blog.ikuamike.io

Difficulty: Beginner
Release Date: 15 Feb 2020
Author: Love

Summary

In this box only one port is open, and it runs a vulnerable version of sar2html that we take advantage of to get a low-privilege shell. For privilege escalation, a cron job running as root executed a script that we could write to.

Reconnaissance

Nmap

Nmap scan report for 192.168.56.107
Host is up (0.000040s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.

blog.ikuamike.io

Difficulty: Beginner
Release Date: 29 June 2019
Author: Zayotic

Summary

I got an OSCP voucher last year and this is my active effort to prep for it using TJ-Null's OSCP Prep list. Hopefully documenting this will help improve my methodology and get me ready for OSCP and beyond. In this box, initial access is through LFI to RCE by sending a payload in mail and accessing it. For privilege escalation we exploit a setuid binary that doesn't use absolute paths, so hijacking the PATH gives us root.

blog.ikuamike.io

Difficulty: Intermediate
Release Date: 20 Aug 2019
Author: Zayotic

Summary

For this box, some directory bruteforcing is needed to discover some PHP files. One of the PHP files has an LFI vulnerability but can only be accessed after authenticating to the other page. The login form can be bypassed, and we then exploit the LFI. To turn it into RCE we poison the SSH logs. For privilege escalation we exploit a Python web app running locally as root, using insecure deserialization of the cookie by jsonpickle.

blog.ikuamike.io

Difficulty: Beginner
Release Date: 2 Mar 2020
Author: Zayotic

Summary

In this box, we first perform LDAP injection on the web application to bypass the login page. Then we are able to read local files by abusing a local file inclusion vulnerability with the PHP base64 filter. From one of the PHP files we get LDAP credentials that we use to authenticate to LDAP and dump entries. From the entries we get a base64-encoded password that we could use to SSH into the machine.