# Machines - HTB

***A collection of walkthroughs and insights for tackling challenges on Hack The Box. Explore different techniques and approaches to enhance your cybersecurity skills.***

## Walkthroughs and Techniques

<table data-card-size="large" data-view="cards"><thead><tr><th></th><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><h2>WifineticTwo</h2></td><td><em><strong>WifineticTwo</strong> is a medium-difficulty Linux machine with OpenPLC on port 8080, vulnerable to Remote Code Execution (CVE-2021-31630). After gaining initial access, a WPS attack is executed to retrieve the Wi-Fi password for an Access Point. This enables targeting the OpenWRT router to obtain a root shell via its web interface.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FHe27ruqJ4L4e5OlVrzDE%2FScreenshot%202024-09-27%20222400.png?alt=media&#x26;token=fddde477-b4a4-4f74-8d66-754590ed4d31">Screenshot 2024-09-27 222400.png</a></td><td><a href="https://medium.com/@RejuKole.com/wifinetictwo-htb-walkthrough-by-reju-kole-090245a7b5c6">https://medium.com/@RejuKole.com/wifinetictwo-htb-walkthrough-by-reju-kole-090245a7b5c6</a></td></tr><tr><td><h2>Runner</h2></td><td><p><em><strong>Runner</strong> is a medium-difficulty Linux box with a <strong>TeamCity</strong> vulnerability (CVE-2023-42793) for authentication bypass. We extract <strong>matthew's</strong> credentials and <strong>john's</strong> SSH key, then access a <strong>Portainer</strong> instance with limited privileges. 
Finally, we exploit a <strong>runc</strong> vulnerability (CVE-2024-21626) to create a SUID bash file on the host.</em></p></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2F1oRZupQttvCraLX5YbaJ%2FScreenshot%202024-09-27%20222123.png?alt=media&#x26;token=4938c677-9f8e-44ac-a323-b2c87872aa2c">Screenshot 2024-09-27 222123.png</a></td><td><a href="https://medium.com/@RejuKole.com/runner-htb-walkthrough-by-reju-kole-ba5508ee0493">https://medium.com/@RejuKole.com/runner-htb-walkthrough-by-reju-kole-ba5508ee0493</a></td></tr><tr><td><h2>Perfection</h2></td><td><em><strong>Perfection</strong> is an easy Linux machine with a web application for calculating student scores, vulnerable to Server-Side Template Injection (SSTI) via regex bypass. Exploiting this grants foothold access, and the user is in the sudo group. Enumeration reveals password hashes and a possible format. A mask attack uncovers the user's password, enabling root access.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FI1yZCWwzIg4Z6Ez8sXC8%2FScreenshot%202024-09-27%20222534.png?alt=media&#x26;token=2a1453cd-5abb-492f-9269-9ae319e38f2f">Screenshot 2024-09-27 222534.png</a></td><td><a href="https://medium.com/@RejuKole.com/perfection-htb-walkthrough-by-reju-kole-fc7cb46877a4">https://medium.com/@RejuKole.com/perfection-htb-walkthrough-by-reju-kole-fc7cb46877a4</a></td></tr><tr><td><h2>Lame</h2></td><td><em><strong>Lame</strong> is an easy Linux machine, requiring only one exploit to obtain root access. 
It was the first machine published on Hack The Box and was often the first machine for new users prior to its retirement.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FdbM60y3ByVD90nJv6yfI%2FScreenshot%202024-09-27%20223444.png?alt=media&#x26;token=45688072-064c-4014-9827-1276dd899b48">Screenshot 2024-09-27 223444.png</a></td><td><a href="https://medium.com/@RejuKole.com/lame-htb-walkthrough-by-reju-kole-bcd80d803b26">https://medium.com/@RejuKole.com/lame-htb-walkthrough-by-reju-kole-bcd80d803b26</a></td></tr><tr><td><h2>Cap</h2></td><td><em><strong>Cap</strong> is an easy Linux machine with an HTTP server for administrative functions, vulnerable to Insecure Direct Object Reference (IDOR). This allows access to another user’s network capture, revealing plaintext credentials for foothold access, which is escalated to root using a Linux capability.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FDE6Xcw6rn00fwWvyl64E%2FScreenshot%202024-09-27%20222826.png?alt=media&#x26;token=5f0a29d8-1a5b-4a35-be4f-45c377b6d35a">Screenshot 2024-09-27 222826.png</a></td><td><a href="https://medium.com/@RejuKole.com/cap-htb-walkthrough-by-reju-kole-213efe7b6655">https://medium.com/@RejuKole.com/cap-htb-walkthrough-by-reju-kole-213efe7b6655</a></td></tr><tr><td><h2>BoardLight</h2></td><td><em><strong>BoardLight</strong> is a Linux machine with a vulnerable <code>Dolibarr</code> instance (CVE-2023-30253), granting <code>www-data</code> access. Extracting credentials from config files allows <code>SSH</code> access. 
