
Planning Hack the Box Walkthrough

Welcome to another Hack the Box exercise. In this blog post, I will show you how I owned the Planning machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cybersecurity jobs. You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment, and subscribe to my YouTube channel and also follow me on LinkedIn for more updates.


About the Machine

Planning is an easy Linux machine on HackTheBox that demonstrates a well-paced attack chain involving reconnaissance, password reuse, enumeration of internal services, and Docker exploitation. The box is themed around a fictional project management environment where users manage infrastructure using tools like Grafana and Docker containers.

Once on the box as a low-privileged user, we analyze cron jobs and discover a Docker container being regularly backed up. The backup process includes a ZIP archive encrypted with a hardcoded password, which can be extracted and inspected to retrieve sensitive information. Internal services such as MySQL and a local service on port 8000 are only accessible via SSH tunneling, which is essential to pivot deeper into the host.

The machine concludes with the enumeration of internal Docker services and privilege escalation via Docker misuse or cron job manipulation, ultimately leading to root access.
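
A defender's check for the cron backup weakness described above (a ZIP password hardcoded in a scheduled job), added here as an example and not part of the original walkthrough. It scans crontab text for archive passwords passed on the command line and for inline secret assignments; the sample crontab, passwords and paths are constructed, and `audit_crontab` is a hypothetical helper name.

```python
import re
import shlex

SEPARATE = {"zip": ("-P", "--password")}      # Info-ZIP takes: -P <password>
ATTACHED = {"7z": "-p", "7za": "-p"}          # 7-Zip takes:   -p<password>
ASSIGN = re.compile(r"(?i)^[\w-]*(?:pass(?:word|wd)?|secret|token)[\w-]*=(?P<v>.+)$")

def audit_crontab(text):
    """Return (line_no, reason, redacted_line) for entries embedding a literal secret."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:                     # unbalanced quotes: best-effort split
            tokens = line.split()
        tool, hits = None, []
        for i, tok in enumerate(tokens):
            base = tok.rsplit("/", 1)[-1]      # strip any directory from the binary path
            if base in SEPARATE or base in ATTACHED:
                tool = base
            elif tool in SEPARATE and tok in SEPARATE[tool] and i + 1 < len(tokens):
                hits.append((f"{tool} {tok} password on command line", tokens[i + 1]))
            elif tool in ATTACHED and tok.startswith(ATTACHED[tool]) and len(tok) > 2:
                hits.append((f"{tool} -p password on command line", tok[2:]))
            elif (m := ASSIGN.match(tok)):
                hits.append(("secret assigned inline", m.group("v")))
        for reason, secret in hits:
            if secret.startswith("$"):         # variable or command substitution, not a literal
                continue
            findings.append((no, reason, raw.replace(secret, "<redacted>")))
    return findings

# Constructed sample crontab (not taken from the machine).
SAMPLE = """\
# nightly container backup
0 2 * * * root docker save app -o /tmp/app.tar && /usr/bin/zip -P 'Examp1e-Pw' /backups/app.zip /tmp/app.tar
DB_PASSWORD=example-db-pw
30 2 * * * root 7z a -pExamp1e-Pw2 /backups/db.7z /var/lib/dbdump
0 3 * * * root zip -P "$BACKUP_PW" /backups/etc.zip /etc/app
"""

if __name__ == "__main__":
    for no, reason, redacted in audit_crontab(SAMPLE):
        print(f"line {no}: {reason}: {redacted}")
```

The last sample entry is not flagged because its password comes from a variable, not a literal in the job definition.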

Planning Hack the Box Walkthrough

The first step in owning the Planning machine, as I have always done in my previous writeups, is to connect my Kali Linux terminal to the Hack the Box server. To establish this connection, I ran the following command in the terminal:
