Pollution - Hack The Box
Pollution is a hard box from Hack The Box. During the penetration test we find information in text files, base64-encoded; the contents of one file contain the administrator's token. The system has an XXE vulnerability, through which we can retrieve the /etc/passwd file using an out-of-band technique. To gain access to the system we use a PHP filter chain. To reach the user victor, we exploit php-fpm (FastCGI). Root can be obtained through a prototype pollution vulnerability at 127.0.0.1 on port 3000 or pollutio...
PC is an easy machine from Hack The Box. For the initial foothold we interact with port 50051, which serves gRPC; grpcui gives us a convenient interface. We register a user with the login method, then log in with the credentials we created and call get-info with our id and token. Capture that request, save it as pc.req and hand it to sqlmap, which does the rest. To get root privileges, there is a CVE in pyload: the Content-Length header has a large impact on the pyload application.
OnlyForYou is a medium Linux machine that resembles a CTF and can be said to have no real-life vulnerabilities. During enumeration we find beta as a subdomain and obtain the source code. Analysing it reveals an LFI vulnerability in this domain. Retrieving the app.py file from the domain only4you.htb reveals an RCE vulnerability, where an attacker can send a POST request with email, subject and message as parameters. After getting shell access, we see applications running on localhost on ports 3000 and 8001. Port forwarding reveals neo4j on port 8001, where we can get a val...
Inject is a very fun easy Linux machine from Hack The Box. We are faced with a file upload that turns out to be only a rabbit hole. Using the img parameter we find an LFI vulnerability, and through it the pom.xml file, which reveals that the application uses spring-cloud-function-web version 3.2.2. Once we have a system shell, we identify the password for user phil, which is useful for obtaining root privileges. Reaching root only requires uploading a malicious playbook.yml, and after that ...
Format is a medium Linux machine featuring the microblog app, where we can create our own application. This is a vulnerability in the system: the attacker can escalate an LFI attack to remote command execution by making themselves a pro user on the microblog application. To obtain root privileges, we take advantage of the SUID binary license, which has a vulnerability in Python's format() function, combined with a third-party Redis application to create a new user. With this we become root on the Format box.
Cerberus is a hard machine from Hack The Box. During enumeration we find an LFI vulnerability on the Icinga website. Through it we obtain a username and password, which are needed during exploitation. After getting a shell, we are met with firejail; it takes two sessions to proceed to the next stage. Pivoting is needed to reach port 5985, namely WinRM. The ManageEngine application runs on localhost on port 9251, and double pivoting is required to gain root privileges. The ManageEngine application was found to have CVE-2022-47966...
Shibboleth is a medium difficulty Linux machine featuring IPMI and Zabbix software. IPMI authentication is found to be vulnerable to remote password hash retrieval. The hash can be cracked and Zabbix access can be obtained using these credentials. Foothold can be gained by abusing the Zabbix agent in order to run system commands. The initial password can be re-used to login as the ipmi-svc and acquire the user flag. A MySQL service is identified and found to be vulnerable to OS command execution. After successfully exploiting this service a root shell is gained.
Tentacle is a hard Linux machine featuring a Squid proxy server. Bypassing Squid proxy authentication reveals a host which is making use of a vulnerable OpenSMTPD service. Initial foothold can be achieved by exploiting it. An SMTP client configuration file discloses a password which assists in generating a valid Kerberos ticket. This ticket can then be used to move laterally. Finally a cronjob can be exploited to escalate to another user who has privileges to add a root user to the Kerberos principals. This gives us a root shell.
Intelligence is a medium difficulty Windows machine that showcases a number of common attacks in an Active Directory environment. After retrieving internal PDF documents stored on the web server (by brute-forcing a common naming scheme) and inspecting their contents and metadata, which reveal a default password and a list of potential AD users, password spraying leads to the discovery of a valid user account, granting initial foothold on the system. A scheduled PowerShell script that sends authenticated requests to web servers based on their hostname is discovered; by adding a custom DNS r...
Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in a hash for an account that doesn't require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically login and it identifies ...
Search is a hard difficulty Windows machine that focuses on Active Directory enumeration and exploitation techniques. Foothold is obtained by finding exposed credentials in a web page, enumerating AD users, running a Kerberoast attack to obtain a crackable hash for a service account and spraying the password against a subset of the discovered accounts, obtaining access to an SMB share where a protected XLSX file containing user data is found. Unprotecting the file leads to a second set of credentials, which gives access to another share where PKCS#12 certificates can be downloaded. After imp...
Cascade is a medium difficulty Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded passwo...
Blackfield is a hard difficulty Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows an attacker to conduct an ASREPRoasting attack. This allows us to retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artefacts, including an lsass process dump. This ...
Cache is a medium difficulty Linux machine. Enumeration of the website reveals a second website that is hosted on the same server under a different vhost. This website is an OpenEMR instance that suffers from a SQL injection vulnerability. Exploiting this vulnerability enables the attacker to retrieve the hashed password for user openemr_admin, which can be cracked offline in order to recover the plaintext password. These credentials can be used to exploit an authenticated Remote Command Execution vulnerability and achieve a reverse shell as www-data, due to the outdated version of the Open...
Monitors is a hard Linux machine that involves WordPress plugin exploitation leading to a command injection via SQL injection through a well known network management web application in order to get a shell on the system. Then by performing basic service file enumeration one can gain the user password and thus a foothold to the system through SSH. The root stage consists of a Java based XML RPC deserialization attack against Apache OFBiz to gain a shell in a Docker container. Then it is possible by abusing the CAP_SYS_MODULE capability to load a malicious kernel module against the host and e...
Book is a medium difficulty Linux machine hosting a Library application. It allows users to sign up and add books, as well as provide feedback. The back-end database is found to be vulnerable to SQL truncation, which is leveraged to register an account as admin and escalate privileges. The admin panel contains additional functionality to export PDFs, which is exploited through XSS to gain SSH access. Finally, misconfigured logs are exploited to get root.
SneakyMailer is a medium difficulty Linux machine that features a phishing scenario, from which a set of credentials are gained. These credentials provide access to a mailbox, which reveals another set of credentials to access the FTP service. FTP file upload allows a foothold to be gained. PyPI server package installation can be exploited to move laterally. Root access can be obtained by leveraging sudo privileges.
Busqueda is an easy machine from Hack The Box. During enumeration of the target we identify the application version, namely Searchor 2.4.0, which has an arbitrary code execution vulnerability. To get root privileges, we first need to obtain the svc user's credentials from the .git/config directory; the next step is to execute system-checkup.py via sudo with a malicious file-checkup.sh.
MonitorsTwo is an easy machine from Hack The Box. During enumeration of the target we identify an outdated version of Cacti; exploiting it gives us easy access to the server. To get to marcus, we find the entrypoint.sh file containing the database user and password. To get root privileges, we exploit the Docker service, because that version of Docker is vulnerable to CVE-2021-41091.
Socket is a medium Linux machine featuring the qreader executable. Running the strings command on it yields the pyc file, which we then decompile back into a Python file. Interacting over WebSocket, we find a SQL injection vulnerability. To get root privileges, we use the build-installer script; the spec file is what gets us the root user.