Using cewl to make a custom wordlist from thr page author.html , used wfuzz to find the another domain and sqli in the add_edit_event_user.php , using sqlmap to dump the table user_secure and got the credentials for the openEmr panel.Editing the file config.php and embeding php reverse shell to get initial shell as www-data.The file jquery/functionality.js contains user ash password.Memcached service is ruuning locally. Getting user luffy credentials By dumping data from memcache by Monitoring using Watchers and manually.The user luffy is in the group docker.Displaying docker images got ubuntu and Spawning a root-shell.
{"long"=>"May 10, 2020", "short"=>"May 10"} 2020-05-10T00:00:00+08:00
Fuzzing the hidden dir and then analyzing the python script to excute the command and get an initial shell,And after decrypting the key using superSecureCrypt.py we can get password of user robert robert can run Betterssh.py i mentioned both unintended and Two intended ways to get root.
{"long"=>"May 9, 2020", "short"=>"May 9"} 2020-05-09T00:00:00+08:00
Nmap results and Gobuster reveals robot.txt file which is dissallowing a dir called admin-dir running wfuzz against it we got two files contacts.txt and credentials.txt which contains ftp user and pass.Got some files in ftp server.We got an another directory utility-scripts and fuzzing the dir we got another file adminer.php which is running the adminer-database on it.Connecting our mysql database with the adminer we can write adminer-db data to our data and so we got a password for user waldo.And the user waldo can run a script as root.Privilege escalation via python library path hijacking and running script as root we got a root shell by using netcat bind shell.
{"long"=>"May 4, 2020", "short"=>"May 4"} 2020-05-04T00:00:00+08:00
Exploiting the openadmin service we get an initial shell and after getting credentials of jimmy in db.php logged in using ssh,Enumerating on a local high port we are joanna and privesc using nano is the journey of openadmin.
{"long"=>"May 1, 2020", "short"=>"May 1"} 2020-05-01T00:00:00+08:00
This Box is currently in hackthbox active category , You can access the writeup only if you have either the Administrator user ntlm or the root user password hash from file /etc/shadow.
{"long"=>"Apr 30, 2020", "short"=>"Apr 30"} 2020-04-30T00:00:00+08:00
This Box is currently in hackthbox active category , You can access the writeup only if you have the Administrator user ntlm in md5 format. For More information Go to http://0xprashant.github.io/pages/decryption-instruction
{"long"=>"Apr 20, 2020", "short"=>"Apr 20"} 2020-04-20T00:00:00+08:00
Anonymous access to ftp protocol and found that there exist a interesting file , Directory traversal on the nvms-1000 and grabbing that files and login in as a regular user ,Exploiting Nsclient that is running on port 8443 to get root.
{"long"=>"Apr 13, 2020", "short"=>"Apr 13"} 2020-04-13T00:00:00+08:00
Finding a new subdomain and a tricky lfi using php Wrapper and getting a users creds , Abusing a suid that is somehow linked to another file . Got user and analyzing a python script and getting password to mount images and got ssh-keys for root
{"long"=>"Apr 5, 2020", "short"=>"Apr 5"} 2020-04-05T00:00:00+08:00
This Box is currently in hackthbox active category , You can access the writeup only if you have the Administrator user ntlm in md5 format. For More information Go to http://0xprashant.github.io/pages/decryption-instruction
{"long"=>"Mar 31, 2020", "short"=>"Mar 31"} 2020-03-31T00:00:00+08:00
Identifying the RFI and exploiting it by executing our script using smb service and getting credentials of chris,Running command as chris and getting a Shell as chris.Best part of the machine to create a chm file and embeding our Command init , the boss will Execute the File on it own
{"long"=>"Mar 27, 2020", "short"=>"Mar 27"} 2020-03-27T00:00:00+08:00
