Initial Enumeration Whilst more extensive scans are run, let's look at what we've got so far 22/TCP standard openssh with no known vulnerabilities. Not much use to us so far, without even a username to brute force 80/HTTP A script testing app. If that doesn't shout LFI, I don't know what does. Testing it on the phpinfo.php file executes it at shows a lot of info that might be useful: But let's check for the obvious LFI: In phpinfo we see this script is in this location: /usr/local/www/apache24/data/browse.php. Just for fun let's see what code the php file contains using the Continue Reading
ch4inrulz 1.0.1 Walkthrough
Initial Enumeration Having located the VM on 192.168.189.129, we run an nmap scan to see what port action is available: No known vulnerabilities for the services were found. Taking the ports one at a time: 21/ftp anonymous FTP access is allowed: PUT and MKDIR are not allowed: 550 Permission denied Server is anonymous only so no root, or other user, access allowed 22/SSH external ssh appears to be allowed 80/HTTP Website found: Dirb finds files and listable directories: [email protected]:~/temp# dirb http://192.168.189.129 ----------------- DIRB v2.22 By The Continue Reading
Vulnix
How to pivot through a Windows host with Secure Sockets Funnelling (SSF) Part 1:
SSF Pivoting is a key part of Penetration Testing as it allows you to move through the target network, getting access to subnets that are on the other side of NAT routers or otherwise inaccessible from your point of entry. Pivoting from a linux machine is quite well served since most linux boxes are running SSH and this service can be co-opted for this purpose. But pivoting from a Windows box you've compromised isn't quite so simple to do using native commands. In this post I'll cover using SSF: Secure Sockets Funneling - a tool available here Secure Sockets Funnelling (SSF) SSF is a Continue Reading