UnChleuHacker

Intercept is a chain of machines consisting of two Windows servers. Initial access is gained via an SCF attack, compromising the account of a domain user. With this access, several notable elements are observed: the domain controller does not enforce LDAP signing, the compromised user has the necessary rights to join a machine to the domain, one of the servers is vulnerable to PetitPotam and has the WebClient service enabled. By combining these vulnerabilities, a Relay (RCBD) attack can be ...

Tengu is a chain of medium level machines, consisting of one Linux machine and two Windows machines. An instance of Node-RED was used to execute code on the Linux machine. The recovery of a database password was then used to compromise a domain account, which was administrator on the Linux machine. The latter had constrained delegation for the MSSQL service, making it possible to compromise the associated MSSQL server. Finally, by recovering information protected by DPAPI, it was possible to ...

Préparation de l’environnementExécution en tant qu’administrateur1234Start-Process PowerShell_ISE -Verb RunAs Add-MpPreference -ExclusionPath "C:\Temp" Set-MpPreference -DisableRealtimeMonitoring $true Import-Module C:\Temp\Invoke-Mimikatz.ps1 Si windows defender ne peut pas être désactivé, faire un AMSI Bypass1S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`...

Reflection is a chain of 3 Windows machines: MS01 , WS01 and DC01. Initial access is via an SMB connection to MS01, which provides credentials to access an MSSQL database. These are used to retrieve the database’s service account and, using an NTLM Relay attack, to access the DC’s prod share, which contains the credentials of abbie.smith, a domain account. As this account has GenericAll rights on MS01, it can read the LAPS password and retrieve the credentials of the Georgia.Price account on ...

Initial accessWe start by running an nmap scan to identify open ports on the target machine. 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748Nmap scan report for 10.10.145.204Host is up (0.068s latency).Not shown: 994 filtered tcp ports (no-response)PORT STATE SERVICE VERSION139/tcp open netbios-ssn Microsoft Windows netbios-ssn445/tcp open microsoft-ds?3389/tcp open ms-wbt-server Microsoft Terminal Services|_ssl-date: 2025-06-26T14:08:53+00:00; +1s from...

K2 is a hard room made up of a network containing a Linux machine and 2 Windows with an AD. It allows you to practice basic attacks by confronting certain security equipment that you must try to bypass in order to achieve your goals. EnumerationAs usual, we start by running an nmap scan to identify the machine’s open ports. 12345678910111213141516171819└─$ nmap -A 10.10.18.124 -oA scanStarting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-21 15:50 EDTNmap scan report for k2.thm (10.10.18.124)H...

Initial enumerationWe start with an nmap scan 123456789101112131415PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)| ssh-hostkey:| 256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)|_ 256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)80/tcp open http Apache httpd 2.4.52|_http-title: Did not follow redirect to http://cloudsite.thm/|_http-server-header: Apache/2.4.52 (Ubuntu)4369/tcp open epmd Erlang Port Mapper Daemon| ...

Ledger is a room where you have to compromise a domain controller. Several paths are possible to compromise the domain, one using an RCBD attack and the other a vulnerable certificate template. EnumerationAs usual, we start by running an nmap scan to identify the services exposed on the machine. We can see straight away that the machine is a domain controller, as it has all the ports typical of a DC. Recovery of valid accountsOnce I’d noticed that the machine was a DC, I tried to see if it wa...

EnumerationAs always, we start with an nmap scan to identify a web service running on port 80. Access to the website reveals that it’s a MagnusBilling interface, an open-source software package for managing telephony over the Internet (VoIP). Companies use it to sell telephony, manage customers, subscriptions, prepaid cards and billing. RCE on MagnusBillingAfter some research, we discover that the version of MagnusBilling used is vulnerable to an RCE without authentication. In fact, an uplo...

Puppet is a chain comprising 3 machines. It allows you to familiarize yourself with the C2 sliver, exploit PrintNighmare to perform a local privilege escalation and finally exploit the Puppet management tool to compromise the DC. Port enumerationThe initial reconnaissance phase identifies potential vulnerabilities on the Linux machine, which is probably the C2 server in view of the scenario description. 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495...