Shared is a great box that taught me much. You start out by enumerating a web app and then find an SQL injection in an unexpected place. You’ll use this SQL injection to extract a username and a password hash which can be cracked and used to SSH. Once on the box you’ll exploit iPython and Redis to make your way to root.
Upon gaining a shell on a target you may find that you are in a restricted shell. Restricted shells are introduced as another line of defense and greatly limited what you can do within a shell. In this post I will show a few different techniques to escape this restricted shell and gain full functionality.
DCSync attacks allow an attacker to simulate the behavior of a domain controller via MS-DRSR and obtain credentials from another domain controller. In this article I will give an overview of DCSync attacks, how to perform them, and how to remediate them.
AS-REP roasting is a technique that enables us to steal the password hashes of accounts without Kerberos pre-authentication enabled. In this article I will show how to perform an AS-REP roast attack.
DNS zone transfers can give an attacker the keys to the DNS castle so to speak. Although this vulnerability is ancient and rather rare these days it is still important to know how zone transfers work and how to prevent unauthorized transfers.
As part of the OSCP exam you may or may not have to perform a buffer overflow. Even without any security measures in place this can still be a daunting tasks for beginners. This article will not teach you from the ground up how to perform a buffer overflow but instead an easy methodology to follow for OSCP-like buffer overflows.
I recently completed the Dante pro lab from HackTheBox. Dante is a realistic simulated corporate network aimed at junior penetration testers. In This post I will give my review and some recommendations for Dante.
In a Windows environments it’s possible to escalate your privileges via misconfigured services. The most common ways for this to happen is insecure permissions on the service executable, unquoted service paths, and insecure permissions. In this article I will walk you through the exploitation of unquoted service paths and how to fix them.
A new vulnerability has been discovered within sudo versions 1.8.0 through 1.9.12.p1. This issue occurs because the sudoedit feature mishandles the contents of user controlled environment variables. If one of these environment variables contains a “–” every following argument will be taken as a file to process.
Ambassador is a medium difficulty box from Hack The Box released on October 1st 2022 and retired on January 28 2023. I start off by exploiting a directory traversal vulnerability in a Grafana instance to read sensitive configuration files and obtain MySQL login credentials. Searching through the MySQL databases I’ll find SSH login details and a obtain shell. I’ll find that this account has access to a git repo that leaks a token for Consul, I’ll then use this token to interact with Consul and escalate my privileges to root.