Category: TryHackMe
-
VulnNet: Endgame | TryHackMe
The end of the VulnNet series. Not a lot open. We’ll start gobuster and poke at the web app, we find out we need to add vulnnet.thm to /etc/hosts. Gobuster doesn’t find much initially but Ffuf finds a few subdomains, so we’ll keep digging. We discover that blog.vulnnet.thm is running Typo3 CMS. There appear to […]
-
VulnNet: dotpy | TryHackMe
Well, there’s only one place to start… Straight in with a login, we’re allowed to create a user and log in to view the dashboard for StarAdmin. After browsing around and finding the server likes to block certain characters, we find it’s vulnerable to SSTI. We discover there is a filter in place to block […]
-
VulnNet | TryHackMe
Initial nmap results, let’s head to the web server… In one of the JavaScript files we find reference to http://broadcast.vulnnet.net so let’s add that to /etc/passwd and see what’s there. We get thwacked with a basic authentication screen and it doesn’t seem so easy to bypass. Will return to the web server and see what […]
-
Ra 2 | TryHackMe
WindCorp recently had a security-breach. Since then they have hardened their infrastructure, learning from their mistakes. But maybe not enough? You have managed to enter their local network… My first hard box. Let’s go. Our first nmap scan gives a lot back, so it’s going to be lots of vectors for enumeration. Starting with DNS […]
-
VulnNet Active | TryHackMe
So, we’re probably looking at a domain controller judging by the DNS service running. Running crackmapexec gives us the domain name vulnnet.local which we’ll use to further enumerate the box. SMB allows anonymous login but has no shares to display, but Redis allows unauthenticated logins. We can get a username from this but I spend […]
-
VulnNet Internal | TryHackMe
Initial nmap scan gives some interesting services to enumerate. We’ll start with SMB. We can access the folder shares with anonymous user and inside find 3 files: services.txt, data.txt and business-req.txt. Services.txt gives us the first flag but the others give not much else. We’ll continue on to enumerate the NFS shares. When searching through […]
-
Vulnnet Node | TryHackMe
Nothing to enumerate but poke at the web app. We see they’re using NodeJS (hence the box name). We’re greeted with a login form and some potential usernames for future enumeration. We’ll run Gobuster and see what else there is. The images uploaded for company portraits suggest they may use first name last initial as […]
-
Looking Glass | TryHackMe
This room is a continuation of the Wonderland room we’ve already completed. A medium difficulty, Linux box. So, initial nmap results give us thousands of open SSH ports and not much else to go with… There are exploits for Dropbear if we’ve got creds but so far nothing… If we try to log on […]
-
Razorback | TryHackMe
This room was really fun, I had to do a lot of reading and digging so got to learn a lot about Active Directory during the process. Initial nmap results. Lots to go at. We can see the DNS name so first thing to do is add it to /etc/hosts. We’ll start with the open […]