HTB - CCTV Write-Up

Summary

CCTV is a Linux HackTheBox machine exposing SSH and a ZoneMinder web application on HTTP. The key foothold is an authenticated SQL injection in ZoneMinder 1.37.63, specifically the removetag action affected by CVE-2024-51482. After authenticating to the panel, the SQLi can be exploited with sqlmap to dump zm.Users, recover password hashes, and crack the mark account password. Once on the box as mark, privilege escalation comes from a second service: motionEye. A world-readable /etc/motioneye/motion.conf exposes the motionEye admin credential hash. That hash is sufficient to compute valid request signatures for the localhost-only motionEye API on 127.0.0.1:8765. By updating camera configuration and setting command_storage_exec, it is possible to trigger root command execution through the snapshot action. ...

31-05-2026 · 5 min · phucrio

HTB - WingData Write-Up

Summary

WingData is a Linux machine built around Wing FTP Server. The intended path chains a Wing FTP unauthenticated RCE into credential recovery for SSH access as wacky, followed by a root escalation through a Python tarfile extraction bug exposed by a sudo-allowed restore script.

Attack chain: Wing FTP exposure → config leakage / credential recovery → SSH as wacky → vulnerable tar restore script → root

Step                  | Technique                                         | Result
Recon                 | nmap, vhost checks, ffuf                          | Wing FTP attack surface identified
Initial access        | Wing FTP RCE / recovered credentials              | SSH as wacky
Privilege escalation  | CVE-2025-4517 (tarfile.extractall(filter="data")) | root

Target ...

31-05-2026 · 5 min · phucrio

HTB - Facts Write-Up

Summary

Facts is a Linux machine running Camaleon CMS behind nginx, with SSH exposed and a public MinIO/S3-style media service. Initial access comes from CVE-2024-46987, an authenticated Camaleon CMS path traversal / arbitrary file read. The file read is used to grab the user flag and an encrypted SSH private key for trivia. After cracking the SSH key passphrase, privilege escalation is straightforward because trivia can run /usr/bin/facter as root with NOPASSWD. Facter custom facts are Ruby files; loading one with --custom-dir executes Ruby code as root. ...

31-05-2026 · 3 min · phucrio

HTB - SmartHire Write-Up

Summary

SmartHire is a medium-difficulty Linux machine from HackTheBox. It hosts an AI hiring platform built with Flask on nginx, using MLflow for model management. Initial access is gained via CVE-2024-37054, a pickle deserialization vulnerability in MLflow that allows remote code execution by overwriting a model artifact with a malicious payload. Privilege escalation exploits a writable plugin directory combined with a sudo rule — a crafted .pth file executed by site.addsitedir() runs as root. ...

30-05-2026 · 4 min · phucrio

HTB - Expressway Write-Up

Summary

Expressway is a Linux machine on Hack The Box that involves exploiting a weak Pre-Shared Key (PSK) in an IKEv1 VPN service to gain initial access. Privilege escalation is achieved by bypassing a flawed security policy in a custom sudo binary that relies on the system’s hostname. This write-up details the process from initial reconnaissance to gaining root privileges, concluding with remediation steps for the identified vulnerabilities.

Target IP Address: 10.10.11.87
Hostname: expressway.htb

Reconnaissance

TCP Port Scan

The initial reconnaissance phase began with a TCP port scan using nmap to identify open ports and running services. ...

08-11-2025 · 5 min · phucrio

HTB - IClean Write-Up

Summary

This write-up documents a full exploitation path for the HTB machine IClean. Primary findings: information disclosure and web vulnerabilities led to user access via an SSTI/XSS chain; credentials from application code allowed database access; qpdf misconfiguration enabled root privilege escalation. Goal: demonstrate methodology and reasoning (recon → enumeration → exploitation → privilege escalation → remediation).

Target Host: 10.10.11.12 (lab address)
Domain mapped locally: capiclean.htb

Reconnaissance

Start with a standard service/version scan: ...

17-09-2024 · 3 min · phucrio