Introduction
This is my first walkthrough for an HTB machine rated as "hard".
Thoughts
Overall a very interesting and fun machine. It has very few guessy elements and is generally a joy to play. Despite being a Windows machine, most of the exploits focus on poor web configurations.
Overview
This machine was rooted in about 6 hours (with small hints from the official thread in the HTB forum). Here's a breakdown of the chain of events.
- Nmap scans to discover open ports and services
- Check out SMB, but fail to obtain any juicy details
- Proceed to explore and target the Book search service
- Dirbust to find important endpoints (including the admin portal)
- Change request variables, which reveals error messages
- Proceed to exploit an LFI (caused by poor sanitisation)
- Discover various secrets and the requirements to log in as Paul (admin)
- Exploit the unrestricted file upload to place a PHP reverse shell in the uploads directory
- Upload a netcat binary to create a stable reverse shell
- Discover plaintext credentials for Juliette, who is always hungry for pizza
- Log in as Juliette (SSH) and obtain user.txt
- Understand that passwords are stored in plaintext in Microsoft Sticky Notes
- Extract the login password of the development account
- Disassemble the self-made Krypter_Linux binary to reveal important internal endpoints and services
- Port forward the password manager service using SSH
- Exploit a basic UNION-based SQL injection to reveal a password hash
- Decrypt using the AES key and hash to obtain the administrator password
- Log in as Administrator and obtain root.txt