[email protected]
Search…
[email protected]
About Calvin Lai (fkclai)
My Work
Exploit/CVE PoC
ZeroLogon Exploit
Remote Retrieved Chrome saved Encrypted Password
Twitter Control an RCE attack
Hacking Report (HTB)
Hits & Summary
Windows Machine
Linux Machine
Pandora 10.10.11.136
BountyHunter 10.10.11.100
CAP 10.10.10.245
Spectra 10.10.10.229
Ready 10.10.10.220
Doctor 10.10.10.209
Bucket 10.10.10.212
Blunder 10.10.10.191
Registry 10.10.10.159
Magic
Tabby
Penetration Testing Checklists
Web Application PenTest
Network/System PenTest
Mobile Application PenTest
Red Team (Windows)
01 Reconnaissance
02 Privileges Escalation
03 Lateral Movement
04 AD Attacks
05 Bypass-Evasion
06 Kerberos Attack
99 Basic Command
Exploitation Guide
01 Reconnaissance
02 Port Enumeration
03 Web Enumeration
04 Windows Enum & Exploit
05 File Enumeration
06 Reverse Shell Cheat Sheet
07 SQL Injection
08 BruteForce
09 XSS Bypass Checklist
10 Spring Boot
11 WPA
12 Payload list
Vuln Hub (Writeup)
MrRobot
CYBERRY
MATRIX 1
Node-1
DPwwn-1
DC7
AiWeb-2
AiWeb-1
BrainPan
CTF (Writeup)
Hacker One
CTF Learn
P.W.N. University - CTF 2018
HITCON
Pwnable
Useful Command/Tools
Windows
Linux
Offensive Security Lab & Exam
Lab
Powered By GitBook
Spectra 10.10.10.229

Background

Spectra is a Linux base machine from HackTheBox that focuses on the enumeration technique for training your ethical hacking skills and penetration testing skills.
​
​
Target Machine: 10.10.10.239
Attacker Machine: 10.10.14.3

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

  1. 1.
    nmap -p- -T5 --min-rate=1000 10.10.10.229 -oG fkclai.nmap
  2. 2.
    nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.229 -o nmap-result.txt
1
nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.229 -o nmap-result.txt
2
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-31 22:27 HKT
3
Nmap scan report for 10.10.10.229
4
Host is up (0.23s latency).
5
​
6
PORT STATE SERVICE VERSION
7
22/tcp open ssh OpenSSH 8.1 (protocol 2.0)
8
| ssh-hostkey:
9
|_ 4096 52:47:de:5c:37:4f:29:0e:8e:1d:88:6e:f9:23:4d:5a (RSA)
10
80/tcp open http nginx 1.17.4
11
|_http-server-header: nginx/1.17.4
12
|_http-title: Site doesn't have a title (text/html).
13
3306/tcp open mysql MySQL (unauthorized)
14
​
15
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
16
Nmap done: 1 IP address (1 host up) scanned in 17.96 seconds
Copied!
Enumeration strategies According to the Nmap result, the target machine is a

Hacking Process Part 1 – Enumeration

Web Enumeration

1
​
2
// ** MySQL settings - You can get this info from your web host ** //
3
/** The name of the database for WordPress */
4
define( 'DB_NAME', 'dev' );
5
​
6
/** MySQL database username */
7
define( 'DB_USER', 'devtest' );
8
​
9
/** MySQL database password */
10
define( 'DB_PASSWORD', 'devteam01' );
11
​
12
/** MySQL hostname */
13
define( 'DB_HOST', 'localhost' );
14
​
15
/** Database Charset to use in creating database tables. */
16
define( 'DB_CHARSET', 'utf8' );
17
​
18
/** The Database Collate type. Don't change this if in doubt. */
19
define( 'DB_COLLATE', '' );
20
​
Copied!
1
​
2
cat /etc/autologin/passwd
3
SummerHereWeCome!!
4
​
Copied!
​
1
​
Copied!
Previous
CAP 10.10.10.245
Next
Ready 10.10.10.220
Last modified 1yr ago
Copy link
Contents
Background
Hacking Process Part 0 – Service Scanning
Quick Pre-searching
Hacking Process Part 1 – Enumeration
Web Enumeration