eWPTX Certification
eLearnSecurity Web Application Penetration Tester eXtreme (eWPTXv2)
Issuer: eLearnSecurity (INE)
Date: [October 2, 2023]
Description: Successfully achieved the eWPTX certification, showcasing expertise in advanced web application penetration testing, and exploitation of hardened environments.
Tea - Vulnlab
Tea is one of the chains I still have left to write up. It involves traversing through an Active Directory environment with two workstations: the first exploit abuses CI/CD runners in a Gitea instance, and the second exploits a WSUS connection to the domain controller.
Initial Enumeration
So let's start with our usual Nmap scans of the two machines. We have access to 10.10.252.213 and 10.10.252.214.
└─$ sudo nmap 10.10.252.213 && sudo nmap 10.10.252.214
Nmap scan re ...
Driver - Hack The Box
Driver is an easy Windows machine that focuses on printer exploitation. Enumeration of the machine reveals a web server listening on port 80, along with SMB on port 445 and WinRM on port 5985. Navigating to the website reveals that it is protected with HTTP basic authentication. While trying common credentials, admin:admin is accepted and we are able to view the page. The webpage provides a feature to upload printer firmware to an SMB share for a remote team to test an ...
Delegate - Vulnlab
Delegate is another AD machine that focuses on your knowledge of how to exploit user privileges and traverse an AD environment. The bulk of this machine is done through AD, and it features exploits such as unconstrained delegation and GenericWrite privileges.
Enumeration
Let's start by doing our usual Nmap scans of the machine.
└─$ sudo nmap 10.10.87.35
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-30 00:50 EDT
Nmap scan report for delegate.vl (10.10.87.35)
Host is up (0.11s ...
Mailing - Hack The Box
Mailing is an easy Windows machine that runs hMailServer and hosts a website vulnerable to Path Traversal. This vulnerability can be exploited to read the hMailServer configuration file, revealing the Administrator password hash. Cracking this hash provides the Administrator password for the email account. We leverage CVE-2024-21413 in the Windows Mail application on the remote host to capture the NTLM hash of user maya. We can then crack this hash to obtain the password and log in as user ...
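As an added example (not code from the Mailing writeup or from the box's actual web application), here is the general shape of the path traversal bug in a file-serving handler next to a hardened version. The directory layout, file names and INI contents are constructed for the demo; the hMailServer\Bin\hMailServer.INI location only mirrors the product's default layout and is an assumption here, and the hash value is a placeholder.

```python
"""Path traversal: a vulnerable file handler beside a hardened one.

Added example; the on-disk layout, handler and file contents are
constructed. Only the technique ('..' segments escaping the web root)
comes from the Mailing summary.
"""
import os
import tempfile
from pathlib import Path


def build_fixture() -> Path:
    """Construct a throwaway tree: a web root with one legitimate file and,
    two directories up, a mail-server config the web app must never expose.
    The hMailServer/Bin/hMailServer.INI placement is assumed, not measured."""
    root = Path(tempfile.mkdtemp(prefix="traversal-demo-"))
    webroot = root / "inetpub" / "wwwroot"
    webroot.mkdir(parents=True)
    (webroot / "index.html").write_text("<h1>Mailing</h1>")
    cfg_dir = root / "hMailServer" / "Bin"
    cfg_dir.mkdir(parents=True)
    # Constructed placeholder; the real file carries the admin password hash.
    (cfg_dir / "hMailServer.INI").write_text(
        "[Security]\nAdministratorPassword=deadbeef\n"
    )
    return webroot


def serve_vulnerable(webroot: Path, requested: str) -> str:
    """Naive handler: joins the user-controlled name onto the web root.
    '..' segments walk out of the root, which is the bug described above."""
    return Path(os.path.join(str(webroot), requested)).read_text()


def serve_hardened(webroot: Path, requested: str) -> str:
    """Canonicalise the candidate path (follows symlinks, collapses '..')
    and refuse anything that does not sit inside the web root."""
    base = webroot.resolve()
    candidate = (base / requested).resolve()
    if base not in candidate.parents:
        raise PermissionError(f"refusing to serve outside web root: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_text()


def demo() -> dict:
    """Run the same traversal payload against both handlers and report."""
    webroot = build_fixture()
    payload = "../../hMailServer/Bin/hMailServer.INI"
    result = {
        "vulnerable_leaks": "AdministratorPassword" in serve_vulnerable(webroot, payload),
        "hardened_serves_legit": serve_hardened(webroot, "index.html") == "<h1>Mailing</h1>",
    }
    try:
        serve_hardened(webroot, payload)
        result["hardened_blocks"] = False
    except PermissionError:
        result["hardened_blocks"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than by string-matching `..`, so URL-decoded, symlinked and absolute-path variants are all caught by the same comparison.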
Domain & Forest Trusts
I took inspiration for researching this topic from one of the recent machines I wrote a writeup for, which you can find here (you can probably guess the connection from the name of the chain). The topic I wanted to delve into today is Domain and Forest Trusts in an Active Directory environment. I tried getting a little creative with Lucidchart, as you'll see in the images to follow.
I’ll list a few topics that you’ll need to understand before we delve into domain and fo ...
Trusted - Vulnlab
This chain was relatively fun; however, it's a REALLY long one. That being said, I still think it was a great learning experience, as I learned how to perform pen-testing exploits that I had only heard brief snippets about (yet never done practically). This machine includes exploits such as Local File Inclusion and DLL Hijacking, both of which are commonly seen vulnerabilities when developers fail to take them into consideration.
Enumeration
Running our Nmap scans for host discove ...