HTB University CTF 2024 - Freedom (full-pwn)
This year my university and I took on the Hack The Box University CTF 2024 again. I had less time than the previous year, but we still managed to get into the top 40 with only about 4 active students :P. I solved the Freedom full-pwn, which was the hardest rated of the three full-pwn challenges. I solved it using an unintentional path. However, I still learned a few cool things along this path, which is the reason for this write-up.
Scanning and recon
Since it is a full-pwn challenge we only have the IP ...
Windows Privilege Escalation without CA, LDAPS and SPN using NTLMRelay2Self with RBCD
In one of my blog posts, I write about the NTLMRelay2self attack, which abuses the WebClient service (WebDAV) to NTLM-relay a system to itself and force it to forward that session to our impacket-ntlmrelayx listener on port 80. Read more about it here: https://www.incendium.rocks/2024/02/29/NTLM%20Relay%202%20self%20without%20Printer%20Spooler%20and%20DNS/. In that blog post I describe the possible attack vectors after having an (LDAP) session as the computer account, e.g. COMPUTER$. I continue ...
OSWP preparation and exam experience
Today, I want to tell you a story about my journey towards OSWP (Offensive Security Wireless Professional). It was quite a fun and interesting experience. OSWP is my second certification from OffSec, next to OSCP. OSWP had way less course content and study input. Nevertheless, for me Wi-Fi was a fascinating field to learn more about the offensive side of things.
What is OSWP (PEN-210)?
For those who don’t know: OSWP (Offensive Security Wireless Professional) is a certification for those who want ...
BSCP preparation and exam experience
The past 2-3 months, I’ve been spending some time on preparing for the BSCP (Burp Suite Certified Practitioner) certification. I passed the exam and in this post I will share how I prepared, how the exam went and some tips for you to pass the exam.
What is BSCP?
From PortSwigger: “The Burp Suite Certified Practitioner (BSCP) is an official certification for web security professionals, from the makers of Burp Suite. Becoming a Burp Suite Certified Practitioner demonstrates a deep knowledge of ...
TU Delft CTF 2024 - Script Runner
On the 5th of October 2024, my team and I attended the TU Delft CTF 2024. Our team won 3rd place with a total of 5403 points. In total, 51 teams attended the CTF, with 4 members each. It was a fun CTF and well organized too. Props to the organization!
Write-up Script Runner
Script Runner is a web challenge that was rated the hardest of the web challenges by the organizers. In total, 4 teams were able to solve this challenge.
Summary
Script Runner hosts a service to run scripts that you upload! ...
Defeating Windows Credential Guard
Microsoft introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016. It is enabled by default on all systems running Windows 11, version 22H2 and later, that meet the requirements. It can be assumed that Microsoft will enable Credential Guard on Windows Server by default too in the future.
Before we continue, this blog is heavily based on Oliver Lyak’s blog: https://research.ifcr.dk/pass-the-challenge-defeating-windows-defender-credential-guard-31a892eee22. Oliver Lyak did all of ...
NTLM Relay 2 self without Printer Spooler and DNS
If you landed on a system as a user with low privileges inside a domain, you could coerce the system to authenticate to itself over HTTP (WebDAV) and relay that request to the domain controller using ntlmrelayx. NTLM relay attacks are not new and have been a big attack surface in the Windows realm for years. However, relay attacks over HTTP are harder to prevent and may even be unpatchable (forever day).
There are a few ways to perform this attack. One common way is to use Pri ...
My OSCP preparation and exam experience
Disclaimer: I am not allowed to share any details about the exam I took, so it will be more a general view of it.
Preparation
Although I have some experience with pentesting, I did not want to underestimate the exam. Before I bought the course from Offensive Security, I had already completed 100+ boxes on HackTheBox. I also completed four ProLabs from HackTheBox: Dante, Zephyr, Offshore and RastaLabs. These boxes and ProLabs taught me basically everything I needed to know for the exam.
In the beginni ...
HTB University CTF 2023 - Androcat
Since it is a full pwn challenge we only have the IP of the machine. We will use Nmap to scan the IP for running services.
Nmap scan
# Nmap 7.94SVN scan initiated Fri Dec 8 10:32:13 2023 as: nmap -sCV -T4 --min-rate 10000 -p- -v -oA nmap/tcp_default 10.129.230.59
Nmap scan report for 10.129.230.59
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protoc ...
Hacking the Bitwarden vault PIN
Unlock with PIN is a Bitwarden feature to unlock your vault instead of using your master key. Bitwarden introduced this feature but never raised the security issues within the extension or app. This blog post will show how to recover the PIN from the Firefox extension data.
Bitwarden unlock with PIN feature
Bitwarden’s “Unlock with PIN” feature is a functionality designed to provide users with a quicker way to access their vault of stored passwords, secure notes, credit card information, an ...