https://z3r0s6.github.io/tags/hard/Recent content in Hard on z3r0sHugoenSun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/web-resizer/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/web-resizer/<h1 id="resizer-writeup"> Resizer Writeup <a class="heading-link" href="#resizer-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge"> Challenge <a class="heading-link" href="#challenge"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li>Name: <code>Resizer</code></li> <li>Category: <code>Web</code></li> <li>Target: <code>http://154.57.164.66:30462</code></li> </ul> <h2 id="tldr"> TL;DR <a class="heading-link" href="#tldr"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>The core bug is an <strong>arbitrary file write through path traversal</strong> in the upload filename:</p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>filename <span style="color:#ff7b72;font-weight:bold">=</span> file<span style="color:#ff7b72;font-weight:bold">.</span>filename </span></span><span style="display:flex;"><span>filepath <span style="color:#ff7b72;font-weight:bold">=</span> os<span style="color:#ff7b72;font-weight:bold">.</span>path<span style="color:#ff7b72;font-weight:bold">.</span>join(app<span style="color:#ff7b72;font-weight:bold">.</span>config[<span style="color:#a5d6ff">&#39;UPLOAD_FOLDER&#39;</span>], filename) </span></span><span style="display:flex;"><span>file<span style="color:#ff7b72;font-weight:bold">.</span>save(filepath) </span></span></code></pre></div><p>Because <code>filename</code> is never sanitized with <code>secure_filename()</code> and <code>os.path.join()</code> does not stop <code>../</code>, we can write files outside <code>uploads/</code>.</p>https://z3r0s6.github.io/machines/pirate/Sun, 26 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pirate/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>OS</td> <td>Windows (Active Directory)</td> </tr> <tr> <td>Domain</td> <td>PIRATE.HTB</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Pirate is a Hard-rated multi-host Windows Active Directory machine simulating a realistic corporate environment with three domain-joined machines. The attack chains <strong>six distinct AD primitives</strong> with no CVEs required - every step exploits misconfigurations:</p> <p><strong>Pre-Windows 2000 Compatible Access</strong> (MS01$ machine account auth) → <strong>gMSA password extraction</strong> via LDAP → <strong>Pass-the-Hash</strong> over WinRM on DC01 → <strong>L3 network pivot</strong> via Ligolo-ng to the internal <code>192.168.100.0/24</code> subnet → <strong>NTLM relay</strong> to LDAPS with RBCD to gain WEB01 Administrator → user flag → <strong>SPN injection</strong> with Constrained Delegation abuse to impersonate Domain Admin on DC01 → root flag.</p>https://z3r0s6.github.io/machines/logging/Sun, 12 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/logging/<h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>OS</td> <td>Windows Server 2019</td> </tr> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>IP</td> <td>10.129.X.X</td> </tr> <tr> <td>Domain</td> <td>logging.htb</td> </tr> <tr> <td>DC</td> <td>dc01.logging.htb</td> </tr> </tbody> </table> <p><strong>Attack Chain:</strong> <code>Anonymous SMB → Credentials in Logs → Shadow Credentials (gMSA) → WinRM → DLL Hijack → Domain User Shell → ESC17 (ADCS + WSUS MitM) → SYSTEM</code></p> <hr> <h2 id="1-reconnaissance"> 1. Reconnaissance <a class="heading-link" href="#1-reconnaissance"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <h3 id="port-scan"> Port Scan <a class="heading-link" href="#port-scan"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h3> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>rustscan -a 10.129.X.X --ulimit <span style="color:#a5d6ff">5000</span> -- -sV </span></span></code></pre></div><p><strong>Key open ports:</strong></p>https://z3r0s6.github.io/machines/garfield/Sun, 22 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/garfield/<blockquote> <p><strong>Difficulty:</strong> Hard | <strong>Platform:</strong> Windows Active Directory | <strong>Category:</strong> Seasonal<br> <strong>Tags:</strong> <code>active-directory</code> <code>smb</code> <code>kerberos</code> <code>rbcd</code> <code>rodc</code> <code>golden-ticket</code> <code>keylist</code> <code>mimikatz</code> <code>rubeus</code></p> </blockquote> <hr> <h2 id="machine-info"> Machine Info <a class="heading-link" href="#machine-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <table> <thead> <tr> <th>Field</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Machine Name</td> <td>Garfield</td> </tr> <tr> <td>IP Address</td> <td>10.129.27.196 (initial) / 10.129.23.120 (reset)</td> </tr> <tr> <td>OS</td> <td>Windows Server 2019 (Domain Controller)</td> </tr> <tr> <td>Domain</td> <td>garfield.htb (GARFIELD.HTB)</td> </tr> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>Starting Creds</td> <td><code>j.arbuckle / Th1sD4mnC4t!@1978</code></td> </tr> </tbody> </table> <hr> <h2 id="1-executive-summary"> 1. Executive Summary <a class="heading-link" href="#1-executive-summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Garfield is a Hard-rated Windows Active Directory machine on Hack The Box's seasonal lineup. It simulates a real-world corporate AD environment with multiple chained vulnerabilities spanning SMB misconfigurations, AD ACL abuse, logon script hijacking, RBCD (Resource-Based Constrained Delegation) attacks, Read-Only Domain Controller (RODC) compromise, and a KeyList attack to retrieve the main DC's Administrator hash - ultimately achieving full domain compromise.</p>