- Published on
Had to make my Firefox able to load TLS 1.0, then found elastix was vulnerable, gained foothold. Then, found a Webmin portal which was able to execute commands as root, which gave me root.
All Posts
All Posts
- sudo--l (8)
- sqli (7)
- 139445---smb (5)
- ftp (5)
- kerberoast (4)
- rce (4)
- bloodhound (3)
- 389636---ldap (3)
- lfi (3)
- dns (3)
- wordpress (3)
- msfconsole (3)
- openssl (3)
- suid (3)
- routingport-forward (3)
- crackmapexec (3)
- powershell-web-access (2)
- passthecert (2)
- directory-traversal (2)
- brute-force (2)
- drupal (2)
- pivoting (2)
- ms15 (2)
- enumeration (2)
- microsoft-iis (2)
- 161---snmp (2)
- juicypotato (2)
- file-upload (2)
- buffer-overflow (2)
- tomcat (2)
- wget (2)
- certificate (2)
- 22---ssh (2)
- default-credentials (2)
- rfi (2)
- 4555 (1)
- gpp (1)
- powershell (1)
- sam-hashes (1)
- migrate (1)
- ipv6-relay-attack (1)
- mimikatz (1)
- golden-ticket-attack (1)
- group-policy-preferences (1)
- impacket (1)
- url-file-attack (1)
- ansible (1)
- certipy (1)
- gdb (1)
- intruder (1)
- screen (1)
- stored-user-agent (1)
- log-file-poisoning (1)
- autologon (1)
- web (1)
- nc (1)
- tls-10---443 (1)
- elastix (1)
- webmin (1)
- eternal-blue (1)
- webconfig (1)
- smtp (1)
- nslookup (1)
- command-injection (1)
- crontab (1)
- xxe (1)
- pwnkit (1)
- groups (1)
- raw-image (1)
- debugfs (1)
- python (1)
- h2 (1)
- 111---portmapper (1)
- 6697---unrealircd (1)
- irc (1)
- ssh-keygen (1)
- hash (1)
- kbdx (1)
- ssrf (1)
- psy-shell (1)
- nmap-vuln (1)
- nmap-suid (1)
- wireshark (1)
- tcpdump (1)
- imagemagick (1)
- exiftool (1)
- neofetch (1)
- ejpt (1)
- prtg-network-monitor (1)
- mime (1)
- changenamesh (1)
- knock (1)
- chkrootkit (1)
- httpfileserver (1)
- pandora-cms (1)
- path (1)
- rocket (1)
- pkexec (1)
- polkit (1)
- base64-decode (1)
- ps-aux (1)
- vnc (1)
- keepass (1)
- smbclientpy (1)
- silver-ticket (1)
- deserialization-attack (1)
- gmsa (1)
- enumerating (1)
- subdomain (1)
- sqlmap (1)
- htaccess (1)
- netstat (1)
- npm (1)
- cgi-bin (1)
- perl (1)
- oracle (1)
- odat (1)
- opt (1)
- firefox-passwords (1)
- program-files (1)
- writeowner (1)
- finger (1)
- password-cracking (1)
- magento (1)
- jamovi (1)
- bolt (1)
- ssti (1)
- chisel (1)
- mongodb (1)
- shocker (1)
- sharepoint (1)
- kdbx (1)
- tar (1)
- evil-winrm (1)
- net-user (1)
- 22-ssh (1)
- heartbleed (1)
- history (1)
- active-directory (1)
- Published on
Enumerated with ffuf, to come to the realization that this is just a shocker exploit. Sudo -l listed perl so perl was our privesc.- Published on
- Published on
Enumerated LDAP, http, smbclient, to then Kerberoast, auth as sqlsvc, and prepare a silver ticket attack. Once we convert SID to string, we can create our ticket, and authenticate as a shell with pwsh. Once we gain foothold, we get root with a deserialization attack.- Published on
Boolean-based SQL injection, which gives access to a database, then we authenticated file fuzz leading to bypassing .htaccess in apache which gives RCE. Once foothold from RCE was obtained, we pivot as mark, find a local hosted web server, and exploit npm to root.