Web-Exploitation

Found 6 related articles

  • 2025-03-08

    Dog - Active Machine Writeup (Content Withheld)


    Content is currently withheld as per HackTheBox policy, since Dog is an active machine. This writeup details the full exploitation path from initial access to root, likely involving web application vulnerabilities, service enumeration, and local privilege escalation on a Linux target.

    HackTheBox Active-Machine General-Exploitation Web-Exploitation Linux-Exploitation
  • 2025-03-02

    EscapeTwo - Active Machine Writeup (Content Withheld)


    Content is currently withheld as per HackTheBox policy, since EscapeTwo is an active machine. This writeup details the full exploitation path from initial access to root, likely involving web application vulnerabilities, service enumeration, and local privilege escalation.

    HackTheBox Active-Machine General-Exploitation Web-Exploitation Linux-Exploitation
  • 2025-02-19

    UnderPass - Active Machine Writeup (Content Withheld)


    Content is currently withheld as per HackTheBox policy, since UnderPass is an active machine. This writeup details the full exploitation path from initial access to root, likely involving web vulnerabilities, service misconfigurations, and local privilege escalation.

    HackTheBox Active-Machine General-Exploitation Web-Exploitation
  • 2024-12-02

    Oopsie - IDOR, Arbitrary File Upload, and SUID Path Hijacking


    Technical writeup detailing the compromise of the Oopsie machine. Initial access involves exploiting an IDOR vulnerability to enumerate credentials, followed by cookie manipulation to reach an arbitrary file upload function and drop a PHP reverse shell. Privilege escalation is achieved by finding plaintext database credentials that also work for SSH, and finally by exploiting the SUID binary '/usr/bin/bugtracker', which invokes a command without an absolute path, via PATH hijacking to obtain a root shell.

    HackTheBox Web-Exploitation IDOR Insecure-Direct-Object-Reference Cookie-Manipulation Arbitrary-File-Upload Reverse-Shell SUID-Privilege-Escalation Path-Hijacking PHP Linux-Exploitation
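    The PATH hijacking step in the Oopsie summary, as an added example that is not part of the writeup. A constructed shell script stands in for /usr/bin/bugtracker (no SUID bit is set, so the demo shows the hijack rather than the root shell), the `cat` and `HIJACKED` strings are assumptions for the demo, and a crude `strings`-style triage function shows how the defect is spotted in a real binary.

    ```python
    import os
    import re
    import stat
    import subprocess
    import tempfile

    # Constructed stand-in for the vulnerable SUID binary: it calls `cat` by bare
    # name, so the first `cat` found on PATH is executed, whoever put it there.
    VULNERABLE_SCRIPT = '#!/bin/sh\ncat "$1"\n'
    # Hardened variant: an absolute path removes PATH from the picture entirely.
    HARDENED_SCRIPT = '#!/bin/sh\n/bin/cat "$1"\n'


    def _write_exec(directory, name, body):
        """Write a small script and mark it executable."""
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        return path


    def run_victim(script_body, hijack):
        """Run the stand-in binary on a constructed report file and return its
        stdout. With hijack=True an attacker-controlled directory holding a fake
        `cat` is prepended to PATH, which is the Oopsie step in miniature."""
        with tempfile.TemporaryDirectory() as tmp:
            victim = _write_exec(tmp, "bugtracker", script_body)
            report = os.path.join(tmp, "report.txt")
            with open(report, "w") as fh:
                fh.write("legit report\n")
            env = dict(os.environ, PATH="/usr/bin:/bin")
            if hijack:
                evil = os.path.join(tmp, "evil")
                os.mkdir(evil)
                # Against a real SUID-root target this payload would be
                # `/bin/bash -p` so the shell keeps the effective uid of 0.
                _write_exec(evil, "cat", "#!/bin/sh\necho HIJACKED\n")
                env["PATH"] = evil + ":" + env["PATH"]
            proc = subprocess.run(["/bin/sh", victim, report], env=env,
                                  capture_output=True, text=True, check=True)
            return proc.stdout.strip()


    PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
    COMMON_CMDS = {"cat", "ls", "id", "cp", "ps", "service", "whoami"}


    def unqualified_commands(blob):
        """Crude `strings`-style triage of a binary: return printable strings whose
        first word is a common command given without a leading slash. That is the
        pattern `strings /usr/bin/bugtracker` reveals on Oopsie-style targets."""
        hits = []
        for match in PRINTABLE.finditer(blob):
            text = match.group().decode("ascii")
            words = text.split()
            if words and words[0] in COMMON_CMDS:
                hits.append(text)
        return hits


    if __name__ == "__main__":
        # Constructed blob imitating a few strings from an ELF binary.
        print(unqualified_commands(b"\x7fELF\x00\x00cat /root/reports/\x00/bin/ls\x00"))
        print(run_victim(VULNERABLE_SCRIPT, hijack=False))  # legit report
        print(run_victim(VULNERABLE_SCRIPT, hijack=True))   # HIJACKED
        print(run_victim(HARDENED_SCRIPT, hijack=True))     # legit report
    ```

    The hardened script still runs as the caller, but PATH no longer decides which `cat` executes; the real fix for a SUID binary is the same (absolute paths or a reset of PATH before any exec), and a triage pass with `strings` plus `find / -perm -4000` is how the candidate binary is found in the first place.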
  • 2024-11-18

    Appointment - Authentication Bypass via SQL Injection (SQLi)


    Technical writeup detailing the compromise of the Appointment machine. The primary vulnerability is an Authentication Bypass via SQL Injection (SQLi) affecting the web application's login form. By injecting the payload admin'# into the username field, the single quote closes the username string literal and the # starts a comment that swallows the rest of the query, including the password check, so the application authenticates the request as the admin user without a valid password and the flag can be retrieved.

    HackTheBox Very-Easy SQLi SQL-Injection Authentication-Bypass Auth-Bypass Web-Exploitation Apache PHP
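    The login bypass from the Appointment summary, as an added example that is not part of the writeup: the query built by string concatenation beside a parameterised version, run against a constructed in-memory SQLite table. SQLite does not treat # as a comment marker, so the payload here uses the portable `-- ` form; on MySQL and MariaDB `admin'#` and `admin'-- ` cut the query at the same place. Table and credentials are assumptions for the demo.

    ```python
    import sqlite3


    def make_db():
        """Constructed users table with a single admin account."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
        conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
        return conn


    def build_vulnerable_query(username, password):
        """Untrusted input spliced straight into the SQL text, the defect behind
        the Appointment login form."""
        return ("SELECT username FROM users WHERE username='" + username
                + "' AND password='" + password + "'")


    def login_vulnerable(conn, username, password):
        """Returns the authenticated username, or None. With username admin'--
        the rendered SQL becomes
        SELECT username FROM users WHERE username='admin'-- ' AND password='...'
        and everything after the comment marker is ignored."""
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
        return row[0] if row else None


    def login_safe(conn, username, password):
        """Placeholders: the driver passes the values separately from the SQL
        text, so quotes and comment markers in the input are data, not syntax."""
        row = conn.execute(
            "SELECT username FROM users WHERE username=? AND password=?",
            (username, password),
        ).fetchone()
        return row[0] if row else None


    def demo():
        conn = make_db()
        return {
            "vuln_bypass": login_vulnerable(conn, "admin'-- ", "wrong"),
            "vuln_legit_denied": login_vulnerable(conn, "admin", "wrong"),
            "safe_bypass": login_safe(conn, "admin'-- ", "wrong"),
            "safe_legit": login_safe(conn, "admin", "correct-horse"),
        }


    if __name__ == "__main__":
        print(build_vulnerable_query("admin'-- ", "wrong"))
        print(demo())
    ```

    The vulnerable function returns "admin" for the injected username and a wrong password; the parameterised function returns None for the same input and only succeeds with the real credential, which is the whole mitigation in one line.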
  • 2024-11-12

    Broken Access Control (BAC) Analysis and Mitigation


    Technical analysis of Access Control failures (A01:2021) leading to resource exposure or privilege escalation. Covers identification of IDOR, Horizontal, and Vertical BAC vulnerabilities, presenting a Proof of Concept (PoC) using Burp Suite, alongside key mitigation strategies like RBAC.

    OWASP-Top-10 Broken-Access-Control Web-Exploitation IDOR Privilege-Escalation BurpSuite Cybersecurity
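    The IDOR, horizontal and vertical access-control failures from the analysis above, and the IDOR and cookie-manipulation steps in the Oopsie summary, as one added example that is not part of either article: a minimal record endpoint with no ownership check beside the same endpoint with ownership and role checks, and an admin-only action that trusts a client-supplied role beside one that resolves the role server-side. Users, roles and records are constructed in-memory for the demo.

    ```python
    # Constructed in-memory data: session user -> role, and records with an owner.
    USERS = {"alice": "user", "bob": "user", "carol": "admin"}
    INVOICES = {
        1: {"owner": "alice", "total": 120},
        2: {"owner": "bob", "total": 75},
    }


    def get_invoice_vulnerable(session_user, invoice_id):
        """IDOR / horizontal BAC: authentication is checked, ownership is not, so
        any logged-in user can walk ?id=1,2,3... and read everyone's records."""
        if session_user not in USERS:
            return 401, None
        record = INVOICES.get(invoice_id)
        return (200, record) if record else (404, None)


    def get_invoice_safe(session_user, invoice_id):
        """Same endpoint with an ownership check (horizontal) and a role check
        (vertical), both resolved from the server-side session, never from the
        request."""
        role = USERS.get(session_user)
        if role is None:
            return 401, None
        record = INVOICES.get(invoice_id)
        if record is None:
            return 404, None
        if role != "admin" and record["owner"] != session_user:
            # Returning 404 here instead would also avoid confirming the id exists.
            return 403, None
        return 200, record


    def delete_invoice_vulnerable(claimed_role, invoice_id, store):
        """Vertical BAC: the role comes from a client-controlled value (a cookie
        or hidden field), so editing role=user to role=admin in Burp is enough."""
        if claimed_role != "admin":
            return 403
        if store.pop(invoice_id, None) is None:
            return 404
        return 204


    def delete_invoice_safe(session_user, invoice_id, store):
        """The role is looked up from the authenticated identity; nothing in the
        request can promote the caller."""
        if session_user not in USERS:
            return 401
        if USERS[session_user] != "admin":
            return 403
        if store.pop(invoice_id, None) is None:
            return 404
        return 204


    if __name__ == "__main__":
        print(get_invoice_vulnerable("bob", 1))   # bob reads alice's invoice
        print(get_invoice_safe("bob", 1))         # (403, None)
        store = {k: dict(v) for k, v in INVOICES.items()}
        print(delete_invoice_vulnerable("admin", 1, store))  # 204 with a forged role
        print(delete_invoice_safe("bob", 2, store))           # 403
    ```

    The safe variants deny by default and make both decisions (is this the owner, does this role allow the action) from state the client cannot edit, which is what an RBAC layer enforces centrally instead of per handler.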