Posts on Chief Dennis' Blog

Sorcerer Offsec Walkthrough

Thu, 11 Dec 2025 13:07:16 +0100

Sorcerer OffSec Walkthrough Link to heading

1. Introduction Link to heading

This walkthrough documents the compromise of the Sorcerer machine from CyberSecLabs (CFT).

We compromised the Sorcerer machine through classic multi-surface enumeration: multiple web servers, exposed ZIP archives leaking Tomcat credentials and SSH keys, restricted SSH bypass through editing authorized_keys, and final privilege escalation via a misconfigured SUID start-stop-daemon binary (GTFOBins).

Payday Offsec Walkthrough

Sat, 29 Nov 2025 19:00:00 +0100

Payday OffSec Walkthrough Link to heading

This walkthrough documents the full compromise of the OffSec “Payday” target machine. The attack path involves classic recon, discovery of an outdated CS-Cart e-commerce panel, authenticated file upload leading to RCE, and finally a privilege escalation via weak local user credentials and unrestricted sudo access. Despite a large attack surface (SMTP/IMAP/SSLv2/Samba 3.x/etc.), the intended path is surprisingly simple—but easy to overlook.

Pelican Offsec Walkthrough

Sat, 29 Nov 2025 11:00:00 +0100

Pelican OffSec Walkthrough Link to heading

This walkthrough covers the full exploitation path for the Pelican target, from initial reconnaissance to root compromise and post-exploitation considerations. We focus on service enumeration, misconfigurations, abusing an exposed Exhibitor instance, credential extraction through memory dumping, and privilege escalation.

1. Reconnaissance Link to heading

First, a ping is made to verify connection with the machine:

ClamAV Offsec Walkthrough

Fri, 29 Aug 2025 18:00:00 +0100

ClamAV OffSec Walkthrough Link to heading

1. Reconnaissance Link to heading

First, a ping is made to verify connection with the machine:

A high TTL of ~130 is observed. However, the later Nmap scan will show a TTL of 61, which is more typical for Linux machines.

A nmap SYN scan is run to discover all open ports:

sudo nmap -sS -T5 -vvv -p- 192.168.199.42 -Pn -oG nmap_inicial

Internal Offsec Walkthrough

Mon, 09 Jun 2025 15:43:16 +0100

Introduction Link to heading

This post analyzes the process of privilege analysis, exploitation, and escalation in a vulnerable Windows environment. To do this, a network scan is carried out using Nmap, identifying open ports and services on the target system. Subsequently, using Metasploit, the presence of vulnerabilities in the SMB service is searched for and verified.

In particular, the system is found to be vulnerable to CVE-2009-3103, a security flaw in SMB 2.0.2 that allows remote execution of code with elevated privileges. By exploiting this vulnerability, access is gained to the victim machine with NT AUTHORITY\SYSTEM privileges, granting full control over the system.

Cockpit Offsec Walkthrough

Sun, 18 May 2025 13:07:16 +0100

Introduction Link to heading

SQL injection vulnerability Link to heading

A SQL Injection (SQLi) vulnerability is one of the most critical threatsin web applications that interact with databases. This vulnerability occurs when an application does not properly validate and sanitize user input before using it in SQL queries, allowing an attacker to manipulate these queries to access, modify, or delete data in the database.

DVR4 Offsec Walkthrough

Tue, 01 Apr 2025 13:07:16 +0100

DVR4 Offsec Walkthrough Link to heading

LFI Vulnerability Link to heading

Local File Inclusion (LFI) is a security vulnerability in web applications that allows an attacker to access files stored on the server. This failure occurs when an applicationconstructs file paths based on user input without properly validating its contents. As a result, an attacker can manipulate those paths to read sensitive system files and, in some cases, execute malicious code.

Snookum Offsec Walkthrough

Sun, 16 Mar 2025 13:07:16 +0100

Snookum OffSec Walkthrough Link to heading

RFI Vulnerability Link to heading

Remote File Inclusion (RFI) is a vulnerability in web applications that allows an attacker to upload and execute files hosted on external servers. This flaw occurs when an applicationdynamically includes files without properly validating user input, which can lead to the execution of malicious code. If proper security measures are not taken, RFI can completely compromise a system, facilitating data theft, malware execution, or even full control of the server.

