https://maccioniandrea.com/categories/hackthebox/ Recent content in HackTheBox on Maccioni Andrea - Portfolio Hugo en Sun, 14 Jun 2026 00:00:00 +0000 https://maccioniandrea.com/posts/htb-gavel-writeup/ Sun, 14 Jun 2026 00:00:00 +0000 https://maccioniandrea.com/posts/htb-gavel-writeup/ <p><strong>Difficulty:</strong> Medium<br> <strong>Operating System:</strong> Linux</p> <hr> <h1 id="executive-summary">Executive Summary</h1> <p>Gavel is a Linux machine that combines source code disclosure, application security flaws, and custom software analysis to achieve full system compromise.</p> <p>The attack begins with an exposed Git repository, leading to source code disclosure and identification of a PDO placeholder confusion vulnerability. After obtaining administrative access to the web application, arbitrary PHP code execution is achieved through insecure runtime rule evaluation. Finally, a custom root-owned service is reversed and abused to gain root privileges.</p> https://maccioniandrea.com/posts/htb-interpreter-writeup/ Sat, 14 Feb 2026 00:00:00 +0000 https://maccioniandrea.com/posts/htb-interpreter-writeup/ <blockquote> <p><strong>Difficoltà:</strong> Medium<br> <strong>OS:</strong> Linux (Debian 12)<br> <strong>IP:</strong> 10.129.5.191<br> <strong>Categorie:</strong> CVE, Deserialization, Python Injection, Privilege Escalation</p> </blockquote> <hr> <h2 id="indice">Indice</h2> <ol> <li><a href="#panoramica">Panoramica</a></li> <li><a href="#ricognizione">Ricognizione</a></li> <li><a href="#foothold--cve-2023-43208-mirth-connect-rce">Foothold — CVE-2023-43208 (Mirth Connect RCE)</a></li> <li><a href="#lateral-movement--crack-hash-pbkdf2-e-accesso-ssh-come-sedric">Lateral Movement — Crack hash PBKDF2 e accesso SSH come <code>sedric</code></a></li> <li><a href="#privilege-escalation--python-f-string-injection-su-notifpy">Privilege Escalation — Python F-String Injection su <code>notif.py</code></a></li> <li><a href="#lezioni-apprese">Lezioni Apprese</a></li> </ol> <hr> <h2 id="panoramica">Panoramica</h2> <p>La macchina <strong>Interpreter</strong> simula un ambiente ospedaliero reale che utilizza <strong>Mirth Connect</strong>, un middleware per l&rsquo;integrazione di dati sanitari (standard HL7). La catena di attacco si compone di tre fasi principali:</p> https://maccioniandrea.com/posts/htb-eighteen-writeup/ Wed, 14 Jan 2026 00:00:00 +0000 https://maccioniandrea.com/posts/htb-eighteen-writeup/ <p><strong>Difficulty:</strong> Medium<br> <strong>Operating System:</strong> Windows</p> <hr> <h1 id="executive-summary">Executive Summary</h1> <p>Eighteen is a Windows Active Directory machine that combines database misconfigurations, password reuse, and modern Active Directory abuse techniques to achieve full domain compromise.</p> <p>The attack begins with access to a Microsoft SQL Server instance, progresses through credential recovery and password reuse, and ultimately leverages the BadSuccessor technique to abuse delegated Managed Service Accounts (dMSA), resulting in Domain Administrator privileges.</p> <hr> <h1 id="attack-path">Attack Path</h1> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>MSSQL Access (kevin) </span></span><span style="display:flex;"><span> → Login Impersonation (appdev) </span></span><span style="display:flex;"><span> → Financial Planner Database </span></span><span style="display:flex;"><span> → PBKDF2 Credential Recovery </span></span><span style="display:flex;"><span> → Password Reuse </span></span><span style="display:flex;"><span> → WinRM Access (adam.scott) </span></span><span style="display:flex;"><span> → BadSuccessor (dMSA Abuse) </span></span><span style="display:flex;"><span> → Kerberos Impersonation </span></span><span style="display:flex;"><span> → DCSync </span></span><span style="display:flex;"><span> → Domain Administrator </span></span></code></pre></div><hr> <h1 id="reconnaissance">Reconnaissance</h1> <h2 id="service-enumeration">Service Enumeration</h2> <p>Initial enumeration revealed a limited attack surface:</p>