Enumeration Starting with a comprehensive nmap scan:
sudo nmap -sS -sC -A 10.10.11.14 -T4 -oN first.scan -p- Key Findings The scan reveals a Windows server running hMailServer with multiple mail-related services:
Port 25/587: SMTP (hMailServer) Port 80: HTTP (Microsoft IIS 10.0) - redirects to mailing.htb Port 110: POP3 (hMailServer) Port 143/993: IMAP (hMailServer) Port 445: SMB Port 465: SSL/SMTP Port 5985: WinRM Domain identified: mailing.htb
Web Enumeration Local File Inclusion Discovery When downloading a PDF from the website, the URL structure reveals a potential LFI vulnerability:
Box Overview Boolean is a Linux machine from Offensive Security’s Proving Grounds featuring parameter tampering for authentication bypass, local file inclusion, SSH key injection, and lateral movement to root via stored SSH keys.
Enumeration Nmap Scan nmap -sS -sC -A -T4 -oN first.scan -p- 192.168.229.231 Open Ports:
22/tcp - SSH (OpenSSH 7.9p1 Debian) 80/tcp - HTTP (Custom web application - “Boolean”) 3000/tcp - Closed (ppp) 33017/tcp - HTTP (Apache 2.4.38 - “Development”) Web Enumeration Port 80 - Boolean Application Main application redirects to /login page.