Hackthebox on chw㉿world:~$

HackTheBox: EscapeTwo [Active Directory]

Sat, 30 Aug 2025 00:00:00 +0000

HackTheBox: EscapeTwo [Active Directory]

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/EscapeTwo

Initial Enumeration

● Start Machine: 10.10.11.51

HackTheBox: Puppy [Active Directory]

Sat, 30 Aug 2025 00:00:00 +0000

HackTheBox: Puppy [Active Directory]

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/Puppy

Initial Enumeration

● Start Machine: 10.10.11.70

HackTheBox: TheFrizz [Active Directory]

Sat, 30 Aug 2025 00:00:00 +0000

HackTheBox: TheFrizz [Active Directory]

[TOC]

HackTheBox: Heal

Thu, 24 Apr 2025 00:00:00 +0000

HackTheBox: Heal

[TOC]

HackTheBox: Titanic

Wed, 23 Apr 2025 00:00:00 +0000

HackTheBox: Titanic

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/Titanic

Initial Enumeration

● Start Machine: 10.10.11.55

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.55 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-09 01:41 EDT
Stats: 0:00:11 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 01:41 (0:00:01 remaining)
Nmap scan report for 10.10.11.55
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_ 256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://titanic.htb/
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH, HTTP

HackTheBox: Dog

Sun, 20 Apr 2025 00:00:00 +0000

HackTheBox: Dog

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/Dog

Initial Enumeration

● Start Machine: 10.10.11.58

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-18 03:59 EDT
Nmap scan report for 10.10.11.58
Host is up (0.47s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
| 256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_ 256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-title: Home | Dog
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin 
| /comment/reply /filter/tips /node/add /search /user/register 
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
| http-git: 
| 10.10.11.58:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: todo: customize url aliases. reference:https://docs.backdro...
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.22 seconds

SSH, HTTP

HackTheBox: Code

Sat, 19 Apr 2025 00:00:00 +0000

HackTheBox: Code

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/Code

Initial Enumeration

● Start Machine: 10.10.11.62

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.62
Nmap scan report for 10.10.11.62
Host is up (0.32s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 b5:b9:7c:c4:50:32:95:bc:c2:65:17:df:51:a2:7a:bd (RSA)
| 256 94:b5:25:54:9b:68:af:be:40:e1:1d:a8:6b:85:0d:01 (ECDSA)
|_ 256 12:8c:dc:97:ad:86:00:b4:88:e2:29:cf:69:b5:65:96 (ED25519)
5000/tcp open http Gunicorn 20.0.4
|_http-title: Python Code Editor
|_http-server-header: gunicorn/20.0.4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SSH, HTTP

HackTheBox: Codify

Fri, 11 Apr 2025 00:00:00 +0000

HackTheBox: Codify

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/machines/Codify

Initial Enumeration

●Start Machine:

Solution

1. Attempt

1.1 Edit /etc/hosts

/etc/hosts

HackTheBox: LinkVortex

Fri, 11 Apr 2025 00:00:00 +0000

HackTheBox: LinkVortex

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/LinkVortex

Initial Enumeration

● Start Machine: 10.10.11.47

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.47 
Nmap scan report for 10.10.11.47
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 3e:f8:b9:68:c8:eb:57:0f:cb:0b:47:b9:86:50:83:eb (ECDSA)
|_ 256 a2:ea:6e:e1:b6:d7:e7:c5:86:69:ce:ba:05:9e:38:13 (ED25519)
80/tcp open http Apache httpd
|_http-title: Did not follow redirect to http://linkvortex.htb/
|_http-server-header: Apache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.69 seconds

SSH, HTTP

HackTheBox: UnderPass

Fri, 11 Apr 2025 00:00:00 +0000

HackTheBox: UnderPass

[TOC]

Topic

Lab

HackTheBox:
https://app.hackthebox.com/machines/UnderPass

Initial Enumeration

● Start Machine: 10.10.11.48

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.48 
Nmap scan report for 10.10.11.48
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 48:b0:d2:c7:29:26:ae:3d:fb:b7:6b:0f:f5:4d:2a:ea (ECDSA)
|_ 256 cb:61:64:b8:1b:1b:b5:ba:b8:45:86:c5:16:bb:e2:a2 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 625.00 seconds

SSH, HTTP

HackTheBox: RenderQuest

Mon, 29 Apr 2024 00:00:00 +0000

HackTheBox: RenderQuest

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/challenges/RenderQuest

Initial Enumeration

●Start Machine: http://94.237.57.59:38703 (301) http://94.237.57.59:38703/render?page=index.tpl

Submit: CHW

http://94.237.57.59:38703/render?use_remote=true&page=CHW 500 (Internal Server Error)

Solution

1.Code Review

neon.rb

class NeonControllers < Sinatra::Base

 configure do
 set :views, "app/views"
 set :public_dir, "public"
 end

 get '/' do
 @neon = "Glow With The Flow"
 erb :'index'
 end

 post '/' do
 if params[:neon] =~ /^[0-9a-z ]+$/i
 @neon = ERB.new(params[:neon]).result(binding)
 else
 @neon = "Malicious Input Detected"
 end
 erb :'index'
 end

end

提交的@neon 需要符合正規表達式: /^[0-9a-z ]+$/i

HackTheBox: Neonify

Wed, 24 Apr 2024 00:00:00 +0000

HackTheBox: Neonify

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/challenges/Neonify

Initial Enumeration

●Start Machine: https://83.136.254.223:30167/

Submit: CHW

CHW

Submit: $(ls)

