SidePieceVillage

These pair of machines was pretty fun. Starting off on a ubuntu machine with just 2 ports open. Scanning shows port 8080 and when viewing this in a browser shows its running Jenkins and with a flick of the wrist, using admin:admin gets in the door. From here we can go to /script and use groovy or, you can create and build. Using a little reverse shell gets us on the machine after building. From user jenkins, we enumerate to find some binaries set with the sticky bit, as well as it requires no password for us from viewing our privileges using sudo. Coming to find a binary called router_config, we get this back to our machine and look at it with strings. Finding its not a complicated binary but uses puts as a function, nevertheless, looking at how it works left room to play as it didn’t sanitize any input. So simply running a little hello world, works to show we can run a command and get root on this system. From root, we find a keytab find only holding the AES-256 hash for...

This Active Directory machine starts off with ZERO CREDENTIALS. So our initial scan shows us normal ports open for a server. We first check SMB to find we have guest auth to a ‘Share’ directory. We have READ,WRITE to the directory. So after uploading a lnk file we capture the hash for bob.ross. Once a bloodhound dump is obtained, we find we have GenericAll to user alice.wonderland. We can do this a couple ways with entail setting a SPN and TargetedKerberoasting or change her password. This user alice.wonderland has access to the box being in Remote Management Users. After poking around some we find a SQL directory at C:\ but no access. Nevertheless, this is a older Windows Machine (Server 2022). Using CVE-2024-35250 to exploit at the kernel level we are able to obtain SYSTEM using msfconsole. Initial Scan12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970PORT STATE SERVICE REASON ...

This is a linux hard box focusing on SSRF which you can use in turn to trigger ssh2.exec. This executes on the box giving a reverse shell. On the box we escalate to eric with previously cracked hash. Using pspy, we find a binary running via cronjob. The binary objcopy is used to check a file, with in turn we replace with our malicious binary that upon execution gets us a shell as root. Initial Nmap12345678PORT STATE SERVICE REASON VERSION21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.580/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)| http-methods:|_ Supported Methods: GET HEAD POST OPTIONS|_http-server-header: nginx/1.18.0 (Ubuntu)|_http-title: Did not follow redirect to http://era.htb/Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel FTP for smilesLooking at FTP and trying anonymous logon get us nothing. Moving on. HTTPScanning this site gives us the domain name era.htb we can add to our hosts file. Looking at the site nothing special. We can...

Voleur starts with credentials, but after a nmap you find NTLM is disabled. Using kerberos, we are able to get a bloodhound dump. Checking the shares reveals a xlsx file, we can convert it and crack it. Once done, we get access to a excel file with some users and passwords, one user has be deleted. Once on the box, we lateral move to ldap_svc, and find a user that has been deleted. Using powershell, we restore them and then get a shell using the password found from the xlsx file. Then we do to the next directory in the IT share, and find a archived users directory which hold DPAPI credentials. After obtaining the credentials, we find our user able to access a backup in the next directory that contains the SAM, SECURITY, and NTDS files used to dump the Administrator hash. As is common in real life Windows pentests, you will start the Voleur box with credentials for the following account: ryan.naylor / HollowOct31Nyt Initial...

This Windows Hard box starts off assumed breach. While enumerating with the credentials you find that NTLM is disabled. Using your credentials you’re able to obtain a kerberos ticket that lets you get a bloodhound dump and further enumerate the machine. Once done, you’re able to kerberoast SPNs(Some did timeroast) and obtain some hashes, which one of them cracks to cleartext for IT-Computer3$. Using your new found credentials you’re able to abuse DACLs that allows our user to remove objects from the Protected Objects group. Thus allowing for ForceChangePassword and after successfully changing the password for bb.morgan, we are able to get a kerberos ticket, setup our krb5.conf and evil-winrm onto the box. Enumeration as bb.morgan shows very little, yet we had a user ee.reed in the Support group. After changing his password, creating a reverse shell and using RunasCs.exe, we’re able to get a shell as ee.reed. Using PrivescCheck.ps1 shows us a COM Registry component we have...

