Posts

Showing posts from July, 2020

HackTheBox: Optimum

HTB Optimum Writeup
The first thing I notice is an HTTP server is up. It looks old. I'm gonna copy "HttpFileServer 2.3" and see what I get in Google: Well that was easy. Didn't even have to put "exploit" at the end. Let's check out the Rapid7 page. The page points to a Metasploit exploit called "exploit/windows/http/rejetto_hfs_exe". I'm gonna use that first. The exploit works and we can read user.txt on kostas' desktop. The next challenge is privilege escalation. Then I import Sherlock.ps1:
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
I see that MS16-098 is vulnerable. We can download the binary here: https://www.exploit-db.com/exploits/41020
And there you go!

HTB: 5 out of 40 Checkpoint

HTB Checkpoint 1: 5 out of 40
I made the first checkpoint! I did four writeups:
Jerry - Tomcat
Blue - EternalBlue Windows 7
Lame - Usermap Samba
Legacy - ms08-067
Devel (No writeup) - This one was just anonymous FTP and putting a shell on the box.
It should take me 1 - 4 weeks to get to 10 out of 40 checkpoint. I'll be very busy at the end of the month. I think the boxes will get harder too. I'm guessing I'll run into some good old C. It'll be the lowest level programming language I've touched. I thought only gcc existed but it turns out there are gccs for win32, win64, i686, amd64. You have to take the C code and compile it for whatever machine you're attacking. I'll find out more when I get there. I know nothing about C besides it's an old grandparent. I felt a bit challenged for 30 minutes. I'm pretty sure the mountain will get tougher but haven't hit it yet. Just found a hill lol. The boxes so far have been easy. The way peop...

HackTheBox: Jerry Tomcat - Creds in Error Writeup

HackTheBox - Jerry
First, let's run nmap. The machine being named Jerry gave me an idea this would be a Tomcat server. Personally I have never developed on a Tomcat server. I saw some during my pentest internship. I thought it was old technology but it looks like the latest Tomcat Server update was 7 days ago. I took Tomcat 7.0.88 and pasted that into Google. There is a CVE called "Tomcat RCE via JSP Upload Bypass" CVE-2017-12617. The Metasploit module didn't work for me. I downloaded a Python script. It said my Tomcat server wasn't vulnerable. I started googling default creds for the Tomcat Server. I hit cancel and got this error. I tried tomcat/s3cret as the username and password. That worked! Don't have your username and password in the error log :\ I then made a reverse shell and uploaded it as a WAR file. I was automatically NT/System and could see the Administrator folder on Windows.

HackTheBox: Blue, EternalBlue Windows 7 SP1

Hack The Box: Blue
The hardest part about hacking this box is spelling the word eternal. Also the exploit is iffy where it needs to be run multiple times. Try changing ports. I changed from 4444 to 5555 and it worked. ^- This sounds like some Sci-Fi movie.

HackTheBox: Lame Walkthrough UsernameMapScript

Lame 2 out of 40
First let's scan the host using nmap. Ports 21, 22, 139, 445 are open. vsftpd 2.3.4 has a smileyface exploit. It didn't work for me. I pivoted to the Samba server. Let's see if there is an exploit for that: I changed the LHOST and RHOST. I was good to go. That's it.
More Info: https://linxz.co.uk/vulnerabilities/2018/11/14/Samba-username-map-script.html

HackTheBox: Legacy Windows XP SP3 SMB Walkthrough

The Hack Walkthroughs are back! The plan is to hack 40 boxes before I sign up for Offensive Security's PWK 60-day training. I need to prepare before I prepare. I need to train before I train! I read online people were regretful they started with PWK first. I paid for VIP on hackthebox.eu which was $10. I'm taking a very long Udemy course and the guy gets into legacy HTB boxes. I'm going to hack them before he shows the answers. I appreciate he put them in order so I have a map on where to go next. The first problem I encountered was switching my openvpn file once I paid for VPN. The answer was to reboot. The first thing I do is nmap the host. I had to use -Pn because nmap thought the host was down. I also couldn't use -A -p- because it took forever. I relied on the top 1000 ports instead. I mean, it's an easy box so this is a good start. I tried to smbclient connect and it failed. I got into msfconsole and used the smb_version scanner to see what I was deal...

Trace Labs Global Missing Persons CTF V

Trace Labs CTF V
Trace Labs hosted the Global Missing Persons CTF V event on July 11, 2020. My team //synergy got 64th place out of 190 teams.
Introduction
This was my first Trace Labs CTF. I captained a team. The good thing about being a captain is you can control who is on the team. My rules were: Must have sock puppet accounts ready. Must have a VPN. Writing out this is a competitive team where we work the entire 6 hours. I was worried about a future team member spamming submissions and disqualifying the team. I thought my requirements would eliminate people who weren't serious. The team hit 4 members Friday evening pretty quickly.
Notes
My laptop was too slow for this event. My virtual machine froze and I had to restart. Restarting means I have to log in to my accounts again. I'll use my desktop next time. The team used Slack and Trello. Our strategy was to research a person and rotate every hour. This strategy broke after 1 rotation. Some missin...

Learning for OSCP: Notes

July 5, 2020
In Microsoft SQL Server you can create a shell.
SMB Samba server on 139 or 445.
openvpn exists. Haven't used it before.
HtB Check what priv you have in Microsoft SQL Server
cut -d '/' -f 1 is like awk
July 6, 2020
The switch -T4 in nmap relates to speed. T1 is slow while T5 is fast. -T4 is commonly used.
The switch -p- in nmap means scan all ports from 0-65535.
dirbuster is pretty cool. Find wordlists at /usr/share/wordlists/dirbuster/
nikto will give you basic hints and vulnerabilities
sudo arp-scan -l is faster than nmap 192.168.0.*.
RHosts stand for Remote Hosts. LHosts stand for Local host
July 7, 2020
Rapid7 makes metasploit
masscan alternative to nmap. It was made to scan the entire internet.
/etc/init.d/nessusd start
Can install deb packages with dpkg -i example.deb
Seeing "Remote Code Execution" is good. That means we can sit at our home and exploit.
Staged vs Non-Staged payloads...

Starting my OSCP Journey

I'm secretly starting my OSCP journey. I don't want to publicly promote until I feel I'm about 25-50% ready. Giving a golden commitment is pretty big for the OSCP. Right now I'm having fun and learning (and moving to Chicago). I've wanted my hunter's license for a few years now. I was too busy in college. I was focused on my CCNA/CCDC on the first job. Now I'm not committed to CCDC, paying off debt, or classes. Now is the perfect time to get it. Why? Because it's hard and I like the challenge. Also as an Avatar, my hacking skills are lacking. I can do Development, Networking, and Business (Socializing). The last skill is Hacking. When I see other Developers with an OSCP, I think they are absolutely remarkable! As a fellow Developer, when I see another Developer kicking ass in Red Team/Networking, I cheer! Do any primary-skill Devs feel this way? I've seen a few Software-Network-Hacker types and believe I can do it too. I want to be a force t...