Learning NVim, Tryhackme, Vim-Adventures, resources

Learning NVim, TryHackMe, Resources
This post will be a walkthrough of the Vim room on TryHackMe, in addition to various learning resources I find helpful. As I encounter helpful examples for penetration testing, I will post those as well.
TryHackMe room: https://tryhackme.com/room/toolboxvim
This room teaches you to…


Tryhackme “Attacktive Directory” Report, Offensive Active Directory

https://tryhackme.com/room/attacktivedirectory
This room contains a Domain Controller, a Windows Server with Active Directory. Initial enumeration is performed with enum4linux, a Linux version of enum.exe, gathering the NetBIOS name and AD domain. The Kerbrute tool can perform a dictionary attack against the DC to enumerate valid usernames, provided a usernames…


Tryhackme “Magician” Report, Exploiting ImageMagick CVE-2016-3714

TryHackMe Magician Report
https://tryhackme.com/room/magician
A web application that converts user-uploaded PNG images to JPG images uses ImageMagick, a package commonly used by web services to process images. The version of ImageMagick used is susceptible to multiple vulnerabilities, as described by CVE-2016-3714. A PoC malicious file is amended…


Tryhackme “Inferno” Report, Exploiting Codiad 0-day CVE-2018-14009

TryHackMe Inferno Report
https://tryhackme.com/room/inferno
Inferno is a medium-difficulty room created by @mindsflee.
SUMMARY
Directory busting the main web app reveals an authentication-protected path. The authentication can be bypassed with a list of possible usernames and the rockyou.txt password list. After authenticating, there is another login page to access Codiad. …


Tryhackme “En-Pass” Report, Python Deserialization Privilege Escalation

Tryhackme En-Pass Report
https://tryhackme.com/room/enpass
En-pass is a medium-difficulty room, created by @kiransau. Directory busting reveals four paths: a recursive path that contains a passphrase-protected private SSH key, an input form where the correct input will print a password, a 403 status page that can be bypassed…


Tryhackme “TOC2” Report, CMSMS Exploit 2018-7448, File path race condition

TryHackMe TOC2 Report
https://tryhackme.com/room/toc2
A web developer has taken a break from installing a CMS onto their web server. As the attacker, we can use exposed credentials and database info to poison a config file during the CMS install, allowing for RCE (remote code execution). An interactive…


Tryhackme “Archangel” Report, LFI and log poisoning, $PATH exploit

Tryhackme "Archangel" Report
https://tryhackme.com/room/archangel
An exposed hostname was added to /etc/hosts, and the mafialive.thm virtual host web app was then accessible. An LFI (local file inclusion) vulnerability, combined with log poisoning, results in RCE (remote code execution). A scheduled cron job can be leveraged for horizontal privilege escalation to the Archangel…


Tryhackme “Mr. Robot” Report, Password cracking, SUID binary PrivEsc

Mr. Robot Introduction
https://tryhackme.com/room/mrrobot
From IMDB, Mr. Robot series: “Elliot, a brilliant but highly unstable young cyber-security engineer and vigilante hacker, becomes a key figure in a complex game of global dominance when he and his shadowy allies try to take down the corrupt corporation he…


Tryhackme “Keldagrim” Report, SSTI (Server Side Template Injection), LD_PRELOAD PrivEsc

Keldagrim Introduction
https://tryhackme.com/room/keldagrim
SUMMARY
Keldagrim Forge is a Flask web application written in Python. Poor authentication allows the Admin panel to be reached by modifying the session cookie. The web app is susceptible to an SSTI (Server Side Template Injection) attack, due to a cookie value reflected…


Tryhackme “Sustah” Report, Bypass rate-limitations, doas.conf PrivEsc

Sustah Introduction
https://tryhackme.com/room/sustah
A roulette-like number guessing game needs to be beaten in order to obtain access to the CMS. Rate-limiting restrictions in the game prevent brute-forcing techniques, but can be bypassed by specifying a couple of request header fields. Exposed default admin credentials in Mara CMS allow…

