I like to write about my insights from my training on Hack The Box, TryHackMe, and OffSec, exploring offensive security techniques and real-world scenarios. Here are some of my favorite posts that made it onto the blog.
Enumeration NMAP Printer-Page The password field cannot be manipulated to reveal the password. However, the authentication target address can be customized. Set it to your own IP address and listen with netcat on the corresponding port. Exploitation With valid credentials, exploitation of the system can be started. Use Evil-WinRM to get CLI access: Check for …
Plattform: Hack the BoxLink: https://www.hackthebox.com/machines/wifineticDifficulty: Easy 🟠 Enumeration NMAP FTP This contains details regarding a planned system migration to Debian. The only file of significance is the backup file. The passwd file contains a potential username. Search for possibile passwords… Possibile SSH-Keys This involves SSH keys used by Dropbear, a lightweight SSH client/server commonly used on …
Plattform: Hack the BoxLink: https://www.hackthebox.com/machines/knifeDifficulty: Easy 🟠 Enumeration As usual start with nmap.. Port 80 is open, the website which is hosted is just a static page nothing special to find there. So lets see whats running under the hood. PHP 8.1.0 DEV looks interesting, lets see if there is a vulnerability. https://github.com/flast101/php-8.1.0-dev-backdoor-rce/blob/main/README.md An exploit for …
Description Plattform: Hack the BoxLink: https://www.hackthebox.com/machines/capDifficulty: Easy 🟠 Enumeration NMAP Website There different topics in the side-menu. I tried some command injection but this didnt worked there. So move on to this „data-scan or security-scan“ which looked most interesting for me. After some digging around I found out that this application is vurnable to IDOR (insecure …
Fieldbus Before Modbus was invented the issue of connection-oriented control was addressed, where each contact had to be individually wired, requiring two wires per contact. As the amount of information to be transmitted increased, the complexity of the wiring also grew. The solution came with the introduction of the fieldbus, whose basic principle is similar …
Description Plattform: Hack the BoxLink: https://app.hackthebox.com/machines/123Difficulty: Medium 🟠 Enumeration NMAP We’ll find just two ports open: The ports indicate an application called Achat. A quick Google search reveals that Achat is a Windows-based chat application that supports direct messaging and file sharing within a local network. A working exploit can quickly be found using Searchsploit. …
Description Plattform: TryHackMeLink: https://tryhackme.com/room/dailybugleDifficulty: Hard 🟠 Enumeration NMAP Exploit CVE-2017-8917 The running Joomla CMS seems to be vulnerabile against the CVE-2017-8917 which is an SQLi vulnerability. On Github an working exploit can be found: https://github.com/stefanlucas/Exploit-Joomla Equipped with the exploit, one can exfiltrate superuser access credentials. The hash can be cracked easily with hashcat or john. …
Description Plattform: TryHackMeLink: https://tryhackme.com/room/codeanalysisDifficulty: Medium 🟠 Codeanalysis This router is based on the POST request type and uses a function called isYaml() to check whether the file parameter (here file_path) is a YAML file or not. If the return value is „Yes,“ the file is read, and the JavaScript data is returned to the client …
Important Note Enumeration NMAP Share Enumeration User Enumeration Foothold To establish a foothold, use the credentials and spawn a shell on the system using Evil-WinRM. This provides a list of existing users on the system, but the relationship between them and your access is still missing. For this, BloodHound is the best tool to use. …
Enumeration NMAP SMB Anonymous login to the share /HR is possible. To view the file, its better to download it. The file contains a password for a user, but the user is not known. Searched for usernames in the infrastructure, but unfortunately found nothing. Attempting to enumerate usernames using Impacket. The following users can be …