Simple easy box, perfect to warmup before the FIC 2021 and get more confidence in 1337 h4ck1n9 TL;DR Find PCAP file on server, get SSH credentials, execute code as root with Python. Footholds I did not even use nmap here, as we had a web server serving on port tcp:80. This website looked like this: It seems to be a security dashboard for a server, we donβt have any info about that....
The famous packet manager for Archlinux
Maybe the most used tool when it comes to network discovery and port knocking.
Wow you donβt know yet what Docker is? π€ Let me introduce you this beautiful containerization tool!
So I came up with this basic concept: TL;DR. But what is it exactly? The TL;DR series The main idea is to share some knowledge in a quick and concise way, such as a RUMP but written on a file. It is like a writeup speedrunning-ish style of writting. And maybe because I am kind of lazy sometimes. The goal here is to write small articles about a subject I like, a new technique learnt, or anything that is not worth a full and detailed article....
Recently I wanted to run a MySQL Docker container and encountered a tragical error: simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql' simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.31-1debian10 started. simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Initializing database files simple_db | 2021-03-25T10:54:04.578298Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details). simple_db | 2021-03-25T10:54:04....
Cool box, maybe too easy for a medium? Got reverse shell in minutes, but stuck for rootβs password for hours π TL;DR Gitlab RCE, get reverse shell. Privesc with cleartext root password, escape Docker to own the box. Footholds nmap Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 16:00 UTC Nmap scan report for 10.10.10.220 Host is up (0.035s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8....
Some weeks ago I created a trainning lab for SQL injections called SQLi lab. And I will go through all levels in this blog post, explainning the expected way to solve each of them. The lab currently contains 5 levels, and I will update this post as I add more of them π Installation The GitHub repository is at https://github.com/OxNinja/SQLi-lab if you want more information. First I clone the lab in a folder, add its IP to my hosts file for conveignance, and then build it with the given script:...