xxe

MACHINE Linux

HackTheBox: Pollution

A Hard Linux box: a leaked Burp history file in a MyBB forum exposes an admin token, an XXE in the admin panel reads files to crack an .htpasswd hash, a Redis session write bypasses the developers login, a PHP filter-chain LFI gives a www-data shell, a FastCGI attack on php-fpm pivots to victor, and lodash prototype pollution in a root Node.js API escalates to root.

MACHINE Linux

HackTheBox: Snoopy

A Linux box: an LFI on /download leaks the Bind9 TSIG key to hijack DNS and add a mail record, a Mattermost password reset is intercepted via Postfix, an SSH-honeypot plugin captures cbrown's creds, a sudo git apply symlink writes an SSH key for sbrown, and a ClamAV XXE (CVE-2023-20052) leaks root's SSH key.