I recently purchased a Tuya-based RGB ceiling light on Amazon (https://amzn.eu/d/80xtOv5) that can be controlled through the Tuya / Smart Life mobile application. Initially, my plan was to keep the original Tuya firmware and integrate the lamp locally into Home Assistant using LocalTuya, in order to control the light without relying on the Tuya cloud. However, as I discovered along the way, the Tuya firmware can be replaced with ESPHome. Read more

Heist from Proving Grounds Practice is a hard rated Windows Active Directory (AD) machine, in which we first exploit a Server-Side Request Forgery (SSRF) vulnerability to retrieve an NTLMv2 handshake via Responder. Cracking the hash provides us with credentials for the AD user enox. We then discover that the enox user has permission to read the password hash of a group Managed Service Account (gMSA) named svc_apache$. This account has the SeRestore privilege assigned, which we can leverage to gain SYSTEM-level access by replacing the Utility Manager (utilman.exe) with cmd.exe. Read more

Access from Proving Grounds Practice is an intermediate rated Windows Active Directory (AD) machine, in which we first get a shell through a file upload vulnerability in a web application running in the context of a low privileged domain user svc_apache. Within that shell we perform a kerberoasting attack using Rubeus and obtain the credentials of the user svc_mssql. In order to get a shell as svc_mssql, we make use of a tool called RunasCs. Read more

The MyCloud NAS device can be configured to automatically redirect to HTTPS when browsing it’s web interface. The URL it is redirecting to is of the form https://device-local-<GUID>.remotewd.com:8543/. I was wondering if I can use my own certificate, and it actually worked out after digging a bit into the inner workings. First of all, I checked which tool is listening on port 8543. The name is nasAdmin: root@WDMyCloudEX2100 ~ # netstat -tulpen | grep 8543 tcp6 0 0 :::8543 :::* LISTEN 0 16738 4455/nasAdmin It’s started with a configuration located at /etc/nasAdmin.toml: Read more

Sauna from HackTheBox is an easy rated machine, in which we first identify an Active Directory user through a list of team members on a web page and get credentials for it through ASREP Roasting. We then identify a service account and find its password in the AutoLogon credentials. That user has DCSync privileges, which we can use to dump the hash of the Administrator and use that hash to get Administrator access. Read more