Reflection - Vulnlab
Reflection was another chain that consisted of three different machines - which is relatively similar to what we saw in Tengu. The great thing about this specifically in my case is the fact that there doesn’t seem to be any web-application testing on the internal side. While I am still working to improve my web-application testing skills, a break from it every now and then is more than welcome.
Enumeration
Our three machines are 10.10.255.149-151. We’ll query each of these with the NMAP scans tha ...
SQLi Basics
SQL Injection is a web security vulnerability that essentially allows an attacker to maliciously query a database through an input form. Otherwise known as SQLi, SQL injection can thus allow the attacker to view data from within an SQL database that they should not normally be able to view.
Introduction
When I was progressing through my research into exploits, I came across various different forms of SQL injections and how they specifically affect the web services from where they are hosted ...
Domain & Forest Trusts
I took inspiration for researching this topic from one of the recent machines that I wrote a writeup for, which you can find here (you can probably get the interpretation from the name of the chain). The topic that I wanted to delve into today was the idea of Domain and Forest Trusts in an Active Directory environment. I tried getting a little creative with Lucidchart, as you’ll see in the images to follow.
I’ll list a few topics that you’ll need to understand before we delve into domain and fo ...
Lustrous - Vulnlab
This machine is an Active Directory environment that starts from the domain controller and pivots to a workstation before returning back to the DC. Given that we have two machines that are both Windows, I’d like to use Havoc instead of Sliver as our C2 for this walkthrough.
Enumeration
Given the IP range of the instance it seems that there are only two machines to this chain. Let’s start with our usual NMAP scans across them both.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 22:59 EDT ...
Tengu - Vulnlab
This was my first step into a three-machine chain on VulnLab, and I want to thank r0BIT for the development of this chain and all of the work that was put into it. It involves exploiting a domain-joined Linux machine and pivoting through MSSQL, finally leading to the DC after.
Enumeration
Upon doing our first scans, we can see that there are three machines that collectively have either RDP or SSH on them. There’s also another port on .183 denoted as VSAT-CONTROL on port 1880, though t ...
Baby2 - Vulnlab
This machine was really interesting to get into, as I learned how to practically implement backdoors on a compromised host as well as GPO abuses and general vulnerability testing in domain accounts. Props to xct for creating this machine.
Enumeration
Let’s start with a general NMAP scan of the machine.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 21:04 EDT
Nmap scan report for 10.10.102.12
Host is up (0.11s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVIC ...
Trusted - Vulnlab
This chain was relatively fun; however, it’s a REALLY long one. That being said, I still think it was a great learning experience, as I’ve learned how to perform pen-testing exploits that I’ve only heard brief snippets about (yet never done practically). This machine includes exploits such as Local File Inclusion and DLL Hijacking, both of which are commonly seen vulnerabilities if not taken into consideration properly by developers.
Enumeration
Running our NMAP scans for host discove ...
Hybrid - Vulnlab
This chain was relatively fun and allowed me to learn a lot of different tactics that I wouldn’t have previously known how to do. It involves attempting to gain initial access to a domain-joined Linux machine, followed by a pivot to the DC using ADCS.
Enumeration
Running our NMAP scans to discover both machines 10.10.242.85 and 10.10.242.86.
┌──(daz㉿LAPTOP-VA8M33JK)-[~/tech/vl/hybrid]
└─$ cat initial_scan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 00:38 EDT
Nmap scan report ...
Sync - Vulnlab
This is, I believe, the second Linux machine that I’ve written a post about, and I liked how it delved more into hash cracking and the infamous Docker (oh how I despise Docker). This specific machine is really helpful if you want to understand ports that aren’t used very often, such as rsync.
Enumeration
Let’s start with our regular NMAP scans.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-31 19:17 EDT
Nmap scan report for 10.10.110.153
Host is up (0.11s latency).
Not shown: 996 closed tcp port ...
Retro - Vulnlab
This machine is another Active Directory machine, and mimics what you might see in an environment where interns and trainees are given a universal account to use in AD. This has its own security issues, which we’ll exploit today.
Enumeration
Let’s start with our usual NMAP scan.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 16:20 EDT
Nmap scan report for 10.10.124.140
Host is up (0.11s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain ...