Lock - Vulnlab
This is the last writeup I have documented for all of the Easy machines as of 6/3. This machine in particular is related to Gitea, a web application that we’ve pen-tested before in our writeup of Build. This is then followed by a really intuitive exploit of a PDF application, creating a breakpoint at a specific opcode for privilege escalation.
Enumeration
Let’s start with our usual NMAP scan.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 17:05 EDT
Nmap scan report for 10.10.82.24
Host is ...
Forgotten - Vulnlab
This machine was relatively fun, as it involved progressing through the installation of an unused web-application - which we will then exploit. Big props to xct for creating this machine, as I thought it was great learning material and fun to exploit.
Enumeration
Let’s start with our usual NMAP scan to see what ports are open.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 21:55 EDT
Nmap scan report for 10.10.113.195
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh ...
Feedback - Vulnlab
This is another machine from VulnLab, and it involves exploiting a Log4J vulnerability in a web service and using it to access internal resources to compromise a Linux machine. This specific machine seems to focus heavily on web services, which is a nice change of pace from the AD pen-testing that I’m used to.
Enumeration
Let’s start with our usual NMAP scan of the machine.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 22:30 EDT
Nmap scan report for 10.10.75.95
Host is up (0.11s latency).
Not ...
Escape - Vulnlab
This box was really creative, and involved a Kiosk breakout with the only port being 3389. When I initially started this, I was going into it relatively blind. The attack path is more so up to interpretation and really gets you thinking about what you have access to and how to exploit it.
Enumeration
With that being said, let’s start with our initial NMAP scan. Given that just RDP is on this machine, I’ll run an aggressive scan immediately so that we can get the DNS information for our ...
Data - Vulnlab
Data was another interesting machine that involved interacting with a Grafana web service and utilizing web-app exploits to gain access to a Docker container. This is the first writeup that I’ve written that covers a Docker breakout, so I hope I’ll be able to explain it properly.
Enumeration
Let’s start with a basic NMAP scan.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-02 12:15 EDT
Nmap scan report for 10.10.64.184
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT ...
Build - Vulnlab
This is one of the latest VulnLab machines released in the Easy category, and it was a really well-put-together machine. It offers practice with relatively unused ports and applications, and also has us tunnel machine resources through a firewall.
Enumeration
Let’s start with our usual NMAP scans of the machine. Note that I ran a port range scan from 1-10000.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-12 23:42 EDT
Nmap scan report for 10.10.90.130
Host is up (0.12s latency).
Not shown ...
Baby - VulnLab
This machine is a more beginner-level Active Directory machine; however, it’s very useful if you want to understand the fundamentals of AD and how to exploit it. You’ll see a lot of the techniques here in more difficult machines (though they may be used differently).
Enumeration
With that, let’s run our base NMAP scan.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 17:18 EDT
Nmap scan report for 10.10.99.70
Host is up (0.11s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SE ...