BackBox News
Latest news and insights on Security
Company Blogs
Hacking Tools
- Shodan-Dorks - Dorks for Shodan; a powerful tool used to search for Internet-connected devices
- Pegasus-Pentest-Arsenal - A Comprehensive Web Application Security Testing Toolkit That Combines 10 Powerful Penetration Testing Features Into One Tool
- Witcher - Managing GitHub Advanced Security (GHAS) Controls At Scale
- ByeDPIAndroid - App To Bypass Censorship On Android
- API-s-for-OSINT - List Of API's For Gathering Information About Phone Numbers, Addresses, Domains Etc
- Firecrawl-Mcp-Server - Official Firecrawl MCP Server - Adds Powerful Web Scraping To Cursor, Claude And Any Other LLM Clients
- Deep-Live-Cam - Real Time Face Swap And One-Click Video Deepfake With Only A Single Image
- CAMEL - The First And The Best Multi-Agent Framework. Finding The Scaling Law Of Agents
- Liam - Automatically Generates Beautiful And Easy-To-Read ER Diagrams From Your Database
- SubGPT - Find Subdomains With GPT, For Free
Exploit DB
- [local] TP-Link VN020 F3v(T) TT_V6.2.1021) - DHCP Stack Buffer Overflow
- [webapps] WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
- [webapps] Kentico Xperience 13.0.178 - Cross Site Scripting (XSS)
- [local] RDPGuard 9.9.9 - Privilege Escalation
- [webapps] WordPress Depicter Plugin 3.6.1 - SQL Injection
- [webapps] SureTriggers OttoKit Plugin 1.0.82 - Privilege Escalation
- [local] Microsoft Windows 11 Pro 23H2 - Ancillary Function Driver for WinSock Privilege Escalation
- [local] VirtualBox 7.0.16 - Privilege Escalation
- [remote] Apache ActiveMQ 6.1.6 - Denial of Service (DOS)
- [webapps] ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
HTB Busqueda Walkthrough
/in General NewsAs usual, a nice and simple BOX with two relatively simple exploits even for beginners. Let’s go.
The nmap scan:
port 80 responds to the “searcher.htb” domain. Put it in the /etc/hosts file.
It seems to be a search engine collector.
Wappalyzer reports python (3.10.6) and flask (2.1.2) technology.
The portal is based on version 2.4.0 of an open-source project called Searchor with the repository on git
Searching for exploits I found this:
Intercepting the calls using BurpSuite, I retrieve the request:
Let’s try to investigate the code in the repository, crossing the information of the eval reported in the vulnerability and the request towards the /search routing. Download the 2.4.0 version of the source code (https://github.com/ArjunSharda/Searchor/releases/tag/v2.4.0).
Search the POST method…
…and the Engine class:
Apparently, you can run some python code, it will be easier using the last parameter (open). Sniffing the request setting the “Auto redirect” check with BurpSuite…
It seems that the backend code only checks for the presence of the parameter, so I can’t take advantage of the “auto_redirect” parameter, I’ll have to use the “query” parameter. The purpose is to pass a value such that a command is executed in addition to the original one. Starting from the construction of the original string, then
we have to close the string at the point of the query parameter. Just pass the value as the query value
This will terminate the string with the single quote, close the search command with the closing parenthesis, and comment out everything that follows.
Since the search of the engine class accepts the remaining parameters with default values, there will be no problems, as the search method in this case will be launched specifying only the first parameter.
But now I have to try to inject the code I want to execute, but failing to concatenate another string, I take advantage of a trick that allows me to execute some code through the use of the format of a string. The output of the search command of the Engine class still returns a string, on which I can perform a format. Since there are no variable markers, the format will have no effect, but it will still allow me to execute some code. As usual, to test, I’ll run a curl to my listening machine to see if the injection was successful. The query parameter will then look something like this:
By replacing the parameter on the BurpSuite and launching the request, the surprise is not long in coming.
Perfect, it works, let’s convert curl to a reverse shell and activate our listener.
The BurpSuite will do the rest!
