Threat Ninja Security Awareness

Threatninja.net Security Awareness for all users

  • Hack The Box: Cat Machine Walkthrough – Medium Difficulty
    by darknite on July 5, 2025 at 2:58 pm

    Hack The Box Success: Cat Machine Write-Up Published! I’ve just published my personal write-up for the Cat machine on Hack The Box. In this challenge, I gained the user flag by exploiting a Stored XSS vulnerability to capture the admin session cookie, followed by an SQL Injection to extract credentials and gain SSH access. For the root flag, I took advantage of a vulnerable image processing script owned by root, crafting a payload to gain a root shell and retrieve the flag. The full write-up dives into each step, the logic behind the attacks, and key takeaways. #CyberSecurity #HackTheBox #PenetrationTesting #EthicalHacking #CTF #WriteUp #XSS #SQLi #PrivilegeEscalation #InfoSec #CTFWriteup The post Hack The Box: Cat Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.

  • Abusing Sudo’s chroot: CVE-2025-32463 Explained
    by darknite on July 2, 2025 at 2:25 pm

    CVE-2025-32463 – Local Privilege Escalation via Sudo’s chroot Option I recently explored a vulnerability in Sudo that allows unprivileged users to escalate to root by abusing the rarely used -R (chroot) feature and manipulating nsswitch.conf. Tested on Parrot OS, this PoC demonstrates how easy it is to gain root shell access when Sudo < 1.9.17p1 is installed. If you’re running Linux, patch immediately or compile Sudo from source to version 1.9.17p1 or later. Stay safe, patch early. #CyberSecurity #Linux #CVE2025 #PrivilegeEscalation #InfoSec #ExploitDevelopment #Sudo #BlueTeam #RedTeam #ParrotOS #ThreatHunting #VulnerabilityResearch The post Abusing Sudo’s chroot: CVE-2025-32463 Explained appeared first on Threatninja.net.

  • Hack The Box: Haze Machine Walkthrough – Hard Difficulty
    by darknite on June 28, 2025 at 2:58 pm

    New Write-Up Published: Haze [Medium | Windows | Active Directory] – Hack The Box Just released a walkthrough for Haze, a medium-difficulty Windows machine on Hack The Box. Initial access was obtained by exploiting CVE-2024-36991, a local file inclusion vulnerability in Splunk, to extract LDAP credentials. This enabled a Shadow Credentials attack using PyWhisker and Certipy, allowing lateral movement to a high-privileged domain user. For privilege escalation, I utilized Splunk admin access to deploy a reverse shell via a crafted app package. Upon gaining shell access, I escalated privileges to NT SYSTEM by abusing SeImpersonatePrivilege with SweetPotato. This box offers great insight into chained Active Directory abuse and Splunk misconfigurations. #HackTheBox #RedTeam #ActiveDirectory #Splunk #CVE202436991 #ShadowCredentials #PrivilegeEscalation #SweetPotato #CTF #InfoSec #WriteUp #CyberSecurity The post Hack The Box: Haze Machine Walkthrough – Hard Difficulty appeared first on Threatninja.net.

  • Hack The Box: Titanic Machine Walkthrough – Easy Difficulty
    by darknite on June 21, 2025 at 2:58 pm

    Just wrapped up a detailed walkthrough of the Hack The Box Titanic machine, an easy-rated challenge packed with valuable learning opportunities! The journey started with exploiting a directory traversal vulnerability to access sensitive Gitea configuration files and extract user credentials. From there, I gained SSH access as the developer user and retrieved the user flag. Privilege escalation was achieved by exploiting a critical ImageMagick vulnerability (CVE-2024-41817) in a writable directory, allowing arbitrary code execution via a crafted shared library. I also discovered the developer user had unrestricted sudo privileges, providing a straightforward path to root. #HackTheBox #CyberSecurity #Pentesting #CTF #PrivilegeEscalation #LinuxSecurity #ImageMagick #CVE202441817 #EthicalHacking #DirectoryTraversal The post Hack The Box: Titanic Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

  • Hack The Box: Infiltrator Machine Walkthrough – Insane Difficulty
    by darknite on June 14, 2025 at 2:58 pm

    Successfully completed a two-stage Active Directory exploitation scenario involving both user access and privilege escalation. The first stage focused on identifying accounts that did not require Kerberos pre-authentication (AS-REP Roasting), allowing extraction and cracking of a user password hash to gain remote access and retrieve the user flag. In the second stage, a misconfigured certificate template (ESC4 vulnerability) within Active Directory Certificate Services was exploited to request a certificate impersonating a privileged user. This enabled full administrative access and retrieval of the root flag. #CyberSecurity #ActiveDirectory #RedTeam #Kerberos #PrivilegeEscalation #ASREP #ADCS #ESC4 #PenetrationTesting #Infosec #HackTheBox #WindowsSecurity #CTF The post Hack The Box: Infiltrator Machine Walkthrough – Insane Difficulty appeared first on Threatninja.net.

