hackthebox ctf htb-acute nmap feroxbuster powershell-web-access exiftool meterpreter metasploit msfvenom defender defender-bypass-directory screenshare credentials powershell-runas powershell-configuration

Acute is a really nice Windows machine because there’s nothing super complex about the attack paths. Rather, it’s just about maneuvering from user to user using shared creds and privileges available to make the next step. There are two hosts to pivot between, limited PowerShell configurations, and lots of enumeration.

ctf hackthebox htb-catch nmap apk android feroxbuster gitea swagger lets-chat cachet jadx mobsf api cve-2021-39172 burp burp-repeater wireshark redis php-deserialization deserialization phpggc laravel cve-2021-39174 cve-2021-39165 sqli ssti sqlmap docker bash command-injection apktool htb-routerspace flare-on-flarebear

Catch requires finding an API token in an Android application, and using that to leak credentials from a chat server. Those credentials provide access to multiple CVEs in a Cachet instance, providing several different paths to a shell. The intended and most interesting path is to inject into a configuration file, setting my host as the Redis server, and storing a malicious serialized PHP object in that server to get execution. To escalate to root, I’ll abuse a command injection vulnerability in a Bash script that is checking APK files by giving an application a malicious name field.