Initial Enumeration

Quick SYN scan:

Wider and deeper scan:

A quick note on the scans: I generally do basic nmap scans and then use unicornscan for wider port scans because it's so much quicker, especially with UDP. However, the HackTheBox VPN appears to interfere with that, so I've been amending my nmap scans with the -T4 timing template and --max-retries, which seems to be a reasonable alternative. The -p- means all TCP ports, 1-65535 (nmap only includes port 0 if you ask for it explicitly with -p0-). Without the other settings I've found all-port scans take a ridiculously long time. Unfortunately it still doesn't make all-port UDP scans quick enough, so I tend to set one
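The sweep-then-dig flow described in that note, as an added Python example (mine, not the author's scan commands or anything from the box): a fast all-port TCP sweep with -T4 and a small --max-retries budget, the grepable (-oG) output parsed for open ports, and a -sC -sV scan run only on those ports. The target address, helper names and the sample -oG text are constructed for illustration; -sS needs root, and the runner is injectable so the parsing can be exercised with nmap absent.

```python
"""Two-stage nmap workflow: fast all-port TCP sweep, then a deeper scan of only
the ports that came back open.  Added example, not code from the original post;
the helper names, the -oG parsing and SAMPLE_GNMAP are my own constructions."""
import re
import shlex
import subprocess
import sys


def fast_scan_args(target, max_retries=1, timing="T4"):
    """Argument list for the wide sweep: every TCP port (1-65535), aggressive
    timing and a low retry budget so a lossy VPN does not stall the scan.
    -oG - writes grepable output to stdout so it can be parsed directly."""
    return ["nmap", "-sS", "-p-", f"-{timing}", "--max-retries", str(max_retries),
            "-oG", "-", target]


def deep_scan_args(target, ports):
    """Version detection plus default scripts, restricted to ports already
    known open; that is where the time is better spent than on a second sweep."""
    port_list = ",".join(str(p) for p in sorted(ports))
    return ["nmap", "-sC", "-sV", "-p", port_list, target]


# -oG port fields look like port/state/proto/owner/service/rpcinfo/version/
_PORT_FIELD = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")


def parse_gnmap_open_ports(gnmap_text):
    """Return {port: service} for every port reported open in -oG output.
    Only 'open' entries are kept; 'closed' and 'filtered' are ignored."""
    found = {}
    for line in gnmap_text.splitlines():
        if "Ports:" not in line:
            continue
        _, _, ports_part = line.partition("Ports:")
        for port, _proto, service in _PORT_FIELD.findall(ports_part):
            found[int(port)] = service
    return found


def run_two_stage(target, runner=subprocess.run):
    """Sweep, parse, then deep-scan the open ports.  `runner` is injectable so
    the flow can be driven without nmap installed (see the fake in testing)."""
    sweep = runner(fast_scan_args(target), capture_output=True, text=True, check=True)
    open_ports = parse_gnmap_open_ports(sweep.stdout)
    if not open_ports:
        return open_ports, None
    deep = runner(deep_scan_args(target, open_ports), capture_output=True, text=True, check=True)
    return open_ports, deep.stdout


# Constructed sample of nmap -oG output (not from a real scan) for offline use.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.10.10.84 ()\tStatus: Up\n"
    "Host: 10.10.10.84 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n"
)


if __name__ == "__main__":
    tgt = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.84"   # assumed target
    print("sweep:", shlex.join(fast_scan_args(tgt)))
    ports, report = run_two_stage(tgt)
    print("open:", ports)
    if report:
        print(report)
```

The sweep deliberately skips version detection; -sV on 65535 ports is what makes all-port scans crawl, so it is only run against the handful of ports the sweep confirms open.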
Hackthebox: Poison – Walkthrough
Initial Enumeration

Whilst more extensive scans are run, let's look at what we've got so far.

22/TCP: standard OpenSSH with no known vulnerabilities. Not much use to us so far, without even a username to brute force.

80/HTTP: a script testing app. If that doesn't shout LFI, I don't know what does. Testing it on the phpinfo.php file executes it and shows a lot of info that might be useful:

But let's check for the obvious LFI:

In phpinfo we see this script is in this location: /usr/local/www/apache24/data/browse.php. Just for fun, let's see what code the php file contains using the
ch4inrulz 1.0.1 Walkthrough
Initial Enumeration

Having located the VM on 192.168.189.129, we run an nmap scan to see what port action is available:

No known vulnerabilities for the services were found. Taking the ports one at a time:

21/FTP: anonymous FTP access is allowed. PUT and MKDIR are not allowed (550 Permission denied). The server is anonymous-only, so no root, or other user, access is allowed.

22/SSH: external SSH appears to be allowed.

80/HTTP: website found. Dirb finds files and listable directories:

root@kali:~/temp# dirb https://192.168.189.129
-----------------
DIRB v2.22
By The
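The 21/FTP checks above (anonymous login, listing, whether MKD is refused with 550, whether a real account can log in) as an added Python example using the standard ftplib; this is mine, not the author's session or anything from the VM. The probe directory name, the anonymous password and the fake server used to exercise it offline are constructions for illustration.

```python
"""Anonymous FTP triage: login, list, test writability, test a named account.
Added example, not the author's commands; probe names are assumptions."""
import ftplib
import sys


def check_anonymous_ftp(host, ftp_factory=ftplib.FTP, probe_dir="ftp_probe_dir"):
    """Log in as anonymous, list the root, then try to create (and remove) a
    directory.  A 550 reply on MKD is the read-only anonymous share case; any
    other failure is recorded as-is.  ftp_factory is injectable so the logic
    can be driven without a live server."""
    result = {"anonymous": False, "writable": False, "listing": []}
    ftp = ftp_factory()
    try:
        ftp.connect(host, 21, timeout=10)
        ftp.login("anonymous", "anonymous@example.com")   # assumed password
        result["anonymous"] = True
        result["listing"] = ftp.nlst()
        try:
            ftp.mkd(probe_dir)
            result["writable"] = True
            ftp.rmd(probe_dir)                            # clean up after ourselves
        except ftplib.error_perm as exc:
            result["write_error"] = str(exc)              # e.g. "550 Permission denied"
    except ftplib.all_errors as exc:
        result["error"] = str(exc)
    finally:
        ftp.close()
    return result


def user_login_allowed(host, user, password, ftp_factory=ftplib.FTP):
    """True if a named account (e.g. root) is accepted; False on a 530-style
    refusal or any connection error.  Used to confirm 'anonymous only'."""
    ftp = ftp_factory()
    try:
        ftp.connect(host, 21, timeout=10)
        ftp.login(user, password)
        return True
    except ftplib.all_errors:
        return False
    finally:
        ftp.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.189.129"
    print(check_anonymous_ftp(target))
    print("root login accepted:", user_login_allowed(target, "root", "root"))
```

A writable anonymous share is worth noting even when it is not the way in: if the FTP root overlaps the web root, an uploaded file becomes code execution via the web server.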
VulnHub VM: Stapler
This has turned out to be quite a fun box to attack because it has multiple ways in and supposedly multiple escalation methods too. I prefer this sort of CTF to the ones where they hide passwords in Base64-encoded JPGs in the page source and that sort of thing. This is less of a puzzle/game and more realistic, albeit an unrealistically badly configured security setup. N.B. when I write these up, I write as I'm doing it, so it's not a carefully edited walkthrough as such but more of a record (for myself) of what I did, as I did it, and the thought processes, which I'm hoping to