Welcome 👋

I am Muhammad Yaqoob.

  • I am passionate about sharing my experiences and insights with others.
  • I hold certifications such as eCPPT, CRTP, eMAPT, eJPT and AWS Cloud Practitioner.
  • You will find certification reviews and blogs about cyber security here.

HackTheBox Editorial machine Walkthrough

Enumeration

Scanning with nmap

All-port scanning is performed with the following command:

    nmap -p- --min-rate 2500 10.10.11.20 -oN allports.txt

The following shows the result of the command: It shows ports 22 and 80 as open. To find the versions of the services, service version enumeration is performed with the following command.

    nmap -p 22,80 10.10.11.20 -sC -sV -O -oN serviceVersion.txt

As a web server is running, the website is browsed, and the following is the hosted web server. ...

January 25, 2025 · 4 min · 0xt0pus

HackTheBox Busqueda machine Walkthrough

Enumeration

Run an nmap all-ports scan with the following command:

    nmap -p- 10.10.11.208 --min-rate 2500 -T4 -oN nmap/allPorts.txt

The following is the nmap all-ports output: Ports 22 and 80 are open. Now run service enumeration to find the versions of the services running on the target. The following command was used for the service version enumeration.

    nmap -A 10.10.11.208 -p 22,80 -oN nmap/ServiceVersion.txt

The result of the command is shown below: ...

January 20, 2025 · 5 min · 0xt0pus

HackTheBox Keeper machine Walkthrough

Enumeration

All the ports were scanned.

    ┌──(kali㉿kali)-[~/Desktop/hackthebox/keeper]
    └─$ nmap -p- --min-rate 1000 keeper.htb --oN AllPortScan.txt
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 18:13 EDT
    Nmap scan report for keeper.htb (10.10.11.227)
    Host is up (0.032s latency).
    Not shown: 65533 closed tcp ports (conn-refused)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http

The SSH and HTTP ports were open. The service version and OS enumeration is carried out with the following command.

    ┌──(kali㉿kali)-[~/Desktop/hackthebox/keeper]
    └─$ nmap -p22,80 -A keeper.htb --oN ServiceVersion.txt
    Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 18:14 EDT
    Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
    NSE Timing: About 99.30% done; ETC: 18:14 (0:00:00 remaining)
    Nmap scan report for keeper.htb (10.10.11.227)
    Host is up (0.030s latency).

    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   256 35:39:d4:39:40:4b:1f:61:86:dd:7c:37:bb:4b:98:9e (ECDSA)
    |_  256 1a:e9:72:be:8b:b1:05:d5:ef:fe:dd:80:d8:ef:c0:66 (ED25519)
    80/tcp open  http    nginx 1.18.0 (Ubuntu)
    |_http-title: Site doesnt have a title (text/html).
    |_http-server-header: nginx/1.18.0 (Ubuntu)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

It shows the web server is using nginx and the underlying OS is Linux. ...

August 18, 2024 · 3 min · 0xt0pus

Altered Security CRTP Review

What is CRTP?

Certified Red Team Professional (CRTP) is a beginner-level red teaming certification focused on Active Directory by Altered Security. This certification exam proves that certified professionals have sufficient knowledge to perform a Red Teaming engagement on an Active Directory environment.

  • Price: $249 (With 30 Days Lab Access)
  • Passing Score: OS command execution on all the five target servers.
  • Allowed Time: 25 hours exam time, and additional 48 hours for report.
  • Proctored? No
  • Link to Purchase: Here
  • Exam Focused Areas: Red Teaming, Active Directory, MDI Bypass

Packages

Training is included with the certification exam. There are different packages depending on the lab access time and type of training. There are two types of training that can be followed. ...

August 8, 2024 · 6 min · 0xt0pus

eMAPT Exam Review

What is eMAPT?

eLearn Mobile Application Penetration Tester (eMAPT) is a Mobile Application Penetration Testing certification by INE (formerly known as eLearnSecurity). This exam proves that certified professionals have adequate knowledge to perform Penetration Testing of mobile applications (Android and iOS) and can provide an exploit application.

  • Price: 400$ (Without training)
  • Training Cost: 749$
  • Passing score: (Working Android Application as POC)
  • Allowed time: 7 days
  • Proctored? No
  • Link to purchase: Here
  • Exam Focused Areas: Android Application Penetration Testing, Android Application Development

My Experience: I started the exam in the morning of 18th May 2024, uploaded the report on 20th May 2024 and received the result on 29th May 2024. ...

