Dark's Security

LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the file key

 LINK TO THE ROOM:  KIBA Kiba is an easy level room based on Kibana. Kibana is an open source frontend application and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence use cases. It offers powerful and easy-to-use features such as histograms, line graphs, pie charts, heat maps, and built-in geospatial support. So, the first question is asking us about a vulnerability that is specific to programming languages with prototype-based inheritance. The answer can be easily obtained by a small google search. NMAP ENUMERATION You can either run the full nmap scan to scan each and every port using the switch -p- but it will take a lot of time or else simply google search for "Default port for kibana" and you will get the port number that is missing in the simple nmap scan whose output is shown below. 5601 is the default port that is used to access kibana. The command that i used here is nmap -Pn -sV -v  10.10.10.197 WEB ANA

 NMAP SCAN Launching a nmap scan against our target machine to find open ports. WEB ANALYSIS On visiting port 8080 we get to know that the website is made using Gym Management Software 1.0. On googling about the software and its version we get to know about a related exploit from exploit-db. https://www.exploit-db.com/exploits/48506 We can now download and run the exploit in order to gain a reverse shell. Now we have a reverse shell but we are unable to run many commands on it. So lets try to put nc.exe here. We will do so using the python server and "curl" command. So now we have nc.exe here and we can use it to gain a new reverse shell where we will be able to run more commands. Now we can grab the user flag which is located inside C:\Users\shaun\Desktop PRIVILEGE ESCALATION Time to explore all the directories and files inside them. The CloudMe Version 1.11.2 is vulnerable to Buffer overflow. An exploit for the same can be found on exploit-db. https://www.exploit-db.com/exp

 Starting with NMAP scan: Checking the website I got a lot of emails and since the box name is SneakyMailer I think that will be useful. Hence I used CEWL to scrap all the emails from the website. $ cewl -d 5 -e --email_file emails.txt http://sneakycorp.htb/  After that I started to look for valid emails , we can do this by VRFY command of SMTP and also there are many tools to do it like iSMTP, metasploit module smtp_enum. But at this point for me none of them worked so I thought may be here it is something related to phishing attack... like there must be some bot in the backend which may click on any link provided in the email but question is which email. Here I made a simple script to send mail to each them with a link to my listening socket. First let me show you how to do this manually.. but it is time taking Now automatic:      And from the script we got password in response. Now I think I need to view all the emails sent or received by this user and for this I will be using Evolu

LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin