This is my personal website.
It contains write-ups for exploiting Hack The Box (HTB) machines, along with my projects and educational background.
Enumeration nmap We start enumerating with an nmap scan of all ports: where we see two open ports, one running SSH and the other an HTTP server. We inspect these further by running nmap with the default scripts (-sC) and version detection (-sV): where we see the SSH version, Apache 2.4.41 serving HTTP, and that the host is likely running Ubuntu. Website - TCP 80 Navigating to the website hosted by the HTTP server gives us the web page: where there are no links to interact with and nothing interesting when inspecting the source. ...
Enumeration Nmap We start enumerating with the usual nmap scans (adding -Pn because I have issues with host discovery on this network for some reason): We see that the host is running an Apache Tomcat web server. Website We access the website in our browser: The most interesting part is the button to access the Manager App, which prompts for credentials when pressed. After manually trying the usual default credentials to no avail, we use Metasploit with the default wordlists of the module auxiliary/scanner/http/tomcat_mgr_login: ...
Enumeration Nmap We start enumerating with the usual nmap scans: Here we see that the host is running an FTP server allowing anonymous login and a PRTG Network Monitor, alongside an SMB server and other open Windows ports. PRTG Network Monitor Since the network monitor is called netmon, which is the name of the box, we start by checking it out in our browser: We are met with only a login screen. Looking up the default credentials we find that they are prtgadmin:prtgadmin, but these are not accepted, so we try something else. ...
Enumeration Nmap We start enumerating with the usual nmap scans: but we see that the host is not identified, so we try the suggested -Pn option: Here we see that the host is running OpenSSH, an SMB server (Samba 3.0.20-Debian) and an FTP server (vsFTPd 2.3.4) which allows anonymous login. FTP Logging into FTP with the anonymous credentials anonymous:anonymous results in an empty directory: SMB Checking the shares on SMB with smbmap yields: where only the tmp share is available. ...
Enumeration nmap First we enumerate using the usual nmap scans: This reveals the open port 445 running SMB and that the host runs Windows 7 Professional. SMB We can check the SMB shares hosted on port 445 by providing bogus credentials: where we see that Share and Users are readable. These are however empty and do not get us any further. nmap vuln Instead we might use the other information from our nmap scan, that the host runs an old Windows version. We can check if the host has any obvious vulnerabilities that we can exploit on port 445 with the vuln script from nmap: ...
Enumeration nmap First we enumerate using the usual nmap scans: This shows that port 445 running SMB is open and that the host runs on Windows XP. SMB We try to log in without authentication using smbmap and smbclient: but see that it does not work. nmap vuln Since the host runs Windows XP there might be some vulnerabilities that are easily exploitable with nmap. We can check if the host has any obvious vulnerabilities that we can exploit on port 445 with the vuln script from nmap: ...