VL - Tengu
Initial Access 10.10.193.119 runs a web service named Node-RED on port 1880, which does not require authentication. We can make a flow which executes a reverse shell on the target system: I...
Sweep is a medium rated Windows Vulnlab machine created by Yeeb. The machine consists of getting access through weak credentials, abusing Lansweeper functionalities and abusing more Lansweeper func...
Sendai is a medium rated Windows box created by XCT. This box was originally used as a hiring challenge, with multiple paths to exploit it. In this post I will shortly show one of the paths ava...
Nmap only reveals port 3389/RDP open. When we connect to it without credentials and NLA protocol active: xfreerdp /v:10.10.79.137 -sec-nla we get welcomed with a conference prompt stating the user...
I never finished writing this, accidentally committed it with posting another writeup so enjoy something that is not finished, hopefully it will help :D Loader design Before we start with the fun stu...
Enumeration NMap showed the following ports open: PORT STATE SERVICE 80/tcp open http 445/tcp open microsoft-ds 3000/tcp open ppp 3389/tcp open ms-wbt-server 5357/tcp open wsdapi We n...
Enumeration We start with a quick Nmap scan: └─$ sudo nmap 10.10.205.21,22 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-16 16:28 CET Nmap scan report for 10.10.205.21 Host is up (0.017s la...
Enumeration NMap showed the following ports open: 21/tcp open ftp 22/tcp open ssh 80/tcp open http 873/tcp open rsync 8000/tcp open http-alt By visiting the webpage we noticed a simpl...
Recon Nmap returns only ports 3000 and 22 open. Grafana version 8.0.0 is running on port 3000. Version 8.0.0 is vulnerable to an unauthorized LFI, CVE-2021-43798. It is important to understand what i...