For the box Postman, the initial foothold is established by exploiting a security misconfiguration in Redis. Through this vector an attacker can establish an SSH connection as an unprivileged user.
Enumerate using nmap and notice that the Redis port (6379) is open:
# cat postmap-nmap2.txt | grep "Discovered open port"
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Discovered open port 10000/tcp on 10.10.10.160
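From a defender's side, the useful takeaway is that the scan above makes an exposed Redis instance visible, and that the exposure comes from a handful of redis.conf settings. The following is an added example, not code from the original write-up: it parses nmap's "Discovered open port" lines into a port inventory, reports hosts with 6379/tcp open, and audits a redis.conf text for the settings that leave Redis reachable without authentication. The nmap lines are the ones shown above; both configuration samples and the placeholder password are constructed for the example.

```python
"""Inventory nmap verbose output and audit a redis.conf for network exposure.
Added example for the Postman write-up; all sample input below is constructed."""
import re

# Constructed sample: the nmap lines from the scan above, one per line.
NMAP_OUTPUT = """\
Discovered open port 22/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Discovered open port 10000/tcp on 10.10.10.160
"""

# Constructed sample redis.conf with the settings that make an
# unauthenticated Redis reachable from the network.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out: no authentication at all
# requirepass changeme
"""

# Constructed hardened counterpart (the password is a placeholder).
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <placeholder-strong-secret>
"""

PORT_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_open_ports(text):
    """Return (port, proto, host) tuples from nmap's verbose 'Discovered' lines."""
    return [(int(p), proto, host) for p, proto, host in PORT_RE.findall(text)]


def exposed_redis_hosts(text):
    """Hosts on which 6379/tcp, Redis' default port, was found open."""
    return sorted({host for port, proto, host in parse_open_ports(text)
                   if port == 6379 and proto == "tcp"})


def audit_redis_conf(conf):
    """Return a list of findings for settings that expose Redis without auth."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no setting
        key, _, value = line.partition(" ")
        settings[key] = value.strip()

    findings = []
    bind = settings.get("bind", "")
    # No bind directive, or a wildcard address, means every interface listens.
    if not bind or any(a in ("0.0.0.0", "::", "*") for a in bind.split()):
        findings.append("bind: listening on all interfaces; bind to 127.0.0.1 "
                        "or an internal address")
    # protected-mode (Redis 3.2+) refuses non-loopback clients when no
    # password is set; keep it enabled.
    if settings.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled; keep it 'yes'")
    if "requirepass" not in settings:
        findings.append("requirepass: not set; clients connect without "
                        "authentication")
    return findings


if __name__ == "__main__":
    print("open ports:", parse_open_ports(NMAP_OUTPUT))
    print("hosts exposing Redis:", exposed_redis_hosts(NMAP_OUTPUT))
    for name, conf in (("weak", WEAK_REDIS_CONF), ("hardened", HARDENED_REDIS_CONF)):
        print(f"{name} config:", audit_redis_conf(conf) or ["no findings"])
```

The audit treats a missing `bind` line as a finding on purpose: the absence of the directive, not only an explicit `0.0.0.0`, is what leaves the service listening on every interface.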
follow tutorial on
Nmap detects three open ports: SSH, HTTP and Elasticsearch.
root@kali:~/projects# nmap 10.10.10.115
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-13 01:49 EDT
Nmap scan report for 10.10.10.115
Host is up (0.021s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9200/tcp open  wap-wsp
Nmap done: 1 IP address (1 host up) scanned in 6.64 seconds
A browser connection to the host reveals a page with the image of a needle.
Heist is a box labeled easy and contains practical enumeration techniques and attack vectors. The initial foothold is achieved by leveraging an improper security configuration.
Start by checking what ports are open:
nmap -sS -Pn -A 10.10.10.149
80/tcp  open  http          Microsoft IIS httpd 10.0
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Enumerate public files and folders on the web server.