-
HTB Doctor
2021-03-04
Doctor has a “secure” message board system that allows us to gain code execution. From there, we access logs, find credentials, and escalate privileges to root by taking advantage of our local access to Splunkd. Enumeration sudo nmap -sC -sV 10.10.10.209 -oA Doctor Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-18 19:07 UTC Nmap scan report for 10.10.10.209 Host is up (0.11s latency). Not shown: 997 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.…
-
HTB Omni
2021-01-09
Omni is an Easy machine from HTB. The info card features a question mark in place of the OS. It’s something a little bit different than normal. I would sharpen your PowerShell skills though. Enumeration We start off with an NMAP scan and see a whole bunch of open ports on what seems to be a Windows machine. Nmap scan report for 10.10.10.204 Host is up (0.081s latency). Not shown: 65529 filtered ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 5985/tcp open upnp Microsoft IIS httpd 8080/tcp open upnp Microsoft IIS httpd | http-auth: | HTTP/1.…
-
HTB OpenKeyS
2020-12-25
OpenKeyS is an OpenBSD box that features CVE-2019-19521 as a vulnerability that allows you to gain access to a user and ultimately root. Enumeration We start off with an NMAP scan and can see that there are two open ports: 22 for SSH and 80 for OpenBSD httpd. Nmap scan report for 10.10.10.199 Host is up (0.079s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.…
-
HTB Buff
2020-11-23
Buff is a Windows box that features the website for a Gym Membership software and a simple Windows stack-based buffer overflow. Scanning and Enumeration First thing to note about this box is it seems to have some odd things port-wise. Example of that below. The only port that should be open is 8080. There isn’t anything to do with the other ports and we aren’t sure why they show up consistently.…
-
HTB Tabby
2020-11-07
Tabby has a Tomcat server that doesn’t seem to have a vulnerability we can exploit, but chaining it with an LFI allows us to make use of it. Containers also prove to be useful for more than what they were intended for. Scanning and enumeration We start off, as always, with an NMAP scan to get an idea of what we are working with. nightwolf@kali:~/CTFs/HTB/Tabby$ nmap -sV -sC 10.10.10.194 Starting Nmap 7.80 ( https://nmap.…
-
HTB Blunder
2020-10-17
Blunder is a box that starts with a Bludit-based blog used to store random facts; a sudoers file was configured with the intent to prevent us from running bash as root. It was less than successful. Scanning and Enumeration We start off with a basic nmap scan. sudo nmap -sV -sC 10.10.10.191 Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-21 08:44 MDT Nmap scan report for 10.10.10.191 Host is up (0.…
-
HTB Admirer
2020-09-26
Admirer is a Linux box that features a vulnerable database setup and leverages a maliciously crafted Python library to achieve root. Enumeration We start off, as always, with an NMAP scan. Nmap scan report for 10.10.10.187 Host is up (0.12s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0) | ssh-hostkey: | 2048 4a:71:e9:21:63:69:9d:cb:dd:84:02:1a:23:97:e1:b9 (RSA) | 256 c5:95:b6:21:4d:46:a4:25:55:7a:87:3e:19:a8:e7:02 (ECDSA) |_ 256 d0:2d:dd:d0:5c:42:f8:7b:31:5a:be:57:c4:a9:a7:56 (ED25519) 80/tcp open http Apache httpd 2.…
-
UIUCTF Kernel_Memory_Leak
2020-07-20
Kernel_Memory_Leak The kernel is leaking memory to the user! That's probably not good, right? One of the syscalls can be convinced to leak the kernel stack. Find the leak and you'll receive a flag. Keep leaking kernel secrets until you see the }. (Hint: finding the leak is half the battle; getting it to leak the entire flag requires some outside-the-box thinking.) Author: ravi Disclaimer I was unable to solve this challenge until after the CTF had officially ended.…
-
UIUCTF Whats_A_Syscall
2020-07-20
Whats_A_Syscall? Challenge Description Syscall 14 is known as "SANDBOX_SPECIAL"... I wonder if that would be useful here. You'll be stuck in a never ending loop of binexec until you perform syscall 14. To learn about syscalls and how they work in pwnyOS, check out the documentation! System Calls in pwnyOS: https://github.com/sigpwny/pwnyOS-2020-docs/blob/master/Syscalls.pdf Author: ravi Solution We start out with a welcome screen and are told that we are in a sandbox.…
-
UIUCTF Time_To_Start
2020-07-20
Time_To_Start Challenge Description Welcome to pwnyOS!! pwnyOS is a custom x86 operating system that supports link-time kASLR, multitasking and kernel threads, execution of genuine ELF files, a realtime high-resolution graphics engine, and a custom hierarchical file system. This OS was written from the ground up with its use as a challenge for UIUCTF 2020 in mind. All source code in the OS is 100% custom handwritten C and assembly; there are no libraries used, and none of its code can be found anywhere online.…