Reverse-Shell
Found 9 related articles
Back to Tags- 2024-12-04
Vaccine - FTP, PKZIP/MD5 Cracking, SQL Injection via SQLMap, and SUID vi Privesc
Technical writeup detailing the compromise of the Vaccine machine. Initial access is achieved by exploiting Anonymous FTP to retrieve a password-protected PKZIP file, cracking the PKZIP and subsequent MD5 hashes to gain web credentials. Authentication leads to exploiting a blind SQL Injection vulnerability via SQLMap, gaining an OS shell. Privilege escalation is completed by finding plaintext credentials for SSH access, then exploiting the SUID binary 'vi' with specific permissions via the ':shell' command to achieve a root shell.
- 2024-12-02
Oopsie - IDOR, Arbitrary File Upload, and SUID Path Hijacking
Technical writeup detailing the compromise of the Oopsie machine. Initial access involves exploiting an IDOR vulnerability to enumerate credentials, followed by cookie manipulation to gain access to an arbitrary file upload function for a PHP reverse shell. Privilege escalation is achieved by finding plaintext database credentials for SSH access, and finally, exploiting the SUID binary '/usr/bin/bugtracker' using a PATH hijacking technique to execute a root shell.
- 2024-11-28
Archetype - SMB Credential Disclosure, MSSQL xp_cmdshell RCE, and SYSTEM Privileges via psexec
Technical writeup detailing the compromise of the Archetype Windows machine. Initial foothold is achieved by exploiting Anonymous SMB access (445/tcp) to retrieve SQL credentials from a shared backup directory (prod.dtsConfig). These credentials are used to gain access to the MSSQL service (1433/tcp), where xp_cmdshell is activated to achieve RCE and establish a reverse shell. Privilege escalation to NT AUTHORITY sYSTEM is completed by hunting for credentials in the PowerShell history file and leveraging Impacket's psexec.py with the found administrator account.
- 2024-11-21
Three - S3 Bucket Misconfiguration and Remote Code Execution via AWS CLI
Technical writeup detailing the compromise of the Three machine. The methodology involves identifying an exposed subdomain (s3.thetoppers.htb) pointing to an AWS S3 bucket. Exploitation is achieved by leveraging a misconfigured access policy via the AWS CLI to perform an arbitrary file upload of a PHP webshell. Remote Code Execution (RCE) is then established using the webshell, leading to full system access as the www-data user.
- 2024-11-06
Whiterose - IDOR, EJS SSTI (CVE-2022-29078), and Sudoedit Bypass (CVE-2023-22809)
Technical writeup detailing the compromise of the Whiterose machine. Initial access involves subdomain enumeration via wFuzz and exploiting an IDOR vulnerability to retrieve privileged user credentials. This leads to a Server-Side Template Injection (SSTI) RCE via CVE-2022-29078 (EJS Template Engine vulnerability). Privilege escalation is achieved by exploiting the Sudoedit vulnerability CVE-2023-22809 to gain root access via modifying the /etc/sudoers file.
- 2024-10-25
Verdejo - SSTI Exploitation and Base64 SUID Privesc Chain
Technical writeup detailing the compromise of the 'Verdejo' challenge. Initial access is gained by exploiting a Server-Side Template Injection (SSTI) vulnerability via Jinja2 to obtain a reverse shell. Privilege escalation is achieved by exploiting NOPASSWD SUID on '/usr/bin/base64' to read the root SSH private key, which is then cracked using ssh2john and JohnTheRipper for final root access.
- 2024-10-21
Chemistry - Pymatgen RCE (CVE-2024-23346), SSH Port Forwarding, and aiohttp LFI (CVE-2024-23334)
Technical writeup detailing the compromise of the Chemistry machine. Initial access (RCE) is gained by exploiting CVE-2024-23346, an arbitrary code execution vulnerability in the pymatgen library via a malicious .CIF file upload, leading to a low-privileged shell. Privilege escalation is achieved by locating hidden credentials in a SQLite database, gaining SSH access, and then using SSH Port Forwarding to access an internal web service. The final step involves exploiting CVE-2024-23334, a critical path traversal vulnerability in aiohttp/3.9.1, to perform Local File Inclusion (LFI) and read the /etc/shadow file for root access.
- 2024-10-15
Source - Webmin 1.890 RCE (CVE-2019-15107) Exploitation
Technical writeup detailing the immediate compromise of the Source machine by exploiting the Webmin service running on port 10000. The vulnerability leveraged is the unauthenticated Remote Code Execution (RCE) backdoor in Webmin versions 1.882 < 1.921 (CVE-2019-15107). Exploitation is achieved by running a public exploit to gain direct root access and establishing a reverse shell for full system control.
- 2024-10-01
WalkingCMS - WordPress Exploitation via Theme Editor and SUID Privilege Escalation
Technical writeup detailing the compromise of the WalkingCMS challenge. Initial access involves enumerating a WordPress installation via Gobuster, credential cracking using WPScan, and achieving a reverse shell by modifying the theme's index.php file. Final root access is achieved by exploiting a vulnerable SUID binary, '/usr/bin/env', using standard Linux privilege escalation techniques.