Posts: 14
Threads: 1
Joined: Oct 2024
(Oct 20, 2024, 03:36 PM)Krapt Wrote: (Sep 30, 2024, 04:36 AM)0rch1d Wrote: (Sep 29, 2024, 09:15 AM)Goku_black Wrote: what was the attack path? how did you compromised these machines? any hints?
Web01:- user: focus on requests then git
- root: common CVE
Scada:- user: try logging in
- root: didn't do it yet
LDAP:- user: enumerate with what you have
- root: look at user accounts
Web02:- user: CVE on web
- root: enumerate your user
WS02:- user: spray and pray then use what's in the accessible service
- root: enumerate common user files then use what you find to take advantage of privs
I'll put updates here when I get access to WS01, FW, EW, and Printer.
I’m still stuck on Web01, can anyone please give me more hints onto what I should be looking at? Look closely to git commits... You will find credentials for SSH
Posts: 3
Threads: 0
Joined: Oct 2024
(Oct 20, 2024, 07:05 PM)Heilel Wrote: (Oct 20, 2024, 03:36 PM)Krapt Wrote: (Sep 30, 2024, 04:36 AM)0rch1d Wrote: (Sep 29, 2024, 09:15 AM)Goku_black Wrote: what was the attack path? how did you compromised these machines? any hints?
Web01:- user: focus on requests then git
- root: common CVE
Scada:- user: try logging in
- root: didn't do it yet
LDAP:- user: enumerate with what you have
- root: look at user accounts
Web02:- user: CVE on web
- root: enumerate your user
WS02:- user: spray and pray then use what's in the accessible service
- root: enumerate common user files then use what you find to take advantage of privs
I'll put updates here when I get access to WS01, FW, EW, and Printer.
I’m still stuck on Web01, can anyone please give me more hints onto what I should be looking at? Look closely to git commits... You will find credentials for SSH
I have a feeling that ur hint is based on the next step which is being logged in with one of the users that are on the gogs service  , I’m not even there, if that’s what u meant by ur hint then plz let me know.
Posts: 14
Threads: 1
Joined: Oct 2024
Quote:I have a feeling that ur hint is based on the next step which is being logged in with one of the users that are on the gogs service , I’m not even there, if that’s what u meant by ur hint then plz let me know.
Look closely to the login functionality in web proxy (burp suite)
There should parameter related to LDAP that you able to tamper.
Idea quite simple - try to listen 389 port on your kali and put your IP to the parameter when log-in ...
Posts: 3
Threads: 0
Joined: Oct 2024
(Oct 21, 2024, 03:54 PM)Heilel Wrote: Quote:I have a feeling that ur hint is based on the next step which is being logged in with one of the users that are on the gogs service , I’m not even there, if that’s what u meant by ur hint then plz let me know.
Look closely to the login functionality in web proxy (burp suite)
There should parameter related to LDAP that you able to tamper.
Idea quite simple - try to listen 389 port on your kali and put your IP to the parameter when log-in ...
Huge thanks ❤️
Posts: 96
Threads: 2
Joined: Feb 2024
(Oct 21, 2024, 03:54 PM)Heilel Wrote: Quote:I have a feeling that ur hint is based on the next step which is being logged in with one of the users that are on the gogs service , I’m not even there, if that’s what u meant by ur hint then plz let me know.
Look closely to the login functionality in web proxy (burp suite)
There should parameter related to LDAP that you able to tamper.
Idea quite simple - try to listen 389 port on your kali and put your IP to the parameter when log-in ...
Or use Responder to catch the login
Posts: 5
Threads: 0
Joined: Sep 2023
Understand the responder part, but I can't for the life of me figure out what to change in the login flow. Keep hitting response code 500 and nothing to show for it. is it the lo*********ce parameter that needs to be changed to IP?
Posts: 47
Threads: 1
Joined: Jan 2024
Guys. Use Chisel, Socat. in SCADA, basic enumeration and you will find a really piece of cake to make a privilege escalation.
Posts: 96
Threads: 2
Joined: Feb 2024
(Oct 21, 2024, 09:09 PM)xorraxrax Wrote: Understand the responder part, but I can't for the life of me figure out what to change in the login flow. Keep hitting response code 500 and nothing to show for it. is it the lo*********ce parameter that needs to be changed to IP?
look at the login for the normal site, there is some parameter in the login request that is asking to be hacked...
Posts: 47
Threads: 1
Joined: Jan 2024
Hint for WS02 -> list shares, maybe there are something you can do with the permission you have.
Posts: 14
Threads: 1
Joined: Oct 2024
Need a hint on The secret is out! flag for ALCHEMY-LAUTERING-PLC . It seems that need look something related to inkate process. But strugling to understand what need to search and what we should to do.
|
