offensive cyber
64 TopicsKerberos: Active Directory Certificate Services lab - getting KRB-ERROR (16): KDC_ERR_PADATA_TYPE_NOSUPP
Lab: Kerberos: Active Directory Certificate Services - Labs - Immersive I am not able to get tgt ticket using this command .\Rubeus.exe asktgt /certificate:cert.pfx /user:Administrator /ptt It throws error: KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP I have tried all the steps in same order: 1. .\Certify.exe find /vulnerable 2. .\Certify.exe request /ca:DC01.krbtown.local\krbtown-DC01-CA /template:VulnTemplate /altname:Administrator 3. generate cert.pfx and running rubeus. Searched for this error and it says - "In order to login using a certificate through a valid Kerberos TGT, Public Key Cryptography for Initial Authentication (PKINIT) must be supported in AD." Can someone plz help me to solve the lab.50Views0likes1CommentApache Header Tampering
Can someone point me to the right track? On this one, I found the hidden directory, used an X-Forwarded-For: to see into that directory where scanning for files showed a lot of 404s, with just a few 403 response codes. I've tried everything I can think of with variations on X-Original-URL:, X-Rewrite-URL:, and X-Forwarded-Uri:, but none of them get me able to see into any of the files/directories. I've even tried a few variations instead of X-Forwarded-For:, such as X-Client-IP: and a few others. I feel like I must be missing something. I didn't find any actual .php files in the hidden directory but the question seems to indicate that there are some in there. I found what I think are other directories within that first hidden directory.Solved42Views0likes2CommentsNetcat: Advanced Features last question (9)
I'm supposed to do a reverse bind using an netcat website. it hangs and the client and there is no feedback on the netcat website that the listener is working. i don't need the course i was taking it this one for fun, but fun it hasn't been.98Views0likes2CommentsNHS Offensive Cyber Range: Armsdon Hospital
Hi all, Just wanted some advice on this as I am stuck. I managed to get into the intranet using SQL injection/union and extract all the usernames and passwords. I am not sure if I am on the wrong path or doing things in the wrong order for the next part. The FTP server seems to only be active on RDP. The DC has no samba vulnerabilities. So... I assume I try to use the credentials from the intranet to RDP to the DC/FTP (then after this elevate access using other techniques) but so far that has failed for the Armsdon users I have tried their users/passwords (from the intranet). Any tips welcome!88Views0likes2CommentsTrick or Treat on Specter Street: Morphy's Mansion Challenge
I understand that the move_logger is the vulnerable program, and tried a few methods to exploit it. However, where is the token.txt? Anyone managed to find it? "Whatever means necessary" is quite broad. Any hints from anyone?Solved165Views0likes1CommentTrick or Treat on Specter Street: Serpent Sanctum
So for this challenge we have got hint: (serpent-statue) $ hint Maybe the fang can be in two places at once... Tried to copy both fang.key and fang2.key to statue folder but it did not allow me. The error message: The statue's eyes flare red with anger. This is merely a copy; a false fang with no power. The worthless copy crumbles to dust in your hands. What other methods can we try here? Anyone solved it already?Solved131Views0likes5CommentsCVE-2022-30190 (Follina) ms-msdt Scheme Abuse – Offensive Question 11
Hey guys, wondering if when trying to upload the payload for "Question 11: In a browser, visit http://<TARGET_IP>:8080, upload the payload.docx file, then press Submit and Execute" if this error is supposed to be generated. After choosing the file after clicking browse sometimes this work. After executing nothing seems to happen though. even after 30 seconds of waiting.Solved69Views0likes1CommentCVE-2022-26134 (Confluence) – OGNL Injection
For Question 6. Look at the first exploit attempt by this attacker. What command did they run? I am wondering about why when sharing the commands found in the logs, it still outputs wrong. even if typing in "X-Cmd-Response" as the command as well as the entire string found. Wondering if they are exepecting a different format/snippet of the code, or the GET requests instead?124Views0likes4CommentsCVE-2021-25281 (SaltStack) – Offensive
I've tried every way I can think of to use the python script for this lab. Here's and example using the state option: I've also tried creating a python script to try to write to the /var/cache/salt/master/extmods/ directory, and tried creating the ssh key and uploading the public key with the ssh option. I've thrown some print commands in to see what is being passed in the requests. All end up with the Traceback similar to above. Is there something I'm missing in the syntax?Solved120Views1like2Comments