Wreath is a network on TryHackMe. The network contains one public-facing web server and two other clients inside the internal network. The goal was to perform a penetration test against this network and write a report. The initial foothold inside the network was gained by exploiting a vulnerable Webmin version. After that, the attacker could pivot to another server that was running a vulnerable version of GitStack. From there, the developer machine could be compromised by exploiting an unrestricted file upload vulnerability. On the developer machine, privilege escalation to SYSTEM was achieved by abusing an unquoted service path.
Glitch is a room on TryHackMe. It has “Easy” difficulty. The initial foothold on the machine could be obtained through a remote code execution flaw in the API. Privilege escalation to root could be accomplished with reused credentials that were stored inside a Firefox profile.
The enumeration started with Nmap. It revealed that Nginx was running on port 80.
“UltraTech” is a boot2root machine on TryHackMe. It has intermediate difficulty. You have been contracted by UltraTech to pentest their infrastructure. It is a grey-box kind of assessment, the only information you have is the company’s name and their server’s IP address.
Initial access to the machine could be obtained through a command injection vulnerability in the API. After that, credentials could be dumped from a SQLite database file. The hashed passwords could be cracked. The credentials were used to escalate privileges to another user on the box. The user was inside the docker group. …
“Vaccine” is a boot2root machine on Hack The Box. This machine is part of the starting point series. The operating system is Linux. Initial foothold on the machine could be accomplished through a SQL injection vulnerability in the web app. Privilege escalation to root could be accomplished because of sudo rights for the vi program. The FTP credentials ftpuser:mc@F1l3Z1lL4 from the last challenge were used to obtain sensitive data from the target.
The engagement was started with the following Nmap scan:
nmap -sC -sV -O -oN nmap/inital 10.10.10.46
The Nmap scan revealed FTP on port 21, SSH on port 22…
This is a room on TryHackMe. The challenge is to “Infiltrate BadByte and help us to take over root”. The challenge difficulty is “Easy”.
First of all, we start with an Nmap scan. The following command will scan all ports, use default scripts and version enumeration. The output will be saved in a file called “initial”.
nmap -p- -sC -sV -oA initial 10.10.242.102
Blueprint is an easy level boot2root machine on TryHackMe. The machine is a Windows 7 machine which hosts a web server on port 443. That web server is an outdated version of osCommerce. After enumerating the install directory of the web app, we could install osCommerce. After that, an arbitrary file upload vulnerability was used to upload a web shell. Finally, this web shell was used to gain a Meterpreter session on the box with SYSTEM privileges.
First of all, an Nmap scan was started.
sudo nmap -sC -sV -O 10.10.242.9 -oN nmap/inital -vv
Thompson is a boot2root CTF on TryHackMe. It has “Easy” difficulty. Initial access was gained by uploading a reverse shell. Privilege escalation to root could be done through a misconfigured cronjob.
After running an Nmap scan, we can see that ports 22, 8009 and 8080 are open. On port 8080, Tomcat 8.5.5 is running.
nmap -sC -sV -O -oN nmap/scripts 10.10.39.116
Anonymous is a boot2root CTF on TryHackMe. It has medium difficulty. Initial access was accomplished by injecting a reverse shell into a script on the FTP server. This script was run by a cronjob. After that, privilege escalation to root was done via a misconfigured SUID binary.
First of all, we start an Nmap scan against the target.
sudo nmap 10.10.237.17 -sC -sV -p- -O -oN nmap/all
Boiler CTF is a boot2root machine on TryHackMe. The room has the difficulty “Medium”. After enumerating for a while, we find a vulnerability in a web application. This web application contains a command injection vulnerability, which we will utilize to read SSH credentials. After logging into the machine with these credentials, there will be a “backup.sh” script inside the home folder. This home folder again contains some credentials. These credentials are then used to SSH into the machine again as another user. The final privilege escalation to root was done with a misconfigured SUID binary.
First of all we start…
Library is a room on TryHackMe. The difficulty of the room is “easy”. Initial access was done by brute forcing SSH credentials. Finally, privilege escalation to root was done through the creation of a malicious Python script.
The first step of the enumeration is starting an Nmap scan. After running the following Nmap scan, we will see that SSH is running on port 22 and a web server is running on port 80.
nmap -oA initial 10.10.239.219
Passionate about Cyber Security. I am publishing CTF writeups and Cybersec content!