THM - Dodge
We start by enumerating the open ports with an nmap scan: We notice that the certificate used for HTTPS contains several domain names, so we add them to the /etc/hosts file to access them: Most of the domains are useless, but accessing the domain netops-dev.dodge.thm over HTTPS brings up a blank page: By analyzing the source code, we discover a PHP file that allows us to modify the firewall configuration: By entering the sudo ufw disable command, we can disable the firewall rul...
The Printerbug
What is PrinterBug? PrinterBug is the name given to a technique for abusing the Microsoft Print System Remote Protocol (MS-RPRN), a Microsoft RPC interface. This method enables an attacker with a simple user account to force a Windows computer (often a domain controller) with the print spooler enabled to authenticate to a machine controlled by the attacker. The aim is to exploit this authentication to carry out an NTLM relay attack. Why does this vulnerability exist? In a Windows environment, the MS...
Pass The Ticket Attack
This article will be a walkthrough of the INE lab concerning this attack. PowerView PowerView is a PowerShell tool for reconnaissance in Windows domains. It contains a set of PowerShell commands that replace the classic Windows commands of the net * type. We start the lab by opening a PowerShell command prompt and enabling script execution: Next, we can find the domain machines on which the current user is an administrator: You can then launch a PowerShell session with one of these machines: HF...
Discover SPIKE
What is SPIKE SPIKE is a protocol fuzzer creation kit. It provides an API for creating your own fuzzers for network protocols, using the C++ language. SPIKE provides a series of basic commands for generating fuzzed messages to be sent to a network service. Scripting SPIKE For TCP-based server applications, we use .spk scripts with the generic_send_tcp interpreter (preinstalled on Kali Linux). The basic syntax is: generic_send_tcp <IP> <port> <script.spk> <SKIPVAR> <...
THM - BOF - Task8
Step 1: Find the offset The first step is to find the offset that will allow us to overwrite the return address. To do this, there are 2 methods: Manual method: We can see in the source code that the buffer is 140 bytes long, but between the end of this buffer and the return address there may be padding bytes (memory alignment) and the saved rbp register (base pointer), which is 8 bytes long on a 64-bit architecture. So, to overwrite the return address, you’ll need at least 148 bytes. To find out the...
THM - BOF - Task7
Source: https://tryhackme.com/room/bof1 The aim of this exercise is to modify the normal operation of the program so that it executes a function it is not supposed to be able to execute. After connecting to the machine via SSH, we find the program’s C code: void special(){ printf("this is the special function"); printf("you did this, friend!\n");} void normal(){ printf("this is the normal function");...
Token Impersonation
A token is a temporary key that enables you to access a system or network without having to provide credentials every time you access a resource. These tokens contain information such as: User identity Groups to which the user belongs User privileges There are two types of token: Delegate: Created when a user logs on to a machine or connects to a machine via RDP, these tokens enable a user to impersonate the identity of a user on another machine on the network (e.g. a service accessing files on an...
THM - U.A High School
Machine presentation Level: Easy Link: https://tryhackme.com/r/room/yueiua Tools: nmap, fuzz, dirb, hexeditor, steghide, openssl Enumeration We start with a simple nmap scan: 2 ports are open, the SSH port and the HTTP port. Using dirb, we discover an index.php file in an assets directory, which is unusual: We then try to verify whether this PHP file accepts an input parameter by fuzzing it with this command: ffuf -u 'http://10.10.85.246/assets/index.php?FUZZ=whoami' -...
THM - Robots
We start with an nmap scan: The robots.txt file reveals 3 directories. Only one of them is accessible: You can now create an account, and the initial password will be md5(username+ddmm). So we create a test account with a date of birth of 00/00/0000. We can then calculate the requested hash with the following bash command: Use -n to avoid line breaks. You can then connect to the test account with this password: We can see that the admin account has recently logged in, and we can also see ...
THM - Reset
This challenge simulates a scenario where you have to compromise an Active Directory environment. Nmap scan: In view of the open ports, we’re probably dealing with an Active Directory environment. We can try to obtain information using a few important ports: Port 53 (DNS): The nmap scan provides us with FQDNs (Fully Qualified Domain Names) such as haystack.thm.corp. We can then ask DNS to provide us with all DNS records linked to the thm.corp domain. This can be done with the dig utility (di...