Puzzles on

Facts

Tue, 03 Feb 2026 07:07:07 +0100

Information Gathering

> nmap 10.129.22.202 -sCV -p- --open

22
- SSH is blocked by authentication
80
- HTTP hosting a simple website with facts to read.
54321 HTTP – redirect to 9001

Exploitation

By walking the site, we find an admin login page by reading the page source.
From there we are able to create a new admin account.
- This new account doesn’t have full privileges.
However, we see that it is using Camaleon CMS version 2.9.0
- This has a Mass Assignment vulnerability for Privilege Escalation
- CVE-2025-2304
- We can use this proof of concept: https://github.com/d3vn0mi/cve-2025-2304-poc
Using the exploit, we get access to the admin panel.
- This website is using Ruby. So we can try to get a ruby Reverse shell by uploading a file.
- I think this may be possible as well with more time.
Instead, using another CVE we get file inclusion.
With the exploit we read /home/trivia/.ssh/id_ed25519
- This will output the user’s private ssh key:

——BEGIN OPENSSH PRIVATE KEY—– b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBBjiZADO dtctyuCfPvlK6JAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIBGGQJW4pNnMqYSI CpzP1BZ+GsR5Sox+8tBAIsX2Ev9RAAAAoI3/9swkZHFRnU1w+ylzRNebxOWg5T+9HRDi/s PFWehTZVCrG8AliD7+Sfdal2IMDeR4Y7gyJRtWHOfuCnbXvFy0nIbEENRGBBs6mpMp6Gp8 HrRnw5L1fzdbEREr4AKUrDEijp2sUAt1ybzj0WQclSXPOSEwDk+OSj5Z1P2CeYKKIPrLKz Swqe9ptBowCkgZ3WFJeX2uStN2YSXcytaClwo= —–END OPENSSH PRIVATE KEY—–

MonitorsFour

Tue, 03 Feb 2026 07:07:07 +0100

Information Gathering

> nmap 10.129.17.45 -sCV -oV -o htb/MonitorsFour/nmap -p-

port	service
80	http/nginx
5985	http/Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Port 5985

The root of the website is a 404 page. Running dirsearch showed a few 403 errors but nothing accessible

Port 80

subdomains:

cacti.monitorsfour.htb

Directories found using dirsearch:

/contact
/login
/user
/static
/views

In the login page source code we can see that it makes a POST request to /api/v1/auth.

Advent of Cyber: Dec 1st

Mon, 01 Dec 2025 07:07:07 +0100

Introduction

This was an interesting event. We didn’t end up completing the ‘sidequest’ but some of it was fun; a few parts were tedious. The sidequest after getting the egg was, by far, more interesting but it got late and never got around to completing more calendar days nor the sidequest. Doing all that work just for a PNG of an egg that unlocks more work was fun in its own respect and gave us a good laugh lol.

CodeTwo

Sat, 23 Aug 2025 07:07:07 +0100

Information Gathering

The server has two ports open:

22
- SSH is blocked by authentication
8000
- Running a simple webpage with a login, register, and download link
- Login and register are not vulnerable to SQL injection
- The download link downloads the code for the web application
- After creating an account we see that you can input JavaScript code and run in on the application as well as download written code.

After downloading the app.zip from the web application we can read through app.py and other components of the application.

Artificial

Tue, 01 Jul 2025 07:07:07 +0100

Enum

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
|   256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_  256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Artificial - AI Solutions
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Dirsearch

Target: http://artificial.htb/

[22:13:55] Starting:                                                               
[22:14:25] 302 -  199B  - /dashboard  ->  /login                      
[22:14:36] 200 -  857B  - /login                                     
[22:14:37] 302 -  189B  - /logout  ->  /                              
[22:14:49] 200 -  952B  - /register

Shell using tensorflow vulnerability

Setup Docker Image
Install Vim, remove export and build the image
Run the python code to create our exploit
Upload the .h5 file through the file upload

Shell popped

We can see app.py in the home directory

TwoMillion

Wed, 18 Jun 2025 07:07:07 +0100

Recon

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://2million.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.04 seconds

22 OpenSSH 8.9p1

80 nginx

|-> Redirect to http://2million.htb
|-> curl 10.10.11.221:80

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

[!Note] Have to add 2million.htb to /etc/hosts

Lame

Tue, 10 Jun 2025 07:07:07 +0100

Recon

NMAP

└─$ nmap -sC -sV 10.10.10.3 -p-  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 17:11 EDT
Stats: 0:01:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 31.33% done; ETC: 17:14 (0:02:38 remaining)
Nmap scan report for 10.10.10.3
Host is up (0.048s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 10.10.14.39
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:                                                        
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)        
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)        
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel        
                                                                      
