Nibbles

HTB Nibbles

This post is a walkthrough of the Hack The Box room Nibbles

Intro

Nibbles is a fairly simple machine; however, with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.

Enumeration

NMAP Scan

sudo nmap -sVC -T4 -p- -vv -oA nmap/alltcp-ports 10.129.202.224 --open

Discovered Ports

Discovered open port 80/tcp on 10.129.202.224
Discovered open port 22/tcp on 10.129.202.224

Below we can see the web server is running on an Ubuntu 2.2 Server and using Apache 2.4.18 as the backend for the webserver. ...

May 11, 2024 at 15:04 GMT · 7 min
Athena

THM | Athena | Medium

This post is a walkthrough of the Try Hack Me room Athena Intro Break all security and compromise the machine. Are you capable of mastering the entire system and exploiting all vulnerabilities? NMAP Scan Notes from NMAP ...

September 17, 2023 at 12:09 GMT · 7 min
Crylo

THM | Crylo | Medium

This post is a walkthrough of the Try Hack Me room Crylo Intro Welcome to Crylo. Crylo is an engaging room on TryHackMe that focuses on teaching two interesting topics: SQL Injection and bypassing Two-Factor Authentication (2FA) through exploiting the Crypto JS library. Through these concepts, participants learn how to overcome security challenges. In the Crylo room, you’ll explore techniques to go beyond just local connections and achieve command injection on a web application. This allows you to gain access to the server. Once you have access, you can uncover the sudo user’s password by utilizing the same AES encryption system that the server is employing. This room offers a hands-on and practical learning experience in the realm of cybersecurity. ...

August 13, 2023 at 22:50 GMT · 8 min
Forgotten Implant

THM | Forgotten Implant | Medium

This post is a walkthrough of the Try Hack Me room Forgotten Implant Intro Welcome to Forgotten Implant! This is a pretty straightforward CTF-like room in which you will have to get initial access before elevating your privileges. The initial attack surface is quite limited, and you’ll have to find a way of interacting with the system. If you have no prior knowledge of Command and Control (C2), you might want to look at the Intro to C2 room. While it is not necessary to solve this challenge, it will provide valuable context for your learning experience. ...

July 29, 2023 at 11:15 GMT · 6 min
Intranet

THM | Intranet | Medium

This post is a walkthrough of the Try Hack Me room Intranet Intro The web application development company SecureSolaCoders has created their own intranet page. The developers are still very young and inexperienced, but they ensured their boss (Magnus) that the web application was secured appropriately. The developers said, “Don’t worry, Magnus. We have learnt from our previous mistakes. It won’t happen again”. However, Magnus was not convinced, as they had introduced many strange vulnerabilities in their customers’ applications earlier. ...

July 18, 2023 at 20:53 GMT · 12 min