February 2021 – HEX-MEN

Tryhackme “Inferno” Report, Exploiting Codiad 0-day CVE-2018-14009

Post author:Xiao Kuang
Post published:February 22, 2021

TryHackMe Inferno Report https://tryhackme.com/room/infernoInferno is a medium-difficulty room created by @mindsflee. SUMMARYDirectory busting the main web app reveals an authentication-protected path. The authentication can be bypassed with a list of possible usernames and the rockyou.txt password list. After authenticating, there is another login page to access Codiad. …

Tryhackme “En-Pass” Report, Python Deserialization Privilege Escalation

Post author:Xiao Kuang
Post published:February 19, 2021

Tryhackme En-Pass Report https://tryhackme.com/room/enpassEn-pass is a medium difficulty room, created by @kiransauDirectory busting reveals four paths: a recursive path that contains a passphrase-protected private SSH key, an input form where the correct input will print a password, a 403 status page that can be bypassed…

Tryhackme “Classic Password” Reverse Engineering w/ IDA, Ghidra, ltrace

Post author:Xiao Kuang
Post published:February 10, 2021

Tryhackme "Classic Passwd" Reverse Engineering Report https://tryhackme.com/room/classicpasswdA Linux ELF binary is available for download. The challenge is to determine the correct input to reveal the flag. This can be done several different ways, with different software. Reverse Engineering with IDA Pro Load the binary into…

Tryhackme “TOC2” Report, CMSMS Exploit 2018-7448, File path race condition

Post author:Xiao Kuang
Post published:February 9, 2021

TryHackMe TOC2 Report https://tryhackme.com/room/toc2A web developer has taken a break from installing a CMS onto their web server. As the attacker, we can use exposed credentials and database info to poison a config file during the CMS install, allowing for RCE (remote code execution). An interactive…

2021 Sudo Exploit-In-Action

Post author:Xiao Kuang
Post published:February 7, 2021

2021 Sudo Vulnerability In Action, Baron Samedit, CVE-2021-3156 Vulnerability Background Info https://tryhackme.com/room/sudovulnssameditThis is a huge SUDO vulnerability, as it affects sudo versions for the past ten years, from 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1. The last big sudo vulnerability was a stack-based buffer overflow, but Baron Samedit is…

Tryhackme “Archangel” Report, LFI and log poisoning, $PATH exploit

Post author:Xiao Kuang
Post published:February 5, 2021

Tryhackme "Archangel" Reporthttps://tryhackme.com/room/archangelAn exposed hostname was added to /etc/hosts and the virtual domain, mafialive.thm, webapp was accessible. A LFI (local file inclusion) vulnerability, mixed with log poisoning results in RCE (remote code execution).A scheduled cron job can be leveraged for horizontal privilege escalation to the Archangel…

Tryhackme “Mr. Robot” Report, Password cracking, SUID binary PrivEsc

Post author:Xiao Kuang
Post published:February 2, 2021

Mr. Robot Introduction https://tryhackme.com/room/mrrobotFrom IMDB, Mr. Robot series: “Elliot, a brilliant but highly unstable young cyber-security engineer and vigilante hacker, becomes a key figure in a complex game of global dominance when he and his shadowy allies try to take down the corrupt corporation he…

Tryhackme “Keldagrim” Report, SSTI (Server Side Template Injection), LD_PRELOAD PrivEsc

Post author:Xiao Kuang
Post published:February 1, 2021

Keldagrim Introduction https://tryhackme.com/room/keldagrimSUMMARYKeldagrim Forge is a Flask web application created with Python. Poor authentication allows the Admin panel to be reached by modifying the session cookie. The web app is susceptible to a SSTI (Server Side Template Injection) attack, due to a cookie value reflected…