While perusing the Vulnub back catalog for boxes that I can suggest to a relatively new penetration tester, I came across the "hackfest" series which sounded familiar.  Searching this site, I realized I'd written up the Quaorar box.  This one, Sedna, is the next in the series which promises to be "medium" in difficulty while the Quaorar box is "very easy".  Quickly glancing at the previous write up and just finishing this one, I'd say they are both "easy" but that's just an opinion.  This one is definitely a good beginner box, in my opinion.

    We kick off with Nmap:


    JSTicket : "Joomla Most Comprehensive & Easiest help desk Plugin"  "JS Support Ticket deeply integrated with Joomla and providing more efficient and professional 1-on-1 dedicated ticket support system to its customers."  

    Essentially, a help desk plugin with a SQL Injection vulnerability. 

    Without logging into the application, we can access the dashboard:


    In this domain, the password complexity rules are set to force a password change every 90 days.  When logging into the Domain Controller, I saw the notification and scheduled the password change with the client.  Upon changing the password, I was immediately locked out of the domain.  Needless to say, that was not how I envisioned the start of my day.  Fortunately, that is not the only privileged account.  Looking through my documentation for this client, the AD admin account should not be tied to ANY resources and yet it must be.  In order to determine the root cause, we look at the Event Viewer.  FYI, I'm fairly confident that Auditing must be enabled in Group Policy for these events to be recorded.  


    I just burned down my Kali install and I fired up a completely new box.  As I was putting my favorite tools back on the new box, I went to grab Empire and I saw the following:  "This project is no longer supported".  Not that I was a heavy Empire user but I've used it and that message piqued my curiosity.  While searching, I found another headline:  "PowerShell Empire Framework Is No Longer Maintained" on Bleeping Computer.  Tl;dr -- it's old, hackers (good and bad) are using it, there's newer stuff, and the developer(s) no longer feel the need to maintain it.

    On the newer stuff front, we have Sliver which according to the description, and from my personal interaction, is currently in alpha.  I will warn you right now, I trashed a Windows VM because something got stuck, I Ctrl-C'd out of Sliver and the Windows box got bricked.  After the reboot, I login to Windows, still a brick.  It was either elevate, migrate, or impersonate.  Honestly, I don't recall and I didn't want to go through the hassle of recreating it to find out.  You've been warned.


    Disclosure date:  08/12/19

    CVE-2019-14987

    Adive Framework 2.0.7 and possibly before are affected by a Cross-Site Scripting vulnerability in the Create New Table and Create New Menu Link functions.  This could lead to cookie stealing and other malicious actions.  This vulnerability can be exploited with the authenticated administrator account.


    I witnessed someone trying to inject on a login form and what was expected and the actual result were night and day.  The idea that if we find an injection point by entering a single tick does not necessarily mean we are going to be able to successfully enter ' or '1'='1 and achieve a positive outcome.  In the example below, there at least two components to this injection, we have a PHP front-end with a MySQL back-end.  The latter may cooperate, and it does, but it's the former that is determining what we can do and where we can do it.

    Below, we have a simple login form.  We enter a single tick:


    Page 10 of 45

    © 2020 sevenlayers.com