Posts

HackTheBox - Active - Postman - Placeholder

Got user and root on this box on 1/3/20. This is just a placeholder until the box is retired and I can upload my full write-up.

Recon

As always, I start with a simple up/down scan on all TCP ports:

# nmap -T4 -p- -oX /root/Desktop/HTB/postman/nmapb.xml 10.10.10.160

Then I convert the XML to HTML:

# xsltproc /root/Desktop/HTB/postman/nmapb.xml -o /root/Desktop/HTB/postman/nmapb.html

Hackthebox.eu - Retired - Netmon

Recon

Starting, as always, with a simple up/down scan on all TCP ports:

# nmap -T4 -p- -oX /root/Desktop/HTB/Netmon/nmapb.xml 10.10.10.152

Convert it to HTML:

# xsltproc /root/Desktop/HTB/Netmon/nmapb.xml -o /root/Desktop/HTB/Netmon/nmapb.html

That's a bunch of ports open. Let's run -A against those ports to fingerprint the OS/services:

# nmap -T4 -A -p21,135,139,445,5985,47001,49664,49665,49666,19667,49668,49669 -oX /root/Desktop/HTB/Netmon/nmapf.xml 10.10.10.152

Then convert it to HTML:

# xsltproc /root/Desktop/HTB/Netmon/nmapf.xml -o /root/Desktop/HTB/Netmon/nmapf.html

Port 21 anonymous FTP, NetBIOS and something running on the 4000 port range… not sure yet.

Let's take a look at that FTP running.

Oh My God… They have the entire root directory open on FTP. I think we can move to exploit from here.

Exploit

So we just browse the FTP to users. There is the user hash.. dd5******************

So

Hackthebox.eu - Retired - Irked

Recon

As always, I start with staged nmap scans. The first scan is a simple up/down scan on all TCP ports:

# nmap -T4 -p- -oX /root/Desktop/HTB/irked/nmapb.xml 10.10.10.117

Then I convert it to HTML to make it pretty:

# xsltproc /root/Desktop/HTB/irked/nmapb.xml -o /root/Desktop/HTB/irked/nmapb.html

We found the following TCP ports open to put in our next scan: 22,80,111,6697,8067,56314,65534

Next we run with -A to fingerprint the OS/services:

# nmap -T4 -A -p22,80,111,6697,8067,56314,65534 -oX /root/Desktop/HTB/irked/nmapf.xml 10.10.10.117

Then convert that to HTML also:

# xsltproc /root/Desktop/HTB/irked/nmapf.xml -o /root/Desktop/HTB/irked/nmapf.html

Here is what we get when browsing to port 80.

Dirb got me nothing except some default Apache manuals… I don't know what UnrealIRCd is. A quick Google search: https://www.unrealircd.org/

OK, it's an IRC.

Exploit

So a quick search on searchsploit I find

Let's