SquareZero

Reflection is a Medium difficulty machine where enumeration and exploitation involve a thorough assessment of a Windows-based network. The user started by identifying open ports and services, leading to the discovery of an SMB share containing database credentials. These credentials were used to access MSSQL servers, where additional credentials were retrieved. By exploiting SMB relay vulnerabilities and using Bloodhound for Active Directory enumeration, the user identified privileges like Gene ...

Baby2 is a Medium difficult machine where I began with a Nmap scan revealing several open ports on the target, including SMB and LDAP. Access to SMB shares with a null password provided read/write permissions on the homes share, revealing user information and a VBS logon script in the SYSVOL share. The script was modified to execute a reverse shell, leading to access as the user Amelia Griffiths. Using BloodHound and PowerView, it was discovered that Amelia had WriteDACL rights over the GP ...

Retro is an easy difficulty machine where enumeration revealed a static website on port 80 and a Gitea instance on port 3000. Exploring Gitea, a repository by ellen.freeman contained a script with an exposed access token, leading to the cloning of a hidden “website” repository with CI/CD integration. A reverse shell was injected and executed, gaining access as ellen.freeman. In her Documents, a config file for mRemoteNG with encrypted credentials was found and decrypted, allowing access to ...

Retro is an easy difficulty machine where I had to enumerate open ports and services, leverage LDAP and SMB services to gain initial access, utilize credential brute forcing to discover simple passwords, and employ Impacket and Certipy to change credentials and exploit an ESC1 vulnerability for privilege escalation. The final step involved obtaining a TGT for the administrator to capture the root flag. EnumerationThe Nmap scan shows the following ports. 1234567891011121314PORT STATE SERVIC ...

Baby is an easy difficulty machine, Where I had to enumerate open ports and services, leverage LDAP and SMB services to gain initial access, utilize SeBackupPrivilege to extract sensitive files and employ various tools to achieve privilege escalation and capture the root flag. EnumerationThe Nmap scan shows the following ports. 123456789101112131415161718192021PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Wind ...

Trusted is an easy difficulty machine where I leveraged several techniques to exploit vulnerabilities and escalate privileges. After performing an Nmap scan and directory brute-forcing, I discovered user names and hidden directories on the web server. Using a Local File Inclusion (LFI) vulnerability, I accessed sensitive files to obtain MySQL credentials and performed SQL injection to plant a webshell for remote command execution. I created an administrative user, dumped all machine hashes, and ...

Hybrid is an easy difficulty machine, Where I exploited a Roundcube vulnerability and leveraged NFS, SUID misconfiguration, and certificate services to escalate privileges and compromise the domain. EnumerationI start with 2 IP addresses and nmap shows us the open ports. Mail01.hybrid.vl 12345678910111213PORT STATE SERVICE 22/tcp open ssh25/tcp open smtp80/tcp open http110/tcp open pop3111/tcp open rpcbind 143/tcp open imap587/tcp open ...

Build is an easy difficulty machine, Where I had to get credentials from a backup file, access the internal network and add new records in order to bypass the docker container. EnumerationThe Nmap scan shows the following ports.nmap -p- --min-rate=10000 10.10.67.89 nmap -sC -sV -p21,23,80 10.10.67.89 -oA ./nmap/Build |Ports|Service|22| ssh OpenSSH 8.9p1 Ubuntu|53| Domain PowerDNS|512| exec|513| login|514| shell Netkit rshd|873| rsync|3000| ppp?|3306| mysql|8081| blackice-icecap Default creds ...

Escape is a medium difficulty Windows Active Directory machine that starts with an SMB share that guest authenticated users can download a sensitive PDF file. Inside the PDF file temporary credentials are available for accessing an MSSQL service running on the machine. An attacker is able to force the MSSQL service to authenticate to his machine and capture the hash. It turns out that the service is running under a user account and the hash is crackable. Having a valid set of credentials an att ...

Jeeves is not overly complicated, however, it focuses on some interesting techniques and provides a great learning experience. As the use of alternate data streams is not very common, some users may have a hard time locating the correct escalation path. EnumerationFirst I check for available open ports. nmap -p- --min-rate=10000 10.10.10.63 nmap -sC -sV -p80,135,445,50000 10.10.10.63 -oA ./nmap/jeeves -Pn Ports Service 80 msrpc Microsoft IIS httpd 10.0 135 msrpc Microsoft Windows RPC ...