TryHackMe - Ignite

Enumeration Host: 10.10.140.200 As always, let’s start with a quick NMAP (-A) scan against the host ┌──(root💀b0x)-[/mnt/hgfs/THM/Ignite] └─# nmap -A 10.10.140.200 -Pn -n Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-09 11:31 PKT Nmap scan report for 10.10.140.200 Host is up (0.19s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open ssl/http Apache/2....

April 9, 2021 · 9 min · Umar_0x01

TryHackMe - Bounty Hacker

Enumeration Host: 10.10.56.222 Let’s start with nmap scan against the host and see the ports open on it. ┌──(root💀b0x)-[/mnt/hgfs/THM/Bounty Hacker] [1/377] └─# nmap -A 10.10.56.222 -Pn -n Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-09 00:03 PKT Nmap scan report for 10.10.56.222 Host is up (0.21s latency). Not shown: 967 filtered ports, 30 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3....

April 8, 2021 · 11 min · Umar_0x01

TryHackMe - Internal

Enumeration IP: 10.10.25.58 Host: internal.thm Let’s start with the nmap full port scan and see the open ports Nmap full port scan ┌──(root💀b0x)-[/mnt/hgfs/THM/Internal] [7/117] └─# nmap -p- -v -iL ip -oN nmapFullPort.nmap Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-07 13:15 PKT Initiating Ping Scan at 13:15 Scanning 10.10.25.58 [4 ports] Completed Ping Scan at 13:15, 0.22s elapsed (1 total hosts) Initiating SYN Stealth Scan at 13:15 Scanning internal....

April 7, 2021 · 11 min · Umar_0x01

TryHackMe - Debug

Enumeration IP: 10.10.51.225 We can scan the host using rustscan (like nmap; but faster!) for open ports: rustscan -a 10.10.51.225 --timeout 5000 --tries 2 --ulimit 5000 -- -sC -sV -a specifies the Host IP address --timeout specifies the timeout before saying the port is closed --tries how many times to try and connect to the port --ulimit specifies how many sockets to open at a time -- for passing arguments for nmap -sC -sV nmap arguments telling rustscan to run default scripts and version fingerprinting Scan results:...

April 3, 2021 · 19 min · Umar_0x01

SUID Enumeration & Exploitation - The Automated Way!

What the heck is SUID3NUM!? Are you also tired of finding && enumerating possibly exploitable SUID binaries like me!? Only to miss the ones you were going to escalate your privileges with? Welp, I just happened to develop a solution: SUID 3NUM. (Self promote, I will! - Yoda) A (not-so-cool-as-it-seems-like) standalone script supporting both python2 & python3 to find out all SUID binaries in a Linux box and do the following:...

October 23, 2019 · 3 min · Umar_0x01