Posts

Showing posts with the label SSH

HackTheBox -Retired - Postman

Recon:

As always I start with a simple up/down scan on all TCP ports.

# nmap -T4 -p- -oX /root/Desktop/HTB/postman/nmapb.xml 10.10.10.160

Then I convert the XML to HTML.

# xsltproc /root/Desktop/HTB/postman/nmapb.xml -o /root/Desktop/HTB/postman/nmapb.html

OK, we see port 22, 80, 6379 and 10000. Let's scan just those ports with the -A to finger OS/services.

# nmap -T4 -A -p 22,80,6379,10000 -oX /root/Desktop/HTB/postman/nmapf.xml 10.10.10.160

Convert that to HTML too.

# xsltproc /root/Desktop/HTB/postman/nmapf.xml -o /root/Desktop/HTB/postman/nmpaf.html

OK, we got:

SSH (OpenSSH 7.6p1) on port 22
HTTP (Apache 2.4.29) on port 80
Redis (4.0.9) on 6379
Webmin (1.910) on 10000

Let's see what's running on port 80. Just a generic page with not much to poke at. Let's run dirb at port 80 and see what we see. It found some directories to poke around in: /css /fonts /images /js and /Uploads. I really like finding dir's that are calle

Hackthebox.eu - Retired - Bastion

Recon

As always I start with just a simple up/down scan on all TCP ports to see what is open.

$ nmap -T4 -p- -oX ./nmapb.xml bastion.htb

Then I convert that to HTML to make it pretty. That is a lot of open ports, let's scan again with the -A switch on just the open ports.

$ nmap -T4 -A -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -oX ./nmapf.xml bastion.htb

Then I convert that to HTML too.

$ xsltproc ./nmapf.xml -o ./nmapf.html

So let's look. Looks like we have a Windows box with OpenSSH on port 22, NetBIOS/SMB on 139/445 and WinRM on the rest of the open ports. No website to attack.. That's different. Let's see what shares are on.

$ smbclient -L \\bastion.htb

Cool, we can see some shares with an anonymous connection.

$ smbclient -L \\bastion.htb

Let's see if we can connect to any of them. Backups sounds tasty, let's try that first. Cool. We get a nice note

Hackthebox.eu - Retired - Lazy

Recon

As always I start with a simple up/down scan on all TCP ports.

$ nmap -T4 -p- -oX ./nmapb.xml lazy.htb

Then I convert that to HTML to make it pretty.

$ xsltproc ./nmapb.xml -o nmapb.html

Just two ports open, 22 and 80. Let's run nmap again with -A to run all the things.

$ nmap -T4 -A -p22,80 -oX ./nmapf.xml lazy.htb

And let's convert that to HTML too.

$ xsltproc ./nmapf.xml -o ./nmapf.html

Looks like OpenSSH 6.6.1p1 and Apache 2.4.7. That is a super old version of OpenSSH. Let's check the website.

Tried logging in as admin/admin. No dice. But it did let me register a user, Homerj Password. Got an auth cookie.

Check this out.. If we try to register the same name again…. We could theoretically use this to find out some user names on the system. I tried doing a hydra attack at it but I couldn't get the syntax right for what I wanted it to do…. But I did add several hundred new users to the system :)