Showing posts with the label CVE

HackTheBox - Valentine - Retired - Update

Recon

I've been using threader3000 lately to do my recon scans. It does a staged scan: the first stage is a super quick up/down scan on all TCP ports. Then it suggests an nmap scan based on the open ports found by the first scan. It also saves all the nmap scans out to an XML file, which I like to convert to HTML to make it easy to read.

    xsltproc ./valentine.htb/valentine.htb.xml -o ./valentine.html

Looks like we have just three open ports here.

    Port  Service  Version
    22    OpenSSH  5.9p1
    80    Apache   2.2.22
    443   Apache   2.2.22

And nmap thinks it's an Ubuntu box.

Here is what we see on port 80

That logo is familiar… But we will get back to that. What about port 443? Same thing but https…

So about that logo… Not a whole lot of bugs get their own logo, but Heartbleed does.

https://heartbleed.com/

CVE-2014-0160

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected

Hackthebox - Granny - Retired - Update

HackTheBox - Retired - Granny - updated

Recon

I used the exact same steps I used for Grandpa for Granny... so not much new here if you already checked out my writeup on Grandpa.

I've been using threader3000 for my recon scans lately. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports. Then it suggests an nmap scan based on the results of the initial scan. It also saves the nmap scan as an XML file.

Like I said, this automatically generates an XML file from the nmap output. I like to convert that to HTML to make it easier to read.

    xsltproc ./granny.htb/granny.htb.xml -o ./granny.html

Only port 80 is open, and nmap thinks it's IIS 6.0… so Windows.

Let's try to browse to it, to see what the server is showing us. An under construction page. Let's use dirb to see if we can find any other things on the server via brute force.

    dirb http://granny.htb

There are some directories we have access to, but not much to help us get our foothold. Let's try s