Tryhackme “Inferno” Report, Exploiting Codiad 0-day CVE-2018-14009

TryHackMe Inferno Report
https://tryhackme.com/room/inferno
Inferno is a medium-difficulty room created by @mindsflee.

SUMMARY
Directory busting the main web app reveals an authentication-protected path. The authentication can be brute-forced with a list of likely usernames and the rockyou.txt password list. After authenticating, there is another login page to access Codiad. …

Tryhackme “En-Pass” Report, Python Deserialization Privilege Escalation

TryHackMe En-Pass Report
https://tryhackme.com/room/enpass
En-Pass is a medium-difficulty room created by @kiransau.
Directory busting reveals four paths: a recursive path that contains a passphrase-protected private SSH key, an input form where the correct input will print a password, a 403 status page that can be bypassed…
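The privilege escalation named in the title hinges on a privileged script calling pickle.loads() on data an attacker can write. The following is an added example, not code from the room or the post: it builds a malicious pickle, shows that loading it runs attacker-chosen code, and contrasts it with a restricted Unpickler. The MARKER name and the use of exec to record the "command" in an environment variable are this example's stand-ins; a real payload would return (os.system, (cmd,)) from __reduce__.

```python
import io
import os
import pickle

# Environment variable the demo payload writes to, so the effect of "loading"
# can be checked without spawning a shell (constructed name for this example).
MARKER = "PICKLE_PAYLOAD_RAN"


class Payload:
    """Object whose pickle, when loaded, executes attacker-chosen code."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        # pickle stores this as "call <callable> with <args>". pickle.loads()
        # performs that call while reconstructing the object, so whoever loads
        # the bytes runs it with their own privileges. A real exploit returns
        # (os.system, (self.cmd,)); this demo uses exec to set MARKER instead.
        code = f"import os; os.environ[{MARKER!r}] = {self.cmd!r}"
        return (exec, (code,))


def build_payload(cmd):
    """Attacker side: serialize a Payload so that loading it runs cmd."""
    return pickle.dumps(Payload(cmd))


def serialize_record(record):
    """What the legitimate data in such a file looks like: a plain dict."""
    return pickle.dumps(record)


def vulnerable_loads(data):
    """The privileged script's mistake: pickle.loads() on attacker-writable data."""
    return pickle.loads(data)


def last_executed():
    """Return and clear the command the last payload 'ran', or None."""
    return os.environ.pop(MARKER, None)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: resolve only the globals plain data needs; refuse callables."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"),
               ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data):
    """Return the deserialized object, or None if the pickle referenced a disallowed global."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    payload = build_payload("id")
    vulnerable_loads(payload)
    print("vulnerable loader ran:", last_executed())          # id
    print("restricted loader   :", safe_loads(payload), last_executed())  # None None
    print("plain data          :", safe_loads(serialize_record({"user": "alice"})))
```

The restricted loader is a mitigation, not a substitute for never unpickling untrusted input: if the privileged script needs a data file an unprivileged user can write, it should read JSON (or another data-only format) and must not be reachable through a writable path or a PATH/cron lookup that the user controls.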

Tryhackme “Classic Password” Reverse Engineering w/ IDA, Ghidra, ltrace

TryHackMe "Classic Passwd" Reverse Engineering Report
https://tryhackme.com/room/classicpasswd
A Linux ELF binary is available for download. The challenge is to determine the correct input that reveals the flag. This can be done in several ways with different tools.

Reverse Engineering with IDA Pro
Load the binary into…

Tryhackme “TOC2” Report, CMSMS Exploit CVE-2018-7448, File path race condition

TryHackMe TOC2 Report
https://tryhackme.com/room/toc2
A web developer has taken a break from installing a CMS onto their web server. As the attacker, we can use exposed credentials and database info to poison a config file during the CMS install, allowing for RCE (remote code execution). An interactive…

2021 Sudo Exploit-In-Action

2021 Sudo Vulnerability In Action, Baron Samedit, CVE-2021-3156

Vulnerability Background Info
https://tryhackme.com/room/sudovulnssamedit
This is a huge sudo vulnerability, as it affects sudo versions from the past ten years: legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1. The last big sudo vulnerability was a stack-based buffer overflow, but Baron Samedit is…

Tryhackme “Archangel” Report, LFI and log poisoning, $PATH exploit

TryHackMe "Archangel" Report
https://tryhackme.com/room/archangel
An exposed hostname, mafialive.thm, was added to /etc/hosts, making the web app on that virtual host accessible. An LFI (local file inclusion) vulnerability, combined with log poisoning, results in RCE (remote code execution). A scheduled cron job can be leveraged for horizontal privilege escalation to the Archangel…
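The LFI-plus-log-poisoning chain leaves a recognisable footprint in the web server's own access log: PHP tags in a logged header, then a request that includes the log file through the vulnerable parameter. The detector below is an added example, not part of the post or the room; it parses Apache "combined" log lines and correlates the two steps. The five log lines, the parameter name `page` and the client addresses are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines for the demo, not taken from the room.
# Sequence: probe with a PHP wrapper, plant PHP in the User-Agent, include the log,
# then a double-URL-encoded traversal attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2021:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2021:10:00:07 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2021:10:00:12 +0000] "GET / HTTP/1.1" 200 80 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [01/Feb/2021:10:00:15 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2021:10:00:20 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators in the request path, checked after URL-decoding twice so %252f is caught.
PATH_RULES = [
    ("path traversal", re.compile(r"\.\.[/\\]")),
    ("php stream wrapper", re.compile(r"(?i)\b(php|expect|data|phar|zip)://")),
    ("log or proc file include", re.compile(r"(?i)(/var/log/|/proc/self/(environ|fd/))")),
]
# PHP open tags in fields the client controls and Apache writes verbatim into the log.
PHP_TAG = re.compile(r"<\?(php|=)")


def decode(s, rounds=2):
    """URL-decode repeatedly; attackers double-encode to slip past single-pass filters."""
    for _ in range(rounds):
        s = unquote(s)
    return s


def scan(log_text):
    """Return (findings, poisoners).

    findings: list of (line_no, ip, reason); poisoners: IPs that wrote a PHP tag
    into a logged field. A later log-file include from such an IP is escalated,
    because that is the moment the planted code gets executed.
    """
    findings, poisoners = [], set()
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "?", "unparseable line"))
            continue
        ip, path = m["ip"], decode(m["path"])
        for field in ("ua", "referer"):
            if PHP_TAG.search(m[field]):
                poisoners.add(ip)
                findings.append((n, ip, f"php tag in {field} (log poisoning attempt)"))
        for reason, rx in PATH_RULES:
            if rx.search(path):
                if reason == "log or proc file include" and ip in poisoners:
                    reason = "poisoned log included: likely RCE"
                findings.append((n, ip, reason))
    return findings, poisoners


if __name__ == "__main__":
    found, sources = scan(SAMPLE_LOG)
    for n, ip, reason in found:
        print(f"line {n:>3} {ip:<10} {reason}")
    print("log poisoning sources:", sorted(sources))
```

Two caveats for real deployments: the correlation only works if the poisoning request and the include land in the same log (attackers also target SSH auth logs, mail logs and /proc/self/environ), and the path rules should be applied to decoded POST bodies as well, since an include parameter is not always in the query string.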

Tryhackme “Mr. Robot” Report, Password cracking, SUID binary PrivEsc

Mr. Robot Introduction
https://tryhackme.com/room/mrrobot
From IMDb, on the Mr. Robot series: “Elliot, a brilliant but highly unstable young cyber-security engineer and vigilante hacker, becomes a key figure in a complex game of global dominance when he and his shadowy allies try to take down the corrupt corporation he…

Tryhackme “Keldagrim” Report, SSTI (Server Side Template Injection), LD_PRELOAD PrivEsc

Keldagrim Introduction
https://tryhackme.com/room/keldagrim

SUMMARY
Keldagrim Forge is a Flask (Python) web application. Weak session handling allows the Admin panel to be reached by modifying the session cookie. The web app is susceptible to an SSTI (Server Side Template Injection) attack, due to a cookie value reflected…
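Reaching the Admin panel by editing the session cookie only works when nothing binds the cookie's contents to the server. The following is an added example, not code from the room or the post: it shows the weak pattern (a base64-encoded JSON cookie the client can rewrite) beside an HMAC-signed cookie that rejects edits, using only the standard library. The cookie layout, the claim names and the SECRET_KEY placeholder are assumptions made for the demo; Flask's real session cookies are signed by itsdangerous in a similar spirit but with a different encoding.

```python
import base64
import hashlib
import hmac
import json

# Placeholder for the demo; a real app loads this from configuration, never source.
SECRET_KEY = b"replace-me-with-32-random-bytes"


def b64e(raw):
    """URL-safe base64 without padding, as cookies usually carry it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- weak form: the cookie is just encoded JSON; the server trusts whatever comes back ---
def weak_issue(session):
    return b64e(json.dumps(session).encode())


def weak_read(cookie):
    return json.loads(b64d(cookie))


def tamper(cookie, **changes):
    """What the attacker does in the browser: decode, edit the claims, re-encode. No secret needed."""
    session = weak_read(cookie)
    session.update(changes)
    return weak_issue(session)


# --- hardened form: payload.signature, signature = HMAC-SHA256(SECRET_KEY, payload) ---
def signed_issue(session, key=SECRET_KEY):
    payload = b64e(json.dumps(session, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64e(sig)}"


def signed_read(cookie, key=SECRET_KEY):
    """Return the session dict, or None if the cookie is malformed or its signature fails."""
    try:
        payload, sig = cookie.rsplit(".", 1)
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # constant-time comparison: a plain == would leak the signature byte by byte
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        return json.loads(b64d(payload))
    except ValueError:  # bad split, bad base64 or bad JSON all derive from ValueError
        return None


def is_admin(session):
    return bool(session) and session.get("role") == "admin"


if __name__ == "__main__":
    weak = weak_issue({"user": "guest", "role": "user"})
    print("weak cookie, edited  -> admin?", is_admin(weak_read(tamper(weak, role="admin"))))   # True
    signed = signed_issue({"user": "guest", "role": "user"})
    payload, sig = signed.rsplit(".", 1)
    print("signed cookie, edited -> admin?", is_admin(signed_read(tamper(payload, role="admin") + "." + sig)))  # False
```

Signing stops the client from rewriting claims, but the server is still the party that decides what "admin" means; the authorization check belongs on the server-side record, and the value pulled from the cookie must never be passed to a template engine as template source, which is the separate SSTI problem the summary goes on to describe.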
