Time is a medium-rated machine on HackTheBox created by egotisticalSW and felamos. It takes us through exploiting a Java deserialization vulnerability in a JSON validator web application and abusing a cronjob with a misconfigured file permission set to gain a root shell.
Information gathering is an integral part of cybersecurity. We need to enumerate our target to find any potential loopholes. As cybersecurity enthusiasts, we use different services like Shodan and Censys, and perform things like fingerprinting, Google Dorking, etc. This blog post will make you familiar with another great service, Spyse.
Passage is an interesting Linux machine that takes us from exploiting an RCE in the CuteNews 2.1.2 content management system to exploiting the USB-Creator D-Bus interface to gain root access.
This box was created by egre55 and mrb3n. It takes us through exploiting a simple IDOR in a web application to escalate our privileges and access a task list, which reveals a virtual host used for development and testing purposes. We then exploit an unserialize RCE in the PHP Laravel framework and receive a reverse shell. We then enumerate the machine to find credentials and sensitive files, and use misconfigured permissions on /usr/bin/composer to escalate to root on the machine.
Feline is a super fun box created by MinatoTW and MrR3boot, two hackers I admire a lot for their work. Give them a follow on their Twitter profiles! This box takes us from exploiting a Java deserialization vulnerability in a custom web application hosted on an Apache Tomcat server, to exploiting an RCE in SaltStack to gain a shell inside a Docker container, and finally to getting root on the host by exploiting an exposed docker.sock file.