June 2, 2024 · 3 min · 0xt0pus

eCPPT Exam Review

What is eCPPT?

eLearn Security Certified Professional Penetration Tester (eCPPT) is a Network penetration testing certification by INE. This exam proves that certified professionals have adequate knowledge to perform Penetration Testing on the network (multiple hosts and servers) and can provide the documentation of the findings.

  • Price: 400$ (Without training)
  • Training Cost: 749$
  • Passing score: (Exploitation of all the machines and a good report)
  • Allowed time: 7 days for Pentesting and 7 days for report
  • Proctored? No
  • Link to purchase: Here
  • Exam Focused Areas: Pivoting, Buffer Overflows

My Experience: I started the eCPPT exam in the morning of 25th February 2024, uploaded the report on 7th March at 1 PM and got the email with subject “You are now an eCPPTv2!” on 27th March 2024. ...

February 4, 2024 · 5 min · 0xt0pus

Bypass square - Web - NaScon'23

In this challenge, we have to bypass two preg_match functions to get the flag.

The Given Code

    <?php
    #read flag.txt
    highlight_file(__FILE__);
    $code = $_GET['cmd'];
    // First filter: shell-execution functions and backticks
    $blocked_functions = '/(exec|shell_exec|system|`)/i';
    if (preg_match($blocked_functions, $code)) {
        die("Hacking attempt detected");
    } else {
        // Second filter: the word "flag"
        $blocked_functions = "/flag/i";
        if (preg_match($blocked_functions, $code)) {
            die("Hacking attempt detected");
        } else {
            // Note: the input is URL-decoded only after both filters have run
            eval(urldecode($code));
        }
    }
    ?>

Initially, it highlights the code file. Then it stores the ‘cmd’ GET parameter value in the code variable, and it blocks all the functions through which we can execute shell commands. ...

February 2, 2024 · 2 min · 0xt0pus

TryHackMe Cmess machine Walkthrough

Setup

The following entry is added to /etc/hosts.

    10.10.57.136 cmess.thm

Enumeration

An nmap all-ports scan is run. The following was the result of the scan.

    ┌──(kali㉿kali)-[~/Desktop/tryhackme/cmess]
    └─$ nmap 10.10.57.136 -p- --min-rate 2500
    Starting Nmap 7.93 ( https://nmap.org ) at 2023-08-31 16:44 EDT
    Warning: 10.10.57.136 giving up on port because retransmission cap hit (10).
    Nmap scan report for cmess.thm (10.10.57.136)
    Host is up (0.18s latency).
    Not shown: 65507 closed tcp ports (conn-refused), 26 filtered tcp ports (no-response)
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http

    Nmap done: 1 IP address (1 host up) scanned in 43.91 seconds

So, ports 22 and 80 are open. The versions of the services are identified as shown. ...

October 8, 2023 · 5 min · 0xt0pus

Qualifier Web security (El Banco Amarillo) - CyberHackathon'23

The web security challenge was vulnerable to a race condition. The following was the given website. The following were the user details with IDs and funds. The /dump path has a comment, which reveals the source code. The following part of the code was vulnerable to a race condition. A race window exists in the if condition. We can send multiple requests in parallel, which will bypass the if condition before the deduction of funds. ...

September 9, 2023 · 3 min · 0xt0pus

HackTheBox Lame Machine WriteUps

Enumeration

Initially I tried pinging the IP address. It is reachable.

    ┌──(kali㉿kali)-[~]
    └─$ ping 10.10.10.3 -c 3
    PING 10.10.10.3 (10.10.10.3) 56(84) bytes of data.
    64 bytes from 10.10.10.3: icmp_seq=1 ttl=63 time=173 ms
    64 bytes from 10.10.10.3: icmp_seq=2 ttl=63 time=189 ms
    64 bytes from 10.10.10.3: icmp_seq=3 ttl=63 time=172 ms

    --- 10.10.10.3 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2004ms
    rtt min/avg/max/mdev = 171.906/178.070/189.264/7.928 ms

I ran an nmap all-ports scan on it to find the open ports. It shows that the server is down. ...

September 7, 2023 · 3 min · 0xt0pus