Day 61: I never tried mssqlclient from Impacket until today (I used to use sqsh), and it is a really amazing and time-saving tool. Try it during your MSSQL pentest. https://lnkd.in/eYth2N4M
Natan Hailu’s Post
More Relevant Posts
-
💥 Usage has been pwned! 🎉 I used tools like 'sqlmap' and 'john the ripper' to uncover vulnerabilities and gain initial access. Then I used the wildcard technique, also known as wildcard injection, for privilege escalation and got the root flag! ✅
Owned Usage from Hack The Box!
hackthebox.com
-
#ActiveMachineAdministrator #+45 points #HTB
Services --> Kerberos (TGT) --> ftp Abuse
__Active Directory Pentest__ --> GenericAll Privilege --> GenericWrite --> DCSync Attack --> Kerberoast attack --> PassTheHash
Tools --> Bloodhound --> Impacket (SecretDump) --> Hashcat --> Evil-WinRM --> TargetedKerberoast --> BloodyAD --> Pwsafe
Owned Administrator from Hack The Box!
labs.hackthebox.com
-
Just completed the "Builder" machine on HTB! Learned how to exploit a Jenkins vulnerability (CVE-2024-23897) to grab sensitive credentials and use an encrypted SSH key to get root access. Awesome hands-on experience with real-world security flaws! #htb #jenkins #pentesting
Owned Builder from Hack The Box!
hackthebox.com
-
The Alert machine on Hack The Box showcases an interesting blend of vulnerabilities. From identifying entry points with proper enumeration to leveraging server-side behaviors for deeper exploration, this box highlights the importance of understanding common configurations and exploiting unique file handling mechanisms. This was a great exercise in chaining multiple vulnerabilities to achieve the end goal. As usual, per HTB's guidelines, the full write-up will be released when the machine is retired.
Owned Alert from Hack The Box!
labs.hackthebox.com
-
To create block/allow entries for domains and email addresses, use the following methods... [ Happy learning 🙂 ]
Go to Defender portal > Policies & Rules > Threat policies > Tenant Allow/Block list > Spoofed Senders
Add your External domain and external domain >
- Spoof type: External
- Action: Block
-
I recently conducted a DFIR analysis on a system compromised by a malicious NuGet package using typosquatting to deceive developers. Leveraging tools like Autopsy, EZ Tools, and Windows Event Logs, I traced the attack timeline. The malicious package executed a script to disable real-time monitoring and downloaded a persistent payload. The attacker used the Sliver C2 framework and set up a scheduled task to maintain long-term access. Despite their evasion techniques, there was still enough forensic evidence left to uncover the nature of the breach. Thanks to Hack The Box for the challenge, and I’ll post a full walkthrough as soon as the challenge is retired, following the rules.
Solved Nuts from Hack The Box!
labs.hackthebox.com
-
Keeper has been Pwned! My Review: 10/10

This machine starts with a page which appears to be accessing a dashboard. It tests your ability to research plugins and versions for CVEs and default credentials. After bruteforcing or using default credentials we move on to a nice investigation into users and their credentials for pillaging. This leads to the use of SSH to receive the user flag with the pillaged credentials, then we are challenged to escalate privilege.

On the exploited host there is a .zip file containing two files vital to the escalation. We discover that the file belongs to an application called "KeePass" and we are able to retrieve a hash using keepass2john; however, bruteforcing this appeared to lead to rabbit holes, so this also tests our ability to adapt. This leads us to researching further, and a public exploit appears named keepass-dump-masterkey. Using this exploit we receive a passphrase that still isn't obviously clear and tests our ability to think even more, since the passphrase contains characters unrecognisable as they are Dutch. After doing a Google search we can find results of the possible passphrase and can open the protected .kdbx file.

Finally, this leads to revealing root credentials, but we also have one final twist. There is a PuTTY RSA key file that we find and needs to be converted to OpenSSH. After this final twist of converting the RSA key file we are able to SSH into the host using root credentials and OpenSSH key to exploit the root flag.
Owned Keeper from Hack The Box!
hackthebox.com
-
Just #pwned Ghost, the final challenge of Hack The Box's Season 5! This brand new Windows Active Directory box with Insane difficulty truly tested my skills and pushed me to my limits. It took around 10 hours to have full control over the DC, but the journey was packed with learning and growth. The writeup ended up being my longest yet, covering a variety of vulnerabilities.
- Brute forcing password using LDAP Injection.
- Reviewing source code and discovering a LFI.
- Exploiting API that is vulnerable to Command injection.
- Spoofing DNS records -> getting NTLMv2 hash and cracking it.
- MSSQL -> RCE
- Child-to-Parent forest privilege escalation -> Golden ticket attack.
#Season5 #HTB #Ghost #Pentest #EthicalHacking #RedTeam #HTBSeason5 #Windows #Pwn #LDAP #Gitea #DirectoryTraversal #Docker #Rubeus #Mimikatz #Impacket #TGT #Kerberos #ActiveDirectory #xp_cmdshell #MSSQL #DNSTool #Responder #EfsPotato #Enumeration
Owned Ghost from Hack The Box!
hackthebox.com
-
Vulnerability assessment and penetration testing of a server. Tools used: nmap, gobuster, wappalyzer, metasploit #VAPT #VulnerabilityAssessment #PenetrationTesting #Reconnaissance
Owned Crocodile from Hack The Box!
hackthebox.com
Top 1% at TryHackMe Global • HTB | GURU • eJPTv2 • ICCA • CompTIA PenTest+ • CompTIA Security+ (SYO-601) • CompTIA CASP+ (CAS-004) • CompTIA Project+ (PKO-004) • Apache Spark (CVE-2022-33891)
6mo
Great admin