I started with a full port scan using my Nmap automation script. https://github.com/HutchSec/portScan The scan revealed several interesting services including SMB, MSSQL, WinRM, and HTTP. SMB Enumeration — RID Cycling Anonymous SMB access was enabled, which allowed RID cycling attacks using Impacket’s lookupsid.py. This exposed valid domain usernames. Password Spraying Read more
I began the assessment by performing an Nmap port scan to identify open services on the target machine. The scan revealed that port 8080 was open, hosting a web service with the intriguing HTTP title: “mrb3n’s Bro Hut.” Next, I began enumerating the web application to identify potential vulnerabilities. The Read more
I began with an Nmap scan to identify open TCP ports, detect service versions, and run the default NSE scripts. The scan revealed two open ports: 22 (SSH) and 80 (HTTP). Port 80 was hosting a web server identified as Nostromo version 1.9.6. This immediately caught my attention, as Nostromo Read more
I began the lab by running an Nmap scan to identify open TCP and UDP ports. Based on the results, I chose to focus first on TCP ports 80 (HTTP) and 443 (HTTPS), as these services often provide the largest attack surface and the most immediate opportunities for enumeration. The Read more
This machine has a webs server that has unauthenticated access with an IDOR (Insecure Direct Object Reference) vulnerability. By changing the number at the end of the URL, you can find a PCAP file with cleartext FTP traffic containing credentials. These credentials work for ssh and can be used to Read more
I began this lab by running Nmap to identify open TCP and UDP ports on the target system. During the scan, I noticed that UDP port 500 was open, which immediately suggested the presence of an IPsec/IKE VPN service. Given the open UDP 500 port, I decided to enumerate the Read more
This lab came with Active Directory creds to simulate an assumed breach assessment. I started by checking the credentials with Netexec to confirm they worked. Next I ran Bloodhound-ce-python to collect Active Directory data for Bloodhound. Looking at the user “Olivia” that was provided, I noticed they had an outbound Read more
I started with an nmap scan for all TCP ports and the top UDP ports. This one looks like an Active Directory Domain Controller. Added target hostnames to /etc/hosts Looking through the SMB shares, I found one “support-tools” that is not default. Looking into the share with guest access, I Read more
This box took a ton of troubleshooting and resets for the privilege escalation. The web server kept crashing but after many attempts, I finally got it finished. I start things off with a port scan for all 65,535 TCP ports and the top UDP ports. I ended digging into port Read more
To begin my enumeration, I performed a port scan of both TCP and UDP ports using Nmap. This initial step allowed me to establish a clear picture of the services that were exposed and set the foundation for the rest of the assessment. Checking the web service on port 80, Read more