Domain & Forest Trusts
I took inspiration for researching this topic from one of the recent machines that I wrote a writeup for, which you can find here (you can probably get the interpretation from the name of the chain). The topic that I wanted to delve into today was the idea of Domain and Forest Trusts in an Active Directory environment. I tried getting a little creative with Lucidchart, as you’ll see in the images to follow.
I’ll list a few topics that you’ll need to understand before we delve into domain and fo ...
Lustrous - Vulnlab
This machine is an Active Directory environment that starts from the domain controller and pivots to a workstation before returning back to the DC. Given that we have two machines that are both Windows, I’d like to use Havoc instead of Sliver as our C2 for this walkthrough.
Enumeration
Given the IP range of the instance, it seems that there are only two machines in this chain. Let’s start with our usual NMAP scans across them both.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 22:59 EDT ...
Tengu - Vulnlab
This was my first step into a three-machine chain on VulnLab, and I want to thank r0BIT on the development of this chain and all of the work that was developed for this chain. It involves exploiting a domain-joined Linux machine and pivoting through MSSQL, finally leading to the DC after.
Enumeration
Upon doing our first scans, we can see that there are three machines that collectively have either RDP or SSH on them. There’s also another port on .183 denoted as VSAT-CONTROL on port 1880, though t ...
Baby2 - Vulnlab
This machine was really interesting to get into, as I learned how to practically implement backdoors onto a compromised host as well as GPO abuses and general vulnerability testing in domain accounts. Props to xct for creating this machine.
Enumeration
Let’s start with a general NMAP scan of the machine.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-17 21:04 EDT
Nmap scan report for 10.10.102.12
Host is up (0.11s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVIC ...
Trusted - Vulnlab
This chain was relatively fun; however, it’s a REALLY long one. That being said, I still think it was a great learning experience, as I’ve learned how to perform pen-testing exploits that I’ve only heard brief snippets about (yet never done practically). This machine includes exploits such as Local File Inclusion and DLL Hijacking, both of which are commonly seen vulnerabilities if not taken into consideration properly by developers.
Enumeration
Running our NMAP scans for host discove ...
Hybrid - Vulnlab
This chain was relatively fun and allowed me to learn a lot of different tactics that I would’ve previously not known how to do before. It involves attempting to gain initial access to a domain-joined Linux machine, following a pivot to the DC using ADCS.
Enumeration
Running our NMAP scanning to discover both machines 10.10.242.85 and 10.10.242.86.
┌──(daz㉿LAPTOP-VA8M33JK)-[~/tech/vl/hybrid]
└─$ cat initial_scan.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 00:38 EDT
Nmap scan report ...
Sync - Vulnlab
This is, I believe, the second Linux machine that I’ve written a post about, and I liked how it delved more into hash cracking and the infamous Docker (oh how I despise Docker). This specific machine is really helpful if you want to understand ports that aren’t used very often, such as rsync.
Enumeration
Let’s start with our regular NMAP scans.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-31 19:17 EDT
Nmap scan report for 10.10.110.153
Host is up (0.11s latency).
Not shown: 996 closed tcp port ...
Retro - Vulnlab
This machine is another Active Directory machine, and mimics what you might see in an environment where interns and trainees are given a universal account to use in AD. This has its own security issues, which we’ll exploit today.
Enumeration
Let’s start with our usual NMAP scan.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 16:20 EDT
Nmap scan report for 10.10.124.140
Host is up (0.11s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain ...
Lock - Vulnlab
This is the last writeup I have documented for all of the Easy machines as of 6/3. This machine in particular is related to Gitea, a web-application that we’ve pen-tested before on our writeup of Build. This then follows a really intuitive exploit of a PDF application by creating a breakpoint at a specific opcode for privilege escalation.
Enumeration
Let’s start with our usual NMAP scan.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-03 17:05 EDT
Nmap scan report for 10.10.82.24
Host is ...
Forgotten - Vulnlab
This machine was relatively fun, as it involved progressing through the installation of an unused web application, which we then exploit. Big props to xct for creating this machine, as I thought it was great learning material and fun to exploit.
Enumeration
Let’s start with our usual NMAP scan to see what ports are open.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-14 21:55 EDT
Nmap scan report for 10.10.113.195
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh ...