tsustyle

Aspiring Red Team

Beep

less than 1 minute read

Port Scanning and Enumeration (Nmap)

nmap -sV -sC -oN nmap/initial -T4 10.10.10.7

img

nmap -p- 10.10.10.7 -oN nmap/allports

img

Lots of stuff to look at here. Let’s check out the webserver first

img

Couldn’t find any default creds. Let’s keep enumerating.

What’s on 10000?

img

Access (Elastix: LFI and RCE, exploitdb, elastix)

Searching exploitdb for ‘elastix’ we can see that there’s a few vulnerabilities. Some require authentication, so let’s try the LFI vulnerability using graph.php and current_language.

Using the supplied exploit, we’re given a config file

img

Let’s try to log in to Elastix using those creds

Nice, it worked. Maybe one of those vulnerabilities that required some sort of auth will work now?

https://www.exploit-db.com/exploits/18650

So this one requires an extension. Let’s check the PBX tab.

img

So, now that we have an extension, let’s sub in our details for extension, lhost and lport, fire up a listener on our machine and let her rip.

img

img

Privesc (Nmap interactive)

Now that we’re on the box, let’s see about privesc. sudo -l

img

Nmap? Let’s look at gtfobins

img

And we’re root! Let’s capture the flags

img

img

You may also enjoy

THM Challenge

‘THM Challenge’ is a WebApp that I wrote to send along with my CV to TryHackMe when they were recruiting Content Engineers

Granny & Grandpa

Granny & Grandpa are a pair of identical easy rated boxes on Hack the Box. We’ll use metasploit to exploit a buffer overflow in IIS 6.0/WebDav for access and a kernel exploit for privesc

Optimum

‘Optimum’ is an easy rated box on Hack the Box. We’ll exploit a vulnerable version of HttpFileServer for access and use Windows Exploit Suggester to find a kernel exploit for privesc

Bashed

‘Bashed’ is an easy rated box on Hack the Box. We’ll use gobuster to uncover some hidden directories on a webserver, use a custom bash/php client to gain a shell and exploit a script being run as a cronjob for root