The theme of the next machine is Hitman, as in this box you will be breaking into a forum about games.
SQL injection for the foothold, and a quite tricky PrivEsc, as I wanted to avoid using Metasploit.
#tryhackme #pentest
https://telegra.ph/Game-Zone-09-23
Telegraph
Game Zone
Game Zone is the fourth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path. > Enumeration Nmap scan output: nmap -sC -sV -o gamezone <ip> 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 ( 80/tcp open http Apache httpd 2.4.18…
Dipping your toes into Digital Forensics just a bit. Analyzing the .pcap file to replicate the attacker's actions. This machine is different from the others in this series, but it's worth checking out.
#tryhackme #pentest
https://telegra.ph/Ovrpass2-09-23
Telegraph
Ovrpass2
Overpass2 is the seventh machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path. > PCAP analysis That is an unusual type of machine for me. We got the .pcap file with the network dump. There are a few ways to work with .pcap…
Hacking Skynet in this Terminator-themed machine. A LOT of enumeration with a pinch of brute forcing. Exploitation is straightforward; the PrivEsc part will... take some time 😉
#tryhackme #pentest
https://telegra.ph/Skynet-09-23
Telegraph
Skynet
Skynet is the fifth machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path. > Enumeration Let’s start with the nmap scan: nmap -sC -sV -o nmap.txt <target_ip> 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 80/tcp open http…
The last writeup on the Offensive Pentesting learning path from me. Kicking WordPress and Jenkins instances in that one. https://telegra.ph/Internal-09-23-2
Telegraph
Internal
Internal is the last machine in the “Advanced Exploitation” part of TryHackMe’s “Offensive pentesting” path. Enumeration As I’m starting to prepare for my “Dry run” for the OSCP exam, this time I will use more stuff from my methodology. We already learned…
Found my old HackTheBox writeup, which can also be useful for OSCP prep. In Tabby, you need to break into the Tomcat instance and escape from the LXD container for a PrivEsc. Pretty cool machine; this PrivEsc vector is quite common, but still underrepresented in the majority of labs.
#hackthebox #pentest
https://telegra.ph/Tabby-09-27
Telegraph
Tabby
Tabby is an easy Linux machine from HackTheBox that is part of the pool of machines recommended for preparation for the OSCP certification. > Content table Enumeration Exploitation of Tomcat Privilege escalation with LXC containers > Enumeration Start with…
To the hardcore part. While we are still on the OSCP note, it is worth mentioning the crucial part of the exam: the Buffer Overflow exploitation. That machine will give you 25 points (out of the 70 needed to pass the exam), and it is very different from all the other machines. To handle that one, you will need some basic experience with Binary Exploitation and Exploit Development, as you will need to develop an exploit that, by manipulating the program's input and memory, can execute arbitrary code to spawn a shell.
Without further ado, let's gain you some experience:
https://telegra.ph/Buffer-Overflow-101-09-27
#exploitdev #binaryexploitation #oscp
Telegraph
Buffer Overflow 101
> Introduction What is a Buffer Overflow?
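The two mechanical steps of a stack overflow exploit that the post alludes to, finding which bytes of the overlong input land in the saved return address and then laying out the final buffer, are shown below as an added example in C. This is not code from the linked article or from the OSCP course material; it reimplements the familiar cyclic-pattern trick (the "Aa0Aa1Aa2..." pattern) and a conventional padding + return address + NOP sled + shellcode layout, and it assumes a 32-bit little-endian x86 target, which is why the 4-byte register value is byte-swapped before searching. The shellcode byte in main is a constructed placeholder (an int3 breakpoint), not a real payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out with the cyclic pattern "Aa0Aa1Aa2...Ab0Ab1..." (uppercase,
   lowercase, digit triplets). Every 4-byte window is unique for the first
   20280 bytes, so the value that ends up in EIP tells us the offset.
   Writes at most len bytes plus a terminating NUL; returns bytes written. */
size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* eip is the crashed register value as a debugger prints it (a 32-bit
   integer). On little-endian x86 the lowest byte sits first in memory, so
   we rebuild the memory-order bytes and search for them in the pattern.
   Returns the offset of the return address, or -1 if not found. */
long pattern_offset(uint32_t eip, size_t len) {
    char *buf = malloc(len + 1);
    if (!buf) return -1;
    size_t n = pattern_create(buf, len);
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((eip >> (8 * i)) & 0xff); /* memory order */
    long off = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, needle, 4) == 0) { off = (long)i; break; }
    free(buf);
    return off;
}

/* Classic layout: offset bytes of junk, the 4-byte return address written
   little-endian (e.g. the address of a JMP ESP gadget), a NOP sled, then
   the shellcode. Returns the total payload length, or 0 if cap is too small. */
size_t build_payload(unsigned char *out, size_t cap, size_t offset, uint32_t ret,
                     size_t nops, const unsigned char *sc, size_t sc_len) {
    size_t total = offset + 4 + nops + sc_len;
    if (total > cap) return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 4; i++)
        out[offset + i] = (unsigned char)((ret >> (8 * i)) & 0xff);
    memset(out + offset + 4, 0x90, nops);      /* NOP sled */
    memcpy(out + offset + 4 + nops, sc, sc_len);
    return total;
}

int main(void) {
    char pat[201];
    pattern_create(pat, 200);
    printf("pattern: %s\n", pat);

    /* Constructed crash value: "a3Aa" from the pattern read back as a
       little-endian dword, i.e. what a debugger would show in EIP. */
    uint32_t crashed_eip = 0x61413361;
    long off = pattern_offset(crashed_eip, 200);
    printf("EIP=0x%08x -> offset %ld\n", crashed_eip, off);

    unsigned char sc[] = { 0xcc };            /* placeholder: int3, not a real payload */
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload, (size_t)off, 0xdeadbeef, 8, sc, sizeof sc);
    printf("payload length: %zu bytes\n", n);
    return 0;
}
```

In practice the 0xdeadbeef return address is replaced with the address of a JMP ESP (or equivalent) gadget in a module without ASLR, and bad characters are removed from the shellcode before it is appended; neither step changes the layout computed here.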
Preparing for the OSCP? I captured my journey, thoughts and a bunch of advice in this long-read OSCP review.
Is it good? Should you take it? Is it worth it? It's all here!
Enjoy!
#oscp #cert #review
https://telegra.ph/OSCP-review-09-27
Telegraph
OSCP review
> Table of Content Introduction About the PWK/OSCP course Expectations Before taking the course Lab time Preparations for the exam The exam Closing thoughts Useful resources > Introduction The OSCP (Offensive Security Certified Professional), also known as…
My eWPT review is almost done, but it makes no sense to post it, as I'm still waiting for the result to arrive.
Oh well...
I will continue with the start of another series and interrupt it with the review later on. Stay tuned.
Spoiler: eWPT is nice
A bunch of upcoming posts will be all about the wargames from https://exploit.education/, formerly known as exploit-exercises.com.
It's a great collection of virtual machines that can help develop essential skills for vulnerability research and exploit development.
It might seem too simple at the beginning, but the learning curve will smash me shortly, no doubt in that.
I realized it's hard to keep up in series like that (because of the same picture, maybe?). They all look alike!
I'll try to add more context to each post for that sake.
In level 5 of the Nebula wargame we will learn a bit about privileges in Linux, and how you can use a private SSH key that you might find in a backup on a compromised computer.
#exploitdev #nebula
https://telegra.ph/Nebula---05-10-26
Telegraph
Nebula - 05
> Source code There is no source code available for this level. > Getting the flag By checking the flag05 directory we can find unprotected .backup folder: level05@nebula:/home/flag05$ ls -lah total 9.0K drwxr-x--- 1 flag05 level05 80 2021-06-16 00:17 . drwxr…
Let's crack some passwords! In level 6 of the #nebula wargame we will learn how to crack a password hash.
#exploitdev
https://telegra.ph/Nebula---06-10-26
Telegraph
Nebula - 06
> Source code There is no source code available for this level. > Getting the flag Nothing interesting in the /home/flag06 folder, but by poking around in previous challenges I noticed that flag06 user has the hashed password in the /etc/passwd: level06@…
Finally! The fun part starts here. All levels before that were to warm up.
In level 7 of the #nebula wargame we get the source code of the application. We need to read it, understand it, and find out how to exploit the bug there.
#exploitdev
https://telegra.ph/Nebula---07-10-26
Telegraph
Nebula - 07
> Source code #!/usr/bin/perl use CGI qw{param}; print "Content-type: text/html\n\n"; sub ping { $host = $_[0]; print("<html><head><title>Ping results</title></head><body><pre>"); @output = `ping -c 3 $host 2>&1`; foreach $line (@output) { print "$line";…
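The bug class in the level 7 script above is OS command injection: the `host` parameter is interpolated straight into a backtick command, so a value such as `127.0.0.1; id` makes /bin/sh run a second command. The block below is an added example, written in C rather than the Perl of the challenge, that is not part of the Nebula source or the linked writeup; it shows the same vulnerable string-building pattern next to a hardened variant that validates the host against a hostname/IPv4 character set and then executes ping without a shell. The `127.0.0.1; id` input is a constructed example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: attacker-controlled host pasted into a shell command
   line, exactly what the Perl backticks do. Returns 1 and fills out with the
   string that would be handed to /bin/sh (never actually executed here). */
int build_ping_cmd(char *out, size_t cap, const char *host) {
    int n = snprintf(out, cap, "ping -c 3 %s 2>&1", host);
    return n > 0 && (size_t)n < cap;
}

/* Hardened check: allow only characters that can appear in a hostname or a
   dotted IPv4 address, so shell metacharacters (; | & ` $ ( ) newline ...)
   are rejected outright. A leading '-' is refused as well, because ping
   would otherwise parse the "host" as an option. Returns 1 if acceptable. */
int host_is_safe(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened execution: no shell is involved; ping receives the host as one
   argv element, so even a value that slipped past validation could not
   start a second command. Returns ping's exit status, or -1 on refusal
   or failure. */
int ping_host_safely(const char *host) {
    if (!host_is_safe(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "3", host, (char *)NULL);
        _exit(127);                      /* execlp failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *evil = "127.0.0.1; id";  /* constructed injection input */
    char cmd[256];
    build_ping_cmd(cmd, sizeof cmd, evil);
    printf("vulnerable version would run: %s\n", cmd);
    printf("host_is_safe(\"%s\") = %d\n", evil, host_is_safe(evil));
    printf("host_is_safe(\"127.0.0.1\") = %d\n", host_is_safe("127.0.0.1"));
    return 0;
}
```

The validator is the allow-list half of the fix and the argv-based exec is the other half; keeping both means a mistake in one does not immediately become a shell.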
Finding the password for the next level of the #nebula wargame in the TCP stream by using Wireshark.
#exploitdev
https://telegra.ph/Nebula-08-09-20
Telegraph
Nebula - 08
> Source code There is no source code available for this level. > Getting the flag The .pcap file is in the flag08 folder, let’s download it to the main machine and analyze it with Wireshark. One of the ways could be spawning a SimpleHTTPServer on the machine:…
In this #nebula challenge, we will analyze and exploit vulnerable PHP code wrapped in a C SUID binary.
#exploitdev
https://telegra.ph/Nebula-09-09-20
Telegraph
Nebula - 09
> Source code <?php function spam($email) { $email = preg_replace("/\./", " dot ", $email); $email = preg_replace("/@/", " AT ", $email); return $email; } function markup($filename, $use_me) { $contents = file_get_contents($filename); $contents…