Recent Posts

Forest - Hack The Box

Forest is an easy Windows machine that showcases a Domain Controller (DC) for a domain in which Exchange Server has been installed. The DC allows anonymous LDAP binds, which are used to enumerate domain objects. The password for a service account with Kerberos pre-authentication disabled can be cracked to gain a foothold. The service account is found to be a member of the Account Operators group, which can be used to add users to privileged Exchange groups. The Exchange group membership is leveraged to gain DCSync privileges on the domain and dump the NTLM hashes, compromising the system.

Sauna - Hack The Box

Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in a hash for an account that doesn't require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack, in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically log in, and it identifies their password. This second user also has Windows remote management permissions. BloodHound reveals that this user has the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket-psexec.py in order to gain a shell on the bo...

Tenet - Hack The Box

Tenet is a Medium difficulty machine that features an Apache web server. It contains a WordPress blog with a few posts. One of the comments on the blog mentions the presence of a PHP file along with its backup. After identification of the backup file, it is possible to review its source code. The code in the PHP file is vulnerable to an insecure deserialisation vulnerability, and by successfully exploiting it a foothold on the system is achieved. While enumerating the system, the WordPress configuration file is found to be readable, which gives access to a set of credentials. By using them we can move laterally from user ‘www-data’ to user ‘Neil’. Further system enumeration reveals that this user has root permissions to run a bash script through ‘sudo’. The script writes SSH public keys to the ‘authorized_keys’ file of the ‘root’ user and is vulnerable to a race condition. After successful exploitation, attackers can write their own SSH keys to the ‘authorized_keys’ file and use t...

Writer - Hack The Box

Writer is a medium Linux machine that outlines poor coding practices and presents how a file read vulnerability through SQL injection can lead to disclosure of source code files which include credentials. The combination of password reuse on the SMB service with a blind SSRF exploitation via an image upload function can lead to a foothold on the system. By abusing Django features it is possible to extract and crack user credentials. Further abusing multiple misconfigurations in the Postfix service leads to exploitable privileges in the apt service folders, allowing those users to execute commands as root through a script that updates the machine every minute.

Heal - Hack The Box

Heal is a medium-difficulty Linux machine that features a website vulnerable to arbitrary file read, allowing us to extract sensitive credentials. The server also hosts a LimeSurvey instance, where the leaked credentials can be used to log in as an administrator. Since administrators can upload plugins, we can exploit this to upload a malicious plugin and gain a reverse shell as the ‘www-data’ user. Further enumeration reveals the database password for LimeSurvey, which is reused by the system user ‘ron’, allowing us to escalate access. The server also runs a local instance of the Consul Agent as ‘root’. By registering a malicious service via the Consul API, we can escalate privileges and gain root access.

Pit - Hack The Box

Pit is a medium difficulty Linux machine that focuses on SNMP enumeration and exploitation, while introducing basic SELinux restrictions and web misconfigurations. By enumerating SNMP via the default insecure public community, information about filesystems and users can be obtained. This allows attackers to discover and gain access to a vulnerable SeedDMS instance, which was incorrectly patched by applying Apache .htaccess rules to an Nginx server where they are not effective. Exploiting CVE-2019-12744 results in Remote Command Execution (with some SELinux restrictions) and subsequent access to a Cockpit console via password reuse. Privileges are escalated by writing a Bash script that is executed as an SNMP extension when the corresponding OID is queried.

Union - Hack The Box

Union is a medium-difficulty Linux machine featuring a web application that is vulnerable to SQL Injection. There are filters in place which prevent SQLMap from dumping the database. Users are intended to manually craft union statements to extract information from the database and website source code. The database contains a flag that can be used to authenticate against the machine, and upon authentication the webserver runs an iptables command to enable port 22. The credentials for SSH are in the PHP configuration file used to authenticate against MySQL. Once on the machine, users can examine the source code of the web application and find that, by setting the X-FORWARDED-FOR header, they can perform command injection on the system command used by the webserver to whitelist IP addresses.

Strutted - Hack The Box

‘Strutted’ is a medium-difficulty Linux machine featuring a website for a company offering image hosting solutions. The website provides a Docker container with a version of Apache Struts that is vulnerable to ‘CVE-2024-53677’, which is leveraged to gain a foothold on the system. Further enumeration reveals the ‘tomcat-users.xml’ file with a plaintext password used to authenticate as ‘james’. For privilege escalation, we abuse ‘tcpdump’ while it is used with ‘sudo’ to create a copy of the ‘bash’ binary with the ‘SUID’ bit set, allowing us to gain a ‘root’ shell.