Posts for: #Medium

PG: Pelican

Target // Pelican
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Medium
IP: 192.168.53.98

Recon

Nmap

Full nmap output
PORT      STATE SERVICE
22/tcp    open  ssh
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
2181/tcp  open  eforward
2222/tcp  open  EtherNetIP-1
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
44091/tcp open  unknown

Enumeration

Port 8081 / 8080 - Exhibitor for ZooKeeper

Nmap reveals nginx on 8081 redirecting to Exhibitor’s web UI:

HTB: Poison

Target // Poison
Platform: HTB
OS: FreeBSD
Difficulty: Medium
IP: 10.129.1.254

Enumeration

Nmap

Nmap output
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

OS: FreeBSD

HTB: Seal

Target // Seal
Platform: HTB
OS: Linux
Difficulty: Medium
IP: 10.129.95.190

Enumeration

Nmap

Nmap output
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8080/tcp open  http-proxy

Port 8080 - GitBucket

A GitBucket instance with open registration. After registering, we can browse repository information and commit history.

PG: Hutch

Target // Hutch
Platform: OffSec Proving Grounds
OS: Windows
Difficulty: Medium
IP: 192.168.160.122

Recon

Nmap

Full nmap output
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
3269/tcp open  tcpwrapped

This is a Windows Server 2019 domain controller (hutch.offsec).

PG: Banzai

Target // Banzai
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Medium
IP: 192.168.89.56

Recon

Nmap

Full nmap output
20/tcp   closed ftp-data
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp   open   smtp       Postfix smtpd
5432/tcp open   postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
8080/tcp open   http       Apache httpd 2.4.25
8295/tcp open   http       Apache httpd 2.4.25 ((Debian))

Enumeration

Port 21 - FTP

No anonymous access. No public exploits for vsftpd 3.0.3 (aside from DoS).

HTB: Forge

Target // Forge
Platform: HTB
OS: Linux
Difficulty: Medium
IP: 10.129.106.197

Recon

Subdomain brute-force reveals admin.forge.htb, but it only responds to requests from localhost:

curl http://forge.htb -H 'Host: admin.forge.htb'
# Only localhost is allowed!

Enumeration

Nmap

Nmap output
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
80/tcp open     http    Apache httpd 2.4.41

OS: Ubuntu 20.04 (Focal)
