Avatar

Neal's Blog

Development & Security

wechat

Posts List

Haystack - hack the box

@Neal · Nov 30, 2019 · 7 min read

Introduction Target: 10.10.10.115(Linux) Kali: 10.10.16.61 HayStack is an easy box in hack the box. But it does isn’t easy at all. It’s annoying to find the user and password in the messy Spanish. For the root, you should have a basic understanding of ELK. Hence, the box is quite fresh in htb. Information Enumeration As usual, nmap is utilized to detect detailed ports and services. # Nmap 7.70 scan initiated Sun Jun 30 01:10:53 2019 as: nmap -sT -p- --min-rate 1500 -oN ports 10.10.10.115 Nmap scan report for 10.10.10.115 Host is up (0.27s latency). Not shown: 65532 filtered ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 9200/tcp open wap-wsp Then detect the detailed services:

Holiday -- hack the box

@Neal · May 20, 2019 · 6 min read

Introduction Target: 10.10.10.25(Linux) Kali: 10.10.16.65 Holiday is an insane box officially. It’s really difficult to get the user permission. The most difficult part should be how to pass the XSS filter. It may need a lot of time. And the root privesc is based on the exploitation of npm install which is relatively fresh. Information enumeration As usual, use nmap to detect open ports and related services: nmap -A 10.10.10.25:

Help -- hack the box

@Neal · Apr 22, 2019 · 5 min read

Introduction Target: 10.10.10.121(OS: Linux) Kali: 10.10.16.28 To be honest, Help is not a difficult box. But there are some rabbit holes in the box. And in some case, you may come across some very strange situations. May you should step back, find if there is something wrong. For the PrivEsc of root, never give up trying the most basic method. Infomation Enumeration Firstly, gather open ports and services: # Nmap 7.70 scan initiated Sat Apr 20 02:13:56 2019 as: nmap -sC -sV -oA services 10.10.10.121 Nmap scan report for 10.10.10.121 Host is up (1.2s latency). Not shown: 997 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA) | 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA) |_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works 3000/tcp open http Node.js Express framework |_http-title: Site doesn't have a title (application/json; charset=utf-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Apr 20 02:14:40 2019 -- 1 IP address (1 host up) scanned in 43.61 seconds The port 80 seems to be an HTTP service. Access to http://10.10.10.121, nothing special but just the apache default web page. Try gobuster:

Nibbles - Hack the box

@Neal · Mar 17, 2019 · 6 min read

Introduction Target: 10.10.10.75(OS: Linux) Kali linux: 10.10.16.44 Information Enumeration Firstly, detect the open ports: nmap -sT -p- --min-rate 10000 -oA openports 10.10.10.75 There are not too many open ports, just 80 and 22. Detect the detailed services of the open ports: nmap -sC -sV -oA services 10.10.10.75 Nothing special found. The only clue may be the open port of 80. To be honest, the box with less open ports is easier in general.