Artificial is a Hack The Box machine from season 8
Summary (How?)
Artificial is a machine with a web interface that allows uploading and executing TensorFlow .h5 model files. The initial foothold on Artificial was obtained by embedding a reverse shell inside a Lambda layer, a feature known to allow arbitrary code execution during model deserialization; we exploited the backend’s behavior of loading these models without sandboxing. From there, we accessed the Flask app’s source code, extracted database credentials, dumped the user table, cracked the hashes using rockyou.txt, and obtained valid SSH credentials for the user gael, leading to the user flag.
Code is a Hack The Box machine released on 22 Mar 2025
Summary (How?)
We’re presented with a Python-based code editor exposed via a web application, allowing users to write, save, and execute Python scripts. However, execution is limited by a blacklist of restricted keywords, making direct command execution impossible at first glance. The first part of the challenge involves bypassing these restrictions to achieve Remote Code Execution (RCE).
To do so, we leverage object-oriented introspection to enumerate loaded Python subclasses and locate the index of the sys module. With access to sys.modules, we enumerate all loaded modules and identify one that exposes a call function—specifically, subprocess.call()—which enables us to execute system commands and obtain a reverse shell.
Dog is a Hack The Box machine released on 08 Mar 2025
Summary (How?)
I started by identifying the CMS version and other services running on the target, including Backdrop CMS 1.27.1. Through endpoint enumeration and exploration of accessible files and directories, I discovered several open directories, among them .git, which can be downloaded using git-dumper to retrieve the source code of the application.
In the source code I found credentials for the database and some usernames. There was a lot of password reuse, and I managed to access the admin panel using a combination of them. Once there, I leveraged an exploit (CVE-2022-43422) to achieve remote code execution (RCE). From there, I established a web shell, which came with a catch: it was getting deleted after a minute, so I modified the payload to get a reverse shell as the www-data user.
This is part one of the Attacking Common Applications skills assessment section.
Summary (How?)
We are presented with a Windows host that has several services running. Among these, the vulnerable one is Tomcat 9.0.0.M1 running on port 8080. It does not have any manager pages available, and it is vulnerable to several CVEs including Ghostcat and CVE-2019-0232; the latter was the key to getting into the machine, as it allowed for RCE. The catch is that this RCE wasn’t that straightforward: first we needed to fuzz for a vulnerable CGI script located at /cgi/cmd.bat and then use a Metasploit module that abuses this vulnerability to obtain a reverse shell as NT AUTHORITY\SYSTEM.
This is part two of the Attacking Common Applications skills assessment section.
Summary (How?)
We began by scanning the target and identified several open ports hosting potentially interesting services. One of them was GitLab, accessible via a provided virtual host. Enumeration of the GitLab instance revealed a public repository referencing another virtual host: monitoring, which resolved to a Nagios instance.
Next, we created an account on GitLab and logged in. This revealed additional repositories, one of which contained hardcoded credentials for the Nagios web interface. Using these, we accessed the Nagios instance as an admin.
This is part two of the Attacking Common Applications skills assessment section.
Situation
During our penetration test, our team found a Windows host running on the network and the corresponding credentials for the Administrator. We are required to connect to the host and find the hardcoded password for the MSSQL service.
What is the hardcoded password for the database connection in the MultimasterAPI.dll file?
Enumeration
We are given the credentials Administrator:xcyj8izxNVzhf4z and a dynamic-link library, MultimasterAPI.dll, to analyze, so the first thing was logging into the box and searching for this file. We get 3 hits, but based on the path I decided to start with the first one.
These are the general things we will be enumerating in the process below
OS
OS Version
Kernel Version
Services
Running Services: ps aux | grep root
Installed Packages and Versions
User
whoami, id, hostname
User Home Directories
Sudo Privileges: sudo -l
Files & Directories
Configuration files: .conf & .config
Readable Shadow File
Password Hashes in /etc/passwd (more common on embedded devices and routers)
Writeable Directories
Writeable Files
SETUID and SETGID Permissions
Cron Jobs
Under: /etc/cron*
File Systems
Unmounted File Systems and Additional Drives
File Systems & Additional Drives
Process of enumeration
1. Gaining Situational Awareness
whoami
id
hostname
cat /etc/os-release
echo $PATH
env
uname -a
lscpu
cat /etc/shells
lsblk # block devices
lpstat # printers
cat /etc/fstab
# network information
route
arp -a
cat /etc/passwd
cat /etc/passwd | cut -f1 -d: # usernames
grep "*$" /etc/passwd
cat /etc/group
getent group sudo
ls /home
# file systems
df -h
# unmounted fs
cat /etc/fstab | grep -v "#" | column -t
# hidden files for $USER
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep $USER
# setuid files
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
# setgid files
find / -uid 0 -perm -6000 -type f 2>/dev/null
# hidden directories
find / -type d -name ".*" -ls 2>/dev/null
ls /var/tmp # data retained 30 days
ls /tmp # data retained 10 days or until system reboot
2. Linux Services & Internals Enumeration
ip a
cat /etc/hosts
lastlog # users' last login
who # check who's logged in
finger
history
# finding history files
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
# cronjobs
ls -la /etc/cron.*/
cat /etc/crontab
# writeable files (check for cronjob abuse)
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
# proc filesystem is a virtual fs that contains info about system processes, hw, system info
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list # list of installed packages
sudo -V # sudo version
ls -l /bin /usr/bin/ /usr/sbin/ # list of binaries
# compare available binaries against GTFOBins
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/
# analyze system calls and signal processing
strace ping -c1 IP
# configuration files
find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
# scripts
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
# running services by user
ps aux | grep root
Find all possible configuration files on the system:
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
Run the scan directly for each file found with the specified file extension and output the contents. In this example, we search for three words (user, password, pass) in each file with the file extension .cnf:
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done
We gain initial access to the internal Active Directory environment through a web shell. We begin by enumerating the host and retrieving the first flag located on the administrator’s desktop. Using the compromised host, the web shell, and Ligolo-ng, we pivot into the internal network.
During internal enumeration, we discover a host named MS01. We compromise the local administrator account on this machine using a Pass-the-Hash attack, leveraging NTLM hashes obtained from the initial foothold.
ISO 27001 is an international standard that defines general requirements and establishes that you must implement specific security controls as part of an Information Security Management System (ISMS); it does not detail how to do so. It indicates which controls are necessary to manage information security risks effectively.
It applies to all types of organizations where information is an asset on which the organization's objectives and results depend.