All Posts

  • Published on
    Windows machine first exploited with SQLi, getting admin on a website. Then there is a hidden file, which gives me execution for a foothold. Eventually I extracted Firefox passwords, used Bloodhound to find out more about what we were looking at, and got a LAPS password to gain root.
  • Published on
    This machine was quite the conundrum. First, we exploited a Jamovi RCE, which led to Rocket Chat, then Bolt CMS. With Bolt we got template injection; code was being reflected, so we did SSTI to gain a reverse shell. Now with a foothold, we scanned the local network with nmap, finding a MongoDB. We used chisel to create a tunnel to MongoDB, enumerated it, and then eventually exploited cap_dac, from capsh not being installed, by using shocker.
  • Published on
    Enumerated users with crackmapexec and smbclient, and eventually cracked a .pfx file, converted it into a cert.pem and key.pem, then obtained a foothold. For root, we have credentials in a LAPS group, which provides root.
  • Published on
    Enumeration led me to WordPress, and eventually a username & computer name to authenticate within a web PowerShell. Then for a foothold, we go from the web PowerShell to a reverse shell, privesc with a pivot to msedge.exe, then utilize sam & system hashes to get hive information, which will eventually lead me to root.
  • Published on
    Foothold obtained from finding something called Rocket Chat, and a bot called 'hubot' which allowed me to break out of its syntax and obtain a foothold. For root, we went from dwight to root via CVE-2021-3560, which is 'polkit'. This was my first time exploiting it, and my linpeas gave a weird output at first which didn't show the 'CVEs Check' from linpeas.