Blurry HTB Walkthrough

Sun, 16 Jun 2024 13:07:16 +0100

The Blurry HTB machine is a medium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- ClearML
- CVE-2024-24590
- Json deserialization
- Scipt analysis
- Fickling
- Python scripting

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.19 -Pn -oG nmap_inicial

Where the arguments mean:

Runner HTB Walkthrough

Mon, 10 Jun 2024 13:07:16 +0100

The Runner HTB machine is a medium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Subdirectory discovery with ffuf
- CVE-2024-27198
- Hash cracking with JohnTheRipper
- Docker escape
- CVE-2024-21626

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.13 -Pn -oG nmap_inicial

Where the arguments mean:

BoardLight HTB Walkthrough

Tue, 04 Jun 2024 13:07:16 +0100

The BoardLight HTB machine is a medium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Grep / Find
- Subdomain discovery with ffuf
- CVE-2023-30253
- CVE-2022-37706

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.11 -Pn -oG nmap_inicial

Where the arguments mean:

Usage HTB Walkthrough

Wed, 29 May 2024 13:07:16 +0100

The Usage HTB machine is a madium difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Blind SQL injection with SQLmap
- Burpsuite
- Hash cracking with JohnTheRipper
- 7z Wildcard Spare exploitation

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.18 -Pn -oG nmap_inicial

Where the arguments mean:

Monitored HTB Walkthrough

Sat, 17 Feb 2024 13:07:16 +0100

The Monitored HTB machine is a medium difficulty level HackTheBox Machine. The main tools and techniques used to crack this machine are:

 - Dirsearch
 - CVE-2023-40931
 - NMAP UDP scan
 - SNMP enumeration with SNMPwalk
 - JohnTheRipper
 - SQL injection with SQLmap

Reconnaissance Link to heading

We start a broad Nmap TCP scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.248 -Pn -oG nmap_inicial

Where the arguments mean:

Bizness HTB Walkthrough

Fri, 02 Feb 2024 13:07:16 +0100

The Bizness HTB machine is an easy difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

 - Dirsearch
 - CVE-2023-51467
 - Grep, find and strings
 - Hashcat

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.252 -Pn -oG nmap_inicial

Where the arguments mean:

TwoMillion HTB Walkthrough

Tue, 16 Jan 2024 13:07:16 +0100

The TwoMillion HTB machine is an easy difficulty level HackTheBox Machine. The main techniques and tools used to crack this machine are:

- Command Injection
- Burpsuite
- CVE-2023-0386
- JS deobfuscation with Cyberchef
- API enumeration

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.221 -Pn -oG nmap_inicial

Where the arguments mean:

Clicker HTB Walkthrough

Mon, 27 Nov 2023 13:07:16 +0100

The Clicker HTB machine is a medium difficulty level HackTheBox Machine. The main techniques used to crack this machine are:

- SQL Injection
- CRLF Injection
- Parameter Tampering
- PHP Reverse Shell
- Perl_startup Local Privilege Escalation

Reconnaissance Link to heading

We start a broad Nmap scan by executing the following command:

sudo nmap -sS -T5 -vvv -p- 10.10.11.232 -Pn -oG nmap_inicial

Where the arguments mean:

Codify HTB Walkthrough

Wed, 13 Sep 2023 13:07:16 +0100

The Codify HTB machine is a easy difficulty level HackTheBox Linux Machine. The main techniques used to crack this machine are:

- Hash cracking with JohnTheRipper
- Sandbox escape
- Batch Script Analysis
- Python Scripting

Reconnaissance Link to heading

I started by running a NMAP scan to look for services and versions running on open ports;

We can see that the usual ports 22 and 80 are open. However, port 3000 is also open running node.js, which could be useful in the future since node.js has some known vulnerabilities in older versions.