  • Hack The Box: Backfire Machine Walkthrough – Medium Difficulty
    by darknite on June 7, 2025 at 3:15 pm

    Successfully rooted another Hack The Box machine by chaining multiple vulnerabilities across custom C2 frameworks. For the user flag, we exploited an SSRF vulnerability (CVE-2024-41570) in the Havoc C2 framework to access internal services, which we then chained with an authenticated RCE to execute arbitrary commands and gain a reverse shell as the ilya user. To maintain stable access, SSH keys were added for persistence, allowing us to retrieve the user.txt flag. For the root flag, we targeted the Hardhat C2 service by forging a valid JWT with a Python script to create an admin user, which provided shell access as sergej. Upon privilege escalation analysis, we found that sergej had sudo access to the iptables-save binary. This was abused to overwrite the /etc/sudoers file and escalate to root, ultimately retrieving the root.txt flag. Another great learning experience on the path to mastering offensive security! #HackTheBox #CyberSecurity #InfoSec #RedTeam #CTF #PrivilegeEscalation #RCE #SSRF #Linux #HTB #EthicalHacking #PenetrationTesting #HavocC2 #HardhatC2 #JWT #SudoExploit #OSCP #BugBounty The post Hack The Box: Backfire Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.

  • Hack The Box: Checker Machine Walkthrough – Hard Difficulty
    by darknite on May 31, 2025 at 2:58 pm

    Successfully exploited CVE-2023-1545 in Teampass to extract user credentials and leveraged CVE-2023-6199 in BookStack to obtain an OTP, gaining user-level access on the Checker machine. Privilege escalation was achieved by exploiting a sudo script interacting with shared memory, setting the SUID bit on /bin/bash to capture the root flag. A great example of combining application vulnerabilities with creative privilege escalation techniques! #Cybersecurity #EthicalHacking #HackTheBox #PenetrationTesting #InfoSec #VulnerabilityResearch #PrivilegeEscalation #CTF #SecurityResearch The post Hack The Box: Checker Machine Walkthrough – Hard Difficulty appeared first on Threatninja.net.

  • Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty
    by darknite on May 24, 2025 at 2:58 pm

    My Write-Up for the EscapeTwo Machine on Hack The Box. I’m excited to share my detailed write-up for solving the beginner-friendly “EscapeTwo” machine on Hack The Box, showcasing skills in network enumeration and privilege escalation. First, to capture the user flag, I scanned for open ports, accessed SMB shares, uncovered a password, and leveraged the Ryan account’s elevated permissions to retrieve the flag remotely. Next, for the root flag, I escalated privileges by exploiting an Active Directory misconfiguration. Then, using the Ryan account, I employed tools to identify and modify permissions, thereby gaining control over a privileged account. With this control, I acquired a certificate, subsequently authenticated as an administrator, and finally captured the root flag. This challenge strengthened my expertise in Active Directory security and penetration testing. Check out the full write-up for a deep dive! #Cybersecurity #HackTheBox #EthicalHacking #PenetrationTesting #ActiveDirectory The post Hack The Box: EscapeTwo Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.

  • Hack The Box: Heal Machine Walkthrough – Medium Difficulty
    by darknite on May 17, 2025 at 2:58 pm

    Writeup Summary: Heal (Hack The Box) This box involved thorough enumeration that uncovered multiple subdomains, including a Ruby on Rails API. Initial access was gained by chaining a Local File Inclusion vulnerability with password cracking and exploiting a LimeSurvey plugin upload vulnerability. Privilege escalation was achieved by identifying and exploiting an exposed Consul service accessible through SSH port forwarding. This challenge showcased key red teaming skills: web application exploitation, misconfiguration abuse, credential harvesting, and lateral movement. #HackTheBox #CyberSecurity #RedTeam #PrivilegeEscalation #BugBounty #WebSecurity #Infosec #CTF #HTB #OffensiveSecurity #LinuxExploitation The post Hack The Box: Heal Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.

  • Hack The Box: Underpass Machine Walkthrough – Easy Difficulty
    by darknite on May 10, 2025 at 2:58 pm

    Successfully completed the “Underpass” machine on Hack The Box! For the user flag, I enumerated SNMP to discover a Daloradius instance, logged in with default credentials, cracked an MD5-hashed password for the svcMosh account, and used SSH to access the user flag in its home directory. To capture the root flag, I escalated privileges by exploiting sudo permissions on mosh-server, obtaining a session key and port to establish a root session and retrieve the flag from /root/root.txt. #Cybersecurity #HackTheBox #CaptureTheFlag #PenetrationTesting #LinuxSecurity #PrivilegeEscalation #SNMP #Daloradius #EthicalHacking #InformationSecurity The post Hack The Box: Underpass Machine Walkthrough – Easy Difficulty appeared first on Threatninja.net.
