
Vulnlab


2025

HTB x VL Lock: Formal Write-up

1953 words · 10 mins
Synopsis: The engagement of the HTB x VL box Lock began with the discovery of an open Gitea service on TCP port 3000. An anonymous exploration of this service revealed a public code repository containing a Python script. Analysis of the script’s commit history uncovered a hardcoded Gitea personal access token. This token was leveraged to discover and clone a private ‘website’ repository, whose README file indicated a CI/CD pipeline was in place for automatic deployment to a webserver. By committing and pushing an ASP.NET web shell to this repository, the CI/CD pipeline was abused to gain initial code execution on the underlying webserver. A reverse shell was then established, granting access as the user ellen.freeman. Post-exploitation enumeration uncovered an mRemoteNG configuration file containing an encrypted password for a second user, Gale.Dekarios. After decrypting the password, the researcher performed lateral movement by logging in as this user via RDP. Further investigation on the new desktop revealed a vulnerable version of PDF24 Creator (11.15.1), which was exploited through a flaw in its MSI installer service to escalate privileges to NT AUTHORITY\SYSTEM.

HTB x VL Shibuya: Formal Write-up

3041 words · 15 mins
Synopsis: Shibuya, a challenging hard-rated HTB x Vulnlab Active Directory box, requires a multi-stage attack chain involving credential harvesting, session hijacking, and a critical Active Directory Certificate Services (ADCS) misconfiguration. The initial foothold is gained by enumerating domain users via Kerberos and discovering a weak password for one user. This access is quickly leveraged to find a service account’s plaintext password stored in its user description, granting access to a critical SMB share. Inside the share, a Windows Imaging (.wim) file contains cached domain credentials for another user. By extracting the necessary registry hives from this image, a hash is recovered and used to reset the user’s password, enabling lateral movement to an interactive shell on the domain controller via SSH. Privilege escalation is a two-step process: first, a Cross-Session Relay attack is performed to capture and crack the hash of a high-privileged user with an active session. With these new credentials, the final pivot is made by exploiting a vulnerable ADCS certificate template (ESC1) to request a certificate as a domain administrator, ultimately yielding the administrator’s NT hash and achieving full domain compromise.

HTB x VL RetroTwo: Formal Write-up

1620 words · 8 mins
Synopsis: The RetroTwo machine, a Windows Server 2008 R2 Domain Controller for the retro2.vl domain, was targeted. Initial reconnaissance revealed several services, including SMB and LDAP. Anonymous SMB access led to the discovery of a Microsoft Access database file containing credentials for an ldapreader user. This user’s privileges were leveraged through BloodHound analysis to identify pathways for lateral movement, involving the manipulation of computer account passwords due to misconfigurations related to “Pre-Windows 2000 Compatible Access” and “GenericWrite” permissions. These actions allowed the ldapreader user to gain RDP access to the Domain Controller. Finally, a known vulnerability in the Windows Server 2008 R2 operating system was exploited using the Perfusion tool to escalate privileges to nt authority\system, achieving full compromise of the server.

HTB x VL Retro: Formal Write-up

1748 words · 9 mins
Synopsis: The Retro machine from HTB x Vulnlab was a Windows Active Directory Domain Controller. Initial access was gained by leveraging anonymous SMB enumeration and weak credentials for a ‘trainee’ user. Post-exploitation involved discovering clues in text files, leading to the compromise of a machine account (‘BANKING$’) by guessing its password and then resetting it. This access was then pivotal for privilege escalation via an Active Directory Certificate Services (AD CS) misconfiguration (ESC1), allowing the attacker to request a certificate as the Domain Administrator, ultimately leading to full administrative control over the domain controller.

HTB x VL Build: Formal Write-up

2409 words · 12 mins
Synopsis: This write-up details the penetration test conducted against the HTB x Vulnlab Build machine identified by the IP address 10.10.102.56. Initial reconnaissance revealed several open ports, including SSH, RSH-related services, RSYNC, and a Gitea instance on port 3000. Vulnerability analysis began with the Gitea service, where user registration was possible. After registering an account, exploration revealed a repository containing a Jenkinsfile. Attention then shifted to the open RSYNC service, which exposed a Jenkins backup archive (jenkins.tar.gz). This archive was downloaded and unpacked. Within the backup, an encrypted Jenkins password was found in configuration files (config.xml), along with necessary decryption keys (master.key, hudson.util.Secret). Using a publicly available script, the password was decrypted offline, revealing credentials for the buildadm user. These credentials granted authenticated access back into the Gitea instance. Exploitation proceeded by modifying the previously discovered Jenkinsfile within Gitea to include a reverse shell payload. Committing this change triggered the Jenkins pipeline, resulting in initial access as the root user within a Docker container. Post-exploitation within the container identified internal network routes and services, including a MariaDB database accessible via the container’s gateway IP. Lateral movement involved setting up a network pivot using Chisel to tunnel traffic from the attacker machine through the compromised container to the internal network. This allowed connection to the MariaDB service, which contained a powerdnsadmin database. Credentials (username admin and a bcrypt hash) for the PowerDNS-Admin service were found within this database. The hash was cracked offline, yielding the password. Using the cracked credentials and the pivot, the attacker accessed the PowerDNS-Admin web interface running on an internal IP.
Privilege escalation was achieved by leveraging administrative access to PowerDNS-Admin to perform DNS poisoning, specifically altering the ‘A’ record for admin.build.vl (a hostname found listed in a .rhosts file discovered within the container) to point to the attacker’s IP address. This configuration, combined with the insecure .rhosts file on the target host which allowed passwordless root login from admin.build.vl, enabled the attacker to gain root access on the host machine via RSH.