The chain of low‑level misconfigurations and unpatched libraries illustrates how incremental oversights can culminate in complete host compromise, underscoring the need for holistic security hygiene in web applications and infrastructure.
In modern penetration testing, the initial phase often hinges on thorough reconnaissance. The "Guardian" scenario began with an nmap sweep and DNS enumeration that uncovered a hidden sub‑domain, portal.guardian.htb. A publicly accessible PDF contained the default password "GU1234," highlighting the danger of exposing credential artifacts. By automating brute‑force attempts with FFUF, the testers quickly gained footholds across multiple accounts, a reminder that weak default passwords remain a prevalent attack vector across enterprise environments.
Once inside, the attackers pivoted to application‑level flaws. The chat module’s inadequate access controls allowed enumeration of admin messages, leading to the discovery of a Gitea instance. Gitea’s public API inadvertently confirmed whether a given username existed, facilitating targeted credential attacks. Further analysis of the portal’s source code revealed a PhpSpreadsheet XSS vulnerability, which was weaponized via a custom Python script to steal session cookies. Subsequent CSRF exploitation created privileged accounts, while a local file inclusion (LFI) combined with a filter‑chain bypass delivered a remote shell, enabling database extraction and hash cracking. These layered exploits demonstrate how a single vulnerable component can cascade into full system takeover.
The final escalation leveraged misconfigured Apache directives. By manipulating the Include directive and creating symbolic links, the team extracted arbitrary file contents, then crafted a minimal Apache configuration that ran the web server with root privileges. This granted unrestricted file system access and highlighted the critical risk of running services with elevated privileges. For security teams, the "Guardian" walkthrough reinforces the importance of regular credential rotation, strict API exposure policies, timely patching of third‑party libraries, and least‑privilege service configurations to mitigate similar multi‑stage attacks.
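The three Apache weaknesses the final stage depends on (httpd running as root, an Include pulling configuration from a web‑writable directory, and symlink following without an ownership check) can be caught before an attacker does. The auditor below is an added example written for this summary, not code from the walkthrough; the sample configuration and the list of web‑writable directories are constructed, and the checks are heuristics on the directive text rather than a full Apache parser.

```python
import re

# One directive per line: name, then its arguments (Apache block tags like <Directory> are skipped).
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")

# Constructed sample config reproducing the three weak settings plus one safe block.
SAMPLE_CONFIG = """\
User root
Group www-data
IncludeOptional /var/www/html/conf/*.conf
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
<Directory /srv/safe>
    Options FollowSymLinks SymLinksIfOwnerMatch
</Directory>
"""


def audit_apache_config(config_text, writable_dirs=()):
    """Return (line_no, finding) tuples; writable_dirs lists paths the web user can write to."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2)
        if name in ("user", "group") and args.lower() == "root":
            # Worker processes inherit root: any RCE in the web app is already root.
            findings.append((n, f"{name.capitalize()} root: httpd runs with root privileges"))
        elif name in ("include", "includeoptional"):
            path = args.strip('"')
            for d in writable_dirs:
                if path.startswith(d.rstrip("/") + "/"):
                    # Anyone who can write here can inject arbitrary httpd directives.
                    findings.append((n, f"{path} is included from web-writable {d}"))
        elif name == "options":
            # Only options being enabled count; '-FollowSymLinks' removes it.
            enabled = {o.lstrip("+").lower() for o in args.split() if not o.startswith("-")}
            if ("followsymlinks" in enabled or "all" in enabled) and "symlinksifownermatch" not in enabled:
                # A symlink planted in the web root would serve any file httpd can read.
                findings.append((n, "FollowSymLinks without SymLinksIfOwnerMatch"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_apache_config(SAMPLE_CONFIG, writable_dirs=("/var/www/html",)):
        print(f"line {line_no}: {msg}")
```

The hardened form of the sample would read `User www-data`, an `IncludeOptional` restricted to a root‑owned directory such as `/etc/apache2/conf-enabled/`, and `Options FollowSymLinks SymLinksIfOwnerMatch` (or no symlink following at all) under the web root.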