Jewel was a fun 30 point box created by polarbearer which involved exploiting a deserialisation vulnerability in the way the ruby application handles specific user objects, with an interesting swist on sudo relating to Google Authenticator, and finally a sudo Gem binary to get root.
Doctor was a fun 20 point box created by egotisticalSW that involved a cool attack vector to gain RCE, and a nice Splunk exploit to get root.
Worker was an interesting 30 point box created by ekenas that introduces some cool technologies such as SVN and Azure Devops.
Compromised was a fun 40 point box created by D4nch3n that covered some interesting tools and techniques. Let’s jump in.
Cascade was a cool 30 point box created by VbScrub. It started out with some LDAP enumeration that allowed you to find a Base64 encoded password which you then use to log into SMB, after that you discover a VNC encrypted password which you can crack using an interactive ruby shell and then use to login via WinRM to get user. After that you have to decrypt a password from an audit database file utilising some C#, you then login and discover you have the AD Recycle Bin group privileges allowing you to recover a temporary administrator password. You then login as admin and get root.
Sauna was a fun 20 point box created by egotisticalSW. It started out with some username enumeration which allows you to AS-REP roast and dump a hash, you then crack it and login via WinRM to get user. You then stumble across some autologon credentials which have DCSync privileges which then allows you to use secretsdump.py, login with the admin hash, and get root.
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.
Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.
Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.
Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open redis server by writing our public key to the authorized_keys file which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.
Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.
Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.
RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.
AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.
Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.
Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.
Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.
Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.
Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.
Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.
Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.
Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.
Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.
Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.
Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in to the box. We then needed to crack some hashes to get user and pwn a SUID binary to get root.
Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing a SSH startup process by injecting into PATH to get root.
Worker was an interesting 30 point box created by ekenas that introduces some cool technologies such as SVN and Azure Devops.
Cascade was a cool 30 point box created by VbScrub. It started out with some LDAP enumeration that allowed you to find a Base64 encoded password which you then use to log into SMB, after that you discover a VNC encrypted password which you can crack using an interactive ruby shell and then use to login via WinRM to get user. After that you have to decrypt a password from an audit database file utilising some C#, you then login and discover you have the AD Recycle Bin group privileges allowing you to recover a temporary administrator password. You then login as admin and get root.
Sauna was a fun 20 point box created by egotisticalSW. It started out with some username enumeration which allows you to AS-REP roast and dump a hash, you then crack it and login via WinRM to get user. You then stumble across some autologon credentials which have DCSync privileges which then allows you to use secretsdump.py, login with the admin hash, and get root.
Monteverde was an interesting 30 point box created by egre55. It started out with some user enumeration which leads you to password spraying and discovering a weak password policy for a service account, you then dump an SMB share using the service account’s credentials and discover more creds used by Azure which you can use to WinRM in and get user. You then have to modify an exploit which abuses Azure’s Password Hash Synchronization to dump the Administrator credentials, you then use the creds to WinRM in again and get the root flag.
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
Resolute was a fun 30 point box created by egre55. It starts out by finding a set of credentials via SMB enumeration which allows you to password spray and find that the password has been reused, allowing you to login via WinRM and get the user flag. You then find a set of credentials in a PowerShell Transcript file, log in again via WinRM with those credentials, and then finally abuse the user’s group privileges to get root.
In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with it’s power, simplicity, and organisation I decided to type up some notes for myself regarding the installation and basic setup.
Making the most out of lockdown in the UK, I decided to enroll in the new Hack The Box pro lab, Cybernetics.
Some notes to myself to use as a reference guide and to gain a better understanding of the privileges and rights assigned to Windows services in the form of SDDL security descriptor strings.
I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.
Sniper was a cool 30 point box created by MinatoTW and felamos. It started out with finding a parameter vulnerable to LFI which happened to also be vulnerable to RFI using our own custom Samba SMB server to host a web shell. You can then use some PowerShell to execute commands as chris to get user and subsequently a meterpreter shell on the box. Finally you had to create a malicious CHM file which when opened executes nc.exe sending you a shell and subsequently root.
Forest was a fun 20 point box created by egre55 and mrb3n. It started out with enumerating users from SMB for use in a Kerberos AS-REP Roasting attack, you then crack the resulting hash and login via WinRM to get user. You then have to Invoke-BloodHound and abuse the privileges our user has to get root.
Bankrobber was a fun 50 point box created by Gioo and Cneeliz. It started out with XSS to steal the admins cookie which contains credentials for the admin interface, you then login and find SQLi to get source code to a script that’s vulnerable to SSRF and exploit it via an XSS payload to get user. You then have to brute force a 4 digit PIN code leveraging pwntools and exploit a blind buffer overflow to get root.
