Cap - HackTheBox
This is an easy difficulty machine. For the intrusion I took advantage of a .pcap file that could be downloaded from the web and obtained a password that allowed me to authenticate via SSH. For the privilege escalation I found a Python capability on the system that allowed me to change the UID; I changed it to 0 and gained root access.
This is a medium difficulty machine. For the intrusion, looking at the cookie I found that I was dealing with a JWT attack; to break it I created a new cookie, pulling my private key through a Python server, and changed the panel, which had an option to upload files, so I created a reverse shell and uploaded it. For the privilege escalation I took advantage of a vulnerable version of Docker.
This is an easy machine. For the intrusion I took advantage of a vulnerable version of Drupal that was running on the system and gained RCE. I had to migrate to another user; for this I found MySQL credentials that helped me find a hash, and after cracking it the credential belonged to the user I had to migrate to. For the privilege escalation I took advantage of snap, since it could be executed with sudo privileges.
This is an easy difficulty machine and I quite liked it; the intrusion was fun. I took advantage of a vulnerable version of CMS Made Simple; the exploit I used exploited a SQL vulnerability. Once I gained access to the machine I had a few issues escalating, until I saw that run-parts was being executed without its absolute path when starting SSH, so I took advantage of a PATH hijacking.
This machine is of medium difficulty; I liked the intrusion much more than the escalation. For the intrusion I managed to download a .bak file that had the code of the page; looking at it I realized that I was dealing with an insecure deserialization in PHP, so I serialized malicious code and uploaded it to the server. For the escalation I had to include my public key before it was copied to known_hosts.
This machine is of easy difficulty; I especially liked it because it touched on Active Directory issues. For its intrusion I took advantage of a virtual hard disk file: I was able to dump the SAM hashes and managed to crack the l4mpje user's hashes with john. For privilege escalation I found a file called confCons.xml that had an encoded key; I decoded it and got root.
This machine is of easy difficulty; I liked the intrusion more than the privilege escalation. For its intrusion I found the Group Policy Preferences key in a shared resource called Replication, in the Groups.xml file; I decrypted it with gpp-decrypt and it gave me access with smbclient using the SVC_TGS user. For the escalation I managed to dump the Administrator user's ticket, which helped me authenticate with psexec.
This machine is a 'Starting Point'; I liked the intrusion better. I took advantage of a DTS file with XML code in the backups share that had authentication credentials in clear text; I connected with mssqlclient and achieved RCE using PowerShell code, starting a reverse shell. For the privilege escalation I found a file in a system path with credentials, and I managed to authenticate with winexe.
This is an easy difficulty machine; I liked the intrusion better. For its intrusion I took advantage of a file upload field: I used a script that created the malicious template, uploaded it, listened with netcat and gained a shell. For privilege escalation I used the sudo -l command, and like all users it allowed me to execute the Metasploit binary.
This is an easy machine; I liked the intrusion more than the privilege escalation. For its intrusion I managed to get 'directory listing' and see WordPress credentials; I authenticated with the administrator user, managed to modify the 404 template and embedded a reverse shell. In the privilege escalation I was allowed to execute the initctl binary as any user; I modified a service and got root.
This machine is a 'Starting Point'; I liked the intrusion more than the privilege escalation. Accessing a panel using credentials from another machine, I brute-forced a URL parameter (id) and found a user with more privileges; I managed to change the view of the page and get a reverse shell to go up in PHP. For its escalation I found a program that was running cat without its absolute path: this was PATH hijacking.
This is an easy machine. For its intrusion I took advantage of a vulnerable version of PHP/8.1.0-dev: adding the 'User-Agent' header followed by 'zerodiumsystem()' it was found that 'RCE' could be gained, so I established a reverse shell through netcat and gained access. For escalation I found that the knife binary could be executed as the root user; I searched in GTFOBins and escalated privileges.
This is an easy machine; the experience was not frustrating due to its ease. While fuzzing I found a directory called cgi-bin, so I thought it might be a Shellshock; while fuzzing again I found a script called user.sh, and it was vulnerable to Shellshock. Once I gained access to the machine I took advantage of Perl because I could run it with sudo.
This is an easy machine. The intrusion started by taking advantage of an outdated version of OpenNetAdmin, sending a crafted request to the server and gaining remote command execution as the user www-data; then I had to do a user pivot to become the user douglas by cracking a hash using a 10-character password pattern.
This machine is of easy difficulty; I liked the intrusion better, taking advantage of a vulnerable control panel called OpenNetAdmin. I used an exploit that exploited the vulnerability of the panel and granted remote execution of arbitrary code. This time the escalation was quite easy to complete: by doing sudo -l I saw that, as any user, I was allowed to execute the nano binary on a file called priv.
