# Scope

- Attacker host placeholder 10.10.14.15

| **External Testing**                       | **Internal Testing**                          |
| ------------------------------------------ | --------------------------------------------- |
| 10.129.x.x ("external" facing target host) | 172.16.8.0/23                                 |
| *.inlanefreight.local (all subdomains)     | 172.16.9.0/23                                 |
|                                            | INLANEFREIGHT.LOCAL (Active Directory domain) |

# Intro

## Blind AEN Structure:

- get all 7 web flags
  - ftp
  - dns
  - `gitlab.inlanefreight.local` > disclosure
  - `dev.inlanefreight.local` > verb tampering; file upload
  - `careers.inlanefreight.local` > IDOR
  - `status.inlanefreight.local` > SQLi
    - able to enum `status` db, everything else is default
  - `shopdev2.inlanefreight.local` > XXE
  - `support.inlanefreight.local` > blind XSS; session hijacking
  - `tracking.inlanefreight.local` > injectable PDF via XHR/javascript execution in DOM
  - `ir.inlanefreight.local` > wordpress brute force; inject webshell into inactive template
    - able to get a webshell as `www-data`, who according to `/etc/passwd` has no login shell

      ![[images/Pasted image 20260629211336.png]]

    - locked down in a docker container

      ![[images/Pasted image 20260629211837.png]]

  - `monitoring.inlanefreight.local` > password brute force on `admin`; restricted JS shell with filtered CMD injection for revshell as `webdev`, who is not confined to a docker container
- get user and root flags on all hosts
  - DEV01
  - MS01
  - DC01 flag
- get user and root flags on final host > MGTM01