circusmonkey404's Security Site

HacktheBox.eu - Retired - Tenten Recon As always I start with a staged scan, just a simple up/down scan on all TCP ports Nmap -T4 -p- -oX /root/Desktop/HTB/Tenten/nmapb.xml Then convert that to HTML to make it pretty # xsltproc /root/Desktop/HTB/Tenten/nmapb.xml -o  /root/Desktop/HTB/Tenten/nmapb.html Just ports 22 and 80 open, let's do another scan with just those two ports but add -A to finger OS/Services # nmap -T4 -A -p22,80 -oX /root/Desktop/HTB/Tenten/nmapf.xml 10.10.10.10 Then convert that to HTML too # xsltproc /root/Desktop/HTB/Tenten/nmapf.xml -o /root/Desktop/HTB/Tenten/nmapf.html Let's recap here Looks like a Linux box running  Apache 2.4.18 on Port 80 And OpenSSH on port 22 Let's browse to the webpage and see what we see. A basic webpage using wordpress Also found this login page pretty quickly Let's run Dirb to see what else we might find Dirb http://10.10.10.10 Here is a sampling of what Dirb found ----

Hackthebox.eu - retired- obscurity Recon As is my custom I start with a simple up/down scan on all TCP ports to  see what we can find nmap -T4 -p- -oX ./nmapb.xml 10.10.10.168 I then convert the XML to HTML to make it look pretty Xsltproc /root/Desktop/HTB/obscurity/nmapb.xml -o /root/Desktop/HTB/obscurity/nmapb.html So we have port 22 and 8080 open. Let's do another scan with -A to finger os/services nmap -T4 -A -p22,8080 -oX ./nmapf.xml 10.10.10.168 Then I again convert to html with the same Xsltproc cmd Port 33 is OpenSSH 7.6p1 Port 8080 is something named BadHTTPServer, I've never heard of that Let's see what we get when we browse to 8080 We get a web page for a company name obscura. They brag about writing all their own software from scratch so there should be no existing exploits for them. Here they left a message for their Dev's that the source code for the web server is called "SuperSecureServer.py" in t