Posts

Showing posts with the label Retired

HacktheBox.eu - Jerry - Update

Recon

Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports, then suggests an nmap scan based on the results. It will automatically save the nmap scan results as XML, then we can convert it to HTML:

xsltproc ./jerry.htb/jerry.htb.xml -o ./jerry.html

Ouch, not a lot to go on here. We just have port 8080 running Apache Tomcat/Coyote JSP version 1.1. Let's see if we can browse to the site. Looks like a generic Apache Tomcat page. There is authentication required for the buttons on the right. We get this error message. It looks like the default user/pass should be tomcat/s3cret. If we try this it does look like it works, and we can get some more information about this box. Looks like we have a 64-bit Windows Server 2012 R2 box. Google around for "Tomcat 7.0.88 exploit" and you will come across this blog: https://www.ethicaltechsupport.com/blog-post/apache-tomcat-war-backdoor/

HackTheBox - Retired - Poison

Recon

I've been using threader lately to do my initial scanning. It's a threaded scanner written in Python by Joe Helle (https://twitter.com/joehelle). You just supply an IP and it does a quick threaded up/down scan on all TCP ports and then pipes the results into an nmap scan for you, and saves the output as XML for you too. I then convert the nmap output to HTML to make it a bit easier to digest:

xsltproc 10.10.10.84.xml -o poison.html

Not much open here, just ports 80 and 22:

Port 80: Apache 2.4.29
Port 22: OpenSSH 7.2

Well, we know we will need a password for SSH, or a key at least, so let's look at 80 to see what it's serving up. I'll add poison.htb to my /etc/hosts to make it a bit easier. "A temporary website to test local. Php scripts….." This sounds really promising to get a foothold here. So here it states there are 4 files that can be tested. The first thing I did was try not supplying a script. Caught an error about the filename b

Hackthebox.eu - Retired - Sniper

Recon

As always I start with a simple up/down scan on all TCP ports to see what is open:

# nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then convert it to HTML to make it pretty:

xsltproc ./nmapb.xml -o nmapb.html

Then rescan the open ports with -A to fingerprint the OS and services:

nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too:

xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have a Windows box with IIS on port 80, plus RPC and SMB. Let's see what we get when browsing the IIS site. Blog from the home page. And this login for "Client Portal". Tried enrolling a new user with the name admin for possible account enumeration…. Nope, it just let me create it, no problem. No anonymous access on SMB. No access on RPC either.

Exploit

Alright, so I've poked around. I think this might be susceptible to RFI. I found this on the blog post:

<li><a href="/blog?lang=blog-en.php">English</a></li>

Looks like we can use "?Lang" to ca