Black Box Test 2

This explains how I pwned the second black box penetration test lab from ine.com.

First of all, I did quick nmap scans looking for remote hosts which were alive. I checked using a half-open TCP scan (a SYN scan), an SCTP scan and a UDP scan of common UDP ports. I then combined the discovered hosts into a target file, which I then fed into nmap to perform a more in-depth SYN scan.

The machine at 172.16.64.166 was serving a web site on port 8080 using Apache 2.4.18. The version was discovered by grabbing the server header banner with nmap.

I started Burp Suite and started to explore the web site. At the same time, I started directory busting using Gobuster. I decided to search for .php files as well as directories because Apache was being used as the web server. Gobuster didn't find anything interesting, but by clicking through the web site and looking into the source code of the responses in Burp Suite, I found information being leaked in comments about members of the team. I tried the f...