-
HTB Tenet
2021-06-22
Tenet starts off with a WordPress site. After some enumeration, a second domain is found, along with a PHP file vulnerable to object injection. From there, an attacker can get a shell, find credentials in a configuration file, and privesc to root by leveraging a race condition. Enumeration Nmap shows port 22 is open for SSH and port 80 is running an HTTP server displaying the default apache2 page. Starting Nmap 7.91 ( https://nmap.…
-
HTB ScriptKiddie
2021-06-16
In ScriptKiddie, we compromise a server run by a pair of script kiddies with an outdated version of msfvenom and chain several misconfigurations to achieve root access. Enumeration Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-07 15:33 UTC Nmap scan report for 10.10.10.226 Host is up (0.19s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA) | 256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA) |_ 256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519) 5000/tcp open http Werkzeug httpd 0.…
-
HTB Delivery
2021-05-22
In Delivery, we will leverage misconfigurations in a ticketing system and internal communications channels to gain access to where we certainly shouldn’t be able to go. We will also see another example of where weak and reused passwords make our job easy. Enumeration Starting off, a standard Nmap scan shows both an SSH server on port 22 and a web server on port 80. Starting Nmap 7.91 ( https://nmap.…
-
HTB Ready
2021-05-15
Ready is a GitLab instance where we exploit an SSRF in order to get code execution and find ourselves in a Docker container. We find some credentials to escalate to root inside the container and then leverage the fact it was started with the “privileged” flag to escape the container. Enumeration Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-27 00:15 UTC Nmap scan report for 10.129.90.66 Host is up (0.095s latency).…
-
Cyber Apocalypse 2021: Backdoor
2021-04-25
Note: I did not solve this challenge until after the CTF had officially ended. File shows that bd is a stripped binary, which can make reversing a bit harder. $ file bd bd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1da3a1d77c7109ce6444919f4a15e7e6c63d02fa, stripped Nothing relevant shows up in strings, though it’s interesting to note the size of the binary. Once opened in Ghidra, an interesting section can be seen in the program tree.…
-
Cyber Apocalypse 2021: Passphrase
2021-04-25
Passphrase is an ELF 64-bit executable. It is dynamically linked and is not stripped of debug symbols. $ file passphrase passphrase: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=60f6b6064d2e34a2b6a24dda9feb943b0b8c360f, not stripped Strings doesn’t reveal a whole lot of info. The binary prompts for a “secret passphrase”. If it is correct, it asks that a message, presumably the flag, be taken to the chief.…
-
Cyber Apocalypse 2021: Authenticator
2021-04-25
Authenticator is an ELF 64-bit executable. It is dynamically linked and is not stripped of debug symbols. $ file authenticator authenticator: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=66286657ca5a06147189b419238b2971b11c72db, not stripped Strings shows a lot of standard stuff and a few things that are likely directly related to this challenge. There are a couple of what seem to be dialog lines, mention of a flag and a rather strange sequence of, }a:Vh|}a:g}8j=}89gV<p<}:dV8<Vg9}V<9V<:j|{:.…
-
HTB Bucket
2021-04-24
Bucket is a very interesting box that replicates an AWS Cloud Stack. It’s also quick on the draw with file cleanup, so some scripting is useful to obtain a foothold. Nmap Starting off with the usual nmap scan shows two open ports: a bucket.htb web page on port 80 and SSH on port 22. sudo nmap -sC -sV 10.10.10.212 [sudo] password for nightwolf: Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-29 22:27 UTC Nmap scan report for 10.…
-
HTB Academy
2021-04-10
Academy is a Linux box that focuses a lot on enumeration and attention to detail for both foothold and privilege escalation. For root it has a simple GTFOBin, and lastly it was a “special box” that served as a way for HTB to announce academy.hackthebox.eu. Enumeration # Nmap 7.80 scan initiated Sat Nov 7 20:48:08 2020 as: nmap -sC -sV -oA Academy 10.129.20.80 Nmap scan report for 10.129.20.80 Host is up (0.…
-
HTB Passage
2021-03-24
Intro Passage is an Ubuntu box. It had a few privesc steps and a few tricks up its sleeve to prevent what you might typically do for initial enumeration. Enumeration A standard nmap scan shows that SSH is running on port 22 and an Apache web server is running on port 80. sudo nmap -sV -sC -Pn -oA Passage 10.10.10.206 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-19 17:14 MDT Nmap scan report for 10.…