<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Oscp on rchitect</title><link>https://www.rchitect.in/categories/oscp/</link><description>Recent content in Oscp on rchitect</description><generator>Hugo</generator><language>en</language><lastBuildDate>Thu, 16 Mar 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://www.rchitect.in/categories/oscp/index.xml" rel="self" type="application/rss+xml"/><item><title>Vulnhub DC-9</title><link>https://www.rchitect.in/posts/vulnhb-dc9/</link><pubDate>Thu, 16 Mar 2023 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/vulnhb-dc9/</guid><description>&lt;p&gt;This post is about the Walkthrough of the Vulnhub machine: DC-9&lt;/p&gt;</description></item><item><title>Hackthebox Forest</title><link>https://www.rchitect.in/posts/htb-forest/</link><pubDate>Wed, 30 Nov 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-forest/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Forest&lt;/p&gt;</description></item><item><title>Hackthebox Active</title><link>https://www.rchitect.in/posts/htb-active/</link><pubDate>Fri, 01 Jul 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-active/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Active&lt;/p&gt;</description></item><item><title>Hackthebox Object</title><link>https://www.rchitect.in/posts/htb-object/</link><pubDate>Thu, 30 Jun 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-object/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Object&lt;/p&gt;</description></item><item><title>Hackthebox Knife</title><link>https://www.rchitect.in/posts/htb-knife/</link><pubDate>Fri, 13 May 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-knife/</guid><description>&lt;h1 id="hackthebox-knife-walkthrough"&gt;
 Hackthebox Knife Walkthrough
 &lt;a class="heading-link" href="#hackthebox-knife-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;h5 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;h6 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h6&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.242 127 ⨯
sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.242
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:19 EDT
Nmap scan report for 10.10.10.242
Host is up (0.066s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:19 EDT
Warning: 10.10.10.242 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.242
Host is up (0.049s latency).
All 65535 scanned ports on 10.10.10.242 are open|filtered (65483) or closed (52)

Nmap done: 1 IP address (1 host up) scanned in 46.51 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h6 id="vulnarabilty-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarabilty-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h6&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt; nmap -Pn -p 22,80 -sC -sV -oN details.txt 10.10.10.242
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:41 EDT
Nmap scan report for 10.10.10.242
Host is up (0.044s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h6 id="directory-scan"&gt;
 Directory Scan
 &lt;a class="heading-link" href="#directory-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h6&gt;
&lt;p&gt;Website Front end:&lt;/p&gt;</description></item><item><title>Hackthebox Jarvis</title><link>https://www.rchitect.in/posts/htb-jarvis/</link><pubDate>Mon, 25 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-jarvis/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Jarvis&lt;/p&gt;</description></item><item><title>Hackthebox Brainfuck</title><link>https://www.rchitect.in/posts/htb-brainfuck/</link><pubDate>Thu, 14 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-brainfuck/</guid><description>&lt;h1 id="hackthebox-brainfuck-walkthrough"&gt;
 Hackthebox Brainfuck Walkthrough
 &lt;a class="heading-link" href="#hackthebox-brainfuck-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/brainfuck/1.png" alt="brainfuck"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.17 1 ⨯
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:40 EDT
Nmap scan report for 10.10.10.17
Host is up (0.051s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https


$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.17 1 ⨯
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:41 EDT
Nmap scan report for 10.10.10.17
Host is up (0.045s latency).
Not shown: 65532 open|filtered ports
PORT STATE SERVICE
110/udp closed pop3
143/udp closed imap
443/udp closed https
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnarability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;ocky㉿kali)-[~/hckbox/node]
└─$ nmap -Pn -p 22,25,110,143,443 -sC -sV -oN details.txt 10.10.10.17 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:43 EDT
Nmap scan report for 10.10.10.17
Host is up (0.042s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA RESP-CODES USER AUTH-RESP-CODE TOP SASL(PLAIN) PIPELINING UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID LOGIN-REFERRALS more AUTH=PLAINA0001 have listed LITERAL+ capabilities IMAP4rev1 post-login Pre-login SASL-IR OK IDLE ENABLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_ http/1.1
| tls-nextprotoneg: 
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;There was a certificate warning on the HTTPS service. The site looks like below (it seems nginx is running).&lt;/p&gt;</description></item><item><title>Hackthebox Node</title><link>https://www.rchitect.in/posts/htb-node/</link><pubDate>Tue, 05 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-node/</guid><description>&lt;h1 id="hackthebox-node-walkthrough"&gt;
 Hackthebox Node Walkthrough
 &lt;a class="heading-link" href="#hackthebox-node-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/node/1.png" alt="node"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.58 1 ⨯
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:43 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.10% done; ETC: 19:43 (0:00:09 remaining)
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp

