<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Password-Reuse on appl3b0y</title>
    <link>https://appl3b0y.com/tags/password-reuse/</link>
    <description>Recent content in Password-Reuse on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 04 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/password-reuse/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Help</title>
      <link>https://appl3b0y.com/writeups/help/</link>
      <pubDate>Thu, 04 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/help/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Help&lt;/strong&gt; is an easy Linux box, but it packs in more real-world lessons than most: a &lt;strong&gt;GraphQL&lt;/strong&gt; endpoint that leaks credentials through introspection, a &lt;strong&gt;HelpDeskZ 1.0.2&lt;/strong&gt; install with two known bugs whose public exploits are both broken (so you fix them yourself), a bit of &lt;strong&gt;password reuse&lt;/strong&gt;, and an old &lt;strong&gt;kernel&lt;/strong&gt; that falls to a public CVE.&lt;/p&gt;&#xA;&lt;p&gt;The path: port 3000 runs a Node/Express GraphQL API that all but invites you to query it, and doing so leaks an MD5 hash we crack. Those credentials log us into the HelpDeskZ ticketing app on port 80. HelpDeskZ 1.0.2 has both an authenticated &lt;strong&gt;SQL injection&lt;/strong&gt; and an &lt;strong&gt;arbitrary file upload&lt;/strong&gt;; the Exploit-DB PoCs for both fail on modern Python, so the real work is reading them and reproducing them manually. The SQLi dumps an admin password that is &lt;strong&gt;reused&lt;/strong&gt; for SSH as &lt;code&gt;help&lt;/code&gt;, and the file upload gives a shell directly. Either way we land as &lt;code&gt;help&lt;/code&gt;, and the ancient &lt;strong&gt;4.4.0-116&lt;/strong&gt; kernel gives up root to &lt;strong&gt;CVE-2017-16995&lt;/strong&gt;.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Busqueda</title>
      <link>https://appl3b0y.com/writeups/busqueda/</link>
      <pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/busqueda/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Busqueda&lt;/strong&gt; is an easy Linux box that plays out like a small, realistic engagement: one web bug for the foothold, then a chain of information leaks and a &lt;code&gt;sudo&lt;/code&gt; misconfiguration for root. No memory corruption, just reading things carefully.&lt;/p&gt;&#xA;&lt;p&gt;The foothold is an &lt;strong&gt;&lt;code&gt;eval()&lt;/code&gt; injection&lt;/strong&gt; in &lt;strong&gt;Searchor 2.4.0&lt;/strong&gt;, the library powering the search site. That gives a shell as &lt;code&gt;svc&lt;/code&gt;. From there the box is about looting: a leftover &lt;code&gt;.git/config&lt;/code&gt; exposes a Gitea instance and a set of credentials, and a &lt;code&gt;sudo&lt;/code&gt;-runnable &amp;ldquo;system checkup&amp;rdquo; script lets us inspect Docker containers, one of which leaks a database password. That password is &lt;strong&gt;reused&lt;/strong&gt; for the Gitea admin, which lets us read the source of the very script we can run as root. The script calls a helper by a &lt;strong&gt;relative path&lt;/strong&gt;, so we drop our own version in the working directory and run it as root.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
