I’ll exploit an SQL injection over the websocket to leak a password and get a shell over SSH. That site uses websockets to do a validation task. With this foothold, I’ll identify a second virtual host with a new site. ![]() On finding the default credentials, I’ll use that to upload a webshell and get a shell on the box. Soccer starts with a website that is managed over Tiny File Manager. Hackthebox ctf htb-soccer nmap ffuf subdomain ferobuster express ubuntu tiny-file-manager default-creds upload webshell php websocket burp sqli websocket-sqli boolean-based-sqli sqlmap doas dstat In Beyond Root, I’ll show an alternative vector using a silver ticket attack from the first user to get file read as administrator through MSSQL. To get administrator, I’ll attack active directory certificate services, showing both certify and certipy. That user has access to logs that contain the next user’s creds. With those, I’ll use xp_dirtree to get a Net-NTLMv2 challenge/response and crack that to get the sql_svc password. I’ll start by finding some MSSQL creds on an open file share. ![]() Ctf htb-escape hackthebox nmap crackmapexec windows smbclient mssql mssqlclient xp-cmdshell responder net-ntlmv2 hashcat winrm evil-winrm certify adcs rubeus certipy silver-ticket pass-the-hash xp-dirtreeĮscape is a very Windows-centeric box focusing on MSSQL Server and Active Directory Certificate Services (ADCS).
0 Comments
Leave a Reply. |