Posts by Tag

penetration testing

Book Write-Up: HackTheBox

3 minute read

Book was a medium machine on Hack The Box created by MrR3boot. Initial recon revealed a web application login that is vulnerable to a SQL truncation attack, allowing login as admin. Once admin, we can inject XSS payloads to read local files through dynamically generated PDFs, a technique used to extract a user’s private SSH key. Finally, once logged in as the user reader via SSH, we discover a vulnerable version of logrotate running as root, which is exploited to escalate to the root user.

Nest Write-Up: Hack The Box

4 minute read

Nest was an excellent easy-rated machine on Hack The Box created by VbScrub. Initial recon revealed an open SMB port and an uncommon HQK Reporting service. Enumerating SMB revealed some default credentials, which allowed further read access. Digging further, we come across some encrypted credentials and a Visual Basic project. Building the project, we are able to decrypt yet another password, this time for a user c.smith. We use the newfound creds to go further into the SMB gauntlet and discover the HQK Reporting binary. Tearing it apart with dnSpy, and with a touch of reversing, we get the Administrator password and root flag.

Resolute Write-Up: Hack The Box

3 minute read

Resolute was a straightforward medium-rated machine on Hack The Box created by egre55. Initial recon revealed an open LDAP service which leaked all local users and a default password. This allowed a password spray over WinRM and a successful login as user melanie. As melanie, further machine enumeration revealed PowerShell transcripts that leaked a command containing user ryan’s password. User ryan is part of the Contractors group, which is also contained in the DnsAdmin group. Membership in the DnsAdmin group is abused to add the first compromised user melanie as a Domain Admin, owning the machine.


hackthebox

Book Write-Up: HackTheBox

3 minute read


Nest Write-Up: Hack The Box

4 minute read


Resolute Write-Up: Hack The Box

3 minute read


write-ups

Book Write-Up: HackTheBox

3 minute read


Nest Write-Up: Hack The Box

4 minute read


Resolute Write-Up: Hack The Box

3 minute read


hacking

Book Write-Up: HackTheBox

3 minute read


Resolute Write-Up: Hack The Box

3 minute read


certification

CISSP After-Action Report

4 minute read

On 18 February 2020, I provisionally passed the CISSP examination on my first attempt at 100 questions with self-study. I’m writing this post to give back to the community some of my practices of study that allowed me to conquer this beast of an exam.


oscp


offensive security


cissp

CISSP After-Action Report

4 minute read


study advice

CISSP After-Action Report

4 minute read


best practices

CISSP After-Action Report

4 minute read


reversing


python


dns

Resolute Write-Up: Hack The Box

3 minute read


smb

Nest Write-Up: Hack The Box

4 minute read


dnspy

Nest Write-Up: Hack The Box

4 minute read


xxs

Book Write-Up: HackTheBox

3 minute read


sqli

Book Write-Up: HackTheBox

3 minute read


linux


CVE


windows
