22---ssh

All Posts

sudo--l (8)
sqli (7)
139445---smb (5)
ftp (5)
kerberoast (4)
rce (4)
bloodhound (3)
389636---ldap (3)
lfi (3)
dns (3)
wordpress (3)
msfconsole (3)
openssl (3)
suid (3)
routingport-forward (3)
crackmapexec (3)
powershell-web-access (2)
passthecert (2)
directory-traversal (2)
brute-force (2)
drupal (2)
pivoting (2)
ms15 (2)
enumeration (2)
microsoft-iis (2)
161---snmp (2)
juicypotato (2)
file-upload (2)
buffer-overflow (2)
tomcat (2)
wget (2)
certificate (2)
22---ssh (2)
default-credentials (2)
rfi (2)
4555 (1)
gpp (1)
powershell (1)
sam-hashes (1)
migrate (1)
ipv6-relay-attack (1)
mimikatz (1)
golden-ticket-attack (1)
group-policy-preferences (1)
impacket (1)
url-file-attack (1)
ansible (1)
certipy (1)
gdb (1)
intruder (1)
screen (1)
stored-user-agent (1)
log-file-poisoning (1)
autologon (1)
web (1)
nc (1)
tls-10---443 (1)
elastix (1)
webmin (1)
eternal-blue (1)
webconfig (1)
smtp (1)
nslookup (1)
command-injection (1)
crontab (1)
xxe (1)
pwnkit (1)
groups (1)
raw-image (1)
debugfs (1)
python (1)
h2 (1)
111---portmapper (1)
6697---unrealircd (1)
irc (1)
ssh-keygen (1)
hash (1)
kbdx (1)
ssrf (1)
psy-shell (1)
nmap-vuln (1)
nmap-suid (1)
wireshark (1)
tcpdump (1)
imagemagick (1)
exiftool (1)
neofetch (1)
ejpt (1)
prtg-network-monitor (1)
mime (1)
changenamesh (1)
knock (1)
chkrootkit (1)
httpfileserver (1)
pandora-cms (1)
path (1)
rocket (1)
pkexec (1)
polkit (1)
base64-decode (1)
ps-aux (1)
vnc (1)
keepass (1)
smbclientpy (1)
silver-ticket (1)
deserialization-attack (1)
gmsa (1)
enumerating (1)
subdomain (1)
sqlmap (1)
htaccess (1)
netstat (1)
npm (1)
cgi-bin (1)
perl (1)
oracle (1)
odat (1)
opt (1)
firefox-passwords (1)
program-files (1)
writeowner (1)
finger (1)
password-cracking (1)
magento (1)
jamovi (1)
bolt (1)
ssti (1)
chisel (1)
mongodb (1)
shocker (1)
sharepoint (1)
kdbx (1)
tar (1)
evil-winrm (1)
net-user (1)
22-ssh (1)
heartbleed (1)
history (1)
active-directory (1)

Published on
August 31, 2023
HTB Talkative
jamovi Bolt SSTI Pivoting 22---ssh chisel MongoDB shocker
This machine was quite the conundrum. First, we exploited a Jamovi RCE, which led to Rocket Chat, then Bolt CMS. With Bolt we got template injection, code was reflecting, so we did SSTI to gain a reverse shell. Now with foothold, we scanned the local network with nmap, finding a MongoDB. We used chisel to create a tunnel to MongoDB, enumerate it, and then eventually exploit cap_dac from capsh not being installed by using shocker.
Published on
August 19, 2023
HTB Lightweight
22---ssh OpenSSL Wireshark tcpdump
Exploited tcpdump, privesc'd with openssl from the e= capability.

22---ssh

22---ssh (2)

HTB Talkative

HTB Lightweight