OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security


This was an easy difficulty box, and it involved multiple steps to fully gain root access on the box. Good learning path for:

  • Access Control Bypass on Register Function on Webapp
  • Laravel Token Unserialize RCE
  • Linux Audit
  • Composer Privilege Escalation

Initial Recon

Nmap

$ nmap -Pn --open -p- -T4 -sV -sC 10.10.10.215
PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://academy.htb/
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
  • HTTP…



This one was an easy-difficulty Windows box. Good learning path for:

  • Anonymous FTP Access and Enumeration
  • NVMS-1000 Directory Traversal Attack
  • SMB Password Guessing (smbclient.py)
  • NSClient++ Privilege Escalation

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sC -sV -p- 10.10.10.184
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_01-18-20 11:05AM <DIR> Users
| ftp-syst:
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 b9:89:04:ae:b6:26:07:3f:61:89:75:cf:10:29:28:83 (RSA)
| 256 71:4e:6c:c0:d3:6e:57:4f:06:b8:95:3d:c7:75:57:53 (ECDSA)
|_ 256 15:38:bd:75:06:71:67:7a:01:17:9c:5c:ed:4c:de:0e (ED25519)
80/tcp open http
| fingerprint-strings:
| GetRequest, HTTPOptions, RTSPRequest:
|…


This one was an easy difficulty box. Good learning path for:

  • Login Brute-forcing
  • Moodle RCE — Math Formula Abuse
  • MySQL DB Enum to Extract Password
  • Privilege Escalation via Cronjob

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.153
PORT   STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Blackhat highschool

Interesting Ports to Note

  • HTTP (80/TCP) — Web page for Blackhat High School.

Image Enumeration

Within the homepage, there was another .html page at http://10.10.10.153/gallery.html.



This one was an easy difficulty box. Good learning path for:

  • Gym Management System 1.0 RCE
  • plink.exe to Port Forward to Bypass Restrictions
  • cloudMe.exe BoF Exploit

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.198
PORT     STATE SERVICE    VERSION
7680/tcp open pando-pub?
8080/tcp open http Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut

Interesting Ports to Note

  • HTTP (8080/TCP) — Web page. Gym Management Software 1.0

The contact page disclosing the version of the application:



This was an easy difficulty box. Good learning path for:

  • Source Code Review (Client-side JavaScript Authentication)
  • Puzzles — Various Encoding Programming
  • Brute-forcing Password Protected .ZIP File
  • playSMS Malicious .csv File Upload RCE
  • x86 Binary Exploit (NX Enabled; ASLR Disabled; ret2libc Attack)

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sC -sV -p- 10.10.10.111
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 87:7b:91:2a:0f:11:b6:57:1e:cb:9f:77:cf:35:e2:21 (RSA)
| 256 b7:9b:06:dd:c2:5e:28:44:78:41:1e:67:7d:1e:b7:62 (ECDSA)
|_ 256 21:cf:16:6d:82:a4:30:c3:c6:9c:d7:38:ba:b5:02:b0 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd…


This was an easy difficulty Windows box. Good learning path for:

  • File Extension Bypass
  • Allowed File Extension Checking (Python Scripting)
  • web.config RCE
  • Nishang (Invoke-PowerShellTcp.ps1) — Reverse Shell
  • Juicy Potato (SeImpersonatePrivilege Abuse)

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sC -sV -p- 10.10.10.93
PORT   STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Bounty
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Interesting Ports to Note

  • HTTP (80/TCP) — IIS 7.5 web server. Main page only contains an image file.


This was an easy difficulty box. Good learning path for:

  • OpenSSL Heartbleed Vulnerability
  • OpenSSL RSA Private Key Decrypt
  • Tmux Running as Root Privilege Escalation

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -sV -sC -p- 10.10.10.79
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 96:4c:51:42:3c:ba:22:49:20:4d:3e:ec:90:cc:fd:0e (DSA)
| 2048 46:bf:1f:cc:92:4f:1d:a0:42:b3:d2:16:a8:58:31:33 (RSA)
|_ 256 e6:2b:25:19:cb:7e:54:cb:0a:b9:ac:16:98:c6:7d:a9 (ECDSA)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a…


This was an easy difficulty box; it was a pretty easy and straightforward one. Good learning path for:

  • LFI — File Enumeration
  • Tomcat JSP Script Exploit
  • Password Protected .zip File Abuse
  • Linux LXD Container Breakout

Initial Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -sC -sV 10.10.10.194
PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Interesting Ports to Note

  • HTTP (80/TCP) — Mega Hosting Web page.


This was an insane difficulty box and had many tricky steps to fully compromise it. Good learning path for:

  • UDP Service Enumeration
  • SNMP to obtain IPv6 Address
  • ICMP Data Exfiltration
  • systemd-run Command

Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -T4 -sC -sV 10.10.10.92
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
3366/tcp open caldav Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth:
| HTTP/1.0 401 Unauthorized\x0D
|_ Basic realm=Test
|_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
|_http-title…
