Anomaly
This pair of machines was pretty fun. We start off on an Ubuntu machine with just 2 ports open. Scanning shows port 8080, and viewing it in a browser shows it's running Jenkins; with a flick of the wrist, admin:admin gets us in the door. From here we can go to /script and use Groovy, or you can create and build. Using a little reverse shell gets us on the machine after building. As user jenkins, we enumerate and find some binaries set with the sticky bit, and viewing our sudo privileges shows that no password is required for us. We come across a binary called router_config, get it back to our machine and look at it with strings. It's not a complicated binary and uses puts as a function; nevertheless, looking at how it works left room to play, as it didn't sanitize any input. Simply running a little hello world works to show that we can run a command and get root on this system. From root, we find a keytab file holding only the AES-256 hash for...
ShareThePainAD
This Active Directory machine starts off with ZERO CREDENTIALS. Our initial scan shows the normal ports open for a server. We first check SMB and find we have guest auth to a 'Share' directory, with READ,WRITE access to it. After uploading a lnk file, we capture the hash for bob.ross. Once a BloodHound dump is obtained, we find we have GenericAll over user alice.wonderland. We can do this a couple of ways, which entail setting an SPN and TargetedKerberoasting, or changing her password. This user alice.wonderland has access to the box, being in Remote Management Users. After poking around some, we find a SQL directory at C:\ but have no access. Nevertheless, this is an older Windows machine (Server 2022). Using CVE-2024-35250 to exploit at the kernel level, we are able to obtain SYSTEM using msfconsole.
Initial Scan
PORT STATE SERVICE REASON ...


