# Scope
- Attacker host placeholder: 10.10.14.15

| **External Testing** | **Internal Testing** |
| ------------------------------------------ | --------------------------------------------- |
| 10.129.x.x ("external" facing target host) | 172.16.8.0/23 |
| *.inlanefreight.local (all subdomains) | 172.16.9.0/23 |
| | INLANEFREIGHT.LOCAL (Active Directory domain) |
# Intro
## Blind AEN Structure:
- get all 7 web flags
  - ftp
  - dns
  - `gitlab.inlanefreight.local` > disclosure
  - `dev.inlanefreight.local` > verb tampering; file upload
  - `careers.inlanefreight.local` > IDOR
  - `status.inlanefreight.local` > SQLi
    - able to enumerate the `status` database; everything else is default
  - `shopdev2.inlanefreight.local` > XXE
  - `support.inlanefreight.local` > blind XSS; session hijacking
  - `tracking.inlanefreight.local` > injectable PDF via XHR/JavaScript execution in the DOM
  - `ir.inlanefreight.local` > WordPress brute force; inject web shell into an inactive template
    - able to get a web shell as `www-data`, who according to `/etc/passwd` has no login shell ![[images/Pasted image 20260629211336.png]]
    - locked down in a Docker container ![[images/Pasted image 20260629211837.png]]
  - `monitoring.inlanefreight.local` > password brute force on `admin`; restricted JS shell with filtered command injection for a reverse shell as `webdev`, who is not confined to a Docker container
- get user and root flags on all hosts
  - DEV01
  - MS01
  - DC01 flag
- get user and root flags on final host > MGTM01