HackTheBox - Cypher Writeup

Synopsis

Cypher is a Medium Linux machine from HackTheBox that features a Cypher injection vulnerability in its web application login form, which allows for initial access via a reverse shell, lateral movement using credentials discovered in bash history, and privilege escalation by exploiting a sudo misconfiguration for the bbot binary to load a malicious custom module.

Scan for Services → Discover Web App & Login Form → Exploit Cypher Injection → Get Reverse Shell as 'neo4j' → Find Password in Bash History → SSH as 'graphasm' & Get User Flag → Abuse Sudo rule for 'bbot' → Create Malicious Module for SUID Shell → Execute SUID Shell to get Root

Skills Required: Web application enumeration; SQL/NoSQL injection (specifically Cypher); Linux privilege escalation techniques; Familiarity with SUID binaries and sudo misconfigurations

1. Reconnaissance (TA0043)

The reconnaissance phase involves actively scanning the target to identify services and enumerate the web application. ...

July 26, 2025 · 7 min · 0xblivion

HackTheBox - Scepter Writeup

Synopsis

Scepter is a Hard Windows machine from HackTheBox featuring an exposed NFS share that contains user certificate files, which, after being cracked, allow for initial access and a series of chained Active Directory Certificate Services (ADCS) abuses (ESC9 and ESC14) to pivot through multiple user accounts, ultimately gaining DCSync rights for full domain compromise.

Scan for Services → Enumerate NFS Share → Crack Certificate Passwords → Authenticate as User 'd.baker' → Abuse 'ForceChangePassword' to become 'a.carter' → Abuse ADCS (ESC9) to become 'h.brown' → Capture User Flag → Abuse ADCS (ESC14) to become 'p.adams' → Abuse DCSync rights to dump all hashes → Use Administrator hash to get Root Shell

Skills Required: Active Directory (AD) Enumeration; NFS Enumeration; Password Cracking (John the Ripper); AD Certificate Services (ADCS) Abuse; Familiarity with BloodHound, Certipy, Impacket, and BloodyAD

1. Reconnaissance (TA0043)

The reconnaissance phase involves actively scanning the target to identify services and potential vulnerabilities. ...

July 19, 2025 · 7 min · 0xblivion

HackTheBox - Dog Writeup

Overview

Dog is an easy box from HackTheBox that focuses on web application vulnerabilities, specifically a misconfigured Git repository and a vulnerable Backdrop CMS. We start by discovering an exposed .git directory, which allows us to dump the repository and uncover database credentials. These credentials lead to an authenticated web panel, where we exploit a known Remote Code Execution (RCE) vulnerability in Backdrop CMS to gain an initial shell as www-data. For privilege escalation, we discover that a user (johncusack) can execute a PHP utility (bee) as root, which we then abuse to spawn a root shell. ...

July 12, 2025 · 14 min · 0xblivion

TryHackMe - Fusion Corp WriteUp

Overview

Fusion Corp is a hard-rated box on TryHackMe. After some basic enumeration fails, we find a backup file on the web server that contains a list of usernames. One of these users, lparker, is vulnerable to AS-REP Roasting because they have Kerberos pre-authentication disabled. We get their hash, crack it, and get a shell on the box. From there, post-exploitation enumeration reveals another user, jmurphy, with their password stored in the user account's comment field. This user is a member of the Backup Operators group. We abuse this privilege to create a shadow copy of the C: drive and exfiltrate the ntds.dit and SYSTEM hives. Finally, we use secretsdump.py to dump all the domain hashes, get the administrator's hash, and use it to get the final flag. ...

July 11, 2025 · 5 min · 0xblivion

TryHackMe - Crocc Crew WriteUp

Overview

Crocc Crew is an insane machine on TryHackMe, but it's kinda like an easy box. The path starts with some clever RDP reconnaissance to find initial credentials. From there, it involves kerberoasting a service account, diving into BloodHound to find a constrained delegation path, and wrestling with a very frustrating secretsdump error that I almost rage quit and touched grass. Let's walk through it.

Nmap Scan → Bypass RDP NLA → Spot Sticky Note → Visitor:GuestLogin! → Enumerate SMB → Home Share → Get User Flag → Kerberoast password-reset → Crack with Hashcat → Login as password-reset → Run BloodHound → Find Constrained Delegation to oakley/DC → Use getST.py to impersonate Administrator → Fix /etc/hosts → Run secretsdump → Evil-WinRM as Administrator → LDAPSearch → Identify Planted

1. Initial Access (TA0001)

As always, the first step is a thorough nmap scan to see what we're working with. ...

July 10, 2025 · 4 min · 0xblivion

TryHackMe - Ra WriteUp

Overview

Ra is a Hard machine on TryHackMe. It starts with exploiting a weak password reset mechanism on a web application. After finding employee names and guessing a security question based on a pet's name found in an image file, we get our initial credentials. This leads us to an SMB share with an installer for a vulnerable Spark XMPP client. The real challenge begins here: we have to set up a sandboxed environment to run the client, debug Java and audio errors within Docker, and finally exploit a Cross-Site Scripting (XSS) vulnerability (CVE-2020-12772) to capture another user's NTLM hash. ...

July 7, 2025 · 6 min · 0xblivion

HackTheBox - Cat Writeup

Overview

This box focuses on web application vulnerabilities, specifically Cross-Site Scripting (XSS) and SQL Injection, leading to privilege escalation. We start with an Nmap scan to identify open ports and services. We then enumerate the web application, discovering an exposed Git repository and an XSS vulnerability in the cat registration feature. Exploiting the XSS allows us to capture an admin session cookie, granting access to an administrative panel. From there, we identify and exploit a SQL Injection vulnerability to dump user credentials, which leads to SSH access as a low-privileged user. Finally, we leverage another XSS vulnerability within a local Gitea instance, triggered by an internal mail service, to compromise a higher-privileged user and obtain the root flag. ...

July 5, 2025 · 17 min · 0xblivion