HTB – Conversor

Machine: Conversor
Platform: Hack The Box
Difficulty: Easy
OS: Linux
Focus: Web exploitation, XML/XSLT injection, credential reuse, privilege escalation via misconfigured sudo binary

Enumeration

We begin with a full TCP port scan using nmap:

    nmap -sT -p- --min-rate 2000 10.10.11.92

This is a TCP connect scan (-sT) across all 65535 ports (-p-), with the minimum packet rate raised to 2000 packets per second to speed up discovery. From the output, we observe the following open ports:

    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    9090/tcp open  zeus-admin

Note that without -sV the SERVICE column is a name looked up from nmap's port table, not the result of a probe, so "zeus-admin" on 9090 only tells us the port is open, not what is actually listening there. Based on the presence of ports 80 and 9090, it is reasonable to assume that the target is hosting a web application. We navigate to the target IP address (10.10.11.92) in a browser and observe that it resolves to the domain: ...

December 25, 2025 · 4 min
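The usual follow-up to a fast full-port sweep like the one above is to feed the discovered ports into a targeted service and script scan. The snippet below is an added example, not part of the write-up: it parses nmap's grepable (-oG) output for open TCP ports and builds that second command. The -oG host line is constructed here to mirror the three ports found on 10.10.11.92; the function names and the choice of -sC -sV for the follow-up are this example's own.

```shell
#!/bin/sh
# Added example (not from the Conversor write-up).
# Constructed nmap -oG output matching the ports in the excerpt above.
SAMPLE_GNMAP=$(printf '# Nmap 7.94 scan initiated\nHost: 10.10.11.92 ()\tStatus: Up\nHost: 10.10.11.92 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 9090/open/tcp//zeus-admin///\tIgnored State: closed (65532)\n# Nmap done\n')

# Print the open TCP ports from -oG text as a comma-separated list (e.g. 22,80,9090).
# -oG fields are tab-separated; each port entry is port/state/proto/owner/service/...
extract_open_ports() {
  printf '%s\n' "$1" | awk -F'\t' '
    /Ports:/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entries, /, /)
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] == "open" && f[3] == "tcp") ports[++k] = f[1]
        }
      }
    }
    END {
      for (j = 1; j <= k; j++) printf "%s%s", (j > 1 ? "," : ""), ports[j]
      printf "\n"
    }'
}

# Build the targeted scan command for the discovered ports on a given host.
# Returns non-zero if no open TCP ports were found, so callers can stop early.
followup_scan_cmd() {
  ports=$(extract_open_ports "$1")
  [ -n "$ports" ] || return 1
  printf 'nmap -sC -sV -p%s %s\n' "$ports" "$2"
}

# Usage: run the fast sweep with -oG, then hand the file to these helpers.
#   nmap -sT -p- --min-rate 2000 -oG fast.gnmap 10.10.11.92
#   followup_scan_cmd "$(cat fast.gnmap)" 10.10.11.92
followup_scan_cmd "$SAMPLE_GNMAP" 10.10.11.92
```

Parsing -oG instead of the human-readable table avoids breaking when nmap changes column widths, and keeping the second scan limited to the open ports keeps -sC -sV fast on a target with only a handful of services.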

HTB – Imagery

Machine: Imagery
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Web exploitation, stored XSS leading to admin session hijacking, LFI via log viewer, full source code review, command injection in image processing, credential extraction from encrypted backups, and privilege escalation through misconfigured cron functionality

Introduction

Imagery is a Linux machine from Hack The Box that focuses heavily on web application analysis and source code review. The attack path requires chaining multiple vulnerabilities, including stored XSS, local file inclusion, command injection, and misconfigured scheduled tasks, making it an excellent machine for practising real-world web exploitation methodology. ...

December 27, 2025 · 7 min

HTB – Previous

Machine: Previous
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Next.js middleware auth bypass, LFI with secret leakage, credential extraction, and privilege escalation via Terraform provider (plugin) hijacking

Executive Summary

Previous is a Linux machine that exposes real-world vulnerabilities in modern web applications. The attack chain includes:

- Next.js middleware authorization bypass (CVE-2025-29927)
- Local File Inclusion (LFI) through an insecure download endpoint
- Information disclosure and credential leakage
- Privilege escalation via Terraform provider hijacking

This write-up walks through each issue and shows practical exploitation techniques. ...

January 8, 2026 · 5 min