HackTheBox Blazorized [WriteSPN Kerberoasting + DC session pirvesc + DCSync hash dump + Bloodhound-CE]

Posted on 2024-11-10 In WriteSPN Kerberoasting , DC session pirvesc , DCSync hash dump , Bloodhound-CE Word count in article: 3.2k Reading time ≈ 11 mins.

简述

本文是Hard难度的HTB Blazorized机器的域渗透部分，其中WriteSPN Kerberoasting + DC session pirvesc + DCSync hash dump + Bloodhound-CE等域渗透提权细节是此box的特色，主要参考0xdf’s blog Blazorized walkthrough记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。

HackTheBox Mist [CVE-2024-9405 + PetitPotam Attack + shadow credential + s4u impersonat + reading GMSA password + abusing AddKeyCredentialLink + exploiting ADCS ESC 13 twice]

Posted on 2024-10-27 In CVE-2024-9405 , Bypass AMSI , Malicious Link , Mist-DC01-CA enroll templates , Rubues Dump Hash , Defender Exclusions , PetitPotam Attack , ntlm relay LDAP shell , rubeus get Kerberos ticket , s4u impersonating Administrator , shadow credential , ESC13 enum and attack , Bloodhound Pre-Defined Query , Exfil Reg Hives Word count in article: 9.3k Reading time ≈ 34 mins.

简述

本文是Insane难度的HTB Mist机器的域渗透部分，其中CVE-2024-9405 + PetitPotam Attack + shadow credential + s4u impersonat + reading GMSA password + abusing AddKeyCredentialLink + exploiting ADCS ESC 13 twice等域渗透提权细节是此box的特色，主要参考0xdf’s blog Mist walkthrough记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。

Grafana backend sql injection affected all version

Posted on 2024-04-22 In 漏洞利用复现 Word count in article: 701 Reading time ≈ 3 mins.

Grafana backend sql injection affected all version

Vuln Description

The open-source platform for monitoring and observability

to exploit this sql injection vulnerability, someone must use a valid account login to the grafana web backend, then send malicious POST request to /api/ds/query “rawSql” entry.

if attackers login to the grafana web backend, they can use a post request to /api/ds/query api, then they can modify the “rawSql” filed to execute Malicious sql strings leading to time-based blind sql injection vulnerability, then leak data from databases.

HackTheBox Rebound [RID cycling + AS-REP-Roasting with Kerberoasting + Weak ACLs + ShadowCredentials attack + cross-session relay + Runascs and KrbRelay read gMSA password + Resource-Based Constrained Delegation (RBCD) + S4U2Self & S4U2Proxy]

Posted on 2024-04-01 Edited on 2024-04-06 In RID cycling , AS-REP-Roasting with Kerberoasting , Weak ACLs , ShadowCredentials attack , cross-session relay , Runascs and KrbRelay read gMSA password , Resource-Based Constrained Delegation (RBCD) , S4U2Self & S4U2Proxy Word count in article: 5.9k Reading time ≈ 22 mins.

简述

本文是Insane难度的HTB Rebound机器的域渗透部分，其中RID cycling + AS-REP-Roasting with Kerberoasting + Weak ACLs + ShadowCredentials attack + cross-session relay + Runascs and KrbRelay read gMSA password + Resource-Based Constrained Delegation (RBCD) + S4U2Self & S4U2Proxy等域渗透提权细节是此box的特色，主要参考0xdf’s blog rebound walkthrough和HTB的rebound官方writeup paper记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。

HackTheBox Manager [RID cycling + MSSQL xp_dirtree + ESC7 exploitation]

Posted on 2024-03-17 In RID cycling , MSSQL xp_dirtree , ESC7 exploitation Word count in article: 3.4k Reading time ≈ 12 mins.

简述

本文是Medium难度的HTB Manager机器的域渗透部分，其中RID cycling, MSSQL xp_dirtree, ESC7 exploitation等域渗透提权细节是此box的特色，主要参考0xdf’s blog manager walkthrough和HTB的manager官方writeup paper记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。

HackTheBox Coder [Bloodhound AD Enumeration + ADCS CVE-2022-26923]

Posted on 2023-12-19 Edited on 2023-12-21 In Bloodhound AD Enumeration , ADCS CVE-2022-26923 Word count in article: 4.3k Reading time ≈ 16 mins.

简述

本文是insane难度的HTB Coder机器的域渗透部分，其中Bloodhound AD Enumeration, ADCS CVE-2022-26923等域渗透提权细节是此box的特色，主要参考0xdf’s blog coder walkthrough和HTB的coder官方writeup paper记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。

HackTheBox Authority [ansible hash crack + ESC1 attack + pass-the-cert attack]

Posted on 2023-12-11 Edited on 2023-12-12 In ansible hash crack , ESC1 attack , pass-the-cert attack Word count in article: 5k Reading time ≈ 18 mins.

简述

本文是medium难度的HTB authority机器的域渗透部分，其中ansible hash crack + ESC1 attack + pass-the-cert attack等域渗透只是细节是此box的特色，主要参考0xdf’s blog authority walkthrough和HTB的authority官方writeup paper记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。

2023年春秋杯网络安全联赛春季赛 web php_again [PHP 8.2.2 OPcache Binary Webshell + CVE-2022-42919 LPE]

Posted on 2023-07-01 Edited on 2023-07-03 In ctf Word count in article: 1.5k Reading time ≈ 6 mins.

介绍

同样是在ichunqiu CTF大本营刷题的时候碰到一道高质量的web题，也比较有实战价值，比赛中算是web里耗时较长的的。网上已经有一些公开的writeup，但是为了加深理解记忆，故记录一篇blog。

其中包括一些网上没公开的一些CVE-2022-42919 LPE exp的利用细节及PHP 8.2.2 OPcache Binary Webshell手工利用方法。

复现链接: 2023年春秋杯网络安全联赛春季赛 web php_again

ciscn 2022 ezpentest writeup [sql BIGINT盲注绕正则+解phpjiami混淆+反序列化POP链构造]

Posted on 2023-06-29 In ctf Word count in article: 2.3k Reading time ≈ 8 mins.

介绍

最近在ichunqiu CTF大本营刷题的时候碰到一道高质量的web题，比赛中还算是web里难度比较大的。网上已经有很多公开的writeup，但是为了加深理解记忆，故记录一篇blog。

复现链接: 第十五届全国大学生信息安全竞赛——创新实践能力赛 Ezpentest

HackTheBox Escape [Net-NTLMv2 + ADCS + PTH + Silver Ticket]

Posted on 2023-06-18 Edited on 2023-06-19 In Net-NTLMv2 hash crack , ESC1 attack , PTH , Silver Ticket Word count in article: 6.4k Reading time ≈ 23 mins.

简述

本文是medium难度的HTB Escape机器的域渗透部分，其中Net-NTLMv2, ADCS, PTH, Silver Ticket等域渗透细节是此box的特色，主要参考0xdf’s blog Escape walkthrough和HTB’s official Escape walkthrough记录这篇博客加深记忆和理解，及供后续做深入研究查阅，备忘。