Posts

Hackthebox.eu - Retired - Magic

Recon

As always, I start with a simple up/down scan using nmap on all TCP ports.

$ nmap -T4 -p- -oX ./nmapb.xml magic.htb

Then I convert the XML output to HTML to make it pretty.

$ xsltproc ./nmapb.xml -o ./nmapb.html

Not much open, just 22 and 80.

Let's scan those ports with -A to run the default scripts against those ports.

$ nmap -T4 -A -p22,80 -oX ./nmapf.xml magic.htb

Then convert that to HTML too.

$ xsltproc ./nmapf.xml -o ./nmapf.html

Looks like OpenSSH 7.6p1 on 22 and Apache 2.4.29 on 80.

Let's see what the web server is serving up.

Looks like a photo gallery web app.

And there is a login page: http://magic.htb/login.php

Tried admin/admin for the hell of it.

Exploit

What's a little SQLi between friends, right? The second thing I tried was admin'or'1'='1 for the user name.

Well, that was quick.

Tried uploading a PHP file and got this error message.

Dirb found some other folders around.

Looks like there is an upload folder under images….  I assume

Hackthebox.eu - Retired - Traceback

Recon

As is my normal, I start with a simple up/down scan on all TCP ports.

$ nmap -T4 -p- -oX ./nmapb.xml traceback.htb

Then I convert that to HTML to make it pretty.

$ xsltproc ./nmapb.xml -o ./nmapb.html

Just three open ports: 22, 80 and 8080.

Let's scan again with the -A switch to try and fingerprint the OS/services.

$ nmap -T4 -p22,80,8080 -A -oX ./nmapf.xml traceback.htb

Then I convert that to HTML also.

$ xsltproc ./nmapf.xml -o ./nmapf.html

Port 22 is a fairly recent OpenSSH.
80 is Apache.
8080 is something strange…

Let's see what we see on port 80.

Looks like somebody has defaced the site.

But they left us a backdoor?

I think it might have something to do with port 8080, but let's run dirb just in case.

Trying to browse to port 8080 we get nothing.

What about this part of our nmap output?

Googling around for http-proxy socks5, I eventually found this page: https://www.systutorials.com/proxy-using-ssh-tunnel/

It talks about setting up an SSH proxy.

What happens if