Write ups

Cyberseclabs - Red - Walkthrough [ cyberseclabs ]

RCE on redis 4.0.8 and cron script misconfigured
linux, redis, redis-4.0.8, rce

PG - Helpdesk - Walkthrough [ proving-grounds ]

Quick enumeration to quick escalation
Windows, serviceDesk, manageEngine, java

PG - Election1 - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

Exploiting a vulnerability in Serv-U FileServer
linux, easy, CVE-2019-12181, serv-u, fileserver, serv-u-15

PG - Loly - Walkthrough [ proving-grounds ]

Exploiting Wordpress Adrotate plugin then abusing eBPF_verifier
linux, CVE-2017-16995, 4.13.9, 45010, eBPF_verifier, wordpress

PG - Snookums - Walkthrough [ proving-grounds ]

Exploiting a rfi in SimplePHPGal 0.7
linux, SimplePHPGal, gallery, photo, php, rfi, lfi

THM - Kenobi - Walkthrough [ tryhackme ]

Enumerate Samba for shares, manipulate a vulnerable version of proftpd and escalate your privileges with path variable manipulation.
linux, ProFTPD, 1.3.5, ProFTPD-1.3.5, mod_copy, path_exploit

PG - Hutch - Walkthrough [ proving-grounds ]

Attacking a DC
Windows, Webdav, kerberos, DC, windows-2019, printSpoofer, ldap, adset, ad-set

PG - MoneyBox - Walkthrough [ proving-grounds ]

Simple CTF with steganography
linux, ctf, steganography

PG - Assertion101 - Walkthrough [ proving-grounds ]

Difficult LFI with php assert
linux, lfi, aria2c, php-assert

PG - Potato - Walkthrough [ proving-grounds ]

Easy enumeration and exploit of a vulnerable PHP function strcmp
linux, strcmp, lfi

PG - DC-2 - Walkthrough [ proving-grounds ]

Exploiting wordpress
linux, rbash, git, worpress

PG - Sumo - Walkthrough [ proving-grounds ]

Exploit a shellshock
linux, dirty-cow, shellshock, easy

PG - DC-1 - Walkthrough [ proving-grounds ]

Exploit a Drupal vulnerability
linux, drupal, drupal-7, find

PG - Flimsy - Walkthrough [ proving-grounds ]

Exploiting package manager
linux, linux-exploit-suggester, CVE-2021-4034, at, package, manager, apisix, crontab

PG - Algernon - Walkthrough [ proving-grounds ]

Exploiting Smartmail RCE
Windows, smartmail

PG - Internal - Walkthrough [ proving-grounds ]

Exploit eternal blue on Windows 2008
Windows, ms17-010, CVE-2017-0143, eternal-blue, 32b

PG - Twiggy - Walkthrough [ proving-grounds ]

Vulnerable ZeroMQ (SaltStack)
linux, SaltStack, CVE-2020-11651, CVE-2020-11652, zeroMQ

PG - Exfiltrated - Walkthrough [ proving-grounds ]

Find Subrion CMS then exploit exiftool
linux, exiftool, djvu, subrion, cms, 4.2

Windows Retro Walkthrough [ tryhackme ]

A machine with Wordpress on Windows 2016
Windows, CVE-2017-0213, CVE-2017-0213_x64, oscp-training, wordpress, windows-2016, MS16-135

Linux Ignite walkthrough [ tryhackme ]

Attacking Fuel CMS
linux, fuelcms, fuel-cms, oscp-training

PG - EvilBoxe One - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

Exploit an easy LFI
linux, easy, lfi, ffuf

PG - Blogger - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

upload exploit in wpDiscuz plugin
Linux, GIF89a, reverse-shell, wpDiscuzz, wordpress

PG - Shakabrah - Linux [ proving-grounds ]

Simple command injection box
linux, vim, command-injection, injection

PG - Seppuku - Linux [ proving-grounds ]

Simple linux CTF
Linux, bin-sh

PG - Funbox - Linux [ proving-grounds ]

Exploiting a Wordpress instance then escalating cron script
linux, wordpress, bash-c

PG - Born2Root - Linux [ proving-grounds ]

Basic enumeration straight to root
linux, enumeration

HTB - Valentine - Linux [ hackthebox ]

