Posts

Showing posts with the label non-metasploit

HacktheBox.eu - Irked - Update

HacktheBox.eu - Irked - Update

Recon. Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports, then suggests an nmap scan based on the results. It automatically saves the nmap scan results as XML, which we can then convert to HTML:

xsltproc ./irked.htb/irked.htb.xml -o ./irked.html

We've got a good number of ports open to us on this box: 22, 80, 111, 6697, 8067, 55015, 65534. We can see 22 is OpenSSH 6.7p1, 80 is Apache 2.4.10, 111 and 55015 both say RPC, and the others say UnrealIRCd… whatever that is. Let's start on port 80 and see what it shows us: an angry face with "IRC is almost working!" If we run dirb we will find some default Apache pages but not much else to go on. What is that UnrealIRCd? https://www.unrealircd.org/ Oh, it's an IRC server… that makes sense. If we google UnrealIRCd and exploit, there appears to be a backdoor in some versions, although we don't know what specif

HackTheBox - Bounty - Retired - Update

HacktheBox - Bounty - retired - update

Recon. I've been using threader3000 to do my recon scans lately. It does a super quick up/down scan on all TCP ports, then suggests an nmap scan to run based just on the open ports returned from the first scan. It saves the results of the nmap scan as XML, which I then convert to HTML to make it pretty:

xsltproc ./bounty.htb/bounty.htb.xml -o ./bounty.html

Just port 80 open; nmap says it's IIS 7.5, so a Windows box for a change. Let's see what happens when we browse to the site. Weird, just a picture of Merlin from The Sword in the Stone. Let's try to brute force with dirb and see if we can find anything interesting. First I just did the default dirb scan, and we did find a couple of interesting directories:

dirb http://bounty.htb

It found /aspnet_client/, /aspnet_client/system_web/ and /uploadedfiles/. Unfortunately we can't browse to any of the directories, but I always love to see anything with the word upload in it. Since this i