
Posts

Showing posts with the label NetCat

HacktheBox - Retired - Popcorn - Updated

HacktheBox - Retired - Popcorn

Recon

I've been using threader3000 for my recon scans lately. It's a threaded Python scanner that does a quick up/down scan of all TCP ports. After the initial scan it suggests an nmap scan to run against only the open ports found in the initial scan. I like it a lot. I then convert the XML the tool generates into HTML to make it pretty:

xsltproc ./popcorn.htb/popcorn.htb.xml -o ./popcorn.html

Port 22: OpenSSH 5.1p1
Port 80: Apache 2.2.12

Just two ports: a very old version of OpenSSH on port 22 and a very old version of Apache (2.2.12) on port 80. Let's see what we can see on port 80.

Just a page that says it's working. So as part of web recon we can now see what they want us to see, but what about other things that aren't part of the index.html the web server is hosting? For this we will do a directory/file brute force against the web server to see if it is indeed serving anything other than this index.html:

dirb http://popcorn.htb GEN

Hackthebox - retired - Jeeves

Hackthebox.eu - Retired - Jeeves

Recon

As is my standard, I start with a simple up/down scan on all TCP ports:

nmap -T4 -p- -oX ./nmapb.xml jeeves.htb

Then I convert the output to HTML to make it pretty:

xsltproc nmapb.xml -o nmapb.html

Looks like ports 80, 135, 445 and 50000 are open. Now I'll run another nmap scan with the -A switch (version detection, OS detection and the default NSE scripts) against just those ports:

nmap -T4 -A -p80,139,445,50000 -oX nmapf.xml jeeves.htb

And once again convert the output to HTML:

xsltproc nmapf.xml -o nmapf.html

So we have IIS on 80. For some reason it's not showing port 139 here, but we know 139 & 445 are SMB. Then there is something called Jetty 9.4 on 50000. It doesn't look like there is anonymous access to the SMB. What is IIS showing? Now there is a blast from the past. Port 50000 shows a 404 error. I set dirb, DirBuster and nikto at both ports. DirBuster found this on the high 50000 port:

http://jeeves.htb:50000/askjeeves/

JENKINS https://www.jenkins.io/

I start just poking around a
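Both excerpts follow the same two-stage recon: a fast full-range TCP scan written out with -oX, then a script-heavy nmap -A run restricted to the ports the first stage found open (threader3000 automates the second command in the Popcorn post; the Jeeves post types it by hand). The script below is an added example, not code from the blog or from threader3000: it parses the XML that `nmap -p- -oX` writes and emits the follow-up command, so the port list comes from the scan file instead of being retyped. The XML is a constructed sample (the 192.0.2.10 address is a documentation-range placeholder; only the jeeves.htb hostname is taken from the post), and the output filename nmapf.xml mirrors the post's convention so the same `xsltproc nmapf.xml -o nmapf.html` step works on the result.

```python
"""Turn a full-port nmap 'up/down' scan into a targeted -A scan command.

Added example, not the blog's or threader3000's code. It reads the XML that
`nmap -T4 -p- -oX nmapb.xml target` writes, collects the open TCP ports per
live host, and builds the second-stage `nmap -T4 -A -p<ports> -oX nmapf.xml`
command. Generating the -p list from the file avoids hand-copying mistakes
when retyping the port list.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample of `nmap -p- -oX` output, trimmed to the fields used.
# 192.0.2.10 is a documentation-range placeholder, not a real lab address.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -p- -oX nmapb.xml jeeves.htb">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="jeeves.htb" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="50000"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports_by_host(xml_text: str, protocol: str = "tcp") -> Dict[str, List[int]]:
    """Map each host that is 'up' (keyed by address) to its sorted open ports.

    Ports in any state other than 'open' (closed, filtered, ...) are skipped,
    which is exactly what the follow-up scan should not waste scripts on.
    """
    root = ET.fromstring(xml_text)
    result: Dict[str, List[int]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address")
        if addr_el is None:
            continue
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if (port.get("protocol") == protocol
                    and state is not None and state.get("state") == "open"):
                ports.append(int(port.get("portid")))
        result[addr_el.get("addr")] = sorted(set(ports))
    return result


def compress_ports(ports: List[int]) -> str:
    """Render [80, 135, 139, 140, 141, 445] as '80,135,139-141,445' (nmap -p syntax)."""
    ports = sorted(set(ports))
    if not ports:
        return ""
    pieces = []
    start = prev = ports[0]
    for p in ports[1:]:
        if p == prev + 1:          # extend the current run
            prev = p
            continue
        pieces.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    pieces.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(pieces)


def suggest_followup(target: str, ports: List[int],
                     out_xml: str = "nmapf.xml") -> Optional[List[str]]:
    """Build the second-stage scan as an argv list (safe to pass to subprocess).

    Returns None when there is nothing open, so the caller does not launch an
    -A scan with an empty -p argument.
    """
    if not ports:
        return None
    return ["nmap", "-T4", "-A", "-p" + compress_ports(ports), "-oX", out_xml, target]


if __name__ == "__main__":
    for addr, ports in open_ports_by_host(SAMPLE_NMAP_XML).items():
        cmd = suggest_followup(addr, ports)
        print(addr, "->", " ".join(cmd) if cmd else "(no open TCP ports)")
```

On the sample this yields `nmap -T4 -A -p80,135,445,50000 -oX nmapf.xml 192.0.2.10`; against a real first-stage file, replace `SAMPLE_NMAP_XML` with the contents of nmapb.xml. The argv-list form is deliberate: the target string never passes through a shell, so a hostname or address copied from somewhere else cannot inject extra commands.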