
Hack the Box #6 - Greenhorn without Metasploit

I would be lying if I said I posted this Hack the Box Greenhorn writeup within the same week of me exploiting it. In truth, life happened. I did a SANS and a couple of late nights out. But here it is, my Greenhorn writeup. Enumeration: Let's start as we always do after booting up the box and have a look at what ports are available to us with an nmap. ...

October 7, 2024 · 5 min · William

5 DevSecOps Lessons from the SANS 540 Course: Building Secure and Efficient Pipelines

Introduction I recently completed the SANS 540 course in person, and what an intense and rewarding journey it was! As a Product Security Engineer, I’m no stranger to pipelines and the intricacies of implementing security controls and tools. However, building everything from scratch, end-to-end, was an eye-opening experience. The course pushed me out of my comfort zone, especially the full day dedicated to Kubernetes, which completely fried my brain and reminded me just how much there is to learn in this field. ...

September 17, 2024 · 7 min · William

Hack the Box #5 - Blurry without Metasploit

I woke up this morning and breathed in that sweet morning air. I could feel it: today's the day I'ma hack a box, and come the sun setting I had pwned this box by getting an AI model to execute a reverse shell that got me root! Here we go. Enumeration: What can nmap tell us about this target?

└─$ nmap -A -p- 10.10.11.19 -oN nmap.scan
# Nmap 7.94SVN scan initiated Sat Aug 10 11:14:11 2024 as: nmap -A -p- -oN nmap.scan 10.10.11.19
Nmap scan report for 10.10.11.19
Host is up (0.046s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Did not follow redirect to http://app.blurry.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 10 11:14:36 2024 -- 1 IP address (1 host up) scanned in 25.45 seconds

Let's add app.blurry.htb to our hosts file and run some subdomain enumeration tool to see what else is out there. ...

August 20, 2024 · 5 min · William

Hack the Box #4 - BoardLight without Metasploit

This evening I felt like cutting my teeth a little bit more. So let's spin up this box and give it a poke. Enumeration: Kicking off this baby with an nmap. In doing so we find ports 22 and 80 are the only ones open. I did a full port scan after, to no avail: no extra dice. Browsing the website we don't find much. All links are GET requests to the server, so nothing there. We do get the website URL, however, Board.htb, that we can add to our hosts file. ...

August 8, 2024 · 3 min · William

Hack the Box #3 - PermX without Metasploit

I've been messing with retired boxes on Hack the Box and thought I would finally try my hand on one of the active ones! Enumeration: So, as per usual, let's start with an nmap scan.

# Nmap 7.94SVN scan initiated Sat Jul 27 09:05:17 2024 as: nmap -sV -p- -o nmap.scan 10.10.11.23
Nmap scan report for permx.htb (10.10.11.23)
Host is up (0.062s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
Service Info: Host: 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 27 09:06:05 2024 -- 1 IP address (1 host up) scanned in 48.48 seconds

In doing so we find ports 22 and 80 open. Both versions seem secure, so let's have a look at the website. ...

July 30, 2024 · 5 min · William

Deploy secure headless Raspberry Pi on your home network

Introduction: A couple of years ago I bought a Raspberry Pi 4 and have used it in several ways, from a Pi-hole to a full bitcoin node, using a number of prebuilt OS packages. Anyhow, today I thought I would tear it all down and start building a system suite from scratch again, starting with a generic base and taking the knowledge I have gained over the past few years. Here's how I set up my Raspberry Pi 4 with a headless OS for my future projects. ...

March 23, 2024 · 4 min · William

Hack the Box #2 - Analytics without Metasploit

Introduction: This is my first Hack the Box machine pwned and it's called Analytics. Here is a mock write-up of the lab because, as we all know, it's great being able to pwn things, but if we can't communicate the remediations for what we have done then there is no benefit past that juicy dopamine hit when you get root 😀 Executive summary: The attacker achieved an initial foothold by abusing a pre-authentication remote code execution exploit to achieve a reverse shell. User credentials were then found in the environment variables and used to establish a user shell. This can be prevented by upgrading Metabase to the latest version and, as a secondary objective, removing the environment variables with user account details if possible. ...

March 6, 2024 · 4 min · William

Proving Grounds #1 - Zino

This was my first Proving Grounds lab of my OSCP. Took longer than I would have liked, but I was able to pwn it in the end with a joyful fist pump and woop from my side. Any advice or comments on how I could improve this write-up would be appreciated. Executive summary: The attacker was able to achieve privileged remote code execution on the target box. Issues found can be easily remediated by updating the software Booked Scheduler to V3.7.9 and restricting write permissions of a scheduled cron job. ...

November 28, 2023 · 3 min · William

Hack the Box #1 - Lame without Metasploit

Enumeration: Let's kick off with a port scan to get a better idea of our target. There are a couple of interesting finds here, so let's start digging! FTP - port 21. FTP exploit attempt: FTP allows for anonymous login, but nothing seems to be in the hosted file server. Looking into the detected software vsftpd 2.3.4 with searchsploit reveals these two known exploits. These, however, when I try to execute them, don't seem to execute successfully. Which is a bummer, but let's move on to the other ports. ...

November 24, 2023 · 2 min · William