Month: July 2020

HTB – Sneaky – FH: SQLI

Foot-hold: SQL Injection

This box is going to make me do some learning! It was extremely basic in the scans, and didn’t reveal hardly anything. NMAP only showed port 80, and gobuster showed a folder called /dev. Those were two things that could easily be put together to give a hint as to the way forward.

Continue Reading

HTB – October – FH: File Upload

Foot-hold: File upload after logging in

On October, only ports 22 and 80 were open. It was pretty obvious to go check on the website to see what was up.

Continue Reading

HTB – Cronos – FH: DNS, then SQL Injection

Foot-hold: DNS, then SQL Injection

NMAP shoed a few ports for http, DNS, and SSH.
I wanted to go ahead and check for any exploits for Apache. Turns out that a lot of these Hack The Box ‘boxes’ run the same Apache. So I’ve seen this dance before. I can confirm that I can GET, POST, etc to the Apache server… but I haven’t been able to exploit this so far. The google search for Apache 2.4.18 revealed an attack called Optionsblee that I’ve seen before.

Continue Reading

OSCP Practice References

This was interesting… someone made a list of all the boxes that are good to practice for the Offensive Security Certified Professional (OSCP) exam. That’s the one that is my goal.

I will make a note of this now and use it whenever appropriate

OSCP Practice References

HTB – Bastard – FH: Drupalgeddon2

Foot-hold: Remote Code Execution with Drupalageddon2

Nmap showed a few ports open, but it was obvious that the website was to be exploited for this box. The website shows a Drupal install.

Continue Reading

HTB – Optimum – FH: RCE

Foot-hold: Remote Code Execution, through Metasploit

This Optimum box took all of about 15 seconds after I discovered the service that was running. It’s at the bottom of the screenshot.

Continue Reading

HTB – Beep – FH: LFI

Foot-hold: Local File Inclusion

For the Beep box, there were several ports found with NMAP. Some looked like mail servers, and others for MySQL and other things. So I explored around for each of them.

Found login page via
Port 80 redirects to this…

Continue Reading

HTB – Popcorn – FH: File Upload

Foot-hold: File upload via the torrent server

The Popcorn machine was fun, and played on many things that I had learned through a Udemy Course for web application testing. Specifically, changing the name of a file upload to ensure that the server trusts you.

To begin, I did the nmap scan to find only port 22 and 80 available. This machine was one that was only going to give away tricks through the web interface. I don’t go after port 22 unless I have to! So port 80 it was.

Visiting the webpage showed only some text that said that the web server was working. The source code confirmed that there was nothing interesting, and therefore a dead-end. The program ‘Dirb’ had something entirely different to say, however. I always run nmap to begin, and dirb as a follow-on. Dirb resulted in the discovery of several directories, one of which was torrent. So that was the vector for further enumeration.

Continue Reading

HTB – Devel – FH: FTP

Foot-hold: ftp anonymous upload

Devel was not a tricky machine. It was pretty obvious that trying the ftp connection was the way. The NMAP showed port 21 and 80, which didn’t give too many options for an exploit. The website on port 80 only showed an IIS installation, and a link that went to the Microsoft site. Before running a directory scanner, I went ahead and tried the connection to the ftp portion of the server.

Continue Reading
Scroll to top