Uncategorized
-
Another writeup after a long time, This room is based on privilege escalation. To get the flag, we need to obtain Frank’s password After logging in as user frank, we checked the environment variables: echo $PATH Output: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:… The current directory (/tmp) was not in the PATH. ⚙️ Exploitation — PATH Hijacking Step 1: Create…
-
🔺 CIA Triad Think of it like protecting your phone. 1️⃣ Confidentiality = Keep it Secret Only the right people can see the data. Example:Your phone has a password so strangers can’t read your messages. 👉 If someone steals your password → Confidentiality is broken 2️⃣ Integrity = Keep it Correct Data should not be…
-
Yo everyone, back with another write-up, I started with an Nmap scan and found ports 22, 80, and FTP open. FTP took a long time to respond. After visiting the web page, I checked the Apache default page and it mentioned adding team.thm to the hosts file. I added it, then ran Gobuster on the domain to…
-
Yo everyone, welcome back again, Today we’re taking on a Hack The Box machine called Soulmate. I kicked things off with a very basic Nmap scan, and surprise surprise, nothing crazy showed up. Only port 22 (SSH) and port 80 (HTTP) were open. No buffet here, just the usual two dishes. So instead of overthinking, I…
-
So let’s go Answer: unranked-wisdom-anthem 2. Browse to http://MACHINE_IP from within the AttackBox and try to access the mailbox of the factory user to see if the previously harvested admin password has been reused on the email portal. What is the total number of toys expected for delivery? Answer: 1984000
-
ok let’s go Answer: ls 2. What flag did you see inside of the McSkidy’s guide? Answer: THM{learning-linux-cli} 3. Which command helped you filter the logs for failed logins: Answer: grep 4. What flag did you see inside the Eggstrike script? Answer: THM{sir-carrotbane-attacks} 5. Which command would you run to switch to the root user:…
-
In November 2025, Anthropic, the company behind the AI model Claude revealed something the cybersecurity world knew was coming one day, but hoped would be far in the future:A state-sponsored hacking group used an AI system to carry out a major cyberattack with very little human involvement. This isn’t just “AI helped hackers.”It’s the first…
-
basically just download both py files and run code.py file we will immediately get the flag but, don’t forget to check what happened actually in codetxt.py file because it seems pretty interesting What’s Going On So, to decrypt the flag:
-
IntroCross-Site Scripting (XSS) is a web vulnerability where an attacker injects malicious code (usually JavaScript) into pages viewed by others. For bug hunters, XSS is one of the most common and valuable finds because it can steal cookies, perform actions as users, or pivot to further attacks. This post explains XSS in clear, practical terms…
-
Introduction: Brutus is an entry-level DFIR challenge with two artifacts: auth.log and wtmp. The goal is to trace an SSH brute-force attack where the attacker cracks the root password. What the challenge contains? We are given the system’s authentication log and the login record. By examining auth.log, we look for many failed SSH password attempts…
