-
Photobomb | Hack The Box
Our initial results: we get a domain (photobomb.htb) and an open SSH port. The web server gives us this – it displays whatever URI you enter, it may be vulnerable – we’ll test while we enumerate directories and vhosts. While browsing with Burp we see a few .js files we can enumerate and inside find some […]
-
Metatwo | Hack The Box
Port 21 is interesting, nmap thinks it’s an FTP service but we can’t get anything back from it, so will try to look at the web app. It’s quickly evident that it’s a WordPress website and WPScan reveals that it’s quite out of date. A link on the home page takes us to /events/ […]
-
Ambassador | Hack The Box
Straight off the bat we get a username from the web server. We see from the website source it’s running Hugo 0.94.2, “a static HTML and CSS website generator written in Go”. There’s no immediately obvious CVE so will carry on. There’s not a lot else obvious here, so next we look at port 3000 […]
-
UpDown | Hack The Box
A common theme, not much to go off from the first scan. We’ll poke at the web app while we do an all ports scan. We find a website checker, which does attempt to connect out – that’ll be something to dig into. Debug mode also displays whatever is on the page; sadly only displays […]
-
Basic ELF Shell | PwnTools
While doing the HTB Fortress JET I am required to overflow a vulnerable binary named leak. With limited BOF experience (strictly with Immunity Debugger) I decided this is a good time to learn how to use PwnTools. Every time we run the binary, it gives us a different memory location. We see here with a […]
-
VulnNet: Endgame | TryHackMe
The end of the VulnNet series. Not a lot open. We’ll start gobuster and poke at the web app, we find out we need to add vulnnet.thm to /etc/hosts. Gobuster doesn’t find much initially but Ffuf finds a few subdomains, so we’ll keep digging. We discover that blog.vulnnet.thm is running Typo3 CMS. There appear to […]
-
Late | Hack The Box
Out of the blocks we don’t really have a lot to go off, so straight to the web app to see if we can break something. We’re given a subdomain (images.late.htb) from the landing page so we’ll have a look. If we try to bypass the filter by renaming a php.jpg we get the following […]
-
VulnNet: dotpy | TryHackMe
Well, there’s only one place to start… Straight in with a login, we’re allowed to create a user and log in to view the dashboard for StarAdmin. After browsing around and finding the server likes to block certain characters, we find it’s vulnerable to SSTI. We discover there is a filter in place to block […]
-
VulnNet | TryHackMe
Initial nmap results, let’s head to the web server… In one of the JavaScript files we find reference to http://broadcast.vulnnet.net so let’s add that to /etc/passwd and see what’s there. We get thwacked with a basic authentication screen and it doesn’t seem so easy to bypass. Will return to the web server and see what […]