Sendai - Vulnlab
Sendai is a medium Active Directory machine from Vulnlab, created by xct. This box is a retiring hiring challenge offering multiple paths for exploitation. The path I’ve taken involves resetting a user password with STATUS_PASSWORD_MUST_CHANGE status, abusing GenericAll permissions, and reading the gMSA password. For privilege escalation, we exploit both ESC4 and ESC1.
NMAP
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open ...
CrackMapExec and NetExec Cheat Sheet
A cheat sheet for CrackMapExec and NetExec, featuring useful commands and modules for different services to use during pentesting.
CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec (no longer maintained)
NetExec: https://github.com/Pennyw0rth/NetExec
Installation: https://www.netexec.wiki/getting-started/installation
The same commands for CrackMapExec also work for NetExec.
Other names: cme, nxc
Enumeration
Initial Enumeration
crackmapexec smb target
Null Authentication
crackmape ...
Lock - Vulnlab
Lock is an easy Windows box from Vulnlab created by xct and kozmer. It involves gaining a foothold by abusing CI/CD in Gitea to upload a shell, decrypting mRemoteNG configs, and gaining SYSTEM access by exploiting the MSI installer in PDF24 Creator.
NMAP
As always, we start with a standard nmap scan.
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3000/tcp open ppp
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
...
Bamboo - Vulnlab
Bamboo is a medium Linux machine from Vulnlab, created by xct. It involves getting a foothold by exploiting a CVE in PaperCut NG and escalating privileges by exploiting a 0day.
Enumeration
NMAP
We start, as always, with a standard scan. I’ll use rustscan to get the open ports, then nmap to get more details about them.
➜ bamboo rustscan --range 1-65535 -b 2000 -a 10.10.66.158
...
Slonik - Vulnlab
Slonik is a medium Linux machine from Vulnlab created by xct. It involves getting a foothold through PostgreSQL and escalating privileges by exploiting a custom backup script.
Enumeration
NMAP
As always, we start with a standard nmap scan.
➜ slonik sudo nmap -sC -sV --min-rate=5000 10.10.93.116 | tee nmap.txt
[sudo] password for serioton:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-29 14:45 EDT
Nmap scan report for 10.10.93.116
H ...
Job - Vulnlab
Job is a medium Windows machine from Vulnlab created by xct. It involves getting Remote Code Execution (RCE) via macros in LibreOffice documents and exploiting SeImpersonatePrivilege for privilege escalation.
Recon
NMAP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-23 13:52 EDT
Nmap scan report for 10.10.69.83
Host is up (0.083s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
25/tcp open smtp ...
Media - Vulnlab
Media is a medium Windows box from Vulnlab. It involves stealing an NTLM hash by uploading a specially crafted Windows Media Player file and abusing symlinks for privilege escalation.
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 0b:b3:c0:80:40:88:e1:ae:aa:3b:5f:f4:c2:23:c0:0d (RSA)
| 256 e0:80:3f:dd:b1:f8:fc:83:f5:de:d5:b3:2d:5a:4b:39 (ECDSA)
|_ 256 b5:32:c0:72:18:10:0f:24:5d:f8:e1:ce:2a:73:5c:1f (E ...
Black Hat MEA CTF 2023 Writeups
Over the weekend, I took part in the Black Hat MEA 2023 CTF alongside some friends. We secured the 33rd position. I solved 3 forensics, 2 reversing, and 1 web challenge. Below are my write-ups.
Forensics
USB100 [Easy]
Challenge Description
In a shocking turn of events, a malicious actor managed to gain physical access to our victim's computer by plugging in a rogue USB device. As a result, all critical data has been pilfered from the system. Flag is direct without BHFlagY{} tag.
W ...
HTB - Wifinetic
Nmap Scan
As always, let’s start with a basic port scan.
# Nmap 7.94 scan initiated Sat Sep 16 14:10:16 2023 as: nmap -sC -sV -oA nmap/wifinetic --min-rate=10000 10.10.11.247
Nmap scan report for 10.10.11.247
Host is up (0.089s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.19
| Logged in as f ...
WaniCTF 2023 Writeups
I participated in WaniCTF as a solo team and got 108th place. I solved 5 forensics, 4 reversing, 4 crypto, 3 web, 3 pwn and 1 misc. Kudos to the organizers for putting together such a fantastic CTF. The challenges were really great.
Here are some very short writeups and solving scripts for the challenges I solved.
Forensics
Just_mp4
Challenge Description
✨✨✨ Enjoy wani CTF ! ✨✨✨
We are given a chall.mp4 file. I ran exiftool and found the flag in base64, so just decode it.
...