Json was a fun 30 point box created by Cyb3rb0b. It started out by finding a Json.Net deserialization error which leads you to ysoserial.net, you then create a JSON deserialization payload to get code execution and subsequently return a shell. You can then either find and decrypt credentials to login via FTP and get the flag, or you can get SYSTEM via Juicy Potato.
RE was a fun box created by 0xdf. It started out by creating an .ods document with a malicious macro that would execute once opened, returning a reverse shell which grants you the user flag. You then have to find and exploit a ZipSlip vulnerability in a .ps1 script, this allows you to escalate privileges to iis apppool\reblog. From here you binary plant a vulnerable service to get a NT AUTHORITY\SYSTEM shell and then impersonate an available token which allows you to get root.
Heist was a nice 20 point box created by MinatoTW. It started out with finding a Cisco router config file and cracking some hashes, enumerating more users and then logging in via WinRM to get the user flag. We then dumped the local Firefox processes with ProcDump, used some simple PowerShell for basic process dump analysis, found admin credentials and logged in again via WinRM to get root.
Table of reference for Windows user rights assignment.
Instead of having to check the Microsoft docs every time I needed to identify a mysterious SID, I decided to type up the table here so I can reference it easily when required.
Collection of Windows PowerShell Event log commands and Windows Event ID tables.
Collection of references, commands, scripts, and tool usage examples for various things.
Small collection of Windows privilege escalation scripts, references, binaries and commands.
Domain enumeration will require the use of either PowerView.ps1 or the Active Directory PowerShell Module.
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.
In this post we’ll be covering the different ways we can create, edit, and abuse Windows .lnk files to achieve command exection.
Jewel was a fun 30 point box created by polarbearer which involved exploiting a deserialisation vulnerability in the way the ruby application handles specific user objects, with an interesting swist on sudo relating to Google Authenticator, and finally a sudo Gem binary to get root.
Doctor was a fun 20 point box created by egotisticalSW that involved a cool attack vector to gain RCE, and a nice Splunk exploit to get root.
Compromised was a fun 40 point box created by D4nch3n that covered some interesting tools and techniques. Let’s jump in.
Postman was a nice 20 point box created by Xh4H. It started out with exploiting an open redis server by writing our public key to the authorized_keys file which allows you to SSH in. You then find and decrypt an encrypted RSA private key to get a passphrase, and finally get a root shell via an authenticated Webmin exploit to get the user and root flags.
AI was an interesting 30 point box created by MrR3boot . It started out by finding a wav file upload and using it to get SQL Injection. SQLi then allows you to dump SSH credentials which you use to log in and get user. You then have to abuse a Java/Tomcat/JDWP root process with some Java calls and jdb to get code execution and return a reverse shell to get root.
Player was a fun 40 point box created by MrR3boot . It started out with heavy vhost enumeration which leads you to some backup file artifacts that expose an access code and passphrase, we then use the code and passphrase to generate a JWT and access an avi file upload application. An avi file exploit is then used to read sensitive files and get SSH credentials for an XAUTH SSH exploit with which you can read local files to get user.
Bitlab was an interesting 30 point box created by Frey and thek. It started out with finding and decoding some hex encoded JavaScript to get credentials for a GitLab instance, then taking advantage of two repos with web hooks to get code execution and a shell as www-data. We then dump SSH credentials from a database using PHP and finally do some analysis of a Windows executable to get root credentials and log in to get root.
Craft was a fun 30 point box created by rotarydrone. It started out with finding and exploiting the Python eval() function in a flask API application via exposed source code in Gogs to get a shell as root in a docker container. We then dump the user table of a MySQL database via a Python script to get credentials and log in via SSH to get user, and finally abusing vault SSH to get root using a OTP.
Wall was an easy 30 point box created by ecdo. It started out with finding a Centreon web interface, brute forcing the API to get login credentials and then logging in to find a page where we can get command injection. We then obtained a shell as www-data through the injection point and exploited a GNU Screen SUID binary to get both the root and user flags.
Chainsaw was a nice 40 point box created by artikrh and absolutezero. It started out by exploiting a smart contract leveraging Web3.py, then dumping some IPFS info and cracking an RSA Private Key to get user. We then took advantage of a SUID binary to get root and used bmap to get the flag hidden within the slack space of root.txt.
