Tenet is a medium-rated but comparatively easy box. It required a straightforward PHP deserialization exploit to gain a foothold and the exploitation of a race condition to escalate privileges.

RECON

We will begin the reconnaissance phase with an all-port Nmap TCP scan.

  • -T4 : Use the aggressive timing template (faster scan)
  • -sC : Run the default NSE scripts
  • -sV : Run service and version detection
  • -Pn : Treat all hosts as online (skip host discovery)
  • -p- : Scan all 65535 TCP ports
  • -vv : Very verbose output
  • -oA : Save output in all three formats (normal, grepable, XML) under one basename

NMAP returns…


Hi, this is Abhishek Rautela, and in this blog post I would like to share my journey to the prestigious OSCP certification. I’ll break this blog into a few sections so that you can go and read the section you’re most interested in. I cannot share much information about the exam machines or the labs due to restrictions by Offensive Security, but I will try to provide my personal experience with the labs and the exam.

Introduction

The path to the OSCP can vary from person to person, so this review won’t be justified without my telling you about myself and…


Academy is an easy-rated box that required exploiting a Laravel deserialization vulnerability (CVE-2018-15133) for an initial foothold and abusing sudo rights on composer to get root. Let’s just jump in.

RECON

We will begin reconnaissance with a full TCP Nmap scan.

  • -T4 : Use the aggressive timing template (faster scan)
  • -sC : Run the default NSE scripts
  • -sV : Run service and version detection
  • -Pn : Treat all hosts as online (skip host discovery)
  • -p- : Scan all 65535 TCP ports
  • -vv : Very verbose output
  • -oA : Save output in all three formats (normal, grepable, XML) under one basename
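The two recon sections above (Tenet and Academy) list the same Nmap flags but, in this excerpt, not the command they build or what to do with the files that -oA writes. The following is an added example, not code from the original posts: it wraps the scan in a function and parses the open TCP ports back out of the grepable (.gnmap) file so they can be fed to later tooling. The target address 10.10.10.223 and the output basename are placeholders, and the sample .gnmap line is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original posts). Wraps the all-port scan
# described in the recon sections and parses the -oA grepable output.

# Run the full TCP scan with the flags listed above.
#   $1 = target host/IP (placeholder in the usage below)
#   $2 = output basename; nmap writes $2.nmap, $2.gnmap and $2.xml
full_scan() {
    nmap -T4 -sC -sV -Pn -p- -vv -oA "$2" "$1"
}

# Print the open TCP ports found in a .gnmap file, one per line.
# A .gnmap host line looks like:
#   Host: 10.10.10.223 (tenet.htb)<TAB>Ports: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache/<TAB>Ignored State: closed (65533)
# Each comma-separated entry is port/state/protocol/owner/service/rpcinfo/version/
open_ports_from_gnmap() {
    grep -h 'Ports:' "$1" \
        | sed 's/.*Ports: //' \
        | tr ',' '\n' \
        | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/^ +/, "", $1); print $1 }'
}

# Same ports joined with commas, i.e. the form nmap's -p flag accepts,
# so a second, targeted scan can be run against just the open ports.
ports_csv() {
    open_ports_from_gnmap "$1" | tr '\n' ',' | sed 's/,$//'
}

# Stand-alone demo on a constructed .gnmap file (no nmap run needed).
demo() {
    tmp=$(mktemp)
    printf 'Host: 10.10.10.223 (tenet.htb)\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///\tIgnored State: closed (65532)\n' > "$tmp"
    echo "Open TCP ports: $(ports_csv "$tmp")"
    rm -f "$tmp"
}

# Usage against a real box (placeholder target):
#   full_scan 10.10.10.223 tenet
#   ports_csv tenet.gnmap
```

Keeping the grepable file around is the point of -oA: the parsing above is what makes a later `nmap -sC -sV -p "$(ports_csv tenet.gnmap)"` or a manual enumeration script cheap to run without rescanning all 65535 ports.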

The result of…


BrainFuck is an insane-rated box that required a WordPress exploit for an initial foothold and LXD group privilege escalation (unintended) for root.

Let’s just jump in.

Recon

Let’s start with a quick Nmap scan to discover open ports.

  • -sC : Run the default NSE scripts
  • -sV : Run service and version detection

Nmap returns the following output:


Cronos was rated medium difficulty; it required a basic SQL injection to get a foothold and command injection to get a reverse shell. The box was actually an easy one. The privilege escalation part was interesting: I learned how to exploit a Laravel cron job.

Let’s jump in.

RECON

I prefer running manual commands, as they provide better control and prevent us from getting blocked by a firewall, but due to time restrictions in the OSCP environment I decided to learn to use autorecon.

You can run autorecon as follows:

Nmap Scan results:


HTB/Buff was a fun box based on exploiting a buffer overflow in CloudMe 1.11.2. Let’s dive into how to exploit this box.

Scanning

Run an Nmap scan against the box.

AbhishekRautela

Web Developer | Security Researcher | OSCP | HackTheBox Pro Hacker
