Breach - Vulnlab
Breach in particular was one of the first Vulnlab machines I had tried when I started Vulnlab back in December - though I really didn't know what was going on, as I had just started off doing red team labs. Since then, I've done essentially every easy machine on the Vulnlab archive and a large number of seasonal machines on HTB. Hopefully I'll be able to relay this a bit more easily this time around.
Enumeration
Let's start out with our usual NMAP scans, just the default.
Starting Nmap 7.94SVN (...
Heron - Vulnlab
This is the newest chain in the medium difficulty that was created by xct. I'm going into this relatively blind, so I hope I'll be able to relay the info that I know correctly. It involves an assumed breach scenario within a domain-joined Linux machine, requiring a pivot to and takeover of the domain controller for completion. I want to thank both xct and otter for their help on this during the initial access portion of the chain; overthinking is a common attribute to have when you start out as a...
Reflection - Vulnlab
Reflection was another chain that consisted of three different machines - which is relatively similar to what we saw in Tengu. The great thing about this specifically in my case is the fact that there doesn't seem to be any web-application testing on the internal side. While I am still working to improve my web-application testing skills, a break from it every now and then is more than welcome.
Enumeration
Our three machines are 10.10.255.149-151. We'll query each of these with the NMAP scans...
SQLi Basics
SQL Injection is a web security vulnerability that essentially allows an attacker to maliciously query a database through an input form. Otherwise known as SQLi, SQL injection can thus allow the attacker to view data from within an SQL database that they normally should not be able to view.
Introduction
When I was progressing through my research into exploits, I came across various different forms of SQL injections and how they specifically affect the web services from where they are...
Domain & Forest Trusts
I took inspiration for researching this topic from one of the recent machines that I wrote a writeup for, which you can find here (you can probably get the interpretation from the name of the chain). The topic that I wanted to delve into today was the idea of Domain and Forest Trusts in an Active Directory environment. I tried getting a little creative with Lucidchart, as you'll see in the images to follow. I'll list a few topics that you'll need to understand before we delve into domain...
Lustrous - Vulnlab
This machine is an Active Directory environment that starts from the domain controller and pivots to a workstation before returning back to the DC. Given that we have two machines that are both Windows, I'd like to use Havoc instead of Sliver as our C2 for this walkthrough.
Enumeration
Given the IP range of the instance, it seems that there are only two machines to this chain. Let's start with our usual NMAP scans across them both.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 22:59...
Tengu - Vulnlab
This was my first step into a three-machine chain on VulnLab, and I want to thank r0BIT for developing this chain and for all of the work that went into it. It involves exploiting a domain-joined Linux machine and pivoting through MSSQL, finally leading to the DC after.
Enumeration
Upon doing our first scans, we can see that there are three machines that collectively have either RDP or SSH on them. There's also another port on .183 denoted as VSAT-CONTROL on port 1880,...
Baby2 - Vulnlab
This machine was really interesting to get into, as I learned how to practically implement backdoors onto a compromised host as well as GPO abuses and general vulnerability testing in domain accounts. Props to xct for creating this machine.
Enumeration
Let's start with a general NMAP scan of the machine.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 21:04 EDT
Nmap scan report for 10.10.102.12
Host is up (0.11s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE...
Trusted - Vulnlab
This chain was relatively fun; however, it's a REALLY long one. That being said, I still think it was a great learning experience, as I've learned how to perform pen-testing exploits that I've only heard brief snippets about (yet never done practically). This machine includes exploits such as Local File Inclusion and DLL Hijacking, both of which are commonly seen vulnerabilities if not taken into consideration properly by developers.
Enumeration
Running our NMAP scans for host...
Hybrid - Vulnlab
This chain was relatively fun and allowed me to learn a lot of different tactics that I would previously not have known how to do. It involves attempting to gain initial access to a domain-joined Linux machine, followed by a pivot to the DC using ADCS.
Enumeration
Running our NMAP scans to discover both machines, 10.10.242.85 and 10.10.242.86.
┌──(daz㉿LAPTOP-VA8M33JK)-[~/tech/vl/hybrid]
└─$ cat initial_scan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 00:38 EDT
Nmap scan...