Hack The Box: Guardian Machine Walkthrough โ€“ Hard Difficulty

๐Ÿ” User Flag โ€” Compromising the Application Layer

Successfully rooted the Guardian (Hard) machine on Hack The Box by chaining multiple real-world web vulnerabilities.Initial access was achieved through credential abuse and IDOR within the student portal. Leaked chat credentials exposed internal Gitea repositories containing hardcoded database secrets. A vulnerable XLSX file upload feature allowed formula injection โ†’ XSS โ†’ session hijacking. Leveraging CSRF, I created a rogue admin account and escalated privileges within the application. From there, an LFI vulnerability combined with a PHP filter chain led to Remote Code Execution. After gaining a shell as www-data, I reused leaked credentials to pivot laterally to user jamil, capturing the user flag.

๐Ÿ‘‘ Root Flag โ€” From Code Injection to Full System Compromise

Privilege escalation started with sudo -l, revealing that jamil could execute a Python utility as user mark without a password. Since one of the Python files was writable, I injected code to spawn a shell as mark. Further enumeration uncovered a custom binary (safeapache2ctl) executable as root. A flawed validation mechanism in its Apache config parsing allowed path traversal and arbitrary file inclusion. By crafting a malicious shared object (evil.so) and abusing the wrapperโ€™s improper include validation, I achieved root-level code execution and obtained a root shell.

The post Hack The Box: Guardian Machine Walkthrough โ€“ Hard Difficulty appeared first on Threatninja.net.

Read More >>

Moment Iranian strike hits US military base in Bahrain

Black smoke rose over Manama after Iranโ€™s Revolutionary Guard said it struck the US 5th Fleet in Bahrain in retaliation for joint US-Israel attacks. A centre at the headquarters of the US Fifth Fleet was hit by a ‘missile attack’, the country’s authori…

Read More >>

Dubai shuts airport & flights halted in Middle East leaving thousands stranded as Iran blitz sparks chaos for tourists

TOURISTS have been thrown into turmoil after a wave of flight cancellations between Western Europe and the Middle East following US and Israeli strikes on Iran. The โ€œmajor combat operationโ€ announced by Donald Trump on Saturday morning triggered immedi…

Read More >>