2 posts tagged with "Code Injection"

THM | AoC 2025 | Day 10-12

· 14 min read

Day-10: SOC Alert Triaging - Tinsel Triage | Day-11: XSS - Merry XSSMas | Day-12: Phishing - Phishmas Greetings

HTB | Unified

· 25 min read

HTB | Unified | Summary:

We test connectivity and scan the target, then enumerate its web app and identify vulnerabilities. We find a Log4Shell vulnerability and exploit it using Metasploit to get a reverse shell connection with low-level access. From there, we grab the user flag and use our access to modify the admin credentials in the MongoDB database. We then log in as admin and change the recorded SSH credentials to ones under our control, granting us root privileges. Finally, we obtain the root flag.

Machine Name: Unified | Difficulty: Easy | OS: Linux