olzclub.blogg.se

Design doll crack reddit

ctf htb-escape hackthebox nmap crackmapexec windows smbclient mssql mssqlclient xp-cmdshell responder net-ntlmv2 hashcat winrm evil-winrm certify adcs rubeus certipy silver-ticket pass-the-hash xp-dirtree

Escape is a very Windows-centric box focusing on MSSQL Server and Active Directory Certificate Services (ADCS). I’ll start by finding some MSSQL creds on an open file share. With those, I’ll use xp_dirtree to get a Net-NTLMv2 challenge/response and crack that to get the sql_svc password. That user has access to logs that contain the next user’s creds. To get administrator, I’ll attack Active Directory Certificate Services, showing both Certify and Certipy. In Beyond Root, I’ll show an alternative vector using a silver ticket attack from the first user to get file read as administrator through MSSQL.

hackthebox ctf htb-stocker nmap ubuntu ffuf subdomain feroxbuster burp burp-repeater chatgpt express nodejs nosql nosql-auth-bypass nosql-injection xss serverside-xss pdf file-read

Stocker starts out with a NoSQL injection allowing me to bypass login on the dev website. From there, I’ll exploit purchase order generation via a server-side cross-site scripting in the PDF generation that allows me to read files from the host. I’ll get the application source and use a password it contains to get a shell on the box. The user can run some NodeJS scripts as root, but the sudo rule is misconfigured in a way that allows me to run arbitrary JavaScript and get a shell as root.













