
Posts

Showing posts with the label smb

HackTheBox - Retired - Grandpa - Updated

Recon

Lately I've been using Threader3000 to do my recon scan on Hack The Box. It's a threaded scanner written in Python that does super quick up/down scans on all TCP ports and then suggests an nmap scan to run based on the results of the first scan. It saves the nmap scan out as XML, which I convert to HTML to make it easier to read:

xsltproc ./10.10.10.14/10.10.10.14.xml -o grandpa.htb

So not much open here, just port 80, which nmap says is IIS 6. Since it runs IIS we know it's a Windows box (IIS 6.0 shipped with Windows Server 2003, so this is an old, long unsupported build). Let's see what is being served on port 80.

Just an under construction page. Let's brute force the directory to see if we can find anything else being served on port 80, since it's our only path. I use several tools to do this since each tool has its own quirks and might find things that the others don't. I started with dirb here:

dirb http://grandpa.htb

So not much here to go on, no login pages, no admin panels.

Exploit

Hackthebox.eu - Retired - Legacy - Updated

Recon

I've been using Threader3000 for my recon scan lately. I like the quick threaded up/down scan and the automated nmap scan. I like to convert the XML output of nmap to HTML to make it easier for me to read:

xsltproc legacy.htb.xml -o ../legacy.htb.html

So it looks like just two ports open:

Port 139 SMB
Port 445 SMB

Just SMB, but we can also see from the nmap output that it's likely a Windows XP box. So it's just a Windows XP box with SMB exposed. I tried to use smbclient to see what shares were being shared. I kept getting a timeout, so I assume no shares are open to anonymous access.

What to do now? Well, how about we just Google "Windows XP SMB Exploit". Here is the first result:

https://ivanitlearning.wordpress.com/2019/02/24/exploiting-ms17-010-without-metasploit-win-xp-sp3/

MS17-010 is also known as EternalBlue. This is kind of an infamous vulnerability, not only because it was very effective, but because it appears

Hackthebox - Retired - Monteverde

Recon

As always I start with a simple up/down scan on all TCP ports to see what is open:

nmap -T4 -p- -oX /root/Desktop/HTB/monteverde/nmapb.xml 10.10.10.172

Then I convert that to HTML:

xsltproc /root/Desktop/HTB/monteverde/nmapb.xml -o /root/Desktop/HTB/monteverde/nmapb.html

That's a bunch of open ports. Let's run nmap again against just these ports with the -A switch to try to fingerprint the OS and services:

nmap -T4 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49673,49702 -A -oX /root/Desktop/HTB/monteverde/nmaf.xml 10.10.10.172

Then convert that to HTML:

xsltproc /root/Desktop/HTB/monteverde/nmaf.xml -o /root/Desktop/HTB/monteverde/nmapf.html

(Fixed my little typo here in the name of the file.)

OK, it looks like a Windows box, and a domain controller at that: 53 (DNS), 88 (Kerberos), 389/636 (LDAP/LDAPS) and 3268/3269 (Global Catalog) together are the classic DC port set. We can see megabank.local for a domain name, and we can also see what looks like WinRM on 5985. Let's try to see if we can see anything on SMB.

It's there and allowed us to connect
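The recon workflow shared by the three write-ups above (a fast sweep of all TCP ports, a targeted nmap -A scan on only the ports that answered, xsltproc to turn the XML into HTML, then an anonymous SMB share listing when 445 is open) as one POSIX shell script. This is an added example, not the author's code and not Threader3000; the file names, the nmap, xsltproc and smbclient invocations, and the sample grepable scan output are this example's own assumptions. It generalises the posts slightly by parsing the open ports out of nmap's -oG output instead of reading them off by hand.

```shell
#!/bin/sh
# Two-stage TCP recon in the style of the write-ups above (added example):
#   1. fast up/down scan of all 65535 TCP ports, saved in nmap's grepable format
#   2. parse the open ports out of that file and run a targeted nmap -A scan
#   3. convert the -oX XML of the second scan to HTML with xsltproc
#   4. if 445 is open, list SMB shares anonymously with smbclient
# Paths, file names and the sample scan output below are this example's own
# assumptions, not taken from the original posts.
set -eu

# Constructed sample of an nmap -oG line, modelled on the Monteverde port list.
# Real output separates the fields with tabs; spaces are used here for readability.
SAMPLE_GNMAP='Host: 10.10.10.172 ()  Ports: 53/open/tcp//domain///, 80/closed/tcp//http///, 88/open/tcp//kerberos-sec///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//wsman///  Ignored State: filtered (65530)'

# Print the open TCP ports from a grepable (-oG) nmap report, comma-separated.
# Only entries tagged /open/tcp are kept, so closed and filtered ports drop out.
open_ports_from_gnmap() {
  printf '%s\n' "$1" \
    | grep -o '[0-9][0-9]*/open/tcp' \
    | cut -d/ -f1 \
    | sort -n -u \
    | paste -s -d, -
}

# Return success if port $2 appears in the comma-separated list $1.
has_port() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Build the follow-up command: service/OS fingerprinting on just the open ports,
# with XML output named after the target so it can be fed to xsltproc.
suggest_followup_scan() {
  target=$1
  ports=$(open_ports_from_gnmap "$2")
  printf 'nmap -T4 -A -p %s -oX %s.xml %s\n' "$ports" "$target" "$target"
}

# Convert nmap XML to a standalone HTML report. nmap's XML carries an
# xml-stylesheet reference, which xsltproc follows when no stylesheet is given.
nmap_xml_to_html() {
  xsltproc "$1" -o "${1%.xml}.html"
}

if [ "$#" -ge 1 ]; then
  target=$1
  command -v nmap >/dev/null 2>&1 || { echo 'nmap not installed' >&2; exit 1; }

  # Stage 1: every TCP port, no version detection, grepable output.
  nmap -T4 -p- -oG "$target.gnmap" "$target" >/dev/null
  ports=$(open_ports_from_gnmap "$(cat "$target.gnmap")")
  [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; exit 1; }
  echo "open ports: $ports"

  # Stage 2: fingerprint only what answered.
  followup=$(suggest_followup_scan "$target" "$(cat "$target.gnmap")")
  echo "running: $followup"
  sh -c "$followup" >/dev/null
  command -v xsltproc >/dev/null 2>&1 && nmap_xml_to_html "$target.xml"

  # Stage 3: anonymous SMB share listing when 445 is exposed. A timeout or an
  # access-denied here is itself useful recon (no null-session shares).
  if has_port "$ports" 445 && command -v smbclient >/dev/null 2>&1; then
    smbclient -L "//$target" -N || echo 'anonymous share listing refused or timed out' >&2
  fi
else
  # No target given: show the parsing stage on the constructed sample.
  echo "sample open ports: $(open_ports_from_gnmap "$SAMPLE_GNMAP")"
  suggest_followup_scan 10.10.10.172 "$SAMPLE_GNMAP"
fi
```

Run as `sh recon.sh 10.10.10.172` against a box you are authorised to scan; with no argument it only exercises the parsing on the constructed sample. Grepable output is used for the first pass because one `grep -o` pulls the open ports out of it, while the XML from the second pass is what xsltproc needs for the HTML report.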