7Rocky

Hash function. XOR. Oracle

CRLF Injection. RegEx bypass. Server-Side Template Injection

Hash length extension attack. Custom hash function

64-bit binary. Heap exploitation. Heap feng shui. House of Einherjar. Format String vulnerability

Command injection

Hack The Box. Linux. Easy machine. This machine has a vulnerable version of Apache OFBiz that can be exploited to get RCE using an authentication bypass and Java deserialization payload. Once on the machine, we can inspect the database and search for the password hash of the administrator user. Once the hash is cracked, we can reuse the password and gain access as root

Hack The Box. Linux. Insane machine. This machine exposes a web application that allows to create custom domains with HTML code. Moreover, there is a Docker registry exposed where we can download Docker image blobs after getting a suitable JWT token. The web application is running a WAR file with Tomcat, we can decompile it and see that it queries a RMI server. Since Tomcat is behind an nginx reverse proxy, we can access some sensitive Tomcat servlets to modify our session and set manager permissions on the web application. We need this to modify the RMI configuration using a mass assignment vulnerability and point the RMI server to us. After that, we can exploit an insecure deserialization vulnerability in Java to get RCE in a container. Then, we can interact with the legitimate RMI server using port forwarding. This server allows us to read arbitrary files with a directory traversal attack. We can find a plaintext password for user developer, which is reused in SSH. Then, root is executing a JAR file to analyze files of the hosting website by sending them to a ClamAV server. The problem here is that the JAR calls functions from the RMI register, which is restarted periodically. Therefore, we can craft a malicious RMI registry and exploit win a race condition to take the port, so that root queries our malicious registry and talks to our fake ClamAV server. The result is that all files at /root will be quarantined inside a readable directory, which leads to the privilege escalation

Hack The Box. Linux. Easy machine. This machine has a web application that is vulnerable to SSRF, which can be used to read the contents of an internal server, which is vulnerable to command injection. The two vulnerabilities can be chained to get RCE on the machine. The low-privileged user is able to run systemctl as root using sudo, which leads to the privilege escalation via the default pager less

Hack The Box. Linux. Easy machine. This machine has a website that exposes a Git repository. We are able to extract the PHP source of the web application and find out that it uses ImageMagick under the hood to process uploaded images. The version of ImageMagick has a local file read vulnerability that can be used to read a SQLite database file and find a plaintext password for emily, which is used in SSH too. After that, we find that root executes a Bash script that uses binwalk to remove malware from uploaded image files. The version of binwalk is vulnerable to Remote Code Execution, which leads to the privilege escalation

Hack The Box. Linux. Medium machine. This machine has a website that allows to encrypt, decrypt and verify signatures using PGP. The website is vulnerable to SSTI in Flask, which is the way to access the machine as atlas. However, this environment is limited due to firejail, but we are able to find a plaintext password to login as silentobserver in SSH. As this user, we are able to modify a Rust project that is used in another Rust project that runs periodically as atlas. With this power, we can get access as atlas again, but outside firejail. Finally, since firejail is a SUID binary, we can use a public exploit to become root