Nooff's Cyber Blog

Overview CodePartTwo is an easy Linux machine from HackTheBox. This box has several straight forward and simple attack paths. Hardest part is to find a proper way in. We start by enumerating a Flask web app and discovering a vulnerable Js2Py Python library, which we abuse to get a shell. Then, we find a SQLite database on the machine and crack a password. Next, we discover that our user can run NPBackup software with sudo privileges. We create a malicious config file and perform a backup of the “/root” directory to get all the secrets. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─# nmap -A 10.10 .11 .82 -T5 Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 13 :11 CEST Nmap scan report for 10.10 .11 .82 Host is up (0.037s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22 /tcp open ssh OpenSSH 8. 2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0 ) | ssh-hostkey: | 307...

VulnNet Entertainment just moved their entire infrastructure… Check this out… Overview VulnNet: Active is a medium Windows machine from TryHackMe. Another room from the VulnNet series, this time focused on Windows and it’s common services. We start by enumerating Redis service, which allows us to read system files. We use a trick to capture user’s NTLM hash using Responder. Then, we get a shell on the machine by overwriting scheduled Powershell script. Next, we do post-exploitation enumeration and found “SeImpersonatePrivilege” enabled. This allows us to perform GodPotato attack and get SYSTEM access. I also show alternative path to full compromise via modifying Group Policy Object (GPO). Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─ # nmap -Pn -A -p- 10.80.138.97 -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-04 11:10 -0500 Nmap scan report for 10.80.138.97 Host is up (0.043s latency). Not shown: 65521 filtered tcp ports (no-response) PORT STA...