Sizzle - HackTheBox
We start by enumerating an SMB share with write permissions on a folder. We can perform a SCF attack by loading malicious SCF. The user needs a public key to connect to WinRM. We can create a new public key using Active Directory Certificate Services and log in with evil-winrm. For privilege escalation, the user mrlky is kerberoasteable. We can request a TGS and decrypt it with john. This user has ‘Get-Changes’ and ‘Get-Changes-All’ privileges. We can perform a DCSync attack and obtain the admin hash.
)
This is an easy machine, the intrusion started by taking advantage of an outdated version of OpenNetAdmin, sending a crafted request to the server and gaining remote command execution as the user www-data, then I had to do a user pivotting to become the user douglas by cracking a hash using a 10-character password pattern.
This is a crazy difficult machine, for the intrusion I leveraged XSS to derive to SSRF and thus gain access by abusing the creation of AWS lambda functions. For the privilege escalation I found a task that was executed at regular time intervals, this concatenated the –handler parameter when creating the lambda function so I managed to inject commands and become root in the container.
This is a hard difficulty machine, I concatenated Type Juggling with a SQL injection to upload files using into outfile and gain access as ‘www-data’, for escalation I took advantage of the outdated version of the Kernel to exploit *DirtyPipe.
This is a difficult machine, for the intrusion I take advantage of a ‘Server Side Template Injection’ to gain RCE, the privilege escalation consists of a Binary vulnerable to ‘Buffer Overflow’ but with a peculiarity, little space in the stack memory, so it is necessary to derive to a ‘Socket Reuse’.
In this article I teach how to create and use a buffer overflow exploit to gain access to a shell by abusing unsafe functions like strcpy, getenv etc. I also show how the binary works at a low level, the ESP and EIP registers and how to use tools like gdb or hexedit to edit hexadecimal binaries.
Strapi CMS version 3.0.0-beta.17.4 mishandles password resets, allowing an attacker to take control of a privileged account, so I have developed an exploit module in Metasploit and teach you how to exploit this vulnerability in a practical way.
This article is merely informative to understand how the base64 encoding algorithm works. I begin with a brief Introduction on what Cryptography is to situate the subject a little. I also give examples of its use in the field of cybersecurity.
This is an easy difficulty machine, the first Android machine, for its intrusion I found with Nmap that ES File Explorer was running, looking at this I looked for exploits and found that it was vulnerable to reading arbitrary files on the device, enumerating it a bit I found an image with a credential that served me to access via SSH, for the escalation the machine had the adb port open, I simply connected to it.
This is a hard difficulty machine, for the intrusion I took advantage of a vulnerable version of ‘cacti’ and gained access to the machine by exploiting ‘SQLi’ in an automated manner and gaining access from a ‘mkfifo’ reverse shell, for the escalation I found a Docker ‘capability’ called ‘SYS_MODULE’ vulnerable to privilege escalation.
This is an Easy difficulty machine, for the intrusion I took advantage of downloading a .pcap file on the web and got a password that allowed me to authenticate via SSH, for the privilege escalation I found the Python capability in the system that allowed me to change the UID, I changed it to 0 and gained root access.
This is a medium difficulty machine, to break into it I took advantage of an SNMP MIB to enumerate, I found a user and a web server path, a control panel reported to me and I accessed it with Michelle as username and password, I was able to upload a ‘webshell’ taking advantage of a panel exploit, I managed to escalate privileges by taking advantage of a binary that was executed when scanning SNMP with a MIB.
This is a medium difficulty machine, for its intrusion I took advantage of an ‘XSS’ to steal the session cookie from the administrator and make use of an ‘exploit’ to gain arbitrary code execution, for the privilege escalation I had the ability to execute the pkg binary with ‘root’ privileges, for this I went to gtfobins and found a payload that allowed privilege escalation.
This is a medium difficulty machine, for its intrusion I took advantage of a buffer vulnerable to ‘SSTI’ on a server with GO and managed to enumerate deposits with AWS and upload a ‘webshell’ in PHP to the web server, for the escalation of privileges I managed to find a backdoor nginx module and found the parameter that I needed for the ‘RCE’ as the ‘ROOT’ user.
This is an easy machine, for its intrusion I took advantage of a vulnerable version of PHP/8.1.0-dev, adding the header ‘User-Agent’ followed by ‘zerodiumsystem()’ it was found that ‘RCE’ could be gained, for this I established a reverse shell through netcat and gained access, for escalation I found that the Knife binary could be executed as root user, search in gtfobins and escalate privileges.
This is an easy difficulty machine, to break into it I managed to dump credentials into a file scanner, with searchsploit I found an exploit that allowed me to gain access, but I had to be authenticated, I entered the credentials into the exploit and pointed it to my IP to receive a reverse shell, in the privilege escalation I found that I had AlwaysInstallElevated privileges, meaning I could deposit malicious .msi files.
