Retro

Retro

This post is a walkthrough of the Hack The Box (Originally VulnLab Box) room Retro

Hack The Box: Retro – Exploiting Weak Credentials, Pre-Created Computer Accounts, and Certificate Vulnerabilities

Retro is an Easy-rated Windows machine from VulnLabs that offers a fantastic introduction to Active Directory (AD) exploitation, covering weak credential hygiene, pre-created computer account abuse, and certificate template vulnerabilities. The attack path begins with anonymous LDAP enumeration, revealing a list of domain users through a RID brute-force attack using the default guest account. A simple password spray attack with usernames as passwords yields valid credentials, granting access to network shares. Among these shares, a seemingly innocuous ToDo.txt file provides a critical clue—mentioning outdated finance software and pre-created computer accounts in the domain. ...

July 4, 2025 at 08:12 GMT · 16 min
Down

Down

This post is a walkthrough of the Hack The Box (Originally VulnLab Box) room Down

Intro

Down is an easy Linux box created originally for Vulnlabs. Hack The Box recently acquired Vulnlabs and is starting to make the machines available. You will need a HTB VIP+ account to access these boxes.

From SSRF to Root: A Step-by-Step Breakdown of a Web App Exploitation Chain

In this penetration testing engagement, we began by discovering a Server-Side Request Forgery (SSRF) vulnerability, which led us to a Local File Inclusion (LFI) flaw. Exploiting the LFI, we extracted the source code of the web application, revealing a hidden “expertmode” feature designed to check open ports using netcat. ...

June 26, 2025 at 08:40 GMT · 13 min
Nibbles

HTB Nibbles

This post is a walkthrough of the Hack The Box room Nibbles

Intro

Nibbles is a fairly simple machine; however, with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.

Enumeration

NMAP Scan

sudo nmap -sVC -T4 -p- -vv -oA nmap/alltcp-ports 10.129.202.224 --open

Discovered Ports

Discovered open port 80/tcp on 10.129.202.224
Discovered open port 22/tcp on 10.129.202.224

Below we can see the web server is running on a Ubuntu 2.2 Server and using Apache 2.4.18 as the backend for the webserver. ...

May 11, 2024 at 15:04 GMT · 7 min
Athena

THM | Athena | Medium

This post is a walkthrough of the Try Hack Me room Athena

Intro

Break all security and compromise the machine. Are you capable of mastering the entire system and exploiting all vulnerabilities?

NMAP Scan

# Nmap 7.94 scan initiated Sat Sep 16 14:50:30 2023 as: nmap -sVC -T4 -p- -vv -oA nmap/all-tcp-ports 10.10.138.143
Nmap scan report for athena.thm (10.10.138.143)
Host is up, received reset ttl 63 (0.018s latency).
Scanned at 2023-09-16 14:50:31 IST for 25s
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3b:c8:f8:13:e0:cb:42:60:0d:f6:4c:dc:55:d8:3b:ed (RSA)
|   256 1f:42:e1:c3:a5:17:2a:38:69:3e:9b:73:6d:cd:56:33 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPBg1Oa6gqrvB/IQQ1EmM1p5o443v5y1zDwXMLkd9oUfYsraZqddzwe2CoYZD3/oTs/YjF84bDqeA+ILx7x5zdQ=
|   256 7a:67:59:8d:37:c5:67:29:e8:53:e8:1e:df:b0:c7:1e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaJ6imGGkCETvb1JN5TUcfj+AWLbVei52kD/nuGSHGF
80/tcp  open  http        syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Athena - Gods of olympus
| http-methods:
|_  Supported Methods: POST OPTIONS HEAD GET
139/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4.6.2
445/tcp open  netbios-ssn syn-ack ttl 63 Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 9973/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 41780/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 35605/udp): CLEAN (Failed to receive data)
|   Check 4 (port 36277/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: ROUTERPANEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   ROUTERPANEL<00>      Flags: <unique><active>
|   ROUTERPANEL<03>      Flags: <unique><active>
|   ROUTERPANEL<20>      Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   SAMBA<00>            Flags: <group><active>
|   SAMBA<1d>            Flags: <unique><active>
|   SAMBA<1e>            Flags: <group><active>
| Statistics:
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|   00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_  00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_clock-skew: 0s
| smb2-time:
|   date: 2023-09-16T13:50:56
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 16 14:50:56 2023 -- 1 IP address (1 host up) scanned in 25.77 seconds

Notes from NMAP ...

