CPTS on

Attacking Common Applications - Part I

Tue, 03 Jun 2025 03:38:50 -0300

This is the part one of the Attacking Common Application’s skills assessment section.

Summary (How?)

We are presented with a Windows host that has several services running. Among these the vulnerable one is Tomcat 9.0.0.M1 running on port 8080. This does not have any manager pages available, and its vulnerable to several CVEs including Ghostcat and CVE-2019-0232, the latter was the key to get into the machine, as it allowed for RCE. The problem here is that this RCE wasn’t that straight forward, first we needed to fuzz a vulnerable CGI script located in /cgi/cmd.bat and the use a metasploit module that abused this vulnerability to obtain a reverse shell as NT authority/system.

Attacking Common Applications - Part II

Tue, 03 Jun 2025 03:38:50 -0300

This is the part two of the Attacking Common Application’s skills assessment section.

Summary (How?)

We began by scanning the target and identified several open ports hosting potentially interesting services. One of them was GitLab, accessible via a provided virtual host. Enumeration of the GitLab instance revealed a public repository referencing another virtual host: monitoring, which resolved to a Nagios instance.

Next, we created an account on GitLab and logged in. This revealed additional repositories, one of which contained hardcoded credentials for the Nagios web interface. Using these, we accessed the Nagios instance as an admin.

Attacking Common Applications - Part III

Tue, 03 Jun 2025 03:38:50 -0300

This is the part two of the Attacking Common Application’s skills assessment section.

Situation

During our penetration test our team found a Windows host running on the network and the corresponding credentials for the Administrator. It is required that we connect to the host and find the hardcoded password for the MSSQL service. What is the hardcoded password for the database connection in the MultimasterAPI.dll file?

Enumeration

We are given the credentials Administrator:xcyj8izxNVzhf4z and a dynamic-linked libraty MultimasterAPI.dll to analyze, so the first thing was loggin into the box and search for this file, we get 3 hits, but from the path I decide to start with the first one.

Linux Privilege Escalation

Wed, 07 May 2025 03:38:50 -0300

This post explains the process of enumerating a linux system in order to find paths to escalate privileges.

Overiview

Automated tools

Manual - General things

These are the general things we will be enumerating in the process below

OS

OS Version
Kernel Version

Services

Running Services: ps aux | grep root
Installed Packages and Versions

User

whoami, id, hostname
User Home Directories
Sudo Privileges: sudo -l

Files & Directories

Configuration files: .conf & .config
Readable Shadow File
Password Hashes in /etc/passwd (more common on embedded devices and routers)
Writeable Directories
Writeable Files
SETUID and SETGID Permissions

Cron Jobs

Under: /etc/cron*

File Systems

Unmounted File System and Aditional Drivers
File Systems & Additional Drives

Process of enumeration

1. Gaining Situational Awareness

whoami
id
hostname

cat /etc/os-release

echo $PATH
env

uname -a
lscpu

cat /etc/shells

lsblk    # block devices
lpstat   # printers
cat /etc/fstab

# network information
route
arp -a

cat /etc/passwd
cat /etc/passwd | cut -f1 -d: # usernames
grep "*$" /etc/passwd

cat /etc/group
getent group sudo

ls /home

# file systems
df -h
# unmounted fs
cat /etc/fstab | grep -v "#" | column -t

# hidden files for $USER
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep $USER
# setuid files
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
# setgid files
find / -uid 0 -perm -6000 -type f 2>/dev/null
# hidden directories
find / -type d -name ".*" -ls 2>/dev/null

ls /var/tmp   # data retained 30 days
ls /tmp       # data retained 10 days or until system reboot

2. Linux Services & Internals Enumeration

ip a

cat /etc/hosts

lastlog # users's last login command
who     # check who's logged in
finger

history
find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null
# finding history files

# Cronjobs
ls -la /etc/cron.*/
cat /etc/crontab

# writeable files (check for cronjob abuse)
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

# proc filesystem is a virtual fs that contains info about system processes, hw, system info
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list # list of installed packages
sudo -V  # sudo version
ls -l /bin /usr/bin/ /usr/sbin/ # list of binaries
# compare available binaries against GTFO
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/

#  analyze system calls and signal processing
strace ping -c1 IP

find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null # configuration files

# Scripts
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
ps aux | grep root
# running services by user

3. Credential Hunting

See Credential Hunting Linux

Linux Credential Hunting

Tue, 06 May 2025 03:38:50 -0300

Configuration Files

find all possible configuration files on the system

for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" **2**>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

run the scan directly for each file found with the specified file extension and output the contents. In this example, we search for three words (user, password, pass) in each file with the file extension .cnf.

Active Directory Enumeration and Attacks - Part I

Tue, 08 Apr 2025 03:38:50 -0300

Summary (How?)

We gain initial access to the internal Active Directory environment through a web shell. We begin by enumerating the host and retrieving the first flag located on the administrator’s desktop. Using the compromised host, the web shell, and Ligolo-ng, we pivot into the internal network.

During internal enumeration, we discover a host named MS01. We compromise the local administrator account on this machine using a Pass-the-Hash attack, leveraging NTLM hashes obtained from the initial foothold.

SQLMap - Skills Assessment

Sun, 08 Dec 2024 03:38:50 -0300

Introduction

sqlmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. It supports a wide range of SQL injection techniques, including boolean-based, time-based, error-based, and UNION query-based attacks.

The goal of this module is to introduce us into the tool and how it is useful in real-world scenarios where SQLi is feasible. That’s why in this writeup the key is in finding the vulnerable parameter.