setrdocu.blogg.se

Keepassx load a patch file

ctf hackthebox htb-retired nmap feroxbuster upload directory-traversal local-file-read filter bof wfuzz ghidra reverse-engineering proc maps gdb pattern mprotect rop jmp-rsp msfvenom shellcode python symlink make capabilities cap-dac-override binfmt-misc sched_debug htb-previse htb-fingerprint execute-after-redirect

Timelapse is a really nice introduction-level Active Directory box. It starts by finding a set of keys used for authentication to the Windows host on an SMB share. I'll crack the zip and the keys within, and use Evil-WinRM differently than I have shown before to authenticate to Timelapse using the keys. As the initial user, I'll find creds in the PowerShell history file for the next user. That user can read from LAPS, the technology that helps to keep local administrator passwords safe and unique. With that read access, I'll get the administrator password and use Evil-WinRM to get a shell.

ctf htb-timelapse hackthebox nmap windows active-directory crackmapexec smbclient laps zip2john john pfx2john evil-winrm winrm-keys powershell-history htb-pivotapi

Talkative is about hacking a communications platform. I'll start by abusing the built-in R scripter in jamovi to get execution and a shell in a Docker container. There I'll find creds for the Bolt CMS instance, and use those to log into the admin panel and edit a template to get code execution in the next container. From that container, I can SSH into the main host. From the host, I'll find a different network of containers, and find MongoDB running in one. I'll connect to that and use it to get access as admin for a Rocket Chat instance. I'll abuse the Rocket Chat webhook functionality to get a shell in yet another Docker container. This container has a dangerous capability, CAP_DAC_READ_SEARCH, which I'll abuse to both read and write files on the host.

hackthebox ctf htb-talkative nmap wfuzz jamovi bolt-cms feroxbuster rocket-chat r-lang docker webhook twig ssti mongo deepce shocker cap-dac-read-search htb-paper htb-anubis htb-registry