Navigate to the home folder and let’s find out he’s the user with the flag.
Spawned a tty shell to test the sudo command but this user cannot launch sudo without a password. So, launch linpeas as usual, without leaving any trace.
Download linpeas and start the php native web server.
Then start the netcat listener that will receive the scan output.
And finally, launch the attack on the remote machine.
Let the scan complete (check your netcat session).
linpeas output, interesting poits
Found an additional domain (gitea.searcher.htb), insert it on the /etc/hosts file and try to navigate.
Gitea Version: 1.18.0+rc1
Searching for some exploit, I find something (even an RCE), but be being authenticated. After some more searching, I can’t find anything of interest, so, convinced that the next clue has something to do with git anyway, I search the repositories available in this BOX.
After searching the repository a bit, without much success, and not knowing exactly how to proceed, I start searching online and come across an interesting article.
It seems that I have found what I was looking for and finally can access the gitea portal. So, I can come back on one of the previous exploits that need credentials.
Unfortunately I can’t even create a new repository. Anyway, I can connect via ssh using the password.
Even though I can run it, I can’t read it.
So, try to execute.
I’ll probably have to use the docker command to elevate the privileges, but in the meantime let’s collect as much information as possible about the running containers as well.
And the environment variables section is really cool.
Obviously, the environment section of the second container is equally attractive.
Passwords don’t seem, in any case, to be useful. Since the script appeared to use the docker command anyway, I tried hard to exploit that, trying passing additional commands and injecting alternative commands, but without success. Then I took a look at the folder where the script is located and found a couple of interesting clues.
Inside the folder is a script named after the third argument that takes the original script and there appears to be a git repository. However, I don’t have permission to read the files inside, but let’s try to proceed on this new path.
The git repository route is to be abandoned; the script file remains.
Oh oh… the command that didn’t work before now seems to execute correctly, so it runs a script with that name contained in the folder you are in!
And after a few simple tries, we have our root flag!
That’s all folks, as usual, see you at the next BOX, have an excellent hacking (in legal), bye.
Secjuice – Read More
HTB Escape Walkthrough
/in General NewsA very particular windows machine, in which I got stuck, stubbornly looking for an exploit which later turned out to be a simple clue left in plain sight that allowed a very trivial privesc. More challenging, but almost standard, the second privec which then led me to the desired root flag.
Let’s start with the nmap scan.
As usual, there are an infinite number of ports open on a windows machine and not happy, let’s also take a look at the UDP ports.
Little steal, thank goodness! Ok, let’s analyze one port at a time!
53 – DNS, 88 – kerberos, 135, 593 – RPC, 139, 445 – SMB, 464
Nothing about this set, unless I’ve missed something.
139, 445 – SMB
The enum4linux tool doesn’t enumerate anything in particular, let’s try a manual approach.
I’m able to connect using the rpcclient tool (rpcclient -U “” -N 10.10.11.202), but investigating this would take too much time, I’ll mark it as an activity to come back to if I can’t find anything else and move on.
The SAMBA client shows, among the classic windows shares, a “Public” folder that could be interesting, let’s take a look.
Give a look at the pdf file.
Well, a good domain to insert into my /etc/hosts; go ahead.
389 (636, 3268, 3269) – LDAP
As for LDAP, I tried to navigate the structure using phpLDAPAdmin as usual, but without success.
1433 – SQL Server
And for the uninitiated, port 1433 is the one reserved for SQL Server. There will be a lot of work here; let’s work.
The Metasploit Framework is full of attacks for SQL Server… and I think I’ve tried a lot of them.
I omitted some of the exploits I ran and also omitted some sections of the information returned by the scans, so as not to take up too much reading time.
But let’s connect to the SQL Server instance and investigate the contents of the DBs.
Besides the SQL Server version which may come in handy to identify some specific exploit, the DB doesn’t seem to contain many schemas and tables. I tried some exciting system queries, but most of them gave “permission denied“. I, therefore, rely on the now official guide for identifying vulnerabilities.
Inside the guide, we find an interesting attack, which is worth trying.
