Hackthebox.eu - Retired - Sniper

Recon

As always I start with a simple up/down scan on all TCP ports to see what is open:

    # nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then convert it to HTML to make it pretty:

    xsltproc ./nmapb.xml -o nmapb.html

Then rescan the open ports with -A to fingerprint the OS and services:

    nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too:

    xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have a Windows box with IIS on port 80, RPC and SMB.

Let’s see what we get when browsing the IIS site.

Blog from home page

And this login for “Client Portal”

Tried enrolling a new user with the name admin for possible account enumeration… Nope, it just let me create it, no problem.

No anonymous access on SMB.

No access on RPC either.

Exploit

Alright, so I’ve poked around. I think this might be susceptible to RFI. I found this on the blog post:

    <li><a href="/blog?lang=blog-en.php">English</a></li>

Looks like we can use “?Lang” to ca
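Added example, not from the original writeup: a small Python helper for the recon step above that reads the first scan's nmap XML (the -oX file) and builds the targeted -A rescan command from whatever ports came back open, so the port list never has to be copied by hand. The XML below is a constructed sample, not real output from sniper.htb, and the address in it is a placeholder.

```python
"""Parse nmap -oX output and build the follow-up -A rescan command."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output (placeholder address, not a real
# scan result); the open ports mirror the ones the writeup found.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -p- -oX ./nmapb.xml sniper.htb">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="sniper.htb" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered" reason="no-response"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="49667"><state state="open" reason="syn-ack"/><service name="unknown"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_tcp_ports(nmap_xml):
    """Return {hostname-or-address: sorted list of open TCP ports} from nmap XML text.

    Only ports whose <state> is "open" count; filtered/closed ports are skipped,
    and a host with no hostname element falls back to its address."""
    root = ET.fromstring(nmap_xml)
    result = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        hostname = host.find("hostnames/hostname")
        name = hostname.get("name") if hostname is not None else addr
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                ports.append(int(port.get("portid")))
        result[name] = sorted(ports)
    return result


def rescan_commands(nmap_xml, out_xml="./nmapf.xml"):
    """Build one 'nmap -T4 -A -p<ports> <host> -oX <file>' line per host with open ports."""
    commands = []
    for name, ports in open_tcp_ports(nmap_xml).items():
        if ports:
            commands.append(f"nmap -T4 -A -p{','.join(map(str, ports))} {name} -oX {out_xml}")
    return commands


if __name__ == "__main__":
    print("\n".join(rescan_commands(SAMPLE_NMAP_XML)))
```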
@circusmonkey404 on the twitters; DM for contact