
Network-Exploitation

Found 8 related articles.

  • 2024-11-20

    Crocodile - FTP Anonymous Login and Credential Disclosure

    Technical writeup detailing the compromise of the Crocodile machine. Initial access is achieved by exploiting the Anonymous FTP login vulnerability on the vsFTPd 3.0.3 service (21/tcp) to disclose files containing credentials (allowed.userlist and allowed.userlist.passwd). Web enumeration via Gobuster reveals a hidden '/login.php' endpoint. The disclosed 'admin' credentials are used to access the web panel and retrieve the flag, completing the box.

    CTF-Writeup Network-Exploitation Web-Exploitation
  • 2024-11-19

    Sequel - Exploiting Unauthenticated MariaDB Access (A07:2021)

    Technical writeup detailing the compromise of the Sequel machine. The methodology focuses on Nmap scanning to identify the exposed MariaDB service (version 10.3) on port 3306. The system is exploited due to a critical Identification and Authentication Failure (OWASP A07:2021) allowing unauthenticated root login. The process concludes with database enumeration (SHOW DATABASES, USE htb, SELECT * FROM config) to retrieve the flag.

    CTF-Writeup Network-Exploitation Linux-Services
  • 2024-10-20

    Cap - PCAP Analysis, FTP Credential Disclosure, and cap_setuid Privilege Escalation

    Technical writeup detailing the compromise of the Cap machine. Initial access is achieved by enumerating a web application that provides downloadable .PCAP network capture files. Tshark analysis of a specific PCAP file reveals FTP credentials in plaintext. These credentials are used to gain SSH access as the 'nathan' user. Privilege escalation to root is achieved by exploiting the 'cap_setuid' capability set on the /usr/bin/python3.8 binary, allowing arbitrary user ID change to 0 (root).

    CTF-Writeup Network-Exploitation Linux-Privesc
  • 2024-10-11

    TickTackRoot - FTP Anonymous, SSH Brute-Force, and SUID Binary Exploitation

    Technical writeup detailing the compromise of the TickTackRoot machine. The path includes initial enumeration of open services (21/FTP, 22/SSH, 80/HTTP). Access is gained by leveraging Anonymous FTP login to find potential usernames, followed by a successful SSH brute-force attack using Hydra. Privilege escalation is achieved by exploiting the SUID binary 'timeout_suid' to gain a root shell, demonstrating a classic Linux privilege escalation technique.

    CTF-Writeup Network-Exploitation Linux-Privesc
  • 2024-09-05

    Dancing - Exploiting Unauthenticated SMB Shares

    Technical writeup detailing the initial compromise of the Dancing machine. The methodology focuses on thorough Nmap scanning to identify exposed SMB services (ports 139, 445), leveraging the 'smbclient' tool to enumerate and gain unauthorized access to publicly accessible network shares (WorkShares), and retrieving sensitive data (flags/notes) due to weak share permissions.

    CTF-Writeup Network-Exploitation Windows-Services
  • 2024-09-05

    Redeemer - Exploiting Unauthenticated Redis Access

    Technical writeup detailing the compromise of the Redeemer machine. The methodology focuses on Nmap scanning to identify the exposed Redis service on port 6379, exploiting the lack of required authentication to connect directly using 'redis-cli', enumerating the key-value store with INFO and KEYS *, and retrieving the flag.

    CTF-Writeup Network-Exploitation Linux-Services
  • 2024-09-04

    Fawn - Exploiting Anonymous FTP Login

    Technical writeup detailing the compromise of the Fawn machine. The methodology focuses on Nmap scanning to identify the exposed FTP service (vsftpd 3.0.3) on port 21, exploiting the 'Anonymous FTP Login Allowed' setting to gain unauthenticated access, and retrieving the flag with a standard FTP file transfer.

    CTF-Writeup Network-Exploitation Linux-Services
  • 2024-09-03

    Meow - Exploiting Weak Credentials via Telnet (Port 23)

    Technical writeup detailing the compromise of the Meow machine. The methodology involves Nmap scanning to identify the exposed Telnet service on port 23 and exploiting weak credentials (root login with no password) to gain immediate root control and retrieve the flag.

    CTF-Writeup Network-Exploitation Very-Easy