Here’s a fun rundown of a zero day vulnerability that was seen last year. It was called PrintNightmare, and it ravaged through some Windows computers. It used two CVEs that first grabbed credentials through SMB, and second allowed privilege escalation through the printer spool. I was able to play with this through a practice computer found on Hack The Box but can’t reveal its name due to it still being an active challenge (against the rules). In any case, seeing the exploit in action below should give you a good idea of the exploit’s capabilities.


Excerpt from this site:

When the user will browse the share a connection will established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the username and the password of the user. During that authentication process a random 8 byte challenge key is sent from the server to the client and the hashed NTLM/LANMAN password is encrypted again with this challenge key. Responder will capture the NTLMv2 hash.

With basic credentials, this .scf file can be used to initiate a flow of viewable information. Before uploading, make a responder available to receive the information.

Continue Reading

Bastard on HTB – Retired




Nmap 7.91 scan initiated Fri Feb 12 23:36:02 2021 as: nmap -A -p- -T4 -oG nmap.init
Host: () Status: Up
Host: ()
80/open/tcp//http//Microsoft IIS httpd 7.5/,
135/open/tcp//msrpc//Microsoft Windows RPC/,
49154/open/tcp//msrpc//Microsoft Windows RPC/
Ignored State: filtered (65532)
Nmap done at Fri Feb 12 23:38:42 2021 — 1 IP address (1 host up) scanned in 160.81 seconds

Continue Reading

HTB – Bank – FH: DNS / File Upload

The Bank box was the first time I ran into virtual hosts on a web server. Till now, I’ve been able to discover all of the directories with a simple dirb or gobuster scan… this time was very different.

The NMAP scan showed only a few ports open. 22, 53, and 80. I always bypass 22 because there are rarely SSH exploits that go quick, so it was on to the other two ports. Interestingly, they had DNS running on port 53 and the description was ICS BIND. Bind is the Berkeley Internet Name Domain, and ISC bind can run in a large number of Linux environments. In this case, it was used to map to folders that didn’t show on an IP address scan of the machine.

Continue Reading

HTB – Haircut – FH: Curl

The only ports available on the Haircut box were 22, and 80. As SSH usually reveals no interesting attack vectors, it’s always best to go for port 80. So I visited the site.

Continue Reading
Scroll to top