Exploit heartbleed vulnerability
linux, heartbleed, ssl, fdupes

HTB - Knife - Linux [ hackthebox ]

Exploiting a vulnerability for PHP/8.1.0-dev
linux

HTB - RedPanda - Walkthrough [ hackthebox ]

linux, ssti, server-side-template-injection, template, injection, template-injection, spring

HTB - Extension - Walkthrough [ hackthebox ]

linux, docker, docker-escape, gitea, gitea-1.15, webapp, code-review

HTB - DevOops - Walkthrough [ hackthebox ]

Exploiting XXE vulnerability on Gunicorn server
linux, xml, xxe, git, XML-External-Entity

HTB - Cronos - Walkthrough [ hackthebox ]

In the server viabasic attacks to then compromise a laravel application
linux, weevely, command-injection, laravel, php, domain-enumeration, gobuster-dns, gobuster-vhost, sqli

HTB - OpenSource - Walkthrough [ hackthebox ]

linux

HTB - Haircut - Walkthrough [ hackthebox ]

Using curl to write files then Screen for Privilege escalation
linux, strpos, strpos-bypass, screen, screen-4.5, curl, command, injection

HTB - Postman - Walkthrough [ hackthebox ]

Redis misconfiguration allowing SSH key creation
linux, webmin, webmin-1.910, 1910, redis, redis-409, redis-ssh, ssh2john

HTB - Heist - Walkthrough [ hackthebox ]

Dumping processes to then retrieve logged passwords
windows, rid-brute, crackmapexec, sysinternal, procdump, grep, firefox

HTB - Late - Walkthrough [ hackthebox ]

SSTI into the machine then abusing a misconfigured ssh script
linux, flask, SSTI, server-side-template-injection, template, injection, template-injection

HTB - GoodGames - Linux [ hackthebox ]

Escape the Docker container abusing SUID
linux, htb, Werkzeug, hackthebox, easy, Web, SQL, SQLi, Weak, Password, SSTI, Python, Docker, template, injection, template-injection, tpli, docker, docker-escape, suid, bash-suid

HTB - Noter - Walkthrough [ hackthebox ]

linux, Werkzeug, ffuf, ffuf-post, udf, user-defined-function, python, python-jwt, flask-unsign, flask, raptor_udf2

HTB - Friendzone - Walkthrough [ hackthebox ]

Snooping into processes without need for root permissions to then exploit python misconfiguration
linux, dig, host, python, pspy

HTB - SwagShop - Walkthrough [ hackthebox ]

Exploiting a Magento shop
linux, magescan, magento, magento-1.9, php

HTB - Enterprise - Walkthrough [ hackthebox ]

Attacking joomla/wordpress then escaping Docker
linux, wordpress-4.8.1, wordpress, cmsmap, wpscan, hydra, ltrace, joomla

Cyberseclabs - Lazy - Walkthrough [ cyberseclabs ]

Exploiting Samba is_known_pipename()
linux, eternal-red, anonymous-shares, samba, is_known_pipename, metasploit

Cyberseclabs - Roast - Walkthrough [ cyberseclabs ]

From kerberoasting to DCsync attack
linux, psexec, evil-winrm, kerbrute, dsync, bloodhound, sharphound, ldap, ad-set

HTB - Mirai - Walkthrough [ hackthebox ]

Brute-force ssh into pi-hole
linux, pi-hole, ssh-brute-force

HTB - Trick - Walkthrough [ hackthebox ]

Abusing fail2ban to escalate privileges
linux, nslookup, dns, lfi, fail2ban, dotdotpwn

Cyberseclabs - Spray - Walkthrough [ cyberseclabs ]

Abusing Group Policy
windows, winpeas-in-memory, GPO, sharphound, bloodhound, ad-set

cyberseclabs - Dictionary - Walkthrough [ cyberseclabs ]

Vulnerable Active directory
linux, kerbrute, ASREPRoast, ldapdomaindump, ad, firefox

Cyberseclabs - Unattended - Walkthrough [ cyberseclabs ]

Unattended file with password on Windows machine
windows, HttpFileserver, unattended, xml, mimikatz

Cyberseclabs - Deployable - Walkthrough [ cyberseclabs ]

