Posts

HacktheBox.eu - Irked - Update

HacktheBox.eu - Irked - Update. Recon: Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports, then suggests an nmap scan based on the results. It will automatically save the nmap scan results as XML, then we can convert it to HTML: xsltproc ./irked.htb/irked.htb.xml -o ./irked.html. We've got a goodly amount of ports open to us on this box: 22, 80, 111, 6697, 8067, 55015, 65534. We can see 22 is OpenSSH 6.7p1, 80 is Apache 2.4.10, 111 & 55015 both say RPC, and the others say UnrealIRCd… Whatever that is. Let's start on port 80 and see what it shows us: an angry face with "IRC is almost working!" If we run dirb we will find some default Apache pages but not much else to go on. What is that UnrealIRCd? https://www.unrealircd.org/ Oh, it's an IRC server… that makes sense. If we google UnrealIRCd and exploit, there appears to be a backdoor in some versions although we don't know what specif

HacktheBox.eu - Jerry - Update

HacktheBox.eu - Jerry - Update. Recon: Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports, then suggests an nmap scan based on the results. It will automatically save the nmap scan results as XML, then we can convert it to HTML: xsltproc ./jerry.htb/jerry.htb.xml -o ./jerry.html. Ouch, not a lot to go on here. We just have port 8080 running Apache Tomcat/Coyote JSP version 1.1. Let's see if we can browse to the site. Looks like a generic Apache Tomcat page. There is authentication required for the buttons on the right, and we get an error message. It looks like the default user/pass should be tomcat/s3cret. If we try this it does look like it works, and we can get some more information about this box. Looks like we have a 64-bit Windows Server 2012 R2 box. Google around for Tomcat 7.0.88 exploit and you will come across this blog: https://www.ethicaltechsupport.com/blog-post/apache-tomcat-war-backdoor/

HackTheBox - Curling - Retired - Update

HackTheBox - Curling - Retired - Update. Recon: I've been using threader3000 for my recon scans lately. It does a super quick threaded up/down scan on all TCP ports. It then recommends an nmap scan based on only the open ports discovered during the initial scan, and it saves all the nmap scan output to XML that I then convert to HTML to make it pretty. Looks like we just have two ports open: 22 and 80. Port 22 is OpenSSH 7.6p1 and port 80 is Apache 2.4.29, and nmap thinks it's an Ubuntu box. That version of SSH is not terribly old, so we can assume this will not be a path for a foothold. Let's check out port 80 and see what we can find there. We see a page with a login form. Do you see the first clue for the box here? Cewl… That is a program we can use to scrape words off the page, so it might come in handy for finding a username or password for the login. Let's run it and see what it comes back with. By default the tool looks 3 levels deep within a site and only returns possible str