Synopsis: # The RetroTwo machine, a Windows Server 2008 R 2 Domain Controller for the retro2.vl domain, was targeted. Initial reconnaissance revealed several services, including SMB and LDAP. Anonymous SMB access led to the discovery of a Microsoft Access database file containing credentials for an ldapreader user. This user’s privileges were leveraged through BloodHound analysis to identify pathways for lateral movement, involving the manipulation of computer account passwords due to misconfigurations related to “Pre-Windows 2000 Compatible Access” and “GenericWrite” permissions. These actions allowed the ldapreader user to gain RDP access to the Domain Controller. Finally, a known vulnerability in the Windows Server 2008 R 2 operating system was exploited using the Perfusion tool to escalate privileges to nt authority\system, achieving full compromise of the server.
Synopsis: # This write-up details the penetration test conducted against the HTB x Vulnlab Build machine identified by the IP address 10.10.102.56. Initial reconnaissance revealed several open ports, including SSH, RSH-related services, RSYNC, and a Gitea instance on port 3000. Vulnerability analysis began with the Gitea service, where user registration was possible. After registering an account, exploration revealed a repository containing a Jenkinsfile. Attention then shifted to the open RSYNC service, which exposed a Jenkins backup archive (jenkins.tar.gz). This archive was downloaded and unpacked. Within the backup, an encrypted Jenkins password was found in configuration files (config.xml), along with necessary decryption keys (master.key, hudson.util.Secret). Using a publicly available script, the password was decrypted offline, revealing credentials for the buildadm user. These credentials granted authenticated access back into the Gitea instance. Exploitation proceeded by modifying the previously discovered Jenkinsfile within Gitea to include a reverse shell payload. Committing this change triggered the Jenkins pipeline, resulting in initial access as the root user within a Docker container. Post-exploitation within the container identified internal network routes and services, including a MariaDB database accessible via the container’s gateway IP. Lateral movement involved setting up a network pivot using Chisel to tunnel traffic from the attacker machine through the compromised container to the internal network. This allowed connection to the MariaDB service, which contained a powerdnsadmin database. Credentials (username admin and a bcrypt hash) for the PowerDNS-Admin service were found within this database. The hash was cracked offline, yielding the password. Using the cracked credentials and the pivot, the attacker accessed the PowerDNS-Admin web interface running on an internal IP. Privilege escalation was achieved by leveraging administrative access to PowerDNS-Admin to perform DNS poisoning, specifically altering the ‘A’ record for admin.build.vl (a hostname found listed in a .rhosts file discovered within the container) to point to the attacker’s IP address. This configuration, combined with the insecure .rhosts file on the target host which allowed passwordless root login from admin.build.vl, enabled the attacker to gain root access on the host machine via RSH.
Synopsis: # Cozy hosting is a project hosting service web app hosted on nginx 1.18.0. From directory busting a few endpoints were discovered which disclosed a user’s session cookie via replacing the session cookie the attacker logged in the /admin endpoint. And in that page there was a functionality to check for live hosts using SSH which found out to be vulnerable to OS Command Injection. By exploiting that vulnerability the attacker gained the initial foothold and landed as the user apps. From the /apps directory a java archive was found upon decompiling the archive file the postgres user’s password was found which was later used to login into the database, from the database the admin user’s password hash was captured and got cracked via hashcat later. Using the cracked hash it was possible to login on behalf of the user josh via SSH. After landing on the host as the user josh it was found out that the user could run SSH with sudo privilege which lead to sudo abuse and the host got compromised completely.
Synopsis: # Keeper is a Linux easy machine that hosts the Request Ticket (RT 4.4.4) web application. A password for the user lnorgaard was found in the web application, which was then used to log into the host via SSH. Upon logging in as lnorgaard, a zip file for the KeePass application was found. Unzipping the file revealed a dump file and a database file. The KeePass dump files are vulnerable to CVE-2023–32784, which allows an attacker to dump the master password. After cracking the database file, a PuTTY key was found. This key was then converted into an SSH key, which allowed the attacker to compromise the entire host.
Synopsis: # MonitorsTwo is an easy-to-hack Linux machine that is vulnerable to the CVE-2022–46169 vulnerability. This vulnerability allows an attacker to execute arbitrary code on a server running Cacti. After exploiting this vulnerability, it was found that the Cacti web app was running in a Docker container.
Synopsis: # On the host Busqueda a vulnerable web app was running, by exploiting the web app’s query parameter the attacker gained RCE & the initial foothold. The attacker then enumerated the system and compromised the password for the cody user, which was reused for the user svc account. The attacker also discovered a new virtual host (VHOST) where a self-hosted Git service was running. Using the sudo privileges of the svc user, the attacker was able to dump the configuration files of running Docker containers, which led to the compromise of a few additional user passwords. The attacker then logged into the administrator’s Git account and found a number of scripts. One of these scripts, named full-checkup.sh, did not have its full path specified. The attacker abused this oversight by creating a file named full-checkup.sh in the /tmp directory that contained a reverse shell. This allowed the attacker to gain complete control of the host.
Synopsis: # The Agile HTB Linux machine hosted a password manager that was vulnerable to IDOR and LFI. An attacker could exploit the IDOR to obtain the user corum’s SSH password and exploit the LFI to disclose the source code and other confidential files. Upon landing on the host, an attacker could build a SSH local port forwarding to find a test web application. The test web application was not significantly different from the main application, but it was vulnerable to the same IDOR vulnerability. By exploiting this vulnerability, an attacker could find a pair of credentials for the user edwards. The user edwards was able to run sudoedit commands only as the user “dev_admin” on two files. The host was also vulnerable to CVE-2023–22809, which could be exploited to add a reverse shell to the app/venv/bin/activate file and compromise the host.
Synopsis: # Traverxec is a HTB machine that hosted an outdated Nostromo web server which was vulnerable to RCE. An attacker could gain a foothold on the machine by exploiting this vulnerability and then laterally move to the user david by inspecting the web config file. A bash script in the user’s home directory revealed that the user could execute journalctl as root. This could be used to escalate privilege and gain full control of the machine.
Synopsis: # Sau is a Linux machine that focused on some recently exposed CVEs and security misconfigurations. The first step was to exploit a vulnerable REST API through SSRF to access an internal malicious traffic detection system running a web service. The login page of that web service was vulnerable to OS command injection. RCE was gained by exploiting this vulnerability, and privileges were escalated by abusing the puma user’s permissions.
