#windows

11 posts

· 18 min medium Windows WingData

HTB: WingData

A NULL byte in Wing FTP Server's login handler triggers Lua code injection for unauthenticated RCE, then a Python tarfile data filter bypass via PATH_MAX overflow writes an SSH key to root.

#htb #windows #web #api +1
· 22 min hard Windows Interpreter

HTB: Interpreter

Pre-authentication Java deserialisation in Mirth Connect, PBKDF2 hash cracking of a dictionary password, and a Python f-string template injection in a root-owned Flask service for privilege escalation.

#htb #windows #custom-interpreter #reverse-engineering +1
· 22 min hard Windows CCTV

HTB: CCTV

Default credentials on ZoneMinder, a time-based blind SQL injection to extract bcrypt hashes, SSH password reuse, and a motionEye command injection running as root through a surveillance daemon's notification configuration.

#htb #windows #web #reverse-engineering +1
· 20 min hard Windows Garfield

HTB: Garfield

An Active Directory domain with a Read-Only Domain Controller whose Password Replication Policy is writable by a Tier 1 admin, enabling the KERB-KEY-LIST attack to extract the Administrator's NT hash.

#htb #windows #active-directory #rodc +1
· 17 min medium Windows Bastard

HTB: Bastard

Drupalgeddon 2 delivers unauthenticated RCE on a Windows Server 2008 R2 box with zero hotfixes, then JuicyPotato turns an IIS service account into SYSTEM via COM/DCOM token impersonation.

#htb #windows #drupal #php +2
· 14 min easy Windows Optimum

HTB: Optimum

A null byte injection in Rejetto HFS 2.3 gives unauthenticated RCE, and a Secondary Logon race condition escalates to SYSTEM on an unpatched Windows Server 2012 R2.

#htb #hfs #windows #rejetto +1
· 14 min easy Windows Grandpa

HTB: Grandpa

A buffer overflow in IIS 6.0's WebDAV handler delivers code execution on Windows Server 2003, and token kidnapping completes the escalation to SYSTEM.

#htb #iis #webdav #windows +2
· 14 min easy Windows Granny

HTB: Granny

IIS 6.0 with WebDAV enabled permits unauthenticated file upload via PUT and MOVE, bypassing extension restrictions to deploy an ASPX webshell. Token kidnapping (MS09-012) escalates NETWORK SERVICE to SYSTEM on Windows Server 2003.

#htb #iis #webdav #windows +1
· 16 min easy Windows Arctic

HTB: Arctic

Adobe ColdFusion 8 on Windows Server 2008 R2 yields unauthenticated RCE through a three-part chain: directory traversal for credential extraction, FCKeditor file upload, and LFI-based CFML code injection. MS10-059 escalates to SYSTEM when JuicyPotato fails.

#htb #coldfusion #windows #directory-traversal +1
· 13 min easy Windows Blue

HTB: Blue

EternalBlue (MS17-010) turns an SMB-only Windows 7 host into a SYSTEM shell in under a minute. The box is a single-exploit machine, but the methodology around blind command execution and exfiltration via writable shares is worth studying.

#htb #smb #ms17-010 #eternalblue +1
· 16 min easy Windows Devel

HTB: Devel

Anonymous FTP write access to an IIS web root creates a trivial foothold. The real lesson is in the privilege escalation — unpatched Windows 7 with no service packs is a kernel exploit playground.

#htb #ftp #iis #aspx +4