
Posts

Hackthebox.eu - Retired - Cronos

Recon

As always, I start with a simple up/down scan on all TCP ports to see what is open:

nmap -T4 -p- -oX /home/circusmonkey/Desktop/HTB/cronos/nmapb.xml cronos.htb

Then I convert it to HTML to make it pretty:

xsltproc /home/circusmonkey/Desktop/HTB/cronos/nmapb.xml -o /home/circusmonkey/Desktop/HTB/cronos/nmapb.html

On this box we see three open ports, all pretty standard: 22 (SSH), 53 (DNS) and 80 (HTTP).

Let's scan those ports with the -A switch to run all the things against them:

$ nmap -T4 -A -p22,80,53 -oX ./nmapf.xml cronos.htb

I'll convert that to HTML too:

$ xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have an Ubuntu box with OpenSSH 7.2p2 on port 22, ISC BIND 8.10.3-p4 on port 53 and Apache 2.4.18 on port 80.

Here is what we see on port 80

Nothing too interesting in the source code

A bunch of links to things about something called Laravel? https://laravel.com/ It's a PHP fr

hackthebox - retired - Bastard

Recon

As always, I start with a simple up/down scan on all TCP ports to see what is open:

# nmap -T4 -p- -oX ./nmapb.xml bastard.htb

Then I convert it to HTML to make it pretty :)

xsltproc ./nmapb.xml -o ./nmapb.html

We have ports 80, 135 and 49154.

Let's scan again on just those ports with the -A switch to fingerprint the OS and services:

# nmap -T4 -p80,135,49154 -A -oX ./nmapf.xml bastard.htb

Then convert that to HTML also:

xsltproc ./nmapf.xml -o ./nmapf.html

So we have IIS 7.5 on 80 and RPC on 135 and 49154.

Let's see what's on 80

A login form powered by Drupal

There are a bunch of listings in the robots.txt for the site

I found this while enumerating through the robots.txt list

Drupal 7.54

Exploit

Googling around for exploits on Drupal 7.54 we find https://github.com/pimps/CVE-2018-7600

Which will allow us to execute commands with

I cloned it to my attacking machine

# git clone https://github.com/pimps/CV