This machine is currently active on hackthebox wait until it gets retired or if have owned iyout then you need to get the Administrator NTLM hash or the root password hash from the file /etc/shadow file.And enjoy the writeup.
There was a reverse tabnapping in hackthebox in the walkthrough section due to the html link opener using target=”_blank” without any rel=”noopener nofollow” , that results redireting the victim user to a new phishing page.
This machine is currently active on hackthebox wait until it gets retired or if you have owned it then you need to get the Administrator NTLM hash or the root password hash from the file /etc/shadow file.And enjoy the writeup.
This machine is currently active on hackthebox wait until it gets retired or if you have owned it then you need to get the Administrator NTLM hash or the root password hash from the file /etc/shadow file.And enjoy the writeup.
Discvering a new domain and adding it to the hosts file , Identifying a Local-file-Inclusion and extracting sensitive information . Fuzzing some dirs and got the tomcat-users.xml which contain username and password for tomcat-manager , Generating a java-payload and uploading it to get an initial reverse shell . or using metasploit to exploit the tomcat-deploy . Got a zip file cracking it with john and the password that is cracked is of user ash , The user ash is in lxd group . By importing and initialization lxd image and mouting the root dir , We got shell as root
Got few usernames from the files from the website itself and making a custom wordlist from the website itself using cewl . Password Sparying using metasploit on the smb protocol , Got the correct username and password . Changed the password using smbpasswd and login to the rpcclient. Enumerating about printers . Got a password from the result , Again password sparying using crackmapexec on the winrm protocol got the username associated with it .Logged in using evil-winrm . The user is privileged to load the drivers as , And following an article compiling the necessary files using visual-studio and exploiting the SeLoadDriverPrivilege to get shell as administartor.
The Fortress is currently active , Better you just own it first and then enter the last flag to decrypt the writeup.If you completed the fortress then you can simply enter the last flag of the Akerva fortress , Thanks for visiting
Getting TGT using secretdump for usernames got from smb dirs and using rpcclient to chnage the user password , got a zip file that was a memory dump and getting NTLM hash of user lsass mimikatz ad then admin is around dumping the ntds.dit file.
The file todo.txt tells about a username and making a custom-wordlist using cewl , Brute forcing the login using custom python script , We logged into the CMS and exploiting the bludit using manually and metasploit , We got our initial shell . And the file users.php reveals a hash by cracking it we are logged into as hugo . Privielge escalation is all about the sudo vulnerability.
Dumping the .git dir and bypassing the ssrf along with chaining it with the php-deserialization and php-memcache to get a rce then doing some ldapmodify to modify some users entries to get the shell as root……..