Baby - Vulnlab
Baby is an easy difficulty machine where I had to enumerate open ports and services, leverage LDAP and SMB services to gain initial access, utilize SeBackupPrivilege to extract sensitive files, and employ various tools to achieve privilege escalation and capture the root flag.
Enumeration
The Nmap scan shows the following ports.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Wind ...
Trusted - Vulnlab
Trusted is an easy difficulty machine where I leveraged several techniques to exploit vulnerabilities and escalate privileges. After performing an Nmap scan and directory brute-forcing, I discovered user names and hidden directories on the web server. Using a Local File Inclusion (LFI) vulnerability, I accessed sensitive files to obtain MySQL credentials and performed SQL injection to plant a webshell for remote command execution. I created an administrative user, dumped all machine hashes, and ...
Hybrid - Vulnlab
Hybrid is an easy difficulty machine where I exploited a Roundcube vulnerability and leveraged NFS, SUID misconfiguration, and certificate services to escalate privileges and compromise the domain.
Enumeration
I start with 2 IP addresses and nmap shows us the open ports.
Mail01.hybrid.vl
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
587/tcp open ...
Build - Vulnlab
Build is an easy difficulty machine where I had to get credentials from a backup file, access the internal network and add new records in order to bypass the docker container.
Enumeration
The Nmap scan shows the following ports.
nmap -p- --min-rate=10000 10.10.67.89
nmap -sC -sV -p21,23,80 10.10.67.89 -oA ./nmap/Build
|Ports|Service|
|---|---|
|22|ssh OpenSSH 8.9p1 Ubuntu|
|53|Domain PowerDNS|
|512|exec|
|513|login|
|514|shell Netkit rshd|
|873|rsync|
|3000|ppp?|
|3306|mysql|
|8081|blackice-icecap|
Default creds ...
Escape - HackTheBox
Escape is a medium difficulty Windows Active Directory machine that starts with an SMB share from which guest-authenticated users can download a sensitive PDF file. Inside the PDF file, temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials an att ...
Jeeves - HackTheBox
Jeeves is not overly complicated, however, it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path.
Enumeration
First I check for available open ports.
nmap -p- --min-rate=10000 10.10.10.63
nmap -sC -sV -p80,135,445,50000 10.10.10.63 -oA ./nmap/jeeves -Pn
|Ports|Service|
|---|---|
|80|msrpc Microsoft IIS httpd 10.0|
|135|msrpc Microsoft Windows RPC|
...
Remote - HackTheBox
Remote is an easy difficulty Windows machine that features an Umbraco CMS installation. Credentials are found in a world-readable NFS share. Using these, an authenticated Umbraco CMS exploit is leveraged to gain a foothold. A vulnerable TeamViewer version is identified, from which we can gain a password. This password has been reused with the local administrator account. Using psexec with these credentials returns a SYSTEM shell.
Enumeration
First I check for available open ports.
nmap -p- --mi ...
Access - HackTheBox
Access is an easy difficulty machine that highlights how machines associated with the physical security of an environment may not themselves be secure. Also highlighted is how accessible FTP/file shares can often lead to getting a foothold or lateral movement. It teaches techniques for identifying and exploiting saved credentials.
Enumeration
First I check for available open ports.
nmap -p- --min-rate=10000 10.10.10.98
nmap -sC -sV -p21,23,80 10.10.10.98 -oA ./nmap/access
Ports
Service ...
Bastion - HackTheBox
Bastion is an easy level Windows box which contains a VHD (Virtual Hard Disk) image from which credentials can be extracted. After logging in, the software MRemoteNG is found to be installed which stores passwords insecurely, and from which credentials can be extracted.
Enumeration
First I check for available open ports.
nmap -p- --min-rate=10000 10.10.10.134
nmap -sC -sV -p21,22,80,135,139,445,5985,39517 10.10.10.134 -oA ./nmap/bastion.txt
|Ports|Service|
|---|---|
|22|ssh OpenSSH for_Windows_7.9 ...|
vsCTF 2023
We participated in our vsCTF 2023 and we ended up being 1st! It was a day-long CTF but we solved 24 (out of 31) challenges. Some of the challenges were very interesting.
Can't wait to play the next vsCTF event as CyberSpace.
Web
Challenge → Sanity Check
Description → you know what to do.
Solution →
We are presented with a website that is pretty much running nothing. I tried opening the source code by right click and Ctrl+U. Neither of them worked.
We can view the source code by directly manipulating ...