Approach and Takeaways from TJNull's 2021 List: First 25 Easy Machines

I'm putting together these notes mainly for myself, to help me on my long-term OSCP journey. But then I thought, why not share them with fellow enthusiasts like you who are on the same path? I pulled this info straight from my Notion, specifically from the sticky-notes column of the HTB database on TJ Null's dashboard.

Think of these as sticky notes for Hack The Box machines. Caution! This content is based solely on my perspective, and these approaches may or may not fit your methods. Note that all of these approaches are designed without using Metasploit.

LINUX

Lame

Samba > anonymous login > shell upload > root access

Shocker

HTTP > dir bruteforce > /cgi-bin/user.sh > shell upload via User-Agent header > user shell > perl (GTFOBins) > root shell

Bashed

HTTP > dir bruteforce > /dev/phpbash.php > shell upload > user shell > cron jobs @ /scripts > root shell

Nibbles

HTTP > dir bruteforce > /nibbleblog/admin.php > admin:nibbles > RCE via file upload in the My Image plugin > user shell > sudo-based privilege escalation - monitor.sh > root shell

Sense

HTTPS > dir bruteforce > /system-users.txt > pfSense login > exploit CVE-2014-4688 > root shell

Valentine

HTTP/HTTPS > dir bruteforce > /dev > exploit Heartbleed > SSH > user shell > exploit Dirty COW > root shell

Swagshop

HTTP > dir bruteforce > /index.php/admin > older Magento > exploit Shoplift to add an admin > exploit 37811 > user shell > GTFOBins vi > root shell

Networked

HTTP > dir bruteforce > /backup > upload shell.php.png > user shell > sudo-based privilege escalation - changename.sh > root shell

Irked

UnrealIRCd > exploit UnrealIRCd backdoor > extract with steghide > SSH > user shell > sudo-based privilege escalation - viewuser > root shell

Beep

HTTPS > Elastix > RCE via 18650 > user shell > sudo-based privilege escalation - nmap/chmod > root shell

Sunday

finger > finger-user-enum.pl > SSH with default creds > user shell > sudo-based privilege escalation - troll > root shell

Friendzone

SMB > SMB share information disclosure > HTTPS > dir bruteforce > DNS zone transfer > subdomain endpoints > dir bruteforce > LFI > shell upload @ SMB /development > user shell > cron > Python library hijack - os.py > root shell

WINDOWS

Legacy

SMB > exploit MS17-010 - EternalBlue > root shell

Blue

SMB > exploit MS17-010 - EternalBlue > root shell

Devel

FTP > anonymous login > upload ASPX shell > user shell > Watson - exploit MS11-046 > root shell

Optimum

HTTP > Rejetto HFS - CVE-2014-6287 > user shell > Watson/Sherlock - MS16-032 > root shell

Grandpa

HTTP > exploit WebDAV > user shell > token impersonation - churrasco > root shell

Jerry

HTTP > Tomcat Manager > default creds > deploy WAR file > WAR shell upload > root shell

Bastion

SMB > mount share, VHD > extract creds > psexec with credentials > user shell > local SYSTEM conf files > extract creds > SSH > root shell

Buff

HTTP > exploit Gym Management System > user shell > CloudMe BOF exploit > root shell

Active

SMB > user enumeration > crack password > user shell > Kerberoasting > extract hashes > Pass-the-Hash > root shell

Granny

HTTP > WebDAV > upload .aspx web shell > user shell > exploit MS14-058 > root shell

Arctic

HTTP > exploit ColdFusion 8 > upload JSP shell > user shell > exploit MS10-059 - Chimichurri > root shell

Bounty

HTTP > dir bruteforce > ASP shell upload > user shell > Watson/Sherlock > kernel exploit / JuicyPotato exploit > root shell

Servmon

FTP > anonymous login > HTTP > exploit NVMS-1000 - directory traversal > extract creds > SSH with creds > user shell > exploit NSClient++ > shell upload > root shell

Abhay Pandit

OSCP+ || eJPTv2 || Cyber Security Student || Penetration Tester

7 months

I really like your note-taking style.
