All Posts

  • Published on
    The challenge is a webapp with a Command Injection vulnerability. The goal is to exploit it by making an internal request to the Azure instance, extract the access token used to authenticate, and then retrieve the Azure Subscription ID, which is the flag.
  • Published on
    The challenge is a webapp with an SSRF vulnerability. The goal is to exploit it to steal sensitive EC2 metadata, then use the IAM credentials to make an authenticated API call and retrieve the Instance ID, which is the flag.
  • Published on
    SMB enumeration reveals Ansible configuration files for a running webserver that hosts an LDAPS server. Those files contain an Ansible vault with a crackable password, revealing credentials to the LDAP server; a Pass-Back Attack then exposes further sensitive credentials that are used for the initial foothold. Later, enumerating ADCS reveals an ESC1 misconfiguration exploitable by the Computer Accounts group, which leads to creating a computer account, spawning an LDAP shell, and adding the low-privileged user to the Administrators group, gaining DA access.
  • Published on
    Guest Logon enumeration leads to early access to an SQL Server, which allows an NTLM Relay attack that captures a crackable hash. The resulting valid credentials are used to find another user's credentials in a backup log file. Elevation to Domain Admin follows from enumerating certificate templates and finding that the current template is vulnerable to ESC1.
  • Published on
    Early situational awareness allows us to move laterally between users through common DACL misconfigurations. The compromised users' credentials reveal a crackable Password Database file on the FTP service, which leads to user access. For root access, further common DACL misconfigurations allow us to perform DCSync on the domain, gaining DA.