offensive cyber
54 Topics

PoshC2: Ep.6 – Demonstrate Your Skills
I'm stuck on Q8 - Run a privilege escalation enumeration module. What is the Administrator password? I know the answer is output in the command Invoke-AllChecks but I always get an error when running the command. Any help is appreciated.
Solved, 19 Views, 0 likes, 2 Comments

Halloween Labs - ideas, suggestions, wants
What would you want to see from future Halloween labs? Did you really enjoy a particular aspect of previous years? Any technologies, themes, rewards you want to see? Want more Community content - webinars, events, media within the labs?
137 Views, 3 likes, 6 Comments

Hacking tools
Just (re)entering the space of hacking hardware (I had a flipper, but it went boom after a fallout with a bottle of Coke and the rubbish attached lids we have in the UK). I am getting the stuff to build a Bjorn networking tool as a first project. In an "Oh-I-wonder-if-I-could-build-one-educational" activity... Has anyone built one before? What use did you get out of it? What other tools have people built?
28 Views, 1 like, 5 Comments

Your first lab level 9
What was the first level 9 lab you conquered? :) It does not matter that you will seek advice from other giants, or that you will manage to complete it on your own: share your journey with us! To get the token or become root on that server. I'll start: I think that my first conquest of Lab level 9 is related to debugging ByteCode in Java (and only a few days ago!): my background is Oracle, and from years ago, so imagine how lost I was :). After loading the project into the IDE (along with the required plugin) I started debugging bit by bit... until one particular string caught my attention; it stood out from the rest! And it was the solution :). Good luck!
357 Views, 2 likes, 10 Comments

Windows Exploitation: Bypassing AppLocker Allowed Paths
Hello, I need assistance with a lab on Windows Exploitation: Bypassing AppLocker Allowed Paths. I have tried to clear this lab but I'm unable to run powershell.exe. I have tried to locate other installations of PowerShell on the Windows machine but even those executables within C:\Windows\WinSxS are getting blocked. Please help me on this to crack down.
78 Views, 0 likes, 4 Comments

CVE-2021-22205 (GitLab) – Offensive
Has anyone encountered an issue (or not) with this lab? It seems fairly trivial to create the file using the remote GitLab instance IP and then use the commands included in the linked attackerkb article to upload the image with the reverse shell and gain access. However, when I try to upload the image using the curl command I get a response 422 Unprocessable Entity. In the HTML:

<div class="container">
  <h3>The change you requested was rejected.</h3>
  <hr />
  <p>Make sure you have access to the thing you tried to change.</p>
  <p>Please contact your GitLab administrator if you think this is a mistake.</p>
  <a href="javascript:history.back()" class="js-go-back go-back">Go back</a>
</div>

Furthermore, in the attackerkb article it states:

Finally, it’s possible to determine if a remote GitLab instance is vulnerable based on it’s response to a POST request. For example:

albinolobster@ubuntu:~$ echo lollol > test.jpeg
albinolobster@ubuntu:~$ curl -v -F 'file=@test.jpeg' http://10.0.0.7/$(openssl rand -hex 8)

The unpatched version will respond with an HTTP 422 response and some text indicating “The change you requested was rejected.” The patched version of GitLab will respond with an HTTP 404 response and text indicating “The page could not be found…”.

When running these commands I receive a 404 Not Found response rather than 422, leading me to believe that the GitLab version is patched and not vulnerable.
Solved, 56 Views, 0 likes, 5 Comments

A Letter to Santa
Hello everyone, Wrong time of year, I know.. I've been having a go at the Christmas challenge collection and am stuck on "A letter to Santa". I've managed to get code execution as user but am struggling with the priv esc. I've found the cron job which runs chmod 600 * as root in /etc/letters. Is it possible to use chmod to priv esc? I've tried creating a file called '--reference=file' and created another file called 'file' with 7777 privileges - resulting in anything in the directory having the suid bit set. Tried copying bash and creating a symlink, but with no luck. Am I going down a massive rabbit hole with this? Or missing some obvious plain text creds somewhere?
Solved, 57 Views, 1 like, 4 Comments

Snort Rules: Ep.9 – Exploit Kits
I am pulling my hair out with question number 8: Create a Snort rule to detect the third GET request in the second PCAP file, then submit the token. This one should do it but it is not working.

alert tcp any any -> any any (msg:"detect the third GET request"; content:"e31e6edb08bf0ae9fbb32210b24540b6fl"; sid:1000001)

I tried so many rules based on the first GET header and am still unable to get the token. Any tips?
64 Views, 0 likes, 1 Comment