Fluffy - HTB Machine

Sat, 20 Sep 2025 03:38:50 -0300

Summary (How?)

We started by enumerating the provided credentials for the user j.fleischman and identified an SMB share named IT. After downloading files from the share, we discovered a PDF detailing vulnerabilities, including CVE-2025-24071, which enabled me to craft a malicious .zip file to leak NTLM hashes via Windows Explorer’s automatic file parsing. Using this exploit, we captured the NTLM hash for the user p.agila and cracked its password.

With p.agila’s credentials, we found that the user had GenericAll permissions over the SERVICE ACCOUNTS group. This allowed us to add p.agila to the group and, subsequently, perform a Shadow Credentials attack to impersonate the WINRM_SVC account, successfully gaining access to the system as that user.

Cypher - HTB Machine

Thu, 10 Jul 2025 03:38:50 -0300

Cypher is a Hack The Box machine released on 01 Mar 2025

Summary (How?)

Cypher is a HTB machine running a web app that relies on a Neo4j graph database. A Cypher-injection flaw lets us bypass the login logic and enumerate data. Then, an exposed directory holds a JAR file whose decompiled code reveals a custom Neo4j procedure that executes shell commands without sanitisation (command injection); exploiting that procedure yields remote code execution and a reverse shell.

Artificial - HTB Machine

Tue, 24 Jun 2025 03:38:50 -0300

Artificial is a Hack The Box machine from season 8

Summary (How?)

Artificial is a machine with a web interface that allows to upload and execute TensorFlow .h5 model files. The initial foothold was obtained by embedding a reverse shell code inside a Lambda layer and exploiting the backend’s behavior which loads these models without sandboxing. From there, we accessed the Flask app’s source code, extracted database credentials, dumped the user table, cracked hashes using rockyou.txt, and obtained valid SSH credentials for user gael, leading to the user flag.

Nocturnal - HTB Machine

Sat, 21 Jun 2025 03:38:50 -0300

Nocturnal is a Hack The Box machine released on 12 Apr 2025

Summary (How?)

Nocturnal is a Hack The Box machine which serves a web application that allows file upload and download. The interesting/weird thing is that it utilizes a username parameter in the URL to retrieve and show files for an specific user. This is vulnerable to Insecure Direct Object Reference (IDOR) and also allowed us to enumerate users. Using ffuf we found user amanda and were able to read her files finding credentials.

Code - HTB Machine

Sat, 14 Jun 2025 03:38:50 -0300

Code is a Hack The Box machine released on 22 Mar 2025

Summary (How?)

We’re presented with a Python-based code editor exposed via a web application, allowing users to write, save, and execute Python scripts. However, execution is limited by a blacklist of restricted keywords, making direct command execution impossible at first glance. The first part of the challenge involves bypassing these restrictions to achieve Remote Code Execution (RCE).

To do so, we leverage object-oriented introspection to enumerate loaded Python subclasses and locate the index of the sys module. With access to sys.modules, we enumerate all loaded modules and identify one that exposes a call function—specifically, subprocess.call()—which enables us to execute system commands and obtain a reverse shell.

Dog - HTB Machine

Tue, 10 Jun 2025 03:38:50 -0300

Dog is a Hack The Box machine released on 08 Mar 2025

Summary (How?)

Started by identifying the CMS version and other services running on the target, including Backdrop CMS 1.27.1. Through endpoint enumeration and exploration of accessible files and directories, I discovered several opened directories, among them .git which can be downloaded using git-dumper to retrieve the source code of the applicaiton

In the source code I found credentials for the database and some usernames. A lot of password reuse after I managed to access the admin panel using a combination of them. Once there, leveraged an exploit (CVE-2022-43422) to achieve remote code execution (RCE). From there, I established a web shell, which had a trick since it was getting deleted after a minute, so I modified the paylod to get a reverse shell as the www-data user.

Attacking Common Applications - Part I

Tue, 03 Jun 2025 03:38:50 -0300

This is the part one of the Attacking Common Application’s skills assessment section.

Summary (How?)

