Investigation starts with a website that accepts user uploaded images and runs Exiftool on them.
ctf hackthebox htb-investigation nmap php exiftool feroxbuster cve-2022-23935 command-injection youtube perl event-logs msgconvert mutt mbox evtx-dump jq ghidra reverse-engineering race-condition

MetaTwo starts with a simple WordPress blog using the BookingPress plugin to manage booking events. I’ll find an unauthenticated SQL injection in that plugin and use it to get access to the WP admin panel as an account that can manage media uploads. I’ll exploit an XML external entity (XXE) injection to read files from the host, reading the WP configuration, and getting the creds for the FTP server. On the FTP server I’ll find a script that is sending emails, and use the creds from that to get a shell on the host. The user has a Passpie instance that stores the root password. I’ll crack the PGP key protecting the password and get a shell as root.
htb-metatwo ctf hackthebox nmap wfuzz php wordpress bookingpress cve-2022-0739 sqli sqlmap john xxe cve-2021-29447 credentials passpie pgp gpg

Flight is a Windows-centered box that puts a unique twist by showing both an Apache and PHP website as well as an internal IIS / ASPX website. I’ll get the PHP site to connect back to my server on SMB, leaking a Net NTLMv2, and crack that to get a plaintext password. I’ll get a list of domain users over RPC, and password spray that password to find another user using the same password. That user has write access to a share, where I’ll drop files designed to provoke another auth back to my server to catch another Net NTLMv2. That user has access to the new IIS site, and can write an ASPX webshell to get a shell as the IIS account. As a service account, it will authenticate over the network as the machine account. I’ll abuse that to get the administrator’s hash and from there a shell.
htb-flight hackthebox ctf nmap subdomain crackmapexec windows php apache feroxbuster file-read directory-traversal responder net-ntlmv2 password-spray lookupsid rpc ntlm-theft runascs iis webshell aspx rubeus machine-account dcsync secretsdump psexec

Interface starts with a site and an API that, after some fuzzing / enumeration, can be found to offer an endpoint to upload HTML and get back a PDF, converted by DomPDF. I’ll exploit a vulnerability in DomPDF to get a font file into a predictable location, and poison that binary file with a PHP webshell. To escalate, I’ll abuse a cleanup script with Arithmetic Expression Injection, which abuses the ] syntax in Bash scripts. In Beyond Root, I’ll look at an unintended abuse of another cleanup script and how symbolic links could (before the box was patched) be used to overwrite and change the ownership of arbitrary files.
htb-interface hackthebox ctf nmap ubuntu next-js feroxbuster subdomain api ffuf dompdf php cve-2022-28368 webshell upload pspy arithmetic-expression-injection quoted-expressinion-injection exiftool symbolic-link

Precious is on the easier side of boxes found on HackTheBox. It starts with a simple web page that takes a URL and generates a PDF. I’ll use the metadata from the resulting PDF to identify the technology in use, and find a command injection exploit to get a foothold on the box. Then I’ll find creds in a Ruby Bundler configuration file to get to user. To get to root, I’ll exploit a yaml deserialization vulnerability in a script meant to manage dependencies. In Beyond Root, I’ll explore the Ruby web application, how it’s hosted, and fix the bug that doesn’t allow me to fetch a PDF of the page itself.
ctf hackthebox htb-precious nmap subdomain ffuf ruby phusion passenger nginx exiftool pdfkit feroxbuster cve-2022-25765 command-injection bundler yaml-deserialization youtube