Introduction

This lab had 3 Windows end-user computers, 1 NetScaler FreeBSD server, 1 Citrix Windows server and 1 Domain Controller.
Initial access was based on social engineering and phishing attacks; followed by privilege escalation, I was able to own the first 3 end-user computers.

One of the accounts had an SPN set, which allowed Kerberoasting and lateral movement.
After some post-exploitation, enumeration and escalation, I was able to own the Citrix and NetScaler servers too.
The user I got initial access with on the DC had some juicy privileges that allowed me to obtain shadow files. After gathering hashes and crafting a golden ticket, I was able to finish this lab.

Key skills required

  • Social Engineering - Phishing attacks
  • Post Exploitation
  • Lateral Movement
  • Silver-Golden tickets
  • Pivoting
  • Active Directory

Introduction

OpenAdmin is a 20 pts box on HackTheBox and it is rated as “Easy”. It has a web application running that is vulnerable to Remote Code Execution. There is a second web server running locally on the box. After gathering some credentials and enumeration, an attacker is able to compromise all the users on the box. One of the users has a sudo entry with root privileges, and it allows escalation of privileges to root.


Introduction

OpenAdmin is a 20-point machine on HackTheBox rated as “Easy”. There is an application running on the machine that is vulnerable to Remote Code Execution. There is a separate web server running locally on the machine. As a result of some inspection and enumeration, an attacker is able to gain access to all the users on the machine. One of the users has a sudo entry that runs with root privileges, and by using it an attacker can escalate their privileges.


Introduction

Control is a 40 pts box on HackTheBox and it is rated as “Hard”. It has an admin page that is supposed to be accessible from only one IP address, but an attacker is able to bypass that restriction with an HTTP header. There is a search form on the admin page that is vulnerable to SQL Injection. SQL Injection is not enough by itself; an attacker also needs to obtain code execution by abusing it. There is a WinRM process listening locally, and the attacker needs to forward it outside in order to get initial access as a user on the box. The user has control over some services, and that allows escalation of privileges.


Introduction

Control is a 40-point machine on HackTheBox in the “Hard” category. On the machine there is an admin panel that is supposed to be accessible from only one IP address, but this admin panel's restriction can be bypassed with a special HTTP header. On the admin panel there is a search form that is vulnerable to SQL Injection. This vulnerability is not enough by itself; for the attacker to go further, they need to use it to achieve code execution on the server. WinRM is running locally on the server; by forwarding this service outside, the attacker can gain initial access to a user on the server. The user has control over some services and can escalate their privileges by using it.


Introduction

Mango is a 30 pts box on HackTheBox and it is rated as “Medium”. It has an application running that is vulnerable to MongoDB injection. An attacker needs to extract data from the database rather than bypassing the login page. After dumping credentials from the database, the attacker is able to get initial access on the box. There is a binary called jjs on the box that has the SUID bit set, and it allows elevation of privileges.


Introduction

Traverxec is a 20 pts box on HackTheBox and it is rated as “Easy”. It has a web server running called nostromo. This version of nostromo is vulnerable to Remote Code Execution. By abusing this vulnerability, an attacker is able to gain access as the web server user. There are some backup files that allow initial access to a user on the box. That user is able to run journalctl as root, and it allows elevation of privileges.


Introduction

Traverxec is a 20-point machine on HackTheBox in the “Easy” category. A web server called nostromo is running on the machine, and this version of nostromo is vulnerable to Remote Code Execution. After gaining initial access on the server, the attacker uses the backup files they find to gain access to a user on the server. This user has permission to run the journalctl program with root privileges and can escalate their privileges by exploiting it.


Introduction

Mango is a 30-point machine on HackTheBox in the “Medium” category. An application vulnerable to MongoDB injection is running on the machine. Rather than bypassing the login page, an attacker needs to extract data from the database. After passwords are extracted from the database, the attacker can gain initial access on the machine. A program called jjs is installed on the machine. This program has its SUID bit set, and that leads to privilege escalation.


Introduction

Registry was a 40 pts box on HackTheBox and it was rated as “Hard”. It had a private Docker registry that was protected with a common password, allowing attackers to pull the Docker image. The Docker image contained a private SSH key for a user on the host. The box also had a CMS installed called Bolt; the admin password of this CMS was crackable with a common wordlist. A downgrade of privileges was required, because www-data was able to perform a backup operation with a program called restic with root privileges. After backing up juicy files, an attacker could obtain the root user.
