Posts

Showing posts with the label tryhackme-writeups

CMeSS - TryHackMe

What we can learn from this machine: enumeration, tar, crontab, PHP-reverse-shell, wfuzz.

Let’s start with an Nmap scan.

# Nmap 7.91 scan initiated Fri Jun 11 17:04:10 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.250.5
Nmap scan report for 10.10.250.5
Host is up (0.16s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
|   256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_  256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp   open     http          Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Gila CMS
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
1247/tcp filtered visionpyramid
Service Inf

Mustacchio - TryHackMe

What we can learn from this machine: XXE injection, enumeration, SUID exploit.

Let’s start with an Nmap scan. A normal Nmap scan found port 80 running a web server called Mustacchio and port 22 (SSH) open, running Ubuntu. I tried running a full Nmap scan to see whether more ports are open above port 1000.

# Nmap 7.91 scan initiated Sat Jun 12 14:57:25 2021 as: nmap -sC -sV -p- -oN scans/nmap-allports 10.10.236.36
Nmap scan report for 10.10.236.36
Host is up (0.15s latency).
Not shown: 65532 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
|   256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_  256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-t

Inclusion - TryHackMe

What we can learn from this machine: enumeration, local-file-inclusion (LFI), socat.

# Nmap 7.91 scan initiated Fri Jun 11 15:50:08 2021 as: nmap -sC -sV -sT -A -oN nmap/nmap-output 10.10.65.107
Nmap scan report for 10.10.65.107
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e6:3a:2e:37:2b:35:fb:47:ca:90:30:d2:14:1c:6c:50 (RSA)
|   256 73:1d:17:93:80:31:4f:8a:d5:71:cb:ba:70:63:38:04 (ECDSA)
|_  256 d3:52:31:e8:78:1b:a6:84:db:9b:23:86:f0:1f:31:2a (ED25519)
80/tcp open  http    Werkzeug httpd 0.16.0 (Python 3.6.9)
|_http-title: My blog
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 11 15:50:44 2021 -- 1 IP address (1 host up) scanned in 36.00 seconds

Looks like we got the port 80 http web

Madness - TryHackMe

What I learned from this machine: enumeration, steganography, a Python3 script to brute-force a URL, Screen version 4.5.0 local privilege escalation.

Let’s start with an Nmap scan.

# Nmap 7.91 scan initiated Thu Jun 10 17:45:19 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.17.235
Nmap scan report for 10.10.17.235
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ac:f9:85:10:52:65:6e:17:f5:1c:34:e7:d8:64:67:b1 (RSA)
|   256 dd:8e:5a:ec:b1:95:cd:dc:4d:01:b3:fe:5f:4e:12:c1 (ECDSA)
|_  256 e9:ed:e3:eb:58:77:3b:00:5e:3a:f5:24:d8:58:34:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https

Bounty-hacker - TryHackMe

Always start with an Nmap scan.

# Nmap 7.91 scan initiated Thu Jun 10 16:35:31 2021 as: nmap -sC -sV -A -oN scans/nmap-output 10.10.55.156
Nmap scan report for 10.10.55.156
Host is up (0.18s latency).
Not shown: 968 filtered ports, 29 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.2.182
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f

Chocolate Factory - TryHackMe

Chocolate Factory

A Charlie And The Chocolate Factory themed room, revisit Willy Wonka’s chocolate factory!

Always start with an Nmap scan.

# Nmap 7.91 scan initiated Tue Jun 8 13:13:29 2021 as: nmap -sC -sV -d -A -oN nmap/output 10.10.204.243
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Nmap scan report for 10.10.204.243
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-06-08 13:13:29 +0530 for 380s
Not shown: 989 closed ports
Reason: 989 conn-refused
PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r-- 1 1000 1000 208838 Sep 30 2020 gum_room.jpg
| ftp-syst:
|   STAT: |