Hi amazing hackers from around the world, back again with another write-up of a box. This time it’s from OffSec’s Proving Grounds. If you would like to check out more write-ups, please check my GitLab repository.

Try harder! Credits to Offensive Security

Enumeration

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 59:b7:db:e0:ba:63:76:af:d0:20:03:11:e1:3c:0e:34 (RSA)
| 256 2e:20:56:75:84:ca:35:ce:e3:6a:21:32:1f:e7:f5:9a (ECDSA)
|_ 256 0d:02:83:8b:1a:1c:ec:0f:ae:74:cc:7b:da:12:89:9e (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Basic information that you’ll get.

Web

  • Apache 2.4.38
  • WordPress 5.5
  • robots.txt contains…

This room focuses on PostgreSQL and how a misconfiguration can lead to Remote Code Execution.

NMAP SCAN

PORT     STATE SERVICE    VERSION  
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 71:ed:48:af:29:9e:30:c1:b6:1d:ff:b0:24:cc:6d:cb (RSA)
| 256 eb:3a:a3:4e:6f:10:00:ab:ef:fc:c5:2b:0e:db:40:57 (ECDSA)
|_ 256 3e:41:42:35:38:05:d3:92:eb:49:39:c6:e3:ee:78:de (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Poster CMS
|_http-server-header: Apache/2.4.18 (Ubuntu)
5432/tcp open postgresql PostgreSQL DB 9.5.8 - 9.5.10 or 9.5.17 - 9.5.21
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-07-29T00:54:25
|_Not valid after: 2030-07-27T00:54:25
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Always do recon, recon…


Hello all, it’s been a while since I posted; I’ve been hanging out on PortSwigger and learning stuff. I’ve been lazy, but I’ve been documenting what I do on my GitLab. If you’re interested, check out my GitLab.

Startup

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough…


Created by ustoun0

Tasks

  • user.txt
  • root.txt

Vulnerabilities

  • PHP deserialization
  • Weak password
  • Insecure file permissions.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 44:ee:1e:ba:07:2a:54:69:ff:11:e3:49:d7:db:a9:01 (RSA)
| 256 8b:2a:8f:d8:40:95:33:d5:fa:7a:40:6a:7f:29:e4:03 (ECDSA)
|_ 256 65:59:e4:40:2a:c2:d7:05:77:b3:af:60:da:cd:fc:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster

Looks like an Apache server; let’s enumerate it.

/backup               (Status: 301) [Size: 313] [--> http://10.10.181.31/backup/]
/javascript…

A TryHackMe room made by zyeinn featuring a lot of stuff!

Tasks

user.txt

root.txt

Vulnerabilities

Hashed credentials in source code.

Weak password

XXE injection

Binary called without an absolute path (resolved through $PATH).
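The last item above is the classic PATH-hijacking bug: a script, cron job or SUID program runs a helper by bare name, so whichever directory comes first in the caller’s PATH decides what actually executes. The following is an added example, not code from the room or from this write-up; the tool name backup-tool, the two directories under a mktemp workspace and the echoed strings are all made up for the demonstration. It shows the hijack and then the two usual fixes.

```shell
#!/bin/sh
# Added example, not from the write-up: a command run by bare name is
# resolved through PATH, so an attacker-writable directory early in PATH
# wins. Everything here (names, directories, output strings) is constructed.

WORK=$(mktemp -d)
mkdir -p "$WORK/bin" "$WORK/evil"

# The legitimate tool, standing in for whatever the admin's script calls.
cat > "$WORK/bin/backup-tool" <<'EOF'
#!/bin/sh
echo real-tool
EOF
chmod +x "$WORK/bin/backup-tool"

# Attacker-controlled directory (think /tmp, or a world-writable dir that
# ended up in PATH) with a same-named executable dropped in.
cat > "$WORK/evil/backup-tool" <<'EOF'
#!/bin/sh
echo hijacked
EOF
chmod +x "$WORK/evil/backup-tool"

# Vulnerable: bare command name, resolved through the PATH the caller set.
run_vulnerable() {
    PATH="$WORK/evil:$WORK/bin:$PATH" sh -c 'backup-tool'
}

# Fix 1: invoke the binary by its absolute path, so PATH is never consulted.
run_fixed_abs() {
    PATH="$WORK/evil:$WORK/bin:$PATH" sh -c "\"$WORK/bin/backup-tool\""
}

# Fix 2: reset PATH to a trusted value before resolving any command, which is
# what cron jobs and SUID wrappers should do (sudo's secure_path is the same idea).
run_fixed_path() {
    PATH="$WORK/evil:$WORK/bin:$PATH" sh -c "PATH=\"$WORK/bin\"; export PATH; backup-tool"
}

cleanup() {
    rm -rf "$WORK"
}

# Stand-alone run: prints "hijacked", then "real-tool" twice.
run_vulnerable
run_fixed_abs
run_fixed_path
```

This is why listing `sudo -l` rules, cron entries and SUID binaries and checking them (with strings or by reading the script) for bare command names is a standard privilege-escalation step: anything you can place earlier in the effective PATH than the real binary runs with the script’s privileges.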

NMAP

Ports 22 and 80 are open.
A full port scan reveals that port 8765 is also open.

Foothold

After running Gobuster, I checked out the directories and found interesting files in the custom/js directory.

mobile.js
users.bak

Using CrackStation, the hash in mobile.js seems to be an MD5 and can be cracked.

bcf063452ff1193524e499349d0ac459
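A 32-character hex digest like the one above is usually MD5 (NTLM has the same length, so length is only a hint), and an unsalted MD5 of a weak password falls to a dictionary in seconds, which is all CrackStation does with a much bigger list. Below is an added example, not part of the original post and not the room’s word list or plaintext: it guesses the digest family from its length and runs a dictionary attack with the coreutils md5sum/sha1sum/sha256sum tools. The target it cracks is a constructed MD5 of `sandwich1`, because the plaintext behind the digest on the page is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the write-up: guess a hex digest's algorithm from
# its length and run a dictionary attack with the coreutils digest tools.
# The word list and the target hash below are constructed for the demo.

# Digest family by hex length. 32 chars is also NTLM and 40 could be
# RIPEMD-160, so treat this as a hint that cracking confirms.
hash_type() {
    case ${#1} in
        32) echo md5 ;;
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# digest ALGO WORD: hash WORD without a trailing newline, which is how
# unsalted password hashes in web apps are normally produced.
digest() {
    case "$1" in
        md5)    printf '%s' "$2" | md5sum    | cut -d' ' -f1 ;;
        sha1)   printf '%s' "$2" | sha1sum   | cut -d' ' -f1 ;;
        sha256) printf '%s' "$2" | sha256sum | cut -d' ' -f1 ;;
        *)      return 2 ;;
    esac
}

# crack HEXDIGEST WORDLIST: print the first word whose digest matches and
# return 0; return 1 when the list is exhausted, 2 for an unknown length.
crack() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    algo=$(hash_type "$target")
    [ "$algo" = unknown ] && return 2
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(digest "$algo" "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed word list standing in for rockyou.txt.
WORDLIST=$(mktemp)
printf '%s\n' password 123456 letmein spicehut sandwich1 qwerty > "$WORDLIST"

# Constructed target: the MD5 of "sandwich1", not the digest from the page.
DEMO_HASH=$(digest md5 sandwich1)

# demo: crack the constructed target; prints "sandwich1".
demo() {
    crack "$DEMO_HASH" "$WORDLIST"
}

demo
```

Against a real list, hashcat mode 0 (raw MD5) does the same thing orders of magnitude faster, but the point is the same: an unsalted fast hash of a dictionary word offers no protection once it leaks in client-side JavaScript.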

Opening up users.bak, it seems like a config file, but there are also credentials in there.

After that I went to check out port 8765, which seems to be an admin page. …


A room on TryHackMe created by TheCyb3rW0lf featuring a Windows machine.

VulnNet:Roasted

Tasks

  • user.txt
  • system.txt

Vulnerabilities

  • IPC$ share is readable as anonymous leading to enumeration of users.
  • Kerberos leaking a hash, which can lead to password cracking (from what I read, it’s not a vulnerability?)
  • Strong passwords found in rockyou.txt

Sources I used

https://www.secureauth.com/labs/open-source-tools/impacket/
https://hashcat.net/wiki/doku.php?id=example_hashes
https://github.com/Hackplayers/evil-winrm
https://forum.hackthebox.eu/discussion/2749/getnpusers-py-explained-video

NMAP

I performed a quick scan but unfortunately I didn’t find anything interesting, so I decided to do a full port scan.

PORT      STATE SERVICE       REASON  VERSION
53/tcp open domain…


A room on TryHackMe created by TheCyb3rW0lf featuring various services to exploit.

VulnNet: Internal

Tasks

  • services flag
  • internal flag
  • user flag
  • root flag

Vulnerabilities

  • Sensitive files in SMB share with Anonymous Login.
  • Leaving credentials in files.
  • Sensitive files and credentials in Redis
  • A normal user is able to read sensitive logs that they should not be able to.

NMAP

PORT     STATE    SERVICE     REASON      VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
|…

A TryHackMe room that involves the basics of penetration testing, enumeration, privilege escalation and webapp testing.

Ultratech

Tasks

  • Identify software on ports.
  • Identify OS
  • Identify routes of web app.
  • Find database name
  • Find credentials
  • Get private SSH key.

Vulnerabilities

  • API is not secure; should practice least privilege.
  • Weak password.

Nmap

Discovered open port 21/tcp on 10.10.112.55 vsftpd 3.0.3
Discovered open port 22/tcp on 10.10.112.55 OpenSSH 7.6p1
Discovered open port 8081/tcp on 10.10.112.55 Node.js
Discovered open port 31331/tcp on 10.10.122.55 Apache

I used the -v flag to print out the open ports as they are found.

Gobuster

  • Navigate to the apache web server on port 31331.
  • Let’s find a directory…

A TryHackMe room that tests your Linux and privilege-escalation skills.

Anonymous

Tasks

  • Identify ports.
  • Identify specific share.
  • user.txt
  • root.txt

Vulnerabilities

  • Anonymous login into FTP.
  • Anonymous login into SMB.
  • Unnecessary SUID on binary.

Scanning the target

Nmap

21/tcp  open  ftp         syn-ack vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to…

What’s worse than an admin? A lazy admin! This is an easy-level TryHackMe room that exploits bad practices and weak passwords.

A lazy admin!

Tasks

  • user.txt
  • root.txt

Vulnerability

Nmap Scan

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 49:7c:f7:41:10:43:73:da:2c:e6:38:95:86:f8:e0:f0 (RSA)
| 256 2f:d7:c4:4c:e8:1b:5a:90:44:df:c0:63:8c:72:ae:55 (ECDSA)
|_ 256 61:84:62:27:c6:c3:29:17:dd:27:45:9e:29:cb:90:5e (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 …

FarisArch

Student that loves FOSS