September 17, 2023 at 12:09 GMT · 7 min
Expose

THM | Expose | Easy

This post is a walkthrough of the Try Hack Me room Expose

Intro

This challenge is an initial test to evaluate your capabilities in red teaming skills. You will find all the necessary tools to complete the challenge, like Nmap, sqlmap, wordlists, PHP shell, and many more in the AttackBox. Exposing unnecessary services in a machine can be dangerous. Can you capture the flags and pwn the machine?

NMAP Scan

sudo nmap -sVC -T4 -p- -vv -oA nmap/all-tcp-ports 10.10.191.114
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 19:41 IST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating Ping Scan at 19:41
Scanning 10.10.191.114 [4 ports]
Completed Ping Scan at 19:41, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.01s elapsed
Initiating SYN Stealth Scan at 19:41
Scanning 10.10.191.114 [65535 ports]
Discovered open port 21/tcp on 10.10.191.114
Discovered open port 22/tcp on 10.10.191.114
Discovered open port 53/tcp on 10.10.191.114
Discovered open port 1883/tcp on 10.10.191.114
Discovered open port 1337/tcp on 10.10.191.114
Completed SYN Stealth Scan at 19:41, 12.23s elapsed (65535 total ports)
Initiating Service scan at 19:41
Scanning 5 services on 10.10.191.114
Completed Service scan at 19:41, 11.11s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.191.114.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:41
NSE: [ftp-bounce 10.10.191.114:21] PORT response: 500 Illegal PORT command.
Completed NSE at 19:42, 10.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.09s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.01s elapsed
Nmap scan report for 10.10.191.114
Host is up, received reset ttl 63 (0.051s latency).
Scanned at 2023-09-05 19:41:30 IST for 34s
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 63 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.11.0.200
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 bc:ad:ba:9e:00:c2:bb:94:46:71:6d:eb:9c:6c:8b:de (RSA)
|   256 3c:0c:11:2f:96:05:ad:08:c6:dd:6e:20:08:b6:71:25 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNe4/l3KTGE7PJc7QH6ImgyMbg82kppYvZJByUaE2opJQ/XV93WScr6SzhcXqG/WrXvHfz4LtHzCxeujJTPyMys=
|   256 66:4c:8e:11:31:8c:fb:3a:e1:69:38:ae:d5:d1:5f:5c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2LEEUfDOIGeJBrF3AEOuhqYEnTj+n4/FcYGlAMV92f
53/tcp   open  domain  syn-ack ttl 63 ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu
1337/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: EXPOSED
|_http-server-header: Apache/2.4.41 (Ubuntu)
1883/tcp open  mosquitto version 1.6.9 syn-ack ttl 63
| mqtt-subscribe:
|   Topics and their most recent payloads:
|     $SYS/broker/load/publish/received/5min: 0.00
|     $SYS/broker/load/publish/dropped/1min: 0.00
|     $SYS/broker/messages/stored: 53
|     $SYS/broker/load/bytes/sent/15min: 136.90
|     $SYS/broker/heap/maximum: 54584
|     $SYS/broker/publish/messages/dropped: 0
|     $SYS/broker/load/bytes/received/1min: 63.04
|     $SYS/broker/load/connections/5min: 0.39
|     $SYS/broker/bytes/sent: 2066
|     $SYS/broker/load/publish/received/1min: 0.00
|     $SYS/broker/store/messages/count: 53
|     $SYS/broker/clients/connected: 1
|     $SYS/broker/publish/bytes/received: 0
|     $SYS/broker/load/publish/sent/5min: 10.21
|     $SYS/broker/load/publish/dropped/15min: 0.00
|     $SYS/broker/bytes/received: 69
|     $SYS/broker/load/connections/15min: 0.13
|     $SYS/broker/load/sockets/5min: 0.39
|     $SYS/broker/clients/inactive: 0
|     $SYS/broker/clients/disconnected: 0
|     $SYS/broker/load/publish/dropped/5min: 0.00
|     $SYS/broker/load/bytes/sent/5min: 405.72
|     $SYS/broker/load/publish/sent/15min: 3.45
|     $SYS/broker/clients/expired: 0
|     $SYS/broker/shared_subscriptions/count: 0
|     $SYS/broker/clients/maximum: 1
|     $SYS/broker/load/messages/sent/1min: 50.25
|     $SYS/broker/version: mosquitto version 1.6.9
|     $SYS/broker/load/bytes/sent/1min: 1887.68
|     $SYS/broker/uptime: 44 seconds
|     $SYS/broker/load/messages/sent/5min: 10.80
|     $SYS/broker/subscriptions/count: 2
|     $SYS/broker/store/messages/bytes: 191
|     $SYS/broker/retained messages/count: 53
|     $SYS/broker/load/bytes/received/5min: 13.55
|     $SYS/broker/load/publish/sent/1min: 47.51
|     $SYS/broker/heap/current: 54184
|     $SYS/broker/clients/active: 1
|     $SYS/broker/load/sockets/15min: 0.13
|     $SYS/broker/clients/total: 1
|     $SYS/broker/publish/messages/sent: 52
|     $SYS/broker/load/publish/received/15min: 0.00
|     $SYS/broker/load/messages/sent/15min: 3.64
|     $SYS/broker/publish/messages/received: 0
|     $SYS/broker/publish/bytes/sent: 177
|     $SYS/broker/load/bytes/received/15min: 4.57
|     $SYS/broker/messages/sent: 55
|     $SYS/broker/load/messages/received/1min: 2.74
|     $SYS/broker/messages/received: 3
|     $SYS/broker/load/sockets/1min: 1.67
|     $SYS/broker/load/messages/received/5min: 0.59
|     $SYS/broker/load/messages/received/15min: 0.20
|_    $SYS/broker/load/connections/1min: 1.83
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.42 seconds

