‘Lazysysadmin’ is another of the targets as recommended by the excellent TJnull, in preparation for the OSCP. Lazysysadmin is considered an ‘easy’ machine. Just for fun, we’ll take a look at a number of different exploitation routes as well as take a look at some post-exploitation activities (specifically data exfiltration or exfil). Exfil would obviously be of interest to a Red Team operator who is more ‘goal driven’ and not so fixated on gaining root.
This VulnHub writeup is based on Neuromancer - part two of the excellent ‘Wintermute 1’ challenge, created by creosote. I’ll spare you all the detail, but as a quick recap, after having rooted Straylight we find that it is dual-homed - i.e. it is part of a second sub-net. We pick up the action from the ‘note.txt’ file found after having gained root privs on that box. TLDR/Spoiler Alert: The privesc route for this machine is not the obvious one chosen by other people who have taken the time to put together so many great writeups.
This VulnHub writeup is based on Straylight - part one of the excellent Wintermute 1 series found on Vulnhub, created by creosote. The Wintermute 1 series is designed to be similar to some of the challenges presented by the ‘OSCP’ (Offensive Security Certified Professional) labs. Skills such as pivoting are really put to the test in the series, and it certainly ticked the box for me in terms of learning new stuff.
I’ve recently been approached to help introduce some new folk to the wonderful world of ethical hacking. The assumption is that they may know about the basic theory behind the stages of rooting a target, but have little by way of hands-on experience. Ideally I want to do something that can be completed in a group scenario where everyone can play along and achieve root in a couple of hours tops.
‘Stapler’ is the second machine from Vulnhub.com that I looked at as part of my OSCP preparations. This one just requires good enumeration skills and leaving no stone unturned. This is a lesson I learned after discovering two different ways for privesc. I had been reading other writeups on this box and then I learned a third way of compromising this machine. I obviously hadn’t read notes posted on Vulnhub by the author, and neither did I pay FULL attention to the output from my enumeration tools.
‘Fristileaks’ is the first of my efforts to exploit Vulnhub.com machines as part of my OSCP preparations. I needed some additional machines to help fine-tune my methodology to do things as ‘surgically’ as possible without getting stuck down pointless rabbit holes. I love reading the stuff from abatchy and I decided to get stuck into their recommendations for ‘OSCP-like Vulnhub VMs’. I like to go into lots of (hopefully) useful detail in a progressive manner, starting with an overview and then getting more into the nuts and bolts.