
Posts

HacktheBox.eu - Retired - Mango

Recon

As always I start with a simple up/down scan on all TCP ports

nmap -T4 -p- -oX ./nmapb.xml 10.10.10.162

Then I convert that to HTML

# xsltproc ./nmapb.xml -o ./nmapb.html

Looks like port 22, 80 and 443 are open. Let's scan again with -A to finger os/services

# nmap -T4 -A -p 22,80,443 -oX ./nmapf.xml 10.10.10.162

Then convert it to HTML again

# xsltproc ./nmapf.xml -o nmapf.html

Ok so port 22 is SSH, Port 80 and 443 are Apache 2.4.29

Here is what we see on 443

Dirbuster found this

https://mango.htb/analytics.php

This is one of the first boxes I've done that actually required messing with my hosts file

So if you look at the certificate for the site

I added staging-order.mabgo.htb to my /etc/hosts file and now we see

Let's dirbuster this bad boy and see if we can find anything else

During the scan it found this folder

/vendor/composer/

https://composer.json.jolicode.com/

Which i

hackthebox retired sniper

Hackthebox.eu - Retired - Sniper

Recon

As always I start with a simple up/down scan on all TCP ports to see what is open

# nmap -T4 -p- -oX ./nmapb.xml sniper.htb

Then convert it to HTML to make it pretty

xsltproc ./nmapb.xml -o nmapb.html

Then rescan the open ports with -A to finger OS/Services

nmap -T4 -A -p80,135,139,445,49667 sniper.htb -oX ./nmapf.xml

Then convert that to HTML too

xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have a Windows box with IIS on port 80, RPC and SMB

Let's see what we get when browsing the IIS

Blog from home page

And this login for "Client Portal"

Tried enrolling a new user with the name admin for possible account enumeration…. Nope, it just let me create it no problem

No anonymous access on SMB

No access on RPC either

Exploit

Alright so I've poked around. I think this might be susceptible to RFI

I found this on the blog post page

<li><a href="/blog