This is a Windows box which have a vulnerable IIS webserver running. This webserver allowed different HTTP methods such as PUT, MOVE, PROPFIND. So it was possible to upload a shell. I used davtest which tries uploading executables and files that can give us remote code execution. To privilege escalate I had to be creative…
This Windows 7 box was vulnerable to Eternalblue or MS17-010. Using metasploit, it would be done in about 10 minutes. But since Im not using metasploit I did it manually. I had a lot of trouble getting the exploit to work because I required named pipes. There is a module in Metasploit which would enumerate…
Another Windows box, this one however had two CVEs that we could abuse to get initial access and root. It would be possible to use metasploit and be done with this machine in under 10 minutes, however I will not use metasploit on this machine. Enumeration I’ll start with an NMAP scan. There is only…
One my weakest link in penetration testing is Windows Privilege Escalation. I had alot of trouble escalating my privilege on this box. Anyways, this box had two ports open. Port 21 and 80. FTP allowed anonymous login, and it was writeable. FTP share pointed to the webservers location, so it would be possible to get…
This is rated an easy box, and for good reason, however, I spent a good amount of time just enumerating because the initial access was hidden well. For some who have encountered this vulnerability before, this would be a piece of cake, but I had never encountered ShellShock before so I spent a lot of…
Since HackTheBox had problems yesterday I did OSCP like box from TryHackMe instead. This is a Linux box with a pretty straightforward approach. In the initial search there were a couple ports open, such as SMB, HTTP, POP3 and imap. Enumerting each of these ports will give you initial access, and root eventually. Enumeration I…
This Windows XP box had two vulnerabilities. MS10-017 (Eternal blue) and MS08-067. I will in this blog post go through both of them without metasploit. For testing purpose I tried using metasploit first to verify that it was actually eternal blue. When manually exploiting the vulnearbilites I used helviojunior’s and areyou1or0 scripts. I had alot…
Another Linux box from TJ_nulls OSCP prep. This was was pretty interesting box with an attack vector I have not yet seen before. This is a pretty straight forward box, with no trickery. You can use metasploit to get initial access, but as I’ve stated earlier I will refrain from using metasploit. Edit: After looking…
This is the first box for my OSCP preparation. This is a pretty straight forward box, where there are multiple vulnerabilites that can be used, as well as some privilege escalation vectors. I’ll look at two different vulnerabilites in this writeup. Even though metasploit is only allowed once on the OSCP exam, I will strictly…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Introduction Privilege escalation will require you to follow a methodology similar to the one given below: Information Gathering Permissions icacls – Displays or modifies discretionary access control lists (DACLs) on…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Linux Privilege escalation checklist https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist Enumeration hostname The hostname command will return the hostname of the target machine. Although this value can easily be changed or have a relatively meaningless string (e.g….
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Metasploit: Introduction The main components of the Metasploit Framework can be summarized as follows; msfconsole: The main command-line interface. Modules: supporting modules such as exploits, scanners, payloads, etc. Tools: Stand-alone…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. NMAP Live Host Discovery Scan Type Example Command ARP Scan sudo nmap -PR -sn MACHINE_IP/24 ICMP Echo Scan sudo nmap -PE -sn MACHINE_IP/24 ICMP Timestamp Scan sudo nmap -PP -sn…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. What is a database? A database is a way of electronically storing collections of data in an organised manner. A database is controlled by a DBMS which is an acronym…
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. What is Command Injection? Command injection is the abuse of an application’s behaviour to execute commands on the operating system, using the same privileges that the application on a device…
