Posts

Showing posts with the label cron

HackTheBox - Curling - Retired - Update

HackTheBox - Curling - Retired - Update

Recon

I've been using threader3000 for my recon scans lately. It does a super quick threaded up/down scan on all TCP ports. It then recommends an nmap scan based on only the open ports discovered during the initial scan, and it saves all the nmap scan output to XML that I then convert to HTML to make it pretty.

Looks like we just have two ports open, 22 and 80:

Port 22 is OpenSSH 7.6p1
Port 80 is Apache 2.4.29

And nmap thinks it's an Ubuntu box. That version of SSH is not terribly old, so we can assume this will not be a path for a foothold. Let's check out port 80 and see what we can find there.

We see a page with a login form. Do you see the first clue for the box here? Cewl… That is a program we can use to scrape words off the page, so it might come in handy for finding a username or password for the login. Let's run it and see what it comes back with. By default the tool looks 3 levels deep within a site and only returns possible str

HacktheBox.eu - Retired - Solidstate

HacktheBox.eu - Retired - solidstate

Recon

So I start as always with a simple UP/Down scan:

nmap -T4 -p- -oX ./nmapb.xml solidstate.htb

Then I convert that to HTML to make it pretty:

xsltproc ./nmapb.xml -o ./nmapb.html

That's a goodly amount of open ports: 22, 25, 80, 110, 119, 4555. Let's scan with nmap again with the -A switch to run all the scripts against those ports.

nmap -T4 -p22,25,80,110,119,4555 -A -oX ./nmapf.xml solidstate.htb

Then I convert that to HTML also:

xsltproc ./nmapf.xml -o ./nmapf.htm

Ok, we got OpenSSH 7.4.1 on 22, Apache 2.4.25 on 80, and a bunch of stuff that says james($service) on 25, 110, 119 and 4555. James is a mail server for Apache: https://james.apache.org/ (Java Apache Mail Enterprise Server). So it makes sense to see 25 (smtp), 110 (pop3), 119 (nntp?) and 4555, which is some sort of remote admin for James. Let's check out port 80.

Exploit

Checking around for vulnerabilities in JAMES I found this: https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7 Which creates