All Posts
- sudo--l (8)
- sqli (7)
- 139445---smb (5)
- ftp (5)
- kerberoast (4)
- rce (4)
- bloodhound (3)
- 389636---ldap (3)
- lfi (3)
- dns (3)
- wordpress (3)
- msfconsole (3)
- openssl (3)
- suid (3)
- routingport-forward (3)
- crackmapexec (3)
- powershell-web-access (2)
- passthecert (2)
- directory-traversal (2)
- brute-force (2)
- drupal (2)
- pivoting (2)
- ms15 (2)
- enumeration (2)
- microsoft-iis (2)
- 161---snmp (2)
- juicypotato (2)
- file-upload (2)
- buffer-overflow (2)
- tomcat (2)
- wget (2)
- certificate (2)
- 22---ssh (2)
- default-credentials (2)
- rfi (2)
- 4555 (1)
- gpp (1)
- powershell (1)
- sam-hashes (1)
- migrate (1)
- ipv6-relay-attack (1)
- mimikatz (1)
- golden-ticket-attack (1)
- group-policy-preferences (1)
- impacket (1)
- url-file-attack (1)
- ansible (1)
- certipy (1)
- gdb (1)
- intruder (1)
- screen (1)
- stored-user-agent (1)
- log-file-poisoning (1)
- autologon (1)
- web (1)
- nc (1)
- tls-10---443 (1)
- elastix (1)
- webmin (1)
- eternal-blue (1)
- webconfig (1)
- smtp (1)
- nslookup (1)
- command-injection (1)
- crontab (1)
- xxe (1)
- pwnkit (1)
- groups (1)
- raw-image (1)
- debugfs (1)
- python (1)
- h2 (1)
- 111---portmapper (1)
- 6697---unrealircd (1)
- irc (1)
- ssh-keygen (1)
- hash (1)
- kbdx (1)
- ssrf (1)
- psy-shell (1)
- nmap-vuln (1)
- nmap-suid (1)
- wireshark (1)
- tcpdump (1)
- imagemagick (1)
- exiftool (1)
- neofetch (1)
- ejpt (1)
- prtg-network-monitor (1)
- mime (1)
- changenamesh (1)
- knock (1)
- chkrootkit (1)
- httpfileserver (1)
- pandora-cms (1)
- path (1)
- rocket (1)
- pkexec (1)
- polkit (1)
- base64-decode (1)
- ps-aux (1)
- vnc (1)
- keepass (1)
- smbclientpy (1)
- silver-ticket (1)
- deserialization-attack (1)
- gmsa (1)
- enumerating (1)
- subdomain (1)
- sqlmap (1)
- htaccess (1)
- netstat (1)
- npm (1)
- cgi-bin (1)
- perl (1)
- oracle (1)
- odat (1)
- opt (1)
- firefox-passwords (1)
- program-files (1)
- writeowner (1)
- finger (1)
- password-cracking (1)
- magento (1)
- jamovi (1)
- bolt (1)
- ssti (1)
- chisel (1)
- mongodb (1)
- shocker (1)
- sharepoint (1)
- kdbx (1)
- tar (1)
- evil-winrm (1)
- net-user (1)
- 22-ssh (1)
- heartbleed (1)
- history (1)
- active-directory (1)
Eventually landed upon finding SQLi on /room.php?cod=, so we dump the databases with sqlmap. Foothold is a simple phpMyAdmin credential login, followed by a phpMyAdmin 4.8.0 exploit to gain a shell. Root was obtained by exploiting root.service.

Set up three vulnerable Windows machines and conducted a series of attacks against them using techniques such as Kerberoasting and the IPv6 relay attack. Grasping these concepts was time intensive, but it ultimately improved my Active Directory skills overall.

Enumeration brought me to the realization that we are working with Magento. Whenever you have Magento, magescan is your best course of action. Then we exploit Magento with an RCE to reach the admin panel, and eventually get a shell by exploiting Magento's admin panel. Root was a simple privesc via sudo -l.

One way to gain a foothold was brute-forcing an admin account, or /department/login.php. Then we get remote PHP code injection on phpLiteAdmin v1.9, which results in an LFI leading to a shell. For root, we use nmap to exploit knock / port knocking.