This is an easy machine. For its intrusion I managed to enumerate users with s4vitar's rpcenum tool and dump a Net-NTLMv2 hash without authenticating to the Kerberos protocol; this technique is called ASREPRoast. I also managed to crack it by brute force with john, and I accessed the machine with evil-winrm. For the escalation I used BloodHound to see the attack vector; I saw that I could grant myself DCSync privileges based on the group function.
This is a medium difficulty machine. For its intrusion I took advantage of an 'XSS' to steal the administrator's session cookie and make use of an 'exploit' to gain arbitrary code execution. For the privilege escalation I had the ability to execute the pkg binary with 'root' privileges, so I went to GTFOBins and found a payload that allowed privilege escalation.
This is a crazy difficult machine. For the intrusion I leveraged XSS to derive to SSRF and thus gain access by abusing the creation of AWS Lambda functions. For the privilege escalation I found a task that was executed at regular time intervals; it concatenated the --handler parameter when creating the Lambda function, so I managed to inject commands and become root in the container.
This is an easy difficulty machine. To break into it I managed to dump credentials from a file scanner; with searchsploit I found an exploit that allowed me to gain access, but I had to be authenticated, so I entered the credentials into the exploit and pointed it at my IP to receive a reverse shell. In the privilege escalation I found that I had AlwaysInstallElevated privileges, meaning I could deploy malicious .msi files.
This is a difficult machine. For the intrusion I take advantage of a 'Server Side Template Injection' to gain RCE; the privilege escalation consists of a binary vulnerable to 'Buffer Overflow' but with a peculiarity, little space in the stack memory, so it is necessary to derive to a 'Socket Reuse'.
This is a medium difficulty machine. For its intrusion I took advantage of a buffer vulnerable to 'SSTI' on a server written in Go, and managed to enumerate buckets with AWS and upload a 'webshell' in PHP to the web server. For the escalation of privileges I managed to find a backdoored nginx module and found the parameter that I needed for 'RCE' as the 'root' user.
In this article I teach how to create and use a buffer overflow exploit to gain access to a shell by abusing unsafe functions like strcpy, getenv, etc. I also show how the binary works at a low level, the ESP and EIP registers, and how to use tools like gdb or hexedit to edit binaries in hexadecimal.
This is an easy machine. For the intrusion I found credentials in a web server path; I used them to dump more users with lookupsid.py, and with the user Chase I authenticated in evil-winrm with a cracked password. For the privilege escalation I dumped a Firefox process with procdump64.exe and searched the dump for login.php, which revealed access credentials as Administrator.
This is an easy machine. For the intrusion I found a vulnerable version of a service that was running on the machine, called nostromo; I used a GitHub exploit for that version and gained arbitrary code execution. For the privilege escalation I took advantage of a utility that I could run as the root user; I had to minimize the terminal to bypass it.
This is a medium difficulty machine. To break into it I took advantage of an SNMP MIB to enumerate; I found a user and a web server path, which reported a control panel, and I accessed it with Michelle as username and password. I was able to upload a 'webshell' taking advantage of a panel exploit, and I managed to escalate privileges by taking advantage of a binary that was executed when scanning SNMP with a MIB.
This is a hard difficulty machine. For the intrusion I took advantage of a vulnerable version of 'Cacti' and gained access to the machine by exploiting 'SQLi' in an automated manner and getting a 'mkfifo' reverse shell. For the escalation I found a Docker 'capability' called 'SYS_MODULE' vulnerable to privilege escalation.
This is an easy difficulty machine, the first Android machine. For its intrusion I found with Nmap that ES File Explorer was running; looking at this I looked for exploits and found that it was vulnerable to reading arbitrary files on the device. Enumerating it a bit I found an image with a credential that allowed me to access via SSH. For the escalation the machine had the adb port open; I simply connected to it.
This article is merely informative, to understand how the base64 encoding algorithm works. I begin with a brief introduction on what cryptography is, to situate the subject a little. I also give examples of its use in the field of cybersecurity.
Strapi CMS version 3.0.0-beta.17.4 mishandles password resets, allowing an attacker to take control of a privileged account, so I have developed an exploit module for Metasploit and teach you how to exploit this vulnerability in a practical way.
This is a hard difficulty machine. I chained Type Juggling with a SQL injection to upload files using INTO OUTFILE and gain access as 'www-data'; for escalation I took advantage of the outdated kernel version to exploit DirtyPipe.