snowscan.io

Chaos - Hack The Box

May 25, 2019

Chaos starts with some enumeration to find a hidden wordpress site that contains a set of credentials for a webmail site. There’s some simple crypto we have to do to decrypt an attachment and find a hidden link on the site. We then exploit the PDF creation website which uses LaTeX and gain RCE. After getting a reverse shell, we do some digging into the user’s folders and find the webmin root credentials stored in the Firefox user profile.

Conceal - Hack The Box

May 18, 2019

Conceal uses IPSec to secure connectivity to the server and nothing is exposed by default except SNMP and IPSec. After finding the preshared key by enumerating with SNMP, we connect to the server, upload an ASP payload to gain RCE then privesc to SYSTEM using RottenPotato. Not a bad box overall, but the initial part of figuring out the IPSec configuration parameters took me a while to figure out/guess.

asp ipsec vpn rotten tomato

Lightweight - Hack The Box

May 11, 2019

Lightweight was a fun box that uses Linux capabilities set on tcpdump so we can capture packets on the loopback interface and find credentials in an LDAP session. We then find more credentials in the source code of the web application and finally priv esc to root by abusing a copy of the openssl program that all has Linux caps set on it.

john ldap caps tcpdump password cracking

Bighead - Hack The Box

May 04, 2019

Bighead was an extremely difficult box by 3mrgnc3 that starts with website enumeration to find two sub-domains and determine there is a custom webserver software running behind an Nginx proxy. We then need to exploit a buffer overflow in the HEAD requests by creating a custom exploit. After getting a shell, there’s some pivoting involved to access a limited SSH server, then an LFI to finally get a shell as SYSTEM. For the final stretch there is an NTFS alternate data stream with a Keepass file that contains the final flag.

exploit development egghunter asm nginx php keepass lfi ntfs ads enumeration insane windows

Irked - Hack The Box

April 27, 2019

Irked is an easy box running a backdoored UnrealIRC installation. I used a Metasploit module to get a shell then ran steghide to obtain the SSH credentials for the low privileged user then got root by exploiting a vulnerable SUID binary.

ctf stego cve metasploit suid

Teacher - Hack The Box

April 20, 2019

Teacher uses the Moodle Open Source Learning platform and contains a vulnerability in the math formula that gives us RCE. The credentials for the Moodle application are found in a .png file that contains text instead of an actual image. After getting a shell with the math formula, we find the low privilege user credentials in the MySQL database. We then escalate to root by abusing a backup script running from a cronjob as root.

moodle mysql enumeration ctf tar cronjob

Redcross - Hack The Box

April 13, 2019

Redcross has a bit of everything: Cross-Site Scripting, a little bit of SQL injection, reviewing C source code to find a command injection vulnerability, light exploit modification and enumeration.

linux xss sqli command injection pgsql cve nss

Vault - Hack The Box

April 06, 2019

This is the writeup for Vault, a machine with pivoting across different network segments.

linux php openvpn firewall pivoting gpg

Curling - Hack The Box

March 30, 2019

This is the writeup for Curling, a pretty easy box with Joomla running. We can log in after doing basic recon and some educated guessing of the password.

joomla ctf cron php easy

Frolic - Hack The Box

March 23, 2019

This is the writeup for Frolic, a CTF-like machine with esoteric programming languages and a nice priv esc that requires binary exploitation.

metasploit esoteric language ctf rop buffer overflow binary exploitation

Snowscan

Recent Posts