TL;DR

linux, tomcat, war, tomcatWarDeployer, unquoted-path, seatbelt, service

Cyberseclabs - Monitor - Walkthrough [ cyberseclabs ]

PRTG network exploit
windows, CVE-2018-9276, sqlite, prtg

Cyberseclabs - stack - Walkthrough [ cyberseclabs ]

From GitStack vulnerable to Keepass access
windows, git, kdbx, keepass, keepassx, keepass2john, GitStack, GitStack-2.3.10

Cyberseclabs - Brute - Walkthrough [ cyberseclabs ]

Abusing DNS service on a domain controller
linux, dnscmd, kerbrute, GetNPUsers, dll, evil-winrm, dnsadmins, dns, dc, active-directory, AD

Cyberseclabs - ZeroLogon - Walkthrough [ cyberseclabs ]

Using Zerologon vulnerability on a domain controller
windows, zerologon, dc, domain-controller

Cyberseclabs - Hijack - Walkthrough [ cyberseclabs ]

Escalation of privileges via DLL
windows, drupal, drupal-8, Drupalgeddon, powercat, PowerUp, dll

Cyberseclabs - Pie - Walkthrough [ cyberseclabs ]

Easy access to pi-hole version 2.8.1
linux, pie, pi-hole, 2.8.1

Vulhub - Symfonos4 - Walkthrough [ vulnhub ]

WIP Symfonos4
linux

Cyberseclabs - Office - Walkthrough [ cyberseclabs ]

We had to brute force our way in to then beat the Webmin instance to get root privileges
linux, ssh, ssh-persistence, port-forward, Webmin, metasploit

Cyberseclabs - Cold - Walkthrough [ cyberseclabs ]

Modify Existing Service binPath
windows, adobe, coldfusion, binpath, service, seatbelt, 2010-2861, CVE-2010-2861

Cyberseclabs - Secret - Walkthrough [ cyberseclabs ]

Passwords exposed in the shares
windows, secretdumps, ntlm, htln-hashes, ctf-wordlist-names.sh, users-generation

Cyberseclabs - Leakage - Walkthrough [ cyberseclabs ]

in the commits of Gitlab we have found credentials for the server
linux, gitlab, oscp-like, rce, dummy-user, rogue-user, ssh2john, nano-suid, nano

Cyberseclabs - shock - Walkthrough [ cyberseclabs ]

shellshock vulnerability
linux, cgi, shellshock, curl, socat

Cyebrseclabs - Sam - Walkthrough [ cyberseclabs ]

A service replaced by a reverse shell
windows, sam, samdump2, icacls, service, evil-winrm, null-session, replace-service

Cyberseclabs - Boats - Walkthrough [ cyberseclabs ]

A reverse code execution in plugin thecartpress
windows, curl-post, wordpress, rce, remote-code-execution, windows-reverse

Cyberseclabs - Unroot - Walkthrough [ cyberseclabs ]

Sudo bypass to get root
linux, CVE-2019-14287, sudo-exploit, command-injection

Cyberseclabs - Debug - Walkthrough [ cyberseclabs ]

Reading protected files with xxd
linux, xxd, python, john, password-cracking

Cyberseclabs - Sync - Walkthrough [ cyberseclabs ]

Attacking an active directory using the secretdump then pass-the-hash
linux, AD, ad-set, active-directory, ASREPRoast, pass-the-hash, Secretsdump.py, evil-winrm

PG - Ha-Natraj - Walkthrough [ proving-grounds ]

ssh poisoning and privilege escalation via apache2.conf
linux, lfi, nmap, ssh, apache, apache2.conf, ssh-poison

Cyberseclabs - Weak - Walkthrough [ cyberseclabs ]

Using JuicyPotato on a Windows 7 instance with anonymous access on the FTP
windows, windows-7-ultimate, SeAssignPrimaryToken, SeImpersonatePrivilege, juicyPotato, ftp, ftp-binary

Imposter [ cyberseclabs ]

Wing FTP has a vulnerability which give us access to the server
windows, cyberseclabs, SeImpersonatePrivilege, Wing, FTP, server

HTB - Paper - Walkthrough [ hackthebox ]

linux

HTB - Granny - Walkthrough [ hackthebox ]

