Cyber Security Specialist

Made by RebornSec ®

Fuse is a Windows box made by egre55; it is good practice for advanced enumeration on Windows machines. Without further ado, let’s start our work :)


Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Finding some credentials in the directory admin-dir/
  • Checking the files on FTP using the credentials we found
  • Creating our own MySQL db and linking it to the Adminer administration platform
  • Getting the credentials and logging in as waldo
  • We get User.txt
  • Creating a make_archive() function inside a file called shutil.sh
  • Launching shutil.sh using option 6
  • We get Root.txt


Made by RebornSec ®

This is an amusing box made in preparation for Halloween. So let’s start the MAGIC.


Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the defaced webpage
  • Grabbing the username and the password for the webshell (some OSINT)
  • Replacing the webadmin SSH key with ours
  • Logging in as webadmin
  • Embedding our SSH key using luvit
  • Logging in as sysadmin
  • We get User.txt
  • Checking the services to find a script that runs every 30 s as root
  • Checking /etc/update-motd.d/00-header
  • Editing the script to get root.txt when it’s executed
  • Logging in as sysadmin again
  • We get Root.txt

Enumeration phase :

As usual, let’s start off with an Nmap scan:

[~] nmap -sC -sV 10.10.10.175


Made by RebornSec ®

Machine Maker(s) :

Overview :

  • Retrieving some information from the webpage
  • Enumerating LDAP and finding users
  • Getting the password hash of our wanted user
  • Logging in as fsmith
  • We get User.txt
  • Finding a password in the logon registry
  • Logging in as svc_loanmgr
  • Uploading mimikatz and grabbing the Administrator NTLM hash
  • Logging in as Administrator using Evil-WinRM
  • We get Root.txt

Enumeration phase :

As usual, let’s start with the Nmap scan:

[~] nmap -sC -sV 10.10.10.175


REBRON SECURITY