We are presented with a Windows host that has several services running. Among these the vulnerable one is Tomcat 9.0.0.M1 running on port 8080. This does not have any manager pages available, and its vulnerable to several CVEs including Ghostcat and CVE-2019-0232, the latter was the key to get into the machine, as it allowed for RCE. The problem here is that this RCE wasn’t that straight forward, first we needed to fuzz a vulnerable CGI script located in /cgi/cmd.bat and the use a metasploit module that abused this vulnerability to obtain a reverse shell as NT authority/system.

Attacking Common Applications - Part II

Tue, 03 Jun 2025 03:38:50 -0300

This is the part two of the Attacking Common Application’s skills assessment section.

Summary (How?)

We began by scanning the target and identified several open ports hosting potentially interesting services. One of them was GitLab, accessible via a provided virtual host. Enumeration of the GitLab instance revealed a public repository referencing another virtual host: monitoring, which resolved to a Nagios instance.

Next, we created an account on GitLab and logged in. This revealed additional repositories, one of which contained hardcoded credentials for the Nagios web interface. Using these, we accessed the Nagios instance as an admin.

Attacking Common Applications - Part III

Tue, 03 Jun 2025 03:38:50 -0300

This is the part two of the Attacking Common Application’s skills assessment section.

Situation

During our penetration test our team found a Windows host running on the network and the corresponding credentials for the Administrator. It is required that we connect to the host and find the hardcoded password for the MSSQL service. What is the hardcoded password for the database connection in the MultimasterAPI.dll file?

Enumeration

We are given the credentials Administrator:xcyj8izxNVzhf4z and a dynamic-linked libraty MultimasterAPI.dll to analyze, so the first thing was loggin into the box and search for this file, we get 3 hits, but from the path I decide to start with the first one.

Planning - HTB Machine

Mon, 12 May 2025 03:38:50 -0300

Planning is a Hack The Box machine released on 10 May 2025

Summary (How?)

Planning is a box with a huge fuzzing to do in order to find a Grafana instance, which was vulnerable to CVE-2024-9264, a critical vulnerability allowing arbitrary command execution via unsanitized SQL input to the DuckDB CLI. Using a proof-of-concept exploit, I was able to read files and execute commands, confirming access to the Grafana container but not the host system. Further enumeration revealed valid credentials for the user enzo, which allowed SSH access to the host system.

Titanic - HTB Machine

Fri, 09 May 2025 03:38:50 -0300

Titanic is a Hack The Box machine released on 15 Feb 2025

Summary (How?)

Titanic is a web application with a Local File Inclusion (LFI) vulnerability, which allowed me to enumerate sensitive files, including the /etc/hosts file that revealed a secondary host dev.titanic.htb. This led to a Gitea instance where I found configuration files exposing the path to Gitea’s database. Using the LFI vulnerability, I downloaded the database, extracted password hashes for the developer user, and cracked them to gain SSH access to the machine as developer.

Linux Privilege Escalation

Wed, 07 May 2025 03:38:50 -0300

This post explains the process of enumerating a linux system in order to find paths to escalate privileges.

Overiview

Automated tools

Manual - General things

These are the general things we will be enumerating in the process below

OS

OS Version
Kernel Version

Services

Running Services: ps aux | grep root
Installed Packages and Versions

User

whoami, id, hostname
User Home Directories
Sudo Privileges: sudo -l

Files & Directories

Configuration files: .conf & .config
Readable Shadow File
Password Hashes in /etc/passwd (more common on embedded devices and routers)
Writeable Directories
Writeable Files
SETUID and SETGID Permissions

Cron Jobs

Under: /etc/cron*

File Systems

Unmounted File System and Aditional Drivers
File Systems & Additional Drives

Process of enumeration

1. Gaining Situational Awareness

whoami
id
hostname

cat /etc/os-release

echo $PATH
env

uname -a
lscpu

cat /etc/shells

lsblk    # block devices
lpstat   # printers
cat /etc/fstab

# network information
route
arp -a

cat /etc/passwd
cat /etc/passwd | cut -f1 -d: # usernames
grep "*$" /etc/passwd

cat /etc/group
getent group sudo

ls /home

# file systems
df -h
# unmounted fs
cat /etc/fstab | grep -v "#" | column -t

# hidden files for $USER
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep $USER
# setuid files
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
# setgid files
find / -uid 0 -perm -6000 -type f 2>/dev/null
# hidden directories
find / -type d -name ".*" -ls 2>/dev/null

ls /var/tmp   # data retained 30 days
ls /tmp       # data retained 10 days or until system reboot

