The description states:  "Five86-2 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing."

    This is a friggin' puzzle box.  Fun, but definitely a puzzle box.  I enjoyed it thoroughly because I learned a new trick.  More on that later.

    First, we kick off with Nmap:


    Like most people, when I receive an email with a link, I do a quick check to see if the URL is legit.  I'll carefully read it, then I will mouse over it to make sure that the text and the URL match.  I've seen that trick a few times and I've also seen a trick where there was what appeared to be an attached Word document but instead it was an image for a URL.  That was definitely clever.  I haven't seen that one too many times but I can see a user repeatedly clicking on it -- wondering why Word wasn't opening.

    But let's say we get a link to an image.  I probably get at least one of these per day where a friend sends me to some meme or something of interest.  http:// blah blah blah / funnymeme.gif


    I think at some point, I started this box but didn't finish it.  That's been known to happen -- I only allot so much time to this kind of thing.  As I wrapped up the box from yesterday, I saw this one, took a quick look and down the rabbit hole I went.  This box is interesting because I don't have a huge amount of experience with Node and I did a little bit of extra hunting.  Perhaps if I were more familiar with Node, I would have homed in on one piece sooner rather than later.

    Anyway, I don't want to spoil anything so let's get rolling.  We kick off with Nmap:


    Hashcat is one of those tools where I feel like I'm just scratching at the surface with respect to all of its capabilities.  Normally, I'm attempting to crack hashes with a wordlist to prove the strength of a password.  Or I'm playing some CTF where I need to retrieve a password.  In each case, I'm not brute forcing a password, I'm providing a wordlist which makes the process light years faster.  That being said, there are times when I've wanted to use a brute force attack but have shied away when confronted with reading the manual.  RTFM!


    Dare I say this box was easy?  Maybe not for everyone, of course, but I will say this could be the quickest HtB box I've ever rooted.  There's a little bit of hunting and a little bit of creativity required.  Aside from that, take a look at what's in your hand and do some Googling, and you can figure this one out quickly.

    We kick off with Nmap:


    © 2020 sevenlayers.com