Coder starts with an SMB server that has a DotNet executable used to encrypt things, and an encrypted file. I’ll reverse engineer the executable and find a flaw that allows me to decrypt the file, providing a KeePass DB and file. I’ll use the file as a key to get in, and find the domain, creds, and a 2FA backup to a TeamCity server. I’ll reverse the Chrome plugin to understand how the backup works, and brute force the password to recover the TOTP seed. With that and the creds, I can log into the server and upload a diff that gets executed as part of a CI/CD pipeline. I’ll find Windows encrypted creds for the next user in a diff file stored with the TeamCity files. For root, I’ll abuse CVE-2022-26923 by registering a fake computer with a malicious DNS hostname to trick ADCS into thinking it’s the DC. From there, I can dump the hashes for the domain and get a shell as administrator.
ctf htb-coder hackthebox nmap windows smb netexec smbclient adcs teamcity reverse-engineering dotnet dotpeek youtube visual-studio keepass kpcli authenticate 2fa totp source-code javascript cicd git-diff evil-winrm bloodhound bloodhound-python CVE-2022-26923 secretsdump

A new employee gets a call from the “IT department”, who is actually a malicious actor. They get a TeamViewer connection and launch a Merlin C2 agent. I’ll see through the logs the processes it runs, where Defender catches it, and how it tries to mess with forensics by constantly changing the system time.
ctf dfir forensics sherlock-tick-tock hackthebox kape teamviewer event-logs evtxecmd time-stomping merlin-c2 defender mft mftecmd

Authority is a Windows domain controller. I’ll access open shares over SMB to find some Ansible playbooks. I’ll crack some encrypted fields to get credentials for a PWM instance. The PWM instance is in configuration mode, and I’ll use that to have it try to authenticate to my box over LDAP with plain text credentials. With those creds, I’ll enumerate Active Directory Certificate Services to find they are vulnerable to ESC1, with a twist. Rather than any user being able to enroll with the template, it’s any domain computer. I’ll add a fake computer to the domain and use that to get a certificate for the DC. That certificate doesn’t work directly, but I can use a pass-the-cert attack to dump hashes and get access as administrator.
ctf htb-authority hackthebox nmap windows iis smb netexec smbclient dig dns feroxbuster pwm ansible ansible-vault ansible2john hashcat wireshark responder evil-winrm adcs certipy esc1 ms-ds-machineaccountquota powerview addcomputer-py pass-the-cert silver-ticket htb-absolute htb-escape htb-support

Knock Knock is a Sherlock from HackTheBox that provides a PCAP for a ransomware incident. I’ll find where the attacker uses a password spray to compromise a publicly facing FTP server. In there, the attacker finds a configuration file for a port-knocking setup, and uses that to get access to an internal FTP server. On that server, they find lots of documents, including a reference to secrets on the company GitHub page. In that repo, the attacker found SSH creds, and used an SSH session to download GonnaCry ransomware using wget.
ctf dfir forensics sherlock-knock-knock hackthebox pcap zeek pcap-nmap pcap-password-spray port-knocking knockd pcap-port-knocking ansible gonnacry

CyberMonday is a crazy difficult box, most of it front-loaded before the user flag. I’ll start with a website, and abuse an off-by-slash nginx misconfiguration to read a. I’ll find a mass assignment vulnerability in the site allowing me to get admin access, which provides a new subdomain for a webhooks API. I’ll enumerate that API to find it uses JWTs and asymmetric crypto. I’ll abuse that to forge a token and get admin access to the API, where I can create webhooks. One of the webhooks allows me to get the server to issue web requests, like an SSRF. I’ll abuse that, with a CRLF injection, to interact with the Redis database that’s caching the Laravel session data. I’ll abuse that to get code execution in the web container.
htb-cybermonday ctf hackthebox nmap debian php laravel feroxbuster off-by-slash nginx ffuf gitdumper source-code mass-assignment burp burp-repeater api jwt jwks python-jwt jwt-tool jwt-algorithm-confusion jwt-asymmetric ssrf ssrf-redis redis crlf-injection laravel-deserialization deserialization redis-migrate redis-blind laravel-decrypt phpggc docker container escape pivot chisel docker-registry snyk directory-traversal file-read docker-compose docker-capabilities docker-apparmor docker-shocker shocker youtube htb-pikaboo htb-seal htb-monitors htb-talkative