This box was similar to Grandma, where I abused a BOF in IIS 6 and got a shell. Since this is a Windows Server 2003 I used token kidnapping to escalate my privileges. Enumeration I’ll start with an NMAP scan. Only one port open. Port 80 and it’s running IIS […]
This Linux box was vulnerable to Heartbleed. In one of the subdirectories there was an encoded file, which when decoded gave us an SSH private key. Using a Heartbleed PoC I was able to extract the passphrase from memory and use that to SSH into the machine. To escalate my privileges […]
This Linux box was an easy box where I found a username and used pfsense’s default password, pfsense, to get access to the firewall. Then I exploited a vulnerability that allowed authenticated users to execute arbitrary code to get a shell. The shell was root so there was no […]
This Linux machine was running a vulnerable blog running the engine Nibbleblog, which was vulnerable to arbitrary file upload. To get a root shell I used command injection in a script the user was able to run as sudo. Enumeration I’ll start with an NMAP scan. There are two ports open, […]
This Linux machine had Drupal running on one of the ports. I used Drupalgeddon2 to upload a webshell and be able to run commands. I upgraded my shell, but could not get a PTY so I had to read from the database using the command line. I then got the credentials […]
This is an Active Directory machine. After enumerating SMB it leaks a list of users. I then used impacket-GetNPUsers to look for users without the Kerberos pre-authentication required attribute. There was one user, svc-alfresco, which didn’t have Kerberos pre-authentication enabled and I got a hash. I cracked the hash using john […]
This Linux machine was very cluttered and I had to keep my notes really organized not to get lost. Getting an initial shell was very straightforward with RCE in OpenNt. After getting a shell as www-data I found DB credentials that happened to be the same password as Jimmy’s. There were […]
This Windows machine was a relatively easy machine. There was an FMTP server running on port 8500, and that FMTP was pointing to the /administrator directory, which was running Adobe ColdFusion. ColdFusion was vulnerable to file upload RCE, which we exploited and got a shell. I then used […]
Even though the name of this machine implies that we’re going to do something easy, it was the opposite. With a hard enumeration phase, there was also horizontal movement through abusing a script in pwn‘s home directory. After that, getting root was abusing the fact that the user pwn could run […]
This Windows machine has an SSRF vulnerability. Through SSRF we get credentials to a webserver hosting a voting system, which has an upload RCE that I’ll abuse to get a reverse shell. The user has a registry setting that allows us to install .msi files as NT AUTHORITY\SYSTEM, giving us administrator access. […]
This Linux box was quite interesting. In the webserver’s subdirectory there was a shell embedded in a PHP file. I used python to get a reverse shell on netcat, which gives me a better terminal. I abused a kernel exploit to get a root shell. Enumeration I’ll start with an NMAP […]
This is an Active Directory box. Because of an SMB null session, we found a Group Policy Preference encrypted password stored in cpassword. We decrypted that and got credentials for SVC_TGS. Using these credentials we used the Kerberoasting technique to get a hash for the user Administrator. I then cracked that hash, and used psexec […]
This Windows box used default passwords on Apache Tomcat, allowing us to log into the webserver and upload a payload that gave us a reverse shell. The developers also made a mistake, running the webserver as the user NT AUTHORITY\SYSTEM, giving us an instantly high-privileged user. Enumeration We’ll start […]
Beep is a Linux machine which has a lot of ports open, so enumeration took a long time. There were many ways to exploit this machine, and to get root as well. However, I’ll not show all of them. The webserver is running a vulnerable version of Elastix, which results in RCE. The […]
This is a Windows box which has a vulnerable IIS webserver running. This webserver allowed different HTTP methods such as PUT, MOVE, PROPFIND. So it was possible to upload a shell. I used davtest, which tries uploading executables and files that can give us remote code execution. To privilege escalate […]