Granny & Grandpa

Port Scanning and General Enumeration (Nmap, Nikto)

Initial scan showed just 80 (HTTP) open.

Gobuster returned nothing. Nikto had a bunch to say, but I’m starting to see a trend: WebDAV in the Nmap scan, WebDAV in the Nikto scan.

Things we know

  • IIS 6.0
  • WebDAV is enabled
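
An added example, not part of the original write-up: a defender-side check that parses a saved HTTP OPTIONS response and reports the two facts listed above (IIS 6.0, WebDAV enabled), for auditing your own servers. The sample response is constructed, and the function names are hypothetical.

```python
import re

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample of an OPTIONS response (not captured from the box in this post).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "MS-Author-Via: DAV\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, PUT, POST, COPY, MOVE, MKCOL, PROPFIND\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lowercased-name: [values]} from the header block of a raw response."""
    text = raw.replace("\r\n", "\n")          # tolerate CRLF or bare LF captures
    head = text.split("\n\n", 1)[0]           # drop any body
    headers = {}
    for line in head.split("\n")[1:]:         # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Report the IIS version and whether the response advertises WebDAV."""
    h = parse_headers(raw)
    m = re.search(r"Microsoft-IIS/(\d+)\.(\d+)", " ".join(h.get("server", [])), re.I)
    iis_version = f"{m.group(1)}.{m.group(2)}" if m else None
    advertised = set()
    for name in ("allow", "public"):          # IIS lists verbs in both headers
        for value in h.get(name, []):
            advertised |= {t.strip().upper() for t in value.split(",") if t.strip()}
    dav_methods = sorted(advertised & WEBDAV_METHODS)
    webdav = bool(h.get("dav")) or bool(dav_methods)
    return {
        "iis_version": iis_version,
        "webdav_enabled": webdav,
        "webdav_methods": dav_methods,
        "flag": iis_version == "6.0" and webdav,  # the combination noted above
    }

if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSE))
```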

Access (searchsploit, metasploit)

Searchsploit:

WebDAV remote buffer overflow? There’s a Python script, but I couldn’t get it to work. Let’s check out Metasploit.

That’s what we’re looking for!

And we’re in!


Privesc (metasploit, kitrap0d)

Running into issues with my shell and running post exploits. Something about insufficient privileges, so I tried migrating to a different process.

New process seems to work.

use post/multi/recon/local_exploit_suggester

Let’s try kitrap0d.

That got us there.
