Help Q2 - Tuoni 101: Ep.5 – Demonstrate Your Skills
Looking for some help with the Tuoni 101: Ep.5 Q2. The following method is given to gain initial access: "To gain an initial foothold, you'll need to use the Hosted files page to host an executable. Any file hosted using that method will be run once on the initial target. Once executed, it'll be removed from the hosted files page." I tried this one and wasn't able to get the initial access. I tried originally using the default reverse HTTP listener and generating an x64 .exe file and hosting it on the "Files" tab and waited 5 minutes. As this didn't work I tried an x86 payload. This didn't work so I created a new HTTP listener and tried both approaches. After this didn't work, I generated all payload types for the reverse_HTTP and reverse_TCP listeners and hosted them as files and still didn't have any success. Any ways to get the payload to execute would be greatly appreciated.
9 Views, 1 like, 0 Comments

APT29 Threat Hunting with Splunk: Ep.4 – Clean-up & Reconnaissance
I need help with Q6. Any hint, please? "The attacker launches a PowerScript useful for reconnaissance activities. What is the full file path of the executed script?" I searched (EventCode=4103 OR EventCode=4104) combined with powershell.
Solved. 89 Views, 2 likes, 4 Comments

Web App Hacking (Lab series): CVE-2022-2143 (iView2)
Hello all, I have spent way too long trying to complete the iView2 exploit. I was expecting a text box on the page for command entry, but I cannot get anything like that. I have been able to send a POST request to the NetworkServlet page using the provided exploit string and I know that the test.jsp is created because I can use the query parameter ?cmd=whoami and I get the mysqldump output showing "nt authority \system". I cannot get any other query parameters to execute, even simple ls or dir commands. I found y4er's blog post and everything I see in terms of the syntax of the exploit appears to be identical to the lab. Any directions/suggestions/hints would be greatly appreciated! Thanks in advance.
J
70 Views, 0 likes, 4 Comments

Privilege Escalation: Linux – Demonstrate Your Skills
Hello, I’m doing the lab "Privilege Escalation: Linux – Demonstrate Your Skills". I’m stuck on the second part regarding the FILE-SRV-DEV. I’ve found with linPEAS a file (/usr/bin/base64) with the SUID bit, but I don’t know if I am on the right track; when I try to use it I get "permission denied". Am I on the right track by trying to use the base64 file? Thanks in advance,
Gwenael
Solved. 39 Views, 1 like, 2 Comments

S3: Demonstrate Your Skills
I have completed all 10 questions except question 6.

6. Access control
Create an access point (AP) called metrolio-dev-ap attached to the metrolio-data-467e6352 bucket. This should allow developers working in the dev vpc vpc-08333ea4fc7562479 using the role arn:aws:iam::447645673093:role/metrolio-developer to list and get all objects in the bucket. Ensure you follow best practices of blocking public access.
NOTE: AWS often faces internal errors – we believe these to be race conditions – when applying policies to new access points. You may need to re-apply the policy to the AP.

I have re-applied the Access Point policy several times but it is still not detected. I’m not sure if it is my Access Point policy or the AWS Immersivelabs that is at fault. Any help would be greatly appreciated. This is my Access Point policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::447645673093:role/metrolio-developer"
          },
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap/object/*",
            "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpc": "vpc-08333ea4fc7562479"
            }
          }
        }
      ]
    }

I tried to replicate similar permissions on the bucket policy only to be denied by a restrictive permission.
NOTE: Account ID, bucket names and a few other identifiers do not match between screenshots 1-2 and screenshot 3. Screenshot 3 is from a different attempt.
49 Views, 1 like, 1 Comment

Radare2 Reverse Engineering: Ep.2 – Windows Binary Part 2
I have run into a challenge with Question 3 on this lab. I can't seem to get the appropriate md5 hash value for the .text section to correctly answer this question. I feel that I am close but slightly off on one of the mandatory calculations. Any insight or guidance on what I'm missing / doing incorrectly would be greatly appreciated. Thanks in advance.
20 Views, 1 like, 1 Comment

APT29 Threat Hunting with Splunk Ep.11 Q11
What other value was set on the same key to facilitate the bypass. Searching on the key, there's only one log entry. I'm not clear on what "other value" means. I've tried all the file paths referenced in that log entry, different parts of the registry key, parts of the script that executes, even the cat.png file. What am I missing?
30 Views, 0 likes, 1 Comment

CVE-2020-11651 (SaltStack RCE) – Defensive
"Using the PCAP file located on the Desktop, what are the last five characters of the root_key that was sent to the attacker?" I am stuck with question number 5. Any hint? I tried tcp.payload matches "_send_pub" and just tcp.port == 4506
Solved. 62 Views, 1 like, 3 Comments