Tea - Vulnlab
Tea is one of the chains that I still have left to write up, and it involves traversing through an Active Directory environment with two workstations. The first exploit involves CI/CD runners in a Gitea instance, and the next involves exploiting a WSUS connection to the domain controller.
Initial Enumeration
So let’s start with our usual NMAP scans of the two machines. We have access to 10.10.252.213 and 10.10.252.214.
└─$ sudo nmap 10.10.252.213 && sudo nmap 10.10.252.214
Nmap scan re ...
Media - Vulnlab
Media is one of the last Medium machines that I’ll cover as part of the medium machine chains. I still have to do the Linux machines along with Unintended (the only Linux-specific chain), but we’ll get to those later. This machine covers NTLM theft along with exploiting symlinks and restoring an IIS account’s vulnerable privileges.
Enumeration
To start, let’s do our usual NMAP scan.
└─$ sudo nmap 10.10.115.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-07 21:54 EDT
Nmap scan report for 1 ...
Bruno - Vulnlab
Bruno is one of the more difficult AD machines that I’ve done, as all of the attacks in this specific machine are relatively new to me. This machine consists of exploiting a zip archive vulnerability along with pivoting to other user accounts in an AD environment using untraditional methods.
You may see the IP change a few times; I did the box multiple times during the writeup portion.
Enumeration
We’ll first start with our usual NMAP scan.
└─$ sudo nmap 10.10.126.214
[sudo] password for daz:
Start ...
Job - Vulnlab
Job is one of the older machines from Vulnlab that consists of tactics generally seen on the OSCP. This is great practice for the exam, and involves LibreOffice macros in email servers along with an interesting privilege escalation path. I’ll try to avoid using C2s for this machine just to stay in line with OSCP rules.
Enumeration
So let’s first start with our NMAP scan. Our entry point for this machine is 10.10.105.93.
└─$ sudo nmap 10.10.105.93
Starting Nmap 7.94SVN ( https://nmap.org ) at 202 ...
Phantom - Vulnlab
Phantom is the latest machine that was released as of 7/13/2024. This machine involved Active Directory penetration testing along with some password decryption paths. I originally tried going for first blood on this machine, however the encryption portion was a little difficult for me and I ended up completing it a couple of days later. Cheers and thanks to the people that I worked alongside for this machine - you know who you are.
Enumeration
Let’s run an NMAP scan, our entry point to ...
Sendai - Vulnlab
Sendai is an AD machine that focuses on a large number of different AD topics. There are a couple of ways to exploit different parts of the attack path, so I’ll go over the two methods that I was able to perform for both foothold and privilege escalation. I’m guessing that we’ll see many tactics similar to the AD boxes that I’ve completed before.
Enumeration
Let’s first start out with our NMAP scan of the machine.
└─$ sudo nmap 10.10.98.227
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07- ...
Manage - Vulnlab
Manage is one of the latest machines created by fume and xct, and it involves enumerating and exploiting a Java MBeans application that is tied to Apache Tomcat. Privilege escalation then involves general binary exploitation with sudo privileges.
Enumeration
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-03 16:19 EDT
Nmap scan report for 10.10.89.27
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
2222/tcp open EtherNetIP-1
8080/tcp op ...
Delegate - Vulnlab
Delegate is another AD machine that focuses more on your knowledge of how to exploit user privileges and traverse through an AD environment. The bulk of this machine will be done through AD, covering exploits such as unconstrained delegation and GenericWrite privileges.
Enumeration
Let’s start by doing our usual NMAP scans of the machine.
└─$ sudo nmap 10.10.87.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-30 00:50 EDT
Nmap scan report for delegate.vl (10.10.87.35)
Host is up (0.11s ...
Breach - Vulnlab
Breach in particular was one of the first Vulnlab machines I had tried when I started Vulnlab back in December, though I really didn’t know what was going on as I had just started off doing red team labs. Since then, I’ve done essentially every easy machine in the Vulnlab archive and a large number of seasonal machines on HTB. Hopefully I’ll be able to relay this a bit more easily this time around.
Enumeration
Let’s start out with our usual NMAP scans, just the default.
Starting Nmap 7.94SVN ( https:// ...
Heron - Vulnlab
This is the newest chain in the medium difficulty, created by xct. I’m going into this relatively blind, so I hope I’ll be able to relay the info that I know correctly. It involves an assumed breach scenario within a domain-joined Linux machine, requiring a pivot and takeover of the domain controller for completion.
I want to thank both xct and otter for their help on this during the initial access portion of the chain; overthinking is a common attribute to have when you start out as a red t ...