
Starting with nmap. We have only port 8080 open, with Tomcat. Click on Manager App. Use the default credentials tomcat/s3cret. We will create a WAR file and try to get a shell. Upload it from the manager and access it at http://10.10.10.95:8080/shell/ and we will get the shell. We can now read the flag.


Starting with nmap, port 80 shows just a picture named merlin.jpg, possibly a user on the box. Running gobuster and scanning with the .aspx extension, we get two things of interest: first, transfer.aspx, where we can upload files, and second, UploadedFiles, where we can access the files we uploaded. Doing enumeration, we find […]


Starting with nmap. Port 80 is HFS. If we try to log in, we get an unauthorized error. Following is the screenshot. Using searchsploit to find whether there are any vulnerabilities related to HFS. Cloning one with Remote Command Execution. There are two things we should do before running the above Python script. […]


Starting with nmap. Checking SMB. We can check further in Share and Users. Searching for any known vulnerability using searchsploit. EternalBlue seems to be interesting. There is a GitHub repo to exploit this automatically. Let's clone the repo. Then follow the README and generate the shellcode. This will make the sc_all.bin shellcode. Now […]


Starting with nmap. SMB port 445 is open and the machine is XP… legacy. Searching on the internet, XP is affected by MS08-067 (CVE-2008-4250). Further, a Python exploit is available for this. We can download it from here. First of all, we need to change the shellcode in the script. For this we are […]


Starting with masscan. Two web ports are open, with SSL and without SSL. Let's explore without SSL (port 80) first. To start with, we will try gobuster. We found one directory, /department. Browse it. Hmm, a login page; we can try a few login details like admin/admin, guest/guest, admin/password, etc. But in this case […]


Starting with masscan. Port 53 is open, which is for DNS. Let's see if we can transfer zones. We discovered the cronos.htb and admin.cronos.htb domains. Insert the following in the /etc/hosts file. Browse both domains … and the admin domain. Use a few common techniques to enter/bypass the login, like admin/admin, guest/guest, etc., and finally tried with SQLi […]


Starting with masscan. Two ports are open, web and SSH. Browsing the web, we see WordPress, but the site does not look good. To view it correctly, we need to put the following in our /etc/hosts file. Then browse the site. We can go to http://10.10.10.46/?author=1 to view the user in WordPress. This gives us user […]


Starting with nmap. Scan all ports with masscan. Doing another scan on the open ports using the default script. Port 80 reveals a Drupal website. Looking at CHANGELOG.txt, we are using Drupal version 7.54. With a simple Google search, we found another exploit here. Oops! Let me try that again. Sweet! I am iusr. What can I do? […]

