Vulnhub/ PG/ THM/ HTB
Quick Writeups for Vulnhub/ PG Machines/ THM/ HTB
USER
User : OSCP
User-Agent: *
Disallow: /secret.txt
In robots.txt, we get a base64-encoded private SSH key.
ssh oscp@IP_ADDRESS -i id_rsa
ROOT
SUID bash binary
/bin/bash -p
Unintended Methods:
USER : Dirbuster -> Login with admin:admin, edit image and upload PHP reverse shell. SSH with password.txt
ROOT : sudo time /bin/bash
USER : smbclient //192.168.178.11/ITDEPT
Management.log in :80/logs shows web-control running as root.
Uploaded a Python shell to the SMB ITDEPT share with the name 'web-control'.
Got a reverse shell via cron.
ROOT : Checking for SUID bits, found /usr/bin/zsh -> euid=0
HTB - Late (Image to Text Application built with Flask)
Executing sandboxed Lua scripts through the “EVAL” command using dofile(), capturing the NTLM hash via Responder by connecting with //tun0-ip//share, PowerView, SharpHound and BloodHound for enumeration, and abusing GPO permissions via SharpGPOAbuse.exe.
Enumerating subdomains and finding the CMS "typo3", backend API call for SQLi, password cracking to get into the typo3 panel, uploaded a reverse shell, cracked the user's Mozilla history to find credentials, getcap to find the openssl binary to read and replace the passwd file to get root.