Tenet is a medium-rated but comparatively easy box that required a straightforward PHP deserialization exploit to gain a foothold and the exploitation of a race condition to escalate privileges.
We will begin the reconnaissance phase with an all-port Nmap TCP scan.
sudo nmap -T4 -p- -sC -sV -vv -Pn -oA nmap/full-tcp 10.10.10.223
Hi, this is Abhishek Rautela, and in this blog post I would like to share my journey to the prestigious OSCP certification. I'll break this blog into a few sections so that you can go and read the section you're more interested in. I cannot share much information about the exam machines or the labs due to restrictions by Offensive Security, but I will try to provide my personal experience with the labs and the exam.
The path to the OSCP can vary from person to person, so this review wouldn't be justified without my telling you about myself and…
Academy is an easy-rated box that required exploiting a Laravel deserialization vulnerability (CVE-2018-15133) for an initial foothold and abusing sudo rights for composer to get root. Let's just jump in.
We will begin reconnaissance with a full TCP Nmap scan.
sudo nmap -T4 -sC -sV -Pn -p- -vv -oA nmap/10.10.10.215 10.10.10.215
The result of…
BrainFuck is an insane-rated box that required a WordPress exploit for the initial foothold and an (unintended) LXD group privilege escalation for root.
Let’s just jump in.
Let's start with a quick Nmap scan of the default ports to discover what is open:
nmap -T4 -sC -sV 10.10.10.17
Nmap returns the following output:
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-25 09:08 EST
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing
Nmap scan report for 10.10.10.17
Host is up (0.043s latency).
Not shown: 995 filtered ports
PORT STATE SERVICE…
Cronos is a medium-rated box that required basic SQL injection to get a foothold and command injection to get a reverse shell, though it was actually an easy one. The privilege escalation part was interesting: I learned how to exploit a Laravel cron job.
Let’s jump in.
I prefer running manual commands, as they provide better control and prevent us from getting blocked by any firewall, but due to the time restrictions in the OSCP environment I decided to learn to use autorecon.
You can run autorecon as follows:
sudo autorecon -vv 10.10.10.13
Nmap Scan results:
# Nmap 7.91 scan initiated…
HTB/Buff is a fun box based on exploiting a buffer overflow in CloudMe 1.11.2. Let's dive into how to exploit this amazing box.
Run an Nmap scan against the box.
nmap -A -T4 -p- -v 10.10.10.198
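Every writeup above (Tenet, Academy, BrainFuck, Cronos and Buff) opens with an Nmap scan, and several of them run -sC -sV or -A across all 65535 ports in a single pass, which is slow against a host that filters most ports. The shell helper below is an added example, not code from any of these writeups: it does the usual two-stage version of the same recon, a fast all-port sweep, a parser that pulls the open TCP ports out of the normal (-oN) output, and a targeted -sC -sV run on just those ports. The function names, the nmap/ output directory and the sample scan output embedded for the offline check are all constructed for this example.

```shell
#!/usr/bin/env bash
# Two-stage Nmap recon: a fast all-port discovery sweep, then -sC -sV only on the
# ports that sweep found. Helper names and the nmap/ directory are this example's own.

# Constructed sample of stage-1 Nmap normal (-oN) output, not from any real scan,
# so the parser can be exercised without a target.
SAMPLE_NMAP_OUTPUT='# Nmap 7.91 scan initiated Fri Dec 25 09:08:00 2020 as: nmap -T4 -p- -Pn -oN full.nmap 10.10.10.223
Nmap scan report for 10.10.10.223
Host is up (0.043s latency).
Not shown: 65532 closed ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
8080/tcp closed http-proxy
# Nmap done at Fri Dec 25 09:10:00 2020 -- 1 IP address (1 host up) scanned'

# open_ports: read Nmap normal output on stdin and print the open TCP ports as a
# comma-separated list (the form -p expects). Closed, filtered and open|filtered
# ports are ignored, so only confirmed-open ports get the slow script/version pass.
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
         split($1, f, "/")
         list = list (list == "" ? "" : ",") f[1]
       }
       END { print list }'
}

# two_stage_scan: run both stages live. Needs nmap, root (SYN scan) and a reachable target.
two_stage_scan() {
  host=$1
  mkdir -p nmap
  # Stage 1: all 65535 TCP ports, no scripts or version probes, so it stays fast.
  sudo nmap -T4 -p- -Pn -oN "nmap/full-$host.nmap" "$host" >/dev/null
  ports=$(open_ports < "nmap/full-$host.nmap")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $host" >&2
    return 1
  fi
  # Stage 2: default scripts and version detection against only the open ports.
  sudo nmap -sC -sV -Pn -p"$ports" -oA "nmap/targeted-$host" "$host"
}

# Usage: two_stage_scan 10.10.10.223
```

The stage-1 sweep keeps -Pn as in the writeups' own commands, since HTB boxes commonly drop ICMP; if the sweep finds nothing, the helper exits non-zero rather than running an empty -p list. A UDP sweep would need a separate pass, because the parser deliberately only accepts lines whose state is exactly "open".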