Posts for: #Easy

PG: Twiggy

Target // Twiggy
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Easy
IP: 192.168.192.62

Recon

Nmap

nmap -sC -sV -oN nmap/initial 192.168.192.62
Full nmap output:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
53/tcp   open  domain
80/tcp   open  http    nginx 1.16.1
|_http-title: Home | Mezzanine
4505/tcp open  zmtp    ZeroMQ ZMTP 2.0
4506/tcp open  zmtp    ZeroMQ ZMTP 2.0
8000/tcp open  http    nginx 1.16.1

Enumeration

Port 80 - Mezzanine CMS

A blog running Mezzanine CMS with an admin login page. No weak credentials, no version info exposed. Moving on.

HTB: Busqueda

Target // Busqueda
Platform: HTB
OS: Linux
Difficulty: Easy
IP: 10.129.228.217

Recon

Nmap

nmap -sC -sV -oN nmap/initial 10.129.228.217
Nmap output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
80/tcp open  http    Apache httpd 2.4.52

Requests to the IP get redirected to searcher.htb – add it to /etc/hosts.

HTB: Blue

Target // Blue
Platform: HTB
OS: Windows
Difficulty: Easy
IP: 10.129.44.168

Recon

Nothing special needed here – straight to enumeration.

Enumeration

Nmap

Nmap output:
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds

OS: Windows 7 Professional 7601 Service Pack 1 x64

PG: Bratarina

Target // Bratarina
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Easy
IP: 192.168.206.71

Recon

Nmap

nmap -sC -sV -oN nmap/initial 192.168.206.71
Full nmap output:
PORT    STATE  SERVICE     VERSION
22/tcp  open   ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
25/tcp  open   smtp        OpenSMTPD
|_ 2.0.0 This is OpenSMTPD 2.0.0
53/tcp  closed domain
80/tcp  open   http        nginx 1.14.0 (Ubuntu)
|_http-title: Page not found - FlaskBB
445/tcp open   netbios-ssn Samba smbd 4.7.6-Ubuntu

Enumeration

Port 80 - Web App (FlaskBB)

A Flask-based forum. No useful content, weird behavior with empty Host: header. Rabbit hole – moving on.

HTB: Forest

Target // Forest
Platform: HTB
OS: Windows
Difficulty: Easy
IP: 10.129.157.109

Recon

Standard AD box – DNS, Kerberos, LDAP, SMB all present. Domain: htb.local.

Enumeration

Nmap

Nmap output:
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

OS: Windows Server 2016 Standard 14393 x64

HTB: Knife

Target // Knife
Platform: HTB
OS: Linux
Difficulty: Easy
IP: 10.129.44.1

Recon

Nmap

nmap -sC -sV -oN nmap/initial 10.129.44.1
Nmap output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH
80/tcp open  http    Apache httpd 2.4.6

OS: Linux (Ubuntu, kernel 5.4.0-80-generic)

PG: Algernon

Target // Algernon
Platform: OffSec Proving Grounds
OS: Windows
Difficulty: Easy
IP: 192.168.197.65

Recon

Nmap

Full nmap output:
21/tcp    open  ftp           Microsoft ftpd
80/tcp    open  http          Microsoft IIS httpd 10.0
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
9998/tcp  open  http          Microsoft IIS httpd 10.0
17001/tcp open  remoting      MS .NET Remoting services

Enumeration

Port 21 - FTP

Anonymous access is allowed. Downloaded the FTP contents:

PG: ClamAV

Target // ClamAV
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Easy
IP: 192.168.57.42

Recon

Nmap

Full nmap output (TCP):
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
Full nmap output (UDP):
PORT     STATE         SERVICE      VERSION
137/udp  open          netbios-ns   Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open          snmp         SNMPv1 server (public)
[ Warning ]
Don’t forget to enumerate UDP. This box has SNMP v1 on UDP 161 which reveals critical information.
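To make the warning concrete, here is an added example (my own code, not part of the original post or the box): a minimal SNMPv1 GetNext walker using only the Python standard library. It shows what "SNMP v1 server (public)" means on the wire: the community string is the only credential, it travels in cleartext over UDP, and the default `public` gives anyone who can reach 161/udp read access to the system group (sysDescr carries the kernel and hostname, sysContact and sysLocation whatever the admin typed in). In practice you would just run `snmpwalk -v1 -c public <ip>`; the code exists to show the BER structure that tool is sending. The target IP default, the subtree walked and the community string are assumptions for illustration.

```python
import socket

# SNMPv1 PDU tags (BER context-specific, constructed)
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE = 0xA0, 0xA1, 0xA2

SYS_DESCR = "1.3.6.1.2.1.1.1.0"    # system.sysDescr.0
SYSTEM_SUBTREE = "1.3.6.1.2.1.1"   # the whole "system" group (assumed walk target)


def _length(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def encode_integer(n: int) -> bytes:
    """INTEGER as minimal-length two's complement."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, n.to_bytes(size, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_request(community: str, oid: str, request_id: int,
                  pdu_type: int = GET_REQUEST) -> bytes:
    """SNMPv1 message: version 0, cleartext community, one varbind with a NULL value."""
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")
    pdu = _tlv(pdu_type, encode_integer(request_id) + encode_integer(0)
               + encode_integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, encode_integer(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def render_value(tag: int, raw: bytes):
    """Turn a varbind value into something printable."""
    if tag in (0x02, 0x41, 0x42, 0x43):            # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x06:
        return decode_oid(raw)
    if tag == 0x40 and len(raw) == 4:              # IpAddress
        return ".".join(map(str, raw))
    if tag == 0x04:                                # OCTET STRING
        return raw.decode("utf-8", errors="replace")
    return raw.hex()


def parse_message(buf: bytes) -> dict:
    """Inverse of build_request; the same layout is used by GetResponse PDUs."""
    _, body, _ = _read_tlv(buf, 0)
    _, ver, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_type, pdu, _ = _read_tlv(body, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, q = _read_tlv(vb, 0)
        vtag, raw, _ = _read_tlv(vb, q)
        varbinds.append((decode_oid(oid), vtag, raw))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("utf-8", errors="replace"),
            "pdu_type": pdu_type,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "varbinds": varbinds}


def snmp_walk(host: str, base_oid: str = SYSTEM_SUBTREE, community: str = "public",
              port: int = 161, timeout: float = 2.0, max_rows: int = 500) -> list:
    """Walk a subtree with GetNext until the agent leaves it, errors or goes quiet."""
    rows, current = [], base_oid
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for rid in range(1, max_rows + 1):
            sock.sendto(build_request(community, current, rid, GET_NEXT_REQUEST), (host, port))
            try:
                msg = parse_message(sock.recv(65535))
            except socket.timeout:
                break                              # wrong community strings are silently dropped
            if msg["error_status"] != 0 or not msg["varbinds"]:
                break                              # v1 signals end of MIB with noSuchName
            oid, tag, raw = msg["varbinds"][0]
            if not oid.startswith(base_oid + "."):
                break                              # wandered out of the requested subtree
            rows.append((oid, render_value(tag, raw)))
            current = oid
    return rows


if __name__ == "__main__":
    import sys
    for oid, value in snmp_walk(sys.argv[1] if len(sys.argv) > 1 else "192.168.57.42"):
        print(oid, value)
```

Two points worth noticing while reading it: there is no authentication beyond the community string, so "brute force" against SNMPv1 is just trying strings (the agent does not even answer a wrong one, which is why the walker treats a timeout as a stop condition rather than an error); and a top-ports UDP scan such as `nmap -sU --top-ports 100 <ip>` is enough to surface 161/udp, which the TCP-only scan above misses entirely.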

Enumeration

Port 25 - SMTP (Sendmail)

Sendmail 8.13.4 is ancient. Searchsploit reveals multiple exploits, and importantly – one that involves ClamAV (hint from the box name):
