Disclosure date: 10/23/19

CVE-2019-18344

Online Grading System is vulnerable to unauthenticated SQL injection and can allow remote attackers to execute arbitrary SQL commands via the student, instructor, department, room, class, and user parameters.
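To show the bug class behind this advisory, here is an added example that is not code from the advisory or from Online Grading System (whose source is not on this page): a lookup that splices a request parameter into the SQL text, next to the same lookup with a bound placeholder, run against a constructed SQLite table. The table, the rows, and the `student` payload are all made up for the demo; the real application's schema and database engine are not shown here.

```python
import sqlite3

# Constructed sample data for the demo; the real application's schema is not on the page.
STUDENTS = [
    (1, "alice", "9001"),
    (2, "bob", "9002"),
]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER, name TEXT, student_no TEXT)")
    conn.executemany("INSERT INTO student VALUES (?, ?, ?)", STUDENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, student):
    """The bug pattern: the request parameter is spliced into the SQL text,
    so a quote character in the value ends the string literal and the rest
    of the value becomes SQL syntax."""
    sql = "SELECT name FROM student WHERE name = '%s' ORDER BY name" % student
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, student):
    """The fix: bind the value through a placeholder, so the driver passes it
    to the engine as data and it is never parsed as SQL."""
    sql = "SELECT name FROM student WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (student,))]


# A classic tautology payload for a single-quoted string parameter (constructed).
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no row has that literal name
```

With the payload, the vulnerable query becomes `... WHERE name = 'nobody' OR '1'='1' ...` and returns the whole table, which is the "execute arbitrary SQL" outcome the advisory describes; the bound version looks for a student literally named `nobody' OR '1'='1` and returns nothing. The fix applies unchanged to each of the listed parameters: every one of them needs to reach the query as a bound value, not as text.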

Read more: Online Grading System 1.0 SQLi

The other day, a friend asked if I was on HacktheBox and I was reminded that I'd been absent for a while.  Apparently, they are cranking out a new box every week which could be good or bad -- I'm not really sure.  While looking for something to write, I thought I'd take on one of their retired boxes and that would solve two "needs" simultaneously.  

This box was interesting mostly because of the hunt for the exploit to gain a foothold on the system.  From there, it was trial and error as to which technique would work for a particular task.  After that, root was easy.

First, we kick off with Nmap:

Read more: HacktheBox Bastard Walkthrough

Disclosure date: 10/22/19

CVE-2019-18280

Online Grading System 1.0 is affected by a Cross Site Request Forgery vulnerability due to a lack of CSRF protection. This could lead to an attacker tricking the administrator into executing arbitrary code via a specially crafted HTML page.
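As an added illustration, not code from the advisory or from Online Grading System: a constructed auto-submitting page of the kind the advisory calls a "specially crafted HTML page", and the token-plus-origin check an administrative POST handler needs before it acts. The site origin, the form action path, the field names and the request headers are all made up for the demo; the real application's URLs are not on this page.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical site origin for the demo; the real application's host is not on the page.
SITE_ORIGIN = "https://grading.example"

# What the crafted page looks like: a form aimed at an admin endpoint that submits
# itself as soon as the logged-in administrator opens it. The browser attaches the
# admin's session cookie automatically. (Constructed; the action path and fields
# are made up.)
ATTACK_PAGE = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://grading.example/admin/users.php">
  <input type="hidden" name="username" value="backdoor">
  <input type="hidden" name="password" value="hunter2">
  <input type="hidden" name="role" value="admin">
</form>
</body></html>"""


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it so the
    application can embed it as a hidden field in its own forms."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def same_origin(value, site_origin):
    """True when the scheme and host of an Origin/Referer header match the site.
    Compares parsed components, so 'https://grading.example.evil' does not pass."""
    if not value:
        return False
    got, want = urlparse(value), urlparse(site_origin)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def allow_state_change(session, form, headers, site_origin=SITE_ORIGIN):
    """Two independent checks a state-changing POST handler runs before acting:
    1. the browser reports the request as coming from our own origin, and
    2. the submitted form carries the token tied to this session.
    A form submitted from the attacker's page fails both."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not same_origin(origin, site_origin):
        return False
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    # The attacker's page: session cookie is sent, but Origin is the attacker's
    # and the form (see ATTACK_PAGE) carries no token.
    forged = allow_state_change(session, {"username": "backdoor"},
                                {"Origin": "https://evil.example"})
    # The site's own form: same origin and the session's token.
    genuine = allow_state_change(session, {"username": "x", "csrf_token": token},
                                 {"Origin": SITE_ORIGIN})
    print("forged allowed:", forged, "| genuine allowed:", genuine)
```

The token is the real protection: the attacker's page cannot read it because it lives in the victim's session and in the site's own HTML, which the attacker's origin cannot fetch. The origin check is defence in depth, since some requests arrive without either header and a handler must treat a missing header as a failure rather than a pass.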

Read more: Online Grading System 1.0 CSRF

The description states:  "The machine was part of my workshop for Hacker Fest 2019 at Prague.  Difficulty level of this VM is very “very easy”. There are two paths to exploit it."

In the eye of the beholder and such, but yes, very easy.  I saw the description and I thought this might be a good machine to check out for my weekend group.  One person has already rooted it and all I did was mention it, so we're off to a good start.

Anyway, we kick off with Nmap:

Read more: Vulnhub Hacker Fest: 2019 Walkthrough

"Cymmetria’s MazeRunner platform lets you dominate an attacker’s movements from the very beginning and lead them to a monitored deception network."

I really like this product but after my first installation, I felt like I sort of rushed the process and I wanted to start over again.  With a fresh install, I headed over to the Responder monitor.  For those of you unfamiliar with Responder.py, it's wicked fun if you're an attacker, and not so much fun if you're a defender.

Read more: MazeRunner Responder Monitor

In a previous post, I wrote about how to get a reverse shell on Drupal 7 (and possibly earlier).  I'm currently working on a project involving Drupal and I'm also teaching a class this weekend -- I thought... why not pair the two together.  I figured if I built something for the class with Drupal, that would lend a hand with my project.  Familiarity and such.  I "thought" I was going to recycle my knowledge from the previous post but it turns out in Drupal 8, they removed the filter function which allows you to insert PHP into the posts.  After some reading, it turns out their reasoning was due to the fact that hackers can exploit this functionality. 

Read more: Drupal 8 to Reverse Shell