The concept behind this attack is to force the SQL Server to authenticate to a fake server that will capture the unsuspecting service’s credentials.
So, activate our responder…
…let’s take advantage of one of the Metasploit Framework exploits…
…and wait for the attacked service to fall into the trap.
We now have a NetNTLM hash that we can safely hashcat after identifying the corresponding value of the specific hash (5600).
And after some waiting and patience, the password comes out. What better tool to use than Evil-WinRM?
Obviously, this user can’t do much. You need a winPEAS session. We load the scanner on the BOX through the features made available by Evil-WinRM…
…and start it, saving the result so as not to lose it.
Let’s take it home the same way and analyze it.
winpeas
Below is the information extracted from the winPEAS scan that I deemed worthy of note.
Obviously, in addition to some interesting files, the possible privileges available to the user are highlighted (to verify actual vulnerabilities) and the WSUS windows update service (often used precisely for the elevation of privileges).
Let’s try to understand if the WSUS is really vulnerable.
Already from the windows registry keys, there doesn’t seem to be any hope.
Even on the privileges front, nothing particularly attractive seems to be highlighted, the masterkey of the user Ryan would be needed, but at the moment it does not seem to be available.
Let’s try some other tools, for example, PrivescCheck.
PrivescCheck output
Also in this case I report only the interesting and noteworthy things.
We get to a point where the use of classic windows tools becomes essential, let’s try bloodhound.
I collect the necessary information…
…and analyze the result.
I use the containerized version, so wait for the availability of the Neo4j.
When logged in, upload the collected data (directly zip file).
Now, on the search box, search for the user you pawn: sql_svc.
Select it and mark the user as owned.
Search for the Ryan user account and select it, right-click and chose “shortest path from owned to here“
Well, the path is long enough, but the tool crashes as soon as you try to investigate the third link. Nonetheless, the information from previous nodes highlights standard attacks that I’ve faced in the past. Let’s try them quickly.
Again, however, nothing seems to emerge. The commands you run seem to throw an error while generating the security object; another hole in the water.
I’m starting to feel this dead end approaching, but I still have some resources, let’s try some exploits suggester for Windows.
Once again blocked even before starting. Next another.
Exhausted and out of ideas, I abandon my goal for a few days (needless to tell us, when you slam too much on the same apparently unsolvable problem, disconnect… let your mind refresh, empty and face the problem again).
So I go back to the machine after a few days and with the memories of all the attempts tried up to that moment, I go back to having a look at the resources available from the shell. I then find a folder on the root containing what appears to be the SQL Server installation package and a couple of other directories one of which contains a backup file.
I start sifting through the log file and find two consecutive failed accesses within a few…. hundredths of a second (it seems a bit exaggerated to me, but we’ll stick to the clues).
All we have to do is reconnect with Evil-WinRM using the new credentials.
And the first flag is captured. Ok, at this point the steps repeat as before. Unfortunately also in this case, nothing with winPEAS, nothing with BloodHound, nothing with PowerScript and Rubeus; another dead end.
As exhausted, I rely on the suggestions of the forum and thus discover a new (for me) interesting tool: “just download the Certify.exe“.
It looks really interesting, let’s see what comes out.
As in the example given in the git repository documentation, our user also seems to be enabled for the ManageCA privilege (but what a coincidence). Go on.
Create the pfx key from the recovered certificate.
And we ask for the resolution of the TGT key.
There are two different ways to obtain the hash password (that I know), using ccache…
…or generating it from Rubeus itself; let me use the simplest method.
And we run straight to the root flag without delay, once again exploiting the potential of Evil-WinRM.
And once again… that’s all folks, I sweated for a few days, but in the end, I managed to overcome every obstacle (even the most trivial ones, next time, look around before proceeding down the most impervious routes). For the moment, goodbye, but I’ll wait for you at the next BOX, happy hacking everyone!
Secjuice – Read More
HTB Stocker Walkthrough
/in General NewsSimple BOX on both flags, much more root than the user, still fun and great for beginners.
