Posts

Hackthebox.eu - Retired - Bastion

Recon

As always, I start with just a simple up/down scan on all TCP ports to see what is open.

$ nmap -T4 -p- -oX ./nmapb.xml bastion.htb

Then I convert that to HTML to make it pretty.

That is a lot of open ports. Let's scan again with the -A switch on just the open ports.

$ nmap -T4 -A -p22,135,139,445,5985,47001,49664,49665,49666,49667,49668,49669,49670 -oX ./nmapf.xml bastion.htb

Then I convert that to HTML too.

$ xsltproc ./nmapf.xml -o ./nmapf.html

So let's look. Looks like we have a Windows box with OpenSSH on port 22, NetBIOS/SMB on 139/445, and WinRM on the rest of the open ports. No website to attack. That's different.

Let's see what shares are on it.

$ smbclient -L \\bastion.htb

Cool, we can see some shares with an anonymous connection.

$ smbclient -L \\bastion.htb

Let's see if we can connect to any of them. Backups sounds tasty, let's try that first.

Cool, we get a nice note

Hackthebox.eu - Retired - Lazy

Recon

As always, I start with a simple up/down scan on all TCP ports.

$ nmap -T4 -p- -oX ./nmapb.xml lazy.htb

Then I convert that to HTML to make it pretty.

$ xsltproc ./nmapb.xml -o nmapb.html

Just two ports open: 22 and 80. Let's run nmap again with -A to run all the things.

$ nmap -T4 -A -p22,80 -oX ./nmapf.xml lazy.htb

And let's convert that to HTML too.

$ xsltproc ./nmapf.xml -o ./nmapf.html

Looks like OpenSSH 6.6.1p1 and Apache 2.4.7. That is a super old version of OpenSSH.

Let's check the website. Tried logging in as admin/admin. No dice. But it did let me register a user Homerj Password

Got an auth cookie.

Check this out.. If we try to register the same name again….

We could theoretically use this to find out some user names on the system. I tried doing a hydra attack at it but I couldn't get the syntax right for what I wanted it to do…. But I did add several hundred new users to the system :)