ARZ101

514 Followers

Sep 9

Vulnlab — Baby2

Baby2, a medium-rated machine, involved enumerating SMB shares to find a logon script. With the credentials, this script can be modified to get a shell as Amelia, who belongs to a group that had WriteDACL on Gpoadm, granting full control over gpoadm and changing the account’s password…

Ctf

5 min read


Sep 1

HackTheBox — MonitorsTwo

MonitorsTwo involved exploiting Cacti, which was vulnerable to unauthenticated remote code execution (CVE-2022-46169), returning a shell as www-data in a Docker container, escalating privileges to root through capsh in the container, and then getting root on the host by abusing CVE-2021-41091, which is a flaw in Docker Engine…

4 min read


Sep 1

Vulnlab — Retro

Retro, an easy-rated machine, involved enumerating SMB shares to find an account with a weak password, then finding a note about a pre-created computer account that had enrollment rights on a template allowing a certificate to be requested on behalf of any other user, known as the ESC1 template attack. NMAP PORT…

Ctf

4 min read


Aug 24

HackTheBox — OnlyForYou

OnlyForYou, a medium-rated machine, involved enumerating vhosts to find an application that lets us download the source, which was vulnerable to LFR (Local File Read), leading to reading the nginx config to find the root directory of the application and reading the source code of the…

Ctf

6 min read


Aug 21

Vulnlab — Lustrous

Lustrous, a medium AD chain, involved two machines, LusMS and LusDC. On LusMS, the FTP share held usernames, of which ben.cox didn’t require pre-authentication, resulting in AS-REP roasting. With remote access to LusMS, the local administrator password was found in the form of a secure…

Ctf

8 min read


Aug 16

Vulnlab — Intercept

Intercept, a hard-rated chain, involved two machines, WS01 and DC01: on WS01, coercing NTLM authentication by uploading files with different extensions to grab the hash of the user, performing Resource-Based Constrained Delegation (RBCD) by utilizing WebDAV and PetitPotam to relay WS01’s hash through LDAP, abusing GenericAll to…

Active Directory

8 min read


Aug 14

Vulnlab — Reflection

Reflection is a medium Active Directory chain consisting of three machines, MS01, WS01 and DC01. On MS01, MSSQL staging credentials were found on an SMB share, which led to relaying the NTLM hash to DC01’s SMB shares, where the service account had access to the prod share containing credentials…

Ctf

9 min read


Aug 4

HackTheBox — Agile

Agile involved using Local File Read (LFR) to read the source files with debug mode enabled, allowing access to the Werkzeug console by reading the files responsible for generating the PIN. With access to the console, getting a shell as www-data and escalating to the corum user by accessing the database to retrieve the…

Ctf

6 min read


Jul 28

HackTheBox — Cerberus

Cerberus, a hard-rated mixture of Linux and Windows, involved exploiting icinga2 through two CVEs, arbitrary file disclosure (CVE-2022-24716) and authenticated RCE (CVE-2022-24715), giving a shell as www-data, then escalating privileges on the Linux system through firejail (CVE-2022-31214). As the root user, a domain user’s cached hash was recovered from sssd, which…

Ctf

7 min read


Jul 12

Vulnlab — Hybrid

Hybrid is an easy Active Directory chain involving two machines, MAIL01 and DC01. MAIL01 had Roundcube webmail running, and an NFS share available for mounting held the credentials for Roundcube, which was using a plugin for marking mails as junk that was vulnerable to remote code execution with a crafted…

Ctf

8 min read

Smol Pentester | OSCP | CTF Player | UwU
