HTB – Conversor

Machine: Conversor
Platform: Hack The Box
Difficulty: Easy
OS: Linux
Focus: Web exploitation, XML/XSLT injection, credential reuse, privilege escalation via misconfigured sudo binary

Enumeration

We begin with a basic full TCP port scan using nmap:

nmap -sT -p- --min-rate 2000 10.10.11.92

This scan performs a full TCP connect scan against all ports, increasing the minimum packet rate to speed up discovery. From the output, we observe the following open ports:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

Based on the presence of ports 80 and 9090, it is reasonable to assume that the target is hosting a web application. We navigate to the target IP address (10.10.11.92) using a browser and observe that it resolves to the domain: ...

December 25, 2025 · 4 min

HTB – Strutted

Machine: Strutted
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Apache Struts2 exploitation (CVE-2024-53677), file upload bypass, JSP web shell, reverse shell, credential disclosure, privilege escalation via misconfigured tcpdump sudo permissions

Enumeration

We begin the assessment with a full TCP port scan using nmap in order to identify exposed services:

nmap -p- --min-rate=1000 -T4 10.10.11.59

This scan checks all TCP ports while increasing the scan speed using a higher timing template and minimum packet rate. ...

December 26, 2025 · 3 min

Web Reconnaissance

Intro Web reconnaissance is the foundation of a strong security test. It maps assets and technology choices before deeper testing begins and reduces blind spots. Types of Recon Recon uses two approaches: active and passive. Active touches systems directly, while passive relies on public sources. Active Recon Active recon interacts with the target to gather accurate data. It is effective but increases detection risk because requests are logged by servers and security tools. ...

December 24, 2025 · 6 min

Web Fuzzing

Introduction to Web Fuzzing Web fuzzing is used when a site does not link to hidden pages or does not expose anything useful through normal navigation. The technique sends many controlled inputs to an interface to see how the server responds. In some notes, the Spanish verb for fuzzing is translated as borrar, but the actual goal is discovery. When you do this correctly, you can reveal directories, pages, subdomains, and parameters that are not linked anywhere. ...

January 7, 2026 · 7 min

HTB – Imagery

Machine: Imagery
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Web exploitation, stored XSS leading to admin session hijacking, LFI via log viewer, full source code review, command injection in image processing, credential extraction from encrypted backups, and privilege escalation through misconfigured cron functionality

Introduction

Imagery is a Linux machine from Hack The Box that heavily focuses on web application analysis and source code review. The attack path requires chaining multiple vulnerabilities, including stored XSS, local file inclusion, command injection, and misconfigured scheduled tasks, making it an excellent machine to practice real-world web exploitation methodology. ...

December 27, 2025 · 7 min

SQL Injection

Introduction SQL injection (SQLi) happens when user input changes the final SQL query sent by a web application. The impact ranges from reading sensitive data to modifying records or writing files on the server. This guide merges database basics with practical SQLi techniques and commands so you can connect theory to hands-on exploitation. Database Foundations Modern web applications rely on databases to store content, user data, and configuration. Understanding DBMS structure and query behavior helps you predict how an injection point will behave and which payloads are likely to work. It also helps you distinguish between relational and non-relational systems when fingerprinting the backend. ...

December 24, 2025 · 7 min

HTTP Protocol Foundations

Intro Most communication on the Internet is performed through web requests using the Hypertext Transfer Protocol (HTTP). HTTP is an application-layer protocol designed to enable the retrieval and exchange of resources across the World Wide Web. The term hypertext refers to text that contains references (links) to other resources, enabling non-linear navigation between documents. HTTP follows a client-server communication model. The client, typically a web browser or command-line tool, initiates a request for a resource. The server processes this request and returns a response containing the requested resource or an error message. By default, HTTP operates over TCP port 80, although servers may be configured to listen on alternative ports. ...

December 23, 2025 · 5 min

HTB – Previous

Machine: Previous
Platform: Hack The Box
Difficulty: Medium
OS: Linux
Focus: Next.js middleware auth bypass, LFI with secret leakage, credential extraction, and privilege escalation via Terraform plugin hijacking

Executive Summary

Previous is a Linux machine that exposes real-world vulnerabilities in modern web applications. The attack chain includes:

- Next.js middleware authorization bypass (CVE-2025-29927)
- Local File Inclusion (LFI) through an insecure download endpoint
- Information disclosure and credential leakage
- Privilege escalation via Terraform provider hijacking

This write-up walks through each issue and shows practical exploitation techniques. ...

January 8, 2026 · 5 min

Web Application Security Foundations

Intro Web applications are interactive applications that run inside web browsers and typically follow a client-server architecture. In this model, the client (browser) is responsible for rendering the interface and interacting with the user, while the server handles application logic, data processing, and persistence. This separation enables scalability, flexibility, and centralized control, but also introduces a wide attack surface that must be properly understood from a security perspective. From a security engineering point of view, this separation of responsibilities is critical. Any data crossing the boundary between client and server must be considered untrusted by default, regardless of client-side validation. Attackers can fully control browsers, manipulate requests, and bypass front-end restrictions, which is why secure design always assumes a hostile client environment. ...

December 23, 2025 · 8 min

Local File Inclusion LFI

Introduction to LFI Local File Inclusion (LFI) happens when a web app loads a file based on user input without strict validation. This usually appears in template engines and dynamic page loaders that read content based on a parameter like ?language=es. If the path is not restricted, an attacker can read arbitrary local files such as /etc/passwd, and in some cases LFI can lead to remote code execution. Modern apps often use parameters to reduce duplicate templates and keep routing simple. That pattern becomes dangerous when the parameter controls the file path directly. Testing starts by identifying the parameter and then trying known local files. ...

January 8, 2026 · 7 min