I began by performing a full TCP and UDP port scan to enumerate available services. It looks like we are working with an Active Directory Domain Controller from the ports that are open. I was able to collect system information through an SMB null session misconfiguration, which allowed me to Read more
As always, I start off the assessment with scanning for open TCP and UDP ports. I started looking into the ActiveMQ service and did a search for version 5.15.15. This led to the CVE-2023-46604 exploit with a public RCE on GitHub. I pulled down the exploit to my attack machine Read more
Today I am working on Sauna by Hackthebox. I start out with some port scans. This is a Domain Controller so I looked into some common items such as null sessions and smb share enumeration. I did not have luck so I started enumerating the web server on port 80. Read more
I got stuck on this assessment because the target machine was not accepting the reverse shell. It turned out that I needed to set my attack box to the same time as the target machine, once that was completed, everything worked! I started the assessment with my new poet scanning Read more
I started the assessment with Nmap port scans against all TCP and the top UDP ports. On TCP port 55555, I found this service called request-baskets. I found a public exploit with SSRF (Server side request forgery). I started enumerating the exploit and was able to use the web UI Read more
To start the assessment, I start with my nmap scans to check for open TCP and UDP ports. Looks like a domain controller with a SQL service. I use the tool smbclient to check for any smb share that look interesting. The share “Public” looks good so I connect to Read more
This assessment was tough, the foothold was really demanding and helped me learn a lot. I started off with port scans using the tool Nmap for both TCP and UDP ports. The site on port 80 was a website created to determine if another website is up or not. I Read more
I started this one with an nmap scan for both TCP and UDP ports. With the Nmap results, I started enumerating port 80. With this error, I am able to enumerate the website domain name and input that information into my /etc/hosts file so my local machine and resolve the Read more
icked off the assessment with a thorough Nmap scan to discover open ports and fingerprint the services running on the Forest host. After identifying RPC on 135, I used rpcclient to connect anonymously and enumerate every domain user. I compiled the discovered usernames into a file and ran Impacket’s GetNPUsers.py Read more
I began this engagement by conducting an Nmap scan to identify open ports on the target. The results revealed several ports in use, including ports 88 (Kerberos), 135 (RPC), 389 (LDAP), and 445 (SMB), which strongly suggested the target was a Windows Domain Controller. Focusing on port 445, I started enumerating Read more