# Starting Point (Hack The Box) ## Tier 0 Labs - [[Meow Write-up|Meow]] (Telnet) - [[Fawn Write-up|Fawn]] (FTP) - [[Dancing Write-up|Dancing]] (SMB) - [[Redeemer Write-up|Redeemer]] (Redis) - [[Explosion Write-up|Explosion]] (RDP) - [[Preignition Write-up|Preignition]] (gobuster) - [[Mongod Write-up|Mongod]] (MongoDB) - [[Synced Write-up|Synced]] (Rsync) ## Tier 1 Labs - [[Appointment Write-up|Appointment]] (SQL Injection) - [[Sequel Write-up|Sequel]] (MySQL) - [[Crocodile Write-up|Crocodile]] (Wappalyzer, gobuster) - [[Responder Write-up|Responder]] (John the Ripper, evil-winrt, responder) - [[Three Write-Up|Three]] (S3 reverse shell with php, gobuster subdomain enumeration) - [[Bike Write-up|Bike]] (Handlebars Server Side Template Injection with Burp Suite) - [[Funnel Write-up|Funnel]] (Hydra) - [[Pennyworth Write-up|Pennyworth]] (Jenkins remote code execution via Groovy script) - [[Tactics Write-Up|Tactics]] (Impacket) ## Tier 2 Labs - [[Archetype Write-up|Archetype]] (Impacket's `mssqlclient.py`, WinPEAS) - [[Oopsie Write-Up|Oopsie]] (SUID privilege escalation, Burp Suite) - [[Vaccine Write-up|Vaccine]] (John the Ripper, `sqlmap`, `hashcat`, `hashid`) - [[Unified Write-up|Unified]] (`mkpasswd`, log4j to access UniFi and modify admin password in DB) - [[Included Write-up|Included]] (LXD container user group privilege escalation and local file inclusion via TFTP) - [[Markup Write-up|Markup]] (XML External Entity used to extract ssh key, privilege escalation by replacing existing privileged log script) - [[Base Write-up|Base]] (using recovered VIM swap file to read backend code, bypassing php `strcmp`, `sudo find` for escalation)