

Scrambled presented a purely Windows-based path. There are some hints on a webpage, and from there the exploitation is all Windows. NTLM authentication is disabled for the box, so a lot of the tools I’m used to using won’t work, or at least work differently. I’ll find user creds with hints from the page, and get some more hints from a file share. I’ll kerberoast and get a challenge/response for a service account, and use that to generate a silver ticket, getting access to the MSSQL instance.

Htb-scrambled ctf hackthebox kerberos deserialization windows silver-ticket reverse-engineering oscp-like

OpenSource starts with a web application that has a downloadable source zip. That zip has a Git repo in it, and that leaks the production code as well as account creds. The website has a directory traversal vulnerability that allows me to read and write files. The first is abusing the file read to get the information to calculate the Flask debug pin. The latter is overwriting one of the Flask source files to get execution. From there, I’ll access a private Gitea instance and find an SSH key to get a shell on the host. The host has a cron running Git commands as root, so I’ll use git hooks to abuse this and get a shell as root.

Ctf hackthebox htb-opensource nmap upload source-code git git-hooks flask directory-traversal file-read flask-debug flask-debug-pin youtube chisel gitea pspy
