Nooff's Cyber Blog

VulnNet Entertainment just moved their entire infrastructure… Check this out… Overview VulnNet: Active is a medium Windows machine from TryHackMe. Another room from the VulnNet series, this time focused on Windows and it’s common services. We start by enumerating Redis service, which allows us to read system files. We use a trick to capture user’s NTLM hash using Responder. Then, we get a shell on the machine by overwriting scheduled Powershell script. Next, we do post-exploitation enumeration and found “SeImpersonatePrivilege” enabled. This allows us to perform GodPotato attack and get SYSTEM access. I also show alternative path to full compromise via modifying Group Policy Object (GPO). Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─ # nmap -Pn -A -p- 10.80.138.97 -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-04 11:10 -0500 Nmap scan report for 10.80.138.97 Host is up (0.043s latency). Not shown: 65521 filtered tcp ports (no-response) PORT STA...

Can you take advantage of the misconfigurations made by VulnNet Entertainment? Overview VulnNet is a medium Linux machine from TryHackMe. This room makes a fun challenge for every intermediate/experienced hacker out there. We start by discovering a hidden parameter and abuse it to read host files (LFI). Then, we gain access to a subdomain, which hosts ClipBucket service. We find file upload vulnerability and get reverse shell on the machine. Once inside, we discover SSH private key. We crack the passphrase and gain elevated privilege. For final priv esc, we exploit wildcard vulnerability in a cronjob and get Root shell. Nmap scan Starting with the Nmap scan. ┌──(root㉿kali)-[/home/kali] └─# nmap -Pn -A 10.82 .172 .143 -T5 Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-31 09 :30 -0500 Nmap scan report for vulnnet.thm (10.82.172.143) Host is up (0.041s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22 /tcp open ssh ...