Junior Penetration Tester (eJPT) Cheatsheet

Introduction: Anyone in the information security or penetration testing field knows how deep a topic, or even a certificate, may go, and as we progress deeper into the field, it gets harder to keep track of the knowledge gained. For me personally, notes, cheatsheets, and mind maps are the best way to keep track of things. As far as studies go, the eLearnSecurity Junior Penetration Tester (eJPT) is entry-level, beginner-friendly, and a great starting point to get some fundamentals of networking, programming, and penetration testing, all for an affordable price....

January 25, 2022 · 13 min · jincx

HackTheBox - Intelligence

This machine is classified as Medium difficulty by Micah but may seem hard, as it takes tons of enumeration against a domain controller with a webserver running. On the webserver, we will find a document uploads folder; using its naming convention, we will brute-force each and every uploaded document, as their metadata contains usernames, which eventually leads to getting a default password. We will password spray with the enumerated users and find one valid user....

November 27, 2021 · 8 min · jincx

HackTheBox - Popcorn

This box was classified as a medium box by ch4p on HackTheBox. It is also categorized as an OSCP-style box on TJNull’s list. While enumerating port 80, we find an instance of TorrentHoster where we get to upload an image and bypass its filtering to get our initial foothold. For privilege escalation, we leverage CVE-2010-0832 to get root. OS: Linux | Difficulty: Medium | IP Address: 10.10.10.6 | Status: Retired. Phase 1 - Enumeration: Nmap. As usual, we start off with an Nmap scan to identify open ports:...

November 10, 2021 · 5 min · jincx

HackTheBox - Cap

This box is classified as easy, but we at CovertBay decided to classify it as super easy, thanks to InfosecJack on HackTheBox. Since the web application page did not have any kind of authentication, it allowed us to download packet capture files (.pcap) which, when analyzed, reveal an FTP username and password that are also the credentials for SSH. Once logged in, as this box’s name suggests, the privilege escalation path is via Linux capabilities....

November 9, 2021 · 3 min · jincx

HackTheBox - Ophiuchi

This was classified as a medium-difficulty box by felamos from HackTheBox. Our foothold into this box starts on its webpage on port 8080, where we will find an “Online YAML Parser” which is vulnerable to a SnakeYaml deserialization attack: we can upload a YAML payload from the web application and the server side will parse it using the SnakeYaml library. So, we’ll let it “parse” a Java payload to get remote code execution, and gain our foothold....

November 6, 2021 · 7 min · jincx