BOOK_GHANIM

  • TJ_Null’s OSCP Prep – HTB – Buff
    Writeups

    By aghanim, March 17, 2022

    On this Windows machine I exploited a Gym Management System to get remote code execution. After enumerating the machine there was a port, 8888, listening on localhost. Looking at the processes we find that it’s running CloudMe. I’ll use chisel to tunnel traffic from my machine to the target. In the user’s download folder…


  • TJ_Null’s OSCP Prep – HTB – Poison
    Writeups

    By aghanim, March 11, 2022

    On this Linux box I used an LFI vulnerability in the webserver to get a user’s password which was encoded 13 times with base64. After finding the password, we read /etc/password and found a username charix. Using that username and password I SSH into the machine. In Charix’s folder there was a secret.zip. After enumerating…


  • TJ_Null’s OSCP Prep – HTB – Bounty
    Writeups

    By aghanim, March 7, 2022

    On this Windows machine I abused an upload vulnerability to get remote code execution. When trying to upload a webshell, I got an error message hinting that uploading a web.config was allowed. There is a great post about uploading a web.config with command execution possibility. To elevate my privilege I used Juicy potato vulnerability to…


  • TJ_Null’s OSCP Prep – HTB – Grandpa
    Writeups

    By aghanim, February 25, 2022 / March 1, 2022

    This box was similar to Grandma, where I abused a BOF in IIS 6 and got a shell. Since this is a Windows Server 2003 I used token kidnapping to escalate my privileges. Enumeration: I’ll start with an NMAP scan. Only one port open. Port 80 and it’s running IIS httpd 6.0. A quick google…


  • TJ_Null’s OSCP Prep – HTB – Valentine
    Writeups

    By aghanim, February 22, 2022 / February 25, 2022

    This Linux box was vulnerable to heartbleed. In one of the subdirectories there was an encoded file, which when decoded gave us an SSH private key. Using heartbleed PoC I was able to extract the passphrase from memory and use that to ssh into the machine. To escalate my privileges there were two methods; using…


  • TJ_Null’s OSCP Prep – HTB – Sense
    Writeups

    By aghanim, February 22, 2022

    This Linux box was an easy box where I found a username and used the pfsense’s default password, pfsense, to get access to the firewall. Then I exploited a vulnerability that allowed authenticated users to execute arbitrary code to get a shell. The shell was root so there was no need for privilege escalation. Enumeration…


  • TJ_Null’s OSCP Prep – HTB – Nibble
    Writeups

    By aghanim, February 18, 2022

    This Linux machine was running a vulnerable blog running the engine Nibbleblog which was vulnerable to arbitrary file upload. To get root shell I used command injection in a script the user was able to run as sudo. Enumeration: I’ll start with an NMAP scan. There are two ports open, 22 and 80. Visiting port…


  • TJ_Null’s OSCP Prep – HTB – Armageddon
    Writeups

    By aghanim, February 18, 2022

    This Linux machine had Drupal running on one of the ports. I used drupalgeddon2 to upload a webshell and be able to run commands. I upgraded my shell, but could not get a PTY so I had to read from the database using the command line. I then got the credentials to brudetherealadmin and he was…


  • TJ_Null’s OSCP Prep – HTB – Forest
    Writeups

    By aghanim, February 7, 2022

    This is an Active Directory machine. After enumerating SMB it leaks a list of users. I then used impacket-GetNPUsers to look for users without Kerberos pre-authentication required attribute. There was one user, svc-alfresco, which didn’t have Kerberos pre-authentication enabled and I got a hash. I cracked the hash using John the Ripper, and used Evil-WinRM…


  • TJ_Null’s OSCP Prep – HTB – OpenAdmin
    Writeups

    By aghanim, February 6, 2022 / April 6, 2022

    This Linux machine was very cluttered and I had to keep my notes really organized not to get lost. Getting initial shell was very straightforward with RCE in OpenNt. After getting shell as www-data I found DB credentials that happened to be the same password as Jimmy’s. There was also a hash in the…


  • TJ_Null’s OSCP Prep – HTB – Arctic
    Writeups

    By aghanim, February 1, 2022

    This Windows machine was a relatively easy machine. There was FMTP server running on port 8500, and in that FMTP it was pointing to /administrator directory which was running Adobe Cold Fusion. Cold Fusion was vulnerable to file upload RCE which we exploited and got a shell. I then used MS10-059 vulnerability to get a…


  • TJ_Null’s OSCP Prep – HTB – ScriptKiddie
    Writeups

    By aghanim, January 31, 2022 / March 2, 2022

    Even though the name of this machine implies that we’re going to do something easy, it was the opposite. With a hard enumeration phase, there was also horizontal movement through abusing a script in pwn’s home directory. After that getting root was abusing the fact that the user pwn could run Metasploit as root. Enumeration: I’ll…


  • TJ_Null’s OSCP Prep – HTB – Love
    Writeups

    By aghanim, January 28, 2022

    This Windows machine has an SSRF vulnerability. Through SSRF we get credentials to a webserver hosting a voting system, that has an upload RCE that I’ll abuse to get a reverse shell. The user has a registry that allows us to install .msi files as NT AUTHORITY\SYSTEM, giving us administrator access. I’ll start with an NMAP…


  • TJ_Null’s OSCP Prep – HTB – Bashed
    Writeups

    By aghanim, January 28, 2022

    This Linux box was quite interesting. In the webserver’s subdirectory there was a shell embedded in a PHP file. I used python to get a reverse shell on netcat, which gives me a better terminal. I abused a kernel exploit to get root shell. Enumeration: I’ll start with an NMAP scan. Only port 80 open…


  • TJ_Null’s OSCP Prep – HTB – Active
    Writeups

    By aghanim, January 28, 2022

    This is an Active Directory box. Because of SMB null session, we found a Group Policy Preference encrypted password stored in cpassword. We decrypted that and got credentials for SVC_TGS. Using these credentials we used the kerberoasting technique to get a hash for the user Administrator. I then cracked that hash, and used psexec to gain shell on the…



© 2025 BOOK_GHANIM
