Image for post
Image for post

I presented this box at the Hack The Box Ottawa August Meetup. The presentation has been recorded and posted on YouTube.

Let’s get started!

Reconnaissance

Run AutoRecon to enumerate open ports and services running on those ports.

sudo autorecon.py 10.10.10.194

View the full TCP port scan results.

root@kali:~/# cat _full_tcp_nmap.txt
....
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 …


Image for post
Image for post

This is the 1st blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSWE. The full list of OSWE like machines compiled by TJ_Null can be found here. This box is not on TJ_Null’s list, however, when working on the initial foothold, I found it to be very similar to an exercise I worked on in the OSWE labs and therefore, made the decision to include it in the list of boxes.

The blog will be divided into three sections:

  • Box Walkthrough: This section provides a walkthrough of how to solve the box. …


Image for post
Image for post

This is the 1st blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSWE. The full list of OSWE like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run AutoRecon to enumerate open ports and services running on those ports.

autorecon.py 10.10.10.158

View the full TCP port scan results.

root@kali:~/# cat _full_tcp_nmap.txt
....
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 FileZilla ftpd
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 8.5
| http-methods:
| Supported Methods: GET HEAD OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Json HTB
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49156/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49157/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49158/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
.... …


Image for post
Image for post

This post describes the journey that I went through while studying for the Offensive Security Certified Professional (OSCP) certification. It outlines my personal experience and therefore is very subjective. I don’t go into any details about the OSCP labs and exam due to restrictions set by Offensive Security. Instead, I’ve structured it in such a way that it gives the advice that I wish I had gotten when I first started the certification.

When it all Began — Or so I thought…

I first enrolled in the OSCP certification at the beginning of last year. I had just finished a Master’s degree in Computer Science and started my first full time position as a Security Assessment Analyst. At the time, I had a background in web security, however, I recognized that there was a huge gap in my knowledge of the entire process of penetration testing. …


Image for post
Image for post

This is the 47th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

nmapAutomator.sh 10.10.10.161 All
  • All: Runs all the scans consecutively.

We get back the following result.

Running all scans on 10.10.10.161Host is likely running Windows
---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-13 21:50 EDT
Warning: 10.10.10.161 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.161
Host is up (0.092s latency).
Not shown: 940 closed ports, 49 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open…


Image for post

This is the 46th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.147 All
  • All: Runs all the scans consecutively.

We get back the following result.

Running all scans on 10.10.10.147Host is likely running Linux---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-08 12:56 EST
Nmap scan report for 10.10.10.147
Host is up (0.037s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds


---------------------Starting Nmap Basic Scan---------------------

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-08 12:56 EST
Nmap scan report for 10.10.10.147
Host is up (0.047s …


Image for post
Image for post

This is the 45th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.34 All
  • All: Runs all the scans consecutively.
Running all scans on 10.10.10.34Host is likely running Linux---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-08 14:46 EDT
Nmap scan report for 10.10.10.34
Host is up (0.044s latency).
Not shown: 996 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
2049/tcp open…


Image for post
Image for post

This is the 44th blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.59 All
  • All: Runs all the scans consecutively.
Running all scans on 10.10.10.59Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 01:57 EST
Nmap scan report for 10.10.10.59
Host is up (0.043s latency).
Not shown: 726 closed ports, 267 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
81/tcp open hosts2-ns
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
808/tcp open…


Image for post
Image for post

This is the 43rd blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.81 All
  • All: Runs all the scans consecutively.
Running all scans on 10.10.10.81Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 20:20 EST
Nmap scan report for bart.htb (10.10.10.81)
Host is up (0.28s latency).
Not shown: 999 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open…


Image for post
Image for post

This is the 42nd blog out of a series of blogs I will be publishing on retired HTB machines in preparation for the OSCP. The full list of OSCP like machines compiled by TJ_Null can be found here.

Let’s get started!

Reconnaissance

Run the nmapAutomator script to enumerate open ports and services running on those ports.

./nmapAutomator.sh 10.10.10.63 All
  • All: Runs all the scans consecutively.

We get back the following result.

root@kali:~/Desktop/htb/jeeves# nmapAutomator.sh 10.10.10.63 AllRunning all scans on 10.10.10.63Host is likely running Windows---------------------Starting Nmap Quick Scan---------------------Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-29 12:09 EST                                                                                                                
Nmap scan report for 10.10.10.63
Host is up (0.043s latency). …

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store