HTB-Flight | RFI, ntlm_theft, Webshells, RunasCs.exe, DCSync
Overview: Flight is a Hard Windows machine from HTB created by Geiseric which starts off with an RFI vulnerability to capture an NTLMv2 hash. This hash can be cracked and password sprayed to get a hit on a different domain user. This user has write access to a share, so I’ll use ntlm_theft to generate an .ini file which lets me capture another NTLMv2 hash for another user. I can crack this hash to get creds for a user that can write to the share that controls the website. So I’ll drop a webshell...
VL-Retro | Pre-Created Computer Accounts, ESC1
Overview: Retro is an easy Windows machine created by r0BIT which starts off with RID cycling to get a list of usernames. One of the users uses their username as their password. I find a reference to Pre-Created computer accounts in an SMB share. After some enum I changed the password for a Pre-Created computer account to abuse an ESC1 vulnerability for the NT hash of Administrator. I’ll use the NT hash over WinRM for a shell and the root flag. Nmap Scan: I’ll run nmap to get...
VL-Baby | Anonymous LDAP Access, Expired Passwords, SeBackupPrivilege
Overview: Baby is an easy Windows machine from VL created by xct that starts off with anonymous LDAP access which can be used to get credentials for a domain user. The password for the domain user must be changed, so I’ll change the password using impacket’s smbpasswd.py. I can then get a shell over WinRM with the newly set password for the user flag. For root I’ll abuse the SeBackupPrivilege to back up the SAM and SYSTEM files, and I’ll run those through pypykatz to dump all of the NTLM...
VL-Data | Grafana File Read, Docker Abuse
Overview: Data is an easy Linux machine from VL created by xct that starts off with exploiting CVE-2021-43798 to read a database file. I then use a Python script to format the hash that was found in the database file into hashcat format. Then I crack the hash to reveal creds that work over SSH for the user flag. For root I’ll take advantage of a sudo misconfiguration to run bash in a Docker container, and then I can mount the host filesystem to read the root flag. I’ll showcase two different...
VL-Lock | Gitea Tokens & CI/CD, mRemoteNG Decrypt, PDF24 LPE
Overview: Lock is an easy Windows machine from VL created by xct & kozmer that starts off with discovering Gitea on port 3000, which lets me view an old commit which leaks the PAT (Personal Access Token) for one of the users on Gitea. I use the PAT to upload an aspx webshell onto the website for a shell as ellen.freeman. I find a config.xml file which contains a password that can be cracked using mremoteng-decrypt, and I can log in as gale.dekarios via RDP. I discover that PDF24 is on...