Posts

Showing posts from June, 2021

Simple CTF (tryhackme)

I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3, and the -p- flag specifies that all ports are to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password (ftp -p 10.10.179.144). The connection was successful, but I could not get any listing of the directories or files using ls, so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...

Black Box Test One

This post is about how I went about pwning the first black box pentesting lab on the student pen tester course on ine.com. I started with the usual nmap port scans. I like to do a fast scan on TCP, SCTP and the most common UDP ports to quickly identify potential targets. These targets are then grepped into one targets .txt file, which is used to do the subsequent, more in-depth scans. I like to scan all ports, as sometimes there are sneaky services listening on higher-numbered ports. I then had a look at the 101 host and noticed it was running Tomcat on port 8080. This was the first thing I checked in a browser. I was greeted by an Apache default web page, which got me thinking - why would they serve a default page? It seemed to me like they had poor security practices, as leaving a default page online makes no sense. I wondered what else they might have left as default, so I tried to navigate to the /manager/html page for Tomcat. This worked, and I was able to log in using the unchan...

Nmap

I have just completed a lab on ine.com which required me to use Nmap to identify live hosts on a network and then find out more about their operating systems, if possible, and the daemons running on the open ports. I started by identifying the network I was connected to by using ifconfig to find my local IP address and netmask. This let me know that I was connected to the network 10.142.111.0/24. I then turned my attention to how I would identify the live hosts. Since lots of firewalls are configured to drop ICMP traffic, I decided to use Nmap's SYN, SCTP and UDP scans. I started with a fast scan of fewer than the default ports. I elected to save the results as greppable files so I would be able to grep them together into one neat list of targets later. This first scan uses -T4 to increase the speed slightly but still keep accuracy. The -Pn flag ensures that all hosts are treated as being up, to avoid missing some due to ICMP traffic being dropped. The -sS flag selects the h...

Hacking Shocker (hackthebox)

I first of all did an Nmap scan and found an SSH and Apache server open. I decided to start by enumerating the website using Gobuster. I like to use Gobuster before dirbuster as it is faster. It did not take long for it to find an interesting directory called /cgi-bin/. This, along with the name of the box, led me to think about Shellshock bugs. One Shellshock exploit uses shell scripts in the Command Gateway Interface to work. I therefore decided to use dirbuster to dig deeper to see if I could find an available .sh file in the /cgi-bin/ directory. I had to try a couple of wordlists before I found the right one. I kept on trying, as I was sure the way to pwn this machine would be via a Shellshock exploit. Sure enough, with a little perseverance and experimentation with wordlists, I found a .sh script which could potentially be used: I fired up msfconsole and did a search for shellshock: Number 1 looked interesting, so I checked out its info: This seemed good, so I set the vari...