This lab came with Active Directory creds to simulate an assumed breach assessment. I started by checking the credentials with Netexec to confirm they worked. Next I ran Bloodhound-ce-python to collect Active Directory data for Bloodhound. Looking at the user “Olivia” that was provided, I noticed they had an outbound Read more
I started with an nmap scan for all TCP ports and the top UDP ports. This one looks like an Active Directory Domain Controller. Added target hostnames to /etc/hosts Looking through the SMB shares, I found one “support-tools” that is not default. Looking into the share with guest access, I Read more
This box took a ton of troubleshooting and resets for the privilege escalation. The web server kept crashing but after many attempts, I finally got it finished. I start things off with a port scan for all 65,535 TCP ports and the top UDP ports. I ended digging into port Read more
To begin my enumeration, I performed a port scan of both TCP and UDP ports using Nmap. This initial step allowed me to establish a clear picture of the services that were exposed and set the foundation for the rest of the assessment. Checking the web service on port 80, Read more
I began the engagement by performing a full TCP and UDP port scan with Nmap to identify open services running on the target. A SYN scan was used on all TCP ports for speed and stealth, while service detection and version enumeration were enabled to gather more detailed information. In parallel, a Read more
I began by performing a full TCP and UDP port scan to enumerate available services. It looks like we are working with an Active Directory Domain Controller from the ports that are open. I was able to collect system information through an SMB null session misconfiguration, which allowed me to Read more
As always, I start off the assessment with scanning for open TCP and UDP ports. I started looking into the ActiveMQ service and did a search for version 5.15.15. This led to the CVE-2023-46604 exploit with a public RCE on GitHub. I pulled down the exploit to my attack machine Read more
Today I am working on Sauna by Hackthebox. I start out with some port scans. This is a Domain Controller so I looked into some common items such as null sessions and smb share enumeration. I did not have luck so I started enumerating the web server on port 80. Read more
I got stuck on this assessment because the target machine was not accepting the reverse shell. It turned out that I needed to set my attack box to the same time as the target machine, once that was completed, everything worked! I started the assessment with my new poet scanning Read more
I started the assessment with Nmap port scans against all TCP and the top UDP ports. On TCP port 55555, I found this service called request-baskets. I found a public exploit with SSRF (Server side request forgery). I started enumerating the exploit and was able to use the web UI Read more