Fun box – When it was released, it had IPv6 enabled and the port knocking service was only applied to IPv4. So using the IPv6 enumeration methods I talked about in Sneaky I was able to SSH after finding the key with GoBuster. The box was patched to remove IPv6, but if you were curious how I did it in under 15 minutes, that was the trick.
Anyways. One thing I think I did differently than most people is that I used a quick process monitoring script after noticing something was running every minute. This script shows when processes both start and end. It comes in really handy.
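A minimal poll-based monitor of that kind, as an added example (this is not the script from the video). It assumes a Linux target with procps `ps`; it takes a `pid + command line` snapshot every tick and prints START/END lines for whatever changed, filtering out its own ps/awk/sort children so the monitor does not report itself.

```bash
#!/bin/sh
# procmon.sh - poll the process list and print a line whenever a process
# appears or disappears. Added example, not the script used in the video.
# Assumes Linux with procps-style `ps -o`.  Usage:  ./procmon.sh run [interval]

# snapshot: write one "<pid> <command line>" line per process, sorted in C
# collation (comm needs both inputs sorted the same way).  Children of this
# shell (the ps/awk/sort helpers) are excluded so they do not show up as
# START/END noise on every tick.  Call it with a redirection, not inside $( ),
# so the helpers really are children of this shell.
snapshot() {
    me="${BASHPID:-$$}"
    LC_ALL=C ps -eo pid=,ppid=,args= \
        | awk -v me="$me" '$2 != me { pid=$1; $1=""; $2=""; sub(/^ +/, ""); print pid " " $0 }' \
        | LC_ALL=C sort
}

# diff_snapshots OLD NEW: print "END   <pid> <cmd>" for lines only in OLD
# (process gone) and "START <pid> <cmd>" for lines only in NEW (process new).
# A process that rewrites its argv (e.g. sshd session titles) shows as END+START.
diff_snapshots() {
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/END   /'
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/START /'
}

# monitor [interval]: keep the previous snapshot and print the timestamped
# diff every tick.  Anything that lives shorter than one interval is missed,
# so use a small interval (default 0.5 s) when hunting a cron job.
monitor() {
    interval="${1:-0.5}"
    prev=$(mktemp) || exit 1
    cur=$(mktemp) || exit 1
    trap 'rm -f "$prev" "$cur"' EXIT INT TERM
    snapshot > "$prev"
    while :; do
        sleep "$interval"
        snapshot > "$cur"
        diff_snapshots "$prev" "$cur" | while IFS= read -r line; do
            printf '%s %s\n' "$(date +%H:%M:%S)" "$line"
        done
        mv "$cur" "$prev"
    done
}

# Only start the loop when asked to, so the file can also be sourced.
case "${1:-}" in
    run) monitor "${2:-0.5}" ;;
esac
```

Run it as `./procmon.sh run 0.2` and leave it sitting in a second shell; a cron job that fires every minute shows up as a START line for the `/bin/sh -c ...` wrapper (and for whatever it launches) followed by the matching END lines. Because it polls rather than hooking process creation, it can miss very short-lived commands; lowering the interval helps, at the cost of a ps fork per tick.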
After releasing the video, Yas3r told me the login was vulnerable to Type Confusion. So you were able to log in if you changed “password=” to “password[]=” for the HTTP app (the ninevehNotes one). It would log you in.
00:00 - Intro
01:58 - Begin Recon (NMAP)
04:19 - GoBuster HTTP + HTTPS
06:35 - Accessing Pages
07:05 - Using Hydra against HTTP + HTTPS Web Forms
11:30 - Logging into HTTP and hunting for vulns
17:00 - Second Hydra attempt against HTTPS
17:57 - Logging into HTTPS (phpLiteAdmin)
20:17 - Chaining Exploits to get Code Execution
26:38 - Reverse Shell Returned
28:00 - LinEnum.sh Script Review
31:30 - Watching for new Processes
37:00 - Found the error in script
39:30 - Getting reverse root shell
41:51 - Intended Route to get User
46:12 - Reviewing Knockd configuration
49:33 - Doing the PortKnock