
15. Port forward the password manager service using SSH
16. Exploit basic UNION based SQL injection to reveal password hash
17. Decrypt using the AES key and hash to obtain administrator password
18. Login as Administrator and obtain root.txt