Showing posts with the label windows

Hackthebox - Granny - Retired - Update

Recon

I used the exact same steps I used for Grandpa for Granny, so not much new here if you already checked out my writeup on Grandpa. I've been using threader 3000 for my recon scans lately. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports. Then it suggests an nmap scan based on the results of the initial scan. It also saves the nmap scan as an XML file. Like I said, this automatically generates an XML out of this nmap output. I like to convert that to HTML to make it easier to read.

    xsltproc ./granny.htb/granny.htb.xml -o ./granny.html

Only port 80 is open, nmap thinks it's IIS 6.0… so Windows.

Let's try to browse to it, to see what the server is showing us. An under construction page. Let's use dirb to see if we can find any other things on the server via brute force.

    dirb http://granny.htb

Some directories we have access to but not much to help us get our foothold. Let's try s

HackTheBox - Retired - Grandpa - Updated

Recon

Lately I've been using threader 3000 to do my recon scan on Hack The Box. It's a threaded scanner written in Python that does super quick up/down scans on all TCP ports and then suggests an nmap scan to run based on the results of the first scan. It saves the nmap scan out as an XML which I convert to HTML to make it easier to read.

    xsltproc ./10.10.10.14/10.10.10.14.xml -o grandpa.htb

So not much open here, just port 80, which nmap says is IIS 6. So since it uses IIS we know it's a Windows box.

Let's see what is being served on port 80. Just an under construction page. Let's brute force the directory to see if we can find anything else being served on port 80 since it's our only path. I use several tools to do this since each tool has its own quirks and might find things that the others don't. I started with dirb here:

    dirb http://grandpa.htb

So not much here to go on, no login pages, no admin panels.

Exploit

Hackthebox - Retired - Optimum

Recon

I've been using threader 3000 for my recon scan lately. It's a threaded fast up/down scan on all TCP ports written in Python, then it suggests an nmap scan based on the results of the first scan. It has really sped up my recon scans on Hack The Box. Then I convert the XML output it saves to HTML to make it pretty.

    xsltproc ./10.10.10.8/10.10.10.8.xml -o ./optimum.html

Not much here, just port 80 open. Nmap says it's httpd 2.3.

Let's pull up the server and see what it's showing us. Looks like a file browsing system with a login. HttpFileServer 2.3. We could try to brute force the login page. I tried a couple SQLi's and they didn't work. This page seems like the only path forward, so let's look around for exploits.

Exploit

I googled HTTPFileServer 2.3 and this was among the first results: https://www.exploit-db.com/raw/39161 It's a Python script that is a Remote Code Execution. There is a little setup involved to get it going.