Escape

HTB Box - Escape (Windows) Writeup

Escape is a Windows Machine. I utilise techniques such as MSSQL Relay Attack, plain-text credential search, misconfigured Active Directory Certificate Services exploit and pass-the-hash attack to gain root on this system. Initial Foothold The standard nmap scan reveals that this is another Domain Controller of an Active Directory. My methodology leads me to check the SMB network share. I quickly found that there is a folder named Public that contains a manual for the MSSQL server on the machine. ...

May 3, 2024 · 3 min · 498 words
Forest

HTB Box - Forest (Windows) Writeup

In this machine, I had to perform ASREPRoast, abuse WriteDACL privileges and finally gain root with the DCSync technique. Initial Foothold The nmap scan revealed a very standard Active Directory Domain Controller setup. Using the intuition I gained from previous machines, I started by drilling into SMB and LDAP. nmap 10.129.95.210 -sC -sV Both protocols returned some information about the AD but could not be exploited further. I extracted the user list from crackmapexec and used the sed command to only keep the usernames in a txt file for ease of use. ...

April 26, 2024 · 3 min · 550 words
Pandora

HTB Box - Pandora (Linux) Writeup

Welcome back to the new CTF blog where we take on Pandora — a Linux CTF box. In this episode, we will focus on leveraging weak SNMP configuration, a Pandora FMS unauthenticated RCE vulnerability and path overriding to pwn the box. Initial Foothold Our journey begins with an nmap scan to gather more insight about the Pandora box. nmap 10.129.210.204 -sV -sC -oA pandora The box surprisingly returned nothing of interest. A thorough check on the port 80 website also suggests that there is nothing to tinker with. ...

April 19, 2024 · 4 min · 717 words
Support

HTB Box - Support (Windows) Writeup

This box was pretty rough for me. Enjoy the ride! Initial Foothold As usual, I started my recon with the usual nmap scan. The scan mistakenly states that the host is down. I added a -Pn flag following the nmap suggestion - the flag is an option that tells nmap to skip the discovery stage and do scanning as if the target IP is online. The starting Nmap scan clearly shows that the target this time is a Windows Active Directory box from the services available. ...

March 22, 2024 · 4 min · 726 words
Active

HTB Box - Active (Windows) Writeup

Windows and especially Active Directory (AD) is a big part of OSCP and no practice will be too much practice. Initial Foothold The target is a Windows Machine. I quickly did a Nmap scan to understand what services are available. nmap -sC -sV <ip-address> -oA active The open port 3268 and LDAP service suggest that I am dealing with an AD Domain Controller. Without any clue about credentials and users, I started by attempting an anonymous SMB login using enum4linux. ...

March 15, 2024 · 2 min · 376 words
Broker

HTB Box - Broker (Linux) Writeup

Welcome to my first CTF walkthrough write-up. This is going to be a series where I will be doing CTFs in preparation for OSCP. Initial Foothold Broker is a Linux machine. To better understand the machine, I did a Nmap scan for quick reconnaissance. nmap <ip-address> -sC -sV -oA broker The scan quickly reveals that the target is an ActiveMQ instance hosted with an nginx server. ActiveMQ is an open-source message broker (I see what you did there HTB) service written in Java to share data asynchronously between systems. In other words, one can think of it as a traffic system, but instead of cars, it regulates the flow of messages (data) between different applications. ...

March 8, 2024 · 3 min · 471 words
HTB Academy Getting Started

My First Box on Hack The Box

After mistakenly enrolling in a course on offensive cyber security on Hack The Box Academy, I am here to write my first blog on a box I challenged. Reconnaissance Knowing that my target will be a Linux server and given the IP address, I started with a Nmap scan to see what ports are open and fetch some potentially useful banners. It came to my attention that this is an Apache server - hence I confirmed it to be a web server and ran whatweb for more details on the web infrastructure. Simultaneously, I proceeded with trying to enumerate some directories of the website. I used the common list with gobuster and found some addresses that can be accessed directly through the browser. ...

July 14, 2023 · 3 min · 559 words