HTB: Noter - Alternative Root (First Blood)

When jkr got first blood on Noter, he did it using all the same intended pieces for the box, but in a very clever way that allowed getting a root shell as the first shell on the box.

ctf hackthebox htb-noter tunnel mysql mysql-privileges mysql-file-write

Scrambled presented a purely Windows-based path. There are some hints on a webpage, and from there the exploitation is all Windows. NTLM authentication is disabled for the box, so a lot of the tools I’m used to using won’t work, or at least work differently. I’ll find user creds with hints from the page, and get some more hints from a file share. I’ll kerberoast and get a challenge/response for a service account, and use that to generate a silver ticket, getting access to the MSSQL instance. From there, I’ll get some more creds, and use those to get access to a share with some custom dot net executables. I’ll reverse those to find a deserialization vulnerability, and exploit that to get a shell as SYSTEM. Because the tooling for this box is so different, I’ll show it from both Linux and Windows attack systems. In Beyond Root, I’ll show two other ways to abuse the MSSQL access, via file read and JuicyPotatoNG.

htb-scrambled ctf hackthebox kerberos deserialization windows silver-ticket reverse-engineering oscp-like

OpenSource starts with a web application that has a downloadable source zip. That zip has a Git repo in it, and that leaks the production code as well as account creds. The website has a directory traversal vulnerability that allows me to read and write files, and I’ll exploit it in two ways. The first is abusing the file read to get the information to calculate the Flask debug pin. The latter is overwriting one of the Flask source files to get execution. From there, I’ll access a private Gitea instance and find an SSH key to get a shell on the host. The host has a cron running Git commands as root, so I’ll use git hooks to abuse this and get a shell as root.

ctf hackthebox htb-opensource nmap upload source-code git git-hooks flask directory-traversal file-read flask-debug flask-debug-pin youtube chisel gitea pspy htb-bitlab

Perspective is all about exploiting an ASP.NET application in many different ways. I’ll start by uploading a SHTML file that allows me to read the configuration file for the application. With that, I’ll leak one of the keys used by the application, and the fact that there are more protections in place. That key is enough for me to forge a cookie as admin and get access to additional places on the site. There’s a server-side request forgery vulnerability in that part of the site, and I’ll use it to access a crypto service running on localhost. I’ll decrypt another application key, showing both how to do it with math and via a POST request via the SSRF. With that, I can sign a serialized object and get execution. With a shell, I’ll find a staging version of the application with additional logging and some protections that break my previous attack. I’ll use a padding oracle attack to encrypt cookies, and exploit a command injection via the cookie and the password reset process to get a shell as administrator. In Beyond Root, I’ll look at an unintended way to get admin on the website, and get JuicyPotatoNG working, despite most ports being blocked.

hackthebox ctf htb-perspective windows iis aspx dotnet feroxbuster web-config shtml upload burp burp-proxy burp-repeater burp-intruder filter formatauthenticationticket ssrf pdf html-scriptless-injection meta crypto deserialization viewstate viewstateuserkey machinekey nishang command-injection padding-oracle padbuster youtube potato seimpersonate juicypotatong htb-overflow htb-lazy htb-smasher

Faculty starts with a very buggy school management web application. I’ll abuse SQL injection to bypass authentication, and then an mPDF vulnerability to read files from disk. I’ll find a password for the database connection in the web files that is also used for a user account on the box. Next I’ll abuse meta-git to get a shell as the next user. The final user has access to the GNU debugger with ptrace capabilities. This allows me to connect to any process on the box and inject shellcode, getting execution in the context of that process. I’ll abuse a process running as root to get root access.

htb-faculty ctf hackthebox nmap php feroxbuster sqli sqli-bypass auth-bypass sqlmap mpdf cyberchef burp burp-repeater file-read password-reuse credentials meta-git command-injection gdb ptrace capabilities python msfvenom shellcode