SecWalk.com

Month: June 2020

THM Walkthrough NAX

Nax is a machine released by TryHackMe (https://tryhackme.com/room/nax).
Summary: The website shows a weird page which turns out to be chemical elements. After solving this puzzle we are able to download an image file. When we do some stego on it we are able to get some credentials for Nagios. There is an authenticated exploit available for Nagios; after executing it we were able to get root on the box.
Enumeration, Nmap scan:
nmap -sV -sC 10.10.233.26
Web page: When we go to the web page, we see the following. 'Decrypting' the chemistry elements: This seems some kind of…

HTB Walkthrough Tabby 10.10.10.194

Summary: Tabby was launched on the 20th of June and is rated as an Easy box. Foothold: Nmap shows there are only 3 ports open: 22, 80 and 8080. On port 80 we see a web page that is vulnerable to LFI. User: After finding the LFI and the right file we get credentials for the Tomcat server, which is running on port 8080. We were able to obtain a shell with Metasploit. After some enumeration we found a zip file. After successfully brute-forcing the password we were able to switch to the user ash and get the user flag. Root: Ash id…

HTB Walkthrough ServMon 10.10.10.184

ServMon was released on the 11th of April and retired on the 20th of June. ServMon is an Easy-rated machine. Foothold: First we see we have anonymous access to FTP. There is a file that mentions there should be a passwords.txt on the desktop of nathan. After the web enumeration we find out there is a directory traversal. We can use this vulnerability to get passwords.txt from nathan's desktop. User: After finding those passwords we still had to guess who they belong to; we used crackmapexec for this. It turns out we have credentials for…

HTB Walkthrough Dyplesher 10.10.10.190

Summary: Dyplesher was released on the 23rd of May 2020. Foothold: This machine was rated Insane. In order to gain a foothold we had to dump the .git folder. User: After a lot of enumeration and a few logins we finally arrived at the login page where we can upload a malicious plugin so we can get a web shell with code execution. This way I could write my SSH key to this user and was able to log in on the box. After looking around we see that we have a group called wireshark, which means we can intercept packets…

HTB Walkthrough Blackfield 10.10.10.192

Box summary: Blackfield was released on the 6th of June 2020 and is rated as Hard. From nmap we can assume that we are dealing with an AD machine. After some enumeration we can connect to SMB anonymously. When we connect to profiles$ we see a lot of usernames, but a few stand out since they don't start with capital letters. After some more enumeration we found out that we could try a Kerberoasting attack. After getting user credentials we needed some logical thinking: what can we do with this user? It turns out we can change a password. After that we…

HTB Walkthrough Fuse 10.10.10.193

Box summary: Fuse was released on the 13th of June 2020 and is rated as Medium. From nmap we can see we are dealing with an AD machine. After visiting port 80 we get redirected to a DNS name; after adding this DNS name to our hosts file we were able to view the page. It's a printer page which contains print job history with valuable data like usernames. After poking around a bit we concluded we needed a password. Since the Kerberoasting attack didn't work we needed something else. After trying a lot we created a password list…

HTB Walkthrough Magic 10.10.10.185

Enumeration, Nmap scan:
nmap -sV -sC 10.10.10.185
Web page: After this I ran gobuster in order to enumerate the web page for files and directories.
gobuster dir -u http://10.10.10.185/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html
We see some interesting pages: upload.php and login.php. The login page.
Bypassing the login page: We can bypass this login page by SQL injection. Resource: https://portswigger.net/support/using-sql-injection-to-bypass-authentication
Username: ' or ''='
Password: ' or ''='
After we have logged into the website, we see an upload page where we can upload an image. Exploitation: I tried a simple upload bypass, adding .jpg at the end of the file.…

HTB Walkthrough Cronos 10.10.10.13

Box summary: Cronos was released in 2017 and is rated as Medium. By scanning the machine we found out that there is DNS running on the system. By querying the DNS server, we found out there is a subdomain called admin.cronos.htb. That subdomain is vulnerable to a SQL injection bypass. After we successfully bypass the login page, we found out that there was a ping tool that is vulnerable to code execution, which enables us to gain user-level system access. Since we have user-level access we want to expand that to root-level system access, we were…

Review Virtual Hacking Labs

Intro: Are you interested in Virtual Hacking Labs? Before we dive into Virtual Hacking Labs itself I would like to share why I did Virtual Hacking Labs. As I already mentioned on the about page, I only recently got interested in security. After some research I found out about Hack The Box. Hack The Box is a website where you need to 'hack' yourself into a machine. Hack The Box has different difficulties: Easy, Medium, Hard, Insane. But as a newbie I strongly recommend you start with Virtual Hacking Labs instead of Hack The Box, because when you start with…

Welcome to S3cWalk

First post on S3cWalk. S3cWalk is a website where we have different subjects to talk about, for example: write-ups, reviews, handy tricks for pentesting, and my own skill development journey.