Mohamed Khalil Mzali

TombWatcher is a Medium Windows Machine that starts following an assumed breach scenario with an access to the tombwatcher.htb domain. This user can perform a targeted Kerberoast over alfred who has AddSelf over the Infrastructure group followed by ReadGMSAPassword over a machine account ANSIBLE_DEV$. That machine account can ForceChangePassword over Sam who has WriteOwner ACL over john, a member of the Remote Managament Users that will be used for the user foothold. For root access, we found th ...

DLL injection consists on injecting a DLL within a memory page inside the virtual address space of a target process, before invoking a thread that calls LoadLibraryA from kernel32.dll to load that DLL. OverviewDLL injection consists on injecting a DLL within a memory region inside the virtual address space of a target process, before invoking a thread that calls LoadLibraryA from kernel32.dll to load that DLL. This process injection techniques involves: Toolhelp32: To enumerate running processe ...

Remote Process Injection consists on injecting a shellcode within a memory region inside the virtual address space of target process’s memory. OverviewThis process injection technique involves: Toolhelp32: To enumerate running processes within a read-only snapshot and search for a process by its name. OpenProcess: To get a handle on a specific running process with necessary access rights. VirtualAllocEx: To allocate a memory region within the virtual address space of the target process using it ...

Reflection is an AD chain composed of 3 machines MS01, WS01 and DC01. It involves NTLM Relaying, exploiting LAPS and Resource-Based Constrained Delegation. Scan for DC01 12345678910111213141516171819202122PORT STATE SERVICE VERSION53/tcp open domain Simple DNS Plus88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-29 17:42:03Z)135/tcp open msrpc Microsoft Windows RPC139/tcp open netbios-ssn Microsoft Windows netbios-ssn389/tcp o ...

Trusted is an Active Directory Chain from VulnLab that starts with an LFI leading to MySQL database Access. Then, it follows with a compromise of the child domain and a bidirectional child to parent domain trust exploitation. EnumerationScan for 10.10.152.117 machine 1234567891011121314151617181920212223242526272829303132333435PORT STATE SERVICE VERSION53/tcp open domain Simple DNS Plus88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11- ...

Baby is a Linux machine from VulnLab, focusing on LDAP anonymous binding accesss as the initial foothold vector, and using SeBackUpPrivilege to escalate our privileges. EnumerationFirst, We start by enumerating the machine using the following command:  1nmap -Pn -p- -A -oN scan 10.10.112.168 Here is the output of the previous command: 12345678910111213141516171819202122232425262728293031323334353637383940414243444546PORT STATE SERVICE VERSION53/tcp open domain Simple DNS Pl ...

Feedback is a Linux machine from VulnLab, released at the end of 2021 and focusing on Log4j exploit for the initial foothold, and password reuse to escalate our privileges. EnumerationWe start by enumerating the machine, by executing the following command: 1nmap -p- -A -Pn -oN scan 10.10.82.10 Output of the scan: 1234567891011PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)| ssh-hostkey: | 2048 13a2f4af3d3ddceb500bd29cb2bf616d ...