Puppy is another amazing assumed breach active directory box.
Phantom is a Medium AD box where SMB enumeration leads to a decrypted VeraCrypt container, recovered credentials enable a foothold via password spraying, and Resource-Based Constrained Delegation (RBCD) is exploited to gain Administrator access.
Cat is a medium-difficulty Linux machine featuring a custom PHP web application vulnerable to XSS, which allows cookie hijacking and privilege escalation. A SQL injection in a SQLite database enables remote code execution and access to internal logs, which leak plaintext credentials. These are used to access a vulnerable Gitea instance (CVE-2024-6886), ultimately leading to the discovery of root credentials in a private repository.
"Trickster" is a medium-difficulty Linux machine on HackTheBox that challenges you with technologies like Git, MySQL, Docker, and vulnerabilities such as SSTI and CSRF. This write-up covers the key steps and techniques I used to exploit the machine, highlighting the creative enumeration and exploitation required to capture the flags.
