CTF Writeups
HackTheBox and lab walkthroughs with practical exploitation steps.
Focused writeups from boxes and labs I solved, including enumeration flow, exploit path, and privilege escalation notes.
Updown
Got access via a discovered subdomain, which we accessed by modifying a header; then we uploaded a phar file and accessed the phar file content to get our rev shell. Escalated priv via python2 input func RCE, which gave us …
Keeper
Accessed Request Tracker software with default creds, found creds in one of the queues for SSH access, SSH'd in as user and found a KeePass memory dump file, used a script to get the master key from the memory dump which …
Mailing
Path traversal led to file disclosure, which led us to a config file that we got creds from to access the mail server.
Soccer
Got shell: found an exposed site under nginx, found boolean-based SQLi, used sqlmap to get a table with creds, WinRM with creds, and privesc with doas SUID enabled.
[AD] Escape
Got access via leaked user creds, NTLM poisoning of service account hash, priv esc with a vuln certificate template.
Intentions
This writeup covers the full attack path for Intentions, including enumeration, exploitation, and privilege escalation.
Broker
Gained access with an RCE exploit for ActiveMQ, which trusts an XML file easily, and then priv esc via sudo perms that let us upload an nginx config file.
Help
Gained access with PHP reverse shell, timezone, privesc with linuxexploitsugg.
Sau
SSRF practice + RCE, followed by a pager-based shell escape for root access.
Remote
Learnt how to mount something using NFS, used hashcat to crack admin creds which I found in the backup file in the mount, used an authenticated RCE exploit to get nc.exe on the box with PowerShell and then …
Irked
Enumerated box Irked, found a backdoor exploit for the service UnrealIRCd, got a shell, got the password to some steg backup, learnt to use the tool steghide to pull information from an image, which allowed me to SSH …
Knife
I started broad, validated each finding, and then focused only on paths that were reproducible.
Mirai
Learnt how to recover data that was deleted from a USB stick; also learnt how to check for devices that are mounted.
Devoops
HackTheBox Devoops writeup
Doctor
Learnt how to exploit this using SSTI (server-side template injection), used a Splunk exploit called SplunkWhisperer2 to get a root shell.
Buff
Learnt how to port-forward with chisel, update buffer exploit with own payload.
SwagShop
Adding 10.10.10.140 swagshop.htb to our /etc/hosts file, we are able to access the site.
Valentine
I validated this step using the evidence below before moving forward in the chain.