Posts

Showing posts from February, 2020

hackthebox - retired - Bastard

Hackthebox.eu - Retired - Bastard

Recon

As always, I start with a simple up/down scan on all TCP ports to see what is open:

# nmap -T4 -p- -oX ./nmapb.xml bastard.htb

Then I convert it to HTML to make it pretty :)

xsltproc ./nmapb.xml -o ./nmapb.html

We have ports 80, 135 and 49154. Let's scan again on just those ports with the -A switch to fingerprint the OS and services:

# nmap -T4 -p80,135,49154 -A -oX ./nmapf.xml bastard.htb

Then convert that to HTML as well:

xsltproc ./nmapf.xml -o ./nmapf.html

So we have IIS 7.5 on 80 and RPC on 135 and 49154. Let's see what's on 80.

A login form powered by Drupal.

There are a bunch of listings in the robots.txt for the site.

I found this while enumerating through the robots.txt list

Drupal 7.54

Exploit

Googling around for exploits on Drupal 7.54 we find https://github.com/pimps/CVE-2018-7600

Which will allow us to execute commands with

I cloned it to my attacking machine

# git clone https://github.com/pimps/CV

Hackthebox - Retired - JSON

Recon

As always, I start with a simple up/down scan on all TCP ports for a staged scan:

nmap -T4 -p- -oX ./nmapb.xml 10.10.10.158

Then I convert the output to HTML:

# xsltproc ./nmapb.xml -o ./nmapb.html

That's a lot of open ports. Let's scan just those ports with the -A switch to fingerprint the OS and services:

# nmap -T4 -p21,80,135,139,445,5985,47001,49152,49153,49154,49155,49156,49157,4915 -A -oX ./nmapf.xml 10.10.10.158

Then convert that to HTML:

# xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we got a Windows box with a FileZilla FTP on 21, IIS on 80 and NetBIOS/SMB, with RPC on 5985.

Let's start poking around.

SMB is open but no shares for anonymous.

Same story for FTP.

At least 80 is open; there is a page displayed briefly, then it redirects to this login page.

Same old song for RPC.

Dirb found

root@kali:~/Desktop/HTB/json# dirb http://10.10.10.158
-----------------
DIRB v2.22
By The Dark Raver