Timelapse is a really nice introduction level active directory box. It starts by finding a set of keys used for authentication to the Windows host on an SMB share. I'll crack the zip and the keys within, and use Evil-WinRM differently than I have shown before to authenticate to Timelapse using the keys. As the initial user, I'll find creds in the PowerShell history file for the next user.

ctf htb-timelapse hackthebox nmap windows active-directory crackmapexec smbclient laps zip2john john pfx2john evil-winrm winrm-keys powershell-history htb-pivotapi

Talkative is about hacking a communications platform. I'll start by abusing the built-in R scripter in jamovi to get execution and shell in a docker container. There I'll find creds for the Bolt CMS instance, and use those to log into the admin panel and edit a template to get code execution in the next container. From that container, I can SSH into the main host. From the host, I'll find a different network of containers, and find MongoDB running in one. I'll connect to that and use it to get access as admin for a Rocket Chat instance. I'll abuse the Rocket Chat webhook functionality to get a shell in yet another Docker container. This container has a dangerous capability, CAP_DAC_READ_SEARCH, which I'll abuse to both read and write files on the host.

hackthebox ctf htb-talkative nmap wfuzz jamovi bolt-cms feroxbuster rocket-chat r-lang docker webhook twig ssti mongo deepce shocker cap-dac-read-search htb-paper htb-anubis htb-registry