The description states:  "This VM is made for playing with privileges. As its name, this box is specially made for learning and sharpening Linux Privilege Escalation skills. There are number of ways to playing with the privileges." 

    Seems like there were a number of options but I think I took the most direct.  When I scanned with the long version of Nmap, it showed a long time for completion.  I kick off with the short form:


    One of the reasons why I like HTB is the fact that they have current operating systems.  Let me restate that -- current Windows operating systems.  I have to be well-rounded but 75% of my work is with Windows and Windows applications.  In the world of capture the flag, the majority of systems are Linux.

    As you can guess, Sniper is a Windows box and it's a wicked ride.  I learned quite a few things along the way and I went down a legitimate rabbit hole because I wanted to learn more about a particular aspect of the compromise.  I'll get to that in a minute.  Moving on, we kick off with Nmap:


    [UPDATED]

    The description states:  "Debian 10 64 bit machine . This is a simple box. No advanced stuff , just some fun… can you find the trail to root?"

    I'm not into boxes that I have to brute force my way in.  The box states "simple" but I would add not beginner.  It's not hard but a beginner might get stuck.  It almost feels like something broke when the box was pushed up because it just doesn't feel right.  The picture on Vulnhub shows the Forbidden page on the web and that is completely useful to us.  I don't want to get too far ahead and this one goes quick so here goes...


    "Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation."

    I'm working on something and I had the idea of infecting a CHM document.  Turns out, you can extract the contents using 7zip.  With the help of the Microsoft HTML Help Workshop, we can modify the contents with our malicious code and recompile it back together. 


    Right off the bat, I want to say that this is probably one of the better boxes I've had the opportunity to play on.  I took a red teaming class a couple of years ago and we played around with BloodHound.  Unfortunately, the networks we manage aren't too complicated and the path drawn by BloodHound is typically to move from "this" user to "this" workstation where there's a domain admin.  From "that" machine, you can get the domain controller.  Not that Forest was too far off, but it was clever, different, and it has a few moving parts.

    I realize that's sort of a spoiler, but I found the box by searching for "real world hack the box" or something like that and it mentioned a few clues as to where things were going.  You still have to do the work.



    © 2020 sevenlayers.com