Posts

Showing posts from April, 2022

HackMyVM Kitty

  It's a nightmare!

  1. Find subdomain target.
  2. Exploit oracle padding attack on cookie to become admin and get logs.
  3. sqlmap 'logs' to get users and salt table to find gitea credentials.
  4. gitea holds a comment to find the fastAPI URL.
  5. Find the number for some creds to get a token.
  6. Crack OAUTH token and forge a new one as admin with 'isadmin=1'.
  7. Find and send commands to get reverse shell.
  8. Explore to find 'user' name and sshkey.
  9. Use 'user' and 'www-data' to escalate to 'power' with fastcgi socket.
  10. Reverse engineer regex as power to get root.

HackMyVM - System

  System was not all that 'Easy' as there are a couple of places to get stuck! This is just a basic writeup and I have excluded anything unrequired. It will cover user and root flags so you can work out how to get a root shell for yourself.

  Find it

  ┌──(kali㉿kali)-[~/system]
  └─$ sudo netdiscover -r 10.0.0.0/24 -P| tee findit
  [sudo] password for kali:
   _____________________________________________________________________________
     IP            At MAC Address     Count     Len  MAC Vendor / Hostname
   -----------------------------------------------------------------------------
   10.0.0.1        08:00:27:cb:bf:ce      1      60  PCS Systemtechnik GmbH
   10.0.0.65       08:00:27:8a:4b:22      1      60  PCS Systemtechnik GmbH

  -- Active scan completed, 2 Hosts found.

  Scan it

  # Nmap 7.91 scan initiated Wed Apr  6 04:28:39 2022 as: nmap -T4 -p- -sC -sV -oN nmap.log 10.0.0.65
  Nmap scan report for 10.0.0.65
  Host is up (0.00038s latency).
  Not shown: 65533 closed ports
  PORT   ST