Networked was a nice 20 point box created by guly. It started out by finding backup source code and then embedding PHP into an uploaded image to get command injection, then exploiting a vulnerable PHP function to get user and finally abusing a sudo bash script to get root.
Jarvis was a nice 30 point box created by manulqwerty and Ghostpp7. It started out by finding SQL Injection in a vulnerable parameter and using sqlmap to get an os-shell, abusing a sudo script to get user and finally exploiting a SUID systemctl to get root.
Haystack was a nice 20 point box created by JoyDragon. It started out with dumping SSH credentials via Elasticsearch and then escalating to the Kibana user and abusing its privileges to exploit Logstash and get root.
Safe was an easy 20 point box created by ecdo. It started out with pwning a binary to get a shell as user and then abusing KeePass to get root.
Ellingson was a nice 40 point box created by Ic3M4n. It started with finding an exposed Werkzeug Debugger and getting RCE so we could SSH in to the box. We then needed to crack some hashes to get user and pwn a SUID binary to get root.
Writeup was a nice 20 point box created by jkr. It started with a CVE to get SSH creds and then abusing a SSH startup process by injecting into PATH to get root.
Collection of references, commands, scripts, and tool usage examples for various things.
Small collection of Linux privilege escalation scripts, references and commands.
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Collection of simple/handy commands and my .tmux.conf.
Some snippets based on ASM and binary exploitation.
Collection of notes for Android/iOS pentesting, and MDM configuration reviews.
Collection of random commands/code snippets/resources relating to binary exploitation.
Some notes regarding code reviews.
Collection of random snippets including my .vimrc and commands for file/string manipulation in Vim.
Small collection of Linux privilege escalation scripts, references and commands.
Small collection of Windows privilege escalation scripts, references, binaries and commands.
Collection of basic Python code templates I’ve developed and/or used on various occasions.
Table of common MIME types as reference when testing file upload functionality, see iana media types for more info.
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Cheat sheet for useful meterpreter commands, modules, and scripts.
Small collection of Linux privilege escalation scripts, references and commands.
Small collection of Windows privilege escalation scripts, references, binaries and commands.
In this post we’ll be covering the different ways we can create, edit, and abuse Windows .lnk files to achieve command exection.
During a pentest there is a high chance you’ll stumble across user hashes and credentials. Knowing how to leverage these findings is essential.
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
Collection of references, commands, scripts, and tool usage examples for various things.
Small collection of Linux privilege escalation scripts, references and commands.
Small collection of Windows privilege escalation scripts, references, binaries and commands.
Domain enumeration will require the use of either PowerView.ps1 or the Active Directory PowerShell Module.
Cheatsheet for upgrading regular shells to meterpreter sessions. Covering both Windows and Linux target hosts. handler.sh is mentioned throughout this post, it can be found on my github.
Quick post covering a few different ways to create and generate malcious DLLs for reverse/bind shells and for command execution.
Cheat sheet for useful meterpreter commands, modules, and scripts.
Active Directory domain enumeration without leveraging PowerView or the Active Directory PowerShell module, will be continuously adding to this.
I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.
Domain enumeration will require the use of either PowerView.ps1 or the Active Directory PowerShell Module.
I recently came across the Active Directory Pro blog post Top 25 Active Directory Security Best Practices. It’s a great read for anyone interested in AD security. I decided to type up the 25 points onto my blog so I could quickly reference them easily when required.
Top 15 IoCs
Below are the Top 15 Indicators of Compromise from DarkReading that I’ve compressed as a quick reference guide.
Collection of Windows PowerShell Event log commands and Windows Event ID tables.
Small collection of books I own, as well as useful links and resources for infosec and offensive security.
This post focuses on essential Information Security Management Principles and the CIA Triad.
Collection of references, commands, scripts, and tool usage examples for various things.
Building on basic XSS.
headi is a simple HTTP header injection tool written in Go. It automates the process of attempting to bypass forbidden errors on application resources by utilising specific HTTP headers (listed in the following section).
During a pentest there is a high chance you’ll stumble across user hashes and credentials. Knowing how to leverage these findings is essential.
Collection of basic Python code templates I’ve developed and/or used on various occasions.
Building on basic XSS.
Collection of snippets for basic network configuration and IP/CIDR ranges.
Making the most out of lockdown in the UK, I decided to enroll in the new Hack The Box pro lab, Cybernetics.
File transfer cheat sheet for Windows and Linux operating systems.
Cheat sheet for common reverse shells, mainly one liners.
Small collection of documentation/links/metadata information for cloud services.