Posts

Showing posts with the label webshell

HackTheBox - Curling - Retired - Update

Recon

I've been using threader3000 for my recon scans lately. It does a super quick threaded up/down scan on all TCP ports. It then recommends an nmap scan based on only the open ports discovered during the initial scan, and it saves all the nmap scan output to XML that I then convert to HTML to make it pretty. Looks like we just have two ports open, 22 and 80. Port 22 is OpenSSH 7.6p1, port 80 is Apache 2.4.29, and nmap thinks it's an Ubuntu box. That version of SSH is not terribly old, so we can assume this will not be a path for a foothold. Let's check out port 80 and see what we can find there. We see a page with a login form. Do you see the first clue for the box here? Cewl…. That is a program we can use to scrape words off the page, so it might come in handy for finding a username or password for the login. Let's run it and see what it comes back with. By default the tool looks 3 levels deep within a site and only returns possible str

HackTheBox - Bounty - Retired - Update

Recon

I've been using threader3000 to do my recon scans lately. It does a super quick up/down scan on all TCP ports, then suggests an nmap scan to run based just on the open ports returned from the first scan. It will save the results of the nmap scan as XML that I then convert to HTML to make it pretty.

    xsltproc ./bounty.htb/bounty.htb.xml -o ./bounty.html

Just port 80 is open, and nmap says it's IIS 7.5, so a Windows box for a change. Let's see what is happening when we browse to the site. Weird, just a picture of Merlin from The Sword in the Stone. Let's try to brute force with dirb and see if we can find anything interesting. First I just did the default dirb scan, and we did find a couple of interesting directories.

    dirb http://bounty.htb

It found /aspnet_client/, /aspnet_client/system_web/ and /uploadedfiles/. Unfortunately we can't browse to any of the directories, but I always love to see anything with the word upload in it. Since this i