Category: Infosec

January 9, 2021 / / Infosec

Recon

As usual, recon starts with nmap across all ports:

# Nmap 7.80 scan initiated Mon Sep 28 20:01:12 2020 as: nmap -p- -T4 -A -oN nmap_full.log 10.10.10.198
Nmap scan report for 10.10.10.198
Host is up (0.070s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE    VERSION
7680/tcp open  pando-pub?
8080/tcp open  http       Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
|_http-title: mrb3n's Bro Hut
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008|7 (85%)

We can see there is an HTTP server on 8080, and an unusual service on 7680. The page itself looks simple enough:

While exploring the page, we start a gobuster run against the website. Quite a few entries are returned, including an /ex folder which appears to contain an older, somewhat broken version of the website.

November 2, 2019 / / HackTheBox

An interesting box sitting on the ELK (ElasticSearch, Logstash & Kibana) stack with a slant for the CTF side, but a very good introduction to those technologies.

September 2, 2019 / / HackTheBox

Despite the “Easy” tag, La Casa de Papel was an elaborate box. A vulnerable service leads to an unusual, limited PHP shell which allows us to generate our own signed certificates to access a specific part of the site. From there, a local file inclusion lets us acquire SSH credentials and then escalate to root via a misconfiguration.

May 12, 2019 / / HackTheBox

A fairly straightforward machine, Lightweight lets us explore an insufficiently secured LDAP environment, where we intercept credentials by listening on the network device. It also leads down the path of Linux capabilities, to find an openssl binary which can do far more than it should.

December 4, 2018 / / Devlog