Posts

Showing posts with the label webmin

HackTheBox - Retired - Beep - Updated

Recon

Recently I've been using Threader3000 for my recon scan. It's a threaded scanner written in Python that does a quick up/down scan on all TCP ports, then pipes the open ports into an nmap scan for you, and even saves all the output as XML for you.

That is a lot of open ports. Here is the nmap scan that it recommends we run.

I like to convert the XML output of the nmap scan to HTML to make it easier for me to read.

xsltproc ./beep.htb/beep.htb.xml -o ./beep.html

Wow, that is a lot of ports. There are 16 ports that respond here. Nmap found some service names and versions for us, and we can see that some services use multiple ports. Looks like:

Port 22 OpenSSH 4.3
Port 25 postfix SMTP
Port 80 Apache 2.2.3
Port 110,143,993,995,4190 Cyrus Mail
Port 111 RPC
Port 3306 MySQL
Port 4559 HylaFax
Port 5038 Asterisk Call Manager
Port 10000 MiniServ

Let's check out the webserver on port 80. It auto r

HackTheBox - Retired - Postman

Recon:

As always I start with a simple up/down scan on all TCP ports.

# nmap -T4 -p- -oX /root/Desktop/HTB/postman/nmapb.xml 10.10.10.160

Then I convert the XML to HTML.

xsltproc /root/Desktop/HTB/postman/nmapb.xml -o /root/Desktop/HTB/postman/nmapb.html

OK, we see ports 22, 80, 6379 and 10000. Let's scan just those ports with the -A to finger OS/services.

nmap -T4 -A -p 22,80,6379,10000 -oX /root/Desktop/HTB/postman/nmapf.xml 10.10.10.160

Convert that to HTML too.

xsltproc /root/Desktop/HTB/postman/nmapf.xml -o /root/Desktop/HTB/postman/nmpaf.html

OK, we got:

SSH (OpenSSH 7.6p1) on port 22
HTTP (Apache 2.4.29) on port 80
REDIS (4.0.9) on 6379
WEBMIN (1.910) on 10000

Let's see what's running on port 80. Just a generic page with not much to poke at.

Let's run dirb at port 80 and see what we see. It found some directories to poke around in: /css, /fonts, /images, /js and /Uploads. I really like finding dirs that are calle