The nmap scan:
It can be said that only port 80 of the portal is available. Directly towards the goal, then. Let’s put stocker.htb in the /et/hosts file and take a look at the portal. It seems to be an e-commerce portal (but there don’t seem to be any functional features), let’s immediately identify a possible user “Angoose Garden, Head of IT at Stockers Ltd“, keep that in mind. Let’s scan with dirb, looking for hidden routes.
Nothing interesting, let’s try subdomains.
Bingo, let’s add dev.stocker.htb to the /etc/hosts file and browse the new portal. This time we find something, a login form, probably managed by a back-end in node.js.
I make some first attempts, but it doesn’t seem to be vulnerable to standard SLQi (SQL injection) attacks, even sqlmap doesn’t find anything. In addition to the technologies already mentioned, there is also the HUGO framework. I investigate.
This is a framework for creating portals, but it doesn’t seem to help me. Let’s keep that in mind, we’ll come back to it later if necessary. Let’s do another session with the dirb on this second domain as well.
Again nothing, I have to bypass the login first. Let’s go over what we did a bit and understand. Reviewing the past steps, it occurs to me that it is probably not an SQLi attack that is needed, but NOSQLi. And here I have to admit that I had some difficulty, not in the search for the vulnerability, but in the use of the tools, where once again, the fact was revealed that doing it manually brings its benefits, but let’s proceed step by step and so here are my stubborn mistakes in the desire to use existing tools (because I am convinced that they work better than I can do), to find than the right path in that manual activity which has always paid off.
After a myriad of additional packages to install, I finally succeed, with python 2.7 and pip 2.7. Here’s how to install pip 2.7:
Finally, the launch of the NOSQLi vulnerability scan command.
Despite everything, nothing emerges for the two most popular NOSQL databases; mongodb and couchdb. Let’s go ahead, let’s rely on the best-stocked portal of tricks we know at the moment…
…and find another couple of interesting tools.
Again, however, they don’t seem to work for me. I decide on a few manual steps, so the BurpSuite is a must.
Here’s the call to login, still referring to the hacktricks guidelines, I start going through all the listed payloads and finally find the right one.
And finally, we are in. Now I can buy and request a receipt. The invoice is returned in pdf format, there must be a conversion process. Need to understand which tools are being used to make the conversion. so let’s download the pdf and take a closer look at the metadata.
The producer field provides us with the necessary information, so I search for “skia/pdf exploit” and immediately a series of interesting links are revealed to my eyes.
Ok, the portal cart seems to have remained full, it is not emptied after the purchase, which could make my life easier. Let’s see if I can modify the data inside it in a simple and fast way.
The products are placed in a javascript array named basket. Just change the information contained therein and make a new purchase. Let’s start by passing the most classic payload, just to understand if the vulnerability actually exists: <iframe src=file:////etc/passwd>.
When you open the cart again, the set payload appears.
And when we go to download the invoice, the magic happens.
Do you remember the name of the Head of IT? Ok, needless to say, I immediately tried to reach the user flag file (<iframe width=’1200′ height=’700′ src=file:////home/angoose/user.txt>), but obviously to no avail. At this point the only thing I can do is go look for interesting files such as configuration files, DB connection, credentials, etc… Let’s focus on the technologies that we had identified with the wappalyzer.
Trying with <iframe width=’1200′ height=’1000′ src=file:////etc/nginx/nginx.conf>:
I’d like to see a few more lines of the file, but I think this could be a good starting point; the path in which the portal is published. Let’s cross this information with the fact that the back-end is in node.js and we can try to retrieve the most common filenames used for a project like this: app.js, server.js and index.js.
And using <iframe width=’1200′ height=’1000′ src=file:////var/www/dev/index.js>:
In addition to the mongodb address, in which the application user’s credentials are evident, I have also reported the block of code used to login, in which the point where we attacked via the NOSQLi payload is visible. It’s evident that there is not a dev user who has access via shell, but knowing the nature of the BOX, we can easily apply the password to the one that can use a shell from the list of users (/etc/passwd) obviously excluding the user of root.