$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.58 1 ⨯
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:57 EDT
Nmap scan report for 10.10.10.58
Host is up.
All 65535 scanned ports on 10.10.10.58 are open|filtered
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnarability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;ocky㉿kali)-[~/hckbox/node]
└─$ nmap -Pn -p 22,3000 -sC -sV -oN details.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 20:04 EDT
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_ Logs: /login
| hadoop-tasktracker-info: 
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;We can see 2 ports open, and on port 3000 an Apache service seems to be running. This is how the page looks on port 3000.&lt;/p&gt;</description></item><item><title>Hackthebox Nineveh</title><link>https://www.rchitect.in/posts/htb-nineveh/</link><pubDate>Sat, 19 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-nineveh/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Nineveh&lt;/p&gt;</description></item><item><title>File transfer between Windows and Linux</title><link>https://www.rchitect.in/posts/oscp-cheat/</link><pubDate>Thu, 10 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/oscp-cheat/</guid><description>&lt;h1 id="cheat-sheet-for-oscp"&gt;
 Cheat sheet for OSCP
 &lt;a class="heading-link" href="#cheat-sheet-for-oscp"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;h5 id="reconnaisance"&gt;
 Reconnaissance
 &lt;a class="heading-link" href="#reconnaisance"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;h5 id="nmap-commands-for-port-scan"&gt;
 Nmap Commands for Port scan
 &lt;a class="heading-link" href="#nmap-commands-for-port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;p&gt;The 2 nmap scans below are used to find out the TCP ports open on the server:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;nmap -sT -p- -Pn -T4 --min-rate 10000 -oN alltcp1.txt 10.10.10.58 (faster)&lt;/p&gt;
&lt;p&gt;nmap -sT -p- -Pn -T4 --min-rate 10000 -oN alltcp1.txt 10.10.10.58 (a little slower)&lt;/p&gt;</description></item><item><title>Hackthebox Conceal</title><link>https://www.rchitect.in/posts/htb-conceal/</link><pubDate>Mon, 07 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-conceal/</guid><description>&lt;h1 id="hackthebox-conceal-walkthrough"&gt;
 Hackthebox Conceal Walkthrough
 &lt;a class="heading-link" href="#hackthebox-conceal-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/conceal/1.png" alt="conceal"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ sudo nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.116
sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.116
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 19:46 EST
Nmap scan report for 10.10.10.116
Host is up.
All 65535 scanned ports on 10.10.10.116 are filtered

Nmap done: 1 IP address (1 host up) scanned in 130.18 seconds
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-27 19:48 EST
Nmap scan report for 10.10.10.116
Host is up (0.16s latency).
Not shown: 65534 open|filtered ports
PORT STATE SERVICE
500/udp open isakmp

Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;I have decided to run the &lt;a href="https://rchitect.in/posts/autorecon/" class="external-link" target="_blank" rel="noopener"&gt;Autorecon&lt;/a&gt; script as well to confirm I have not missed anything. It took a longer time (more than 40 min). I could see an additional UDP port 161 as well. Full results are uploaded here: &lt;a href="https://github.com/tcprks/Rchitect/blob/Yoda/CTF/conceal/_top_100_udp_nmap.txt" class="external-link" target="_blank" rel="noopener"&gt;Rchitect/_top_100_udp_nmap.txt at Yoda · tcprks/Rchitect · GitHub&lt;/a&gt;. There are 2 services to enumerate (SNMP and ISAKMP).&lt;/p&gt;</description></item><item><title>Autorecon enumeration script in Kali linux</title><link>https://www.rchitect.in/posts/autorecon/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/autorecon/</guid><description>&lt;p&gt;How to run Autorecon for Enumeration&lt;/p&gt;</description></item><item><title>Hackthebox Silo</title><link>https://www.rchitect.in/posts/htb-silo/</link><pubDate>Thu, 24 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-silo/</guid><description>&lt;h1 id="hackthebox-silo-walkthrough"&gt;
 Hackthebox Silo Walkthrough
 &lt;a class="heading-link" href="#hackthebox-silo-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/silo/1.png" alt="silo"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:46 EST
Nmap scan report for 10.10.10.82
Host is up (0.091s latency).
Not shown: 65261 filtered ports, 269 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 121.90 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:48 EST
Nmap scan report for 10.10.10.82
Host is up (0.100s latency).
Not shown: 65268 filtered ports, 262 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.82
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:49 EST
Warning: 10.10.10.82 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).
All 65535 scanned ports on 10.10.10.82 are open|filtered (65460) or closed (75)

Nmap done: 1 IP address (1 host up) scanned in 75.11 seconds

┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -p 80,135,139,445,8080 -Pn -sC -sV -oN detailed.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:53 EST
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb-security-mode: 
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2022-02-24T00:53:53
|_ start_date: 2022-02-24T00:28:20

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnrability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnrability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ sudo nmap -p 80,135,139,445,8080 -script VULN 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:54 EST
Nmap scan report for 10.10.10.82
Host is up (0.057s latency).

PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn&amp;#39;t find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn&amp;#39;t find any DOM based XSS.
|_http-stored-xss: Couldn&amp;#39;t find any stored XSS vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
| http-enum: 
|_ /i/: Potentially interesting folder

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try

Nmap done: 1 IP address (1 host up) scanned in 342.38 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="smb-enumeration"&gt;
 SMB enumeration
 &lt;a class="heading-link" href="#smb-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;p&gt;It seems we may not get any information from SMB ports.&lt;/p&gt;</description></item><item><title>Hackthebox Buff</title><link>https://www.rchitect.in/posts/htb-buff/</link><pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-buff/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Buff&lt;/p&gt;</description></item><item><title>Port forwarding from Windows</title><link>https://www.rchitect.in/posts/port-forward/</link><pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/port-forward/</guid><description>&lt;p&gt;How to do Port Forwarding in Windows&lt;/p&gt;</description></item><item><title>Transfer Files From Windows to Linux with SMB2 support</title><link>https://www.rchitect.in/posts/smb2-file-transfer/</link><pubDate>Wed, 23 Feb 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/smb2-file-transfer/</guid><description>&lt;p&gt;How to Transfer Files from Windows to Linux using SMB2&lt;/p&gt;</description></item></channel></rss>