@jeremypruitt
Last active August 31, 2019 03:50
Hack The Box - Unattended

Techniques

Tools

  • nmap

Setup

  1. Add unattended.htb to the hosts file so we can refer to the host by name
    $ echo "10.10.10.126 unattended.htb" >> /etc/hosts

Port Scan

  1. Scan for ports and services

    # Use nmap to find available TCP ports quickly
    $ unattended_tcp_ports=$( \
        nmap unattended.htb \
             -p- \
             --min-rate=1000 \
             --max-retries=2 \
             -T4 \
             -Pn \
             -oA nmap-tcp-allports \
        | grep '^[0-9]' \
        | cut -d '/' -f 1 \
        | tr '\n' ',' \
        | sed 's/,$//' \
      )
    
    # Scan found ports for services
    $ nmap unattended.htb \
           -p ${unattended_tcp_ports} \
           -sV \
           -sC \
           -T4 \
           -Pn \
           -oA nmap-tcp-foundports
  2. Check found ports against the Vulners db/nse script

    $ nmap unattended.htb \
           -p ${unattended_tcp_ports} \
           --script=vulners \
           -Pn \
           -A \
           -T4 \
           -oA nmap-tcp-foundports-vulners
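
The pipeline in step 1 keeps every line of nmap's normal output that starts with a digit, which also picks up ports reported as closed or filtered. As an added example (not part of the original gist), this helper reads the grepable file that `-oA nmap-tcp-allports` writes and keeps only open TCP ports; the function names and the sample host line are constructed for illustration.

```shell
# Added example: list open TCP ports from nmap grepable (.gnmap) output.
# Usage: open_tcp_ports nmap-tcp-allports.gnmap   (or pipe the file on stdin)
# Prints a comma-separated, numerically sorted, de-duplicated port list.
open_tcp_ports() {
    awk '
        /Ports: / {
            sub(/^.*Ports: /, "")      # drop the "Host: ..." prefix
            sub(/\t.*$/, "")           # drop trailing tab-separated fields
            n = split($0, entries, /, */)
            for (i = 1; i <= n; i++) {
                # entry layout: port/state/protocol/owner/service/rpc/version/
                split(entries[i], f, "/")
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }
    ' "$@" | sort -n -u | paste -sd, -
}

# Constructed sample in .gnmap layout (not output from the host on this page).
# It mixes closed, open and UDP entries to exercise the filter.
sample_gnmap() {
    printf 'Host: 192.0.2.10 (example.test)\tStatus: Up\n'
    printf 'Host: 192.0.2.10 (example.test)\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//ssl|http//nginx/, 80/open/tcp//http//nginx/, 53/open/udp//domain///\tIgnored State: filtered (65532)\n'
}

sample_gnmap | open_tcp_ports   # prints 80,443
```

The result can be assigned to `unattended_tcp_ports` in place of the grep/cut/tr/sed pipeline.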
  1. Let's start by looking for interesting URL paths

    $ gobuster -u https://www.nestedflanders.htb \
               -w /usr/share/seclists/Discovery/Web-Content/common.txt \
               -o gobuster-https.log \
               -t 20 \
               -k

We found a few things, of which /dev is the most interesting. Let's see if there are any subpaths off of /dev.

  1. Now let's look for subpaths

    $ gobuster -u https://www.nestedflanders.htb/dev/ \
               -w /usr/share/seclists/Discovery/Web-Content/common.txt \
               -o gobuster-https-dev.log \
               -t 20 \
               -k