Tag

Hacking

Guides, Privilege Escalation, Windows

Windows Privilege Escalation – DLL Hijacking

Introduction

DLLs (Dynamic Link Libraries) are libraries that contain code and procedures used by Windows programs. They are similar to EXE files, as they are based on the Portable Executable (PE) file format, although they cannot be executed directly. They are similar to .so (Shared Library) files in Unix.

DLL hijacking is a method of injecting malicious code into a given service or application by loading an evil DLL, often replacing the original one, that will be executed when the service starts. This is possible due to the way some Windows applications search for and load DLLs. More specifically, if a service’s DLL isn’t already loaded or its path isn’t stored in the system, Windows will start looking for it in the environment path. An attacker can therefore place the malicious DLL in a directory that is part of that path to trigger the malicious code.

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Credentials Harvesting

Introduction

Linux-based operating systems and applications often store clear text, encoded or hashed credentials in files or in memory.

After gaining initial access to a Linux machine and while performing privilege escalation enumeration steps, passwords can often be found through these means, and they can be used to further escalate privileges.

There are various methods to harvest credentials in a Linux system in order to escalate privileges. The following ones are the most common, and they are always worth a try.

CTF Walkthroughs, Hack The Box

Hack The Box – Fuse Walkthrough

Introduction

This was an intermediate Windows machine that involved crawling a username and password from a web application to access RPC, through which a password stored in a printer’s description can be found in order to obtain remote access to the box, and exploiting a known vulnerability with the SeLoadDriverPrivilege permission to escalate privileges to SYSTEM.

CTF Walkthroughs, Hack The Box

Hack The Box – CronOS Walkthrough

Introduction

This was an intermediate Linux machine that involved exploiting an SQL injection vulnerability to gain access to a traceroute page affected by a remote command vulnerability in order to obtain a reverse shell, and exploiting a PHP function used in a cron job to gain root-level code execution and therefore a root shell.

Guides, Linux, Privilege Escalation

Linux Privilege Escalation – Exploiting Bashrc

Introduction

The .bashrc file is a script used in Linux-based operating systems that is executed whenever a user logs in. It contains important configurations for the terminal session such as the coloring, aliases, history length, or any commands that need to be executed at login.

It is a hidden file, as its name begins with a dot, and it is normally located in the user’s home directory. Like other files stored in this location, by default it can be read by all users, although it can only be edited by the owner or super users. If improper permissions have been applied to this file, it could allow potential attackers to add malicious commands that will be run when the user logs in.

CTF Walkthroughs, TryHackMe

TryHackMe – HackPark Walkthrough

Introduction

This was a fairly easy Windows machine that involved brute-forcing credentials to authenticate into the BlogEngine web application, exploiting a remote code execution vulnerability affecting it to gain remote access, and exploiting an insecure service file permission vulnerability in the Splinterware System Scheduler application to escalate privileges to SYSTEM.
