Seems like I say this for every box, but it was fun and I learned a lot. The box starts off with cookie manipulation so that I can upload files. From there I am able to upload a PHP reverse shell to gain a foothold. Poking around the system reveals SSH credentials. After logging in via SSH I find a custom SUID binary. This binary accepts user input and allows the viewing of files under the security context of root. I imagine the intent was to only allow the viewing of files in a hard-coded directory that is in…
This is the first installment of Tier 2 writeups. There is a clear increase in difficulty with these boxes. The increase in difficulty is due to more steps needing to be taken to gain access and elevate privileges. Archetype starts off with the enumeration of SMB shares. On this share is a config file that contains credentials. I then use those credentials and Impacket to get a reverse shell. Once I have a shell on the box I find a command history file with administrator credentials waiting for me. Initial Recon Started with the standard nmap scan. There are a…
Introduction This was a straightforward box. It was very similar to a previous Starting Point machine. Gain access to SMB via brute force. With valid credentials and Impacket I am able to get a semi-interactive shell on the box. This wraps up Tier 1 machines. Next is Tier 2 and then on to some retired machines! Initial Recon Started with the standard nmap scan. There are a few ports open – RPC on 135, NetBIOS on 139, and SMB on 445. Initial Access SMB The first thing I do when I see port 445 is try to list shares….
This box required a password guessing attack to discover valid credentials to a Jenkins application. From there it was easy enough to get code execution via a Groovy script. There is one more Tier 1 box to look at before moving to Tier 2. These easier machines have taught me a lot. No matter what skill level you are at there is always an opportunity to learn. Initial Recon Started with the standard nmap scan. There is a single port open – HTTP on port 8080. Initial Access HTTP Prior to navigating to a web site, I like to start…
This box taught me A LOT about Node.JS and Server-Side Template Injection (SSTI). It was fun creating a payload, determining why it did not work, and tweaking it until the desired end state was achieved. With that said, documentation is your friend! A lot of time was spent going through the Node.JS documentation to identify how an SSTI can be abused to get an RCE. Initial Recon Started off with the standard nmap scan. There are only two ports open – SSH on 22 and HTTP on 80. Initial Access HTTP Before I do anything with HTTP I like…
This was an interesting box. It shows how information leaked by an HTTP application can aid an attacker in a password guessing attack. Creating an account in the web application revealed minimum password requirements. With that knowledge and assuming users do the bare minimum for password creation, I was able to create a custom password list. After a little bit of time and luck I was able to successfully guess a user’s password to gain access to the application. Initial Recon Started with the standard nmap scan. There is a single port open – HTTP on port 80. Initial Access…
This was a very fun box and I learned a lot. A little bit of fuzzing a parameter in a GET request led to the discovery of a local file inclusion, which turned out to also be a remote file inclusion. With that knowledge I was able to trick the remote system into giving me its hash, which ultimately resulted in a valid username and password. Initial Recon Started with the standard nmap scan. There are two ports open – 80 is hosting a web server and 5985 is hosting WinRM. Let’s start with port 80. Initial Access HTTP Before…
In the previous writeup, Appointment, I got a little exposure to SQL. I learned how a web application could use some sort of database to authenticate users and how that can be taken advantage of if not properly configured. For this box, I got to work with such a database directly which helped cement what I had learned previously. Initial Recon Started off with the standard nmap scan. There is a single port open – MySQL on port 3306. Initial Access MySQL What is MySQL? It is an open-source database system. There can be multiple databases being managed by MySQL…
This was a very fun box! It starts off with an information leak in an HTTP header that contains a domain to enumerate. From there, a post is seen that hints that some hidden content may not be so hidden. Further enumeration leads to a version number which happens to have a CVE. With that CVE I am able to discover another subdomain. There I discover a custom bot that provides users various functionality. Ultimately I am able to take advantage of the bot to get a reverse shell. Once a shell is established, enumeration of the box is done…
Continuing with Starting Point, I moved on to the next tier. Learned a lot doing these boxes, and it caused some self-reflection. A bad habit that I am trying to correct is my tendency to not completely understand why a specific attack works. Some may call me a script kiddie and I would agree. Relying on tools that automate an attack or copy/pasting a PoC is a major crutch. But what happens when the tool doesn’t work? Or a PoC doesn’t match the exact environment I am in? That is when an understanding of how an exploit works comes into play….