THM - Rabbit
Initial enumeration. We start with an nmap scan:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)
|_  256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://cloudsite.thm/
|_http-server-header: Apache/2.4.52 (Ubuntu)
4369/tcp open  epmd    Erlang Port Mapper Daemon
| ...
THM - Ledger
Ledger is a room where you have to compromise a domain controller. Several paths are possible to compromise the domain, one using an RBCD attack and the other a vulnerable certificate template. Enumeration. As usual, we start by running an nmap scan to identify the services exposed on the machine. We can see straight away that the machine is a domain controller, as it has all the ports typical of a DC. Recovery of valid accounts. Once I’d noticed that the machine was a DC, I tried to see if it wa...
THM - Billing
Enumeration. As always, we start with an nmap scan to identify a web service running on port 80. Access to the website reveals that it’s a MagnusBilling interface, an open-source software package for managing telephony over the Internet (VoIP). Companies use it to sell telephony, manage customers, subscriptions, prepaid cards and billing. RCE on MagnusBilling. After some research, we discover that the version of MagnusBilling used is vulnerable to an RCE without authentication. In fact, an uplo...
Vulnlab - Puppet
Puppet is a chain comprising 3 machines. It allows you to familiarize yourself with the Sliver C2, exploit PrintNightmare to perform a local privilege escalation and finally exploit the Puppet management tool to compromise the DC. Port enumeration. The initial reconnaissance phase identifies potential vulnerabilities on the Linux machine, which is probably the C2 server in view of the scenario description. ...
Vulnlab - Lustrous
User enumeration. We start by running an nmap scan: ...
Vulnlab - Hybrid
Hybrid is an Active Directory chain containing a Windows machine and a Linux machine. Initial access is gained by compromising the Linux machine, then the domain can be compromised using an ADCS attack. Enumeration. We start by running an nmap scan on the IPs provided.
┌──(kali㉿kali)-[~/ctf/vulnlab/hybrid]
└─$ nmap -A -iL ips
Starting Nmap 7.94SVN ( https://nm...
Vulnlab - Heron
Heron is a medium-difficulty lab. The scenario assumes an initial compromise on a Linux machine attached to a domain, requiring a pivot to a domain controller in an attempt to compromise it. Enumeration. Let’s start with the usual Nmap scan: The scan shows that 10.10.168.69 has no accessible ports, probably due to a firewall. On the other hand, 10.10.168.70 has port 22 open. This suggests that we should start by connecting to the Linux machine via SSH. The Wiki page tells us that this is a suppos...
Vulnlab - Tea
Synthesis. Tea is an Active Directory chain containing 2 machines to be compromised. Initial access is gained by exploiting a CI/CD runner on a Gitea instance, and full domain compromise is possible through the WSUS connection of the domain controller. Initial enumeration. Let’s start with an nmap scan of both machines. It looks like we’ve got a domain controller that isn’t behind a firewall and a machine hosting web services. We can retrieve the names of both machines using NetExec: We add t...
Vulnlab - Trusted
Initial access. Thanks to the nmap scan, we quickly discover that one of the servers hosts an XAMPP server. By listing its directories, we discover a website: After browsing the site, we notice that it is potentially vulnerable to a BIA: This is confirmed by accessing the server log at the following link: http://10.10.162.134/dev/index.html?view=C:/xampp/apache/logs/access.log In this way, you can gain access to the machine by log poisoning. To do this, we send a request with PHP code in the User...
THM - Skynet
Enumeration. Enumeration of open ports using nmap: Looking at the SMB share, we see that it is possible to connect to the share using the guest account. A log1.txt file is then retrieved from the anonymous share, which appears to contain passwords. Listing the web server folders with dirb, we come across a mail server login page. Mail server access. Using hydra and the log1.txt file, we find the password for the milesdyson account (name found when enumerating SMB shares). This gives us acc...