Instant begins with a basic web page with limited functionality, offering only an APK download. From there, we explore the APK to uncover information that helps gain an initial foothold and another jump before getting root!
We are going to walk through Editorial on Hack the Box! It started by discovering a blind SSRF vulnerability that led to finding various API endpoints which leaked cleartext credentials. Additional credentials were discovered in a Git commit leading to abusing a Python script for escalation to root!
The machine starts with identifying an XSS vulnerability to steal an administrator’s cookie. This stolen cookie is then used to access a separate page vulnerable to code injection. Finally, a Bash script is exploited to escalate privileges to root.
PermX is an easy-rated machine on Hack The Box, created by mtzsec. It begins with discovering and exploiting a vulnerable learning management system to gain initial access. Password reuse and a Bash script exploit are used to escalate privileges and gain root access.
BoardLight, an easy-rated machine on Hack The Box created by cY83rR0H1t, involves discovering a new virtual host, leveraging a CVE to gain a low-privileged foothold, performing horizontal escalation to another user on the box, and ultimately exploiting a lesser-known binary for root access.