And first flag was captured, next step is really very fast, not even an advanced scan was needed. Let’s look at what this user can do as root without a password.
Apparently, we can run node scripts contained in a particular folder. That asterisk, however, highlights an unequivocal traversal path. So I prepare my malicious script. I initially tried to spawn a shell as root, but quickly reverted (child_process didn’t seem to work), so I chose a script that simply reads the root flag file.
And that’s all folks, see you soon my readers and happy hacking activities.
Secjuice – Read More
Start-up Security 101: How to Protect Your Venture from Cybersecurity Risk
/in General NewsDid you know that 43% of cyberattacks target small businesses, yet only 14% are prepared to defend themselves?…
Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More
Intel’s Secure Data Tunnel Moves AI Training Models to Data Sources
/in General NewsThe chip maker’s Tiber Secure Federated AI service creates a secure tunnel between AI models on remote servers and data sources on origin systems.
darkreading – Read More
LockBit Developer Rostislav Panev Extradited from Israel to the US
/in General NewsThe US extradites LockBit ransomware developer, Rostislav Panev, from Israel. Learn how his arrest impacts the fight against…
Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More
End-to-End Encrypted Texts Between Android and iPhone Are Coming
/in General NewsPlus: A nominee to lead CISA emerges, Elon Musk visits the NSA, a renowned crypto cracking firm’s secret (and problematic) cofounder is revealed, and more.
Security Latest – Read More
Cybersecurity in Crypto: Best Practices to Prevent Theft and Fraud
/in General NewsCybersecurity tips to protect your cryptocurrency from hackers, scams, and fraud. Learn best practices for securing digital assets…
Hackread – Latest Cybersecurity, Tech, AI, Crypto & Hacking News – Read More
Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal
/in General NewsCybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as “time” related utilities, but harboring hidden functionality to steal sensitive data such as cloud access tokens.
Software supply chain security firm ReversingLabs said it discovered two sets of packages totaling 20 of them. The packages
The Hacker News – Read More
ClickFix: How to Infect Your PC in Three Easy Steps
/in General NewsA clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.
ClickFix attacks mimic the “Verify You are a Human” tests that many websites use to separate real visitors from content-scraping bots. This particular scam usually starts with a website popup that looks something like this:
This malware attack pretends to be a CAPTCHA intended to separate humans from bots.
Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity.
Executing this series of keypresses prompts Windows to download password-stealing malware.
Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.
Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes malicious code from the site’s virtual clipboard.
Step 3 — pressing the “Enter” key — causes Windows to download and launch malicious code through “mshta.exe,” a Windows program designed to run Microsoft HTML application files.
“This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,” Microsoft wrote in a blog post on Thursday. “Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.”
According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities — all in a bid to convince people to step through one of these ClickFix attacks.
In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. Some of those lures worked, and allowed thieves to gain control over booking.com accounts. From there, they sent out phishing messages asking for financial information from people who’d just booked travel through the company’s app.
Earlier this month, the security firm Arctic Wolf warned about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.
An alert (PDF) released in October 2024 by the U.S. Department of Health and Human Services warned that the ClickFix attack can take many forms, including fake Google Chrome error pages and popups that spoof Facebook.
ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.
The ClickFix attack — and its reliance on mshta.exe — is reminiscent of phishing techniques employed for years that hid exploits inside Microsoft Office macros. Malicious macros became such a common malware threat that Microsoft was forced to start blocking macros by default in Office documents that try to download content from the web.
Alas, the email security vendor Proofpoint has documented plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. When opened, the attachment displays an image of Microsoft Word document with a pop-up error message directing users to click the “Solution” or “How to Fix” button.
HTML files containing ClickFix instructions. Examples for attachments named “Report_” (on the left) and “scan_doc_” (on the right). Image: Proofpoint.
Organizations that wish to do so can take advantage of Microsoft Group Policy restrictions to prevent Windows from executing the “run” command when users hit the Windows key and the “R” key simultaneously.
Krebs on Security – Read More