Welcome! This is my personal blog about my achievements and learning experiences in the world of IT.
- Andre Marcos Isidoro
User Flag Started by doing some nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out haze.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out haze.htb On port 8000 we find a Splunk service, and on port 8089 we can find the Splunk version. It appears that this version has a critical vulnerability (CVE-2024-36991, an arbitrary file read): https://www.sonicwall.com/blog/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads Let’s try to exploit it: https://github.com/bigb0x/CVE-2024-36991 python CVE-2024-36991.py -u http://haze.htb:8000 We are unable to crack the hashes, but we find 3 potential users: edward, mark and paul....
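As an added example (not part of the writeup or of the linked PoC), a small Python check that reads the version splunkd advertises on the management port (8089) and compares it with the releases that fix CVE-2024-36991. The fixed versions (9.0.10, 9.1.5, 9.2.2) and the Windows-only scope come from Splunk's advisory for this CVE; that the root of the management port returns an unauthenticated Atom feed carrying the version is an assumption based on this box, and the sample feed embedded below is constructed.

```python
"""Version check for CVE-2024-36991 (Splunk Enterprise arbitrary file read).

Added example, not the writeup's or the PoC's code. Fixed releases are taken
from Splunk's advisory for the CVE: 9.0.10, 9.1.5 and 9.2.2. The flaw only
affects Splunk Enterprise on Windows, so confirm the OS before trusting a
'vulnerable' verdict. Network access is optional; parsing works offline.
"""
import re
import ssl
import sys
import urllib.request

# First fixed release per affected branch (Splunk advisory for CVE-2024-36991).
FIXED = {(9, 0): (9, 0, 10), (9, 1): (9, 1, 5), (9, 2): (9, 2, 2)}

# Constructed sample of the Atom feed splunkd returns at https://host:8089/
# (assumption: unauthenticated on this box). Build hash is made up.
SAMPLE_FEED = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<feed xmlns="http://www.w3.org/2005/Atom"><title>splunkd</title>'
    '<generator build="abcdef012345" version="9.1.1"/></feed>'
)


def parse_version(text):
    """Turn '9.1.1' (or '9.1') into an int tuple; raise if no version is present."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if `version` is in an affected branch below its first fixed release,
    False if at or above the fix, None if the branch is not listed in the
    advisory (report as 'unknown' rather than guessing)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def extract_version(feed_xml):
    """Pull the version attribute out of the feed's <generator> element."""
    m = re.search(r'<generator[^>]*\bversion="([^"]+)"', feed_xml)
    if not m:
        raise ValueError("no <generator version=...> element in feed")
    return m.group(1)


def fetch_version(host, port=8089):
    """Fetch the root feed of the management port and return the version string.
    splunkd ships a self-signed certificate, so verification is disabled."""
    ctx = ssl._create_unverified_context()
    url = f"https://{host}:{port}/"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return extract_version(resp.read().decode("utf-8", "replace"))


def verdict(version):
    """Human-readable result for a version string."""
    state = is_vulnerable(version)
    if state is None:
        return f"{version}: branch not covered by the advisory"
    if state:
        return f"{version}: vulnerable to CVE-2024-36991 (if running on Windows)"
    return f"{version}: at or above the fixed release"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "haze.htb"
    print(verdict(fetch_version(host)))
```

Run it as `python splunk_check.py haze.htb`; the result only tells you the version is in the affected range, so pair it with the OS fingerprint from nmap before spending time on the file-read PoC.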
User Flag Nmap scans: sudo nmap -p- --min-rate=1000 -oN nmap.out hospital.htb sudo nmap -p$ports -sC -sV -vv -oN nmap_scripts.out hospital.htb Navigating to port 8080: After registering an account, we have access to a file upload feature: Since this is a PHP web application, let’s try uploading a PHP web shell: echo '<?php system($_REQUEST["cmd"]); ?>' > ./shell.php We can intercept the request: And notice that it is redirecting to /failed.php: Trying some common PHP extensions leads us to a /success....
User flag Started by doing some nmap scans: The only interesting port seems to be port 80, so let’s enumerate it. Found a statistics vhost, but it returns a 401 Unauthorized HTTP code: Still, I’m going to add it to the /etc/hosts file. Going to this subdomain, we are asked for credentials: The login form is simply sending the username and password, base64 encoded, in the Authorization header (HTTP Basic authentication): I also did a dir scan on the page, but only got the expected results, except for a messages page:...
User Flag Started by doing some nmap scans: I tried to do some enumeration with vhosts and dirs, but didn’t find anything interesting, so let’s look at the website: Very simple page. When we log in we see that we can upload a CIF file and then view it: I tried changing the file in the request and doing some injections, but couldn’t get anything to work. But searching for an exploit for CIF files found something interesting:...
User Flag We start by doing the usual nmap scans: In the nmap scan we can already notice some interesting things: there is a Ghost 5.58 install and a /ghost directory. Let’s move on. Two ports open: SSH and HTTP. Starting with port 80, we do our typical vhost and dir scans. There is a dev vhost, so let’s add it to the /etc/hosts file and do a dir scan on it: We collected a lot of useful information with these scans....
User Flag I started by doing some nmap scans: I did some dir and DNS enumeration on port 80 but couldn’t find anything, so let’s check the website: On the website I found nothing of interest except a download link for an APK file, so let’s download it and extract the code. To do this I used a Visual Studio Code extension: Looking for config files in the extracted code I found: This means there are two other vhosts for the application, so let’s add them to the /etc/hosts file....
I’m excited to share that, as of April 3rd, 2025, I’ve officially passed the Certified Penetration Testing Specialist (CPTS) exam by HackTheBox! For those unfamiliar, CPTS is a hands-on certification focused on real-world penetration testing techniques. It covers the full pentesting lifecycle, from information gathering to post-exploitation, and is known for its practical, lab-based approach. The exam itself was a 10-day hands-on assessment where I had to compromise 8 different machines organized in a lab resembling a real-life scenario....
Moving away from Medium With the launch of this blog, my Medium profile is no longer necessary. I wasn’t entirely satisfied with Medium, as many of its best features were locked behind paywalls, so I don’t consider this a loss. Nonetheless, here is a link to my previous profile, where you can find my past posts. https://medium.com/@andremisidoro