Blog

I like to write about my insights from my training on Hack The Box, TryHackMe, and OffSec, exploring offensive security techniques and real-world scenarios. Here are some of my favorite posts that made it onto the blog.

HTB – Factory Walkthrough

Description: Platform: Hack the Box. Link: https://app.hackthebox.com/challenges/222. Difficulty: easy 🟢. General: Given is an overview of which registers hold which values, and a circuit diagram that explains the wiring. Procedure: What needs to be done to prevent the tank from overflowing? Modbus function codes are required for this challenge; the data must be transmitted to the PLC in hex …

Modbus: An Introduction

Fieldbus: Before Modbus was invented, control was hard-wired: each contact had to be wired individually, requiring two wires per contact. As the amount of information to be transmitted increased, the complexity of the wiring grew with it. The solution came with the introduction of the fieldbus, whose basic principle is similar …
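Both the Factory challenge (function codes, values sent to the PLC in hex) and the Modbus introduction turn on the same wire format, so here is an added example, not code from either post: a minimal Modbus/TCP frame builder and response parser in Python. The register address and value are placeholders (the challenge's own register map is not reproduced here), and the unit id of 1 and port 502 are the usual defaults, assumed rather than taken from the challenge.

```python
import socket
import struct

# Modbus function codes used below (standard values from the Modbus spec)
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06


def build_mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the Modbus/TCP MBAP header: transaction id, protocol id (always 0),
    remaining length (unit id byte + PDU), unit id. All fields are big-endian."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(address: int, count: int, unit_id: int = 1, transaction_id: int = 1) -> bytes:
    """FC 03: read `count` 16-bit holding registers starting at `address`."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125")
    return build_mbap(transaction_id, unit_id, struct.pack(">BHH", READ_HOLDING_REGISTERS, address, count))


def write_single_register(address: int, value: int, unit_id: int = 1, transaction_id: int = 1) -> bytes:
    """FC 06: write one 16-bit value into holding register `address`."""
    if not 0 <= address <= 0xFFFF or not 0 <= value <= 0xFFFF:
        raise ValueError("address and value must fit in 16 bits")
    return build_mbap(transaction_id, unit_id, struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value))


def write_single_coil(address: int, on: bool, unit_id: int = 1, transaction_id: int = 1) -> bytes:
    """FC 05: set a coil. Modbus encodes ON as 0xFF00 and OFF as 0x0000 (not 1/0)."""
    return build_mbap(transaction_id, unit_id,
                      struct.pack(">BHH", WRITE_SINGLE_COIL, address, 0xFF00 if on else 0x0000))


def parse_response(frame: bytes) -> dict:
    """Decode a Modbus/TCP response. An exception response sets the high bit of the
    function code and carries a one-byte exception code instead of data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header (protocol id or length mismatch)")
    fc = frame[7]
    out = {"transaction_id": tid, "unit_id": uid, "function": fc & 0x7F}
    if fc & 0x80:
        out["exception"] = frame[8]
    elif fc in (WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER):
        # Write responses echo the address and value that were written
        out["address"], out["value"] = struct.unpack(">HH", frame[8:12])
    elif fc == READ_HOLDING_REGISTERS:
        n = frame[8]  # byte count, two bytes per register
        out["registers"] = struct.unpack(f">{n // 2}H", frame[9:9 + n])
    else:
        out["data"] = frame[8:]
    return out


def send_frame(host: str, frame: bytes, port: int = 502, timeout: float = 3.0) -> dict:
    """Send one request and parse the reply (port 502 assumed; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
        return parse_response(sock.recv(260))


if __name__ == "__main__":
    # Placeholder register 0x000A and value 0; the real target comes from the register map.
    req = write_single_register(0x000A, 0x0000)
    print(req.hex())                      # bytes as they go on the wire
    print(parse_response(req))            # a successful FC 06 reply echoes the request
    print(parse_response(bytes.fromhex("000100000003018602")))  # exception 02: illegal data address
```

Note that Modbus has no authentication: any host that can reach port 502 and knows the register layout can issue these writes, which is exactly why the challenge hands you a register overview and a wiring diagram and nothing else.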

HTB – Titanic

Description: Platform: Hack the Box. Link: https://www.hackthebox.com/machines/titanic. Difficulty: easy 🟢. Enumeration: NMAP. Booking module: A booking module is provided, which generates a JSON file once the form is completed. Examining the download request suggests a Local File Inclusion (LFI) vulnerability. Exploitation: Local File Inclusion. With this, it is really easy to get the user flag. Subdomain: Remote File Inclusion …

HTB: Chatterbox Walkthrough

Description: Platform: Hack the Box. Link: https://app.hackthebox.com/machines/123. Difficulty: Medium 🟠. Enumeration: NMAP. We’ll find just two ports open. The ports indicate an application called Achat. A quick Google search reveals that Achat is a Windows-based chat application that supports direct messaging and file sharing within a local network. A working exploit can quickly be found using Searchsploit. …

HTB Academy Labs — Footprinting (hard)

Introduction: The third server is an MX and management server for the internal network. It also serves as a backup server for the internal accounts in the domain. Accordingly, a user named HTB was also created here, whose credentials we need to obtain. Enumeration: NMAP. The scan shows that some mail ports …

HTB Academy Labs — Footprinting (medium)

Introduction: This is a second server that is accessible to everyone in the internal network. The client was informed that such servers are often targeted by attackers and has included this server in the scope. The goal is to gather information about the server and exploit any potential vulnerabilities. Additionally, a user named HTB has …

HTB Academy Labs — Footprinting (easy)

Introduction: Inlanefreight Ltd has commissioned a penetration test on their internal network to assess its security. The focus is on an internal DNS server, with the goal of gathering information without using aggressive attacks or exploits. Credentials (“ceil:qwer1234”) have been found, and there are indications of SSH keys. A file named `flag.txt` is located on the …

THM: Daily Bugle Walkthrough

Description: Platform: TryHackMe. Link: https://tryhackme.com/room/dailybugle. Difficulty: Hard 🟠. Enumeration: NMAP. Exploit: CVE-2017-8917. The running Joomla CMS appears to be vulnerable to CVE-2017-8917, an SQL injection vulnerability. A working exploit can be found on GitHub: https://github.com/stefanlucas/Exploit-Joomla. Equipped with the exploit, one can exfiltrate the superuser's credentials. The hash can be cracked easily with hashcat or john. …

THM: Mother's Secret Walkthrough

Description: Platform: TryHackMe. Link: https://tryhackme.com/room/codeanalysis. Difficulty: Medium 🟠. Code analysis: This route handles POST requests and uses a function called isYaml() to check whether the file parameter (here file_path) is a YAML file. If the return value is "Yes", the file is read and its data is returned to the client …
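The Titanic download request and the isYaml() gate above are the same bug class seen twice: a user-controlled file name is joined under a base directory, and either nothing (Titanic) or only the extension (Mother's Secret) is checked before the file is read. The following is an added example, not code from either room or either box, written in Python to keep the page's examples in one language even though the Mother's Secret route is JavaScript. The function names, the directory layout and the file contents are constructed for the demonstration; `is_yaml()` models the extension-only check, not the room's actual isYaml() implementation.

```python
import os
import shutil
import tempfile


def is_yaml(name: str) -> bool:
    """Extension-only gate, modelled on an isYaml()-style check: it says nothing
    about where the file lives, so '../' in the name still walks out of the base dir."""
    return name.lower().endswith((".yaml", ".yml"))


def read_file_weak(base_dir: str, requested: str, require_yaml: bool = True) -> str:
    """Vulnerable: with require_yaml=False this is the bare 'download?file=' pattern,
    with require_yaml=True it is the extension-gated variant. Both are traversable."""
    if require_yaml and not is_yaml(requested):
        raise PermissionError("not a YAML file")
    with open(os.path.join(base_dir, requested), "r", encoding="utf-8") as f:
        return f.read()


def read_file_hardened(base_dir: str, requested: str, require_yaml: bool = True) -> str:
    """Hardened: resolve the final path (realpath collapses '..' and follows symlinks)
    and require that it still lies under the allowed root before opening it."""
    if require_yaml and not is_yaml(requested):
        raise PermissionError("not a YAML file")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes the allowed directory")
    with open(target, "r", encoding="utf-8") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <tmp>/public/config.yaml is meant to be served,
    <tmp>/private/secret.yaml is not. Returns what each variant hands back."""
    tmp = tempfile.mkdtemp()
    try:
        public = os.path.join(tmp, "public")
        private = os.path.join(tmp, "private")
        os.makedirs(public)
        os.makedirs(private)
        with open(os.path.join(public, "config.yaml"), "w", encoding="utf-8") as f:
            f.write("debug: false\n")
        with open(os.path.join(private, "secret.yaml"), "w", encoding="utf-8") as f:
            f.write("flag: constructed-sample\n")  # constructed, not a real flag

        traversal = os.path.join("..", "private", "secret.yaml")  # passes is_yaml()
        results = {
            "weak_legit": read_file_weak(public, "config.yaml"),
            "weak_traversal": read_file_weak(public, traversal),
            "hardened_legit": read_file_hardened(public, "config.yaml"),
        }
        try:
            read_file_hardened(public, traversal)
            results["hardened_traversal"] = "ALLOWED"
        except PermissionError:
            results["hardened_traversal"] = "blocked"
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The check worth remembering is the `commonpath` comparison after `realpath`: a prefix test on the raw string (`target.startswith(base_dir)`) would still accept a sibling directory such as `publicx/`, and a check before normalisation would still accept `..`.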

HTB: Administrator Walkthrough

Important Note. Enumeration: NMAP. Share Enumeration. User Enumeration. Foothold: To establish a foothold, use the provided credentials and spawn a shell on the system with Evil-WinRM. This yields a list of existing users on the system, but the relationships between them and your current access are still unknown. BloodHound is the best tool for mapping them. …