Franco T.’s Post

another machine pwned :) for some reason, the terminal commands are really slow. is there a way to fix the issue? it gets stuck every 2 minutes. I have tried the below command: sudo sysctl vm.swappiness=10 yet it still isn't fixed. open to advice :)

According to Kyle Winton. If it helps... In relation to Crowdstrike there is a fix. Click See Advanced Repair Options Click Troubleshoot Click Command prompt and enter the following pushd C:\Windows\System32\drivers\Crowdstrike del “C-00000291*.sys” exit Click continue, system should reboot normally

#PermX Owned Hack The Box User flag: The first flag was simple to find. I discovered an application running on the web server, which immediately led me to an RCE vulnerability. This allowed me to upload a webshell and, subsequently, a reverse shell to gain access to the system. After some enumeration, I found the local user's credentials and was able to access the first flag. Root flag: The root flag was quite simple. The user account I had access to, could execute a script that used setfacl, which allows users to configure ACLs on directories and files. However, the script could only be executed with files located in the user's 'Home' directory. The way I got around this restriction was by creating a symbolic link to the passwd file within the directory. After running the script, the local user could then modify the file. I removed the root password and was able to access the flag :)

This box was a little bit difficult. I had to mount a system from a backup file found in the host from which I've connected via SMB. Once the system was mounted, I was able to get the SAM hash from the user. From there, I identified and cracked the hash and was able to log into the user's machine via SSH. In this machine, I found that it was running an application called mRemoteNG, which has its configure files located in the "C:\Users\L4mpje\AppData\Roaming\mRemoteNG" directory. In said directory, there was a file called "confcons.xml", which contained the hashes for the User as well as the Administrator. I, then, used a mRemoteNG hash cracker and was able to get the Administrator password, and, therefore, his flag.

🫠 Tricky machine to get a foothold on because I am not quite used to inspecting traffic with Wireshark but eventually got there! 👾 Also make use of a IDOR vulnerability to download the right .pcap file. After that simply run linpeas for privilege escalation. It will highlight what you need to do.

For the current Croudstrike BSOD issue there are a few work around 1. Group policy to remove the file https://lnkd.in/dqzcCM3Z 2. Manually remove the file within Safe Mode, Advanced Start Up (Command Prompt): del "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys" The Reddit thread: https://lnkd.in/gy5UPWtg My chatter on Twitter: https://lnkd.in/gXFkGWNV Try the above in a test environment prior to running it in production.

🎉 This is a special machine from Hack The Box. It shows the old version of the platform. Upon inspecting it, I found an invite code option instead of a registration option. After bypassing this, I checked the API endpoints and found one that was vulnerable. This allowed me to upgrade my user account to administrator level. This allowed me to upgrade my user account to administrator level. With this access, I performed a command injection to gain a foothold. To escalate further, I exploited a vulnerability in the OverlayFS in the kernel (CVE-2023-0386) and successfully escalated my privileges.

But in relation to Crowdstrike there is a fix. Click See Advanced Repair Options Click Troubleshoot Click Command prompt and enter the following pushd C:\Windows\System32\drivers\Crowdstrike del “C-00000291*.sys” exit Click continue, system should reboot normally

How to fix your computer if you are affected by the #crowdstrike crash: 1. Reboot the machine in safe mode 2. Open command prompt with admin credential 3. Run the following command: sc config "csagent" start=disabled 4. Reboot normal #microsoftoutage

🖨 The multifunction device allowed me to specify the domain controller or file server from the website, enabling me to obtain the necessary credentials. With these credentials, I established a persistent connection. To escalate my privileges, I utilized the fact that the user belonged to the Server Operators group. This membership enabled me to configure the Volume Shadow Copy Service, through which I set up a reverse shell, ultimately allowing me to obtain the root flag.