Enumeration As with every engagement, it starts with information gathering. Ran the standard nmap scan and found the following port open on the target system. A scan for UDP ports was also done but nothing interesting was seen. Initial Access The first thing I did was see if there was any low hanging fruit by performing a simple brute force against TCP port 22. Unfortunately, no credentials were found so moved on to TCP port 80. Simply navigating to the target system’s IP in the browser revealed that there should be some sort of ticketing system that is only accessible…
Category: Hack the Box
Enumeration As with every machine, I like to start off with an nmap scan of all TCP ports using the standard NSE scripts and gather version information. Additionally, I did a scan of the top UDP ports. The results of the scans show TCP ports 22, 80, 8338, and 55555 as open as well as UDP port 68 being open. Looking closer at the results, TCP ports 80 and 8338 are showing as filtered. This means there is a firewall or filter in place that is preventing a successful connection from the attack box to the target box. Initial Access…
Introduction This box taught me a lot. It provided many opportunities to learn how to enumerate services, even if nothing ultimately was gleaned from it. It also taught me that sometimes getting fresh air and resetting is the best thing to do. Sometimes you need to try harder, but that is not always the case. And finally, do not get stuck on using the same tools or wordlists for a specific job. Different tools can give different results, so expand your arsenal. Sometimes you might not get results because of the tool, not because of something you are inherently doing…
Learned a lot doing this box. It starts off with accessing an open SMB share that contains a password protected ZIP. Cracking the password for the ZIP allowed access to a PFX file. After cracking the password associated with the PFX file I was able to extract a .crt and .key file. Using those files, I was able to login via WinRM. After doing some recon on the local box I discovered a clear text password for another user in the PowerShell history file. Said user was part of a group that could read LAPS passwords. And it just so…
For this box, I discover a password protected ZIP file. After cracking the password and examining what was in the ZIP file, I find credentials to a website. Once logged in I discover that the HTTP application is vulnerable to SQL injection. I am able to exploit this vulnerability to get a reverse shell. Once on the box I take advantage of vi to get a shell as root thanks to GTFOBins! Initial Recon Started with the standard nmap scan. There are three ports open – SSH on 21, FTP on 22, and HTTP on 80. Initial Access FTP The…
Seems like I say this for every box, but it was fun and I learned a lot. The box starts off will cookie manipulation so that I can upload files. From there I am able to upload a PHP reverse shell to gain a foothold. Poking around the system reveals SSH credentials. After logging in via SSH I find a custom SUID binary. This binary accepts user input and allows the viewing of files under the security context of root. I image the intent was to only allow the viewing of files in a hard coded directory that is in…
This is the first installment of Tier 2 writeups. There is a clear increase in difficulty with these boxes. The increase in difficulty is do to more steps needing to be taken to gain access and elevate privileges. Archetype starts off with the enumeration of SMB shares. On this share is a config file that contains credentials. I then use those credentials and Impacket to get a reverse shell. Once I have a shell on the box I find a command history file with administrator credentials waiting for me. Initial Recon Started with the standard nmap scan. There are a…
Introduction This was a straight forward box. It was very similar to a previous Starting Point machine. Gain access to SMB via brute force. With valid credentials and Impacket I am able to get a semi-interactive shell on the box. This wraps up Tier 1 machines. Next is Tier 2 and then on to some retired machines! Initial Recon Started with the standard nmap scan. There are a few ports open – RPC on 135, NetBIOS on 139, and SMB on 445. Initial Access SMB The first thing I do when I see port 445 is try to list shares….
This box required a password guessing attack to discover valid credentials to a Jenkins application. From there it was easy enough to get code execution via a Groovy script. There is one more Tier 1 box to look at before moving to Tier 2. These easier machines have taught me a lot. No matter what skill level you are at there is always an opportunity to learn. Initial Recon Started with the standard nmap scan. There is a single port open – HTTP on port 8080. Initial Access HTTP Prior to navigating to a web site, I like to start…
This box taught me A LOT about Node.JS and Server Side Template Injections (SSTI). It was fun creating a payload, determining why it did not work, and tweaking it until the desired end state is achieved. With that said, documentation is your friend! A lot of time was spent going through the Node.JS documentation to identify how a SSTI can be abused to get a RCE. Initial Recon Started off with the standard nmap scan. There are only two ports open – SSH on 22 and HTTP on 80. Initial Access HTTP Before I do anything with HTTP I like…