Posts for: #Medium

PG: Pelican

Target // Pelican
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Medium
IP: 192.168.53.98

Recon

Nmap

Full nmap output:
PORT      STATE SERVICE
22/tcp    open  ssh
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
2181/tcp  open  eforward
2222/tcp  open  EtherNetIP-1
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
44091/tcp open  unknown

Enumeration

Port 8081 / 8080 - Exhibitor for ZooKeeper

Nmap reveals nginx on 8081 redirecting to Exhibitor’s web UI:


HTB: Poison

Target // Poison
Platform: HTB
OS: FreeBSD
Difficulty: Medium
IP: 10.129.1.254

Enumeration

Nmap

Nmap output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)

OS: FreeBSD


HTB: Resolute

Target // Resolute
Platform: HTB
OS: Windows
Difficulty: Medium
IP: 10.129.96.155

Enumeration

Nmap

Nmap output:
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm

Domain: megabank.local, Windows Server 2016.


HTB: Seal

Target // Seal
Platform: HTB
OS: Linux
Difficulty: Medium
IP: 10.129.95.190

Enumeration

Nmap

Nmap output:
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8080/tcp open  http-proxy

Port 8080 - GitBucket

A GitBucket instance with open registration. After registering an account, we can browse repository information and commit history.


PG: Hutch

Target // Hutch
Platform: OffSec Proving Grounds
OS: Windows
Difficulty: Medium
IP: 192.168.160.122

Recon

Nmap

Full nmap output:
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hutch.offsec0.)
3269/tcp open  tcpwrapped

This is a Windows Server 2019 domain controller (hutch.offsec).


PG: Nickel

Target // Nickel
Platform: OffSec Proving Grounds
OS: Windows
Difficulty: Medium
IP: 192.168.57.99

Enumeration

Nmap

Nmap output:
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
22/tcp    open  ssh           OpenSSH for_Windows_8.1
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
8089/tcp  open  http          Microsoft HTTPAPI httpd 2.0
33333/tcp open  http          Microsoft HTTPAPI httpd 2.0

Two HTTP APIs (Microsoft HTTPAPI) on non-standard ports, 8089 and 33333. FTP requires credentials; anonymous login is not allowed.


PG: Banzai

Target // Banzai
Platform: OffSec Proving Grounds
OS: Linux
Difficulty: Medium
IP: 192.168.89.56

Recon

Nmap

Full nmap output:
20/tcp   closed ftp-data
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp   open   smtp       Postfix smtpd
5432/tcp open   postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.19
8080/tcp open   http       Apache httpd 2.4.25
8295/tcp open   http       Apache httpd 2.4.25 ((Debian))

Enumeration

Port 21 - FTP

No anonymous access. No public exploits for vsftpd 3.0.3 other than denial-of-service.


PG: Slort

Target // Slort
Platform: OffSec Proving Grounds
OS: Windows
Difficulty: Medium
IP: 192.168.105.53

Enumeration

Nmap

Nmap output:
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     FileZilla ftpd 0.9.41 beta
135/tcp  open  msrpc   Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql   MariaDB (host not allowed)
4443/tcp open  http    Apache httpd 2.4.43 (XAMPP)
8080/tcp open  http    Apache httpd 2.4.43 (XAMPP)

A Windows box running XAMPP on two ports (4443 and 8080). FTP requires credentials, and MySQL/MariaDB only accepts connections from localhost ("host not allowed").


HTB: Forge

Target // Forge
Platform: HTB
OS: Linux
Difficulty: Medium
IP: 10.129.106.197

Recon

Subdomain brute-force reveals admin.forge.htb, but it only responds to requests from localhost:

curl http://forge.htb -H 'Host: admin.forge.htb'
# Only localhost is allowed!

Enumeration

Nmap

Nmap output:
21/tcp filtered ftp
22/tcp open     ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3
80/tcp open     http    Apache httpd 2.4.41

OS: Ubuntu 20.04 (Focal)
