This is a quick walkthrough of the beginner-ish CTF machine “The Planets: Mercury” on Vulnhub.
****Spoiler Alert****
Nmap Scan:
It looks like we have a Python WSGIserver under port 8080, but browsing the root directory was a dud, so let’s see if we can enumerate any more info from a Nikto scan:
Here we can see Nikto picked up directory browsing under the /SilverStream directory, so let’s take a look at that:
This is a walkthrough of the beginner-ish CTF machine “The Planets: Earth” on Vulnhub.
****Spoiler Alert****
Shaking off a lot of cobwebs here. Ok, the obligatory nmap scan of Earth shows the following open ports:
Some notable items here are the two DNS names identified in the certificate under port 443 as Subject Alternative Names (SANs): earth.local and terratest.earth.local. These need to be added to the /etc/hosts file for sure for additional testing of server header goodies.
This is a walkthrough of the beginner-level CTF machine “WestWild” on Vulnhub.
****Spoiler Alert****
So there is an obvious web page here after bootup, but it’s a red herring and we’ll rely on our trusty nmap scan:
Ok, let’s see if nikto turns up anything for HTTP:
Doesn’t look like anything special to me. Let’s take a look at Samba and see if enum4linux turns up anything interesting:
This is a walkthrough of the Intermediate machine “Matrix” on Vulnhub. Let’s take the red pill and see where this story goes….
****Spoiler Alert****
So one of the scripts I run includes what I label as a “shotgun” option, and is essentially nmap -A. Running it here gives the following output:
This shows a typical OpenSSH server with non-typical Python SimpleHTTPServer modules running under ports 80 and 31337. Let’s look at these one at a time.
This is a walkthrough of the CTF machine “SolidState” (originally on HackTheBox), now on Vulnhub. There are many writeups like it, and this one is mine.
****Spoiler Alert****
This was a great classic CTF, with some twists and multiple ways to gain a low privilege shell. Let’s grab our nmap scan and see what our options are:
Ok, so when I see any service that looks like something other than generic (like sendmail or postfix), or big-name (like MS), I tend to think that it’s a great place to look for public exploits.
This is a walkthrough of the CTF machine “Stapler” on Vulnhub. This is a great machine for practicing enumeration :)
****Spoiler Alert****
Let’s jump all in with an extended TCP Nmap scan (nmap -A recommended, but too much info to list here):
Wow, ports a-plenty! For these CTF machines this result is always bittersweet since that’s just that many more possible dead ends. For brevity, I’ll list some of the avenues I followed here:
I’ve had Brainpan downloaded for a while and for some reason I haven’t run it, so having a couple of hours last night I decided to see what it was all about. Unbeknownst to me, it was exactly what I was needing…
****Spoiler Alert****
I had been wanting to practice buffer overflows for my upcoming OSCP test, and have been working on getting a Windows machine set up just for this, running vulnserver or something similar.