Hi, here we will see some things which we can do with LFI. And combining this info how we can get RCE.

1. Turning LFI into RCE by sending emails via SMTP

Note: This scenario is in HTB Beep Machine. SMTP server is also running on the machine at port 25.

We start with a basic LFI

https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/passwd%00&module=Accounts&action

a. Identifying user with which current process is running-

Basically, /proc/self/ represents the process that’s reading /proc/self/. So if we try to open /proc/self/ from a C program then it represents that program. If you we to do it from the shell then it is that shell…

/proc/self/status

if we try to read the contents of “/proc/self/status” then it will output…

Hi readers this is just another windows privesc article. Here we will be seeing how misconfigured services, registry and exposed SAM/SYSTEM files can be exploited for escalating privileges….

Some windows learning prerequisites:

Types of groups in Windows:

1. Regular Groups e.g Administrators, Users
2. Pseudo Groups- Groups are created for short period of time. e.g Authenticated Users, NT AUTHORITY\INTERACTIVE

Types of user accounts in Windows:

1. User Accounts- Used by users to login. e.g Administrator(default)
2. Service Accounts- Used by different software services to run. Cannot be used to login. e.g LocalService, NetworkService, LocalSystem etc.

Access Control lists (ACLs) contains info regarding permissions for…

Hi, readers here we will be seeing how can we can create our own personal VPN server on oracle cloud(However, these same steps will work for every cloud provider and also for your local machine). Specifically we will be creating wireguard VPN server using algo VPN, which is a open source project created for this specific purpose of easily setting up personal VPN server on cloud(https://github.com/trailofbits/algo). Lets start….

1. Creating a VM compute instance

a. Login to your oracle cloud account and Click Create VM instance option.

b. In the next screen you will be prompted with various configuration options for your instance. First we can…

Hi readers here we will see how we can tunnel tcp traffic inside ssh session. There are two types of tunneling/forwarding local and remote. In local we expose services running on system accesible to remote server(ssh server) to our local network and in remote we expose services running in local network to a device accesible by remote server(ssh server). I have found a excellent diagram explaining this on stackexchange discussions (https://unix.stackexchange.com/questions/115897/whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remot) take a look and you will get more clear picture what is going on here.

NOTE: Please keep in mind for case 2 of both -R and -L options…

Hi readers, here we will see how we can get reverse meterpreter shell from a internal machine(which is not connected to internet). For more understanding this article can be followed after reading previous article(https://pswalia2u.medium.com/pivoting-metasploit-proxychains-85d18ce5bf2d)

Prerequisites:

Already compromised system(Pivot) with meterpreter session with already autoroute configured for next machine(10.100.11.100).

Hi, here we will see how we can perform Man in the middle(MITM) attack on compromised remote windows machine.

Prerequisites: Meterpreter session

sessions -l

Steps:

1. Installing VPN server:

I have already installed it. You can install it by running the command given below.

This is just another pivoting tutorial(Nothing special). We will try to find other hosts in the internal network of a organization and will do basic enumeration on discovered hosts.

Prerequisite:

Already compromised host with meterpreter session.

1. Let’s check available meterpreter sessions:

sessions -l

2. Using autoroute module to create a pivot for the other network i.e. 172.30.111.0/24 . After running this all the metasploit modules will be able to access internal network 172.30.111.0/24.

(Here in this lab scenario, we already know this subnet exists)

msf6 post(multi/manage/autoroute) > set session 1
session => 1
msf6 post(multi/manage/autoroute) > set subnet 172.30.111.0/24
subnet => 172.30.111.0/24
msf6 post(multi/manage/autoroute)…

Serialization is nothing but a way of representing objects as a long string. Methodology here is similar to encoding. We are converting objects into more usable, easy to handle format to be handled by our application or for our network stack.

<?phpclass User
{
 public $username;
 public $isDumb;public function printData()
 {
  if($this->isDumb)
  {
   echo $this->username . ' is dumb.';
  }
  else 
  {
   echo $this->username . ' is not dumb.';
  }
 }
}$obj=new User();#instantiating class
$obj->username='bholu';
$obj->isDumb=False; #change this boolean variable
$obj->PrintData();
echo "\n";
echo serialize($obj);?>

Let’s see what is going on here:

We have created…