Posts

Pivoting internal with ProxyChains SSH

So we found our way into some SSH creds for a webserver. Now we want to pivot to the internal network and start some recon. The problem is our pivot box doesn't have all those fancy hacking tools our attacking machine has on it, and we might not have permission to install them with our current credentials. Also, it might raise some red flags if all these hacking tools show up on the webserver. So how do we get around this? Meet my friends SSH tunnel and ProxyChains. You might have used SSH tunneling in the past just as a way to visit an internal URL from your external attacking machine, but we can go even further than that: we can use SSH tunneling to create a forwarding port to the internal network and use all our favorite hacking tools through proxychains. We can use a couple of switches with SSH here. -D allows us to specify a local port to tunnel through this connection. This is important if you are lazy: use port 9050 because it's the default port for proxychains, which m

A collection of online Security CTF and Learning sites

Hellbound Hackers
Embedded Security CTF
Arizona Cyber Warfare Range
Over The Wire - Bandit
Pico CTF 2018
Hack The Box.eu
Root Me: Challenges/Forensic
RingZero CTF
Vulnerable By Design - Vulnerable VMs
Murder Mystery SQL Challenge
Incident Response Challenge
Authentication Lab
Walkthroughs
Defcon CTF Archives
Matrix
Holiday Hack
Cyber Defenders | Blue Team and CTF
Crypto Hack - learning Crypto
Video Learning
Zero to Hero Pentesting by The Cyber Mentor
Hackthebox.eu - Tabby - Retired

Recon

I started with my usual routine: a quick up/down scan on all TCP ports, then another scan with -A to run all the scripts against the found ports.

nmap -T4 -p- -oX ./nmapb.xml 10.10.10.194

Then converted that to HTML:

xsltproc ./nmapb.xml -o ./nmapb.html

Then I ran my second scan with just those ports:

nmap -T4 -A -p22,80,4202,8080,15751,24329,28144,28244,32972,34303,41376,42494,55006,57000,60317,62669,62796,63622 -oX ./nmapf.xml 10.10.10.194

Then converted it to HTML too:

xsltproc ./nmapf.xml -o ./nmapf.html

Looks like we have OpenSSH 8.2p1 on port 22 and Apache 2.4.41 on ports 80 and 8080. Let's browse to port 80 and see what we can see. Looks like a site for a hosting provider. I generally just start by poking around the site, following all the links to see if anything pops out. Well, it just so happens that when I went to the News link at the top it gave a 404 error, because it was looking for megahosting.htb and not the IP address of the box. So I added t

HacktheBox - DevOops - Retired

Recon

Let's use threader3000 for our recon scan. It's a threaded scanner written in Python that does a super quick up/down scan on all TCP ports, then suggests an nmap scan based on the results. It will automatically save the nmap scan results as XML, then we can convert it to HTML:

xsltproc ./devops.htb/devops.htb.xml -o ./devops.html

Just two ports open:

Port  Service   Version
22    OpenSSH   7.2p2
5000  Gunicorn  19.7.1

What is Gunicorn? https://gunicorn.org/ "Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX. It's a pre-fork worker model. The Gunicorn server is broadly compatible with various web frameworks, simply implemented, light on server resources, and fairly speedy."

There is just some text at the top and a picture of another website... Let's brute force this and see if we can find any other interesting things to look at on this web server.

dirb http://devops.htb:5