HackTheBox - Monteverde
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuosly adding to this.
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.
In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with it’s power, simplicity, and organisation I decided to type up some notes for myself regarding the installation and basic setup.
Making the most out of lockdown in the UK, I decided to enroll in the new Hack The Box pro lab, Cybernetics.
Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.
Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.
Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.
Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.
Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.
RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.
Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.
Collection of Windows PowerShell Event log commands and Windows Event ID tables.
Collection of references, commands, scripts, and tool usage examples for various things.
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Basic overview and some terminology for Active Directory.
Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.
In this post we’ll be covering the different ways we can create, edit, and abuse Windows .lnk files to achieve command exection.
Msfvenom cheat sheet for generating shellcode and payloads.
Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open redis server by writing our public key to the authorized_keys file which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.
AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.
Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.
Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.
Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.
Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.
Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.
Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.
Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.
Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.
Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.
Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in. We then needed to crack some hashes to get user and pwn a SUID binary to get root.
Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing a SSH startup process by injecting into PATH to get root.
Small collection of Linux privilege escalation scripts, references and commands.
Collection of common SQL Injection commands and techniques for various database technologies.
Cheat sheet for useful meterpreter commands, modules, and scripts.
File transfer cheat sheet for Windows and Linux operating systems.
Cheat sheet for common reverse shells, mainly one liners.
The following commands should be executed from the Linux command line. What TTY you’re able to spawn will come down to available shells on the host - cat /etc/shells
Advanced XSS builds upon my previous post, Basic XSS.
Modifiying HTML
Changing the title of the target page to New Title.
Small post covering some basic information on XSS attacks and some sample payloads.
Post covering information on Content Management Systems, scanning for any vulnerabilities present, and attack scenarios for various systems.
During a pentest there is a high chance you’ll stumble across user hashes and credentials. Knowing how to leverage these findings is essential.
Collection of basic Python code templates I’ve developed and/or used on various occasions.
Top 15 IoCs
Below are the Top 15 Indicators of Compromise from DarkReading that I’ve compressed as a quick reference guide.
Small collection of books I own, as well as useful links and resources for infosec and offensive security.
This post focuses on essential Information Security Management Principles and the CIA Triad.
The premise of password attacks is simple. If a service requires credentials to access it, we simply guess or brute force the credentials until they’re accepted. The targeted services play a huge part in our approach, therefore the tools and techniques will vary from host-to-host.
Password Lists
Clovery is a Cloud Discovery tool written in Go. Based on a supplied wordlist it checks for open AWS, GCP, Alibaba, and Azure cloud storage and services.
Small collection of documentation/links/metadata information for cloud services.