This was an interesting box. It shows how information leaked by an HTTP application can aid an attacker in a password guessing attack. Creating an account in the web application revealed minimum password requirements. With that knowledge, and assuming users do the bare minimum for password creation, I was able to create a custom password list. After a little bit of time and luck, I was able to successfully guess a user’s password to gain access to the application. Initial Recon Started with the standard nmap scan. There is a single port open – HTTP on port 80. Initial Access…
Category: Hack the Box
This was a very fun box and I learned a lot. A little bit of fuzzing a parameter in a GET request led to the discovery of a local file inclusion, which also turned out to be a remote file inclusion. With that knowledge I was able to trick the remote system into giving me its hash, which ultimately resulted in a valid username and password. Initial Recon Started with the standard nmap scan. There are two ports open – 80 is hosting a web server and 5985 is hosting WinRM. Let’s start with port 80. Initial Access HTTP Before…
In the previous writeup, Appointment, I got a little exposure to SQL. I learned how a web application could use some sort of database to authenticate users and how that can be taken advantage of if not properly configured. For this box, I got to work with such a database directly which helped cement what I had learned previously. Initial Recon Started off with the standard nmap scan. There is a single port open – MySQL on port 3306. Initial Access MySQL What is MySQL? It is an open-source database system. There can be multiple databases being managed by MySQL…
This was a very fun box! It starts off with an information leak in an HTTP header that contains a domain to enumerate. From there, a post is seen that hints that some hidden content may not be so hidden. Further enumeration leads to a version number which happens to have a CVE. With that CVE I am able to discover another subdomain. There I discover a custom bot that provides users various functionality. Ultimately I am able to take advantage of the bot to get a reverse shell. Once a shell is established, enumeration of the box is done…
Continuing with Starting Point, I moved onto the next tier. Learned a lot doing these boxes. And it caused some self-reflection. A bad habit that I am trying to correct is my tendency to not completely understand why a specific attack works. Some may call me a script kiddie and I would agree. Relying on tools that automate an attack or copy/pasting a PoC is a major crutch. But what happens when the tool doesn’t work? Or a PoC doesn’t match the exact environment I am in? That is when an understanding of how an exploit works comes into play…
In this post I continue with the tier 0 boxes. These boxes get a user familiar with Redis, Remote Desktop Protocol, and enumerating HTTP directories. These examples show how easily an attacker can access a system if these applications are exposed to the open internet and have poor access control. Using admin, or any variation therein, as a username or password is a horrible idea! Redeemer Initial Recon Started with an nmap scan, but my default scan didn’t pick up anything. However, expanding the scan to include all ports did find something. There is a single port open – Redis…
Starting Point on Hack the Box (HTB) is broken down into tiers and there are three. The first gets the user familiar with the HTB interface. It also gets the user familiar with terminology and the pen testing mindset. Below is a short writeup for the first three tier 0 boxes. Meow Initial Recon Ran a quick nmap scan against the box. Looking at the results shows a single port open – telnet on port 23. Initial Access Telnet What is telnet? It is an application protocol that allows remote access to a host. Similar to Secure Shell (SSH) that…
Continuing with the Tier 1 boxes on Starting Point. Moving forward, there will be a slight adjustment on how posts will be made. Instead of compiling multiple writeups into a single post, each writeup will have its own post. Next up is Crocodile. Recon Started with the basic nmap scan. There are two ports open – 21 running FTP and 80 running a web server. FTP seems the most lucrative given what we see in the nmap scan. FTP Connected to the FTP server with an anonymous login. Downloaded both files since they have interesting filenames. The files contained usernames…