I've taken a short break from the PWK labs, due to family business. Right before the break I managed to root a host running a specific database platform. I've gathered all the evidence, but the most frustrating thing is that, as you may have read, I can no longer reproduce the break-in!
The fourth host was apparently one of the easier ones in the labs, with many folks on the OffSec forums being about as cordial as the average League or CS:GO player. "Most simplest in the list it took only 15 minutes :p" "omw, enumerate and 15 seconds later done and dusted"
After confirming my ideas about the host with an automated attack in Metasploit, I proceeded to reproduce the attack manually. ExploitDB has a readymade C program that exploits the vulnerability to provide a remote shell. GCC initially refused to compile, because one locally defined function macro required an unloaded library. I'm glad that GCC provided the exact hint that got me on my way :) I've made sure to submit the bugfix to ExploitDB through GitHub, making it my second fix for EDB! :D
That's four boxes popped and explored. After gaining root on each host, I spend a lot of time combing through files, email boxes and databases, scouring for good hints. All the password hashes get run through hashcat or NTLM Cracker, to attempt lateral movement.
To quote the Mickey-D's commercials: I'm lovin' it!
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Thomas Sluyter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.