Luke HTB Walkthrough

Walkthrough of the Luke machine from Hack The Box.

Key Findings

Key findings noted from the machine Luke:

Privileged credentials were left exposed in files available via HTTP (config.php & config.json). The credentials obtained could be used to gain additional system access. This type of data should not be publicly available.

User credentials were available to an authenticated API user. Credentials should not be made available in this fashion.

The Ajenti instance does not have SSL configured. This allows a malicious attacker


Bastion HTB Walkthrough

Walkthrough of the Bastion machine from Hack The Box.

Key Findings

Production backup data was left unencrypted and exposed to the public. This data could be used to derive initial system credentials and obtain initial access. This type of data should not be accessible to the public and should be stored encrypted.

Privileged credentials were stored in an insecure manner. These could be extracted and used to obtain privileged access to the system. Appropriately


OneTwoSeven HTB Walkthrough

Walkthrough of the OneTwoSeven machine from Hack The Box.

Key Findings

Comments were maintained in production code. Details in comments give insight into what development teams have done, when, and why. Comments need to be removed prior to pushing any code into production.

System data was exposed by an inappropriate chroot configuration. The method of configuring chroot on the machine left significant amounts of chroot data exposed that an attacker can access. As part of deploying to production system functionality to
