Recent Posts

  • TryHackMe: HackPark Walkthrough
    For this machine, we discover a website running on BlogEngine and proceed to brute force our way into the admin account. From there, we exploit the vulnerable version of BlogEngine via remote code execution to gain our initial foothold. We then pursue two privilege escalation vectors: the first through discovered admin credentials and the second through DLL hijacking.
  • TryHackMe: Alfred Walkthrough
    In this walkthrough, we discover a Jenkins application running on the target. We find two ways to execute commands on the target via Jenkins and we exploit these methods to pop a shell on the target. We then use token impersonation to create a new user with admin privileges. Finally, we connect to the target as this new user, thereby gaining root privileges on the target.
  • TryHackMe: Steel Mountain Walkthrough
    In this walkthrough, we go through some basic enumeration and find a vulnerable HTTP File Server running on the target. We proceed to exploit this vulnerability, using a public exploit, to pop a shell on the target. We then take advantage of an unquoted service path to run a malicious executable that connects back to our machine with a SYSTEM session, giving us full access to the target machine.
  • TryHackMe: Kenobi Walkthrough
    In this walkthrough, we enumerate SMB shares with Nmap and download them using smbget. We also leverage the vulnerable mod_copy module in ProFTPD to gain access to the target user’s private SSH key. Using this private key, we SSH into the target and escalate our privileges by exploiting a PATH variable manipulation vulnerability in a third-party SUID binary.
  • TryHackMe: Blue Walkthrough
    For this machine, we exploit EternalBlue (MS17-010) both manually and with Metasploit, encounter exploit failures, migrate our Meterpreter session from one process to another, dump password hashes and crack the administrator’s password using John the Ripper.