Category: Uncategorized
-
MySQL bruteforcing to Fernet decryption to Python exec calls
Another target. Let’s begin. Let’s run nmap service discovery to make sure. Great, OpenSSH and MySQL. No known-to-me vulnerabilities in either. Guess we’re bruteforcing. Sweet, MySQL creds are ‘root’ and ‘prettywoman’. Thanks, I know what I am. Next up is a bit of a read. I connect to MySQL and poke at the data. Alright,…
-
Command injection via GET request arguments to Cron stupidity
Let’s go! Let’s see what’s on the web server. Alright, dirbusting it is. Okay, what’s in robots.txt? Okay, going to that directory. If we click on OS, we get a set of links to URLs like: Let’s try to do some command injection with the following: It works! Unfortunately, I can’t show you the output…
-
Shellshock to DirtyCOW to root
Alright! Another day, another box! Let’s hit it with nmap. Cool cool, nothing on HTTP but OpenSSH is an extremely old version. After a lot of effort, we decide to look at HTTP again. This is a lesson learned the hard way. Always scan major subdirectories, even if they themselves return 404. Okay, let’s try…
-
PHP string comparison bypass to PHP command injection to password cracking to sudo misconfigs
Alright, so, we’ve got another box to hack. Let’s scan it. Now, I don’t know what kip is, but I’m going to go ahead and press X to doubt. That makes a lot more sense. Let’s see if we can log in. We’re able to log in as anonymous and download index.php.bak… that will probably help later.…
-
Abusing HTTP proxies to connect to unsecured admin services
This is our first challenge. We’re presented with a target and run nmap against it. From this, we see that port 3128 is open, and that it’s usually running Squid proxy. Navigating to this port in a web browser confirms such. We don’t find any blatant/easy-to-exploit vulnerabilities in version 4.14 of Squid, so we decide…