Soccer starts with a website that is managed over Tiny File Manager. On finding the default credentials, I'll use those to upload a webshell and get a shell on the box.
hackthebox ctf htb-soccer nmap ffuf subdomain ferobuster express ubuntu tiny-file-manager default-creds upload webshell php websocket burp sqli websocket-sqli boolean-based-sqli sqlmap doas dstat

Escape is a very Windows-centric box focusing on MSSQL Server and Active Directory Certificate Services (ADCS). I'll start by finding some MSSQL creds on an open file share. With those, I'll use xp_dirtree to get a Net-NTLMv2 challenge/response and crack that to get the sql_svc password. That user has access to logs that contain the next user's creds. To get administrator, I'll attack Active Directory Certificate Services, showing both Certify and Certipy. In Beyond Root, I'll show an alternative vector using a silver ticket attack from the first user to get file read as administrator through MSSQL.
ctf htb-escape hackthebox nmap crackmapexec windows smbclient mssql mssqlclient xp-cmdshell responder net-ntlmv2 hashcat winrm evil-winrm certify adcs rubeus certipy silver-ticket pass-the-hash xp-dirtree

Stocker starts out with a NoSQL injection allowing me to bypass login on the dev website. From there, I'll exploit purchase order generation via a server-side cross-site scripting in the PDF generation that allows me to read files from the host. I'll get the application source and use a password it contains to get a shell on the box. The user can run some NodeJS scripts as root, but the sudo rule is a misconfiguration that allows me to run arbitrary JavaScript and get a shell as root.
hackthebox ctf htb-stocker nmap ubuntu ffuf subdomain feroxbuster burp burp-repeater chatgpt express nodejs nosql nosql-auth-bypass nosql-injection xss serverside-xss pdf file-read

Pollution starts off with a website where I can find a token in a forum post that has a Burp history export attached. With that token, I can escalate my account to admin and get access to an endpoint vulnerable to XML external entity (XXE) injection. With that, I'll read files, including the source code for the site, to get access to Redis, where I'll modify my state to get access to the developers' site. That site has a PHP local file include (LFI) that I can exploit with filter injection to get code execution. This filter injection technique has become popular, but was relatively unknown at the time of Pollution's release. I'll pivot to the next user by exploiting PHP's FastCGI Process Manager (PHP-FPM), where I'll get access to the source code for a NodeJS / Express API in development. That API has a prototype pollution vulnerability, which I can exploit to get execution and a shell as root. In Beyond Root, I take a quick look at the max length of a URL encountered during the XXE exploit.
htb-pollution ctf hackthebox debian nmap redis redis-cli feroxbuster ffuf subdomain mybb burp burp-history-export xxe htpasswd hashcat source-code php lfi php-filter-injection php-fpm fastcgi express nodejs snyk prototype-pollution

Inject has a website with a file read vulnerability that allows me to read the source code for the site. The source leaks that it's using Spring Boot and has a vulnerable library in use that allows me to get remote code execution. I'll show how to identify this vulnerability both manually and using Snyk. The root step is about abusing a cron that's running the Ansible automation framework.
ctf htb-inject hackthebox nmap ubuntu file-read directory-traversal tomcat feroxbuster burp-repeater burp spring-cloud-function-spel-injection java java-sprint maven snyk spring-cloud-function-web cve-2022-22963 command-injection brace-expansion ansible pspy ansible-playbook