Privilege escalation is achieved through a <code>SUID</code> binary (CVE-2022-37706), leading to root.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FuwpSgmEZLA0JoDB6Bo6w%2FScreenshot%202024-09-29%20190533.png?alt=media&#x26;token=76a84584-b899-49e5-8806-a428be60f616">Screenshot 2024-09-29 190533.png</a></td><td><a href="https://medium.com/@RejuKole.com/boardlight-htb-walkthrough-by-reju-kole-cbb348d97c35">https://medium.com/@RejuKole.com/boardlight-htb-walkthrough-by-reju-kole-cbb348d97c35</a></td></tr><tr><td><h2>Cicada</h2></td><td><em>Coming Soon!!!!</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FnUzZSsTfdn5RDYa476g0%2FScreenshot%202024-09-29%20191855.png?alt=media&#x26;token=8992eb15-a091-43bb-9753-0327f9c8b5c3">Screenshot 2024-09-29 191855.png</a></td><td></td></tr><tr><td><h2>GreenHorn</h2></td><td><em>GreenHorn is an easy machine exploiting Pluck for RCE and highlighting risks of pixelated credentials and exposed open-source configurations revealing sensitive data.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FLXOAVMKUsbomKnP35KkF%2FScreenshot%202024-09-29%20205455.png?alt=media&#x26;token=71f70ab3-37cf-4caa-8d16-a4a863319088">Screenshot 2024-09-29 205455.png</a></td><td><a href="https://medium.com/@RejuKole.com/greenhorn-htb-walkthrough-by-reju-kole-49107e31efa0">https://medium.com/@RejuKole.com/greenhorn-htb-walkthrough-by-reju-kole-49107e31efa0</a></td></tr><tr><td><h2>EvilCUPS</h2></td><td><em>EvilCUPS is a Linux machine with a CUPS command injection vulnerability (<strong>CVE-2024-47176</strong>). 
It allows unauthenticated users to execute commands via a malicious printer, gaining "lp" user access and the root password from print jobs.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FowLgHxZyGzmEU1bNHorj%2FScreenshot%202024-10-02%20184148.png?alt=media&#x26;token=e118f6f5-5f80-415a-bc86-1a0c82691f55">Screenshot 2024-10-02 184148.png</a></td><td><a href="https://medium.com/@RejuKole.com/evilcups-htb-walkthrough-by-reju-kole-21e2f1126ed5">https://medium.com/@RejuKole.com/evilcups-htb-walkthrough-by-reju-kole-21e2f1126ed5</a></td></tr><tr><td><h2>PermX</h2></td><td><em><code>PermX</code> is an easy Linux machine with a file upload vulnerability (CVE-2023-4220) for initial access. SSH credentials are found, and a <code>sudo</code> misconfiguration is exploited to gain <code>root</code> access.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FTM6CnD2LKwHH25HAdYtN%2FScreenshot%202024-11-08%20001539.png?alt=media&#x26;token=115f619e-d655-4351-b8e1-28f4053caf8e">Screenshot 2024-11-08 001539.png</a></td><td><a href="https://medium.com/@RejuKole.com/permx-htb-walkthrough-by-reju-kole-20b4dc2c4243">https://medium.com/@RejuKole.com/permx-htb-walkthrough-by-reju-kole-20b4dc2c4243</a></td></tr><tr><td><h2>Blue</h2></td><td><em>Blue, while possibly the simplest machine on Hack The Box, demonstrates the severity of the EternalBlue exploit, which has been used in multiple large-scale ransomware and crypto-mining attacks since it was leaked publicly.</em></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FafCrmzTnb4cBlKShulre%2FScreenshot%202024-11-25%20144426.png?alt=media&#x26;token=638ee3fd-9012-4bfd-9de5-044516c0ee65">Screenshot 2024-11-25 144426.png</a></td><td><a 
href="https://medium.com/@RejuKole.com/blue-htb-walkthrough-by-reju-kole-7305c7c90f8f">https://medium.com/@RejuKole.com/blue-htb-walkthrough-by-reju-kole-7305c7c90f8f</a></td></tr><tr><td><h2>Legacy</h2></td><td><p><em>Legacy is a fairly straightforward beginner-level machine which demonstrates the potential security risks of SMB on Windows. Only one publicly available exploit is required to obtain administrator access.</em></p></td><td></td><td><a href="https://1745675063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FCGGWKlHlJ0MPv2R7Ca7k%2Fuploads%2FiSs2OU2vaiQHmNfVhBLc%2FScreenshot%202024-11-25%20193037.png?alt=media&#x26;token=f6bef6df-03d9-45f1-a01e-cdefe8ca61b5">Screenshot 2024-11-25 193037.png</a></td><td><a href="https://medium.com/@RejuKole.com/legacy-htb-walkthrough-by-reju-kole-2dc839bec876">https://medium.com/@RejuKole.com/legacy-htb-walkthrough-by-reju-kole-2dc839bec876</a></td></tr></tbody></table>
