This will be a practical demonstration of how a student on Moodle version 3.9 can exploit an XSS vulnerability to gain a teacher's session, then escalate from teacher to manager, and from there to RCE to get a local shell.

For this to work, you should have access to a student account on Moodle and be enrolled in at least one class.

First we take advantage of CVE-2020-25627 to steal the teacher's session cookies.

TL;DR — CVE-2020-25627
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk. This affects versions 3.9 to 3.9.1. Fixed in 3.9.2.

The objective is to steal…


This is a practical walkthrough of the “Armageddon” machine from HackTheBox. Credit goes to bertolis for making this machine available to us.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Synopsis

“Armageddon” is marked as an easy difficulty machine which features Apache hosting a vulnerable Drupal CMS on Linux. We exploit the Drupalgeddon2 vulnerability to gain initial access on the target machine, then use the database credentials stored on it to access the DB and retrieve a user credential (hash). We crack the hash and log in to the user account; this user has permission to run a binary as root…


This is a practical walkthrough of the “Luanne” machine from HackTheBox. Credit goes to polarbearer for making this machine available to us.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Synopsis

“Luanne” is marked as an easy difficulty machine that features nginx and supervisor to host the website and control system processes. The website has basic HTTP authentication enabled, but a certain HTTP directory is wide open and returns weather information for UK cities when queried manually. The web application is backed by a Lua script which generates random data about a city’s weather. Taking advantage…


This is a practical writeup of the “Tally” retired machine from HackTheBox. Credit goes to egre55 for making this machine available to us. Although this machine is from 2017, the simulated vulnerabilities are true to life.

Synopsis

“Tally” is marked as a hard difficulty machine that features an IIS web server and SharePoint CMS with MSSQL running in the background. Gobuster gives us a path to FTP credentials. FTP has a directory with a KeePass credential database; we crack the master password of the DB and get access to SMB credentials. SMB access gives us credentials to the MSSQL DB. …


This is a practical walkthrough of the “Time” machine from HackTheBox. This machine is marked as medium level. Credit goes to egotisticalSW & felamos for making this machine available to us, and the base points for this machine are 30.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Synopsis

“Time” is a medium difficulty Linux machine that features an Apache server hosting a PHP website. The website homepage is an “Online JSON beautifier & validator”. Many websites offer APIs which return data in JSON format. Often the JSON provided has whitespace compressed to reduce the…


This is a practical walkthrough of the “Passage” machine from HackTheBox. This machine is marked as medium level. Credit goes to ChefByzen for making this machine available to us, and the base points for this machine are 30.

This walkthrough will be explanatory, because I learned a lot of new things from this machine. So, don’t mind my blabbering.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Enumeration

We will kick off this machine by enumerating it with nmap.


This is a practical walkthrough of the room “Watcher” from TryHackMe. Although this room is marked as easy level, for me it was more of a medium level. This room is aimed at boot2root, web exploitation, privilege escalation and LFI.

Room Link: https://tryhackme.com/room/watcher

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take up to 3–5 minutes to load and become accessible). There are two ways to access the deployed target machine. 1) Use the attacker box — provided by TryHackMe, it consists of all the required…


Room Link

This is a practical walkthrough of the room “Retro” from TryHackMe. Although this room is marked as hard level, for me it felt like medium level.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take up to 3–5 minutes to load and become accessible). There are two ways to access the deployed target machine. 1) Use the attacker box — provided by TryHackMe, it consists of all the required tools for attacking. 2) Use the OpenVPN configuration file to connect your own machine…


This is a practical walkthrough of the room “Inferno” from TryHackMe. Although this room is marked as medium level, for me it felt difficult. This room is aimed at HTTP basic auth, an IDE exploit and Linux PrivEsc.

This walkthrough will be explanatory, because I learned a couple of new things from this room. So, don’t mind my blabbering.

Room Link: https://tryhackme.com/room/inferno

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take up to 3–5 minutes to load and become accessible). There are two ways…


This is a practical walkthrough of the room “En-Pass” from TryHackMe. Although this room is marked as easy level, for me it was closer to a difficult level. This room is aimed at tricky web application exploits and PrivEsc.

This walkthrough will be explanatory, because I learned a couple of new things from this room. So, don’t mind my blabbering.

Room Link: https://tryhackme.com/room/enpass

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

First Things First

Deploy the target machine (this machine might take up to 3–5 minutes to load and become accessible). There are two ways to…

Aniket Badami
