On this Windows machine there was an SMB share that had two VHDs that we could remotely mount. The VHDs looked like a backup of a Windows installation. Using secretsdump we could dump the hashes from /system32/config and get the hashes for the users. Using John the Ripper, I cracked […]
Writeups
On this Linux machine I abused LFI to find the password for the Tomcat admin panel. From there I used the CLI to upload a .WAR file to get a reverse shell. In /var/www there was a zip file which was password protected. Cracking the password using John, we find the credentials […]
This Linux machine had a PHP page with an LFI vulnerability. To upload a webshell I used SMB. From there we find credentials in a database config file. To root the machine I added a reverse shell to a writeable Python module which was called by a Python script run […]
On this Solaris machine we used finger to enumerate users. We then guessed the password for the enumerated user to get SSH access. From there we escalated our privileges to Sammy through a shadow file we had access to. I cracked the password and was able to SU to Sammy. […]
On this Windows machine I exploited a Gym Management System to get remote code execution. After enumerating the machine there was a port, 8888, listening on localhost. Looking at the processes we find that it's running CloudMe. I'll use chisel to tunnel traffic from my machine to the target. In […]
On this Linux box I used an LFI vulnerability in the webserver to get a user's password which was encoded 13 times with base64. After finding the password, we read /etc/password and found a username, charix. Using that username and password I SSH into the machine. In Charix's folder there […]
On this Windows machine I abused an upload vulnerability to get remote code execution. When trying to upload a webshell, I got an error message hinting that uploading a web.config was allowed. There is a great post about uploading a web.config with command execution possibility. To elevate my privileges I […]
This box was similar to Grandma, where I abused a BOF in IIS 6 and got a shell. Since this is a Windows Server 2003 I used token kidnapping to escalate my privileges. Enumeration: I'll start with an NMAP scan. Only one port open: port 80, and it's running IIS […]
This Linux box was vulnerable to Heartbleed. In one of the subdirectories there was an encoded file, which when decoded gave us an SSH private key. Using a Heartbleed PoC I was able to extract the passphrase from memory and use that to SSH into the machine. To escalate my privileges […]
This Linux box was an easy box where I found a username and used pfSense's default password, pfsense, to get access to the firewall. Then I exploited a vulnerability that allowed authenticated users to execute arbitrary code to get a shell. The shell was root so there was no […]
This Linux machine was running a vulnerable blog on the Nibbleblog engine, which was vulnerable to arbitrary file upload. To get a root shell I used command injection in a script the user was able to run as sudo. Enumeration: I'll start with an NMAP scan. There are two ports open, […]
This Linux machine had Drupal running on one of the ports. I used drupalgeddon2 to upload a webshell and be able to run commands. I upgraded my shell, but could not get a PTY, so I had to read from the database using the command line. I then got the credentials […]
This is an Active Directory machine. Enumerating SMB leaks a list of users. I then used impacket-GetNPUsers to look for users without the Kerberos pre-authentication required attribute. There was one user, svc-alfresco, which didn't have Kerberos pre-authentication enabled, and I got a hash. I cracked the hash using John […]
This Linux machine was very cluttered and I had to keep my notes really organized not to get lost. Getting an initial shell was very straightforward with RCE in OpenNt. After getting a shell as www-data I found DB credentials that happened to be the same password as Jimmy's. There were […]
This Windows machine was a relatively easy machine. There was an FMTP server running on port 8500, and that FMTP server pointed to the /administrator directory, which was running Adobe ColdFusion. ColdFusion was vulnerable to a file upload RCE which we exploited to get a shell. I then used […]