It starts with a simple web page that takes a URL and generates a PDF. Precious is on the easier side of boxes found on HackTheBox. To get administrator access, I’ll abuse relaying Kerberos, showing both KrbRelay to add a user to the administrators group, and KrbRelayUp to get the machine account hash and do a DC sync attack.Ĭtf hackthebox htb-precious nmap subdomain ffuf ruby phusion passenger nginx exiftool pdfkit feroxbuster cve-2022-25765 command-injection bundler yaml-deserialization youtube This user is able to modify a group and from there modify a user to add a shadow credential and finally get a shell on the box. Access to a share provides a Nim binary, where some dynamic analysis provides yet another set of creds. LDAP enumeration leads to the next set of creds. I’ll figure out the username format for the domain, and AS-REP-Roast to get creds. Still, even today, it’s a maze of Windows enumeration and exploitation that starts with some full names in the metadata of images. At that time, many of the tools necessary to solve the box didn’t support Kerberos authentication, forcing the place to figure out ways to make things work. Htb-absolute hackthebox ctf windows iis crackmapexec ldapsearch dnsenum feroxbuster exiftool username-anarchy kerbrute as-rep-roast hashcat kerberos kinit klist bloodhound bloudhound-python rpc dynamic-reversing wireshark shadow_credential certipy krbrelay visual-studio runascs krbrelayup rubeus dcsyncĪbsolute is a much easier box to solve today than it was when it first released in September 2022. To get root, I’ll exploit a sudo rule that let’s the user run dotnet as root. I’ll pivot to the next user using creds from the DLL. On reversing that DLL, I’ll find a JSON derserialization issue, and exploit it to get file read and the user’s SSH key. I’ll abuse the first file read to get the DLL for that server. In that source, I see how it connects to the other. I’ll exploit a file read vulnerability to locate and retrieve the source. In Beyond Root, I’ll look at another easter egg challenge with a thank you message, and a YouTube video exploring the webserver and it’s vulnerabilities.Ĭtf htb-bagel hackthebox nmap python flask source-code file-read dotnet websocket ffuf source-code reverse-engineering proc wscat dnspy json json-deserialization dotnet-deserialization īagel is centered around two web apps. I’ll use database creds to pivot to the next user, and a kernel exploit to get to root. Once registered, I’ll enumerate the API to find an endpoint that allows me to become an administrator, and then find a command injection in another admin endpoint. It features a website that looks like the original HackTheBox platform, including the original invite code challenge that needed to be solved in order to register. It released directly to retired, so no points and no bloods, just for run. TwoMillion is a special release from HackTheBox to celebrate 2,000,000 HackTheBox members. The user is able to run dstat as root using doas, which I’ll exploit by crafting a malicious plugin.Ĭtf htb-twomillion hackthebox nmap ffuf feroxbuster php ubuntu javascript burp burp-repeater api command-injection cve-2023-0386 htb-invite-challenge cyberchef youtube I’ll exploit an SQL injection over the websocket to leak a password and get a shell over SSH. That site uses websockets to do a validation task. With this foothold, I’ll identify a second virtual host with a new site. On finding the default credentials, I’ll use that to upload a webshell and get a shell on the box. Soccer starts with a website that is managed over Tiny File Manager. Hackthebox ctf htb-soccer nmap ffuf subdomain ferobuster express ubuntu tiny-file-manager default-creds upload webshell php websocket burp sqli websocket-sqli boolean-based-sqli sqlmap doas dstat In Beyond Root, I’ll show an alternative vector using a silver ticket attack from the first user to get file read as administrator through MSSQL. To get administrator, I’ll attack active directory certificate services, showing both certify and certipy. That user has access to logs that contain the next user’s creds. With those, I’ll use xp_dirtree to get a Net-NTLMv2 challenge/response and crack that to get the sql_svc password. I’ll start by finding some MSSQL creds on an open file share. Ctf htb-escape hackthebox nmap crackmapexec windows smbclient mssql mssqlclient xp-cmdshell responder net-ntlmv2 hashcat winrm evil-winrm certify adcs rubeus certipy silver-ticket pass-the-hash xp-dirtreeĮscape is a very Windows-centeric box focusing on MSSQL Server and Active Directory Certificate Services (ADCS).
0 Comments
Leave a Reply. |