This is a Active Directory box. Because of SMB null session, we found Group Policy Prefance encrypted password stored in cpassword. We decrypted that and got credentials for SVC_TGS. Using these credentials we kerberoasting technique to get hash for the user Administrator. I then cracked that hash, and used psexec to gain shell on the…

This Windows box used default passwords on the Apache tomcat, allowing us to log into the websever and upload a payload that gave us reverse shell. The developers also did a mistake, running the webserver with the user NT AUTHORITY\ SYSTEM, giving us instant high privileged user. Enumeration We’ll start with an nmap scan. Only…

Beep is a linux machine which has alot of ports open, so enumeration took along time. There were many ways to exploit this machine, and getting root as well. However I’ll not show all of them. The webserver is running a vulnerable version of Elastix, which result in RCE. The low privileged user could run…

This is a Windows box which have a vulnerable IIS webserver running. This webserver allowed different HTTP methods such as PUT, MOVE, PROPFIND. So it was possible to upload a shell. I used davtest which tries uploading executables and files that can give us remote code execution. To privilege escalate I had to be creative…

This Windows 7 box was vulnerable to Eternalblue or MS17-010. Using metasploit, it would be done in about 10 minutes. But since Im not using metasploit I did it manually. I had a lot of trouble getting the exploit to work because I required named pipes. There is a module in Metasploit which would enumerate…

Another Windows box, this one however had two CVEs that we could abuse to get initial access and root. It would be possible to use metasploit and be done with this machine in under 10 minutes, however I will not use metasploit on this machine. Enumeration I’ll start with an NMAP scan. There is only…

One my weakest link in penetration testing is Windows Privilege Escalation. I had alot of trouble escalating my privilege on this box. Anyways, this box had two ports open. Port 21 and 80. FTP allowed anonymous login, and it was writeable. FTP share pointed to the webservers location, so it would be possible to get…

This is rated an easy box, and for good reason, however, I spent a good amount of time just enumerating because the initial access was hidden well. For some who have encountered this vulnerability before, this would be a piece of cake, but I had never encountered ShellShock before so I spent a lot of…

Since HackTheBox had problems yesterday I did OSCP like box from TryHackMe instead. This is a Linux box with a pretty straightforward approach. In the initial search there were a couple ports open, such as SMB, HTTP, POP3 and imap. Enumerting each of these ports will give you initial access, and root eventually. Enumeration I…

This Windows XP box had two vulnerabilities. MS10-017 (Eternal blue) and MS08-067. I will in this blog post go through both of them without metasploit. For testing purpose I tried using metasploit first to verify that it was actually eternal blue. When manually exploiting the vulnearbilites I used helviojunior’s and areyou1or0 scripts. I had alot…

Another Linux box from TJ_nulls OSCP prep. This was was pretty interesting box with an attack vector I have not yet seen before. This is a pretty straight forward box, with no trickery. You can use metasploit to get initial access, but as I’ve stated earlier I will refrain from using metasploit. Edit: After looking…

This is the first box for my OSCP preparation. This is a pretty straight forward box, where there are multiple vulnerabilites that can be used, as well as some privilege escalation vectors. I’ll look at two different vulnerabilites in this writeup. Even though metasploit is only allowed once on the OSCP exam, I will strictly…