Writeups
The Archive
Machines, fortresses, challenges & CTF solutions.
HackTheBox: Postman
An Easy Linux box: an unauthenticated Redis 4.x instance writes an SSH key into the redis user's authorized_keys for a foothold, an encrypted /opt/id_rsa.bak cracks to computer2008 to reach Matt via su, and Webmin 1.910 falls to CVE-2019-12840 command injection (running as root) for a root shell.
HackTheBox: Trick
An Easy Linux box: a DNS zone transfer leaks a preprod payroll vhost, a boolean SQL injection with the MySQL FILE privilege reads the nginx config to expose a second vhost, then a str_replace LFI bypass combined with SMTP mail-spool poisoning lands RCE as michael — and a writable fail2ban action plus a passwordless sudo restart escalates to root.
Critical Ops
An HTB web challenge: the app shipped its JWT signing key in the client-side bundle, so reading it from DevTools let me forge an admin token, hit a privileged endpoint and grab the flag.
HackTheBox: Fluffy
An assumed-breach Windows AD box: steal a second user's NTLM hash with CVE-2025-24071, map ACLs in BloodHound, abuse GenericAll/GenericWrite with bloodyAD + Certipy shadow credentials to reach winrm_svc, then exploit an ADCS ESC16 misconfiguration to impersonate the Administrator.
HackTheBox: Support
An Easy Windows AD box: reverse-engineering a custom .NET binary to recover LDAP credentials, looting a plaintext password from an AD info attribute, then chaining GenericAll → RBCD to impersonate Administrator for SYSTEM.
HTB Fortress: Akerva
An 8-flag HTB Fortress: leaking a backup script over SNMP, bypassing auth with HTTP verb tampering, abusing a Flask LFI to forge the Werkzeug debugger PIN for RCE, then PwnKit to root and a Vigenère-encrypted final flag.
HackTheBox: Helix
A Medium Linux box: abusing an exposed Apache NiFi instance for RCE through H2 SQL aliases, recovering an SSH key from a support bundle, then driving an OPC UA / ICS reactor over an SSH tunnel to open a privileged maintenance window and reach root.
byp4ss3d, picoMini by CMU-Africa
Bypassing a file upload filter on Apache by abusing .htaccess to execute a PHP webshell disguised as a JPEG, achieving full RCE and reading the flag.