ctf htb-bagel hackthebox nmap python flask source-code file-read dotnet websocket ffuf reverse-engineering proc wscat dnspy json json-deserialization dotnet-deserialization

Bagel is centered around two web apps. I'll exploit a file read vulnerability to locate and retrieve the source. In that source, I see how it connects to the other. I'll abuse the first file read to get the DLL for that server. On reversing that DLL, I'll find a JSON deserialization issue, and exploit it to get file read and the user's SSH key. I'll pivot to the next user using creds from the DLL. To get root, I'll exploit a sudo rule that lets the user run dotnet as root.

htb-absolute hackthebox ctf windows iis crackmapexec ldapsearch dnsenum feroxbuster exiftool username-anarchy kerbrute as-rep-roast hashcat kerberos kinit klist bloodhound bloodhound-python rpc dynamic-reversing wireshark shadow_credential certipy krbrelay visual-studio runascs krbrelayup rubeus dcsync

Absolute is a much easier box to solve today than it was when it first released in September 2022. At that time, many of the tools necessary to solve the box didn't support Kerberos authentication, forcing the player to figure out ways to make things work. Still, even today, it's a maze of Windows enumeration and exploitation that starts with some full names in the metadata of images. I'll figure out the username format for the domain, and AS-REP-Roast to get creds. LDAP enumeration leads to the next set of creds. Access to a share provides a Nim binary, where some dynamic analysis provides yet another set of creds. This user is able to modify a group and from there modify a user to add a shadow credential and finally get a shell on the box.
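The Absolute summary above starts from full names found in image metadata and works out the domain's username format before AS-REP roasting. The script below is an added example, not code from the original post or from any of the tools it lists: it pulls name fields out of constructed exiftool-style output, expands each full name into the common Active Directory username formats (the kind of list username-anarchy produces for kerbrute), and, once one username is confirmed, narrows the rest of the list to that one format. The metadata lines, names, and the "example.htb" domain are all made up for the example.

```python
from __future__ import annotations

import re

# Constructed sample of exiftool output. The file names, people and domain
# are invented for this example; they are not from the box.
EXIFTOOL_OUTPUT = """\
File Name                       : hero_1.jpg
Artist                          : Alice Jones
Copyright                       : example.htb
File Name                       : hero_2.jpg
Creator                         : Robert Van Dyke
Artist                          : Alice Jones
"""

# Metadata tags that commonly carry a person's full name.
NAME_FIELDS = ("Artist", "Creator", "Author", "By-line")


def extract_full_names(exiftool_text: str) -> list[str]:
    """Return the distinct full names found in name-bearing metadata tags,
    in the order they first appear."""
    names: list[str] = []
    for line in exiftool_text.splitlines():
        m = re.match(r"^\s*([\w -]+?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        tag, value = m.groups()
        if tag in NAME_FIELDS and value not in names:
            names.append(value)
    return names


def username_candidates(full_name: str) -> dict[str, str]:
    """Map each common username format to the username it yields for one person.

    Only the first and last tokens are used, so a multi-word surname such as
    "Van Dyke" becomes "dyke"; add more formats here if a domain needs them.
    """
    parts = [re.sub(r"[^a-z0-9]", "", p) for p in full_name.lower().split()]
    parts = [p for p in parts if p]
    if not parts:
        return {}
    if len(parts) == 1:
        return {"first": parts[0]}
    first, last = parts[0], parts[-1]
    f, l = first[0], last[0]
    return {
        "first.last": f"{first}.{last}",
        "first_last": f"{first}_{last}",
        "firstlast": f"{first}{last}",
        "f.last": f"{f}.{last}",
        "flast": f"{f}{last}",
        "firstl": f"{first}{l}",
        "first": first,
        "last": last,
        "lastf": f"{last}{f}",
        "last.first": f"{last}.{first}",
    }


def candidate_list(full_names: list[str], formats: set[str] | None = None) -> list[str]:
    """Flatten candidates for every name into one de-duplicated wordlist.

    With formats=None every format is emitted (the first, wide kerbrute run);
    pass the confirmed format to shrink the list to one guess per person.
    """
    seen: set[str] = set()
    out: list[str] = []
    for name in full_names:
        for fmt, user in username_candidates(name).items():
            if formats is not None and fmt not in formats:
                continue
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


def infer_format(full_names: list[str], confirmed_user: str) -> str | None:
    """Given one username known to exist (for example an AS-REP roastable hit),
    return the format that produced it, or None if no format matches."""
    wanted = confirmed_user.lower()
    for name in full_names:
        for fmt, user in username_candidates(name).items():
            if user == wanted:
                return fmt
    return None


if __name__ == "__main__":
    people = extract_full_names(EXIFTOOL_OUTPUT)
    print("\n".join(candidate_list(people)))          # wide list for a first enumeration pass
    fmt = infer_format(people, "a.jones")              # pretend this one was confirmed
    print("confirmed format:", fmt)
    print("\n".join(candidate_list(people, {fmt})))    # narrowed list for the next pass
```

The wide list is what you would hand to a Kerberos user-enumeration tool; the narrowed list is what you would actually AS-REP roast once one format is confirmed. Note that `infer_format` returns the first format that matches, so for names where two formats collapse to the same string (a one-letter first name makes "first.last" and "f.last" identical) you should confirm a second user before trusting the result.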