Host script results:                                                  
| smb-security-mode:                                                  
|   account_used: guest                                               
|   authentication_level: user                                        
|   challenge_response: supported                                     
|_  message_signing: disabled (dangerous, but default)                
| smb-os-discovery:                                                   
|   OS: Unix (Samba 3.0.20-Debian)                                    
|   Computer name: lame                                               
|   NetBIOS computer name:                                            
|   Domain name: hackthebox.gr                                        
|   FQDN: lame.hackthebox.gr                                          
|_  System time: 2025-06-10T17:15:23-04:00                            
|_smb2-time: Protocol negotiation failed (SMB2)                       
|_clock-skew: mean: 2h00m33s, deviation: 2h49m44s, median: 31s

21 ftp

	|-> anonymous login allowed
	|-> SearchSploit:

vsftpd 2.3.4 - Backdoor Command Execution                        | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)           | unix/remote/17491.rb

22 ssh

|-> SearchSploit:

OpenSSH 2.3 < 7.7 - Username Enumeration                         | linux/remote/45233.py
OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)                   | linux/remote/45210.py
OpenSSH < 6.6 SFTP (x64) - Command Execution                     | linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execution                           | linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix | linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading         | linux/remote/40963.txt
OpenSSH < 7.7 - User Enumeration (2)                             | linux/remote/45939.py

139 netbios-ssn Samba 3.x-4.x

445 netbios-ssn Samba 3.0.20

|-> SearchSploit:

Samba 3.0.20 < 3.0.25rc3 - 'Username' map script' Comma | unix/remote/16320.rb
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow ( | linux/remote/9950.rb
Samba 3.0.24 (Linux) - 'lsa_io_trans_names' Heap Overfl | linux/remote/16859.rb
Samba 3.0.24 (Solaris) - 'lsa_io_trans_names' Heap Over | solaris/remote/16329.rb
Samba 3.0.27a - 'send_mailslot()' Remote Buffer Overflo | linux/dos/4732.c
Samba 3.0.29 (Client) - 'receive_smb_raw()' Buffer Over | multiple/dos/5712.pl
Samba < 3.0.20 - Remote Heap Overflow                   | linux/remote/7701.txt
Samba < 3.6.2 (x86) - Denial of Service (PoC)           | linux_x86/dos/36741.py

3632 distccd V1

Exploitation

Samba 3.0.20 has an RCE exploit that can be run in metasploit.
After that we get a root shell and the box is PWNed

Cap

Mon, 09 Jun 2025 07:07:07 +0100

Recon

NMAP

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    Gunicorn
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

searchspoit

vsftpd 3.0.3 - Remote Denial of Service

Walking the Web App

Port 80

We get a dashboard
- Logged in by default as user Nathan
  - Cookies?
    - Nope
- We see security snapshots page
  - PCAP analysis
  - Hint here perhaps the name of the box
    - Don’t see anything useful here
- Ipconfig output page
- Network status page
  - We see connections

Dir search

These pages are not accessible to dirsearch but we are automatically logged in

[23:11:25] 302 -  208B  - /data  ->  http://10.10.10.245/                   
[23:11:25] 302 -  208B  - /data/adminer.php  ->  http://10.10.10.245/       
[23:11:25] 302 -  208B  - /data/autosuggest  ->  http://10.10.10.245/       
[23:11:26] 302 -  208B  - /download/users.csv  ->  http://10.10.10.245/     
[23:11:26] 302 -  208B  - /download/history.csv  ->  http://10.10.10.245/

WireShark

Downloading 0.pcap
We see a FTP connection and the username and password are shown
- USER nathan
- PASS Buck3tH4TF0RM3!
logging in, we see user.txt and linpeas is on the system
SSH password is the same password

PE

LinPeas

LinPeas shows 95% PE chance on: CVE-2021-3560

Blueprint

Fri, 21 Jun 2024 07:07:07 +0100

New Vocabulary

LM hash (LanMan Hash)
- a compromised password hashing function that was the primary hash that Microsoft LAN manager and Windows used to store passwords
NTLM (New Technology LAN Manager)
- a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. NTLM is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain or a server running a stand-alone Windows computer.

Accessing MariaDB (unauthorized)

mysql -h 10.10.120.20 -u root
- Not allowed to connect to this MariaDB server from IP

Exploit osCommerce 2.3.4

https://www.exploit-db.com/exploits/44374

A Time Before

Mon, 01 Jan 2024 07:07:07 +0100

Though the date is marked differently, I am writing this on 02-07-2026…

I have lots of notes of the CTFs completed on Try Hack Me but they are nearly incoherent. Before this point (and even after) I had not learned how to take CTF notes and some of the early notes were just in a GUI text editor on Kali - But we all start somewhere, eh?

My note taking for challenges, and in general, has improved greatly over time. I went backwards through time adding my notes to this blog and it is cool seeing my documentation and technical improvement.