This is a medium difficulty machine, for the cookie intrusion I was able to find out that I was dealing with a JWT attack, to break it I created a new cookie pulling my private key through a Python server and changed the panel, it had an option to upload files, I created a reverse shell and uploaded it, for the privilege escalation I took advantage of a vulnerable version of Docker.
This is an easy machine, for the intrusion I took advantage of a vulnerable version of Drupal that was running on the system and gained RCE, I had to migrate to another user, for this I found MySQL credentials that helped me find a hash, after breaking it the credential was of the user I had to migrate to, for the privilege escalation I took advantage of snap, since it could be executed with sudo privileges.
This is an easy machine, for its intrusion I managed to enumerate users with the rpcenum tool of s4vitar and I managed to dump a net ntlm v2 hash without authentication to the kerberos protocol, this technique is called ASREPRoast, I also managed to crack it by brute force with john, I accessed it with evil-winrm, for the escalation I used BloodHound to see the attack vector, I saw that I could grant myself DCSync privileges based on the group function.
This is an easy machine, for the intrusion I found a vulnerable version of a service that was running on the machine, called nostromo, I used a GitHub exploit for that version and gained arbitrary code execution, for the privilege escalation I took advantage of a utility that I could run as the root user, I had to minimize the terminal to bypass it.
This is an easy machine, for the intrusion I found credentials in a web server path, I used them to dump more users with lookupsid.py, with the user Chase I authenticated with a password cracked in evil-winrm, for the privilege escalation I dumped a Firefox process with procdump64.exe and leaked in the dump through login.php and it reported me access credentials as Administrator.
This is an easy difficulty machine, I quite liked this machine, the intrusion was fun, I took advantage of a vulnerable version of CMS Made Simple, the exploit I used exploited a SQL vulnerability, once I gained access to the machine I had a few issues escalating, until I saw that it was running run-parts without their absolute path when starting SSH, so I took advantage of a PATH hijacking.
This machine is of easy difficulty, I liked the intrusion better by taking advantage of a vulnerable control panel called OpenNetAdmin, I used an exploit that exploited the vulnerability of the panel and granted you remote execution of arbitrary code. This time the escalation was quite easy to complete, by doing sudo -l I allowed myself as any user to execute the nano binary to a file called priv.
This is an easy machine, the experience has not been frustrating due to its ease. While fuzzing I found a directory called cgi-bin so I thought it might be a shellshock, while fuzzing again I found a script called user.sh, and it was vulnerable to shellshock, once I gained access to the machine I took advantage of Perl because I could run it with sudo.
This machine is of easy difficulty, I especially liked it because it touched on active directory issues, for its intrusion I took advantage of a virtual hard disk file, I was able to dump SAM hashes and I managed to crack the l4mpje user’s hashes with john. For privilege escalation I found a file called consConf.xml that had a coded key, I decoded it and got root
This machine is of easy difficulty, I liked intrusion more than privilege escalation. For its intrusion I found the group preferences key in a shared resource called Replication and in the Groups.xml file, I decrypted it with gpp-decrypt and it gave me access with smbclient using the SVC_TGS user. For the escalation I managed to dump the Administrator user’s Ticket, it helped me authenticate with psexec.
This machine is a ‘Starting Point’, I liked intrusion more than privilege escalation, accessing a panel using credentials from another machine, I brute-forced a URL parameter (id) and found a user with more privileges, I managed to change the view of the page and get a reverse shell to go up in PHP, for its escalation I found a program that was running cat without its absolute path, this was PATH hijacking.
This is an easy machine, I liked the intrusion more than the privilege escalation, for its intrusion I managed to make ‘directory listing’ and get to see WordPress credentials, I authenticated with the administrator user, I managed to modify the 404 template and embed a reverse shell, in the privilege escalation it allowed me to execute the initctl binary with any user, I modified a service and got root
This machine is a ‘Starting Point’, I liked the intrusion better, I took advantage of a DTS file with XML code in the backups share that had authentication credentials in clear text, I connected with mssqclient and achieved RCE using PowerShell code, I started a reverse Shell, for the escalation of privileges I found a file in a system path with credentials, I managed to authenticate with winexe.
This machine is of medium difficulty, I liked the intrusion much more than the escalation, for the intrusion I managed to download a .bak file that had the code of the page, seeing it I realized that I was dealing with an insecure deserialization in PHP, I serialized malicious code and uploaded it to the server, for the escalation I had to include my public key before it was copied to known_hosts.
This is an easy difficulty machine, I liked the intrusion better, for its intrusion I took advantage of a file upload field, I used a script that created the malicious template, I uploaded it, I listened with netcat and gained a Shell. For privilege escalation I used the sudo -ly command and like all users it allowed me to execute the Metasploit binary.