This post documents my process for solving the Blocky box on Hack The Box. The machine revolves around web enumeration, WordPress, reverse engineering a Java plugin, MySQL credential hunting, and privilege escalation. Reference https://0xdf.gitlab.io/2020/06/30/htb-blocky.html Recon Nmap nmap -sC -sV 10.10.10.37 PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD 1.3.5a 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 8192/tcp closed sophos Notes: ...
This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned. References 0xdf’s writeup Python library hijack privilege escalation Recon NMAP Scan └──╼ [★]$ nmap -sC -sV 10.10.10.123 Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-03 15:01 CDT Nmap scan report for 10.10.10.123 Host is up (0.011s latency). Not shown: 993 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA) | 256 e5:44:01:46:ee:7a:bb:7c:e9:1a:cb:14:99:9e:2b:8e (ECDSA) |_ 256 00:4e:1a:4f:33:e8:a0:de:86:a6:e4:2a:5f:84:61:2b (ED25519) 53/tcp open domain ISC BIND 9.11.3-1ubuntu1.2 (Ubuntu Linux) | dns-nsid: |_ bind.version: 9.11.3-1ubuntu1.2-Ubuntu 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-title: Friend Zone Escape software |_http-server-header: Apache/2.4.29 (Ubuntu) 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 443/tcp open ssl/http Apache httpd 2.4.29 |_http-server-header: Apache/2.4.29 (Ubuntu) | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time |_http-title: 404 Not Found | ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO | Not valid before: 2018-10-05T21:02:30 |_Not valid after: 2018-11-04T21:02:30 445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP) Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-time: | date: 2025-07-03T20:02:08 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_clock-skew: mean: -1h00m00s, deviation: 1h43m55s, median: -1s | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: friendzone | NetBIOS computer name: FRIENDZONE\x00 | Domain name: \x00 | FQDN: friendzone |_ System time: 2025-07-03T23:02:09+03:00 |_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds title: FriendZone HTB Walkthrough date: 2025-07-03 categories: [Penetration Testing, CTF Walkthrough, Privilege Escalation, Web Application Security] tags: [HTB, FriendZone, SMB, LFI, privilege escalation, python hijack, reverse shell, DNS, enumeration] This post covers my process for solving the FriendZone box on Hack The Box. It demonstrates a typical CTF methodology: recon, enumeration, exploitation (web and SMB), privilege escalation via Python library hijacking, and lessons learned. ...
This post documents my process for solving the Neonify box on Hack The Box. This challenge revolves around a Ruby application vulnerable to Server-Side Template Injection (SSTI) via a regex newline bypass. Challenge Description It’s time for a shiny new reveal for the first-ever text neonifier. Come test out our brand new website and make any text glow like a lo-fi neon tube! Solution After looking at the source code, I noticed it was a Ruby application and suspected some kind of command injection. I didn’t immediately see the path, so I referred to a writeup and discovered that the challenge is about “ERB SSTI via newline regex bypass.” There’s very little public writeup info on this exact method, which made it a great learning opportunity. ...
This post documents my process for solving the Toxic box on Hack The Box. This box is all about PHP insecure deserialization, exploiting LFI, and using log poisoning to achieve remote code execution. Synopsis PHP insecure deserialization to LFI that abuses log poisoning for RCE. Learning References: https://ianpeter.medium.com/exploiting-log-poisoning-through-lfi-and-serialization-in-php-e039e7b126ad The official writeup I wasn’t sure what to do at first, so I checked the writeup after struggling for a while. Challenge Analysis & Source Code Review The web page didn’t reveal much, but looking at the source code, you see: ...
This post documents my process for solving the LoveTok box on Hack The Box. The challenge involves analyzing PHP source code, understanding the misuse of addslashes, and exploiting command injection through the eval function. Description True love is tough, and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back. ...
This post documents my process for solving the Phonebook box on Hack The Box. The box focuses on LDAP injection and brute-forcing credentials using knowledge of LDAP search/filter syntax. Solve I didn’t find any obvious attack vectors except for a DOM-based HTML injection. After checking a writeup, I learned the challenge was about LDAP injection—a topic I had little prior experience with. What is LDAP Injection? According to PayloadAllTheThings, LDAP Injection is a vulnerability that occurs when user-supplied input is used to construct LDAP queries without proper sanitization or escaping. ...
This post documents my process for solving the Pandora box on Hack The Box. The challenge focuses on recon, SNMP enumeration, port forwarding, SQLi on an internal service, and a series of lateral movement and privilege escalation steps. Recon Initial port scan: ports=$(nmap -p- --min-rate=1000 -T4 10.10.11.136 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) nmap -p$ports -sC -sV 10.10.11.136 Open ports: 22 (SSH) 80 (HTTP, Apache, Ubuntu) Enumerated with UDP scan (-sU): ...
This post documents my process for solving the Validation box on Hack The Box. This challenge centers on SQL injection, writing a web shell via SQLi, and privilege escalation via password reuse. Recon Started with full port scan: ports=$(nmap -p- --min-rate=1000 -T4 <IP> | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) echo $ports # 22,80,4566,5000,5001,5002,5003,5004,5005,5006,5007,5008,8080 nmap -p$ports -sC -sV 10.10.11.116 Main open ports: 22 (SSH), 80 (Apache), 4566 (nginx), 8080 (nginx). ...
This post documents my process for solving the Writeup box on Hack The Box. The machine revolves around web enumeration, CMS exploitation, SQLi, hash cracking, and privilege escalation via PATH hijacking. Recon Target: 10.10.10.138 nmap -sC -sV 10.10.10.138 Results: 22/tcp (SSH) OpenSSH 9.2p1 Debian 80/tcp (HTTP) Apache httpd 2.4.25 (Debian) robots.txt has a disallowed entry: /writeup/ Site uses CMS Made Simple, version 2.2.9.1 CMS Exploitation Accessed /writeup and /writeup/doc/CHANGELOG.txt to confirm CMS version. ...
This post documents my process for solving the Help box on Hack The Box. This box involves GraphQL enumeration, credential dumping, hash cracking, and classic web application enumeration and exploitation. Recon Initial nmap scan: nmap -sC -sV -oA nmap/help <IP> Found GraphQL running on port 3000. GraphQL Enumeration Referred to PayloadsAllTheThings - GraphQL Injection to start enumeration. Discovered GraphQL types via introspection: http://10.10.10.121:3000/graphql?query={__schema{types{name}}} Full schema dump and queries revealed a user type with username and password fields. ...