
Posts

Hackthebox - retired - Jeeves

Hackthebox.eu - Retired - Jeeves

Recon

As is my standard, I start with a simple UP/Down scan on all TCP ports

    nmap -T4 -p- -oX ./nmapb.xml jeeves.htb

Then I convert the output to HTML to make it pretty

    xsltproc nmapb.xml -o nmapb.html

Looks like ports 80,135,445 and 50000 are open. Now I’ll run another nmap scan with the -A switch to run all the scripts against just those ports

    nmap -T4 -A -p80,139,445,50000 -oX nmapf.xml jeeves.htb

And once again convert the output to HTML

    xsltproc nmapf.xml -o nmapf.html

So we have IIS on 80. For some reason it’s not showing port 139 here, but we know 139 & 445 are SMB. Then there is something called Jetty 9.4 on 50000.

It doesn’t look like there is anonymous access to the SMB.

What is IIS showing? Now there is a blast from the past.

Port 50000 shows a 404 error.

I set Dirb and Dirbuster and nikto at both ports. Dirbuster found this on the high 50000 port:

http://jeeves.htb:50000/askjeeves/

JENKINS https://www.jenkins.io/

I start just poking around a

Hackthebox.eu - Retired - Solidstate

HacktheBox.eu - Retired - Solidstate

Recon

So I start as always with a simple UP/Down scan

    nmap -T4 -p- -oX ./nmapb.xml solidstate.htb

Then I convert that to HTML to make it pretty

    xsltproc ./nmapb.xml -o ./nmapb.html

That's a goodly amount of open ports: 22,25,80,110,119,4555. Let’s scan with nmap again with the -A switch to run all the scripts against those ports.

    nmap -T4 -p22,25,80,110,119,4555 -A -oX ./nmapf.xml solidstate.htb

Then I convert that to HTML also

    xsltproc ./nmapf.xml -o ./nmapf.htm

OK, we got OpenSSH 7.4.1 on 22, Apache 2.4.25 on 80 and a bunch of stuff that says james($service) on 25,110,119 and 4555.

James is a mail server for Apache: https://james.apache.org/ (Java Apache Mail Enterprise Server). So it makes sense to see 25 (smtp), 110 (pop3), 119 (nntp?) and 4555, which is some sort of remote admin for James.

Let’s check out port 80.

Exploit

Checking around for vulnerabilities in JAMES I found this: https://gist.github.com/kjiwa/82d3bb091d45b59c1d7674727b1292a7 Which creates