Initial Enumeration Quick syn scan: Wider and deeper scan: A quick note on the scans: I generally do basic nmap scans and then use unicornscan for wider port scans because it's so much quicker, especially with UDP. However HackTheBox VPN appears to interfere with that. So I've been ammending my nmap scans with the T4 timing and --max-retries which seems to be a reasonable alternative. The -p- means ports 0-65535. Without the other settings I've founds all ports scans to take a ridiculously long time. Unfortunately it still doesn't make all-ports UDP scans quick enough so I tend set one Continue Reading

Initial Enumeration Whilst more extensive scans are run, let's look at what we've got so far 22/TCP standard openssh with no known vulnerabilities. Not much use to us so far, without even a username to brute force 80/HTTP A script testing app. If that doesn't shout LFI, I don't know what does. Testing it on the phpinfo.php file executes it at shows a lot of info that might be useful: But let's check for the obvious LFI: In phpinfo we see this script is in this location:  /usr/local/www/apache24/data/browse.php. Just for fun let's see what code the php file contains using the Continue Reading