OSWE Prep — Hack The Box Magic

This is the 1st blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSWE. The full list of OSWE like machines compiled by TJ_Null can be found here. This box is not on TJ_Null’s list, however, when working on the initial foothold, I found it to be very similar to an exercise I worked on in the OSWE labs and therefore, made the decision to include it in the list of boxes.

The blog will be divided into three sections:

• Box Walkthrough: This section provides a walkthrough of how to solve the box.
• Automated Script(s): This section automates the web application attack vector(s) of the box. This is in an effort to improve my scripting skills for the OSWE certification.
• Code Review: This section dives into the web application code to find out what portion(s) of the insecure code introduced the vulnerabilities. Again, this is in an effort to improve my code review skills for the OSWE certification.

Box Walkthrough

This section provides a walkthrough of how to solve the box.

Reconnaissance

Run AutoRecon to enumerate open ports and services running on those ports.

autorecon.py 10.10.10.185