Tryhackme “Archangel” Report, LFI and log poisoning, $PATH exploit

Tryhackme "Archangel" Report
https://tryhackme.com/room/archangel
An exposed hostname was added to /etc/hosts, which made the web app on the virtual domain mafialive.thm accessible. An LFI (local file inclusion) vulnerability, combined with log poisoning, results in RCE (remote code execution). A scheduled cron job can be leveraged for horizontal privilege escalation to the Archangel…

Tryhackme “Keldagrim” Report, SSTI (Server Side Template Injection), LD_PRELOAD PrivEsc

Keldagrim Introduction
https://tryhackme.com/room/keldagrim
SUMMARY
Keldagrim Forge is a Flask web application created with Python. Poor authentication allows the Admin panel to be reached by modifying the session cookie. The web app is susceptible to an SSTI (Server Side Template Injection) attack, due to a cookie value reflected…

Tryhackme “Sustah” Report, Bypass rate-limitations, doas.conf PrivEsc

Sustah Introduction
https://tryhackme.com/room/sustah
A roulette-like number guessing game must be beaten in order to obtain access to the CMS. Rate-limitation restrictions in the game prevent brute forcing techniques, but can be bypassed by specifying a couple of request header fields. Exposed default admin credentials in Mara CMS allow…

Tryhackme “Colddbox” Report, WordPress enumeration and Plugin Exploitation, SUID binary PrivEsc

Colddbox Introduction
https://tryhackme.com/room/colddboxeasy

  • Directory brute forcing exposes usernames
  • WPScan can also be used to enumerate WordPress usernames
  • Due to poor password strength, hydra can use the rockyou.txt wordlist to perform a dictionary attack against the login form and determine a user’s credentials
  • WordPress plugins can be leveraged to run malicious…
