Posts

Hackthebox.eu - Retired - Sniper

Recon

As always I start with a simple Up/Down scan on all TCP ports to see what is open

    # nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then convert it to HTML to make it pretty

    xsltproc ./nmapb.xml -o nmapb.html

Then rescan the open ports with -A to finger OS/Services

    nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too

    xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have a Windows box with IIS on port 80, RPC and SMB.

Let’s see what we get when browsing the IIS

Blog from home page

And this login for “Client Portal”

Tried enrolling a new user with the name admin for possible account enumeration…. Nope, it just let me create it, no problem.

No anonymous access on SMB

No access on RPC either

Exploit

Alright, so I’ve poked around. I think this might be susceptible to RFI. I found this on the blog post

    <li><a href="/blog?lang=blog-en.php">English</a></li>

Looks like we can use “?Lang” to ca

Hackthebox.eu - Retired - Registry

Hackthebox - Active - Registry

Recon

As always I start with a simple Up/Down scan on all open TCP ports to see what is up

    $ nmap -T4 -p- -oX ./nmapb.xml registry.htb

Then convert that to HTML to make it pretty

    $ xsltproc ./nmapb.xml -o ./nmapb.html

Alright, looks like ports 22, 80 and 443. Let's rescan just those ports using the -A switch to run all scripts and try to finger OS/Services

    $ nmap -T4 -A -p22,80,443 -oX nmapf.xml registry.htb

Then I’ll convert that to HTML also

    $ xsltproc ./nmapf.xml -o ./nmapf.html

OK, so we got OpenSSH 7.6p1 on 22 and nginx on 80 and 443. Let’s see what is on the website

Default nginx page. When we see an SSL page it’s always a good idea to take a peek at the certificate installed to see if it gives us any more information

Looks like it's issued to a subdomain or vhost docker.registry.htb

I added this to my etc/hosts and tried to browse the site

It returns a completely empty page. No source code or anything, but also no error messages. I started up a dirb scan as