circusmonkey404's Security Site

Hackthebox.eu - Retired - Nineveh Recon I start with a simple UP/Down scan on all TCP ports. Nmap -T4 -p- -oX ./nmapb.xml nineveh.htb Then I convert the output to HTML to make it easy  to ready Xsltproc ./nmapb.xml -o ./nmapb.html Looks like just port 80 and 443 are open. A webserver Let’s run nmap again with the -A switch to run all the scripts against just these two ports Nmap -T4 -p80,443 -A -oX ./nmapf.xml nineveh.htb Then convert that to HTML too Xsltproc ./nmapf.xml -o ./nmapf.html Looks like we have Apache 2.4.18 running on an ubuntu server Let’s browse 80 and 443 to see what it serves up. 80 SSL/ Port 443 Here is the cert info for ssl Not much help there. Let’s start to scan these websites and see if we can find something, We will be searching against both ports since they could have different files being served. I’ll start with Nikto on port 80 Nikto -h http://nineveh.htb Info.php is available which is a default apache page that gives a lot of info on the webserver. It also lo

Hackthebox.eu - retired- nest Recons As always I start with a simple up/down scan on all TCP ports to see what is open  nmap -T4 -p- -oX ./nmapb.xml nest.htb Then I convert that to HTML to make it pretty That is very few ports open. Lets scan those ports again with the -A switch to see if we can get anymore info # nmap -T4 -p445,4386 -A -oX ./nmapf.xml nest.htb Then convert that output to HTML also xsltproc ./nmapf.xml -o ./nmapf.html So looks like a windows box with SMB on 445 and something called reporting services on 44386 Let’s start with the SMB and see what we can find out Smbclient -L \\\\nest.htb Cool looks like we can list anonymously. Let’s see if we can connect up to anything. Let’s start with users that sounds very promising. # smbclient \\\\nest.htb\\Users We were able to connect to it anonymously and at the very least have some data leakage here, we now now some user names on the system. Administrator C.Smith L.Frost R.Thompson TempUser Unfortunately that’s all we get fro