2. Linux Services & Internals Enumeration

ip a

cat /etc/hosts

lastlog # users's last login command
who     # check who's logged in
finger

history
find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null
# finding history files

# Cronjobs
ls -la /etc/cron.*/
cat /etc/crontab

# writeable files (check for cronjob abuse)
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

# proc filesystem is a virtual fs that contains info about system processes, hw, system info
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list # list of installed packages
sudo -V  # sudo version
ls -l /bin /usr/bin/ /usr/sbin/ # list of binaries
# compare available binaries against GTFO
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/

#  analyze system calls and signal processing
strace ping -c1 IP

find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null # configuration files

# Scripts
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
ps aux | grep root
# running services by user

3. Credential Hunting

See Credential Hunting Linux

Linux Credential Hunting

Tue, 06 May 2025 03:38:50 -0300

Configuration Files

find all possible configuration files on the system

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" **2**>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

run the scan directly for each file found with the specified file extension and output the contents. In this example, we search for three words (user, password, pass) in each file with the file extension .cnf.

Active Directory Enumeration and Attacks - Part I

Tue, 08 Apr 2025 03:38:50 -0300

Summary (How?)

We gain initial access to the internal Active Directory environment through a web shell. We begin by enumerating the host and retrieving the first flag located on the administrator’s desktop. Using the compromised host, the web shell, and Ligolo-ng, we pivot into the internal network.

During internal enumeration, we discover a host named MS01. We compromise the local administrator account on this machine using a Pass-the-Hash attack, leveraging NTLM hashes obtained from the initial foothold.

Introduction to ISO2700X

Thu, 06 Feb 2025 03:38:50 -0300

¿Que es la ISO27001?

La ISO 27001 es una norma internacional que define los requisitos generales y establece que debes implementar controles de seguridad específicos como parte de un Sistema de Gestión de Seguridad de la Información (SGSI), no detalla cómo hacerlo. Indica qué controles son necesarios para gestionar los riesgos de seguridad de la información de manera efectiva.

Es aplicable a todo tipo de organizaciones donde la información es un activo del que dependen los objetivos y resultados de una organización.

SQLMap - Skills Assessment

Sun, 08 Dec 2024 03:38:50 -0300

Introduction

sqlmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. It supports a wide range of SQL injection techniques, including boolean-based, time-based, error-based, and UNION query-based attacks.

The goal of this module is to introduce us into the tool and how it is useful in real-world scenarios where SQLi is feasible. That’s why in this writeup the key is in finding the vulnerable parameter.

Post Quantum Cryptography

Tue, 16 Jul 2024 03:38:50 -0300

Notas utilizadas para mi presentacion sobre criptografía post cuántica con la que me recibí de Ingeniero en Computación 🎓

Introducción/Contexto de PQC

La criptografía de llave pública depende de funciones matemáticas que son “fáciles de hacer y difíciles de deshacer” (to do and to undo). Las variantes más utilizadas hasta ahora son vulnerables al Algoritmo de Shor:

RSA: factorización de números primos
Diffie-Hellman: problema del logaritmo discreto

Si se puede resolver el problema matemático, se puede romper la criptografía.

$whoami

Mon, 01 Jan 0001 00:00:00 +0000

Hi 👋🏻

My name is Francisco, or frang4 and I am a Computer Engineer passioned about computer science and more precisely offensive security. I am a curious learner and the idea behind this blog/notes is to share some of my work, feel free to reach out.

Experience

Key highlights:

Hands-on experience in penetration testing, vulnerability assessment, and exploit development, gained through both professional roles and active participation in CTFs.
Technical expertise in DevSecOps and secure infrastructure design.
Solid knowledge of risk treatment strategies and compliance with standards such as ISO/IEC 27001.

My background combines offensive and defensive security skills with a strategic mindset, allowing me to work cross-functionally with development and operations teams to embed security from design through deployment.