writeups

Heron is a medium-difficulty lab. The scenario assumes an initial compromise on a Linux machine attached to a domain, requiring a pivot to a domain controller in an attempt to compromise it. EnumerationLet’s start with the usual Nmap scan:The scan shows that 10.10.168.69 has no accessible ports, probably due to a firewall. On the other hand, 10.10.168.70 has port 22 open. This suggests that we should start by connecting to the Linux machine via SSH.The Wiki page tells us that this is a suppos...

SynthesisTea is an Active Directory chain containing 2 machines to be compromised. Initial access is gained by exploiting a CI/CD runner on a Gitea instance, and full domain compromise is possible through the WSUS connection of the domain controller. Initial enumerationLet’s start with an nmap scan of both machines.It looks like we’ve got a domain controller that isn’t behind a firewall and a machine hosting web services.We can retrieve the names of both machines using NetExec : We add t...

Initial accessThanks to the nmap scan, we quickly discover that one of the servers hosts an xampp server. By listing its directories, we discover a website:After browsing the site, we notice that it is potentially vulnerable to a BIA:This is confirmed by accessing the server log on the following link: http://10.10.162.134/dev/index.html?view=C:/xampp/apache/logs/access.log In this way, you can gain access to the machine by log poisoning. To do this, we send a request with php code to the user...

EnumerationEnumeration of open ports using nmap : Looking at the smb share, we see that it is possible to connect to the share using the guest account : A log1.txt file is then retrieved from the anonymous share, which appears to contain passwords:Listing the web server folders with dirb, we come across a mail server connection page: Mail server accessUsing hydra and the log1.txt file, we find the password for the milesdyson account (name found when enumerating smb shares). This gives us acc...

We start with an nmap scan We can see that the open ports correspond to those of a Windows machine, which is confirmed by visiting the web site on port 80: We start by trying to enumerate smb shares with the guest account: Note that you have read and write rights on a share. Using impacket-smbclient, we discover a password.txt file containing base64 : By decoding it with CyberChef, we obtain Bob’s and Bill’s identifiers: After trying to use these accounts to access other parts of the serve...

We start by enumerating the open ports with an nmap : We notice that the certificate used for https contains several domain names, so we add them to the /etc/hosts file to access them: Most of the domains are useless, but accessing the domain netops-dev.dodge.thm using https will bring up a blank page: By analyzing the source code, we discover a php file that allows us to modify the firewall configuration: By entering the sudo ufw disable command, we can disable the firewall rul...

What is PrinterBug?PrinterBug is the name given to a technique for abusing the Microsoft Remote Procedure Call Print System Remote Protocol (MS-RPRN). This method enables an attacker with a simple user account to force a Windows computer (often a domain controller) with the print spooler enabled, to authenticate to a machine controlled by the attacker.The aim is to exploit this authentication to carry out an NTLM Relay attack. Why does this vulnerability exist?In a Windwos environment, the MS...

Step 1: Find the offsetThe first step is to find the offset that will allow us to replace the return address. To do this, there are 2 methods: Manual method:We can see in the source code that the buffer is 140 bytes long, but between the end of this buffer and the return address there are possible fill bytes (memory alignment) and the rbp register (base pointer), which is 8 bytes long on a 64-bit architecture.So, to overwrite the return address, you’ll need at least 148 bytes. To find out the...

Source : https://tryhackme.com/room/bof1 The aim of this exercise is to modify the normal operation of the program so that it executes a function that it is not supposed to be able to execute. After connecting to the machine via ssh, we find the program’s c code: 1234567891011121314151617181920void special(){ printf("this is the special function"); printf("you did this, friend!\\n");}void normal(){ printf("this is the normal function");
...

Machine presentation Level: Easy Link: https://tryhackme.com/r/room/yueiua Tools nmap fuzz dirb hexeditor steghide openssl EnumerationWe start with a simple nmap scan: 2 ports are open, the ssh port and the http port.Using dirb, we discover an index.php file in an assets directory, which is unusual: We then try to verify the existence or otherwise of an input parameter to this php file using FUZZ with this command : 1ffuf -u 'http://10.10.85.246/assets/index.php?FUZZ=whoami' -...