PSU 2025 Intro CTF - Serinus
Challenge Name: Serinus
Challenge Description: The Nittany Lion is my second favorite animal. I love birds more - do you love them too? What? What do you mean you’re trying to get past my beautiful canary??
This is the second of two challenges that I’ve created for the CCSO 2025 Intro CTF, which involves yet another binary exploitation challenge. In our last challenge, we targeted an x86 ELF binary that was vulnerable to a stack overflow. We properly enumerated the offset of the EIP,...
PSU 2025 Intro CTF - Overflow
Challenge Name: Overflow
Challenge Description: This is my first C program in Computer Science! My teacher told me to make sure I don’t use some old functions, like strcpy(), strmem(), and…there’s one more that I forgot…. oh well!
This is the first of two challenges I created for PSU’s CCSO Intro CTF, geared towards teaching new students aspiring to improve their cyber skills. PWN, otherwise known as binary exploitation, is a CTF challenge category that requires the user to exploit a...
Tea - Vulnlab
Tea is one of the chains that I still have left to write up, and it involves traversing through an Active Directory environment with two workstations. The first exploit involves CI/CD runners in a Gitea instance, and the next involves exploiting a WSUS connection to the domain controller.
Initial Enumeration
So let’s start with our usual NMAP scans of the two machines. We have access to 10.10.252.213 and 10.10.252.214.
└─$ sudo nmap 10.10.252.213 && sudo nmap 10.10.252.214
Nmap...
Media - Vulnlab
Media is one of the last Medium machines that I’ll cover as part of the medium machine chains. I still have to do the Linux machines along with Unintended (the only Linux-specific chain), but we’ll get to those later. This machine covers NTLM theft along with exploiting symlinks and restoring an IIS account’s vulnerable privileges.
Enumeration
To start, let’s do our usual NMAP scan.
└─$ sudo nmap 10.10.115.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-07 21:54 EDT
Nmap scan report...
Bruno - Vulnlab
Bruno is one of the more difficult AD machines that I’ve done, as all of the attacks in this specific machine are relatively new to me. This machine consists of exploiting a zip archive vulnerability along with pivoting to other user accounts in an AD environment using unconventional methods. You may see the IP update a few times; I did the box multiple times during the writeup portion.
Enumeration
We’ll first start with our usual NMAP scan.
└─$ sudo nmap 10.10.126.214
[sudo] password for...
Job - Vulnlab
Job is one of the older machines from Vulnlab that consists of tactics generally seen on the OSCP. This is great practice for the exam, and involves LibreOffice macros in email servers along with an interesting privilege escalation path. I’ll try to avoid using C2s for this machine just to stay in line with OSCP rules.
Enumeration
So let’s first start with our NMAP scan. Our entry point for this machine is 10.10.105.93.
└─$ sudo nmap 10.10.105.93
Starting Nmap 7.94SVN ( https://nmap.org ) at...
Phantom - Vulnlab
Phantom is the latest machine that was released as of 7/13/2024. This machine involved Active Directory penetration testing along with some password decryption paths. I originally tried going for first blood on this machine; however, the encryption portion was a little difficult for me and I ended up completing it a couple of days later. Cheers and thanks to the people that I worked alongside for this machine - you know who you are.
Enumeration
Let’s run an NMAP scan, our entry point...
Sendai - Vulnlab
Sendai is an AD machine that focuses on a large number of different AD topics. There are a couple of ways to exploit different parts of the attack path, and I’ll go over two methods that I was able to perform for both foothold and privilege escalation. I’m guessing that we’ll see many similar tactics to the AD boxes that I’ve completed before.
Enumeration
Let’s first start out with our NMAP scan of the machine.
└─$ sudo nmap 10.10.98.227
Starting Nmap 7.94SVN ( https://nmap.org ) at...
Manage - Vulnlab
Manage is one of the latest machines created by fume and xct, and it involves enumerating and exploiting a Java MBeans application that is tied to Apache Tomcat. Privilege escalation then involves general binary exploitation with sudo privileges.
Enumeration
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-03 16:19 EDT
Nmap scan report for 10.10.89.27
Host is up (0.11s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
2222/tcp open ...
Delegate - Vulnlab
Delegate is another AD machine that focuses more on your knowledge of how to exploit user privileges and traverse through an AD environment. The bulk of this machine will be done through AD, harboring some exploits such as unconstrained delegation and GenericWrite privileges.
Enumeration
Let’s start by doing our usual NMAP scans of the machine.
└─$ sudo nmap 10.10.87.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-30 00:50 EDT
Nmap scan report for delegate.vl (10.10.87.35)
Host is up...