Cypher - HTB Machine

- 12 mins read

Cypher is a Hack The Box machine released on 01 Mar 2025

Summary (How?)

Cypher is a HTB machine running a web app that relies on a Neo4j graph database. A Cypher-injection flaw lets us bypass the login logic and enumerate data. Then, an exposed directory holds a JAR file whose decompiled code reveals a custom Neo4j procedure that executes shell commands without sanitisation (command injection); exploiting that procedure yields remote code execution and a reverse shell.

Artificial - HTB Machine

- 13 mins read

Artificial is a Hack The Box machine from season 8

Summary (How?)

Artificial is a machine with a web interface that allows users to upload and execute TensorFlow .h5 model files. The initial foothold was obtained by embedding reverse shell code inside a Lambda layer and exploiting the backend’s behaviour of loading these models without sandboxing. From there, we accessed the Flask app’s source code, extracted database credentials, dumped the user table, cracked hashes using rockyou.txt, and obtained valid SSH credentials for user gael, leading to the user flag.

Nocturnal - HTB Machine

- 14 mins read

Nocturnal is a Hack The Box machine released on 12 Apr 2025

Summary (How?)

Nocturnal is a Hack The Box machine which serves a web application that allows file upload and download. The interesting/weird thing is that it uses a username parameter in the URL to retrieve and show files for a specific user. This is vulnerable to Insecure Direct Object Reference (IDOR) and also allowed us to enumerate users. Using ffuf we found user amanda and were able to read her files, finding credentials.

Code - HTB Machine

- 11 mins read

Code is a Hack The Box machine released on 22 Mar 2025

Summary (How?)

We’re presented with a Python-based code editor exposed via a web application, allowing users to write, save, and execute Python scripts. However, execution is limited by a blacklist of restricted keywords, making direct command execution impossible at first glance. The first part of the challenge involves bypassing these restrictions to achieve Remote Code Execution (RCE).

To do so, we leverage object-oriented introspection to enumerate loaded Python subclasses and locate the index of the sys module. With access to sys.modules, we enumerate all loaded modules and identify one that exposes a call function—specifically, subprocess.call()—which enables us to execute system commands and obtain a reverse shell.

Dog - HTB Machine

- 8 mins read

Dog is a Hack The Box machine released on 08 Mar 2025

Summary (How?)

I started by identifying the CMS version and other services running on the target, including Backdrop CMS 1.27.1. Through endpoint enumeration and exploration of accessible files and directories, I discovered several open directories, among them .git, which can be downloaded using git-dumper to retrieve the source code of the application.

In the source code I found credentials for the database and some usernames. There was a lot of password reuse, and I managed to access the admin panel using a combination of them. Once there, I leveraged an exploit (CVE-2022-43422) to achieve remote code execution (RCE). From there, I established a web shell, which had a trick since it was getting deleted after a minute, so I modified the payload to get a reverse shell as the www-data user.

This is part one of the Attacking Common Applications skills assessment section.

Summary (How?)

We are presented with a Windows host that has several services running. Among these, the vulnerable one is Tomcat 9.0.0.M1 running on port 8080. It does not have any manager pages available, and it is vulnerable to several CVEs including Ghostcat and CVE-2019-0232; the latter was the key to getting into the machine, as it allowed for RCE. The problem here is that this RCE wasn’t that straightforward: first we needed to fuzz for a vulnerable CGI script located at /cgi/cmd.bat, and then use a Metasploit module that abused this vulnerability to obtain a reverse shell as NT AUTHORITY\SYSTEM.

This is part two of the Attacking Common Applications skills assessment section.

Summary (How?)

We began by scanning the target and identified several open ports hosting potentially interesting services. One of them was GitLab, accessible via a provided virtual host. Enumeration of the GitLab instance revealed a public repository referencing another virtual host: monitoring, which resolved to a Nagios instance.

Next, we created an account on GitLab and logged in. This revealed additional repositories, one of which contained hardcoded credentials for the Nagios web interface. Using these, we accessed the Nagios instance as an admin.

This is part two of the Attacking Common Applications skills assessment section.

Situation

During our penetration test our team found a Windows host running on the network and the corresponding credentials for the Administrator. It is required that we connect to the host and find the hardcoded password for the MSSQL service. What is the hardcoded password for the database connection in the MultimasterAPI.dll file?

Enumeration

We are given the credentials Administrator:xcyj8izxNVzhf4z and a dynamic-link library MultimasterAPI.dll to analyze, so the first thing was logging into the box and searching for this file. We get 3 hits, but from the path I decide to start with the first one.

Planning - HTB Machine

- 11 mins read

Planning is a Hack The Box machine released on 10 May 2025

Summary (How?)

Planning is a box that requires a lot of fuzzing in order to find a Grafana instance, which was vulnerable to CVE-2024-9264, a critical vulnerability allowing arbitrary command execution via unsanitized SQL input to the DuckDB CLI. Using a proof-of-concept exploit, I was able to read files and execute commands, confirming access to the Grafana container but not the host system. Further enumeration revealed valid credentials for the user enzo, which allowed SSH access to the host system.

Titanic - HTB Machine

- 8 mins read

Titanic is a Hack The Box machine released on 15 Feb 2025

Summary (How?)

Titanic is a web application with a Local File Inclusion (LFI) vulnerability, which allowed me to enumerate sensitive files, including the /etc/hosts file that revealed a secondary host dev.titanic.htb. This led to a Gitea instance where I found configuration files exposing the path to Gitea’s database. Using the LFI vulnerability, I downloaded the database, extracted password hashes for the developer user, and cracked them to gain SSH access to the machine as developer.