Ports Of Interest

Port 21 - FTP (vsftpd 2.0.8 or later)
Port 22 - SSH
Port 80 - Http
Port 1883: Mosquitto ...

September 6, 2023 at 21:10 GMT · 10 min
Lesson Learned

THM | Lesson Learned | Easy

This post is a walkthrough of the Try Hack Me room Lesson-Learned

Intro

This is a relatively easy machine that tries to teach you a lesson, but perhaps you’ve already learned the lesson? Let’s find out. Treat this box as if it were a real target and not a CTF. Get past the login screen and you will find the flag. There are no rabbit holes, no hidden files, just a login page and a flag. Good luck! ...

August 29, 2023 at 19:03 GMT · 3 min
Grep

THM | Grep | Easy

This post is a walkthrough of the Try Hack Me room Grep

Intro

Welcome to the OSINT challenge, part of TryHackMe’s Red Teaming Path. In this task, you will be an ethical hacker aiming to exploit a newly developed web application. SuperSecure Corp, a fast-paced startup, is currently creating a blogging platform inviting security professionals to assess its security. The challenge involves using OSINT techniques to gather information from publicly accessible sources and exploit potential vulnerabilities in the web application. Your goal is to identify and exploit vulnerabilities in the application using a combination of recon and OSINT skills. As you progress, you’ll look for weak points in the app, find sensitive data, and attempt to gain unauthorized access. You will leverage the skills and knowledge acquired through the Red Team Pathway to devise and execute your attack strategies. ...

August 20, 2023 at 14:51 GMT · 8 min
Crylo

THM | Crylo | Medium

This post is a walkthrough of the Try Hack Me room Crylo

Intro

Welcome to Crylo. Crylo is an engaging room on TryHackMe that focuses on teaching two interesting topics: SQL Injection and bypassing Two-Factor Authentication (2FA) through exploiting the Crypto JS library. Through these concepts, participants learn how to overcome security challenges. In the Crylo room, you’ll explore techniques to go beyond just local connections and achieve command injection on a web application. This allows you to gain access to the server. Once you have access, you can uncover the sudo user’s password by utilizing the same AES encryption system that the server is employing. This room offers a hands-on and practical learning experience in the realm of cybersecurity. ...

August 13, 2023 at 22:50 GMT · 8 min
Forgotten Implant

THM | Forgotten Implant | Medium

This post is a walkthrough of the Try Hack Me room Forgotten Implant

Intro

Welcome to Forgotten Implant! This is a pretty straightforward CTF-like room in which you will have to get initial access before elevating your privileges. The initial attack surface is quite limited, and you’ll have to find a way of interacting with the system. If you have no prior knowledge of Command and Control (C2), you might want to look at the Intro to C2 room. While it is not necessary to solve this challenge, it will provide valuable context for your learning experience. ...

July 29, 2023 at 11:15 GMT · 6 min
Red vs Blue

THM | Red | Easy

This post is a walkthrough of the Try Hack Me room Red

Intro

Red is a TryHackMe room created by readysetexploit which was inspired by TryHackMe’s King of the Hill. The theme of this machine is a battle between red and blue in which we try to navigate red’s defense mechanisms in order to take back the machine. We start by finding a Web Server that is vulnerable to Local File Inclusion. We use it to read blue’s history file in order to create a password list. We gain access to the server and find that we can edit the hosts file so that a reverse shell that is being executed by red points to us. We then make use of the PwnKit exploit in order to get root and defeat red. Although it seems pretty straightforward, red’s defenses add a layer of complexity that can irritate even the most seasoned player. ...

July 16, 2023 at 21:13 GMT · 7 min