Webdav allow us to upload a reverse shell and churrasco help us for the priv esc
windows, churrasco, webdav, cadaver, davtest, x86, windows-2003

HTB - Optimum - Walkthrough [ hackthebox ]

RCE in HttpFileServer to then use MS16-032 for priv esc
windows, Invoke-PowerShellTcp.ps1, ms16_032_intrd_mod.ps1, ms16_032, Invoke, MS16-032, rejetto, HttpFileServer, ms16-098

Cyberseclabs - Outdated - Walkthrough [ cyberseclabs ]

overlayfs incorrect permission handling
linux, CVE-2015-3306, ubuntu, ubuntu-3.13, 3.13, proFTPD, proFTPD-1.3.5, CVE-2015-1328, overlayfs

PG - HAWordy - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

Using WP Support Plus Responsive Ticket System to get into the server and using cp to escalate our privileges
linux, easy, oscp-like, wordpress, WP-Support-Plus-Responsive-Ticket-System, cp, rce, wp-pown, php-webshell, rogue-user, dummy-user

HTB - upDown - Walkthrough [ hackthebox ]

linux, burp, headers-modification

HTB - Return - Walkthrough [ hackthebox ]

Using SeBackupPrivilege to read files
windows, SeBackupPrivilege, printer

HTB - Resolute - Walkthrough [ hackthebox ]

Abusing DNSAdmins privilege for escalation in Active Directory
windows, dnscmd, dnsadmins, DC, active-directory

HTB - Faculty - Walkthrough [ hackthebox ]

linux, run-command-as, sudo-run-command-as

Cyberseclabs - Engine - Walkthrough [ cyberseclabs ]

BlogEngine with default connection information
windows, blog, blogengine, blog-engine-3.3.6.0, autologon

Cyberseclabs - Eternal - Walkthrough [ cyberseclabs ]

Eternal Blue without metasploit
windows, windows-7, x64, blue, MS17-010, eternal-blue, nasm, smb, impacket

HTB - Blue - Walkthrough [ hackthebox ]

Eternal Blue without metasploit
windows, windows-7, x64, blue, MS17-010, eternal-blue, nasm, smb, impacket

HTB - Devel - Walkthrough [ hackthebox ]

A windows 7 machine vulnerable to JuicyPotato (for x86 architecture)
windows, IIS7, IIS, x86, seImpersonatePrivilege, JuicyPotatox86

HTB - SolidState - Walkthrough [ hackthebox ]

Powning a James administration with default credentials
linux, CVE-2015-7611, james, james-server, pop3, oscp-like

PG - Sar - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

sar2html has a RCE vulnerability we can exploit to get in this machine
linux, sar2html, sar2html-v3.2.1, rce, crontab, easy

PG — CyberSploit1 — Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

linux, CVE-2015-1328

PG - NoName - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

PHP Command injection bypass using base64
linux, intermediate, base64, waf, php, command-injection, poster.py, find, strcmp, rce

PG - Deception - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

Extreme enumeration to collect hints and access the machine - A very CTF like machine
linux, intermediate, ctf, wordpress, suid-python, feroxbuster, wpscan

PG - BBSCute - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

RCE in CuteNews to then abuse hping3 to escalation to root
linux, easy, RCE, CuteNews, CuteNews-2.1.2, hping3, CVE-2019-11447, PHP, suid

PG - OnSystemShellDredd - Walkthrough (Offensive Security Proving Grounds Play Boxes) [ proving-grounds ]

Using /usr/bin/mawk to pwn the machine by adding a dummy user to /etc/passwd
linux, easy, passwd, mawk, ftp

Simple [ cyberseclabs ]

CMSMadeSimple is the way in the server
linux, cmsmadesimple, passwd, CVE-2019-9053, cyberseclabs

Fuel [ cyberseclabs ]

fuelCMS get pwn with CVE-2018-16763
linux, easy, CVE-2018-16763, fuelcms, php, codeIgniter, rce

Glass [ cyberseclabs ]

A vulnerable VNC 3.8 defeated and "AlwaysInstallElevated" to break the glass (or shall I say the Window)
windows, powerup, vnc, msfvenom, AlwaysInstallElevated, msi