Posts
0xJordan

An easy difficulty Windows host running a vulnerable web app exploitable via directory traversal to reveal credentials. Password spraying with CrackMapExec. SSH tunneling of traffic to allow login, then exploiting another web app running as admin to open a reverse shell.

An insane difficulty Linux host running a WordPress install with a vulnerable plugin that allows an authentication bypass for the admin user. Further enumeration of WordPress reveals SMTP login details. Checking the user's e-mail reveals forum login credentials. A forum message reveals a link to an SSH key encrypted using a Keyed Vigenère cipher. SSH key cracking using John the Ripper. RSA decryption using Python.

An easy difficulty Linux host running a web app named Torrent Hunter. File upload vulnerability exploited by modifying the HTTP request to disguise a PHP file as a PNG. Privilege escalation by exploiting the MOTD files.

An easy difficulty Windows host with a public FTP server that has write access to the IIS web root. Exploited without Metasploit. Foothold via an MSFVenom ASPX reverse shell. Privilege escalation enumeration using Watson and the kernel exploit MS11-046.

A Red Hat Linux host with a vulnerable Apache OpenSSL service. Easy exploit via a buffer overflow PoC.

An easy difficulty Windows box with a vulnerable SMB server. Exploitation via EternalBlue (MS17-010) without Metasploit.

An easy difficulty Linux box with a vulnerable SMB service. Exploited with Metasploit using the “Username map script” module.

A medium difficulty Windows box. Foothold is gained by enumerating users on the box and exploiting weak passwords of service users to gain access to file shares. The file shares reveal an Azure Active Directory configuration file which contains credentials for a domain admin user. A PowerShell script is then used to extract the administrator credentials from the Azure domain.

A medium difficulty Linux box. Foothold is gained by fuzzing for files hinted at in files stored on the web server. The web server is a custom Python script that allows system commands to be executed via a GET parameter, so a crafted URL can start a reverse shell. Privilege escalation is done via CTF-style Python cryptography challenges to dump the contents of the shadow file.

A medium difficulty Windows box running a web server with an RFI vulnerability. Remotely including a PHP web shell over SMB allows code execution. This enables uploading netcat to the box and turning the web shell into a full shell. User escalation via passwords reused from a database file. Admin user via a vulnerable HTML Help file.