<p><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-VNZLb51mpEB9xeVTwZWVibK9B4sW-XQj9U6S60wN0rnZTlCa3wtHII9R6s8nS6_prSx-HsckR9oyd2XplLijcvtevHgkVFGc-41qR7jqrw0m9F_HwSLFG6iJX-cpQ-vRkDYoell2cjHbro4CbSbVBOGoVPvIrvPDXzYw0fe_XTDhsFNoAu1xkXuIjm1N/s16000/Runner-HTB.png" alt="Runner HTB Writeup" /></p>
<h2 id="heading-introduction">Introduction</h2>
<p>Today, I'll be diving into <strong>Runner Writeup</strong>, a Windows box on Hack The Box created by <strong>Geiseric</strong>, to hack it. Throughout this post, I'll detail my journey and share how I successfully breached <strong>Runner</strong> to retrieve the flags.</p>
<p>Since I'm still honing my skills, I'll occasionally reference the official <strong>Runner Walkthrough</strong> for guidance. Consider this write-up as more of a personal blog documenting my experience rather than a comprehensive step-by-step guide.</p>
<p>Full Writeup - <a target="_blank" href="https://www.hackerhq.tech/2024/04/runner-htb.html">https://www.hackerhq.tech/2024/04/runner-htb.html</a></p>
<h2 id="heading-runner-hacking-phases">Runner Hacking Phases</h2>
<h3 id="heading-initial-access"><strong>Initial Access</strong></h3>
<ol>
<li><h4 id="heading-nmap-tcp-port-scan"><strong>Nmap TCP Port Scan</strong></h4>
<ul>
<li>Checking for open ports using <a target="_blank" href="https://www.blogger.com/blog/post/edit/6122917969754731837/2008576925906632756#"><strong>Nmap</strong></a>.</li>
</ul>
</li>
</ol>
<ol start="2">
<li><h4 id="heading-web-page-enumeration"><strong>Web Page Enumeration</strong></h4>
<ul>
<li>Exploring and gathering information from web pages.</li>
</ul>
</li>
</ol>
<ol start="3">
<li><h4 id="heading-directory-bruteforce"><strong>Directory Bruteforce</strong></h4>
<ul>
<li>Attempting to find hidden directories.</li>
</ul>
</li>
</ol>
<ol start="4">
<li><h4 id="heading-vulnerability-assessment"><strong>Vulnerability Assessment</strong></h4>
<ul>
<li>Identifying potential weaknesses and vulnerabilities.</li>
</ul>
</li>
</ol>
<ol start="5">
<li><h4 id="heading-server-side-template-injection-exploitation"><strong>Server-Side Template Injection Exploitation</strong></h4>
<ul>
<li>Exploiting server-side template injection vulnerabilities.</li>
</ul>
</li>
</ol>
<ol start="6">
<li><h4 id="heading-user-flag"><strong>User Flag</strong></h4>
<ul>
<li>Obtaining the user flag.</li>
</ul>
</li>
</ol>


![Runner HTB Writeup](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-VNZLb51mpEB9xeVTwZWVibK9B4sW-XQj9U6S60wN0rnZTlCa3wtHII9R6s8nS6_prSx-HsckR9oyd2XplLijcvtevHgkVFGc-41qR7jqrw0m9F_HwSLFG6iJX-cpQ-vRkDYoell2cjHbro4CbSbVBOGoVPvIrvPDXzYw0fe_XTDhsFNoAu1xkXuIjm1N/s16000/Runner-HTB.png align="left")

## Introduction

Today, I'll be diving into **Runner Writeup**, a Windows box on Hack The Box created by **Geiseric**, to hack it. Throughout this post, I'll detail my journey and share how I successfully breached **Runner** to retrieve the flags.

Since I'm still honing my skills, I'll occasionally reference the official **Runner Walkthrough** for guidance. Consider this write-up as more of a personal blog documenting my experience rather than a comprehensive step-by-step guide.

Full Writeup - [https://www.hackerhq.tech/2024/04/runner-htb.html](https://www.hackerhq.tech/2024/04/runner-htb.html)

## Runner Hacking Phases

### **Initial Access** 

1. #### **Nmap TCP Port Scan**
    
    * Checking for open ports using [**Nmap**](https://www.blogger.com/blog/post/edit/6122917969754731837/2008576925906632756#).
        
    
2. #### **Web Page Enumeration**
    
    * Exploring and gathering information from web pages.
        
    
3. #### **Directory Bruteforce**
    
    * Attempting to find hidden directories.
        
    
4. #### **Vulnerability Assessment**
    
    * Identifying potential weaknesses and vulnerabilities.
        
    
5. #### **Server-Side Template Injection Exploitation**
    
    * Exploiting server-side template injection vulnerabilities.
        
    
6. #### **User Flag**
    
    * Obtaining the user flag.

HackerHQ

HackerHQ

Runner HTB Writeup | HacktheBox | HackerHQ

Introduction

Runner Hacking Phases

Initial Access

Nmap TCP Port Scan

Web Page Enumeration

Directory Bruteforce

Vulnerability Assessment

Server-Side Template Injection Exploitation

User Flag