This article will cover on room of TryHackMe. This was a easy room meant to let you train LFI (Local File Inclusion). If you don’t know what LFI is please go back to the training page and read the articles, or click here. Enumeration Usually when it comes to CTFs or this type of machines I like running nmap to see what are the available port. As you can see on the image bellow we have two ports open – Port 80 and Port 22. Well port 80 is associated with web applications so lets see what we have there. Bare in mind that this is an LFI task so…
-
-
Armageddon Write Up – Hack The Box
Enumeration The start step for this box is as usual. I am using nmap to check which ports are open and what services are there. As it can be seen from the picture above there are two ports open. My method is to start on port 80. From the scan results it can be seen that there is an Apache server that runs and Drupal version 7. Also we ca see several file locations. That is a lot of information from a single scan. Foothold After some googling I found that Drupal 7 can be exploited with a metasploit module. That is awesome! The module that needs to be used…
-
Spectra Write Up – Hack The Box
Enumeration The start step for this box is as usual. I am using nmap to check which ports are open and what services are there. As you can see there are several ports open. In general I start my recon from port 80. Port 80 means that there is some kind of a web page. Usually from previous experience I edited my /etc/hosts file to add spectra.htb. At first glance at the page … well it does not give a lot of information. There are 2 links and of course the rule is “Click all links” so I did that. I run also dirbuster in the background because one of…
-
Delivery Write Up – Hack The Box
Enumeration: To start the enumeration as always I am using nmap to see which ports are open and what services are available on that ports. As you can see from the screen shot, there are two ports open. Port 80 and port 22. Usually I start on port 80. Lets see what do we have there. Oh look it is a website what a surprise. Lets see the source and if we can find something. Oh.. thats good. we found a url. http://helpdesk.delivery.htb That is nice. After some more enumeration I found one more url:delivery.htb:8065 This can be seen in other place if you follow the links on the “Contact”…
-
Fuse Write Up – Hack The Box
Enumeration: Lets start with whats open on the box and what we can exploit. A quick nmap scan gives us: Holly Fu@k so many ports. I usually start with port 80. By going to the webpage I noticed that the URL is wired, so i decided to add it to the /etc/hosts. Ok so now we have a website. I started browsing around and hoping I can use something. Then I start seeing some users that have used the specific printer. I made a list of all users. You can check it bellow: pmerton, tlavel, sthompson, bhult, administrator Well time to collect some passwords because now we have bunch of…
-
Blunder Writeup – Hack The Box
Initial Foothold: Hello everyone. Today we are going to work on Blunder. As always the first step is Recon! Time to see what ports do we have open on that box. In the picture bellow you can see the nmap command I used. Well we have only one open port and that is port 80. This scan shows us also the server version and some headers. Usually when I am on a box with open port 80 I like to visit the page and see what it contains. OK … that is what we have. A page with articles. My clicking on the links we just go to more detail…
-
Protection ByPass and Brute Force attack – Bludit v. 3.9.2
So this post will describe a how to bypass protection in Bludit CMS v. 3.9.2 that is if you have a username. After managing to find the password I will discuss what metasploit module can help you to get a reverse shell. So, lets begin. If we check the documentation that Bludit provides we can see how they are preventing brute force attacks. Here is a screenshot and the link if you want to read through the whole documentation. https://docs.bludit.com/en/security/brute-force-protection After some googling I found a script that I just edited. I will post the script here and the link to the original article. https://rastating.github.io/bludit-brute-force-mitigation-bypass/ What you will need to…
-
Reverse Shell vs Bind Shell
Reverse Shell Hello guys and girls. This post will just explain the difference between this two types of shell. In a later post I will provide a demo, that you can follow along. This shell is initiated from the target host to the attacker’s machine. The attackers machine should be into listening state to be able to pick up the shell connection. Why use reverse shell and not bind shell? Well reverse shells solve several issues that can be encountered. With reverse shells there is no need of a listener on the target machine. This type of shells can use commonly used and open ports like 80 or 443 –…
-
Catalias – #Virseccon2020
This was a fun challenge, just because I didn’t pay attention in the beginning. To start log in with the provided credentials. After logging of course I used “ls” to see what I have in the current directory. Oh … the flag is here. That looks to easy, but lets use “cat” to see what is the content in the file. Shit…. nothing is happening. How can I view the file. Now … when doing CTFs usually there is a clue in the name of the challenge. This one is called Catalias – “cat”, “alias”. Lets list the alias to see what we work with. As you can see from…
-
Hidden – #Virseccon2020
This was an interesting small challenge. We have been given the password to ssh in to the machine. After we do of course we would like to run a “sl” or sl -al” commands to see what we have in the current directory. Oh wow a directory with a name secret. Lets cd in to that folder. Opps we can’t! This command tells us something important. We are working on “restricted bash”. Please see the image bellow. Now it is a matter of knowing how to escape that. A simple google search can give you the result. As always I will post a link in the end of the article.…
