Hackthebox.eu - Retired - Lazy

Recon

As always, I start with a simple up/down scan on all TCP ports:

    $ nmap -T4 -p- -oX ./nmapb.xml lazy.htb

Then I convert that to HTML to make it pretty:

    $ xsltproc ./nmapb.xml -o nmapb.html

Just two ports open: 22 and 80.

Let's run nmap again with -A to run all the things:

    $ nmap -T4 -A -p22,80 -oX ./nmapf.xml lazy.htb

And let's convert that to HTML too:

    $ xsltproc ./nmapf.xml -o ./nmapf.html

Looks like OpenSSH 6.6.1p1 and Apache 2.4.7. That is a super old version of OpenSSH.

Let's check the website.

Tried logging in as admin/admin. No dice. But it did let me register a user:

Homerj Password

Got an auth cookie.

Check this out. If we try to register the same name again…

We could theoretically use this to find out some user names on the system.

I tried doing a hydra attack at it but I couldn't get the syntax right for what I wanted it to do… But I did add several hundred new users to the system :)
@circusmonkey404 on the twitters; DM for contact