Initial Enumeration. So, a Windows box with three ports open. Port 135: RPC. There is a known vulnerability in the RPC service on port 135 on XP boxes and MSF has an exploit for it, but it didn't work. Worth a shot, but not this time. I suspect that port 49154 is the high port associated with RPC. Port 8500: fmtp? Google seems to think this is Flight Message Transfer Protocol. I tried connecting via netcat but didn't get much. Curl produced a result, though: So it's an HTTP service. Let's see what it looks like in a browser: I recognise those directory names from ColdFusion penetrations done
Protected: HackTheBox: Waldo – Walkthrough
HackTheBox: Lame – Walkthrough
Initial Enumeration. Quick SYN scan: Wider and deeper scan: A quick note on the scans: I generally do basic nmap scans and then use unicornscan for wider port scans because it's so much quicker, especially with UDP. However, the HackTheBox VPN appears to interfere with that, so I've been amending my nmap scans with the -T4 timing and --max-retries options, which seems to be a reasonable alternative. -p- means ports 1-65535 (port 0 is only included if you ask for it with -p0-). Without the other settings I've found all-ports scans take a ridiculously long time. Unfortunately it still doesn't make all-ports UDP scans quick enough, so I tend to set one
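The two-stage approach described above (a fast sweep of every TCP port, then a slower version/script scan of only what came back open) is easy to script. The following is an added example and not the post's own tooling: it builds the nmap command lines, parses the grepable (-oG) output of the first stage to feed the second, and runs offline against a constructed -oG sample. The target address 10.10.10.3 and the --top-ports value for UDP are assumptions.

```python
"""Two-stage scan helper (added example, not the post's own tooling).

Stage 1 sweeps all TCP ports quickly with grepable output; stage 2 re-scans
only the ports found open, with version detection and default scripts.
nmap is not invoked here: the functions build the command lines and parse
-oG output so the flow can be exercised offline. 10.10.10.3 is hypothetical.
"""
import re
import shlex
from typing import List


def stage1_cmd(target: str) -> List[str]:
    # -p- is ports 1-65535 (port 0 needs -p0-). -T4 and --max-retries 1 keep the
    # all-ports sweep tolerable over a VPN; --open keeps closed/filtered ports
    # out of the grepable output.
    return ["nmap", "-sS", "-p-", "-T4", "--max-retries", "1", "--open",
            "-oG", "stage1.gnmap", target]


# One -oG port entry looks like: port/state/proto/owner/service/rpc/version/
_PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/")


def open_tcp_ports(gnmap_text: str) -> List[int]:
    """Return the sorted, de-duplicated open TCP ports from nmap -oG output."""
    ports = set()
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State:", 1)[0]
        for entry in ports_field.split(", "):
            m = _PORT_ENTRY.match(entry.strip())
            if m and m.group(2) == "open" and m.group(3) == "tcp":
                ports.add(int(m.group(1)))
    return sorted(ports)


def stage2_cmd(target: str, ports: List[int]) -> List[str]:
    # Default scripts plus version detection, but only on the open ports.
    return ["nmap", "-sC", "-sV", "-p", ",".join(map(str, ports)), target]


def udp_top_cmd(target: str, top: int = 20) -> List[str]:
    # All-ports UDP is impractically slow over the VPN; cover the common
    # UDP services instead (top value is an assumption, tune to taste).
    return ["nmap", "-sU", "--top-ports", str(top), "-T4", target]


# Constructed sample of -oG output (not a real scan result) to exercise the parser.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sS -p- -T4 --max-retries 1 "
    "-oG stage1.gnmap 10.10.10.3\n"
    "Host: 10.10.10.3 ()\tStatus: Up\n"
    "Host: 10.10.10.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1/, "
    "23/filtered/tcp//telnet///, 80/open/tcp//http//Apache httpd 2.2.8/, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

if __name__ == "__main__":
    target = "10.10.10.3"
    print(shlex.join(stage1_cmd(target)))
    found = open_tcp_ports(SAMPLE_GNMAP)  # [22, 80, 8080]; filtered 23 is dropped
    print(shlex.join(stage2_cmd(target, found)))
    print(shlex.join(udp_top_cmd(target)))
```

The parser only trusts entries whose state is exactly `open` and whose protocol is `tcp`, so filtered ports from a scan run without `--open` do not leak into the second stage and inflate its runtime.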
Hackthebox: Poison – Walkthrough
Initial Enumeration. Whilst more extensive scans are running, let's look at what we've got so far. 22/TCP: standard OpenSSH with no known vulnerabilities. Not much use to us so far, without even a username to brute force. 80/HTTP: a script testing app. If that doesn't shout LFI, I don't know what does. Testing it on the phpinfo.php file executes it and shows a lot of info that might be useful: But let's check for the obvious LFI: In phpinfo we see this script is in this location: /usr/local/www/apache24/data/browse.php. Just for fun, let's see what code the PHP file contains using the