Showing posts from March, 2020

hackthebox retired sniper

Hackthebox.eu - Retired - Sniper

Recon

As always, I start with a simple up/down scan on all TCP ports to see what is open.

# nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then convert it to HTML to make it pretty.

xsltproc ./nmapb.xml -o nmapb.html

Then rescan the open ports with -A to fingerprint the OS and services.

nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too.

xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have a Windows box with IIS on port 80, plus RPC and SMB.

Let's see what we get when browsing the IIS site. There is a blog linked from the home page, and this login for "Client Portal".

Tried enrolling a new user with the name admin for possible account enumeration…. Nope, it just let me create it, no problem.

No anonymous access on SMB. No access on RPC either.

Exploit

Alright, so I've poked around. I think this might be susceptible to RFI. I found this on the blog post page:

<li><a href="/blog

Hackthebox.eu - Retired - Europa

Recon

As always, I start with a simple up/down scan on all TCP ports.

$ nmap -T4 -p- -oX ./nmapb.xml europa.htb

Then I convert that to HTML to make it pretty.

xsltproc ./nmapb.xml -o ./nmapb.html

Ports 22, 80 and 443 are open. Looks like this box is going to be mostly web based.

Let's run nmap again with the -A switch to run all scripts against these three ports.

$ nmap -T4 -A -p22,80,443 -oX ./nmapf.xml europa.htb

Then we will convert that output to HTML also.

xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have an Ubuntu box running a fairly new version of OpenSSH on port 22 and Apache 2.4.18 on 80 and 443.

Let's check out those Apache sites. Both are just the default Apache install page.

Got a little bit more info from the certificate on 443: europacorp.htb should be the box.

I ran a bunch of scans against these two domains: europa.htb and europacorp.htb.

Tried Dirb and Dirbuster and didn't find anything…