- Published on
Exploited a CVE in exiftool to get code execution, then privesc'd with neofetch.
All Posts
All Posts
- sudo--l (8)
- sqli (7)
- 139445---smb (5)
- ftp (5)
- kerberoast (4)
- rce (4)
- bloodhound (3)
- 389636---ldap (3)
- lfi (3)
- dns (3)
- wordpress (3)
- msfconsole (3)
- openssl (3)
- suid (3)
- routingport-forward (3)
- crackmapexec (3)
- powershell-web-access (2)
- passthecert (2)
- directory-traversal (2)
- brute-force (2)
- drupal (2)
- pivoting (2)
- ms15 (2)
- enumeration (2)
- microsoft-iis (2)
- 161---snmp (2)
- juicypotato (2)
- file-upload (2)
- buffer-overflow (2)
- tomcat (2)
- wget (2)
- certificate (2)
- 22---ssh (2)
- default-credentials (2)
- rfi (2)
- 4555 (1)
- gpp (1)
- powershell (1)
- sam-hashes (1)
- migrate (1)
- ipv6-relay-attack (1)
- mimikatz (1)
- golden-ticket-attack (1)
- group-policy-preferences (1)
- impacket (1)
- url-file-attack (1)
- ansible (1)
- certipy (1)
- gdb (1)
- intruder (1)
- screen (1)
- stored-user-agent (1)
- log-file-poisoning (1)
- autologon (1)
- web (1)
- nc (1)
- tls-10---443 (1)
- elastix (1)
- webmin (1)
- eternal-blue (1)
- webconfig (1)
- smtp (1)
- nslookup (1)
- command-injection (1)
- crontab (1)
- xxe (1)
- pwnkit (1)
- groups (1)
- raw-image (1)
- debugfs (1)
- python (1)
- h2 (1)
- 111---portmapper (1)
- 6697---unrealircd (1)
- irc (1)
- ssh-keygen (1)
- hash (1)
- kbdx (1)
- ssrf (1)
- psy-shell (1)
- nmap-vuln (1)
- nmap-suid (1)
- wireshark (1)
- tcpdump (1)
- imagemagick (1)
- exiftool (1)
- neofetch (1)
- ejpt (1)
- prtg-network-monitor (1)
- mime (1)
- changenamesh (1)
- knock (1)
- chkrootkit (1)
- httpfileserver (1)
- pandora-cms (1)
- path (1)
- rocket (1)
- pkexec (1)
- polkit (1)
- base64-decode (1)
- ps-aux (1)
- vnc (1)
- keepass (1)
- smbclientpy (1)
- silver-ticket (1)
- deserialization-attack (1)
- gmsa (1)
- enumerating (1)
- subdomain (1)
- sqlmap (1)
- htaccess (1)
- netstat (1)
- npm (1)
- cgi-bin (1)
- perl (1)
- oracle (1)
- odat (1)
- opt (1)
- firefox-passwords (1)
- program-files (1)
- writeowner (1)
- finger (1)
- password-cracking (1)
- magento (1)
- jamovi (1)
- bolt (1)
- ssti (1)
- chisel (1)
- mongodb (1)
- shocker (1)
- sharepoint (1)
- kdbx (1)
- tar (1)
- evil-winrm (1)
- net-user (1)
- 22-ssh (1)
- heartbleed (1)
- history (1)
- active-directory (1)
- Published on
SNMP enumeration to find credentials to gain a shell, which we then route to find Pandora CMS, which wa vulnerable to SQLi, to gain foothold. For root, $PATH was exploited.- Published on
This was an Active Directory Windows machine, started by finding credentials in an image on the website, then dumped information with LDAP for the domain to find a kerberoastable user, then enumerating more shares with cme, find which accounts were active, and then get foothold. For root, we pfx2john, and find a GMSA exploit on powershell, to reset a higher privilege user's password so we can authenticate with our new credentials.- Published on
Exploited a WordPress plugin that exploited Directory Traversal, then enumerated ports with Burpsuite's Intruder functionality. Then we find RCE on a GDB server, which gives foothold. For root, it was a simple screen exploit.- Published on
Exploited buffer overflow to gain foothold, and then cracked a .kdbx file to gain the root password.