Malicious Input Detected

Solution

1.Code Review

neon.rb

class NeonControllers < Sinatra::Base

 configure do
 set :views, "app/views"
 set :public_dir, "public"
 end

 get '/' do
 @neon = "Glow With The Flow"
 erb :'index'
 end

 post '/' do
 if params[:neon] =~ /^[0-9a-z ]+$/i
 @neon = ERB.new(params[:neon]).result(binding)
 else
 @neon = "Malicious Input Detected"
 end
 erb :'index'
 end

end

提交的@neon 需要符合正規表達式: /^[0-9a-z ]+$/i

HackTheBox: jscalc

Fri, 19 Apr 2024 00:00:00 +0000

HackTheBox: jscalc

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/challenges/jscalc

Initial Enumeration

●Start Machine: http://94.237.57.59:46780/

(Calculate)

Solution

1.Code Review

● main.js

let formula = document.getElementById('formula');
let form = document.getElementById('form');
let output = document.getElementById('output');

const flash = (message, level) => {
 alerts.innerHTML += `
 <div class="alert alert-${level}" role="alert">
 <button type="button" id="closeAlert" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
 <strong>${message}</strong>
 </div>
 `;
};

form.addEventListener('submit', e => {
	e.preventDefault();

	fetch('/api/calculate', {
		method: 'POST',
		body: JSON.stringify({
			formula: formula.value
		}),
		headers: {'Content-Type': 'application/json'}
	}).then(resp => {
		return resp.json();
	}).then(resp => {
 result = resp.message.toString();

		if (result.includes('wrong')) {
 flash(result, 'danger');

 setTimeout(() => {
 document.getElementById('closeAlert').click();
 }, 2000);

 return;
 }
 
 flash(result, 'success');

 setTimeout(() => {
 document.getElementById('closeAlert').click();
 }, 2000);
 
 output.value = result;
 
 })
});

"formula":"100*10-3+340" 用JSON格式 POST 到 fetch /api/calculate Content-Type: application/json

HackTheBox: LoveTok

Thu, 11 Apr 2024 00:00:00 +0000

HackTheBox: LoveTok

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/challenges/198

Initial Enumeration

●Start Machine: http://206.189.28.180:30492/

Solution

1. Attempt

1.1 nmap scan

nmap -sC -sV -T4 206.189.28.180

這題非滲透，只開 port 30492

1.2 dirsearch scan

dirsearch -u http://206.189.28.180:30492/

/.DS_Store

●.DS_Store用途

1.3 Browse

1.3.1 Click on the button, url changes

HackTheBox: Pilgrimage

Thu, 11 Apr 2024 00:00:00 +0000

HackTheBox: Pilgrimage

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/machines/Pilgrimage

Initial Enumeration

●Start Machine:

Solution

1. Attempt

1.1 Edit /etc/hosts

/etc/hosts

HackTheBox: Topology

Wed, 22 Nov 2023 00:00:00 +0000

HackTheBox: Topology

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/machines/Topology

Initial Enumeration

●Start Machine:

Solution

1. Attempt

1.1 Edit /etc/hosts

/etc/hosts

10.10.11.217 topology.htb

1.2 Browse http://topology.htb/

1.3 nmap scan

nmap -sC -sV -T4 10.10.11.217

HackTheBox: Sau

Thu, 19 Oct 2023 00:00:00 +0000

HackTheBox: Sau

[TOC]

Topic

Lab

HackTheBox:

https://app.hackthebox.com/machines/Sau

Initial Enumeration

●Start Machine:

Solution

1. nmap scan

nmap -sC -sV -T4 10.10.11.224

Hackthebox on chw㉿world:~$

HackTheBox: EscapeTwo [Active Directory]

HackTheBox: EscapeTwo [Active Directory]

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: Puppy [Active Directory]

HackTheBox: Puppy [Active Directory]

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: TheFrizz [Active Directory]

HackTheBox: TheFrizz [Active Directory]

Table of Contents

HackTheBox: Heal

HackTheBox: Heal

Table of Contents

HackTheBox: Titanic

HackTheBox: Titanic

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: Dog

HackTheBox: Dog

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: Code

HackTheBox: Code

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: Codify

HackTheBox: Codify

Table of Contents

Topic

Lab

HackTheBox:

Initial Enumeration

Solution

1. Attempt

1.1 Edit /etc/hosts

HackTheBox: LinkVortex

HackTheBox: LinkVortex

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: UnderPass

HackTheBox: UnderPass

Table of Contents

Topic

Lab

Initial Enumeration

HackTheBox: RenderQuest

HackTheBox: RenderQuest

Table of Contents

Topic

Lab

HackTheBox:

Initial Enumeration

Solution

1.Code Review

HackTheBox: Neonify

HackTheBox: Neonify

Table of Contents

Topic

Lab

HackTheBox:

Initial Enumeration

Solution

1.Code Review

HackTheBox: jscalc

HackTheBox: jscalc

Table of Contents