Axlle is a hard-level Windows machine that begins with a website running on port 80. The site displays a maintenance message but mentions that Excel invoices can still be sent via email for processing. An attacker exploits this by crafting a malicious .XLL file, which bypasses security checks and is used in a phishing attack. Once the attacker gains code execution on the machine, they create a malicious .url file. This file is executed by the user dallon.matrix, leading to the compromise of their account. The dallon.matrix user is part of a group that has the ability to change the password of another user, jacob.greeny. The attacker leverages this privilege to reset the password and authenticate as jacob.greeny via WinRM. The jacob.greeny user is a member of the App Devs group, which has access to a scheduled automation that runs the StandaloneRunner binary with SYSTEM privileges. The attacker exploits this automated task to escalate privileges and ultimately gain a shell as the...

Starts with CVE-2025-24996, which is used to retrieve the hash of p.agila. This user Owns the Service Accounts OU, and can add themselves. Once done they have GenericWrite, and GenericAll which we can utilize for Shadow Credentials and obtain the hash for winrm_svc and other corresponding service accounts (ldap_svc, ca_svc). Having the ca_svc who is in Cert Publishers, we find a vulnerable template within ADCS. ESC 16 allows a low-privileged user to escalate their privilege. In doing so, we update the ca_svc account upn to administrator then request a pfx. This give us the administrator.pfx. Now we change back the upn for ca_svc and we authenticate with the administrator.pfx giving us the administrator hash. As is common in real life Windows pentests, you will start the Fluffy box with credentials for the following account: rr.j.fleischman / J0elTHEM4n1990! Initial Nmap123456789101112PORT STATE SERVICE REASON53/tcp open domain syn-ack88/tcp open ...

Initial Nmap found a NFS containing pfx keys and a key file and a cert file. By use pfx2john and creating a hash we crack the password. Then creating a pfx file using the cracked password with openssl. Then we auth and recieve d.baker hash. After getting a bloodhound dump we see d.baker has ForceChangePassword over a.carter. After doing so, we see a.carter has GenericAll over the Staff Access Certificate. Using dacledit.py we give a.carter access. Then we set a mail attribute for d.baker to h.brown@scepter.htb using bloodyAD. Then request again using upn h.brown. From there we can auth and recieve h.brown‘s hash as well as ccache we can export and use. We have write over p.adams account and if we look at h.brown attributes we see altSecurityIdentities. This is weak encryption and we can set this attribute to p.adams and then set d.baker mail attribute to p.adams. Once done we request again using upn p.adams. This get us the hash for p.adams, from here we are a Replication Operator...

This Windows Medium box starts with our user having write permissions over the DEVELOPERS group. Once we look at shares we find available to use the DEV share. In this share lies a keepass database, which we exfiltrate to our machine. Once done we crack the password to the database and discover users and credentials. After password spraying we have another valid user, and this user is in the SENIOR DEVS group, with GenericAll to user Adam.Silver. After re-enabling his account, we can finally get on the box. Going to the root directory we find a Backups directory with a zip file containing an xml file with credentials for Steph.Cooper. Using these credentials we login, and if we looked at bloodhound or other users we noticed a steph.cooper_adm. With access to this users AppData we exfiltrate the file required for DPAPI. Once we dump DPAPI, we find credentials for steph.cooper_adm. Starts as an assumed breach with credentials: levi.james / KingofAkron2025! Initial...

This box start off with port 80 open. Enumeration of the website returns users upon a page. Kerberoasting proves successful as you retrieve the hash of user fsmith. Once the hash is cracked we are able to gain access to the machine. Doing the steps to escalate privilege we come across cached credentials used by WinLogon found in Registry for user svc_loanmanager, we get the credentials using PowerShell. After looking at the user in Bloodhound, we find the user has GetChangesAll to the domain. This allows the user to DCSync and dump all the hashes for the domain. Initial Nmap12345678910111213141516171819PORT STATE SERVICE REASON VERSION 53/tcp open domain syn-ack ttl 127 Simple DNS Plus 80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0 |_http-title: Egotistical Bank :: Home | http-methods: ...