9 Internal
Pre-engagement Briefing You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in three weeks. Scope of Work The client re...
Info You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days. Scope of Work The client requests that an engine...
Recon Forensics - Analyze the PCAP Use bettercap to parse packets (because I love bettercap) sudo bettercap set net.sniff.source overpass2.pcapng net.sniff on Questions What was the URL of ...
Recon Autorecon sudo $(which autorecon) -vv -m 3 --dirbuster.threads 50 --reports markdown --dirbuster.tool gobuster 10.10.74.153 Nmap # Nmap 7.94 scan initiated Tue Jun 20 08:30:14 2023 as:...
Recon Autorecon sudo $(which autorecon) -vv -m 5 --dirbuster.threads 100 --reports markdown --dirbuster.tool gobuster 10.10.67.8 AutoRecon never finishes, it just hangs or says there is 1 t...
Obtain access via SQLi Login form looks super suspicious Try payload admin' or 1=1 -- - Can try another payload : ' or 1=1 -- - Login success, redirected to /portal.php Single quote tes...
Recon Nmap # Nmap 7.94 scan initiated Sat Jun 17 09:53:59 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/thm/HackPark/results/10.10.168.141/scans/...
Recon Nmap # Nmap 7.94 scan initiated Fri Jun 16 08:51:17 2023 as: nmap -sVC -p- -T4 -Pn -vv -oA alfred 10.10.145.150 Nmap scan report for 10.10.145.150 Host is up, received user-set (0.28s lat...
Recon CME neither Null nor guest login is available ┌──(kali㉿kali)-[~/thm/steel-mountain] └─$ cme smb 10.10.92.230 SMB 10.10.92.230 445 STEELMOUNTAIN [*] Windows Server 201...
Recon Nmap # Nmap 7.94 scan initiated Wed Jun 14 12:16:04 2023 as: nmap -sVC -p- -T4 -vv -oA Kenobi 10.10.182.189 Nmap scan report for 10.10.182.189 Host is up, received reset ttl 63 (0.29s lat...
The virtual machine used in this room (Blue) can be downloaded for offline usage from https://darkstar7471.com/resources.html Recon Nmap ┌──(kali㉿kali)...
Reconnaissance Scan the box; how many ports are open? Use --min-rate for fastest scan on port enumeration only Use -n to not resolve dns to be faster (about 2 second…) ┌──(kali㉿kali)-[~/th...
Recon Nmap ┌──(kali㉿kali)-[~/thm/valleype] └─$ cat valleype.nmap # Nmap 7.94 scan initiated Sun Jun 11 09:58:59 2023 as: nmap -sVC -p- -T4 -vv -oA valleype 10.10.83.16 Increasing send delay for...
Nmap # Nmap 7.93 scan initiated Tue Jun 6 10:26:44 2023 as: nmap -sVC -p- -T4 -oA Post-Exploitation -vv 10.10.125.202 Nmap scan report for 10.10.125.202 Host is up, received conn-refused (0.28s ...
Autorecon ┌──(kali㉿kali)-[~/thm] └─$ sudo $(which autorecon) 10.10.148.99 -v [*] Identified service ssh on tcp/22 on 10.10.148.99 [*] Identified service http on tcp/80 on 10.10.148.99 80 - HackI...