Skills Assessment on

Attacking Common Applications - Part I

Tue, 03 Jun 2025 03:38:50 -0300

This is the part one of the Attacking Common Application’s skills assessment section.

Summary (How?)

We are presented with a Windows host that has several services running. Among these the vulnerable one is Tomcat 9.0.0.M1 running on port 8080. This does not have any manager pages available, and its vulnerable to several CVEs including Ghostcat and CVE-2019-0232, the latter was the key to get into the machine, as it allowed for RCE. The problem here is that this RCE wasn’t that straight forward, first we needed to fuzz a vulnerable CGI script located in /cgi/cmd.bat and the use a metasploit module that abused this vulnerability to obtain a reverse shell as NT authority/system.

Attacking Common Applications - Part II

Tue, 03 Jun 2025 03:38:50 -0300

This is the part two of the Attacking Common Application’s skills assessment section.

Summary (How?)

We began by scanning the target and identified several open ports hosting potentially interesting services. One of them was GitLab, accessible via a provided virtual host. Enumeration of the GitLab instance revealed a public repository referencing another virtual host: monitoring, which resolved to a Nagios instance.

Next, we created an account on GitLab and logged in. This revealed additional repositories, one of which contained hardcoded credentials for the Nagios web interface. Using these, we accessed the Nagios instance as an admin.

Attacking Common Applications - Part III

Tue, 03 Jun 2025 03:38:50 -0300

This is the part two of the Attacking Common Application’s skills assessment section.

Situation

During our penetration test our team found a Windows host running on the network and the corresponding credentials for the Administrator. It is required that we connect to the host and find the hardcoded password for the MSSQL service. What is the hardcoded password for the database connection in the MultimasterAPI.dll file?

Enumeration

We are given the credentials Administrator:xcyj8izxNVzhf4z and a dynamic-linked libraty MultimasterAPI.dll to analyze, so the first thing was loggin into the box and search for this file, we get 3 hits, but from the path I decide to start with the first one.

Active Directory Enumeration and Attacks - Part I

Tue, 08 Apr 2025 03:38:50 -0300

Summary (How?)

We gain initial access to the internal Active Directory environment through a web shell. We begin by enumerating the host and retrieving the first flag located on the administrator’s desktop. Using the compromised host, the web shell, and Ligolo-ng, we pivot into the internal network.

During internal enumeration, we discover a host named MS01. We compromise the local administrator account on this machine using a Pass-the-Hash attack, leveraging NTLM hashes obtained from the initial foothold.

SQLMap - Skills Assessment

Sun, 08 Dec 2024 03:38:50 -0300

Introduction

sqlmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. It supports a wide range of SQL injection techniques, including boolean-based, time-based, error-based, and UNION query-based attacks.

The goal of this module is to introduce us into the tool and how it is useful in real-world scenarios where SQLi is feasible. That’s why in this writeup the key is in finding the vulnerable parameter.