This blog post is a writeup for the updown machine from hackthebox. It contains the steps to exploit a web app vulnerability, crack a password hash, and escalate privileges using a cron job to get the root flag.
Tried multiple php rev shells, bind shells or examples to execute shell commands which use proc_open or had that as title, from which none of em worked. php-fpm stuff just went off over my head. We need to manually create the shell from the php docs :
Here is my way of learning ethical hacking and cybersecurity; this list is not at all comprehensive. I will be coming back to this article and updating its content. Please let me know in the comments below if you found something new or if I can improve/add something to my repertoire.
I'm using Oracle VirtualBox both for my target boxes and the attack box. All boxes are running on a separate internal network and the Kali box is NATed. A separate network without Internet connection is crucial, especially when planning on booting up the Metasploitable.
I don't have any Guest Additions Tools installed, as this just increases the attack surface. I know, this is painful to get used to, but it is a conscious decision to undergo such inconvenience from time to time to keep my data more secure.
All boxes have the same user/password setup and have some security measures turned off, like firewall and password policy. Also, each box has a snapshot called "Fresh" that is taken after initial setup was completed. None of them is exposed to the Internet.
Snapshot Kali. Make sure the Attack Box is disconnected from the Internet and connected to the internal hacknet. Turn on both VMs. Perform actions. Optional: reconnect the attack box to upload notes. Shut down the machines. Restore snapshots.
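A pre-flight check for the workflow above, as an added example that is not part of the original post: it reads the output of `VBoxManage showvminfo <vm> --machinereadable` and fails if any enabled adapter is not attached to the internal network. The network name `hacknet` comes from the post; the VM name in the usage comment and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: confirm a VirtualBox VM is attached only to the internal lab
# network before it is started.
# Live usage (VM name is a placeholder):
#   VBoxManage showvminfo "target-box" --machinereadable | check_isolated

LAB_NET="hacknet"   # internal network name used in the post

# Reads key="value" lines on stdin. Prints one line per adapter that is
# enabled but not "intnet" on $LAB_NET, and returns non-zero if any exist.
check_isolated() {
    awk -F= -v lab="$LAB_NET" '
        # nicN holds the attachment mode; nictypeN, nicspeedN etc. are skipped
        $1 ~ /^nic[0-9]+$/    { gsub(/"/, "", $2); mode[substr($1, 4)] = $2 }
        # intnetN holds the internal network name for adapter N
        $1 ~ /^intnet[0-9]+$/ { gsub(/"/, "", $2); net[substr($1, 7)] = $2 }
        END {
            bad = 0
            for (s in mode) {
                if (mode[s] == "none") continue          # adapter disabled
                if (mode[s] != "intnet" || net[s] != lab) {
                    printf "nic%s mode=%s net=%s\n", s, mode[s], net[s]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: target box with a single internal-network adapter.
sample_isolated() { cat <<'EOF'
name="target-box"
nic1="intnet"
intnet1="hacknet"
nictype1="82540EM"
nic2="none"
EOF
}

# Constructed sample: attack box still NATed on adapter 1.
sample_nat() { cat <<'EOF'
name="attack-box"
nic1="nat"
natnet1="nat"
nic2="intnet"
intnet2="hacknet"
EOF
}

sample_isolated | check_isolated && echo "target-box: isolated"
sample_nat | check_isolated || echo "attack-box: not isolated, fix before booting targets"
```

An adapter is reported even when its virtual cable is unplugged, so the check errs on the side of flagging.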
Time spent with this tool is not wasted time because you will use it through all your mastery levels. Numerous possibilities come from intercepting and modifying the requests and responses between host and website.
Collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Both platforms are paid ones, but if you are a participant in the Visual Studio Dev Essentials program, you should have some free months to use on them - if you happen to work in a company that is a Microsoft Partner, ask your employer if you have access to the Microsoft Subscription benefits.
Great materials, comprehensive and well-prepared. There are few free modules, for the more advanced you have to pay in Cubes (currency acquired through subscription or direct payment). HTB also often organizes CTFs and events together with other partners. There are also many hacking boxes put on rotations (active/retired) on their App portal (retired ones are only for subscribers).
Just remember one thing - don't lose your goal. Your goal is to learn hacking and cybersecurity, not to become a celebrity. But at the same time try to engage your community - even when you don't have any (like me right now :D ). Act like you do, ask questions, participate in discussions. First - it will become natural for you, so you won't waste more time in the future. Second - remember that this will leave content for future followers.
This is not a guide on content creation, so last advice: publish content regularly. I'm posting each Monday and Friday. It keeps me motivated and pushes me to stay outside my comfort zone to learn new things, when knowledge is later established during content creation.
One thing is universal, and I hope you understand that; if not, go through Learning Process (academy.hackthebox.eu/module/15). To keep on learning and improving yourself you have to keep practicing and making mistakes, so you can learn from them. In case you are totally out of juice to tackle some boxes or poke at vulnerables - go on, watch a video. Read the article. Focus on your goal and go for it, step by step. Each minute counts, for example by spending just 15 minutes each day on learning, after a month you will be richer by almost 8 hours! It doesn't sound like that much, but it keeps adding up.
Find your way to keep yourself motivated. For example, I like monitoring stuff. Writing it down, keeping track of it. So, I've tried both Harvest and Toggle to keep my work tracked. Every time that failed. Until now, when I found out the Pomodoro timer feature on Toggle.