Sauna (Windows Easy)
This box starts off with port 80 open. Enumeration of the website reveals user names on one of its pages. Kerberoasting proves successful, retrieving the hash of user fsmith. Once the hash is cracked we are able to gain access to the machine. While working through privilege escalation we come across cached credentials used by WinLogon, stored in the registry for the user svc_loanmanager; we retrieve the credentials using PowerShell. After looking at the user in BloodHound, we find the user has GetChangesAll on the domain. This allows the user to DCSync and dump all the hashes for the domain.

Initial Nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: ...
Hybrid (Chain Easy)
Hybrid is a Chain mixing a Linux and a Windows machine. It starts off with Roundcube Webmail on HTTP; using alias identities you're able to force command injection, leading to a reverse shell. Once on the box you find /etc/exports enabling rw for /opt/share, allowing for privilege escalation to user peter. From there you tunnel through to find a vulnerable ESC1 template that allows Domain Computers to enroll with an enrollee-supplied subject, allowing for privilege escalation to Administrator.

Initial Nmap
Two IPs to scan.
Nmap scan report for 10.10.160.197
Host is up (0.16s latency).
Not...
Manage (Linux Easy)
Manage is a Linux Easy machine starting off with Java RMI, enumerated using beanshooter. After enumeration we gather credentials and see that authorization on the remote MBean server isn't required. Using this we are able to get a foothold on the machine. As user tomcat, we see other users we can attack in /etc/passwd. Trying to escalate our privileges to useradmin, we have password reuse from the credentials we gathered, but upon entering the password we're asked for verification. Looking in useradmin's home we see a backup tar file. Getting it to our machine yields a backup of this user's home directory. We have an SSH key we can use to get on the box, along with .google_authenticator holding PINs to try. Doing so gets us SSHed onto the box. Looking at our user's privileges, we see we have ALL:ALL on /usr/sbin/adduser. Looking at a typical sudoers file we see we can use admin as a user, as this group is not present on the box. Upon adding this user, they will in turn be added to the admin group...
Heist (Windows Easy)
Heist is a Windows Easy box. I wanted to take it easy and do something relaxing, and this was very interesting to say the least. This starts out with a website where you're able to log in as a guest and read the recent posts. When you do, you gather a user name as well as an attachment. This attachment is a Cisco config file. You're able to deduce what type of hash the passwords are and crack them. From there you're able to get a list of users, and then spray to find one that allows WinRM access. Looking at directories and anything out of the norm, you find a particular Firefox process running, which can allow for dumping the process memory if it's still being used. Using procdump64.exe, we're able to dump the process memory, filter through it and retrieve the Administrator password.

Initial Nmap
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd...
Retro2 (Windows Easy)
Retro2 is an Easy Windows machine that starts off with Guest auth enabled to look at shares, finding a Microsoft Access database file. After finding the user and password we are able to obtain a BloodHound dump. This shows a relatively simple path with some twists: we are able to find a couple of Pre-Windows machines and change the password for one. This allows us to change/reset the password for the computer ADMWS01$, which has a particular attribute that allows the reset of the password. Once we've done this we are able to add our user to the Services group, allowing for RDP access. Upon getting a session we find that, with this version of Windows Server 2008, we are able to control the full path in a Windows registry value, which allows us to escalate to NT AUTHORITY\SYSTEM.

Initial Nmap
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15F75)...
Scrambled (Windows Medium)
Scrambled is a Medium Windows Active Directory machine. Enumerating the website hosted on the remote machine, a potential attacker is able to deduce the credentials for the user ksimpson. The website also states that NTLM authentication is disabled, meaning that Kerberos authentication is to be used. Accessing the Public share with the credentials of ksimpson, a PDF file states that an attacker retrieved the credentials of an SQL database. This is a hint that there is an SQL service running on the remote machine. Enumerating the normal user accounts, it is found that the account SqlSvc has a Service Principal Name (SPN) associated with it. An attacker can use this information to perform an attack known as kerberoasting and get the hash of SqlSvc. After cracking the hash and acquiring the credentials for the SqlSvc account, an attacker can perform a silver ticket attack to forge a ticket and impersonate the user Administrator on the remote MSSQL service. Enumeration...
Breach (Windows Medium)
Breach is a Windows Medium box that starts with Guest auth to shares. Having read/write to one share, we upload an lnk file and receive a user hash. This hash is used to kerberoast SPNs, which gets a hash for the svc_mssql user. As we have a service account, we can create a silver ticket. After creation, we connect as Administrator to an MSSQL instance and can run commands via xp_cmdshell. Only after bypassing AMSI do you get a reverse shell. Once on the machine, checking our privileges we have SeImpersonate available to us. Using GodPotato we create a user, add them to the Administrators group, and connect as Admin via evil-winrm.

Initial Nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-28 00:08:14Z)
135/tcp open msrpc ...
Cypher (Linux Medium)
Cypher is a Linux Medium box that starts with a website hosting a .jar file. Once downloaded and decompiled, you find among its contents a CustomFunctions.class Java file. Using jd-gui we are able to look at the source code of the file. The code reveals an attack vector inside a string that executes a system command. Using Cypher injection we are able to obtain a reverse shell that gets us on the box as neo4j. Once on the box we look around to find a .yml file containing credentials. Trying them with the other user gets us a shell as graphasm. We ssh in for stability, and checking what permissions we have with sudo -l reveals we can run bbot with sudo. Looking into the GitHub repository and the man pages, we can force a config to run through a dry run and have it abort before executing. Doing this we can obtain the root.txt file.

Initial Nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.8 (Ubuntu Linux; protocol 2.0)
|...
Cascade (Windows Medium)
Cascade is a medium Windows machine configured as a Domain Controller. LDAP anonymous binds are enabled, and enumeration yields the password for user r.thompson, which gives access to a TightVNC registry backup. The backup is decrypted to gain the password for s.smith. This user has access to a .NET executable, which after decompilation and source code analysis reveals the password for the ArkSvc account. This account belongs to the AD Recycle Bin group, and is able to view deleted Active Directory objects. One of the deleted user accounts is found to contain a hardcoded password, which can be reused to log in as the primary domain administrator.

Initial Nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos...
Blackfield (Windows Hard)
Blackfield is a hard Windows machine featuring Windows and Active Directory misconfigurations. Anonymous / Guest access to an SMB share is used to enumerate users. One user is found to have Kerberos pre-authentication disabled, which allows us to conduct an ASREPRoasting attack. This allows us to retrieve a hash of the encrypted material contained in the AS-REP, which can be subjected to an offline brute force attack in order to recover the plaintext password. With this user we can access an SMB share containing forensics artifacts, including an lsass process dump. This contains a username and a password for a user with WinRM privileges, who is also a member of the Backup Operators group. The privileges conferred by this privileged group are used to dump the Active Directory database and retrieve the hash of the primary domain administrator.

Nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS...